-- PKIXAttributeCertificate-2009
--
-- ASN.1 module for X.509 attribute certificates (ACs).  An AC binds a set
-- of attributes (authentication info, group, role, clearance, ...) to a
-- holder and is signed by an attribute authority; AttributeCertificateInfo
-- below has no public-key field, so an AC identifies its holder by
-- reference (IssuerSerial, name or object digest), never by a key.
--
-- Every identifier, context tag number and OID in this module is part of
-- the wire format: changing any of them changes what encoders produce and
-- decoders accept.  Only comments have been added here.
--
-- The module uses IMPLICIT TAGS, so every "[n]" below is implicit unless
-- the component says EXPLICIT (SecurityCategory-rfc3281 does).
PKIXAttributeCertificate-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47)}
DEFINITIONS IMPLICIT TAGS ::=
BEGIN
IMPORTS

AttributeSet{}, Extensions{}, SecurityCategory{}, EXTENSION, ATTRIBUTE,
    SECURITY-CATEGORY
FROM PKIX-CommonTypes-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }

AlgorithmIdentifier{}, SIGNATURE-ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0)
    id-mod-algorithmInformation-02(58)}

-- IMPORTed module OIDs MAY change if [PKIXPROF] changes
-- PKIX Certificate Extensions
-- NOTE(review): id-kp and id-ad are imported but not referenced anywhere
-- in this module.
CertificateSerialNumber, UniqueIdentifier, id-pkix, id-pe, id-kp,
    id-ad, id-at, SIGNED{}, SignatureAlgorithms
FROM PKIX1Explicit-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51)}

GeneralName, GeneralNames, id-ce, ext-AuthorityKeyIdentifier,
    ext-AuthorityInfoAccess, ext-CRLDistributionPoints
FROM PKIX1Implicit-2009
    {iso(1) identified-organization(3) dod(6) internet(1) security(5)
    mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}

ContentInfo
FROM CryptographicMessageSyntax-2009
    { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
    smime(16) modules(0) id-mod-cms-2004-02(41) };

-- Define the set of extensions that can appear.
-- Some of these are imported from PKIX Cert
-- The set is extensible ("..."), so a decoder should expect extension
-- OIDs outside this list; whether an unknown one may be ignored is
-- decided by its critical flag in the imported Extensions{} type, not
-- by membership here.
AttributeCertExtensions EXTENSION ::= {
    ext-auditIdentity | ext-targetInformation | ext-AuthorityKeyIdentifier
    | ext-AuthorityInfoAccess | ext-CRLDistributionPoints | ext-noRevAvail
    | ext-ac-proxying | ext-aaControls, ...
}

ext-auditIdentity EXTENSION ::= { SYNTAX OCTET STRING
    IDENTIFIED BY id-pe-ac-auditIdentity}

-- Limits the parties the AC is meant for; see Targets below.
ext-targetInformation EXTENSION ::= { SYNTAX Targets
    IDENTIFIED BY id-ce-targetInformation }

-- Payload is NULL: the extension's mere presence carries the signal
-- (by its name, that no revocation information is available for this AC).
ext-noRevAvail EXTENSION ::= { SYNTAX NULL IDENTIFIED BY id-ce-noRevAvail}

ext-ac-proxying EXTENSION ::= { SYNTAX ProxyInfo
    IDENTIFIED BY id-pe-ac-proxying}

ext-aaControls EXTENSION ::= { SYNTAX AAControls
    IDENTIFIED BY id-pe-aaControls}

-- Define the set of attributes used here
-- Extensible ("...").  at-clearance-RFC3281 is deliberately not a member;
-- it is only used when the RFC 3281 clearance syntax is switched on (see
-- the commented alternatives around id-at-clearance and Clearance).
AttributesDefined ATTRIBUTE ::= {
    at-authenticationInfo | at-accesIdentity | at-chargingIdentity | at-group
    | at-role | at-clearance | at-encAttrs, ...}

at-authenticationInfo ATTRIBUTE ::= { TYPE SvceAuthInfo
    IDENTIFIED BY id-aca-authenticationInfo}

-- NOTE(review): the identifier is spelled "accesIdentity" in this module
-- (the OID below is spelled "accessIdentity").  Keep the spelling: other
-- modules and generated code may reference the value by this name.
at-accesIdentity ATTRIBUTE ::= { TYPE SvceAuthInfo
    IDENTIFIED BY id-aca-accessIdentity}

at-chargingIdentity ATTRIBUTE ::= { TYPE IetfAttrSyntax
    IDENTIFIED BY id-aca-chargingIdentity}

at-group ATTRIBUTE ::= { TYPE IetfAttrSyntax IDENTIFIED BY id-aca-group}

at-role ATTRIBUTE ::= { TYPE RoleSyntax IDENTIFIED BY id-at-role}

at-clearance ATTRIBUTE ::= { TYPE Clearance IDENTIFIED BY id-at-clearance}

at-clearance-RFC3281 ATTRIBUTE ::= {TYPE Clearance-rfc3281
    IDENTIFIED BY id-at-clearance-rfc3281 }

-- Attribute values carried as a CMS ContentInfo; presumably the enveloped
-- (encrypted) form, as the name suggests.  Confirm against the CMS
-- profile in use before relying on confidentiality here.
at-encAttrs ATTRIBUTE ::= { TYPE ContentInfo IDENTIFIED BY id-aca-encAttrs}

--
-- OIDs used by Attribute Certificate Extensions
--
id-pe-ac-auditIdentity  OBJECT IDENTIFIER ::= { id-pe 4 }
id-pe-aaControls        OBJECT IDENTIFIER ::= { id-pe 6 }
id-pe-ac-proxying       OBJECT IDENTIFIER ::= { id-pe 10 }
id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 }
id-ce-noRevAvail        OBJECT IDENTIFIER ::= { id-ce 56 }

--
-- OIDs used by Attribute Certificate Attributes
--
id-aca                    OBJECT IDENTIFIER ::= { id-pkix 10 }
id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 }
id-aca-accessIdentity     OBJECT IDENTIFIER ::= { id-aca 2 }
id-aca-chargingIdentity   OBJECT IDENTIFIER ::= { id-aca 3 }
id-aca-group              OBJECT IDENTIFIER ::= { id-aca 4 }
-- { id-aca 5 } is reserved
id-aca-encAttrs           OBJECT IDENTIFIER ::= { id-aca 6 }

id-at-role      OBJECT IDENTIFIER ::= { id-at 72}
id-at-clearance OBJECT IDENTIFIER ::=
    { joint-iso-ccitt(2) ds(5) attributeType(4) clearance (55) }

-- Uncomment the following declaration and comment the above line if
-- using the id-at-clearance attribute as defined in [RFC3281]
-- (the two arcs differ, attributeType(4) above versus
-- module(1) selected-attribute-types(5) below, so a relying party that
-- matches one OID will not recognise clearance attributes under the
-- other unless it handles both).
-- NOTE(review): the commented assignment originally referred to the
-- undefined name "id-at-clearance-3281"; it is spelled here with the
-- name actually declared below.
-- id-at-clearance OBJECT IDENTIFIER ::= id-at-clearance-rfc3281

id-at-clearance-rfc3281 OBJECT IDENTIFIER ::=
    { joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5)
    clearance (55) }

--
-- The syntax of an Attribute Certificate
--

-- SIGNED{} wraps the to-be-signed info with an algorithm identifier and a
-- signature.  Every field of AttributeCertificateInfo is untrusted until
-- that signature has been verified against the AC issuer's key.
AttributeCertificate ::= SIGNED{AttributeCertificateInfo}

AttributeCertificateInfo ::= SEQUENCE {
    version                AttCertVersion,  -- version is v2
        -- only v2(1) is defined below; any other value is out of profile
    holder                 Holder,
    issuer                 AttCertIssuer,
    signature              AlgorithmIdentifier{SIGNATURE-ALGORITHM,
                               {SignatureAlgorithms}},
        -- NOTE(review): presumably required to equal the algorithm in the
        -- outer SIGNED{} wrapper, as for public-key certificates; confirm
        -- and enforce the comparison in the verifier
    serialNumber           CertificateSerialNumber,
    attrCertValidityPeriod AttCertValidityPeriod,
    attributes             SEQUENCE OF AttributeSet{{AttributesDefined}},
    issuerUniqueID         UniqueIdentifier OPTIONAL,
    extensions             Extensions{{AttributeCertExtensions}} OPTIONAL
}

AttCertVersion ::= INTEGER { v2(1) }

Holder ::= SEQUENCE {
    baseCertificateID  [0] IssuerSerial OPTIONAL,
        -- the issuer and serial number of
        -- the holder's Public Key Certificate
    entityName         [1] GeneralNames OPTIONAL,
        -- the name of the claimant or role
    objectDigestInfo   [2] ObjectDigestInfo OPTIONAL
        -- used to directly authenticate the
        -- holder, for example, an executable
    -- All three components are OPTIONAL, so a Holder with nothing present
    -- is syntactically valid yet identifies nobody.  A verifier should
    -- require at least one and bind it to the entity it is authorising
    -- (e.g. compare baseCertificateID with the presented PKC).
}

ObjectDigestInfo ::= SEQUENCE {
    digestedObjectType  ENUMERATED {
        publicKey        (0),
        publicKeyCert    (1),
        otherObjectTypes (2) },
        -- otherObjectTypes MUST NOT
        -- be used in this profile
    otherObjectTypeID   OBJECT IDENTIFIER OPTIONAL,
    digestAlgorithm     AlgorithmIdentifier{DIGEST-ALGORITHM, {...}},
        -- the digest algorithm set is left open ({...}); since
        -- objectDigest is what ties the AC to its holder, a verifier
        -- should restrict this to digests it considers collision-resistant
    objectDigest        BIT STRING
}

AttCertIssuer ::= CHOICE {
    v1Form  GeneralNames,  -- MUST NOT be used in this
                           -- profile
    v2Form  [0] V2Form     -- v2 only
}

V2Form ::= SEQUENCE {
    issuerName         GeneralNames OPTIONAL,
    baseCertificateID  [0] IssuerSerial OPTIONAL,
    objectDigestInfo   [1] ObjectDigestInfo OPTIONAL
        -- issuerName MUST be present in this profile
        -- baseCertificateID and objectDigestInfo MUST
        -- NOT be present in this profile
        -- (all three are OPTIONAL in the syntax, so the profile rules
        -- above have to be checked by the application, not the decoder)
}

IssuerSerial ::= SEQUENCE {
    issuer     GeneralNames,
    serial     CertificateSerialNumber,
    issuerUID  UniqueIdentifier OPTIONAL
}

AttCertValidityPeriod ::= SEQUENCE {
    notBeforeTime  GeneralizedTime,
    notAfterTime   GeneralizedTime
    -- both ends are mandatory; confirm the evaluation time lies within
    -- [notBeforeTime, notAfterTime] before honouring any attribute
}

--
-- Syntax used by Attribute Certificate Extensions
--

-- Presumably: an AC carrying ext-targetInformation is intended only for
-- the listed targets, and a relying party not named (directly, by group
-- or by certificate) should treat the AC as not addressed to it.
Targets ::= SEQUENCE OF Target

Target ::= CHOICE {
    targetName   [0] GeneralName,
    targetGroup  [1] GeneralName,
    targetCert   [2] TargetCert
}

TargetCert ::= SEQUENCE {
    targetCertificate  IssuerSerial,
    targetName         GeneralName OPTIONAL,
    certDigestInfo     ObjectDigestInfo OPTIONAL
}

AAControls ::= SEQUENCE {
    pathLenConstraint  INTEGER (0..MAX) OPTIONAL,
    permittedAttrs     [0] AttrSpec OPTIONAL,
    excludedAttrs      [1] AttrSpec OPTIONAL,
    permitUnSpecified  BOOLEAN DEFAULT TRUE
        -- the default is permissive: an attribute OID listed in neither
        -- permittedAttrs nor excludedAttrs is allowed unless this is
        -- explicitly FALSE.  Issuers wanting a closed list must set it.
}

AttrSpec ::= SEQUENCE OF OBJECT IDENTIFIER

ProxyInfo ::= SEQUENCE OF Targets

--
-- Syntax used by Attribute Certificate Attributes
--

IetfAttrSyntax ::= SEQUENCE {
    policyAuthority[0] GeneralNames OPTIONAL,
    values         SEQUENCE OF CHOICE {
        octets  OCTET STRING,
        oid     OBJECT IDENTIFIER,
        string  UTF8String
    }
    -- values may be empty or mixed; an application comparing group or
    -- charging identities has to pick one representation and should not
    -- treat e.g. an OCTET STRING and a UTF8String of the same bytes as equal
    -- unless its policy says so
}

SvceAuthInfo ::= SEQUENCE {
    service   GeneralName,
    ident     GeneralName,
    authInfo  OCTET STRING OPTIONAL
        -- opaque authentication material for the service; presumably
        -- a credential and therefore sensitive when present, which is
        -- one reason at-encAttrs (CMS ContentInfo) exists
}

RoleSyntax ::= SEQUENCE {
    roleAuthority  [0] GeneralNames OPTIONAL,
    roleName       [1] GeneralName
}

Clearance ::= SEQUENCE {
    policyId            OBJECT IDENTIFIER,
    classList           ClassList DEFAULT {unclassified},
        -- DER omits DEFAULT values, so an absent classList means
        -- {unclassified}; do not read absence as "no clearance"
    securityCategories  SET OF SecurityCategory
                            {{SupportedSecurityCategories}} OPTIONAL
}

-- Uncomment the following lines to support deprecated clearance
-- syntax and comment out previous Clearance.
-- Note the two encodings are not interchangeable: the components of
-- Clearance are untagged, those of Clearance-rfc3281 carry [0]/[1]/[2],
-- so a decoder built for one will reject the other.
-- Clearance ::= Clearance-rfc3281

Clearance-rfc3281 ::= SEQUENCE {
    policyId            [0] OBJECT IDENTIFIER,
    classList           [1] ClassList DEFAULT {unclassified},
    securityCategories  [2] SET OF SecurityCategory-rfc3281
                                {{SupportedSecurityCategories}} OPTIONAL
}

ClassList ::= BIT STRING {
    unmarked      (0),
    unclassified  (1),
    restricted    (2),
    confidential  (3),
    secret        (4),
    topSecret     (5)
}

-- Open object set: no categories are defined in this module, so any
-- SecurityCategory met on the wire has a type chosen outside it.
SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }

SecurityCategory-rfc3281{SECURITY-CATEGORY:Supported} ::= SEQUENCE {
    type   [0] IMPLICIT SECURITY-CATEGORY.&id({Supported}),
    value  [1] EXPLICIT SECURITY-CATEGORY.&Type({Supported}{@type})
        -- value's type is selected by the OID in 'type' through the
        -- Supported object set; with that set open, an unrecognised OID
        -- decodes only as an opaque value.
        -- NOTE(review): the tagging here (IMPLICIT [0] / EXPLICIT [1])
        -- is specific to this form; compare with SecurityCategory{}
        -- imported from PKIX-CommonTypes-2009 before treating the two
        -- as equivalent.
}

-- NOTE(review): not referenced elsewhere in this module; its use is
-- defined outside it.  It pairs an AC reference (issuer, serial) with a
-- set of attributes from AttributesDefined.
ACClearAttrs ::= SEQUENCE {
    acIssuer  GeneralName,
    acSerial  INTEGER,
    attrs     SEQUENCE OF AttributeSet{{AttributesDefined}}
}

END