draft-ietf-smime-new-asn1-02.txt   draft-ietf-smime-new-asn1-03.txt 
Network Working Group P. Hoffman Network Working Group P. Hoffman
Internet-Draft VPN Consortium Internet-Draft VPN Consortium
Updates: 3370, 3565, 3851, 3852, J. Schaad Updates: 3370, 3565, 3851, 3852, J. Schaad
4108, 4998, 5035, 5083, 5084 Soaring Hawk Consulting 4108, 4998, 5035, 5083, 5084 Soaring Hawk Consulting
(if approved) January 9, 2009 (if approved) March 9, 2009
Intended status: Standards Track Intended status: Standards Track
Expires: July 13, 2009 Expires: September 10, 2009
New ASN.1 Modules for CMS and S/MIME New ASN.1 Modules for CMS and S/MIME
draft-ietf-smime-new-asn1-02.txt draft-ietf-smime-new-asn1-03.txt
Status of this Memo Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet- other groups may also distribute working documents as Internet-
Drafts. Drafts.
Internet-Drafts are draft documents valid for a maximum of six months Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress." material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt. http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html. http://www.ietf.org/shadow.html.
This Internet-Draft will expire on July 13, 2009. This Internet-Draft will expire on September 10, 2009.
Copyright Notice Copyright Notice
Copyright (c) 2009 IETF Trust and the persons identified as the Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved. document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents Provisions Relating to IETF Documents in effect on the date of
(http://trustee.ietf.org/license-info) in effect on the date of publication of this document (http://trustee.ietf.org/license-info).
publication of this document. Please review these documents Please review these documents carefully, as they describe your rights
carefully, as they describe your rights and restrictions with respect and restrictions with respect to this document.
to this document.
Abstract Abstract
The Cryptographic Message Syntax (CMS) format, and many associated The Cryptographic Message Syntax (CMS) format, and many associated
formats, are expressed using ASN.1. The current ASN.1 modules formats, are expressed using ASN.1. The current ASN.1 modules
conform to the 1988 version of ASN.1. This document updates those conform to the 1988 version of ASN.1. This document updates those
ASN.1 modules to conform to the 2002 version of ASN.1. There are no ASN.1 modules to conform to the 2002 version of ASN.1. There are no
bits-on-the-wire changes to any of the formats; this is simply a bits-on-the-wire changes to any of the formats; this is simply a
change to the syntax. change to the syntax.
Table of Contents Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . . 4 1.1. Design Notes . . . . . . . . . . . . . . . . . . . . . . . 5
1.2. Issues . . . . . . . . . . . . . . . . . . . . . . . . . . 4 1.2. Issues . . . . . . . . . . . . . . . . . . . . . . . . . . 5
1.2.1. Module OIDs Changing . . . . . . . . . . . . . . . . . 4 1.2.1. Module OIDs Changing . . . . . . . . . . . . . . . . . 5
2. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 5 2. ASN.1 Module AlgorithmInformation . . . . . . . . . . . . . . 6
3. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 14 3. ASN.1 Module for RFC 3370 . . . . . . . . . . . . . . . . . . 15
4. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 19 4. ASN.1 Module for RFC 3565 . . . . . . . . . . . . . . . . . . 21
5. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 21 5. ASN.1 Module for RFC 3851 . . . . . . . . . . . . . . . . . . 23
6. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 24 6. ASN.1 Module for RFC 3852 . . . . . . . . . . . . . . . . . . 25
7. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 34 7. ASN.1 Module for RFC 4108 . . . . . . . . . . . . . . . . . . 35
8. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 40 8. ASN.1 Module for RFC 4998 . . . . . . . . . . . . . . . . . . 41
9. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 41 9. ASN.1 Module for RFC 5035 . . . . . . . . . . . . . . . . . . 42
10. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 48 10. ASN.1 Module for RFC 5083 . . . . . . . . . . . . . . . . . . 49
11. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 48 11. ASN.1 Module for RFC 5084 . . . . . . . . . . . . . . . . . . 49
12. ASN.1 Module for RFC 5275 . . . . . . . . . . . . . . . . . . 51 12. ASN.1 Module for RFC 5275 . . . . . . . . . . . . . . . . . . 51
13. Security Considerations . . . . . . . . . . . . . . . . . . . 58 13. Security Considerations . . . . . . . . . . . . . . . . . . . 59
14. Normative References . . . . . . . . . . . . . . . . . . . . . 58 14. Normative References . . . . . . . . . . . . . . . . . . . . . 59
Appendix A. Change History . . . . . . . . . . . . . . . . . . . 59 Appendix A. Change History . . . . . . . . . . . . . . . . . . . 60
A.1. Changes between draft-hoffman-cms-new-asn1-00 and A.1. Changes between draft-hoffman-cms-new-asn1-00 and
draft-ietf-smime-new-asn1-00 . . . . . . . . . . . . . . . 59 draft-ietf-smime-new-asn1-00 . . . . . . . . . . . . . . . 60
A.2. Changes between draft-ietf-smime-new-asn1-00 and -01 . . . 60 A.2. Changes between draft-ietf-smime-new-asn1-00 and -01 . . . 61
A.3. Changes between draft-ietf-smime-new-asn1-01 and -02 . . . 60 A.3. Changes between draft-ietf-smime-new-asn1-01 and -02 . . . 61
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 60 A.4. Changes between draft-ietf-smime-new-asn1-02 and -03 . . . 61
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . . 61
1. Introduction 1. Introduction
Some developers would like the IETF to use the latest version of Some developers would like the IETF to use the latest version of
ASN.1 in its standards. Most of the RFCs that relate to security ASN.1 in its standards. Most of the RFCs that relate to security
protocols still use ASN.1 from the 1988 standard, which has been protocols still use ASN.1 from the 1988 standard, which has been
deprecated. This is particularly true for the standards that relate deprecated. This is particularly true for the standards that relate
to PKIX, CMS, and S/MIME. to PKIX, CMS, and S/MIME.
This document updates the following RFCs to use ASN.1 modules that This document updates the following RFCs to use ASN.1 modules that
skipping to change at page 3, line 45 skipping to change at page 4, line 45
CMS [RFC5084] CMS [RFC5084]
o RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275] o RFC 5275, CMS Symmetric Key Management and Distribution [RFC5275]
Note that some of the modules in this document get some of their Note that some of the modules in this document get some of their
definitions from places different than the modules in the original definitions from places different than the modules in the original
RFCs. The idea is that these modules, when combined with the modules RFCs. The idea is that these modules, when combined with the modules
in [NEW-PKIX] can stand on their own and do not need to import in [NEW-PKIX] can stand on their own and do not need to import
definitions from anywhere else. definitions from anywhere else.
The document also includes a module of common defintions called The document also includes a module of common definitions called
"AlgorithmInformation". These definitions are used here and in "AlgorithmInformation". These definitions are used here and in
[NEW-PKIX]. [NEW-PKIX].
Note that some of the modules here import definitions from the common Note that some of the modules here import definitions from the common
definitions module, "PKIX-CommonTypes", in [NEW-PKIX]. definitions module, "PKIX-CommonTypes", in [NEW-PKIX].
1.1. Design Notes 1.1. Design Notes
The modules in this document use the object model available in the The modules in this document use the object model available in the
2002 ASN.1 documents to a great extent. Objects for each of the 2002 ASN.1 documents to a great extent. Objects for each of the
skipping to change at page 5, line 8 skipping to change at page 6, line 8
The OIDs given in the modules in this version of the document are the The OIDs given in the modules in this version of the document are the
same as the OIDs from the original modules, even though some of the same as the OIDs from the original modules, even though some of the
modules have changed syntax. That is clearly incorrect. In a later modules have changed syntax. That is clearly incorrect. In a later
version of this document, we will change the OIDs for every changed version of this document, we will change the OIDs for every changed
module. The WG (hopefully in coordination with the PKIX WG) needs to module. The WG (hopefully in coordination with the PKIX WG) needs to
determine how to do this and what the result will be. determine how to do this and what the result will be.
2. ASN.1 Module AlgorithmInformation 2. ASN.1 Module AlgorithmInformation
This section contains a module that is imported by many other modules This section contains a module that is imported by many other modules
in this document and in [NEW-PKIX]. This module does not come from in this document. Note that this module is also given in [NEW-PKIX].
any existing RFC. This module does not come from any existing RFC.
AlgorithmInformation AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)} mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
DEFINITIONS EXPLICIT TAGS ::= DEFINITIONS EXPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS IMPORTS
KeyUsage KeyUsage
FROM PKIX1Implicit88 FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-implicit(19) } id-mod-pkix1-implicit-02(59)} ;
;
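Review bot: The "Module OIDs Changing" text at the top of this hunk is carried into -03 unchanged and still says the module OIDs match the originals and will be changed "in a later version", but this same revision already renames the module to AlgorithmInformation-2009 with id-mod-algorithmInformation-02(58) and imports KeyUsage from PKIX1Implicit-2009 with id-mod-pkix1-implicit-02(59) instead of PKIX1Implicit88 / id-pkix1-implicit(19). Suggest updating the issue text to say which modules now carry new OIDs and which are still pending, so a reader compiling these modules knows whether an import should resolve to the 1988 or the 2009 definition.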
-- Suggested prefixes for algorithm objects are: -- Suggested prefixes for algorithm objects are:
-- --
-- mda- Message Digest Algorithms -- mda- Message Digest Algorithms
-- sa- Signature Algorithms -- sa- Signature Algorithms
-- kta- Key Transport Algorithms (Asymetric) -- kta- Key Transport Algorithms (Asymmetric)
-- kaa- Key Agreement Algorithms (Asymetric) -- kaa- Key Agreement Algorithms (Asymmetric)
-- kwa- Key Wrap Algorithms (Symetric) -- kwa- Key Wrap Algorithms (Symmetric)
-- kda- Key Derivation Algorithms -- kda- Key Derivation Algorithms
-- maca- Message Authentication Code Algorithms -- maca- Message Authentication Code Algorithms
-- pk- Public Key -- pk- Public Key
-- cea- Content (symetric) Encryption Algorithm -- cea- Content (symmetric) Encryption Algorithm
-- cap- S/MIME Capabilities -- cap- S/MIME Capabilities
ParamOptions ::= ENUMERATED { ParamOptions ::= ENUMERATED {
required, -- Parameters MUST be encoded in structure required, -- Parameters MUST be encoded in structure
preferredPresent, -- Parameters SHOULD be encoded in structure preferredPresent, -- Parameters SHOULD be encoded in structure
preferredAbsent, -- Parameters SHOULD NOT be encoded in structure preferredAbsent, -- Parameters SHOULD NOT be encoded in structure
absent, -- Parameters MUST NOT be encoded in structure absent, -- Parameters MUST NOT be encoded in structure
inheritable, -- Parameters are inheritied if not present inheritable, -- Parameters are inherited if not present
optional, -- Parameters MAY be encoded in the structure optional, -- Parameters MAY be encoded in the structure
... ...
} }
-- DIGEST-ALGORITHM -- DIGEST-ALGORITHM
-- --
-- Describes the basic information for ASN.1 and a digest -- Describes the basic information for ASN.1 and a digest
-- algorithm. -- algorithm.
-- --
-- &id - contains the OID identifying the digest algorithm -- &id - contains the OID identifying the digest algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paramters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- --
-- Additional information such as the length of the hash could also -- Additional information such as the length of the hash could also
-- be encoded. -- be encoded.
-- --
-- Example: -- Example:
-- sha1 DIGEST-ALGORITHM ::= { -- sha1 DIGEST-ALGORITHM ::= {
-- IDENTIFIER id-sha1 -- IDENTIFIER id-sha1
-- PARAM TYPE NULL ARE preferredAbsent -- PARAMS TYPE NULL ARE preferredAbsent
-- } -- }
DIGEST-ALGORITHM ::= CLASS { DIGEST-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent &paramPresence ParamOptions DEFAULT absent
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [TYPE &Params] [ARE &paramPresence] ] [PARAMS [TYPE &Params] [ARE &paramPresence] ]
} }
-- SIGNATURE-ALGORITHM -- SIGNATURE-ALGORITHM
-- --
-- Describes the basic properities of a signature algorithm -- Describes the basic properties of a signature algorithm
-- --
-- &id - contains the OID identifying the signature algoithm -- &id - contains the OID identifying the signature algorithm
-- &Params - contains the type for the algoithm parameters, -- &Value - contains a type defintion for the value structure of
-- if present; absent implies no paameters -- the signature
-- &paramPresence - parameter presence requirement -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters
-- &paramPresence - parameter presence resquirement
-- &HashSet - The set of hash algorithms used with this -- &HashSet - The set of hash algorithms used with this
-- signature algoirthm -- signature algorithm
-- &PublicKeySet - the set of public key algorithms for this -- &PublicKeySet - the set of public key algorithms for this
-- signature algorithm -- signature algorithm
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
--
-- Example: -- Example:
-- sig-RSA-PSS SIGNATURE-ALGORITHM ::= { -- sig-RSA-PSS SIGNATURE-ALGORITHM ::= {
-- IDENTIFIER id-RSASSA-PSS -- IDENTIFIER id-RSASSA-PSS
-- PARAMS TYPE RSASSA-PSS-params ARE required -- PARAMS TYPE RSASSA-PSS-params ARE required
-- HASHES {sha1 | md5, ... } -- HASHES {sha1 | md5, ... }
-- PUBLIC KEYS { pk-rsa | pk-rsa-pss } -- PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
-- } -- }
SIGNATURE-ALGORITHM ::= CLASS { SIGNATURE-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL,
&Value OPTIONAL, &Value OPTIONAL,
&Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent, &paramPresence ParamOptions DEFAULT absent,
&HashSet DIGEST-ALGORITHM OPTIONAL, &HashSet DIGEST-ALGORITHM OPTIONAL,
&PublicKeySet PUBLIC-KEY OPTIONAL, &PublicKeySet PUBLIC-KEY OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL &smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[VALUE &Value] [VALUE &Value]
[PARAMS [TYPE &Params] ARE &paramPresence ] [PARAMS [TYPE &Params] ARE &paramPresence ]
[HASHES &HashSet] [HASHES &HashSet]
[PUBLIC KEYS &PublicKeySet] [PUBLIC-KEYS &PublicKeySet]
[SMIME CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
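Review bot: The comment clean-up in the DIGEST-ALGORITHM and SIGNATURE-ALGORITHM headers replaces one set of misspellings with another: "paameters" becomes "paramters", the new &Value description reads "type defintion", and the previously correct "parameter presence requirement" under SIGNATURE-ALGORITHM becomes "parameter presence resquirement". Suggest "parameters", "definition" and "requirement"; the "paramters" spelling recurs in every later class header in this revision, so it is worth fixing in one pass.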
-- PUBLIC-KEY -- PUBLIC-KEY
-- --
-- Describes the basic properities of a public key -- Describes the basic properties of a public key
-- --
-- &id - contains the OID identifying the public key -- &id - contains the OID identifying the public key
-- &Params - contains the type for the algoithm parameters,
-- if present; absent implies no paameters
-- &paramPresence - parameter presence requirement
-- &KeyValue - contains the type for the key value -- &KeyValue - contains the type for the key value
-- -- &Params - contains the type for the algorithm parameters,
-- Could add information about the keyUsage bits -- if present; absent implies no paramters
-- &paramPresence - parameter presence requirement
-- &keyUsage - contains the set of bits that are legal for this
-- key type. Note that is does not make any statement
-- about how bits may be paired.
-- &PrivateKey - contains a type structure for encoding the private
-- key information.
-- --
-- Example: -- Example:
-- pk-rsa-pss PUBLIC-KEY ::= { -- pk-rsa-pss PUBLIC-KEY ::= {
-- IDENTIFIER id-RSASSA-PSS -- IDENTIFIER id-RSASSA-PSS
-- KEY RSAPublicKey -- KEY RSAPublicKey
-- PARAMS TYPE RSASSA-PSS-params ARE optional -- PARAMS TYPE RSASSA-PSS-params ARE optional
-- KEY USAGE BITS { .... } -- CERT-KEY-USAGE { .... }
-- } -- }
PUBLIC-KEY ::= CLASS { PUBLIC-KEY ::= CLASS {
&id OBJECT IDENTIFIER, &id OBJECT IDENTIFIER UNIQUE,
&KeyValue OPTIONAL,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent, &paramPresence ParamOptions DEFAULT absent,
&KeyValue OPTIONAL, &keyUsage KeyUsage OPTIONAL,
&PrivateKey OPTIONAL, &PrivateKey OPTIONAL
&keyUsage KeyUsage OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[KEY &KeyValue] [KEY &KeyValue]
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[CERT KEY USAGE &keyUsage] [CERT-KEY-USAGE &keyUsage]
[PRIVATE KEY &PrivateKey] [PRIVATE-KEY &PrivateKey]
} }
-- KEY-TRANSPORT -- KEY-TRANSPORT
-- --
-- Describes the basic properities of a key transport algorithm -- Describes the basic properties of a key transport algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key transport algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paramters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &PublicKeySet - specify which public keys are used with -- &PublicKeySet - specify which public keys are used with
-- this algorithm -- this algorithm
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
-- --
-- Example: -- Example:
-- rsaTransport KEY-TRANSPORT ::= { -- rsaTransport KEY-TRANSPORT ::= {
-- &id rsaEncryption -- IDENTIFIER &id
-- &Params NULL -- PARAMS TYPE NULL ARE required
-- &paramPresence required -- PUBLIC-KEYS { pk-rsa | pk-rsa-pss }
-- &PublicKeySet { pk-rsa | pk-rsa-pss }
-- } -- }
KEY-TRANSPORT ::= CLASS { KEY-TRANSPORT ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent, &paramPresence ParamOptions DEFAULT absent,
&PublicKeySet PUBLIC-KEY OPTIONAL, &PublicKeySet PUBLIC-KEY OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL &smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[PUBLIC KEYS &PublicKeySet] [PUBLIC-KEYS &PublicKeySet]
[SMIME CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
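Review bot: In the rewritten rsaTransport example, the line "IDENTIFIER &id" names the class field instead of supplying a value, so the example no longer identifies any algorithm. The -02 text had "&id rsaEncryption"; in the new WITH SYNTAX form this should read "IDENTIFIER rsaEncryption", matching how the other examples (for instance "IDENTIFIER id-alg-CMS3DESwrap") are written.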
-- KEY-AGREE -- KEY-AGREE
-- --
-- Describes the basic properities of a key agreement algorithm -- Describes the basic properties of a key agreement algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key agreement algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paramters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &Ukm - type of user keying material used
-- &PublicKeySet - specify which public keys are used with -- &PublicKeySet - specify which public keys are used with
-- this algorithm -- this algorithm
-- -- &Ukm - type of user keying material used
-- Additional items could be a restricted set of key wrap algoithms -- &ukmPresence - specifies the requirements to define the UKM field
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
-- --
-- Example: -- Example:
-- dh-static-ephemerial KEY-AGREE ::= { -- dh-static-ephemerial KEY-AGREE ::= {
-- IDENTIFIER id-alg-ESDH -- IDENTIFIER id-alg-ESDH
-- PARAMS TYPE KeyWrapAlgorithm ARE required -- PARAMS TYPE KeyWrapAlgorithm ARE required
-- - - user key material is not ASN.1 encoded. -- - - user key material is not ASN.1-encoded.
-- PUBLIC KEYS { -- PUBLIC-KEYS {
-- {IDENTIFIER dh-public-number KEY DHPublicKey -- {IDENTIFIER dh-public-number KEY DHPublicKey
-- HASH PARAMS DHDomainParamters PARAMS ARE inheritable } -- PARAMS TYPE DHDomainParameters ARE inheritable }
-- } -- }
-- - - UKM should be present, but is not separately -- - - UKM should be present but is not separately ASN.1-encoded
-- - - ASN.1 encoded
-- UKM ARE preferredPresent -- UKM ARE preferredPresent
-- } -- }
KEY-AGREE ::= CLASS { KEY-AGREE ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent, &paramPresence ParamOptions DEFAULT absent,
&PublicKeySet PUBLIC-KEY OPTIONAL,
&Ukm OPTIONAL, &Ukm OPTIONAL,
&ukmPresence ParamOptions DEFAULT absent, &ukmPresence ParamOptions DEFAULT absent,
&PublicKeySet PUBLIC-KEY OPTIONAL,
&smimeCaps SMIME-CAPS OPTIONAL &smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[PUBLIC KEYS &PublicKeySet] [PUBLIC-KEYS &PublicKeySet]
[UKM [TYPE &Ukm] ARE &ukmPresence] [UKM [TYPE &Ukm] ARE &ukmPresence]
[SMIME CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
-- KEY-WRAP -- KEY-WRAP
-- --
-- Describes the basic properities of a key wrap algorithm -- Describes the basic properties of a key wrap algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key wrap algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paramters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
-- --
-- Example: -- Example:
-- cms3DESwrap KEY-WRAP ::= { -- cms3DESwrap KEY-WRAP ::= {
-- IDENTIFIER id-alg-CMS3DESwrap -- IDENTIFIER id-alg-CMS3DESwrap
-- PARAMS TYPE NULL ARE required -- PARAMS TYPE NULL ARE required
-- } -- }
KEY-WRAP ::= CLASS { KEY-WRAP ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent, &paramPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL &smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
-- KEY-DERIVATION -- KEY-DERIVATION
-- --
-- Describes the basic properities of a key transport algorithm -- Describes the basic properties of a key derivation algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the key derivation algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paramters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
-- --
-- Could add information about defaults for the derivation algorithm -- Could add information about defaults for the derivation algorithm
-- such as PRFs -- such as PRFs
-- --
-- Example: -- Example:
-- pbkdf2 KEY-DERIVATION ::= { -- pbkdf2 KEY-DERIVATION ::= {
-- IDENTIFIER id-PBKF2 -- IDENTIFIER id-PBKDF2
-- PARAMS TYPE PBKDF2-params ARE required -- PARAMS TYPE PBKDF2-params ARE required
-- } -- }
KEY-DERIVATION ::= CLASS { KEY-DERIVATION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent, &paramPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL &smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
-- MAC-ALGORITHM -- MAC-ALGORITHM
-- --
-- Describes the basic properities of a key transport algorithm -- Describes the basic properties of a MAC algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the MAC algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paramters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &keyed - MAC algorithm is a keyed MAC algorithm -- &keyed - MAC algorithm is a keyed MAC algorithm
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
-- --
-- It would make sense to also add minimum and maximum MAC lengths -- It would make sense to also add minimum and maximum MAC lengths
-- --
-- Example: -- Example:
-- maca-hmac-sha1 MAC-ALGORITHM ::= { -- maca-hmac-sha1 MAC-ALGORITHM ::= {
-- IDENTIFIER hMAC-SHA1 -- IDENTIFIER hMAC-SHA1
-- PARAMS TYPE NULL ARE perferedAbsent -- PARAMS TYPE NULL ARE preferredAbsent
-- IS KEYED MAC TRUE
-- SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
-- } -- }
MAC-ALGORITHM ::= CLASS { MAC-ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent, &paramPresence ParamOptions DEFAULT absent,
&keyed BOOLEAN, &keyed BOOLEAN,
&smimeCaps SMIME-CAPS OPTIONAL &smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [TYPE &Params] [ARE &paramPresence]] [PARAMS [TYPE &Params] [ARE &paramPresence]]
IS KEYED MAC &keyed IS-KEYED-MAC &keyed
[SMIME CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
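Review bot: The example line added for maca-hmac-sha1, "IS KEYED MAC TRUE", uses the space-separated keyword, while the WITH SYNTAX clause in this same revision is changed to "IS-KEYED-MAC &keyed". The example will not parse against the class as now defined; suggest "IS-KEYED-MAC TRUE", consistent with the hyphenated "SMIME-CAPS" on the next example line.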
-- CONTENT-ENCRYPTION -- CONTENT-ENCRYPTION
-- --
-- Describes the basic properities of a symetric encryption -- Describes the basic properties of a content encryption
-- algorithm -- algorithm
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the content
-- &Params - contains the type for the algoithm parameters, -- encryption algorithm
-- if present; absent implies no paameters -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paramters
-- &paramPresence - parameter presence requirement -- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
-- --
-- Example: -- Example:
-- cms3DESwrap KEY-WRAP ::= { -- cea-3DES-cbc CONTENT-ENCRYPTION ::= {
-- IDENTIFIER id-alg-CMS3DESwrap -- IDENTIFIER des-ede3-cbc
-- PARAMS TYPE NULL ARE required -- PARAMS TYPE IV ARE required
-- SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
-- } -- }
CONTENT-ENCRYPTION ::= CLASS { CONTENT-ENCRYPTION ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent, &paramPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL &smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
-- ALGORITHM -- ALGORITHM
-- --
-- Describes a generic algorithm identifier -- Describes a generic algorithm identifier
-- --
-- &id - contains the OID identifying the key transport algorithm -- &id - contains the OID identifying the algorithm
-- &Params - contains the type for the algoithm parameters, -- &Params - contains the type for the algorithm parameters,
-- if present; absent implies no paameters -- if present; absent implies no paramters
-- &paramPresence - parameter presence requirement
-- &smimeCaps - contains the object describing how the S/MIME
-- capabilities are presented.
-- --
-- This would be used for cases where an unknown algorithm is -- This would be used for cases where an unknown algorithm is
-- used. One should consider using TYPE-IDENTIFIER in these cases. -- used. One should consider using TYPE-IDENTIFIER in these cases.
ALGORITHM ::= CLASS { ALGORITHM ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Params OPTIONAL, &Params OPTIONAL,
&paramPresence ParamOptions DEFAULT absent, &paramPresence ParamOptions DEFAULT absent,
&smimeCaps SMIME-CAPS OPTIONAL &smimeCaps SMIME-CAPS OPTIONAL
} WITH SYNTAX { } WITH SYNTAX {
IDENTIFIER &id IDENTIFIER &id
[PARAMS [TYPE &Params] ARE &paramPresence] [PARAMS [TYPE &Params] ARE &paramPresence]
[SMIME CAPS &smimeCaps] [SMIME-CAPS &smimeCaps]
} }
-- AlgorithmIdentifier -- AlgorithmIdentifier
-- --
-- Provides the generic structure that is used to encode algorithm -- Provides the generic structure that is used to encode algorithm
-- identification and the parameters associated with the -- identification and the parameters associated with the
-- algorithm. -- algorithm.
-- --
-- The first parameter represents the type of the algorithm being -- The first parameter represents the type of the algorithm being
-- used. -- used.
-- The second parameter represents a object set containing the set of -- The second parameter represents an object set containing the
-- algorithms that may occur in this situation. -- algorithms that may occur in this situation.
-- The first set of required algorithms should occur to the left -- The initial list of required algorithms should occur to the
-- of an extension marker, all other algorithms should occur to -- left of an extension marker, all other algorithms should
-- the right of an extension marker. -- occur to the right of an extension marker.
-- --
-- The object class ALGORITHM can be used for generic unspecified -- The object class ALGORITHM can be used for generic unspecified
-- items. -- items.
-- If new ALGORITHM objects are defined, the fields &id and &Params -- If new ALGORITHM objects are defined, the fields &id and &Params
-- need to be present as field in the object. -- need to be present as field in the object.
-- --
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::= AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE { SEQUENCE {
algorithm ALGORITHM-TYPE.&id({AlgorithmSet}), algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
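Review bot: the corrected comment for &Params in the ALGORITHM description still has a typo on the new side, "absent implies no paramters"; it should read "parameters". In the AlgorithmIdentifier comment, "need to be present as field in the object" is unchanged and should be "as fields", and the reworded sentence about the extension marker joins two clauses with a comma where a semicolon or a full stop is needed.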
skipping to change at page 13, line 4 skipping to change at page 14, line 26
-- If new ALGORITHM objects are defined, the fields &id and &Params -- If new ALGORITHM objects are defined, the fields &id and &Params
-- need to be present as field in the object. -- need to be present as field in the object.
-- --
AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::= AlgorithmIdentifier{ALGORITHM-TYPE, ALGORITHM-TYPE:AlgorithmSet} ::=
SEQUENCE { SEQUENCE {
algorithm ALGORITHM-TYPE.&id({AlgorithmSet}), algorithm ALGORITHM-TYPE.&id({AlgorithmSet}),
parameters ALGORITHM-TYPE. parameters ALGORITHM-TYPE.
&Params({AlgorithmSet}{@algorithm}) OPTIONAL &Params({AlgorithmSet}{@algorithm}) OPTIONAL
} }
-- S/MIME Capabilities -- S/MIME Capabilities
-- --
-- We have moved the SMIME-CAPS out of rfc3851.asn to here since it -- We have moved the SMIME-CAPS from the module for RFC 3851 to here
-- is used in the PKIX document RFC 4262 - Use of S/MIME Caps in -- because it is used in the PKIX document RFC 4262 - Use of S/MIME
-- certificate extension -- Caps in certificate extension
-- --
-- --
-- This class is used to represent an S/MIME capability. S/MIME -- This class is used to represent an S/MIME capability. S/MIME
-- capabilities are used to represent what algorithm capabilities -- capabilities are used to represent what algorithm capabilities
-- an individual has. The classic example was the content encryption -- an individual has. The classic example was the content encryption
-- algorithm RC2 where the algorithm id and the RC2 key lengths -- algorithm RC2 where the algorithm id and the RC2 key lengths
-- supported needed to be advertised, but the IV used is not fixed. -- supported needed to be advertised, but the IV used is not fixed.
-- Thus for RC2 we used -- Thus for RC2 we used
-- --
-- cap-RC2CBC SMIME-CAPS ::= { -- cap-RC2CBC SMIME-CAPS ::= {
-- TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc } -- TYPE INTEGER ( 40 | 128 ) IDENTIFIED BY rc2-cbc }
-- --
-- where 40 and 128 represent the RC2 key length in number of bits. -- where 40 and 128 represent the RC2 key length in number of bits.
-- --
-- Another example where infomation needs to be shown is for -- Another example where information needs to be shown is for
-- RSA-OAEP where only specific hash functions or mask generation -- RSA-OAEP where only specific hash functions or mask generation
-- functions are suppoted, but the saltLength is specified by the -- functions are supported, but the saltLength is specified by the
-- sender and not the recipient. In this case one can either -- sender and not the recipient. In this case one can either
-- generate a number of different capability items are generated, -- generate a number of capability items,
-- or a new S/MIME capability type could be generated where -- or a new S/MIME capability type could be generated where
-- multiple hash functions could be specified. -- multiple hash functions could be specified.
-- --
-- --
-- SMIME-CAP -- SMIME-CAP
-- --
-- This class is used to associate the type descibing capabilities -- This class is used to associate the type describing capabilities
-- with the object identifier. -- with the object identifier.
-- --
SMIME-CAPS ::= CLASS { SMIME-CAPS ::= CLASS {
&id OBJECT IDENTIFIER UNIQUE, &id OBJECT IDENTIFIER UNIQUE,
&Type OPTIONAL &Type OPTIONAL
} }
WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id } WITH SYNTAX { [TYPE &Type] IDENTIFIED BY &id }
-- --
-- Generic type - this is used for defining values. -- Generic type - this is used for defining values.
-- --
-- Parameterized Type - this is used in structures to allow for -- Define a single S/MIME capability encoding
-- automatic decoding to occur on capaiblity parameters for a
-- specific set of values.
SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE { SMIMECapability{SMIME-CAPS:CapabilitySet} ::= SEQUENCE {
capabilityID SMIME-CAPS.&id({CapabilitySet}), capabilityID SMIME-CAPS.&id({CapabilitySet}),
parameters SMIME-CAPS.&Type({CapabilitySet} parameters SMIME-CAPS.&Type({CapabilitySet}
{@capabilityID}) OPTIONAL {@capabilityID}) OPTIONAL
} }
-- Parameterized Type - this is used in structures to all for -- Define a sequence of S/MIME capability value
-- automatic decoding to occur on capability parametes for a
-- specific set of values.
SMIMECapabilities { SMIME-CAPS : CapabilitySet } ::= SMIMECapabilities { SMIME-CAPS : CapabilitySet } ::=
SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} } SEQUENCE SIZE (1..MAX) OF SMIMECapability{{CapabilitySet} }
END END
3. ASN.1 Module for RFC 3370 3. ASN.1 Module for RFC 3370
CryptographicMessageSyntaxAlgorithms CryptographicMessageSyntaxAlgorithms-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) } smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM, PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM, KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier{}, SMIME-CAPS AlgorithmIdentifier{}, SMIME-CAPS
FROM AlgorithmInformation FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)} mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
pk-rsa, pk-dh, pk-dsa, pk-rsa, pk-dh, pk-dsa, rsaEncryption, DHPublicKey, dhpublicnumber
rsaEncryption, DHPublicKey, dhpublicnumber FROM PKIXAlgs-2009
FROM {iso(1) identified-organization(3) dod(6)
PKIXAlgs-2008 { iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 995 } id-mod-pkix1-algorithms2008-02(56)}
cap-RC2CBC cap-RC2CBC
FROM SecureMimeMessageV3dot1 FROM SecureMimeMessageV3dot1-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) msg-v3dot1(21) } smime(16) modules(0) id-mod-msg-v3dot1-02(39)};
;
-- 2. Hash algorthms in this document -- 2. Hash algorthms in this document
MessageDigestAlgs DIGEST-ALGORITHM ::= { MessageDigestAlgs DIGEST-ALGORITHM ::= {
-- mda-md5 | -- mda-md5 | mda-sha1,
-- mda-sha1,
... } ... }
-- 3. Signature algorithms in this document -- 3. Signature algorithms in this document
SignatureAlgs SIGNATURE-ALGORITHM ::= { SignatureAlgs SIGNATURE-ALGORITHM ::= {
-- See rfc3279.asn -- See RFC 3279
-- sa-dsaWithSHA1 | -- sa-dsaWithSHA1 | sa-rsaWithMD5 | sa-rsaWithSHA1,
-- sa-rsaWithMD5 |
-- sa-rsaWithSHA1,
... } ... }
-- 4. Key Managment Algorithms -- 4. Key Managment Algorithms
-- 4.1 Key Agreement Algorithms -- 4.1 Key Agreement Algorithms
KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...} KeyAgreementAlgs KEY-AGREE ::= { kaa-esdh | kaa-ssdh, ...}
KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...} KeyAgreePublicKeys PUBLIC-KEY ::= { pk-dh, ...}
-- 4.2 Key Transport Algorithms -- 4.2 Key Transport Algorithms
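Review bot: two section comments in the CryptographicMessageSyntaxAlgorithms-2009 module are still misspelled on both sides, "-- 2. Hash algorthms in this document" and "-- 4. Key Managment Algorithms", although this revision fixes "infomation", "suppoted" and "descibing" a few lines earlier; correct them to "algorithms" and "Management" in the same pass. The new comment "Define a sequence of S/MIME capability value" should read "values", and the "Generic type - this is used for defining values." comment above SMIMECapability no longer introduces any definition and can be dropped or attached to the type it was meant for.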
skipping to change at page 15, line 35 skipping to change at page 17, line 4
-- 4.2 Key Transport Algorithms -- 4.2 Key Transport Algorithms
KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... } KeyTransportAlgs KEY-TRANSPORT ::= { kt-rsa, ... }
-- 4.3 Symmetric Key-Encryption Key Algorithms -- 4.3 Symmetric Key-Encryption Key Algorithms
KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... } KeyWrapAlgs KEY-WRAP ::= { kwa-3DESWrap | kwa-RC2Wrap, ... }
-- 4.4 Key Derivation Algorithms -- 4.4 Key Derivation Algorithms
KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... } KeyDerivationAlgs KEY-DERIVATION ::= { kda-PBKDF2, ... }
-- 5. Content Encryption Algorithms -- 5. Content Encryption Algorithms
ContentEncryptionAlgs CONTENT-ENCRYPTION ::= ContentEncryptionAlgs CONTENT-ENCRYPTION ::=
{ cea-3DES-cbc | cea-RC2-cbc, ... } { cea-3DES-cbc | cea-RC2-cbc, ... }
-- 6. Message Authenticaiton Code Algorithms -- 6. Message Authentication Code Algorithms
MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... } MessageAuthAlgs MAC-ALGORITHM ::= { maca-hMAC-SHA1, ... }
-- SMIME Capabilities for these items -- SMIME Capabilities for these items
SMimeCaps SMIME-CAPS ::= { SMimeCaps SMIME-CAPS ::= {
kaa-esdh.&smimeCaps | kaa-esdh.&smimeCaps |
kaa-ssdh.&smimeCaps | kaa-ssdh.&smimeCaps |
kt-rsa.&smimeCaps | kt-rsa.&smimeCaps |
kwa-3DESWrap.&smimeCaps | kwa-3DESWrap.&smimeCaps |
skipping to change at page 17, line 17 skipping to change at page 18, line 33
IV ::= OCTET STRING -- exactly 8 octets IV ::= OCTET STRING -- exactly 8 octets
RC2CBCParameter ::= SEQUENCE { RC2CBCParameter ::= SEQUENCE {
rc2ParameterVersion INTEGER (1..256), rc2ParameterVersion INTEGER (1..256),
iv OCTET STRING } -- exactly 8 octets iv OCTET STRING } -- exactly 8 octets
maca-hMAC-SHA1 MAC-ALGORITHM ::= { maca-hMAC-SHA1 MAC-ALGORITHM ::= {
IDENTIFIER hMAC-SHA1 IDENTIFIER hMAC-SHA1
PARAMS TYPE NULL ARE preferredAbsent PARAMS TYPE NULL ARE preferredAbsent
IS KEYED MAC TRUE IS-KEYED-MAC TRUE
SMIME CAPS {IDENTIFIED BY hMAC-SHA1} SMIME-CAPS {IDENTIFIED BY hMAC-SHA1}
} }
-- Another way to do the following would be:
-- alg-hMAC-SHA1 AlgorithmIdentifier{{PBKDF2-PRFs}} ::=
-- { algorithm hMAC-SHA1, parameters NULL:NULL }
PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM, PBKDF2-PRFsAlgorithmIdentifier ::= AlgorithmIdentifier{ ALGORITHM,
{PBKDF2-PRFs} } {PBKDF2-PRFs} }
alg-hMAC-SHA1 -- PBKDF2-PRFsAlgorithmIdentifier ::= alg-hMAC-SHA1 ALGORITHM ::=
ALGORITHM ::=
{ IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required } { IDENTIFIER hMAC-SHA1 PARAMS TYPE NULL ARE required }
PBKDF2-SaltSources ALGORITHM ::= { ... }
PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... } PBKDF2-PRFs ALGORITHM ::= { alg-hMAC-SHA1, ... }
PBKDF2-SaltSources ALGORITHM ::= { ... }
PBKDF2-SaltSourcesAlgorithmIdentifier ::= PBKDF2-SaltSourcesAlgorithmIdentifier ::=
AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}} AlgorithmIdentifier {ALGORITHM, {PBKDF2-SaltSources}}
defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::= defaultPBKDF2 PBKDF2-PRFsAlgorithmIdentifier ::=
{ algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL } { algorithm alg-hMAC-SHA1.&id, parameters NULL:NULL }
PBKDF2-params ::= SEQUENCE { PBKDF2-params ::= SEQUENCE {
salt CHOICE { salt CHOICE {
specified OCTET STRING, specified OCTET STRING,
otherSource PBKDF2-SaltSourcesAlgorithmIdentifier }, otherSource PBKDF2-SaltSourcesAlgorithmIdentifier },
iterationCount INTEGER (1..MAX), iterationCount INTEGER (1..MAX),
keyLength INTEGER (1..MAX) OPTIONAL, keyLength INTEGER (1..MAX) OPTIONAL,
prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT prf PBKDF2-PRFsAlgorithmIdentifier DEFAULT
defaultPBKDF2 defaultPBKDF2
} }
-- --
-- This object is included for completeness. It should not be used -- This object is included for completeness. It should not be used
-- for encoding of signtures, but was sometimes used in older -- for encoding of signatures, but was sometimes used in older
-- versions of CMS for encoding of RSA signatures. -- versions of CMS for encoding of RSA signatures.
-- --
-- --
-- sa-rsa SIGNATURE-ALGORITHM ::= { -- sa-rsa SIGNATURE-ALGORITHM ::= {
-- IDENTIFIER rsaEncryption -- IDENTIFIER rsaEncryption
-- - - value is not ASN.1 encoded -- - - value is not ASN.1 encoded
-- PARAMS TYPE NULL ARE required -- PARAMS TYPE NULL ARE required
-- HASHES {mda-sha1 | mda-md5, ...} -- HASHES {mda-sha1 | mda-md5, ...}
-- PUBLIC KEYS { pk-rsa} -- PUBLIC-KEYS { pk-rsa}
-- } -- }
-- --
-- No ASN.1 encoding is applied to the signature value -- No ASN.1 encoding is applied to the signature value
-- for these items -- for these items
kaa-esdh KEY-AGREE ::= { kaa-esdh KEY-AGREE ::= {
IDENTIFIER id-alg-ESDH IDENTIFIER id-alg-ESDH
PARAMS TYPE KeyWrapAlgorithm ARE required PARAMS TYPE KeyWrapAlgorithm ARE required
PUBLIC KEYS { pk-dh } PUBLIC-KEYS { pk-dh }
-- UKM is not ASN.1 encoded -- UKM is not ASN.1 encoded
UKM ARE optional UKM ARE optional
SMIME CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH} SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-ESDH}
} }
kaa-ssdh KEY-AGREE ::= { kaa-ssdh KEY-AGREE ::= {
IDENTIFIER id-alg-SSDH IDENTIFIER id-alg-SSDH
PARAMS TYPE KeyWrapAlgorithm ARE required PARAMS TYPE KeyWrapAlgorithm ARE required
PUBLIC KEYS {pk-dh} PUBLIC-KEYS {pk-dh}
-- UKM is not ASN.1 encoded -- UKM is not ASN.1 encoded
UKM ARE optional UKM ARE optional
SMIME CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH} SMIME-CAPS {TYPE KeyWrapAlgorithm IDENTIFIED BY id-alg-SSDH}
} }
dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber dh-public-number OBJECT IDENTIFIER ::= dhpublicnumber
pk-originator-dh PUBLIC-KEY ::= { pk-originator-dh PUBLIC-KEY ::= {
IDENTIFIER dh-public-number IDENTIFIER dh-public-number
KEY DHPublicKey KEY DHPublicKey
PARAMS ARE absent PARAMS ARE absent
CERT KEY USAGE {keyAgreement, encipherOnly, decipherOnly} CERT-KEY-USAGE {keyAgreement, encipherOnly, decipherOnly}
} }
kwa-3DESWrap KEY-WRAP ::= { kwa-3DESWrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMS3DESwrap IDENTIFIER id-alg-CMS3DESwrap
PARAMS TYPE NULL ARE required PARAMS TYPE NULL ARE required
SMIME CAPS {IDENTIFIED BY id-alg-CMSRC2wrap} SMIME-CAPS {IDENTIFIED BY id-alg-CMS3DESwrap}
} }
kwa-RC2Wrap KEY-WRAP ::= { kwa-RC2Wrap KEY-WRAP ::= {
IDENTIFIER id-alg-CMSRC2wrap IDENTIFIER id-alg-CMSRC2wrap
PARAMS TYPE RC2wrapParameter ARE required PARAMS TYPE RC2wrapParameter ARE required
SMIME CAPS { IDENTIFIED BY id-alg-CMSRC2wrap } SMIME-CAPS { IDENTIFIED BY id-alg-CMSRC2wrap }
} }
kda-PBKDF2 KEY-DERIVATION ::= { kda-PBKDF2 KEY-DERIVATION ::= {
IDENTIFIER id-PBKDF2 IDENTIFIER id-PBKDF2
PARAMS TYPE PBKDF2-params ARE required PARAMS TYPE PBKDF2-params ARE required
-- No s/mime caps defined -- No s/mime caps defined
} }
cea-3DES-cbc CONTENT-ENCRYPTION ::= { cea-3DES-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER des-ede3-cbc IDENTIFIER des-ede3-cbc
PARAMS TYPE IV ARE required PARAMS TYPE IV ARE required
SMIME CAPS { IDENTIFIED BY des-ede3-cbc } SMIME-CAPS { IDENTIFIED BY des-ede3-cbc }
} }
cea-RC2-cbc CONTENT-ENCRYPTION ::= { cea-RC2-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER rc2-cbc IDENTIFIER rc2-cbc
PARAMS TYPE RC2CBCParameter ARE required PARAMS TYPE RC2CBCParameter ARE required
SMIME CAPS cap-RC2CBC SMIME-CAPS cap-RC2CBC
} }
kt-rsa KEY-TRANSPORT ::= { kt-rsa KEY-TRANSPORT ::= {
IDENTIFIER rsaEncryption IDENTIFIER rsaEncryption
PARAMS TYPE NULL ARE required PARAMS TYPE NULL ARE required
PUBLIC KEYS { pk-rsa } PUBLIC-KEYS { pk-rsa }
SMIME CAPS {IDENTIFIED BY rsaEncryption} SMIME-CAPS {IDENTIFIED BY rsaEncryption}
} }
-- S/MIME Capabilities - most have no label. -- S/MIME Capabilities - most have no label.
cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap } cap-3DESwrap SMIME-CAPS ::= { IDENTIFIED BY id-alg-CMS3DESwrap }
END END
4. ASN.1 Module for RFC 3565 4. ASN.1 Module for RFC 3565
CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549) CMSAesRsaesOaep-2009 {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) } pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38)}
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS CONTENT-ENCRYPTION, KEY-WRAP, SMIME-CAPS
FROM AlgorithmInformation FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)} mechanisms(5) pkix(7) id-mod(0)
; id-mod-algorithmInformation-02(58)};
AES-ContentEncryption CONTENT-ENCRYPTION ::= { AES-ContentEncryption CONTENT-ENCRYPTION ::= {
cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ... cea-aes128-cbc | cea-aes192-cbc | cea-aes256-cbc, ...
} }
AES-KeyWrap KEY-WRAP ::= { AES-KeyWrap KEY-WRAP ::= {
kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ... kwa-aes128-wrap | kwa-aes192-wrap | kwa-aes256-wrap, ...
} }
SMimeCaps SMIME-CAPS ::= { SMimeCaps SMIME-CAPS ::= {
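Review bot: the capability { IDENTIFIED BY id-alg-CMS3DESwrap } is now stated twice, inline in kwa-3DESWrap and again as cap-3DESwrap at the end of the module, and in the lines shown nothing refers to cap-3DESwrap. The corrected OID in kwa-3DESWrap (previously id-alg-CMSRC2wrap) is right, but writing the clause as "SMIME-CAPS cap-3DESwrap", the way cea-RC2-cbc uses "SMIME-CAPS cap-RC2CBC", would state the identifier once and make this kind of copy-and-paste slip harder to repeat. Separately, maca-hMAC-SHA1 declares its NULL parameters "preferredAbsent" while alg-hMAC-SHA1 declares them "required" for the same hMAC-SHA1 identifier; with the explanatory comment above PBKDF2-PRFsAlgorithmIdentifier removed, a one-line comment saying why the PBKDF2 PRF form differs would help implementers who validate parameter presence.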
skipping to change at page 20, line 35 skipping to change at page 21, line 43
kwa-aes192-wrap.&smimeCaps | kwa-aes192-wrap.&smimeCaps |
kwa-aes256-wrap.&smimeCaps, ... kwa-aes256-wrap.&smimeCaps, ...
} }
-- AES information object identifiers -- -- AES information object identifiers --
aes OBJECT IDENTIFIER ::= aes OBJECT IDENTIFIER ::=
{ joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101) { joint-iso-itu-t(2) country(16) us(840) organization(1) gov(101)
csor(3) nistAlgorithms(4) 1 } csor(3) nistAlgorithms(4) 1 }
-- AES using CBC-chaining mode for key sizes of 128, 192, 256 -- AES using CBC mode for key sizes of 128, 192, 256
id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }
id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }
id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }
cea-aes128-cbc CONTENT-ENCRYPTION ::= { cea-aes128-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-CBC IDENTIFIER id-aes128-CBC
PARAMS TYPE AES-IV ARE required PARAMS TYPE AES-IV ARE required
SMIME CAPS { IDENTIFIED BY id-aes128-CBC } SMIME-CAPS { IDENTIFIED BY id-aes128-CBC }
} }
id-aes128-CBC OBJECT IDENTIFIER ::= { aes 2 }
cea-aes192-cbc CONTENT-ENCRYPTION ::= { cea-aes192-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes192-CBC IDENTIFIER id-aes192-CBC
PARAMS TYPE AES-IV ARE required PARAMS TYPE AES-IV ARE required
SMIME CAPS { IDENTIFIED BY id-aes192-CBC } SMIME-CAPS { IDENTIFIED BY id-aes192-CBC }
} }
id-aes192-CBC OBJECT IDENTIFIER ::= { aes 22 }
cea-aes256-cbc CONTENT-ENCRYPTION ::= { cea-aes256-cbc CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes256-CBC IDENTIFIER id-aes256-CBC
PARAMS TYPE AES-IV ARE required PARAMS TYPE AES-IV ARE required
SMIME CAPS { IDENTIFIED BY id-aes256-CBC } SMIME-CAPS { IDENTIFIED BY id-aes256-CBC }
} }
id-aes256-CBC OBJECT IDENTIFIER ::= { aes 42 }
-- AES-IV is a the parameter for all the above object identifiers. -- AES-IV is the parameter for all the above object identifiers.
AES-IV ::= OCTET STRING (SIZE(16)) AES-IV ::= OCTET STRING (SIZE(16))
-- AES Key Wrap Algorithm Identifiers - Parameter is absent -- AES Key Wrap Algorithm Identifiers - Parameter is absent
id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
kwa-aes128-wrap KEY-WRAP ::= { kwa-aes128-wrap KEY-WRAP ::= {
IDENTIFIER id-aes128-wrap IDENTIFIER id-aes128-wrap
PARAMS ARE absent PARAMS ARE absent
SMIME CAPS { IDENTIFIED BY id-aes128-wrap } SMIME-CAPS { IDENTIFIED BY id-aes128-wrap }
} }
id-aes128-wrap OBJECT IDENTIFIER ::= { aes 5 }
kwa-aes192-wrap KEY-WRAP ::= { kwa-aes192-wrap KEY-WRAP ::= {
IDENTIFIER id-aes192-wrap IDENTIFIER id-aes192-wrap
PARAMS ARE absent PARAMS ARE absent
SMIME CAPS { IDENTIFIED BY id-aes192-wrap } SMIME-CAPS { IDENTIFIED BY id-aes192-wrap }
} }
id-aes192-wrap OBJECT IDENTIFIER ::= { aes 25 }
kwa-aes256-wrap KEY-WRAP ::= { kwa-aes256-wrap KEY-WRAP ::= {
IDENTIFIER id-aes256-wrap IDENTIFIER id-aes256-wrap
PARAMS ARE absent PARAMS ARE absent
SMIME CAPS { IDENTIFIED BY id-aes256-wrap } SMIME-CAPS { IDENTIFIED BY id-aes256-wrap }
} }
id-aes256-wrap OBJECT IDENTIFIER ::= { aes 45 }
END END
5. ASN.1 Module for RFC 3851 5. ASN.1 Module for RFC 3851
SecureMimeMessageV3dot1 SecureMimeMessageV3dot1-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) msg-v3dot1(21) } smime(16) modules(0) id-mod-msg-v3dot1-02(39)}
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
SMIME-CAPS, SMIMECapabilities{} SMIME-CAPS, SMIMECapabilities{}
FROM AlgorithmInformation FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)} mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
ATTRIBUTE ATTRIBUTE
FROM PKIX-CommonTypes FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57)}
SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier SubjectKeyIdentifier, IssuerAndSerialNumber, RecipientKeyIdentifier
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } smime(16) modules(0) id-mod-cms-2004-02(41)}
rc2-cbc, SMimeCaps rc2-cbc, SMimeCaps
FROM CryptographicMessageSyntaxAlgorithms FROM CryptographicMessageSyntaxAlgorithms-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) } smime(16) modules(0) id-mod-cmsalg-2001-02(37)}
SMimeCaps SMimeCaps
FROM PKIXAlgs-2008 { iso(1) identified-organization(3) dod(6) FROM PKIXAlgs-2009
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) 995 } {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-algorithms2008-02(56)}
SMimeCaps SMimeCaps
FROM PKIX1-PSS-OAEP-Algorithms FROM PKIX1-PSS-OAEP-Algorithms-2009
{ iso(1) identified-organization(3) dod(6) {iso(1) identified-organization(3) dod(6) internet(1)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs(33) } id-mod-pkix1-rsa-pkalgs-02(54)};
;
SMimeAttributeSet ATTRIBUTE ::= SMimeAttributeSet ATTRIBUTE ::=
{ aa-smimeCapabilities | aa-encrypKeyPref, ... } { aa-smimeCapabilities | aa-encrypKeyPref, ... }
-- id-aa is the arc with all new authenticated and unauthenticated -- id-aa is the arc with all new authenticated and unauthenticated
-- attributes produced the by S/MIME Working Group -- attributes produced by the S/MIME Working Group
id-aa OBJECT IDENTIFIER ::= id-aa OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) usa(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) attributes(2)} smime(16) attributes(2)}
-- S/MIME Capabilities provides a method of broadcasting the symmetric -- S/MIME Capabilities provides a method of broadcasting the symmetric
-- capabilities understood. Algorithms SHOULD be ordered by -- capabilities understood. Algorithms SHOULD be ordered by
-- preference and grouped by type -- preference and grouped by type
aa-smimeCapabilities ATTRIBUTE ::= aa-smimeCapabilities ATTRIBUTE ::=
{ TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY { TYPE SMIMECapabilities{{SMimeCapsSet}} IDENTIFIED BY
smimeCapabilities } smimeCapabilities }
smimeCapabilities OBJECT IDENTIFIER ::= smimeCapabilities OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
15 } 15 }
SMimeCapsSet SMIME-CAPS ::= SMimeCapsSet SMIME-CAPS ::=
{ cap-preferBinaryInside | cap-RC2CBC | { cap-preferBinaryInside | cap-RC2CBC |
PKIXAlgs-2008.SMimeCaps | PKIXAlgs-2009.SMimeCaps |
CryptographicMessageSyntaxAlgorithms.SMimeCaps | CryptographicMessageSyntaxAlgorithms-2009.SMimeCaps |
PKIX1-PSS-OAEP-Algorithms.SMimeCaps, ... } PKIX1-PSS-OAEP-Algorithms-2009.SMimeCaps, ... }
--- Encryption Key Preference provides a method of broadcasting the -- Encryption Key Preference provides a method of broadcasting the
-- preferred encryption certificate. -- preferred encryption certificate.
aa-encrypKeyPref ATTRIBUTE ::= aa-encrypKeyPref ATTRIBUTE ::=
{ TYPE SMIMEEncryptionKeyPreference { TYPE SMIMEEncryptionKeyPreference
IDENTIFIED BY id-aa-encrypKeyPref } IDENTIFIED BY id-aa-encrypKeyPref }
id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11} id-aa-encrypKeyPref OBJECT IDENTIFIER ::= {id-aa 11}
SMIMEEncryptionKeyPreference ::= CHOICE { SMIMEEncryptionKeyPreference ::= CHOICE {
issuerAndSerialNumber [0] IssuerAndSerialNumber, issuerAndSerialNumber [0] IssuerAndSerialNumber,
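Review bot: the renamed imports leave a mutual dependency between two modules: SecureMimeMessageV3dot1-2009 imports "rc2-cbc, SMimeCaps" from CryptographicMessageSyntaxAlgorithms-2009, while that module imports cap-RC2CBC from SecureMimeMessageV3dot1-2009. ASN.1 permits this, but the two modules then have to be compiled together, so it deserves a comment in the IMPORTS, or cap-RC2CBC could be defined next to rc2-cbc so that the dependency runs one way. A smaller point in the same hunk: the id-aa value still writes usa(840) where every other identifier here writes us(840); the encoding is unaffected, but the name form should be made consistent.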
skipping to change at page 23, line 46 skipping to change at page 25, line 4
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 16 }
id-cap OBJECT IDENTIFIER ::= { id-smime 11 } id-cap OBJECT IDENTIFIER ::= { id-smime 11 }
-- The preferBinaryInside indicates an ability to receive messages -- The preferBinaryInside indicates an ability to receive messages
-- with binary encoding inside the CMS wrapper -- with binary encoding inside the CMS wrapper
cap-preferBinaryInside SMIME-CAPS ::= cap-preferBinaryInside SMIME-CAPS ::=
{ -- No value -- IDENTIFIED BY id-cap-preferBinaryInside } { -- No value -- IDENTIFIED BY id-cap-preferBinaryInside }
id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 } id-cap-preferBinaryInside OBJECT IDENTIFIER ::= { id-cap 1 }
-- The following list the OIDs to be used with S/MIME V3 -- The following list OIDs to be used with S/MIME V3
-- Signature Algorithms Not Found in [CMSALG] -- Signature Algorithms Not Found in [CMSALG]
-- --
-- md2WithRSAEncryption OBJECT IDENTIFIER ::= -- md2WithRSAEncryption OBJECT IDENTIFIER ::=
-- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1) -- {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-1(1)
-- 2} -- 2}
-- --
-- Other Signed Attributes -- Other Signed Attributes
-- --
-- signingTime OBJECT IDENTIFIER ::= -- signingTime OBJECT IDENTIFIER ::=
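Review bot: the reworded comment "The following list OIDs to be used with S/MIME V3" drops the article but leaves the subject and verb disagreeing; "The following lists the OIDs to be used with S/MIME V3" reads correctly. In the unchanged context above it, id-smime spells the arc pkcs9(9) where the other values on this page use pkcs-9(9); the value is the same, but the name form could be aligned while this section is being touched.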
skipping to change at page 24, line 41 skipping to change at page 25, line 46
RevocationInfoChoice ::= CHOICE { RevocationInfoChoice ::= CHOICE {
crl CertificateList, crl CertificateList,
..., ...,
[[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] } [[5: other [1] IMPLICIT OtherRevocationInfoFormat ]] }
Similarly, this module adds the ASN.1 idiom for extensiblity (the Similarly, this module adds the ASN.1 idiom for extensiblity (the
"...,") in all places that have been extended in the past. See the "...,") in all places that have been extended in the past. See the
example above. example above.
CryptographicMessageSyntax2004 CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- Set MAX and MIN for attributes
IMPORTS IMPORTS
ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM, ParamOptions, DIGEST-ALGORITHM, SIGNATURE-ALGORITHM,
PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM, PUBLIC-KEY, KEY-DERIVATION, KEY-WRAP, MAC-ALGORITHM,
KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM, KEY-AGREE, KEY-TRANSPORT, CONTENT-ENCRYPTION, ALGORITHM,
AlgorithmIdentifier AlgorithmIdentifier
FROM AlgorithmInformation FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)} mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs, SignatureAlgs, MessageDigestAlgs, KeyAgreementAlgs,
MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs, MessageAuthAlgs, KeyWrapAlgs, ContentEncryptionAlgs,
KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys KeyTransportAlgs, KeyDerivationAlgs, KeyAgreePublicKeys
FROM CryptographicMessageSyntaxAlgorithms FROM CryptographicMessageSyntaxAlgorithms-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) } smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
Certificate, CertificateList, CertificateSerialNumber, Certificate, CertificateList, CertificateSerialNumber,
Name, ATTRIBUTE Name, ATTRIBUTE
FROM PKIX1Explicit88 FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-pkix1-explicit(18) } id-mod-pkix1-explicit-02(51) }
AttributeCertificate AttributeCertificate
FROM PKIXAttributeCertificate FROM PKIXAttributeCertificate-2009
{ iso(1) identified-organization(3) dod(6) internet(1) { iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) pkix(7) id-mod(0) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-attribute-cert(12) } id-mod-attribute-cert-02(47) }
AttributeCertificateV1 AttributeCertificateV1
FROM AttributeCertificateVersion1 FROM AttributeCertificateVersion1-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) v1AttrCert(15) } ; smime(16) modules(0) id-mod-v1AttrCert-02(49) } ;
-- Cryptographic Message Syntax -- Cryptographic Message Syntax
-- The following are used for version numbers using the ASN.1 -- The following are used for version numbers using the ASN.1
-- idiom "[[n:" -- idiom "[[n:"
-- Version 1 = PKCS #7 -- Version 1 = PKCS #7
-- Version 2 = S/MIME V2 -- Version 2 = S/MIME V2
-- Version 3 = RFC 2630 -- Version 3 = RFC 2630
-- Version 4 = RFC 3369 -- Version 4 = RFC 3369
-- Version 5 = RFC 3852 -- Version 5 = RFC 3852
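Review bot: ATTRIBUTE is imported here from PKIX1Explicit-2009 ("Name, ATTRIBUTE FROM PKIX1Explicit-2009"), whereas the SecureMimeMessageV3dot1-2009 module earlier on this page imports ATTRIBUTE from PKIX-CommonTypes-2009; both modules should take the class from the same source module so that readers and tools resolve a single definition. The import list also names AlgorithmIdentifier without the trailing "{}" that the CryptographicMessageSyntaxAlgorithms-2009 import uses for the same parameterized type, and the prose line before the module header still reads "extensiblity" on both sides.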
skipping to change at page 26, line 47 skipping to change at page 27, line 51
unsignedAttrs [1] IMPLICIT Attributes unsignedAttrs [1] IMPLICIT Attributes
{{UnsignedAttributes}} OPTIONAL } {{UnsignedAttributes}} OPTIONAL }
SignedAttributes ::= Attributes {{ SignedAttributesSet }} SignedAttributes ::= Attributes {{ SignedAttributesSet }}
SignerIdentifier ::= CHOICE { SignerIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
..., ...,
[[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] } [[3: subjectKeyIdentifier [0] SubjectKeyIdentifier ]] }
-- M00QUEST - should we add in the ESS & S/MIME attributes or
-- leave them out
SignedAttributesSet ATTRIBUTE ::= SignedAttributesSet ATTRIBUTE ::=
{ aa-signingTime | aa-messageDigest | aa-contentType, ... } { aa-signingTime | aa-messageDigest | aa-contentType, ... }
UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... } UnsignedAttributes ATTRIBUTE ::= { aa-countersignature, ... }
SignatureValue ::= OCTET STRING SignatureValue ::= OCTET STRING
EnvelopedData ::= SEQUENCE { EnvelopedData ::= SEQUENCE {
version CMSVersion, version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos, recipientInfos RecipientInfos,
encryptedContentInfo EncryptedContentInfo, encryptedContentInfo EncryptedContentInfo,
..., ...,
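Review bot: The M00QUEST question above SignedAttributesSet (whether to add the ESS and S/MIME attributes) is carried by only one of the two versions, while the set itself is identical in both: { aa-signingTime | aa-messageDigest | aa-contentType, ... }. The outcome should be recorded in the module rather than left to be inferred from the diff. A short comment on SignedAttributesSet would do, saying that further attributes are admitted through the extension marker and that the ESS attributes are collected separately in EssSignedAttributes in the ESS module.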
skipping to change at page 28, line 34 skipping to change at page 29, line 36
OriginatorIdentifierOrKey ::= CHOICE { OriginatorIdentifierOrKey ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier [0] SubjectKeyIdentifier, subjectKeyIdentifier [0] SubjectKeyIdentifier,
originatorKey [1] OriginatorPublicKey } originatorKey [1] OriginatorPublicKey }
OriginatorPublicKey ::= SEQUENCE { OriginatorPublicKey ::= SEQUENCE {
algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}}, algorithm AlgorithmIdentifier {PUBLIC-KEY, {OriginatorKeySet}},
publicKey BIT STRING } publicKey BIT STRING }
OriginatorKeySet PUBLIC-KEY ::= { OriginatorKeySet PUBLIC-KEY ::= { KeyAgreePublicKeys, ... }
KeyAgreePublicKeys, ...
}
RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey RecipientEncryptedKeys ::= SEQUENCE OF RecipientEncryptedKey
RecipientEncryptedKey ::= SEQUENCE { RecipientEncryptedKey ::= SEQUENCE {
rid KeyAgreeRecipientIdentifier, rid KeyAgreeRecipientIdentifier,
encryptedKey EncryptedKey } encryptedKey EncryptedKey }
KeyAgreeRecipientIdentifier ::= CHOICE { KeyAgreeRecipientIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
rKeyId [0] IMPLICIT RecipientKeyIdentifier } rKeyId [0] IMPLICIT RecipientKeyIdentifier }
skipping to change at page 30, line 15 skipping to change at page 31, line 15
macAlgorithm MessageAuthenticationCodeAlgorithm, macAlgorithm MessageAuthenticationCodeAlgorithm,
digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL, digestAlgorithm [1] DigestAlgorithmIdentifier OPTIONAL,
encapContentInfo EncapsulatedContentInfo, encapContentInfo EncapsulatedContentInfo,
authAttrs [2] IMPLICIT AuthAttributes OPTIONAL, authAttrs [2] IMPLICIT AuthAttributes OPTIONAL,
mac MessageAuthenticationCode, mac MessageAuthenticationCode,
unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL } unauthAttrs [3] IMPLICIT UnauthAttributes OPTIONAL }
AuthAttributes ::= SET SIZE (1..MAX) OF Attribute AuthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{AuthAttributeSet}} {{AuthAttributeSet}}
UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{UnauthAttributeSet}}
AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest AuthAttributeSet ATTRIBUTE ::= { aa-contentType | aa-messageDigest
| aa-signingTime, ...} | aa-signingTime, ...}
MessageAuthenticationCode ::= OCTET STRING
UnauthAttributes ::= SET SIZE (1..MAX) OF Attribute
{{UnauthAttributeSet}}
UnauthAttributeSet ATTRIBUTE ::= {...} UnauthAttributeSet ATTRIBUTE ::= {...}
MessageAuthenticationCode ::= OCTET STRING --
-- General algorithm definitions
--
DigestAlgorithmIdentifier ::= AlgorithmIdentifier DigestAlgorithmIdentifier ::= AlgorithmIdentifier
{DIGEST-ALGORITHM, {DigestAlgorithmSet}} {DIGEST-ALGORITHM, {DigestAlgorithmSet}}
DigestAlgorithmSet DIGEST-ALGORITHM ::= { DigestAlgorithmSet DIGEST-ALGORITHM ::= {
CryptographicMessageSyntaxAlgorithms.MessageDigestAlgs, ... } CryptographicMessageSyntaxAlgorithms-2009.MessageDigestAlgs, ... }
SignatureAlgorithmIdentifier ::= AlgorithmIdentifier SignatureAlgorithmIdentifier ::= AlgorithmIdentifier
{SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}} {SIGNATURE-ALGORITHM, {SignatureAlgorithmSet}}
SignatureAlgorithmSet SIGNATURE-ALGORITHM ::= SignatureAlgorithmSet SIGNATURE-ALGORITHM ::=
{ SignatureAlgs, ... } { SignatureAlgs, ... }
KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier KeyEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
{KEY-WRAP, {KeyEncryptionAlgorithmSet}} {KEY-WRAP, {KeyEncryptionAlgorithmSet}}
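Review bot: Style point on AuthAttributes and the relocated UnauthAttributes: both still spell out "SET SIZE (1..MAX) OF Attribute {{...}}", which is exactly the body of the parameterized Attributes { ATTRIBUTE:AttrList } type this module defines and already uses for SignedAttributes and unsignedAttrs. Since these definitions are being moved anyway, writing them as Attributes {{AuthAttributeSet}} and Attributes {{UnauthAttributeSet}} would give the same type with one definition of the size constraint instead of three.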
skipping to change at page 33, line 12 skipping to change at page 34, line 16
id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-encryptedData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 } us(840) rsadsi(113549) pkcs(1) pkcs7(7) 6 }
ct-AuthenticatedData CONTENT-TYPE ::= ct-AuthenticatedData CONTENT-TYPE ::=
{ AuthenticatedData IDENTIFIED BY id-ct-authData} { AuthenticatedData IDENTIFIED BY id-ct-authData}
id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-ct-authData OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 } us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) ct(1) 2 }
--
-- The CMS Attributes -- The CMS Attributes
--
MessageDigest ::= OCTET STRING MessageDigest ::= OCTET STRING
SigningTime ::= Time SigningTime ::= Time
Time ::= CHOICE { Time ::= CHOICE {
utcTime UTCTime, utcTime UTCTime,
generalTime GeneralizedTime } generalTime GeneralizedTime }
Countersignature ::= SignerInfo Countersignature ::= SignerInfo
skipping to change at page 33, line 28 skipping to change at page 34, line 34
Time ::= CHOICE { Time ::= CHOICE {
utcTime UTCTime, utcTime UTCTime,
generalTime GeneralizedTime } generalTime GeneralizedTime }
Countersignature ::= SignerInfo Countersignature ::= SignerInfo
-- Attribute Object Identifiers -- Attribute Object Identifiers
aa-contentType ATTRIBUTE ::= aa-contentType ATTRIBUTE ::=
{ TYPE ContentType IDENTIFIED BY id-contentType } { TYPE ContentType IDENTIFIED BY id-contentType }
id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-contentType OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 3 }
aa-messageDigest ATTRIBUTE ::= aa-messageDigest ATTRIBUTE ::=
{ TYPE MessageDigest IDENTIFIED BY id-messageDigest} { TYPE MessageDigest IDENTIFIED BY id-messageDigest}
id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-messageDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 4 }
aa-signingTime ATTRIBUTE ::= aa-signingTime ATTRIBUTE ::=
{ TYPE SigningTime IDENTIFIED BY id-signingTime } { TYPE SigningTime IDENTIFIED BY id-signingTime }
id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-signingTime OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 5 }
aa-countersignature ATTRIBUTE ::= aa-countersignature ATTRIBUTE ::=
{ TYPE Countersignature IDENTIFIED BY id-countersignature } { TYPE Countersignature IDENTIFIED BY id-countersignature }
id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-countersignature OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 } us(840) rsadsi(113549) pkcs(1) pkcs9(9) 6 }
--
-- Obsolete Extended Certificate syntax from PKCS#6 -- Obsolete Extended Certificate syntax from PKCS#6
--
ExtendedCertificateOrCertificate ::= CHOICE { ExtendedCertificateOrCertificate ::= CHOICE {
certificate Certificate, certificate Certificate,
extendedCertificate [0] IMPLICIT ExtendedCertificate } extendedCertificate [0] IMPLICIT ExtendedCertificate }
ExtendedCertificate ::= SEQUENCE { ExtendedCertificate ::= SEQUENCE {
extendedCertificateInfo ExtendedCertificateInfo, extendedCertificateInfo ExtendedCertificateInfo,
signatureAlgorithm SignatureAlgorithmIdentifier, signatureAlgorithm SignatureAlgorithmIdentifier,
signature Signature } signature Signature }
ExtendedCertificateInfo ::= SEQUENCE { ExtendedCertificateInfo ::= SEQUENCE {
skipping to change at page 34, line 33 skipping to change at page 35, line 37
attrValues SET OF ATTRIBUTE. attrValues SET OF ATTRIBUTE.
&Type({AttrList}{@attrType}) } &Type({AttrList}{@attrType}) }
Attributes { ATTRIBUTE:AttrList } ::= Attributes { ATTRIBUTE:AttrList } ::=
SET SIZE (1..MAX) OF Attribute {{ AttrList }} SET SIZE (1..MAX) OF Attribute {{ AttrList }}
END END
7. ASN.1 Module for RFC 4108 7. ASN.1 Module for RFC 4108
CMSFirmwareWrapper CMSFirmwareWrapper-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-firmware-wrap(22) } smime(16) modules(0) id-mod-cms-firmware-wrap-02(40) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
OTHER-NAME OTHER-NAME
FROM PKIX1Implicit88 FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
EnvelopedData, CONTENT-TYPE, ATTRIBUTE EnvelopedData, CONTENT-TYPE, ATTRIBUTE
FROM CryptographicMessageSyntax FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) }; smime(16) modules(0) id-mod-cms-2004-02(41) };
FirmwareContentTypes CONTENT-TYPE ::= { FirmwareContentTypes CONTENT-TYPE ::= {
ct-firmwarePackage | ct-firmwareLoadReceipt | ct-firmwarePackage | ct-firmwareLoadReceipt |
ct-firmwareLoadError,... } ct-firmwareLoadError,... }
FirmwareSignedAttrs ATTRIBUTE ::= { FirmwareSignedAttrs ATTRIBUTE ::= {
aa-firmwarePackageID | aa-targetHardwareIDs | aa-firmwarePackageID | aa-targetHardwareIDs |
aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs | aa-decryptKeyID | aa-implCryptoAlgs | aa-implCompressAlgs |
aa-communityIdentifiers | aa-firmwarePackageInfo,... } aa-communityIdentifiers | aa-firmwarePackageInfo,... }
FirmwareUnsignedAttrs ATTRIBUTE ::= { FirmwareUnsignedAttrs ATTRIBUTE ::= {
skipping to change at page 37, line 22 skipping to change at page 38, line 26
HardwareModules ::= SEQUENCE { HardwareModules ::= SEQUENCE {
hwType OBJECT IDENTIFIER, hwType OBJECT IDENTIFIER,
hwSerialEntries SEQUENCE OF HardwareSerialEntry } hwSerialEntries SEQUENCE OF HardwareSerialEntry }
HardwareSerialEntry ::= CHOICE { HardwareSerialEntry ::= CHOICE {
all NULL, all NULL,
single OCTET STRING, single OCTET STRING,
block SEQUENCE { block SEQUENCE {
low OCTET STRING, low OCTET STRING,
high OCTET STRING } } high OCTET STRING
}
}
aa-firmwarePackageInfo ATTRIBUTE ::= aa-firmwarePackageInfo ATTRIBUTE ::=
{ TYPE FirmwarePackageInfo IDENTIFIED BY { TYPE FirmwarePackageInfo IDENTIFIED BY
id-aa-firmwarePackageInfo } id-aa-firmwarePackageInfo }
id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= { id-aa-firmwarePackageInfo OBJECT IDENTIFIER ::= {
iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9) iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) aa(2) 42 } smime(16) aa(2) 42 }
FirmwarePackageInfo ::= SEQUENCE { FirmwarePackageInfo ::= SEQUENCE {
fwPkgType INTEGER OPTIONAL, fwPkgType INTEGER OPTIONAL,
dependencies SEQUENCE OF dependencies SEQUENCE OF
PreferredOrLegacyPackageIdentifier OPTIONAL } PreferredOrLegacyPackageIdentifier OPTIONAL }
-- Firmware Package Unsigned Attributes and Object Identifiers -- Firmware Package Unsigned Attributes and Object Identifiers
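Review bot: Style point on HardwareSerialEntry: the new version moves its two closing braces onto lines of their own, but HardwareModules directly above and FirmwarePackageInfo directly below still close on the last field line ("hwSerialEntries SEQUENCE OF HardwareSerialEntry }", "PreferredOrLegacyPackageIdentifier OPTIONAL }"). The change is whitespace only, so either leave HardwareSerialEntry as it was or apply one brace convention to the whole module.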
skipping to change at page 39, line 45 skipping to change at page 40, line 45
unsupportedParameters (35), unsupportedParameters (35),
breaksDependency (36), breaksDependency (36),
otherError (99) } otherError (99) }
VendorLoadErrorCode ::= INTEGER VendorLoadErrorCode ::= INTEGER
-- Other Name syntax for Hardware Module Name -- Other Name syntax for Hardware Module Name
on-hardwareModuleName OTHER-NAME ::= on-hardwareModuleName OTHER-NAME ::=
{ HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName } { HardwareModuleName IDENTIFIED BY id-on-hardwareModuleName }
id-on-hardwareModuleName OBJECT IDENTIFIER ::= { id-on-hardwareModuleName OBJECT IDENTIFIER ::= {
iso(1) identified-organization(3) dod(6) internet(1) security(5) iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) on(8) 4 } mechanisms(5) pkix(7) on(8) 4 }
HardwareModuleName ::= SEQUENCE { HardwareModuleName ::= SEQUENCE {
hwType OBJECT IDENTIFIER, hwType OBJECT IDENTIFIER,
hwSerialNum OCTET STRING } hwSerialNum OCTET STRING }
END END
8. ASN.1 Module for RFC 4998 8. ASN.1 Module for RFC 4998
ERS {iso(1) identified-organization(3) dod(6) internet(1) ERS {iso(1) identified-organization(3) dod(6) internet(1)
security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1) security(5) mechanisms(5) ltans(11) id-mod(0) id-mod-ers(1)
id-mod-ers-v1(1) } id-mod-ers-v1(1) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
AttributeSet{}, ATTRIBUTE AttributeSet{}, ATTRIBUTE
FROM PKIX-CommonTypes FROM PKIX-CommonTypes
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)} mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
ContentInfo ContentInfo
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax2004
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) cms-2004(24) } ; pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-2004-02(41) } ;
aa-er-Internal ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
id-aa-er-internal OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 49 }
aa-er-External ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
id-aa-er-external OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 50 }
ltans OBJECT IDENTIFIER ::= ltans OBJECT IDENTIFIER ::=
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) ltans(11) } mechanisms(5) ltans(11) }
EvidenceRecord ::= SEQUENCE { EvidenceRecord ::= SEQUENCE {
version INTEGER { v1(1) } , version INTEGER { v1(1) } ,
digestAlgorithms SEQUENCE OF AlgorithmIdentifier digestAlgorithms SEQUENCE OF AlgorithmIdentifier
{DIGEST-ALGORITHM, {...}}, {DIGEST-ALGORITHM, {...}},
cryptoInfos [0] CryptoInfos OPTIONAL, cryptoInfos [0] CryptoInfos OPTIONAL,
encryptionInfo [1] EncryptionInfo OPTIONAL, encryptionInfo [1] EncryptionInfo OPTIONAL,
archiveTimeStampSequence ArchiveTimeStampSequence archiveTimeStampSequence ArchiveTimeStampSequence
} }
CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF AttributeSet{{...}} CryptoInfos ::= SEQUENCE SIZE (1..MAX) OF AttributeSet{{...}}
ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain
ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp
ArchiveTimeStamp ::= SEQUENCE { ArchiveTimeStamp ::= SEQUENCE {
digestAlgorithm [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}} digestAlgorithm [0] AlgorithmIdentifier{DIGEST-ALGORITHM, {...}}
OPTIONAL, OPTIONAL,
attributes [1] Attributes OPTIONAL, attributes [1] Attributes OPTIONAL,
reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL, reducedHashtree [2] SEQUENCE OF PartialHashtree OPTIONAL,
timeStamp ContentInfo timeStamp ContentInfo
} }
PartialHashtree ::= SEQUENCE OF OCTET STRING PartialHashtree ::= SEQUENCE OF OCTET STRING
Attributes ::= SET SIZE (1..MAX) OF AttributeSet{{...}} Attributes ::= SET SIZE (1..MAX) OF AttributeSet{{...}}
ArchiveTimeStampChain ::= SEQUENCE OF ArchiveTimeStamp
ArchiveTimeStampSequence ::= SEQUENCE OF ArchiveTimeStampChain
EncryptionInfo ::= SEQUENCE { EncryptionInfo ::= SEQUENCE {
encryptionInfoType ENCINFO-TYPE. encryptionInfoType ENCINFO-TYPE.
&id({SupportedEncryptionAlgorithms}), &id({SupportedEncryptionAlgorithms}),
encryptionInfoValue ENCINFO-TYPE. encryptionInfoValue ENCINFO-TYPE.
&Type({SupportedEncryptionAlgorithms} &Type({SupportedEncryptionAlgorithms}
{@encryptionInfoType}) {@encryptionInfoType})
} }
ENCINFO-TYPE ::= TYPE-IDENTIFIER ENCINFO-TYPE ::= TYPE-IDENTIFIER
SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...} SupportedEncryptionAlgorithms ENCINFO-TYPE ::= {...}
aa-er-Internal ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-internal }
id-aa-er-internal OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 49 }
aa-er-External ATTRIBUTE ::=
{ TYPE EvidenceRecord IDENTIFIED BY id-aa-er-external }
id-aa-er-external OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 50 }
END END
9. ASN.1 Module for RFC 5035 9. ASN.1 Module for RFC 5035
ExtendedSecurityServices-2006 ExtendedSecurityServices-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) id-mod-ess-2006(30) } smime(16) modules(0) id-mod-ess-2006-02(42) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{} AttributeSet{}, ATTRIBUTE, SECURITY-CATEGORY, SecurityCategory{}
FROM PKIX-CommonTypes FROM PKIX-CommonTypes-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon(43) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkixCommon-02(57) }
AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM
FROM AlgorithmInformation FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)} mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier, ContentType, IssuerAndSerialNumber, SubjectKeyIdentifier,
CONTENT-TYPE CONTENT-TYPE
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } smime(16) modules(0) id-mod-cms-2004-02(41) }
CertificateSerialNumber CertificateSerialNumber
FROM PKIX1Explicit88 FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
PolicyInformation, GeneralNames PolicyInformation, GeneralNames
FROM PKIX1Implicit88 FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19)} mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59)}
mda-sha256 mda-sha256
FROM PKIX1-PSS-OAEP-Algorithms FROM PKIX1-PSS-OAEP-Algorithms-2009
{ iso(1) identified-organization(3) dod(6) { iso(1) identified-organization(3) dod(6)
internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
id-mod-pkix1-rsa-pkalgs(33) } id-mod-pkix1-rsa-pkalgs-02(54) } ;
;
EssSignedAttributes ATTRIBUTE ::= { EssSignedAttributes ATTRIBUTE ::= {
aa-receiptRequest | aa-contentIdentifier | aa-contentHint | aa-receiptRequest | aa-contentIdentifier | aa-contentHint |
aa-msgSigDigest | aa-contentReference | aa-securityLabel | aa-msgSigDigest | aa-contentReference | aa-securityLabel |
aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate | aa-equivalentLabels | aa-mlExpandHistory | aa-signingCertificate |
aa-signingCertificateV2, ... } aa-signingCertificateV2, ... }
EssContentTypes CONTENT-TYPE ::= { ct-receipt, ... } EssContentTypes CONTENT-TYPE ::= { ct-receipt, ... }
-- Extended Security Services -- Extended Security Services
-- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1 -- The construct "SEQUENCE SIZE (1..MAX) OF" appears in several ASN.1
-- constructs in this module. A valid ASN.1 SEQUENCE can have zero or -- constructs in this module. A valid ASN.1 SEQUENCE can have zero or
-- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE -- more entries. The SIZE (1..MAX) construct constrains the SEQUENCE
-- tp have at least one entry. MAX indicates the upper bound is -- to have at least one entry. MAX indicates the upper bound is
-- unspecified. Implementations are free to choose an upper bound -- unspecified. Implementations are free to choose an upper bound
-- that suits their environment. -- that suits their environment.
-- Section 2.7 -- Section 2.7
aa-receiptRequest ATTRIBUTE ::= aa-receiptRequest ATTRIBUTE ::=
{ TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest} { TYPE ReceiptRequest IDENTIFIED BY id-aa-receiptRequest}
ReceiptRequest ::= SEQUENCE { ReceiptRequest ::= SEQUENCE {
signedContentIdentifier ContentIdentifier, signedContentIdentifier ContentIdentifier,
receiptsFrom ReceiptsFrom, receiptsFrom ReceiptsFrom,
receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames receiptsTo SEQUENCE SIZE (1..ub-receiptsTo) OF GeneralNames
} }
ub-receiptsTo INTEGER ::= 16 ub-receiptsTo INTEGER ::= 16
aa-contentIdentifier ATTRIBUTE ::=
{ TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier}
id-aa-receiptRequest OBJECT IDENTIFIER ::= id-aa-receiptRequest OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 1} smime(16) id-aa(2) 1}
aa-contentIdentifier ATTRIBUTE ::=
{ TYPE ContentIdentifier IDENTIFIED BY id-aa-contentIdentifier}
ContentIdentifier ::= OCTET STRING ContentIdentifier ::= OCTET STRING
id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-aa-contentIdentifier OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7} us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 7}
ct-receipt CONTENT-TYPE ::= ct-receipt CONTENT-TYPE ::=
{ Receipt IDENTIFIED BY id-ct-receipt } { Receipt IDENTIFIED BY id-ct-receipt }
id-ct-receipt OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-ct(1) 1}
ReceiptsFrom ::= CHOICE { ReceiptsFrom ::= CHOICE {
allOrFirstTier [0] AllOrFirstTier, allOrFirstTier [0] AllOrFirstTier,
-- formerly "allOrNone [0]AllOrNone" -- formerly "allOrNone [0]AllOrNone"
receiptList [1] SEQUENCE OF GeneralNames } receiptList [1] SEQUENCE OF GeneralNames }
AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone
allReceipts (0), allReceipts (0),
firstTierRecipients (1) } firstTierRecipients (1) }
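Review bot: In the IMPORTS of the ERS module (Section 8), two FROM clauses in the new column pair an old module name with a new module OID: "FROM PKIX-CommonTypes" now carries id-mod-pkixCommon-02(57) and "FROM CryptographicMessageSyntax2004" now carries id-mod-cms-2004-02(41), whereas the ESS module in Section 9 imports the same two modules as PKIX-CommonTypes-2009 and CryptographicMessageSyntax-2009. Both references should be renamed so that module name and OID agree. The ERS module header is also left as ERS with id-mod-ers-v1(1), although its imports changed and its definitions were reordered, while CMSFirmwareWrapper and ExtendedSecurityServices received a -2009 name and a new module OID. It should either get the same treatment or a sentence explaining why it is exempt.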
skipping to change at page 44, line 4 skipping to change at page 44, line 48
ReceiptsFrom ::= CHOICE { ReceiptsFrom ::= CHOICE {
allOrFirstTier [0] AllOrFirstTier, allOrFirstTier [0] AllOrFirstTier,
-- formerly "allOrNone [0]AllOrNone" -- formerly "allOrNone [0]AllOrNone"
receiptList [1] SEQUENCE OF GeneralNames } receiptList [1] SEQUENCE OF GeneralNames }
AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone AllOrFirstTier ::= INTEGER { -- Formerly AllOrNone
allReceipts (0), allReceipts (0),
firstTierRecipients (1) } firstTierRecipients (1) }
-- Section 2.8 -- Section 2.8
Receipt ::= SEQUENCE { Receipt ::= SEQUENCE {
version ESSVersion, version ESSVersion,
contentType ContentType, contentType ContentType,
signedContentIdentifier ContentIdentifier, signedContentIdentifier ContentIdentifier,
originatorSignatureValue OCTET STRING } originatorSignatureValue OCTET STRING
}
id-ct-receipt OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-ct(1) 1}
ESSVersion ::= INTEGER { v1(1) } ESSVersion ::= INTEGER { v1(1) }
-- Section 2.9 -- Section 2.9
aa-contentHint ATTRIBUTE ::= aa-contentHint ATTRIBUTE ::=
{ TYPE ContentHints IDENTIFIED BY id-aa-contentHint } { TYPE ContentHints IDENTIFIED BY id-aa-contentHint }
id-aa-contentHint OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 4}
ContentHints ::= SEQUENCE { ContentHints ::= SEQUENCE {
contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL, contentDescription UTF8String (SIZE (1..MAX)) OPTIONAL,
contentType ContentType } contentType ContentType }
id-aa-contentHint OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 4}
-- Section 2.10 -- Section 2.10
aa-msgSigDigest ATTRIBUTE ::= aa-msgSigDigest ATTRIBUTE ::=
{ TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest } { TYPE MsgSigDigest IDENTIFIED BY id-aa-msgSigDigest }
MsgSigDigest ::= OCTET STRING
id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-aa-msgSigDigest OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5} us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) id-aa(2) 5}
MsgSigDigest ::= OCTET STRING
-- Section 2.11 -- Section 2.11
aa-contentReference ATTRIBUTE ::= aa-contentReference ATTRIBUTE ::=
{ TYPE ContentReference IDENTIFIED BY id-aa-contentReference } { TYPE ContentReference IDENTIFIED BY id-aa-contentReference }
id-aa-contentReference OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 10 }
ContentReference ::= SEQUENCE { ContentReference ::= SEQUENCE {
contentType ContentType, contentType ContentType,
signedContentIdentifier ContentIdentifier, signedContentIdentifier ContentIdentifier,
originatorSignatureValue OCTET STRING } originatorSignatureValue OCTET STRING }
id-aa-contentReference OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 10 }
-- Section 3.2 -- Section 3.2
aa-securityLabel ATTRIBUTE ::= aa-securityLabel ATTRIBUTE ::=
{ TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel } { TYPE ESSSecurityLabel IDENTIFIED BY id-aa-securityLabel }
id-aa-securityLabel OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 2}
ESSSecurityLabel ::= SET { ESSSecurityLabel ::= SET {
security-policy-identifier SecurityPolicyIdentifier, security-policy-identifier SecurityPolicyIdentifier,
security-classification SecurityClassification OPTIONAL, security-classification SecurityClassification OPTIONAL,
privacy-mark ESSPrivacyMark OPTIONAL, privacy-mark ESSPrivacyMark OPTIONAL,
security-categories SecurityCategories OPTIONAL } security-categories SecurityCategories OPTIONAL }
id-aa-securityLabel OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 2}
SecurityPolicyIdentifier ::= OBJECT IDENTIFIER SecurityPolicyIdentifier ::= OBJECT IDENTIFIER
SecurityClassification ::= INTEGER { SecurityClassification ::= INTEGER {
unmarked (0), unmarked (0),
unclassified (1), unclassified (1),
restricted (2), restricted (2),
confidential (3), confidential (3),
secret (4), secret (4),
top-secret (5) top-secret (5)
} (0..ub-integer-options) } (0..ub-integer-options)
skipping to change at page 45, line 50 skipping to change at page 46, line 42
{{SupportedSecurityCategories}} {{SupportedSecurityCategories}}
ub-security-categories INTEGER ::= 64 ub-security-categories INTEGER ::= 64
SupportedSecurityCategories SECURITY-CATEGORY ::= { ... } SupportedSecurityCategories SECURITY-CATEGORY ::= { ... }
-- Section 3.4 -- Section 3.4
aa-equivalentLabels ATTRIBUTE ::= aa-equivalentLabels ATTRIBUTE ::=
{ TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels } { TYPE EquivalentLabels IDENTIFIED BY id-aa-equivalentLabels }
EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel
id-aa-equivalentLabels OBJECT IDENTIFIER ::= id-aa-equivalentLabels OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 9} smime(16) id-aa(2) 9}
EquivalentLabels ::= SEQUENCE OF ESSSecurityLabel
-- Section 4.4 -- Section 4.4
aa-mlExpandHistory ATTRIBUTE ::= aa-mlExpandHistory ATTRIBUTE ::=
{ TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory } { TYPE MLExpansionHistory IDENTIFIED BY id-aa-mlExpandHistory }
MLExpansionHistory ::= SEQUENCE
SIZE (1..ub-ml-expansion-history) OF MLData
id-aa-mlExpandHistory OBJECT IDENTIFIER ::= id-aa-mlExpandHistory OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) id-aa(2) 3 } smime(16) id-aa(2) 3 }
MLExpansionHistory ::= SEQUENCE
SIZE (1..ub-ml-expansion-history) OF MLData
ub-ml-expansion-history INTEGER ::= 64 ub-ml-expansion-history INTEGER ::= 64
MLData ::= SEQUENCE { MLData ::= SEQUENCE {
mailListIdentifier EntityIdentifier, mailListIdentifier EntityIdentifier,
expansionTime GeneralizedTime, expansionTime GeneralizedTime,
mlReceiptPolicy MLReceiptPolicy OPTIONAL } mlReceiptPolicy MLReceiptPolicy OPTIONAL }
EntityIdentifier ::= CHOICE { EntityIdentifier ::= CHOICE {
issuerAndSerialNumber IssuerAndSerialNumber, issuerAndSerialNumber IssuerAndSerialNumber,
subjectKeyIdentifier SubjectKeyIdentifier } subjectKeyIdentifier SubjectKeyIdentifier }
skipping to change at page 46, line 41 skipping to change at page 47, line 32
MLReceiptPolicy ::= CHOICE { MLReceiptPolicy ::= CHOICE {
none [0] NULL, none [0] NULL,
insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames, insteadOf [1] SEQUENCE SIZE (1..MAX) OF GeneralNames,
inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames } inAdditionTo [2] SEQUENCE SIZE (1..MAX) OF GeneralNames }
-- Section 5.4 -- Section 5.4
aa-signingCertificate ATTRIBUTE ::= aa-signingCertificate ATTRIBUTE ::=
{ TYPE SigningCertificate IDENTIFIED BY { TYPE SigningCertificate IDENTIFIED BY
id-aa-signingCertificate } id-aa-signingCertificate }
id-aa-signingCertificate OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 12 }
SigningCertificate ::= SEQUENCE { SigningCertificate ::= SEQUENCE {
certs SEQUENCE OF ESSCertID, certs SEQUENCE OF ESSCertID,
policies SEQUENCE OF PolicyInformation OPTIONAL policies SEQUENCE OF PolicyInformation OPTIONAL
} }
id-aa-signingCertificate OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 12 }
aa-signingCertificateV2 ATTRIBUTE ::= aa-signingCertificateV2 ATTRIBUTE ::=
{ TYPE SigningCertificateV2 IDENTIFIED BY { TYPE SigningCertificateV2 IDENTIFIED BY
id-aa-signingCertificateV2 } id-aa-signingCertificateV2 }
id-aa-signingCertificateV2 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 47 }
SigningCertificateV2 ::= SEQUENCE { SigningCertificateV2 ::= SEQUENCE {
certs SEQUENCE OF ESSCertIDv2, certs SEQUENCE OF ESSCertIDv2,
policies SEQUENCE OF PolicyInformation OPTIONAL policies SEQUENCE OF PolicyInformation OPTIONAL
} }
id-aa-signingCertificateV2 OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs9(9)
smime(16) id-aa(2) 47 }
HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM, HashAlgorithm ::= AlgorithmIdentifier{DIGEST-ALGORITHM,
{mda-sha256, ...}} {mda-sha256, ...}}
ESSCertIDv2 ::= SEQUENCE { ESSCertIDv2 ::= SEQUENCE {
hashAlgorithm HashAlgorithm hashAlgorithm HashAlgorithm
DEFAULT { algorithm mda-sha256.&id }, DEFAULT { algorithm mda-sha256.&id },
certHash Hash, certHash Hash,
issuerSerial IssuerSerial OPTIONAL issuerSerial IssuerSerial OPTIONAL
} }
skipping to change at page 48, line 7 skipping to change at page 49, line 7
IssuerSerial ::= SEQUENCE { IssuerSerial ::= SEQUENCE {
issuer GeneralNames, issuer GeneralNames,
serialNumber CertificateSerialNumber serialNumber CertificateSerialNumber
} }
END END
10. ASN.1 Module for RFC 5083 10. ASN.1 Module for RFC 5083
CMS-AuthEnvelopedData-2007 CMS-AuthEnvelopedData-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
pkcs-9(9) smime(16) modules(0) cms-authEnvelopedData(31) } smime(16) modules(0) id-mod-cms-authEnvelopedData-02(43)}
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
IMPORTS IMPORTS
AuthAttributes, CMSVersion, EncryptedContentInfo, AuthAttributes, CMSVersion, EncryptedContentInfo,
MessageAuthenticationCode, OriginatorInfo, RecipientInfos, MessageAuthenticationCode, OriginatorInfo, RecipientInfos,
UnauthAttributes, CONTENT-TYPE UnauthAttributes, CONTENT-TYPE
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } ; smime(16) modules(0) id-mod-cms-2004-02(41)} ;
--
ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... } ContentTypes CONTENT-TYPE ::= {ct-authEnvelopedData, ... }
--
ct-authEnvelopedData CONTENT-TYPE ::= { ct-authEnvelopedData CONTENT-TYPE ::= {
AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData AuthEnvelopedData IDENTIFIED BY id-ct-authEnvelopedData
} }
id-ct-authEnvelopedData OBJECT IDENTIFIER ::= id-ct-authEnvelopedData OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) ct(1) 23 } smime(16) ct(1) 23 }
AuthEnvelopedData ::= SEQUENCE { AuthEnvelopedData ::= SEQUENCE {
version CMSVersion, version CMSVersion,
originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL, originatorInfo [0] IMPLICIT OriginatorInfo OPTIONAL,
recipientInfos RecipientInfos, recipientInfos RecipientInfos,
authEncryptedContentInfo EncryptedContentInfo, authEncryptedContentInfo EncryptedContentInfo,
authAttrs [1] IMPLICIT AuthAttributes OPTIONAL, authAttrs [1] IMPLICIT AuthAttributes OPTIONAL,
mac MessageAuthenticationCode, mac MessageAuthenticationCode,
unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL } unauthAttrs [2] IMPLICIT UnauthAttributes OPTIONAL
}
END END
11. ASN.1 Module for RFC 5084 11. ASN.1 Module for RFC 5084
CMS-AES-CCM-and-AES-GCM CMS-AES-CCM-and-AES-GCM-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
pkcs-9(9) smime(16) modules(0) cms-aes-ccm-and-gcm(32) } pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-ccm-gcm-02(44) }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS IMPORTS
CONTENT-ENCRYPTION, SMIME-CAPS CONTENT-ENCRYPTION, SMIME-CAPS
FROM AlgorithmInformation FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)}; mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)};
-- Add this algorithm set to include all of the algorithms defined in -- Add this algorithm set to include all of the algorithms defined in
-- this document -- this document
ContentEncryptionAlgs CONTENT-ENCRYPTION ::= { ContentEncryptionAlgs CONTENT-ENCRYPTION ::= {
cea-aes128-CCM | cea-aes192-CCM | cea-aes256-CCM | cea-aes128-CCM | cea-aes192-CCM | cea-aes256-CCM |
cea-aes128-GCM | cea-aes192-GCM | cea-aes256-GCM, ... } cea-aes128-GCM | cea-aes192-GCM | cea-aes256-GCM, ... }
SMimeCaps SMIME-CAPS ::= { SMimeCaps SMIME-CAPS ::= {
cea-aes128-CCM.&smimeCaps | cea-aes128-CCM.&smimeCaps |
cea-aes192-CCM.&smimeCaps | cea-aes192-CCM.&smimeCaps |
cea-aes256-CCM.&smimeCaps | cea-aes256-CCM.&smimeCaps |
cea-aes128-GCM.&smimeCaps | cea-aes128-GCM.&smimeCaps |
cea-aes192-GCM.&smimeCaps | cea-aes192-GCM.&smimeCaps |
cea-aes256-GCM.&smimeCaps, cea-aes256-GCM.&smimeCaps,
... ...
} }
-- Object Identifiers -- Defining objects
aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840) aes OBJECT IDENTIFIER ::= { joint-iso-itu-t(2) country(16) us(840)
organization(1) gov(101) csor(3) nistAlgorithm(4) 1 } organization(1) gov(101) csor(3) nistAlgorithm(4) 1 }
id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }
id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }
id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }
id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }
id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }
id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }
-- Parameters for AigorithmIdentifier
CCMParameters ::= SEQUENCE {
aes-nonce OCTET STRING (SIZE(7..13)),
aes-ICVlen AES-CCM-ICVlen DEFAULT 12 }
AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)
GCMParameters ::= SEQUENCE {
aes-nonce OCTET STRING, -- recommended size is 12 octets
aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }
AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)
-- Defining objects
cea-aes128-CCM CONTENT-ENCRYPTION ::= { cea-aes128-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-CCM IDENTIFIER id-aes128-CCM
PARAMS TYPE CCMParameters ARE required PARAMS TYPE CCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes128-CCM } SMIME-CAPS { IDENTIFIED BY id-aes128-CCM }
} }
id-aes128-CCM OBJECT IDENTIFIER ::= { aes 7 }
cea-aes192-CCM CONTENT-ENCRYPTION ::= { cea-aes192-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes192-CCM IDENTIFIER id-aes192-CCM
PARAMS TYPE CCMParameters ARE required PARAMS TYPE CCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes192-CCM } SMIME-CAPS { IDENTIFIED BY id-aes192-CCM }
} }
id-aes192-CCM OBJECT IDENTIFIER ::= { aes 27 }
cea-aes256-CCM CONTENT-ENCRYPTION ::= { cea-aes256-CCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes256-CCM IDENTIFIER id-aes256-CCM
PARAMS TYPE CCMParameters ARE required PARAMS TYPE CCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes256-CCM } SMIME-CAPS { IDENTIFIED BY id-aes256-CCM }
} }
id-aes256-CCM OBJECT IDENTIFIER ::= { aes 47 }
cea-aes128-GCM CONTENT-ENCRYPTION ::= { cea-aes128-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required PARAMS TYPE GCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes128-GCM } SMIME-CAPS { IDENTIFIED BY id-aes128-GCM }
} }
id-aes128-GCM OBJECT IDENTIFIER ::= { aes 6 }
cea-aes192-GCM CONTENT-ENCRYPTION ::= { cea-aes192-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required PARAMS TYPE GCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes192-GCM } SMIME-CAPS { IDENTIFIED BY id-aes192-GCM }
} }
id-aes192-GCM OBJECT IDENTIFIER ::= { aes 26 }
cea-aes256-GCM CONTENT-ENCRYPTION ::= { cea-aes256-GCM CONTENT-ENCRYPTION ::= {
IDENTIFIER id-aes128-GCM IDENTIFIER id-aes128-GCM
PARAMS TYPE GCMParameters ARE required PARAMS TYPE GCMParameters ARE required
SMIME CAPS { IDENTIFIED BY id-aes256-GCM } SMIME-CAPS { IDENTIFIED BY id-aes256-GCM }
} }
id-aes256-GCM OBJECT IDENTIFIER ::= { aes 46 }
-- Parameters for AlgorithmIdentifier
CCMParameters ::= SEQUENCE {
aes-nonce OCTET STRING (SIZE(7..13)),
aes-ICVlen AES-CCM-ICVlen DEFAULT 12 }
AES-CCM-ICVlen ::= INTEGER (4 | 6 | 8 | 10 | 12 | 14 | 16)
GCMParameters ::= SEQUENCE {
aes-nonce OCTET STRING, -- recommended size is 12 octets
aes-ICVlen AES-GCM-ICVlen DEFAULT 12 }
AES-GCM-ICVlen ::= INTEGER (12 | 13 | 14 | 15 | 16)
END END
12. ASN.1 Module for RFC 5275 12. ASN.1 Module for RFC 5275
SMIMESymmetricKeyDistribution SMIMESymmetricKeyDistribution-2009
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) symkeydist(12) } smime(16) modules(0) id-mod-symkeydist-02(36)}
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
EXPORTS ALL; EXPORTS ALL;
IMPORTS IMPORTS
AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-WRAP, AlgorithmIdentifier{}, ALGORITHM, DIGEST-ALGORITHM, KEY-WRAP,
SMIMECapability{}, SMIMECapabilities{}, SMIME-CAPS SMIMECapability{}, SMIMECapabilities{}, SMIME-CAPS
FROM AlgorithmInformation FROM AlgorithmInformation-2009
{iso(1) identified-organization(3) dod(6) internet(1) security(5) {iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-algorithInformation(99)} mechanisms(5) pkix(7) id-mod(0)
id-mod-algorithmInformation-02(58)}
GeneralName GeneralName
FROM PKIX1Implicit88 FROM PKIX1Implicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-implicit(19) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-implicit-02(59) }
Certificate Certificate
FROM PKIX1Explicit88 FROM PKIX1Explicit-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit(18) } mechanisms(5) pkix(7) id-mod(0) id-mod-pkix1-explicit-02(51) }
RecipientInfos, KEKIdentifier,CertificateSet RecipientInfos, KEKIdentifier,CertificateSet
FROM CryptographicMessageSyntax2004 FROM CryptographicMessageSyntax-2009
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cms-2004(24) } smime(16) modules(0) id-mod-cms-2004-02(41) }
cap-3DESwrap cap-3DESwrap
FROM CryptographicMessageSyntaxAlgorithms FROM CryptographicMessageSyntaxAlgorithms
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) modules(0) cmsalg-2001(16) } smime(16) modules(0) id-mod-cmsalg-2001-02(37) }
AttributeCertificate AttributeCertificate
FROM PKIXAttributeCertificate FROM PKIXAttributeCertificate-2009
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert(12) } mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert-02(47) }
CMC-CONTROL, EXTENDED-FAILURE-INFO CMC-CONTROL, EXTENDED-FAILURE-INFO
FROM EnrollmentMessageSyntax FROM EnrollmentMessageSyntax
{ iso(1) identified-organization(3) dod(4) internet(1) security(5) { iso(1) identified-organization(3) dod(4) internet(1) security(5)
mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002(23) } mechansims(5) pkix(7) id-mod(0) id-mod-cmc2002-02(53) }
cea-aes128-cbc, cea-aes192-cbc, cea-aes256-cbc
FROM CMSAesRsaesOaep {iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes(19) }
;
-- This defines the GL symmetric key distribution object identifier kwa-aes128-wrap, kwa-aes192-wrap, kwa-aes256-wrap
-- arc. FROM CMSAesRsaesOaep-2009
{ iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) id-mod-cms-aes-02(38) } ;
-- This defines the group list (GL symmetric key distribution OID arc
id-skd OBJECT IDENTIFIER ::= id-skd OBJECT IDENTIFIER ::=
{ iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9)
smime(16) skd(8) } smime(16) skd(8) }
SKD-ControlSet CMC-CONTROL ::= { SKD-ControlSet CMC-CONTROL ::= {
skd-glUseKEK | skd-glDelete | skd-glAddMember | skd-glUseKEK | skd-glDelete | skd-glAddMember |
skd-glDeleteMember | skd-glRekey | skd-glAddOwner | skd-glDeleteMember | skd-glRekey | skd-glAddOwner |
skd-glRemoveOwner | skd-glKeyCompromise | skd-glRemoveOwner | skd-glKeyCompromise |
skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert | skd-glkRefresh | skd-glaQueryRequest | skd-glProvideCert |
skd-glManageCert | skd-glKey, ... } skd-glManageCert | skd-glKey, ... }
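Review bot: In the AES-GCM objects at the end of the RFC 5084 module, cea-aes192-GCM and cea-aes256-GCM both carry `IDENTIFIER id-aes128-GCM`, in -02 and in -03, while their SMIME-CAPS lines name id-aes192-GCM and id-aes256-GCM. This looks like a copy-paste from cea-aes128-GCM; the IDENTIFIER fields should read id-aes192-GCM and id-aes256-GCM respectively, otherwise all three GCM key sizes in ContentEncryptionAlgs are bound to the same OID. Separately, the EnrollmentMessageSyntax import in the RFC 5275 module still has `dod(4)` and `mechansims(5)` where every other import in this hunk uses dod(6) and mechanisms(5). Its module name, like CryptographicMessageSyntaxAlgorithms, did not gain the -2009 suffix even though the identifier moved to a -02 value. The new comment "-- This defines the group list (GL symmetric key distribution OID arc" also has an unclosed parenthesis.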
skipping to change at page 53, line 13 skipping to change at page 53, line 47
certificates Certificates OPTIONAL certificates Certificates OPTIONAL
} }
GLAdministration ::= INTEGER { GLAdministration ::= INTEGER {
unmanaged (0), unmanaged (0),
managed (1), managed (1),
closed (2) closed (2)
} }
-- --
-- The set of key wrap algorithms supported by this specification -- The advertised set of algorithm capabilites for the docment
-- --
SKD-Caps SMIME-CAPS ::= { SKD-Caps SMIME-CAPS ::= {
cap-3DESwrap | cea-aes128-cbc.&smimeCaps | cap-3DESwrap | kwa-aes128-wrap.&smimeCaps |
cea-aes192-cbc.&smimeCaps | cea-aes256-cbc.&smimeCaps, ... kwa-aes192-wrap.&smimeCaps | kwa-aes256-wrap.&smimeCaps, ...
} }
KeyWrapAlgorithm ::= SMIMECapability{{SKD-Caps}}
cap-aes128-cbc KeyWrapAlgorithm ::= cap-aes128-cbc KeyWrapAlgorithm ::=
{ capabilityID cea-aes128-cbc.&smimeCaps.&id } { capabilityID kwa-aes128-wrap.&smimeCaps.&id }
--
-- The set of key wrap algorithms supported by this specification
--
KeyWrapAlgorithm ::= SMIMECapability{{SKD-Caps}}
GLKeyAttributes ::= SEQUENCE { GLKeyAttributes ::= SEQUENCE {
rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE, rekeyControlledByGLO [0] BOOLEAN DEFAULT FALSE,
recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE, recipientsNotMutuallyAware [1] BOOLEAN DEFAULT TRUE,
duration [2] INTEGER DEFAULT 0, duration [2] INTEGER DEFAULT 0,
generationCounter [3] INTEGER DEFAULT 2, generationCounter [3] INTEGER DEFAULT 2,
requestedAlgorithm [4] KeyWrapAlgorithm requestedAlgorithm [4] KeyWrapAlgorithm
DEFAULT cap-aes128-cbc DEFAULT cap-aes128-cbc
} }
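Review bot: `cap-aes128-cbc` now has `capabilityID kwa-aes128-wrap.&smimeCaps.&id`, so the name says CBC while the value is the AES-128 key wrap capability. Rename the value to reflect key wrap and update `DEFAULT cap-aes128-cbc` in GLKeyAttributes to match. Because requestedAlgorithm is a DEFAULT field, the switch from cea-aes128-cbc to kwa-aes128-wrap also changes which algorithm an absent requestedAlgorithm denotes, so it should be called out explicitly rather than passing as a cosmetic edit. The new comment above SKD-Caps has two typos: "capabilites" and "docment".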
skipping to change at page 54, line 14 skipping to change at page 55, line 5
} }
GLMember ::= SEQUENCE { GLMember ::= SEQUENCE {
glMemberName GeneralName, glMemberName GeneralName,
glMemberAddress GeneralName OPTIONAL, glMemberAddress GeneralName OPTIONAL,
certificates Certificates OPTIONAL certificates Certificates OPTIONAL
} }
Certificates ::= SEQUENCE { Certificates ::= SEQUENCE {
pKC [0] Certificate OPTIONAL, pKC [0] Certificate OPTIONAL,
-- See [PROFILE] -- See RFC 5280
aC [1] SEQUENCE SIZE (1.. MAX) OF aC [1] SEQUENCE SIZE (1.. MAX) OF
AttributeCertificate OPTIONAL, AttributeCertificate OPTIONAL,
-- See [ACPROF] -- See RFC 3281
certPath [2] CertificateSet OPTIONAL certPath [2] CertificateSet OPTIONAL
-- From [CMS] -- From RFC 3852
} }
-- This defines the Delete GL Member control attribute -- This defines the Delete GL Member control attribute
skd-glDeleteMember CMC-CONTROL ::= skd-glDeleteMember CMC-CONTROL ::=
{ GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember } { GLDeleteMember IDENTIFIED BY id-skd-glDeleteMember }
id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4} id-skd-glDeleteMember OBJECT IDENTIFIER ::= { id-skd 4}
GLDeleteMember ::= SEQUENCE { GLDeleteMember ::= SEQUENCE {
skipping to change at page 57, line 4 skipping to change at page 57, line 42
mechanisms(5) pkix(7) cmc(7) glaRR(99) } mechanisms(5) pkix(7) cmc(7) glaRR(99) }
-- This defines the Algorithm Request -- This defines the Algorithm Request
skd-AlgRequest SKD-QUERY ::= { skd-AlgRequest SKD-QUERY ::= {
SKDAlgRequest IDENTIFIED BY id-cmc-gla-skdAlgRequest SKDAlgRequest IDENTIFIED BY id-cmc-gla-skdAlgRequest
} }
id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 } id-cmc-gla-skdAlgRequest OBJECT IDENTIFIER ::= { id-cmc-glaRR 1 }
SKDAlgRequest ::= NULL SKDAlgRequest ::= NULL
-- This defines the Algorithm Response -- This defines the Algorithm Response
skd-AlgResponse SKD-RESPONSE ::= { skd-AlgResponse SKD-RESPONSE ::= {
SMIMECapability{{SKD-Caps}} IDENTIFIED BY SMIMECapability{{SKD-Caps}} IDENTIFIED BY
id-cmc-gla-skdAlgResponse id-cmc-gla-skdAlgResponse
} }
id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 } id-cmc-gla-skdAlgResponse OBJECT IDENTIFIER ::= { id-cmc-glaRR 2 }
-- Note that the response for algorithmSupported request is the -- Note that the response for algorithmSupported request is the
-- smimeCapabilities attribute as defined in MsgSpec [MSG]. -- smimeCapabilities attribute as defined in RFC 3851.
-- This defines the control attribute to request an updated -- This defines the control attribute to request an updated
-- certificate to the GLA. -- certificate to the GLA.
skd-glProvideCert CMC-CONTROL ::= skd-glProvideCert CMC-CONTROL ::=
{ GLManageCert IDENTIFIED BY id-skd-glProvideCert } { GLManageCert IDENTIFIED BY id-skd-glProvideCert }
id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13} id-skd-glProvideCert OBJECT IDENTIFIER ::= { id-skd 13}
GLManageCert ::= SEQUENCE { GLManageCert ::= SEQUENCE {
glName GeneralName, glName GeneralName,
skipping to change at page 57, line 46 skipping to change at page 58, line 38
-- This defines the control attribute to distribute the GL shared -- This defines the control attribute to distribute the GL shared
-- KEK. -- KEK.
skd-glKey CMC-CONTROL ::= skd-glKey CMC-CONTROL ::=
{ GLKey IDENTIFIED BY id-skd-glKey } { GLKey IDENTIFIED BY id-skd-glKey }
id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15} id-skd-glKey OBJECT IDENTIFIER ::= { id-skd 15}
GLKey ::= SEQUENCE { GLKey ::= SEQUENCE {
glName GeneralName, glName GeneralName,
glIdentifier KEKIdentifier, -- See [CMS] glIdentifier KEKIdentifier, -- See RFC 3852
glkWrapped RecipientInfos, -- See [CMS] glkWrapped RecipientInfos, -- See RFC 3852
glkAlgorithm KeyWrapAlgorithm, glkAlgorithm KeyWrapAlgorithm,
glkNotBefore GeneralizedTime, glkNotBefore GeneralizedTime,
glkNotAfter GeneralizedTime glkNotAfter GeneralizedTime
} }
-- This defines the CMC error types -- This defines the CMC error types
skd-ExtendedFailures EXTENDED-FAILURE-INFO ::= { skd-ExtendedFailures EXTENDED-FAILURE-INFO ::= {
SKDFailInfo IDENTIFIED BY id-cet-skdFailInfo SKDFailInfo IDENTIFIED BY id-cet-skdFailInfo
} }
id-cet-skdFailInfo OBJECT IDENTIFIER ::= id-cet-skdFailInfo OBJECT IDENTIFIER ::=
{ iso(1) identified-organization(3) dod(6) internet(1) security(5) { iso(1) identified-organization(3) dod(6) internet(1) security(5)
mechanisms(5) pkix(7) cet(15) skdFailInfo(1) } mechanisms(5) pkix(7) cet(15) skdFailInfo(1) }
skipping to change at page 58, line 43 skipping to change at page 59, line 36
13. Security Considerations 13. Security Considerations
Even though all the RFCs in this document are security-related, the Even though all the RFCs in this document are security-related, the
document itself does not have any security considerations. The ASN.1 document itself does not have any security considerations. The ASN.1
modules keep the same bits-on-the-wire as the modules that they modules keep the same bits-on-the-wire as the modules that they
replace. replace.
14. Normative References 14. Normative References
[ASN1-2002] [ASN1-2002]
ITU-T, "ITU-T Recommendation X.680 Information technology ITU-T, "ITU-T Recommendation X.680, X.681, X.682, and
[ETH] Abstract Syntax Notation One (ASN.1): Specification X.683", ITU-T X.680, X.681, X.682, and X.683, 2002.
of basic notation", ITU-T X.680, 2002.
[NEW-PKIX] [NEW-PKIX]
Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX", Hoffman, P. and J. Schaad, "New ASN.1 Modules for PKIX",
draft-ietf-pkix-new-asn1 (work in progress), draft-ietf-pkix-new-asn1 (work in progress),
December 2007. December 2007.
[RFC3370] Housley, R., "Cryptographic Message Syntax (CMS) [RFC3370] Housley, R., "Cryptographic Message Syntax (CMS)
Algorithms", RFC 3370, August 2002. Algorithms", RFC 3370, August 2002.
[RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES) [RFC3565] Schaad, J., "Use of the Advanced Encryption Standard (AES)
skipping to change at page 60, line 36 skipping to change at page 61, line 27
Added design notes. Added design notes.
Removed issue on "Algorithm Structure" and issue on "More Modules To Removed issue on "Algorithm Structure" and issue on "More Modules To
Be Added". Be Added".
Updated all modules to use objects more deeply. Updated all modules to use objects more deeply.
In section 6, changed "PKCS #10" to "PKCS #7" to reflect the actual In section 6, changed "PKCS #10" to "PKCS #7" to reflect the actual
module where the changes were made. module where the changes were made.
A.4. Changes between draft-ietf-smime-new-asn1-02 and -03
Many cosmetic-only changes to the modules.
Changed some multi-word keywords to hypenated (such as "SMIME CAPS"
to "SMIME-CAPS").
Updated the reference of X.680 to X.680, X.681, X.682, and X.683.
Authors' Addresses Authors' Addresses
Paul Hoffman Paul Hoffman
VPN Consortium VPN Consortium
127 Segre Place 127 Segre Place
Santa Cruz, CA 95060 Santa Cruz, CA 95060
US US
Phone: 1-831-426-9827 Phone: 1-831-426-9827
Email: paul.hoffman@vpnc.org Email: paul.hoffman@vpnc.org
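Review bot: The new A.4 entry summarizes the -02 to -03 delta as "Many cosmetic-only changes to the modules", but the diff also replaces cea-aes128-cbc, cea-aes192-cbc and cea-aes256-cbc with kwa-aes128-wrap, kwa-aes192-wrap and kwa-aes256-wrap in the RFC 5275 module's imports and in SKD-Caps. That is a change of algorithm set, not a cosmetic one, and should be listed here so implementers see it. Also, "hypenated" should be "hyphenated".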
 End of changes. 300 change blocks. 
447 lines changed or deleted 453 lines changed or added

This html diff was produced by rfcdiff 1.35. The latest version is available from http://tools.ietf.org/tools/rfcdiff/