-- from pkisv10.pdf
-- you can find this document at https://web.archive.org/web/19990224174228/http://www.developer.novell.com/repository/attributes/certattrs_v10.htm

PKIS { joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719) } DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- ASN.1 Definition of Useful Attributes

-- The following are useful Novell OIDs, etc.
novell OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719)}
applications OBJECT IDENTIFIER ::= {novell applications(1) }
pki OBJECT IDENTIFIER ::= {applications pki(9) }
pkiAttributeType OBJECT IDENTIFIER ::= {pki at(4) }
pkiAttributeSyntax OBJECT IDENTIFIER ::= {pki at(5) }
pkiObjectClass OBJECT IDENTIFIER ::= {pki at(6) }

-- The following unique PKI attributes are hereby defined under the novell applications pki arc:
pa-sa OBJECT IDENTIFIER ::= { pkiAttributeType (1) }
 -- securityAttributes
 -- 2.16.840.113719.1.9.4.1

pa-rl OBJECT IDENTIFIER ::= { pkiAttributeType (2) }
 -- relianceLimit
 -- 2.16.840.113719.1.9.4.2

SecurityAttributes ::= SEQUENCE {
 versionNumber OCTET STRING (SIZE (2)),
  -- The initial value should be (01 00)
  -- The first octet is the major version,
  -- the second octet is the minor version number.
 nSI BOOLEAN (TRUE),
  -- NSI = “Nonverified Subscriber Information”
  -- If FALSE, it means that the CA issuing
  -- a certificate HAS verified the validity
  -- of ALL of the values contained
  -- within the Novell Security Attributes
  -- using appropriate means as defined
  -- for example in their Certificate Policy
  -- and/or Certificate Practice Statement
  -- If TRUE, it means that the subscriber
  -- requesting the certificate has represented
  -- to the CA that the extension defined
  -- is valid and correct, but that the CA
  -- has not independently validated the accuracy
  -- of the attribute. Note that in no case may
  -- the CA issue a certificate containing an
  -- extension which it has reason to
  -- believe is not accurate at the time of
  -- issuance, except for test certificates
  -- which are identified as such in the
  -- Certificate class attribute (by setting
  -- the certificateValid flag to FALSE.)
 securityTM PrintableString ("Novell Security Attribute(tm)"),
  -- Note: Since the “Novell Security
  -- Attribute(tm)” string is trademarked, if
  -- it is displayed visually to the user it
  -- must be presented exactly as shown,
  -- in English, even in non-English
  -- implementations. A translation of the
  -- phrase may be displayed to the user
  -- in addition, if desired.
  -- Vendors who license the use of the term
  -- must agree to check for the presence of
  -- this string in any attribute defined (by its
  -- OID) as a Novell Security attribute
 uriReference IA5String,
  -- The initial value should be set to (“http://developer.novell.com/repository/attributes/certattrs_v10.htm”),
  -- This attribute will be included in all
  -- NICI and PKIS certificates.
  -- Novell will maintain a copy of this
  -- document or other suitable definition
  -- at that location.
 gLBExtensions GLBExtensions
}

GLBExtensions::=SEQUENCE{
  -- These are the extensions over which the
  -- Greatest Lower Bound is computed within NICI.
 keyQuality [0] IMPLICIT KeyQuality,
 cryptoProcessQuality [1] IMPLICIT CryptoProcessQuality,
 certificateClass [2] IMPLICIT CertificateClass,
 enterpriseId [3] IMPLICIT EnterpriseId
}

-- ASN.1 Definitions of Key Quality and Crypto Process Quality Attributes:
KeyQuality ::= Quality
CryptoProcessQuality ::= Quality

Quality ::= SEQUENCE {
 enforceQuality BOOLEAN,
  -- If TRUE, the explicit attributes compusecQuality,
  -- cryptoQuality, and keyStorageQuality, plus the
  -- implicit attributes algorithmType and keyLength
  -- are either enforced at all times, or a dynamic low
  -- water mark (Greatest Lower Bound)may be maintained.
  -- I.e., if enforceQuality is TRUE for the
  -- keyQuality attribute, the key must never be
  -- allowed to be transported to and/or used on any
  -- platform that does not meet the minimum
  -- criteria, and hence enforceQuality must be TRUE for
  -- the cryptoProcessQuality as well
  -- If enforceQuality is FALSE for keyQuality, but
  -- TRUE for cryptoProcessQuality, then the
  -- operating system has not enforced the criteria
  -- in any technical sense, but the subscriber
  -- is nonetheless representing that the minimum
  -- criteria will be maintained,
  -- e.g., by manual or procedural controls.
  -- For PKIS and NICI versions 1.0, enforceQuality
  -- must be set to FALSE in the keyQuality attribute.
 compusecQuality     CompusecQuality,
 cryptoQuality       CryptoQuality,
 keyStorageQuality   INTEGER (0..255) -- See definitions in Appendix C
}

CompusecQuality ::= SEQUENCE SIZE (1..1)
                    OF CompusecQualityPair
  -- Multiple pairs of {Criteria, Rating} are allowed
  -- In the first release, only one pair(TCSEC criteria)is provided

CompusecQualityPair ::= SEQUENCE {
 compusecCriteria INTEGER(0..255),
  -- The default should be 1, but DEFAULT implies OPTIONAL, which
  -- is not the intent. So the value has to be coded explicitly.
  -- 0= Reserved (encoding error)
  -- 1= Trusted Computer Security Evaluation Criteria (TCSEC)
  -- 2= International Trusted Security Evaluation Criteria (ITSEC)
  -- 3= Common Criteria
  -- all others reserved
 compusecRating INTEGER (0..255)
  -- the compusecRating is in accordance with the specified
  -- compusecCriteria for each pair in the sequence
  -- Defined values for ratings for components and systems formally
  -- evaluated in accordance with the Trusted Computer Security
  -- Evaluation Criteria and the Trusted Network Interpretation
  -- (Red Book) are provided in Appendix A.
}

CryptoQuality ::= SEQUENCE SIZE (1..1)
                  OF CryptoQualityPair
  -- Multiple pairs of {Criteria, Rating} are allowed.
  -- In the initial release, only one pair is provided.

CryptoQualityPair ::= SEQUENCE {
 cryptoModuleCriteria INTEGER(0..255),
  -- The default should be 1, but DEFAULT implies OPTIONAL, which
  -- is not the intent. So the value has to be coded explicitly.
  -- 1 = FIPS 140-1
  -- all others reserved
 cryptoModuleRating INTEGER (0..255)
  -- the cryptoModuleRating value is in accordance with
  -- the specified cryptoModuleCriteria for each pair
  -- FIPS 140-1 ratings definitions:
  -- 0 = Reserved (encoding error)
  -- 1 = unevaluated/unknown,
  -- all others—see Appendix B
}

-- ASN.1 Definition of Certificate Class Attribute:

CertificateClass ::= SEQUENCE {
 classValue       INTEGER (0..255),
  -- Defined class values are contained in Appendix C
 certificateValid       BOOLEAN
  -- The default should be true, but DEFAULT is OPTIONAL
  -- which would make the GLB computation awkward.
  -- See Section 5 and the footnote for a discussion.
}

-- ASN.1 Definition of Enterprise Identifier Attribute:

EnterpriseId ::= SEQUENCE {
 rootLabel [0] IMPLICIT SecurityLabelType1,
 registryLabel [1] IMPLICIT SecurityLabelType1,
 enterpriseLabel [2] IMPLICIT SEQUENCE SIZE (1..1) OF SecurityLabelType1
}

SecurityLabelType1 ::= SEQUENCE {
 labelType1 INTEGER (0..255),
  -- The default should be 2, but DEFAULT implies OPTIONAL, which
  -- is not the intent. So the value has to be coded explicitly.
  -- Note that the label type for Version 1
  -- of Graded Authentication is 0 or 1.
  -- Byte sizes and reserved fields are omitted,
  -- because they are derivable from the ASN.1.
 secrecyLevel1 INTEGER (0..255),
  -- The default should be 0, but DEFAULT implies OPTIONAL, which
  -- is not the intent. So the value has to be coded explicitly.
  -- 0 = low secrecy, 255 = high secrecy
  -- It seems highly unlikely anyone would ever
  -- need more than 255 secrecy levels
 integrityLevel1      INTEGER (0..255),
  -- The default should be 0, but DEFAULT implies OPTIONAL, which
  -- is not the intent. So the value has to be coded explicitly.
  -- NOTE! 255 = low integrity, 0 = high integrity!
  -- It seems highly unlikely anyone would ever
  -- need more than 255 integrity levels
 secrecyCategories1   BIT STRING (SIZE(96)),
  -- The default should be FALSE, but DEFAULT implies OPTIONAL,
  -- which is not the intent. So the value has to be coded
  -- explicitly.
  -- 96 secrecy categories, 0 origin indexing
 integrityCategories1 BIT STRING (SIZE(64)),
  -- The default should be FALSE, but DEFAULT implies OPTIONAL,
  -- which is not the intent. So the value has to be coded
  -- explicitly.
  -- 64 integrity categories, 0 origin indexing
 secrecySingletons1 Singletons,
 integritySingletons1 Singletons
}

-- (removed the unused definition of SecurityLabelType2)

Singletons ::= SEQUENCE SIZE (1..16) OF SingletonChoice
  -- Presently up to 16 singletons or singleton ranges
  -- can be defined within one security label. This
  -- is completely arbitrary and can be easily changed,
  -- but it seems reasonable. Note that no more space
  -- is taken in the ASN.1 DER encoding than is actually
  -- required.

SingletonChoice ::= CHOICE {
 uniqueSingleton     INTEGER (0..9223372036854775807),
  -- The implied value of the singleton being
  -- specified in this case is TRUE.
  -- Note that there isn’t any way to set a
  -- singleton value to FALSE, except by using the
  -- SingletonRange functions with identical lower
  -- and upper bounds.
 singletonRange      SingletonRange
}

SingletonRange ::= SEQUENCE {
 singletonLowerBound INTEGER (0..9223372036854775807),
  -- The default should be 0, but DEFAULT implies OPTIONAL,
  -- which is not the intent. So the value has to be coded
  -- explicitly.
  -- Lower bound of a range of singletons
  -- to be set to the singletonValue specified

 singletonUpperBound INTEGER (0..9223372036854775807),
  -- The default should be 9223372036854775807,
  -- but DEFAULT implies OPTIONAL,
  -- which is not the intent. So the value has to be coded
  -- explicitly.
  -- Upper bound of a range of singletons
  -- to be set to the singletonValue specified
 singletonValue BOOLEAN
  -- An entire range of singletons can be set to
  -- either TRUE or FALSE.
  -- Note that singletonRanges are allowed to overlap,
  -- and in particular that a uniqueSingleton can
  -- reset a singleton value already set by a
  -- singletonRange, and vice versa.
  -- The uniqueSingleton and singletonRanges are applied
  -- consecutively, from the lower bound of SEQUENCE (1)
  -- to the upper bound.
}

-- ASN.1 Definition of Reliance Limit Attribute:

-- relianceLimits EXTENSION ::= { SYNTAX RelianceLimits IDENTIFIED BY {pa-rl) }
-- 2.16.840.113719.1.9.4.2

RelianceLimits ::= SEQUENCE {
 perTransactionLimit MonetaryValue,
 perCertificateLimit MonetaryValue
}

MonetaryValue ::= SEQUENCE { -- from SET and draft ANSI X9.45
 currency Currency,
 amount INTEGER, -- value is amount * (10 ** amtExp10), an exact representation
 amtExp10 INTEGER
}

Currency ::= INTEGER (1..999)
-- currency denomination from ISO 4217
-- cf. Appendix E for the numeric currency codes and their
-- alphabetic (display) equivalents.
-- US Dollar (USD) is 840.
-- Euro (EUR) is 978.

END