PKIXAttributeCertificate {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-mod-attribute-cert(12)} DEFINITIONS IMPLICIT TAGS ::= BEGIN -- EXPORTS ALL -- IMPORTS -- IMPORTed module OIDs MAY change if [PKIXPROF] changes -- PKIX Certificate Extensions Attribute, AlgorithmIdentifier, CertificateSerialNumber, Extensions, UniqueIdentifier, id-pkix, id-pe, id-kp, id-ad, id-at FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6) internet(1) security(5) mechanisms(5) pkix(7) id-mod(0) id-pkix1-explicit-88(1)} GeneralName, GeneralNames, id-ce FROM CertificateExtensions {joint-iso-itu-t ds(5) module(1) certificateExtensions(26) 5} ; -- FROM PKIX1Implicit88 {iso(1) identified-organization(3) -- dod(6) internet(1) security(5) mechanisms(5) -- pkix(7) id-mod(0) id-pkix1-implicit-88(2)} ; id-pe-ac-auditIdentity OBJECT IDENTIFIER ::= { id-pe 4 } id-pe-aaControls OBJECT IDENTIFIER ::= { id-pe 6 } id-pe-ac-proxying OBJECT IDENTIFIER ::= { id-pe 10 } id-ce-targetInformation OBJECT IDENTIFIER ::= { id-ce 55 } id-aca OBJECT IDENTIFIER ::= { id-pkix 10 } id-aca-authenticationInfo OBJECT IDENTIFIER ::= { id-aca 1 } id-aca-accessIdentity OBJECT IDENTIFIER ::= { id-aca 2 } id-aca-chargingIdentity OBJECT IDENTIFIER ::= { id-aca 3 } id-aca-group OBJECT IDENTIFIER ::= { id-aca 4 } -- { id-aca 5 } is reserved id-aca-encAttrs OBJECT IDENTIFIER ::= { id-aca 6 } id-at-role OBJECT IDENTIFIER ::= { id-at 72} id-at-clearance OBJECT IDENTIFIER ::= { joint-iso-ccitt(2) ds(5) module(1) selected-attribute-types(5) clearance (55) } -- Uncomment this if using a 1988 level ASN.1 compiler -- UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING AttributeCertificate ::= SEQUENCE { acinfo AttributeCertificateInfo, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING } AttributeCertificateInfo ::= SEQUENCE { version AttCertVersion, -- version is v2 holder Holder, issuer AttCertIssuer, signature AlgorithmIdentifier, serialNumber CertificateSerialNumber, attrCertValidityPeriod AttCertValidityPeriod, attributes SEQUENCE OF Attribute, issuerUniqueID UniqueIdentifier OPTIONAL, extensions Extensions OPTIONAL } AttCertVersion ::= INTEGER { v2(1) } Holder ::= SEQUENCE { baseCertificateID [0] IssuerSerial OPTIONAL, -- the issuer and serial number of -- the holder's Public Key Certificate entityName [1] GeneralNames OPTIONAL, -- the name of the claimant or role objectDigestInfo [2] ObjectDigestInfo OPTIONAL -- used to directly authenticate the -- holder, for example, an executable } ObjectDigestInfo ::= SEQUENCE { digestedObjectType ENUMERATED { publicKey (0), publicKeyCert (1), otherObjectTypes (2) }, -- otherObjectTypes MUST NOT -- MUST NOT be used in this profile otherObjectTypeID OBJECT IDENTIFIER OPTIONAL, digestAlgorithm AlgorithmIdentifier, objectDigest BIT STRING } AttCertIssuer ::= CHOICE { v1Form GeneralNames, -- MUST NOT be used in this -- profile v2Form [0] V2Form -- v2 only } V2Form ::= SEQUENCE { issuerName GeneralNames OPTIONAL, baseCertificateID [0] IssuerSerial OPTIONAL, objectDigestInfo [1] ObjectDigestInfo OPTIONAL -- issuerName MUST be present in this profile -- baseCertificateID and objectDigestInfo MUST -- NOT be present in this profile } IssuerSerial ::= SEQUENCE { issuer GeneralNames, serial CertificateSerialNumber, issuerUID UniqueIdentifier OPTIONAL } AttCertValidityPeriod ::= SEQUENCE { notBeforeTime GeneralizedTime, notAfterTime GeneralizedTime } Targets ::= SEQUENCE OF Target Target ::= CHOICE { targetName [0] GeneralName, targetGroup [1] GeneralName, targetCert [2] TargetCert } TargetCert ::= SEQUENCE { targetCertificate IssuerSerial, targetName GeneralName OPTIONAL, certDigestInfo ObjectDigestInfo OPTIONAL } IetfAttrSyntax ::= SEQUENCE { policyAuthority[0] GeneralNames OPTIONAL, values SEQUENCE OF CHOICE { octets OCTET STRING, oid OBJECT IDENTIFIER, string UTF8String } } SvceAuthInfo ::= SEQUENCE { service GeneralName, ident GeneralName, authInfo OCTET STRING OPTIONAL } RoleSyntax ::= SEQUENCE { roleAuthority [0] GeneralNames OPTIONAL, roleName [1] GeneralName } Clearance ::= SEQUENCE { policyId OBJECT IDENTIFIER, classList ClassList DEFAULT {unclassified}, securityCategories SET OF SecurityCategory OPTIONAL } RFC3281Clearance ::= SEQUENCE { policyId [0] OBJECT IDENTIFIER, classList [1] ClassList DEFAULT {unclassified}, securityCategories [2] SET OF SecurityCategory OPTIONAL } ClassList ::= BIT STRING { unmarked (0), unclassified (1), restricted (2), confidential (3), secret (4), topSecret (5) } SecurityCategory ::= SEQUENCE { type [0] IMPLICIT OBJECT IDENTIFIER, value [1] ANY DEFINED BY type } AAControls ::= SEQUENCE { pathLenConstraint INTEGER (0..MAX) OPTIONAL, permittedAttrs [0] AttrSpec OPTIONAL, excludedAttrs [1] AttrSpec OPTIONAL, permitUnSpecified BOOLEAN DEFAULT TRUE } AttrSpec::= SEQUENCE OF OBJECT IDENTIFIER ACClearAttrs ::= SEQUENCE { acIssuer GeneralName, acSerial INTEGER, attrs SEQUENCE OF Attribute } ProxyInfo ::= SEQUENCE OF Targets END