-- Module CertificateExtensions (X.509:08/2005) CertificateExtensions {joint-iso-itu-t ds(5) module(1) certificateExtensions(26) 5} DEFINITIONS IMPLICIT TAGS ::= BEGIN -- EXPORTS ALL IMPORTS id-at, id-ce, id-mr, informationFramework, authenticationFramework, selectedAttributeTypes, upperBounds FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1) usefulDefinitions(0) 5} Name, RelativeDistinguishedName, ATTRIBUTE, Attribute, MATCHING-RULE FROM InformationFramework informationFramework CertificateSerialNumber, CertificateList, AlgorithmIdentifier, EXTENSION, Time, PolicyID FROM AuthenticationFramework authenticationFramework DirectoryString{} FROM SelectedAttributeTypes selectedAttributeTypes ub-name FROM UpperBounds upperBounds ORAddress FROM MTSAbstractService {joint-iso-itu-t mhs(6) mts(3) modules(0) mts-abstract-service(1) version-1999(1)}; -- Unless explicitly noted otherwise, there is no significance to the ordering -- of components of a SEQUENCE OF construct in this Specification. -- public-key certificate and CRL extensions authorityKeyIdentifier EXTENSION ::= { SYNTAX AuthorityKeyIdentifier IDENTIFIED BY id-ce-authorityKeyIdentifier } AuthorityKeyIdentifier ::= SEQUENCE { keyIdentifier [0] KeyIdentifier OPTIONAL, authorityCertIssuer [1] GeneralNames OPTIONAL, authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL } (WITH COMPONENTS { ..., authorityCertIssuer PRESENT, authorityCertSerialNumber PRESENT } | WITH COMPONENTS { ..., authorityCertIssuer ABSENT, authorityCertSerialNumber ABSENT }) KeyIdentifier ::= OCTET STRING subjectKeyIdentifier EXTENSION ::= { SYNTAX SubjectKeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier } SubjectKeyIdentifier ::= KeyIdentifier keyUsage EXTENSION ::= {SYNTAX KeyUsage IDENTIFIED BY id-ce-keyUsage } KeyUsage ::= BIT STRING { digitalSignature(0), contentCommitment(1), keyEncipherment(2), dataEncipherment(3), keyAgreement(4), keyCertSign(5), cRLSign(6), encipherOnly(7), decipherOnly(8)} extKeyUsage EXTENSION ::= { SYNTAX SEQUENCE SIZE (1..MAX) OF KeyPurposeId IDENTIFIED BY id-ce-extKeyUsage } KeyPurposeId ::= OBJECT IDENTIFIER KeyPurposeIDs ::= SEQUENCE OF KeyPurposeId privateKeyUsagePeriod EXTENSION ::= { SYNTAX PrivateKeyUsagePeriod IDENTIFIED BY id-ce-privateKeyUsagePeriod } PrivateKeyUsagePeriod ::= SEQUENCE { notBefore [0] GeneralizedTime OPTIONAL, notAfter [1] GeneralizedTime OPTIONAL } (WITH COMPONENTS { ..., notBefore PRESENT } | WITH COMPONENTS { ..., notAfter PRESENT }) certificatePolicies EXTENSION ::= { SYNTAX CertificatePoliciesSyntax IDENTIFIED BY id-ce-certificatePolicies } CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation PolicyInformation ::= SEQUENCE { policyIdentifier CertPolicyId, policyQualifiers SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL } CertPolicyId ::= OBJECT IDENTIFIER PolicyQualifierInfo ::= SEQUENCE { policyQualifierId CERT-POLICY-QUALIFIER.&id({SupportedPolicyQualifiers}), qualifier CERT-POLICY-QUALIFIER.&Qualifier ({SupportedPolicyQualifiers}{@policyQualifierId}) OPTIONAL } SupportedPolicyQualifiers CERT-POLICY-QUALIFIER ::= {...} anyPolicy OBJECT IDENTIFIER ::= {2 5 29 32 0} CERT-POLICY-QUALIFIER ::= CLASS { &id OBJECT IDENTIFIER UNIQUE, &Qualifier OPTIONAL }WITH SYNTAX {POLICY-QUALIFIER-ID &id [QUALIFIER-TYPE &Qualifier] } policyMappings EXTENSION ::= { SYNTAX PolicyMappingsSyntax IDENTIFIED BY id-ce-policyMappings } PolicyMappingsSyntax ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {issuerDomainPolicy CertPolicyId, subjectDomainPolicy CertPolicyId} subjectAltName EXTENSION ::= { SYNTAX GeneralNames IDENTIFIED BY id-ce-subjectAltName } GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName GeneralName ::= CHOICE { otherName [0] -- INSTANCE OF OTHER-NAME-- OtherName, rfc822Name [1] IA5String, dNSName [2] IA5String, x400Address [3] ORAddress, directoryName [4] Name, ediPartyName [5] EDIPartyName, uniformResourceIdentifier [6] IA5String, iPAddress [7] OCTET STRING, registeredID [8] OBJECT IDENTIFIER } -- OTHER-NAME ::= TYPE-IDENTIFIER OtherName ::= SEQUENCE { type-id OtherNameType, value [0] EXPLICIT OtherNameValue } OtherNameType ::= OBJECT IDENTIFIER OtherNameValue ::= ANY EDIPartyName ::= SEQUENCE { nameAssigner [0] DirectoryString{ub-name} OPTIONAL, partyName [1] DirectoryString{ub-name} } issuerAltName EXTENSION ::= { SYNTAX GeneralNames IDENTIFIED BY id-ce-issuerAltName } subjectDirectoryAttributes EXTENSION ::= { SYNTAX AttributesSyntax IDENTIFIED BY id-ce-subjectDirectoryAttributes } AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute basicConstraints EXTENSION ::= { SYNTAX BasicConstraintsSyntax IDENTIFIED BY id-ce-basicConstraints } BasicConstraintsSyntax ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER(0..MAX) OPTIONAL } nameConstraints EXTENSION ::= { SYNTAX NameConstraintsSyntax IDENTIFIED BY id-ce-nameConstraints } NameConstraintsSyntax ::= SEQUENCE { permittedSubtrees [0] GeneralSubtrees OPTIONAL, excludedSubtrees [1] GeneralSubtrees OPTIONAL }(-- ALL EXCEPT -- ({ --none; at least one component shall be present--})) GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree GeneralSubtree ::= SEQUENCE { base GeneralName, minimum [0] BaseDistance DEFAULT 0, maximum [1] BaseDistance OPTIONAL } BaseDistance ::= INTEGER(0..MAX) policyConstraints EXTENSION ::= { SYNTAX PolicyConstraintsSyntax IDENTIFIED BY id-ce-policyConstraints } PolicyConstraintsSyntax ::= SEQUENCE { requireExplicitPolicy [0] SkipCerts OPTIONAL, inhibitPolicyMapping [1] SkipCerts OPTIONAL } SkipCerts ::= INTEGER(0..MAX) cRLNumber EXTENSION ::= { SYNTAX CRLNumber IDENTIFIED BY id-ce-cRLNumber } CRLNumber ::= INTEGER(0..MAX) reasonCode EXTENSION ::= { SYNTAX CRLReason IDENTIFIED BY id-ce-reasonCode } CRLReason ::= ENUMERATED { unspecified(0), keyCompromise(1), cACompromise(2), affiliationChanged(3), superseded(4), cessationOfOperation(5), certificateHold(6), removeFromCRL(8), privilegeWithdrawn(9), aaCompromise(10)} holdInstructionCode EXTENSION ::= { SYNTAX HoldInstruction IDENTIFIED BY id-ce-instructionCode } HoldInstruction ::= OBJECT IDENTIFIER invalidityDate EXTENSION ::= { SYNTAX GeneralizedTime IDENTIFIED BY id-ce-invalidityDate } crlScope EXTENSION ::= { SYNTAX CRLScopeSyntax IDENTIFIED BY id-ce-cRLScope } CRLScopeSyntax ::= SEQUENCE SIZE (1..MAX) OF PerAuthorityScope PerAuthorityScope ::= SEQUENCE { authorityName [0] GeneralName OPTIONAL, distributionPoint [1] DistributionPointName OPTIONAL, onlyContains [2] OnlyCertificateTypes OPTIONAL, onlySomeReasons [4] ReasonFlags OPTIONAL, serialNumberRange [5] NumberRange OPTIONAL, subjectKeyIdRange [6] NumberRange OPTIONAL, nameSubtrees [7] GeneralNames OPTIONAL, baseRevocationInfo [9] BaseRevocationInfo OPTIONAL } OnlyCertificateTypes ::= BIT STRING {user(0), authority(1), attribute(2)} NumberRange ::= SEQUENCE { startingNumber [0] INTEGER OPTIONAL, endingNumber [1] INTEGER OPTIONAL, modulus INTEGER OPTIONAL } BaseRevocationInfo ::= SEQUENCE { cRLStreamIdentifier [0] CRLStreamIdentifier OPTIONAL, cRLNumber [1] CRLNumber, baseThisUpdate [2] GeneralizedTime } statusReferrals EXTENSION ::= { SYNTAX StatusReferrals IDENTIFIED BY id-ce-statusReferrals } StatusReferrals ::= SEQUENCE SIZE (1..MAX) OF StatusReferral StatusReferral ::= CHOICE { cRLReferral [0] CRLReferral -- otherReferral [1] INSTANCE OF OTHER-REFERRAL } CRLReferral ::= SEQUENCE { issuer [0] GeneralName OPTIONAL, location [1] GeneralName OPTIONAL, deltaRefInfo [2] DeltaRefInfo OPTIONAL, cRLScope CRLScopeSyntax, lastUpdate [3] GeneralizedTime OPTIONAL, lastChangedCRL [4] GeneralizedTime OPTIONAL } DeltaRefInfo ::= SEQUENCE { deltaLocation GeneralName, lastDelta GeneralizedTime OPTIONAL } --OTHER-REFERRAL ::= TYPE-IDENTIFIER -- cRLStreamIdentifier EXTENSION ::= { SYNTAX CRLStreamIdentifier IDENTIFIED BY id-ce-cRLStreamIdentifier } CRLStreamIdentifier ::= INTEGER(0..MAX) orderedList EXTENSION ::= { SYNTAX OrderedListSyntax IDENTIFIED BY id-ce-orderedList } OrderedListSyntax ::= ENUMERATED {ascSerialNum(0), ascRevDate(1)} deltaInfo EXTENSION ::= { SYNTAX DeltaInformation IDENTIFIED BY id-ce-deltaInfo } DeltaInformation ::= SEQUENCE { deltaLocation GeneralName, nextDelta GeneralizedTime OPTIONAL } cRLDistributionPoints EXTENSION ::= { SYNTAX CRLDistPointsSyntax IDENTIFIED BY id-ce-cRLDistributionPoints } CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint DistributionPoint ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, reasons [1] ReasonFlags OPTIONAL, cRLIssuer [2] GeneralNames OPTIONAL } DistributionPointName ::= CHOICE { fullName [0] GeneralNames, nameRelativeToCRLIssuer [1] RelativeDistinguishedName } ReasonFlags ::= BIT STRING { unused(0), keyCompromise(1), cACompromise(2), affiliationChanged(3), superseded(4), cessationOfOperation(5), certificateHold(6), privilegeWithdrawn(7), aACompromise(8)} issuingDistributionPoint EXTENSION ::= { SYNTAX IssuingDistPointSyntax IDENTIFIED BY id-ce-issuingDistributionPoint } IssuingDistPointSyntax ::= SEQUENCE { -- If onlyContainsUserPublicKeyCerts and onlyContainsCACerts are both FALSE, -- the CRL covers both certificate types distributionPoint [0] DistributionPointName OPTIONAL, onlyContainsUserPublicKeyCerts [1] BOOLEAN DEFAULT FALSE, onlyContainsCACerts [2] BOOLEAN DEFAULT FALSE, onlySomeReasons [3] ReasonFlags OPTIONAL, indirectCRL [4] BOOLEAN DEFAULT FALSE } certificateIssuer EXTENSION ::= { SYNTAX GeneralNames IDENTIFIED BY id-ce-certificateIssuer } deltaCRLIndicator EXTENSION ::= { SYNTAX BaseCRLNumber IDENTIFIED BY id-ce-deltaCRLIndicator } BaseCRLNumber ::= CRLNumber toBeRevoked EXTENSION ::= { SYNTAX ToBeRevokedSyntax IDENTIFIED BY id-ce-toBeRevoked } ToBeRevokedSyntax ::= SEQUENCE SIZE (1..MAX) OF ToBeRevokedGroup ToBeRevokedGroup ::= SEQUENCE { certificateIssuer [0] GeneralName OPTIONAL, reasonInfo [1] ReasonInfo OPTIONAL, revocationTime GeneralizedTime, certificateGroup CertificateGroup } ReasonInfo ::= SEQUENCE { reasonCode CRLReason, holdInstructionCode HoldInstruction OPTIONAL } CertificateGroup ::= CHOICE { serialNumbers [0] CertificateSerialNumbers, serialNumberRange [1] CertificateGroupNumberRange, nameSubtree [2] GeneralName } CertificateGroupNumberRange ::= SEQUENCE { startingNumber [0] INTEGER, endingNumber [1] INTEGER } CertificateSerialNumbers ::= SEQUENCE SIZE (1..MAX) OF CertificateSerialNumber revokedGroups EXTENSION ::= { SYNTAX RevokedGroupsSyntax IDENTIFIED BY id-ce-RevokedGroups } RevokedGroupsSyntax ::= SEQUENCE SIZE (1..MAX) OF RevokedGroup RevokedGroup ::= SEQUENCE { certificateIssuer [0] GeneralName OPTIONAL, reasonInfo [1] ReasonInfo OPTIONAL, invalidityDate [2] GeneralizedTime OPTIONAL, revokedcertificateGroup [3] RevokedCertificateGroup } RevokedCertificateGroup ::= CHOICE { serialNumberRange NumberRange, nameSubtree GeneralName } expiredCertsOnCRL EXTENSION ::= { SYNTAX ExpiredCertsOnCRL IDENTIFIED BY id-ce-expiredCertsOnCRL } ExpiredCertsOnCRL ::= GeneralizedTime baseUpdateTime EXTENSION ::= { SYNTAX GeneralizedTime IDENTIFIED BY id-ce-baseUpdateTime } freshestCRL EXTENSION ::= { SYNTAX CRLDistPointsSyntax IDENTIFIED BY id-ce-freshestCRL } aAissuingDistributionPoint EXTENSION ::= { SYNTAX AAIssuingDistPointSyntax IDENTIFIED BY id-ce-aAissuingDistributionPoint } AAIssuingDistPointSyntax ::= SEQUENCE { distributionPoint [0] DistributionPointName OPTIONAL, onlySomeReasons [1] ReasonFlags OPTIONAL, indirectCRL [2] BOOLEAN DEFAULT FALSE, containsUserAttributeCerts [3] BOOLEAN DEFAULT TRUE, containsAACerts [4] BOOLEAN DEFAULT TRUE, containsSOAPublicKeyCerts [5] BOOLEAN DEFAULT TRUE } inhibitAnyPolicy EXTENSION ::= { SYNTAX SkipCerts IDENTIFIED BY id-ce-inhibitAnyPolicy } -- PKI matching rules certificateExactMatch MATCHING-RULE ::= { SYNTAX CertificateExactAssertion ID id-mr-certificateExactMatch } CertificateExactAssertion ::= SEQUENCE { serialNumber CertificateSerialNumber, issuer Name } certificateMatch MATCHING-RULE ::= { SYNTAX CertificateAssertion ID id-mr-certificateMatch } CertificateAssertion ::= SEQUENCE { serialNumber [0] CertificateSerialNumber OPTIONAL, issuer [1] Name OPTIONAL, subjectKeyIdentifier [2] SubjectKeyIdentifier OPTIONAL, authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL, certificateValid [4] Time OPTIONAL, privateKeyValid [5] GeneralizedTime OPTIONAL, subjectPublicKeyAlgID [6] OBJECT IDENTIFIER OPTIONAL, keyUsage [7] KeyUsage OPTIONAL, subjectAltName [8] AltNameType OPTIONAL, policy [9] CertPolicySet OPTIONAL, pathToName [10] Name OPTIONAL, subject [11] Name OPTIONAL, nameConstraints [12] NameConstraintsSyntax OPTIONAL } AltNameType ::= CHOICE { builtinNameForm ENUMERATED {rfc822Name(1), dNSName(2), x400Address(3), directoryName(4), ediPartyName(5), uniformResourceIdentifier(6), iPAddress(7), registeredId(8)}, otherNameForm OBJECT IDENTIFIER } CertPolicySet ::= SEQUENCE SIZE (1..MAX) OF CertPolicyId certificatePairExactMatch MATCHING-RULE ::= { SYNTAX CertificatePairExactAssertion ID id-mr-certificatePairExactMatch } CertificatePairExactAssertion ::= SEQUENCE { issuedToThisCAAssertion [0] CertificateExactAssertion OPTIONAL, issuedByThisCAAssertion [1] CertificateExactAssertion OPTIONAL } (WITH COMPONENTS { ..., issuedToThisCAAssertion PRESENT } | WITH COMPONENTS { ..., issuedByThisCAAssertion PRESENT }) certificatePairMatch MATCHING-RULE ::= { SYNTAX CertificatePairAssertion ID id-mr-certificatePairMatch } CertificatePairAssertion ::= SEQUENCE { issuedToThisCAAssertion [0] CertificateAssertion OPTIONAL, issuedByThisCAAssertion [1] CertificateAssertion OPTIONAL } (WITH COMPONENTS { ..., issuedToThisCAAssertion PRESENT } | WITH COMPONENTS { ..., issuedByThisCAAssertion PRESENT }) certificateListExactMatch MATCHING-RULE ::= { SYNTAX CertificateListExactAssertion ID id-mr-certificateListExactMatch } CertificateListExactAssertion ::= SEQUENCE { issuer Name, thisUpdate Time, distributionPoint DistributionPointName OPTIONAL } certificateListMatch MATCHING-RULE ::= { SYNTAX CertificateListAssertion ID id-mr-certificateListMatch } CertificateListAssertion ::= SEQUENCE { issuer Name OPTIONAL, minCRLNumber [0] CRLNumber OPTIONAL, maxCRLNumber [1] CRLNumber OPTIONAL, reasonFlags ReasonFlags OPTIONAL, dateAndTime Time OPTIONAL, distributionPoint [2] DistributionPointName OPTIONAL, authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL } algorithmIdentifierMatch MATCHING-RULE ::= { SYNTAX AlgorithmIdentifier ID id-mr-algorithmIdentifierMatch } policyMatch MATCHING-RULE ::= {SYNTAX PolicyID ID id-mr-policyMatch } pkiPathMatch MATCHING-RULE ::= { SYNTAX PkiPathMatchSyntax ID id-mr-pkiPathMatch } PkiPathMatchSyntax ::= SEQUENCE {firstIssuer Name, lastSubject Name } enhancedCertificateMatch MATCHING-RULE ::= { SYNTAX EnhancedCertificateAssertion ID id-mr-enhancedCertificateMatch } EnhancedCertificateAssertion ::= SEQUENCE { serialNumber [0] CertificateSerialNumber OPTIONAL, issuer [1] Name OPTIONAL, subjectKeyIdentifier [2] SubjectKeyIdentifier OPTIONAL, authorityKeyIdentifier [3] AuthorityKeyIdentifier OPTIONAL, certificateValid [4] Time OPTIONAL, privateKeyValid [5] GeneralizedTime OPTIONAL, subjectPublicKeyAlgID [6] OBJECT IDENTIFIER OPTIONAL, keyUsage [7] KeyUsage OPTIONAL, subjectAltName [8] AltName OPTIONAL, policy [9] CertPolicySet OPTIONAL, pathToName [10] GeneralNames OPTIONAL, subject [11] Name OPTIONAL, nameConstraints [12] NameConstraintsSyntax OPTIONAL }(--ALL EXCEPT-- ({ -- none; at least one component shall be present --})) AltName ::= SEQUENCE { altnameType AltNameType, altNameValue GeneralName OPTIONAL } -- Object identifier assignments id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9} id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14} id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15} id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16} id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17} id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18} id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19} id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20} id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21} id-ce-instructionCode OBJECT IDENTIFIER ::= {id-ce 23} id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24} id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27} id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28} id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29} id-ce-nameConstraints OBJECT IDENTIFIER ::= {id-ce 30} id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31} id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32} id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33} -- deprecated OBJECT IDENTIFIER ::= {id-ce 34} id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 35} id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36} id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37} id-ce-cRLStreamIdentifier OBJECT IDENTIFIER ::= {id-ce 40} id-ce-cRLScope OBJECT IDENTIFIER ::= {id-ce 44} id-ce-statusReferrals OBJECT IDENTIFIER ::= {id-ce 45} id-ce-freshestCRL OBJECT IDENTIFIER ::= {id-ce 46} id-ce-orderedList OBJECT IDENTIFIER ::= {id-ce 47} id-ce-baseUpdateTime OBJECT IDENTIFIER ::= {id-ce 51} id-ce-deltaInfo OBJECT IDENTIFIER ::= {id-ce 53} id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= {id-ce 54} id-ce-toBeRevoked OBJECT IDENTIFIER ::= {id-ce 58} id-ce-RevokedGroups OBJECT IDENTIFIER ::= {id-ce 59} id-ce-expiredCertsOnCRL OBJECT IDENTIFIER ::= {id-ce 60} id-ce-aAissuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 63} -- matching rule OIDs id-mr-certificateExactMatch OBJECT IDENTIFIER ::= {id-mr 34} id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35} id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36} id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37} id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38} id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39} id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40} id-mr-policyMatch OBJECT IDENTIFIER ::= {id-mr 60} id-mr-pkiPathMatch OBJECT IDENTIFIER ::= {id-mr 62} id-mr-enhancedCertificateMatch OBJECT IDENTIFIER ::= {id-mr 65} -- The following OBJECT IDENTIFIERS are not used by this Specification: -- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7}, -- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13}, -- {id-ce 22}, {id-ce 25}, {id-ce 26} -- Microsoft Certificate Extension CertificateTemplate ::= SEQUENCE { templateID OBJECT IDENTIFIER, templateMajorVersion INTEGER, templateMinorVersion INTEGER OPTIONAL } -- Entrust Certificate Extension EntrustVersionInfo ::= SEQUENCE { entrustVers GeneralString, entrustVersInfoFlags EntrustInfoFlags OPTIONAL } EntrustInfoFlags ::= BIT STRING { keyUpdateAllowed(0), newExtensions(1), pKIXCertificate(2), enterpriseCategory(3), webCategory(4), sETCategory(5) } END -- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D