path: root/asn1/pkixqualified/PKIXqualified.asn
-- This ASN definition is taken from (and modified to pass through asn2eth)
-- RFC3739
--
-- RFC3739 contains the following copyright statements:
-- 
-- Full Copyright Statement
-- 
--    Copyright (C) The Internet Society (2004).  This document is subject
--    to the rights, licenses and restrictions contained in BCP 78 and
--    except as set forth therein, the authors retain all their rights.
-- 
--    This document and the information contained herein are provided on an
--    "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
--    REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY AND THE
--    INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR
--    IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
--    THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
--    WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
-- 
-- Intellectual Property
-- 
--    The IETF takes no position regarding the validity or scope of any
--    Intellectual Property Rights or other rights that might be claimed
--    to pertain to the implementation or use of the technology
--    described in this document or the extent to which any license
--    under such rights might or might not be available; nor does it
--    represent that it has made any independent effort to identify any
--    such rights.  Information on the procedures with respect to
--    rights in RFC documents can be found in BCP 78 and BCP 79.
-- 
--    Copies of IPR disclosures made to the IETF Secretariat and any
--    assurances of licenses to be made available, or the result of an
--    attempt made to obtain a general license or permission for the use
--    of such proprietary rights by implementers or users of this
--    specification can be obtained from the IETF on-line IPR repository
--    at http://www.ietf.org/ipr.
-- 
--    The IETF invites any interested party to bring to its attention
--    any copyrights, patents or patent applications, or other
--    proprietary rights that may cover technology that may be required
--    to implement this standard.  Please address the information to the
--    IETF at ietf-ipr@ietf.org.
-- 
-- Acknowledgement
-- 
--    Funding for the RFC Editor function is currently provided by the
--    Internet Society.
-- 


   PKIXqualified97 {iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
       id-mod-qualified-cert-97(35) }

   DEFINITIONS EXPLICIT TAGS ::=

   BEGIN

   -- EXPORTS ALL --

   IMPORTS

   informationFramework, certificateExtensions, selectedAttributeTypes,
       authenticationFramework, upperBounds, id-at
       FROM UsefulDefinitions {joint-iso-itu-t(2) ds(5) module(1)
       usefulDefinitions(0) 3 }

   ub-name
       FROM UpperBounds upperBounds

   GeneralName
       FROM CertificateExtensions certificateExtensions

   ATTRIBUTE, AttributeType
       FROM InformationFramework informationFramework

   DirectoryString
       FROM SelectedAttributeTypes selectedAttributeTypes

   AlgorithmIdentifier, Extension, EXTENSION
       FROM AuthenticationFramework authenticationFramework

   id-pkix, id-pe
       FROM PKIX1Explicit88 { iso(1) identified-organization(3) dod(6)
       internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)
       id-pkix1-explicit(18) };

   -- Locally defined OIDs

   -- Arc for QC personal data attributes
--   id-pda  OBJECT IDENTIFIER ::= { id-pkix 9 }

   -- Arc for QC statements
--   id-qcs  OBJECT IDENTIFIER ::= { id-pkix 11 }

   -- Personal data attributes

--   id-pda-dateOfBirth          AttributeType ::= { id-pda 1 }
--   id-pda-placeOfBirth         AttributeType ::= { id-pda 2 }
--   id-pda-gender               AttributeType ::= { id-pda 3 }
--   id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }
--   id-pda-countryOfResidence   AttributeType ::= { id-pda 5 }

   -- Certificate extensions

--   id-pe-biometricInfo         OBJECT IDENTIFIER ::= { id-pe 2 }
--   id-pe-qcStatements          OBJECT IDENTIFIER ::= { id-pe 3 }

   -- QC statements

--   id-qcs-pkixQCSyntax-v1      OBJECT IDENTIFIER ::= { id-qcs 1 }
--   id-qcs-pkixQCSyntax-v2      OBJECT IDENTIFIER ::= { id-qcs 2 }

-- Local alias type assignments. Each name below refers to the built-in or
-- imported type with the same spelling in different case and adds no
-- constraint of its own.
-- NOTE(review): presumably these stand in for the commented-out personal
-- data attribute syntaxes (dateOfBirth, placeOfBirth, gender, country...)
-- so that the tool processing this module still gets named types; confirm.
-- The SIZE and alphabet limits shown in those commented-out definitions
-- (ub-name, SIZE(1), SIZE (2), FROM("M"|"F"|"m"|"f")) are NOT carried by
-- these aliases, so any code consuming the decoded values has to apply its
-- own length and content checks.
Generalizedtime ::= GeneralizedTime

-- Unparameterized reference to the imported DirectoryString.
Directorystring ::= DirectoryString

-- Unconstrained PrintableString.
Printablestring ::= PrintableString

   -- Personal data attributes
--
--   dateOfBirth ATTRIBUTE ::= {
--       WITH SYNTAX GeneralizedTime
--       ID          id-pda-dateOfBirth }
--
--   placeOfBirth ATTRIBUTE ::= {
--      WITH SYNTAX DirectoryString {ub-name}
--      ID          id-pda-placeOfBirth }
--
--   gender ATTRIBUTE ::= {
--       WITH SYNTAX PrintableString (SIZE(1) ^ FROM("M"|"F"|"m"|"f"))
--       ID          id-pda-gender }
--
--   countryOfCitizenship ATTRIBUTE ::= {
--       WITH SYNTAX PrintableString (SIZE (2))
--           (CONSTRAINED BY { })
--       ID          id-pda-countryOfCitizenship }
--
--   countryOfResidence ATTRIBUTE ::= {
--       WITH SYNTAX PrintableString (SIZE (2))
--           (CONSTRAINED BY { })
--       ID          id-pda-countryOfResidence }
--
   -- Certificate extensions

   -- Biometric info extension
--
--   biometricInfo  EXTENSION ::= {
--       SYNTAX             BiometricSyntax
--       IDENTIFIED BY      id-pe-biometricInfo }

   -- Syntax of the biometricInfo extension (see the commented-out EXTENSION
   -- assignment in this file): a list of BiometricData entries.
   -- No SIZE constraint is given, so an empty list is syntactically valid
   -- and the number of entries is bounded only by the consumer.
   BiometricSyntax ::= SEQUENCE OF BiometricData

   -- One biometric reference. The structure carries a hash of a biometric
   -- sample, not the sample itself; the first three components are
   -- mandatory and sourceDataUri is optional.
   BiometricData ::= SEQUENCE {
       -- Kind of biometric sample: predefined code or OID.
       typeOfBiometricData TypeOfBiometricData,
       -- Algorithm named by the certificate for biometricDataHash.
       -- NOTE(review): the value is chosen by the certificate, so a
       -- relying party should check it against its own list of
       -- acceptable hash algorithms before trusting a match; confirm
       -- where that policy is enforced.
       hashAlgorithm       AlgorithmIdentifier,
       -- Hash value; no SIZE constraint, length depends on hashAlgorithm.
       biometricDataHash   OCTET STRING,
       -- Optional pointer to the sample that was hashed.
       -- NOTE(review): this is certificate-supplied, untrusted input.
       -- A consumer that retrieves it should compare the retrieved data
       -- with biometricDataHash, and should not dereference it
       -- automatically while parsing or displaying a certificate.
       sourceDataUri       IA5String OPTIONAL,
       -- Extension marker: further components may follow in later
       -- versions, so a decoder must tolerate unknown trailing elements.
       ... }

   -- Identifies the kind of biometric sample either by a predefined
   -- integer code or by an arbitrary OBJECT IDENTIFIER. The alternatives
   -- are untagged and are told apart by their universal tags
   -- (INTEGER versus OBJECT IDENTIFIER).
   -- An OID that the consumer does not recognize is still a valid value
   -- of this type and has to be handled as an unknown biometric type.
   TypeOfBiometricData ::= CHOICE {
       predefinedBiometricType PredefinedBiometricType,
       biometricDataOid        OBJECT IDENTIFIER }

   -- Predefined biometric type codes: 0 = picture,
   -- 1 = handwritten-signature.
   -- The named numbers only give names to values; this definition carries
   -- no value constraint, so any INTEGER decodes successfully. Code that
   -- switches on the value needs a default branch for other integers.
   -- NOTE(review): RFC 3739 appears to restrict the type to the named
   -- values; confirm whether the restriction was dropped here on purpose.
   PredefinedBiometricType ::= INTEGER {
       picture(0), handwritten-signature(1)}


   -- QC Statements Extension
   -- NOTE: This extension does not allow to mix critical and
   -- non-critical Qualified Certificate Statements. Either all
   -- statements must be critical or all statements must be
   -- non-critical.
--
--   qcStatements  EXTENSION ::= {
--       SYNTAX        QCStatements
--       IDENTIFIED BY id-pe-qcStatements }

   -- Syntax of the qcStatements extension (see the commented-out EXTENSION
   -- assignment in this file): a list of QCStatement entries.
   -- No SIZE constraint is given. Criticality is a property of the whole
   -- extension, which is why critical and non-critical statements cannot
   -- be mixed.
   QCStatements ::= SEQUENCE OF QCStatement

   -- A single Qualified Certificate statement: an OID plus optional
   -- statement-specific content.
   QCStatement ::= SEQUENCE {
       -- Selects the meaning of the statement and the type of statementInfo.
       statementId   OBJECT IDENTIFIER,
       -- Open type. In this module it is plain ANY; the QC-STATEMENT class
       -- that would tie the content type to statementId is commented out
       -- in this file, so nothing in the schema links the two.
       -- NOTE(review): a decoder has to pick the inner type from
       -- statementId itself, keep the content opaque for OIDs it does not
       -- know, and treat a content that fails to decode as the expected
       -- type as malformed input rather than trusting it.
       statementInfo ANY OPTIONAL }

--   QC-STATEMENT ::= CLASS {
--       &id   OBJECT IDENTIFIER UNIQUE,
--       &Type OPTIONAL }
--       WITH SYNTAX {
--       [SYNTAX &Type] IDENTIFIED BY &id }

--   qcStatement-1 QC-STATEMENT ::= { SYNTAX SemanticsInformation
--       IDENTIFIED BY id-qcs-pkixQCSyntax-v1}
       --  This statement identifies conformance with requirements
       --  defined in RFC 3039 (Version 1). This statement
       --  may optionally contain additional semantics information
       --  as specified below.

--   qcStatement-2 QC-STATEMENT ::= { SYNTAX SemanticsInformation
--       IDENTIFIED BY id-qcs-pkixQCSyntax-v2}
       --  This statement identifies conformance with requirements
       --  defined in this Qualified Certificate profile
       --  (Version 2). This statement may optionally contain
       --  additional semantics information as specified below.

   -- Content type named by the commented-out qcStatement-1 and
   -- qcStatement-2 objects in this file (SYNTAX SemanticsInformation).
   -- Both components are OPTIONAL and this definition has no constraint
   -- requiring either one, so an empty SEQUENCE decodes successfully.
   -- NOTE(review): RFC 3739 appears to require at least one component to
   -- be present; if so, that check has to be made by the consumer because
   -- it is not expressed here. Confirm against the RFC text.
   SemanticsInformation ::= SEQUENCE {
       semanticsIdentifier         OBJECT IDENTIFIER OPTIONAL,
       nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL
       }

   -- List of GeneralName values (GeneralName is imported from
   -- CertificateExtensions) naming the name registration authorities.
   -- No SIZE constraint is given here, so an empty list is syntactically
   -- valid.
   -- NOTE(review): RFC 3739 appears to require at least one entry;
   -- confirm whether the lower bound was dropped on purpose.
   NameRegistrationAuthorities ::= SEQUENCE OF GeneralName

   -- The following information object set is defined to constrain the
   -- set of attributes applications are required to recognize as QCSs.
--   SupportedStatements QC-STATEMENT ::= {
--       qcStatement-1 |
--       qcStatement-2 , ... }

   END