-- from pkisv10.pdf
-- you can find this document at https://web.archive.org/web/19990224174228/http://www.developer.novell.com/repository/attributes/certattrs_v10.htm

PKIS { joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719) } DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- ASN.1 Definition of Useful Attributes

-- The following are useful Novell OIDs, etc.
-- The module default is IMPLICIT tagging (see the DEFINITIONS clause
-- above), so the [n] IMPLICIT markers on components below merely
-- restate that default.
novell OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719)}
 -- 2.16.840.113719
applications OBJECT IDENTIFIER ::= {novell applications(1) }
pki OBJECT IDENTIFIER ::= {applications pki(9) }
 -- 2.16.840.113719.1.9
pkiAttributeType OBJECT IDENTIFIER ::= {pki at(4) }
 -- Parent arc of the two extension OIDs (pa-sa, pa-rl) defined below.
pkiAttributeSyntax OBJECT IDENTIFIER ::= {pki at(5) }
pkiObjectClass OBJECT IDENTIFIER ::= {pki at(6) }
 -- NOTE(review): pkiAttributeSyntax and pkiObjectClass are not
 -- referenced anywhere else in this module; only pkiAttributeType is.

-- The following unique PKI attributes are hereby defined under the novell applications pki arc:
pa-sa OBJECT IDENTIFIER ::= { pkiAttributeType (1) }
 -- securityAttributes
 -- 2.16.840.113719.1.9.4.1
 -- Certificate extension OID whose syntax is the SecurityAttributes
 -- type defined below.

pa-rl OBJECT IDENTIFIER ::= { pkiAttributeType (2) }
 -- relianceLimit
 -- 2.16.840.113719.1.9.4.2
 -- Certificate extension OID whose syntax is the RelianceLimits
 -- type defined below (see the commented-out EXTENSION object there).

-- Syntax of the securityAttributes (pa-sa) certificate extension.
-- Every component is mandatory: nothing here is OPTIONAL or DEFAULT,
-- so an encoder must emit all five in this order.
SecurityAttributes ::= SEQUENCE {
 versionNumber OCTET STRING (SIZE (2)),
  -- The initial value should be (01 00)
  -- The first octet is the major version,
  -- the second octet is the minor version number.
 nSI BOOLEAN (TRUE),
  -- NSI = “Nonverified Subscriber Information”
  -- If FALSE, it means that the CA issuing
  -- a certificate HAS verified the validity
  -- of ALL of the values contained
  -- within the Novell Security Attributes
  -- using appropriate means as defined
  -- for example in their Certificate Policy
  -- and/or Certificate Practice Statement
  -- If TRUE, it means that the subscriber
  -- requesting the certificate has represented
  -- to the CA that the extension defined
  -- is valid and correct, but that the CA
  -- has not independently validated the accuracy
  -- of the attribute. Note that in no case may
  -- the CA issue a certificate containing an
  -- extension which it has reason to
  -- believe is not accurate at the time of
  -- issuance, except for test certificates
  -- which are identified as such in the
  -- Certificate class attribute (by setting
  -- the certificateValid flag to FALSE.)
  -- NOTE(review): the subtype constraint (TRUE) on this component
  -- admits only the value TRUE, so a certificate conforming to this
  -- module always carries subscriber asserted, not CA verified,
  -- security attributes; the FALSE case described above is not
  -- expressible with this syntax. A relying party should therefore
  -- not treat any value in gLBExtensions as CA verified on the
  -- strength of this extension alone.
 securityTM PrintableString ("Novell Security Attribute(tm)"),
  -- Note: Since the “Novell Security
  -- Attribute(tm)” string is trademarked, if
  -- it is displayed visually to the user it
  -- must be presented exactly as shown,
  -- in English, even in non-English
  -- implementations. A translation of the
  -- phrase may be displayed to the user
  -- in addition, if desired.
  -- Vendors who license the use of the term
  -- must agree to check for the presence of
  -- this string in any attribute defined (by its
  -- OID) as a Novell Security attribute
  -- The single-value constraint means the only conforming value is
  -- exactly this string; the presence check should be a byte for
  -- byte, case sensitive comparison.
 uriReference IA5String,
  -- The initial value should be set to (“http://developer.novell.com/repository/attributes/certattrs_v10.htm”),
  -- This attribute will be included in all
  -- NICI and PKIS certificates.
  -- Novell will maintain a copy of this
  -- document or other suitable definition
  -- at that location.
  -- NOTE(review): this IA5String carries no length constraint and
  -- nothing in this module ties its content to the certificate.
  -- Treat it as informational text to display, not as a trusted
  -- location from which to fetch policy automatically.
 gLBExtensions GLBExtensions
  -- The four quality/class/identity values over which the
  -- Greatest Lower Bound is computed (see GLBExtensions).
}

-- All four components are mandatory and carry context tags [0]..[3].
GLBExtensions::=SEQUENCE{
  -- These are the extensions over which the
  -- Greatest Lower Bound is computed within NICI.
 keyQuality [0] IMPLICIT KeyQuality,
 cryptoProcessQuality [1] IMPLICIT CryptoProcessQuality,
  -- keyQuality and cryptoProcessQuality share the Quality syntax;
  -- only the context tag distinguishes them on the wire.
 certificateClass [2] IMPLICIT CertificateClass,
 enterpriseId [3] IMPLICIT EnterpriseId
}

-- ASN.1 Definitions of Key Quality and Crypto Process Quality Attributes:
KeyQuality ::= Quality
-- Same syntax as KeyQuality; the two are told apart only by their
-- context tag and position within GLBExtensions.
CryptoProcessQuality ::= Quality

-- Common syntax for KeyQuality and CryptoProcessQuality.
Quality ::= SEQUENCE {
 enforceQuality BOOLEAN,
  -- If TRUE, the explicit attributes compusecQuality,
  -- cryptoQuality, and keyStorageQuality, plus the
  -- implicit attributes algorithmType and keyLength
  -- are either enforced at all times, or a dynamic low
  -- water mark (Greatest Lower Bound)may be maintained.
  -- I.e., if enforceQuality is TRUE for the
  -- keyQuality attribute, the key must never be
  -- allowed to be transported to and/or used on any
  -- platform that does not meet the minimum
  -- criteria, and hence enforceQuality must be TRUE for
  -- the cryptoProcessQuality as well
  -- If enforceQuality is FALSE for keyQuality, but
  -- TRUE for cryptoProcessQuality, then the
  -- operating system has not enforced the criteria
  -- in any technical sense, but the subscriber
  -- is nonetheless representing that the minimum
  -- criteria will be maintained,
  -- e.g., by manual or procedural controls.
  -- For PKIS and NICI versions 1.0, enforceQuality
  -- must be set to FALSE in the keyQuality attribute.
  -- NOTE(review): the two rules above (keyQuality TRUE implies
  -- cryptoProcessQuality TRUE; version 1.0 requires FALSE in
  -- keyQuality) relate different components of GLBExtensions and
  -- cannot be expressed in this syntax, so a decoder will accept
  -- encodings that violate them. A validator must check them itself.
 compusecQuality     CompusecQuality,
 cryptoQuality       CryptoQuality,
 keyStorageQuality   INTEGER (0..255) -- See definitions in Appendix C
}

CompusecQuality ::= SEQUENCE SIZE (1..1)
                    OF CompusecQualityPair
  -- Multiple pairs of {Criteria, Rating} are allowed
  -- In the first release, only one pair(TCSEC criteria)is provided
  -- NOTE(review): as constrained here, SIZE (1..1), exactly one pair
  -- is admitted; the text above describes intended future
  -- extensibility, not the current syntax.

-- One {criteria, rating} pair describing the computer security
-- evaluation of the platform.
CompusecQualityPair ::= SEQUENCE {
 compusecCriteria INTEGER(0..255),
  -- The default should be 1, but DEFAULT implies OPTIONAL, which
  -- is not the intent. So the value has to be coded explicitly.
  -- 0= Reserved (encoding error)
  -- 1= Trusted Computer Security Evaluation Criteria (TCSEC)
  -- 2= International Trusted Security Evaluation Criteria (ITSEC)
  -- 3= Common Criteria
  -- all others reserved
  -- The range constraint (0..255) still admits 0, so a validator
  -- that wants to treat 0 as an encoding error must check for it
  -- explicitly.
 compusecRating INTEGER (0..255)
  -- the compusecRating is in accordance with the specified
  -- compusecCriteria for each pair in the sequence
  -- Defined values for ratings for components and systems formally
  -- evaluated in accordance with the Trusted Computer Security
  -- Evaluation Criteria and the Trusted Network Interpretation
  -- (Red Book) are provided in Appendix A.
  -- The meaning of a rating value depends on compusecCriteria; the
  -- two fields must be interpreted together.
}

CryptoQuality ::= SEQUENCE SIZE (1..1)
                  OF CryptoQualityPair
  -- Multiple pairs of {Criteria, Rating} are allowed.
  -- In the initial release, only one pair is provided.
  -- NOTE(review): as constrained here, SIZE (1..1), exactly one pair
  -- is admitted; the text above describes intended future
  -- extensibility, not the current syntax.

-- One {criteria, rating} pair describing the cryptographic module
-- evaluation.
CryptoQualityPair ::= SEQUENCE {
 cryptoModuleCriteria INTEGER(0..255),
  -- The default should be 1, but DEFAULT implies OPTIONAL, which
  -- is not the intent. So the value has to be coded explicitly.
  -- 1 = FIPS 140-1
  -- all others reserved
 cryptoModuleRating INTEGER (0..255)
  -- the cryptoModuleRating value is in accordance with
  -- the specified cryptoModuleCriteria for each pair
  -- FIPS 140-1 ratings definitions:
  -- 0 = Reserved (encoding error)
  -- 1 = unevaluated/unknown,
  -- all others—see Appendix B
  -- The range constraint (0..255) still admits 0, so a validator
  -- that wants to treat 0 as an encoding error must check for it
  -- explicitly. A rating of 1 asserts nothing about the module.
}

-- ASN.1 Definition of Certificate Class Attribute:

CertificateClass ::= SEQUENCE {
 classValue       INTEGER (0..255),
  -- Defined class values are contained in Appendix C
 certificateValid       BOOLEAN
  -- The default should be true, but DEFAULT is OPTIONAL
  -- which would make the GLB computation awkward.
  -- See Section 5 and the footnote for a discussion.
  -- Per the nSI commentary in SecurityAttributes, FALSE here
  -- identifies a test certificate, the one case in which a CA may
  -- issue attributes it believes inaccurate. NOTE(review): a relying
  -- party should presumably refuse to rely on such a certificate;
  -- confirm against Section 5 of the specification.
}

-- ASN.1 Definition of Enterprise Identifier Attribute:

-- Three security labels identifying the issuing enterprise; all are
-- mandatory and use the same SecurityLabelType1 syntax.
EnterpriseId ::= SEQUENCE {
 rootLabel [0] IMPLICIT SecurityLabelType1,
 registryLabel [1] IMPLICIT SecurityLabelType1,
 enterpriseLabel [2] IMPLICIT SEQUENCE SIZE (1..1) OF SecurityLabelType1
  -- Declared as SEQUENCE OF but constrained to exactly one element.
}

-- Version 1 security label: a secrecy level and an integrity level,
-- each with a fixed-size category bit map and a list of singletons.
SecurityLabelType1 ::= SEQUENCE {
 labelType1 INTEGER (0..255),
  -- The default should be 2, but DEFAULT implies OPTIONAL, which
  -- is not the intent. So the value has to be coded explicitly.
  -- Note that the label type for Version 1
  -- of Graded Authentication is 0 or 1.
  -- Byte sizes and reserved fields are omitted,
  -- because they are derivable from the ASN.1.
 secrecyLevel1 INTEGER (0..255),
  -- The default should be 0, but DEFAULT implies OPTIONAL, which
  -- is not the intent. So the value has to be coded explicitly.
  -- 0 = low secrecy, 255 = high secrecy
  -- It seems highly unlikely anyone would ever
  -- need more than 255 secrecy levels
 integrityLevel1      INTEGER (0..255),
  -- The default should be 0, but DEFAULT implies OPTIONAL, which
  -- is not the intent. So the value has to be coded explicitly.
  -- NOTE! 255 = low integrity, 0 = high integrity!
  -- It seems highly unlikely anyone would ever
  -- need more than 255 integrity levels
  -- NOTE(review): the integrity ordering is the inverse of the
  -- secrecy ordering above, so any comparison or GLB computation
  -- must use the opposite direction for this field; a naive
  -- numeric minimum would pick the HIGHEST integrity, not the lowest.
 secrecyCategories1   BIT STRING (SIZE(96)),
  -- The default should be FALSE, but DEFAULT implies OPTIONAL,
  -- which is not the intent. So the value has to be coded
  -- explicitly.
  -- 96 secrecy categories, 0 origin indexing
  -- Fixed at exactly 96 bits (12 octets, no unused bits).
 integrityCategories1 BIT STRING (SIZE(64)),
  -- The default should be FALSE, but DEFAULT implies OPTIONAL,
  -- which is not the intent. So the value has to be coded
  -- explicitly.
  -- 64 integrity categories, 0 origin indexing
  -- Fixed at exactly 64 bits (8 octets, no unused bits).
 secrecySingletons1 Singletons,
 integritySingletons1 Singletons
  -- Both singleton lists are mandatory and hold 1..16 entries each.
}

-- (removed the unused definition of SecurityLabelType2)

-- Ordered list of 1..16 singleton assignments; entries are applied in
-- sequence order, later entries overriding earlier ones (see
-- SingletonRange).
Singletons ::= SEQUENCE SIZE (1..16) OF SingletonChoice
  -- Presently up to 16 singletons or singleton ranges
  -- can be defined within one security label. This
  -- is completely arbitrary and can be easily changed,
  -- but it seems reasonable. Note that no more space
  -- is taken in the ASN.1 DER encoding than is actually
  -- required.

-- Either a single singleton index (implicitly set TRUE) or a range.
-- The alternatives are distinguished by their universal tags
-- (INTEGER versus SEQUENCE), so no context tags are needed.
SingletonChoice ::= CHOICE {
 uniqueSingleton     INTEGER (0..9223372036854775807),
  -- The implied value of the singleton being
  -- specified in this case is TRUE.
  -- Note that there isn’t any way to set a
  -- singleton value to FALSE, except by using the
  -- SingletonRange functions with identical lower
  -- and upper bounds.
  -- NOTE(review): the upper bound is the largest signed 64 bit
  -- value, so a decoder needs a 64 bit (or wider) integer; an
  -- encoded value above it is non-conforming and should be
  -- rejected rather than silently truncated.
 singletonRange      SingletonRange
}

-- Sets every singleton in [singletonLowerBound, singletonUpperBound]
-- to singletonValue.
SingletonRange ::= SEQUENCE {
 singletonLowerBound INTEGER (0..9223372036854775807),
  -- The default should be 0, but DEFAULT implies OPTIONAL,
  -- which is not the intent. So the value has to be coded
  -- explicitly.
  -- Lower bound of a range of singletons
  -- to be set to the singletonValue specified

 singletonUpperBound INTEGER (0..9223372036854775807),
  -- The default should be 9223372036854775807,
  -- but DEFAULT implies OPTIONAL,
  -- which is not the intent. So the value has to be coded
  -- explicitly.
  -- Upper bound of a range of singletons
  -- to be set to the singletonValue specified
  -- NOTE(review): the syntax does not require
  -- singletonLowerBound <= singletonUpperBound, and both bounds
  -- need a 64 bit integer type. An application applying ranges
  -- must check the ordering itself and decide how an inverted
  -- range is treated, since the decoder will accept it.
 singletonValue BOOLEAN
  -- An entire range of singletons can be set to
  -- either TRUE or FALSE.
  -- Note that singletonRanges are allowed to overlap,
  -- and in particular that a uniqueSingleton can
  -- reset a singleton value already set by a
  -- singletonRange, and vice versa.
  -- The uniqueSingleton and singletonRanges are applied
  -- consecutively, from the lower bound of SEQUENCE (1)
  -- to the upper bound.
  -- I.e. the last entry in the Singletons list that covers a given
  -- index determines its final value.
}

-- ASN.1 Definition of Reliance Limit Attribute:

-- relianceLimits EXTENSION ::= { SYNTAX RelianceLimits IDENTIFIED BY {pa-rl} }
-- 2.16.840.113719.1.9.4.2

-- Syntax of the relianceLimit (pa-rl) certificate extension: the
-- monetary amount a relying party may rely on per transaction and
-- per certificate. Both limits are mandatory.
RelianceLimits ::= SEQUENCE {
 perTransactionLimit MonetaryValue,
 perCertificateLimit MonetaryValue
}

MonetaryValue ::= SEQUENCE { -- from SET and draft ANSI X9.45
 currency Currency,
 amount INTEGER, -- value is amount * (10 ** amtExp10), an exact representation
 amtExp10 INTEGER
  -- NOTE(review): neither amount nor amtExp10 is range constrained,
  -- and amount is not restricted to be non-negative. A relying party
  -- evaluating a reliance limit should compute amount * 10^amtExp10
  -- with exact (arbitrary precision or decimal) arithmetic and
  -- reject values it cannot represent, rather than evaluating it in
  -- a fixed width integer or a binary float where a large exponent
  -- or amount silently overflows or loses precision.
}

Currency ::= INTEGER (1..999)
-- currency denomination from ISO 4217
-- cf. Appendix E for the numeric currency codes and their
-- alphabetic (display) equivalents.
-- US Dollar (USD) is 840.
-- Euro (EUR) is 978.
-- The constraint excludes 0 and values above 999; a numeric code not
-- assigned by ISO 4217 is still syntactically valid and must be
-- handled by the application.

END