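-- Module CertificateExtensions (X.509:08/2005)
--
-- ASN.1 syntaxes for public-key certificate and CRL extensions, the PKI
-- matching rules that operate on them, and the object identifiers assigned
-- to both. Two vendor types (Microsoft, Entrust) are appended after the
-- standard definitions.
--
-- Tagging note: the module is IMPLICIT TAGS, so a context tag replaces the
-- tag of the underlying type unless EXPLICIT is written (as it is on
-- OtherName.value).
CertificateExtensions {joint-iso-itu-t ds(5) module(1)
  certificateExtensions(26) 5} DEFINITIONS IMPLICIT TAGS ::=
BEGIN

-- EXPORTS ALL
IMPORTS
  id-at, id-ce, id-mr, informationFramework, authenticationFramework,
    selectedAttributeTypes, upperBounds
    FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
      usefulDefinitions(0) 5}
  Name, RelativeDistinguishedName, ATTRIBUTE, Attribute, MATCHING-RULE
    FROM InformationFramework informationFramework
  CertificateSerialNumber, CertificateList, AlgorithmIdentifier, EXTENSION,
    Time, PolicyID
    FROM AuthenticationFramework authenticationFramework
  DirectoryString{}
    FROM SelectedAttributeTypes selectedAttributeTypes
  ub-name
    FROM UpperBounds upperBounds
  ORAddress
    FROM MTSAbstractService {joint-iso-itu-t mhs(6) mts(3) modules(0)
      mts-abstract-service(1) version-1999(1)};

-- Unless explicitly noted otherwise, there is no significance to the ordering
-- of components of a SEQUENCE OF construct in this Specification.
-- public-key certificate and CRL extensions
authorityKeyIdentifier EXTENSION ::= {
  SYNTAX         AuthorityKeyIdentifier
  IDENTIFIED BY  id-ce-authorityKeyIdentifier
}

-- The subtype constraint requires authorityCertIssuer and
-- authorityCertSerialNumber to be both present or both absent;
-- keyIdentifier is optional independently of them.
AuthorityKeyIdentifier ::= SEQUENCE {
  keyIdentifier              [0]  KeyIdentifier OPTIONAL,
  authorityCertIssuer        [1]  GeneralNames OPTIONAL,
  authorityCertSerialNumber  [2]  CertificateSerialNumber OPTIONAL
}
(WITH COMPONENTS {
   ...,
   authorityCertIssuer        PRESENT,
   authorityCertSerialNumber  PRESENT
 } |
 WITH COMPONENTS {
   ...,
   authorityCertIssuer        ABSENT,
   authorityCertSerialNumber  ABSENT
 })

-- No SIZE bound is given here; a consumer that wants a length limit has to
-- enforce it itself.
KeyIdentifier ::= OCTET STRING

subjectKeyIdentifier EXTENSION ::= {
  SYNTAX         SubjectKeyIdentifier
  IDENTIFIED BY  id-ce-subjectKeyIdentifier
}

SubjectKeyIdentifier ::= KeyIdentifier

keyUsage EXTENSION ::= {
  SYNTAX         KeyUsage
  IDENTIFIED BY  id-ce-keyUsage
}

-- Named bits, numbered from the first (most significant) bit of the string.
KeyUsage ::= BIT STRING {
  digitalSignature(0), contentCommitment(1), keyEncipherment(2),
  dataEncipherment(3), keyAgreement(4), keyCertSign(5), cRLSign(6),
  encipherOnly(7), decipherOnly(8)}

extKeyUsage EXTENSION ::= {
  SYNTAX         SEQUENCE SIZE (1..MAX) OF KeyPurposeId
  IDENTIFIED BY  id-ce-extKeyUsage
}

KeyPurposeId ::= OBJECT IDENTIFIER

-- Not referenced by the extKeyUsage extension above, which spells its syntax
-- inline; unlike that syntax this type carries no SIZE (1..MAX) constraint,
-- so it admits an empty sequence.
KeyPurposeIDs ::= SEQUENCE OF KeyPurposeId

privateKeyUsagePeriod EXTENSION ::= {
  SYNTAX         PrivateKeyUsagePeriod
  IDENTIFIED BY  id-ce-privateKeyUsagePeriod
}

-- At least one of notBefore / notAfter has to be present.
PrivateKeyUsagePeriod ::= SEQUENCE {
  notBefore  [0]  GeneralizedTime OPTIONAL,
  notAfter   [1]  GeneralizedTime OPTIONAL
}
(WITH COMPONENTS {
   ...,
   notBefore  PRESENT
 } | WITH COMPONENTS {
   ...,
   notAfter  PRESENT
 })

certificatePolicies EXTENSION ::= {
  SYNTAX         CertificatePoliciesSyntax
  IDENTIFIED BY  id-ce-certificatePolicies
}

CertificatePoliciesSyntax ::= SEQUENCE SIZE (1..MAX) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
  policyIdentifier  CertPolicyId,
  policyQualifiers  SEQUENCE SIZE (1..MAX) OF PolicyQualifierInfo OPTIONAL
}

CertPolicyId ::= OBJECT IDENTIFIER

-- Both fields are constrained by SupportedPolicyQualifiers, which this module
-- leaves as an empty extensible set. In effect the schema names no permitted
-- qualifier, so checking qualifier ids and contents falls to the application
-- (NOTE(review): exact decoder behaviour depends on the ASN.1 tool in use).
PolicyQualifierInfo ::= SEQUENCE {
  policyQualifierId  CERT-POLICY-QUALIFIER.&id({SupportedPolicyQualifiers}),
  qualifier
    CERT-POLICY-QUALIFIER.&Qualifier
      ({SupportedPolicyQualifiers}{@policyQualifierId}) OPTIONAL
}

SupportedPolicyQualifiers CERT-POLICY-QUALIFIER ::=
  {...}

anyPolicy OBJECT IDENTIFIER ::= {2 5 29 32 0}

CERT-POLICY-QUALIFIER ::= CLASS {
  &id         OBJECT IDENTIFIER UNIQUE,
  &Qualifier  OPTIONAL
}WITH SYNTAX {POLICY-QUALIFIER-ID &id
              [QUALIFIER-TYPE &Qualifier]
}

policyMappings EXTENSION ::= {
  SYNTAX         PolicyMappingsSyntax
  IDENTIFIED BY  id-ce-policyMappings
}

PolicyMappingsSyntax ::=
  SEQUENCE SIZE (1..MAX) OF
    SEQUENCE {issuerDomainPolicy   CertPolicyId,
              subjectDomainPolicy  CertPolicyId}

subjectAltName EXTENSION ::= {
  SYNTAX         GeneralNames
  IDENTIFIED BY  id-ce-subjectAltName
}

GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName

-- rfc822Name, dNSName and uniformResourceIdentifier are unconstrained
-- IA5String and iPAddress is an unconstrained OCTET STRING. The schema
-- therefore accepts any IA5 character (control characters such as NUL
-- included) and any length; name syntax and address length have to be
-- validated by the consumer before the value is compared or displayed.
GeneralName ::= CHOICE {
  otherName                  [0]  -- INSTANCE OF OTHER-NAME-- OtherName,
  rfc822Name                 [1]  IA5String,
  dNSName                    [2]  IA5String,
  x400Address                [3]  ORAddress,
  directoryName              [4]  Name,
  ediPartyName               [5]  EDIPartyName,
  uniformResourceIdentifier  [6]  IA5String,
  iPAddress                  [7]  OCTET STRING,
  registeredID               [8]  OBJECT IDENTIFIER
}

-- OTHER-NAME ::= TYPE-IDENTIFIER

-- Replaces the commented-out INSTANCE OF OTHER-NAME form. Because the value
-- is ANY, the schema does not tie its type to type-id; a decoder has to pick
-- the value type from type-id itself.
OtherName ::= SEQUENCE {
  type-id  OtherNameType,
  value    [0] EXPLICIT OtherNameValue
}

OtherNameType ::= OBJECT IDENTIFIER
OtherNameValue ::= ANY

EDIPartyName ::= SEQUENCE {
  nameAssigner  [0]  DirectoryString{ub-name} OPTIONAL,
  partyName     [1]  DirectoryString{ub-name}
}

issuerAltName EXTENSION ::= {
  SYNTAX         GeneralNames
  IDENTIFIED BY  id-ce-issuerAltName
}

subjectDirectoryAttributes EXTENSION ::= {
  SYNTAX         AttributesSyntax
  IDENTIFIED BY  id-ce-subjectDirectoryAttributes
}

AttributesSyntax ::= SEQUENCE SIZE (1..MAX) OF Attribute

basicConstraints EXTENSION ::= {
  SYNTAX         BasicConstraintsSyntax
  IDENTIFIED BY  id-ce-basicConstraints
}

-- cA defaults to FALSE, so a value that omits the field decodes as a
-- non-CA certificate. pathLenConstraint is non-negative and has no upper
-- bound in the schema.
BasicConstraintsSyntax ::= SEQUENCE {
  cA                 BOOLEAN DEFAULT FALSE,
  pathLenConstraint  INTEGER(0..MAX) OPTIONAL
}

nameConstraints EXTENSION ::= {
  SYNTAX         NameConstraintsSyntax
  IDENTIFIED BY  id-ce-nameConstraints
}

-- NOTE(review): the ALL EXCEPT keyword in the trailing constraint is inside a
-- comment, so the "at least one component shall be present" rule appears to be
-- documentation only here. A decoder generated from this module would then
-- accept an empty SEQUENCE; confirm against the compiler in use and check the
-- rule in application code if it matters.
NameConstraintsSyntax ::= SEQUENCE {
  permittedSubtrees  [0]  GeneralSubtrees OPTIONAL,
  excludedSubtrees   [1]  GeneralSubtrees OPTIONAL
}(-- ALL EXCEPT -- ({ --none; at least one component shall be present--}))

GeneralSubtrees ::= SEQUENCE SIZE (1..MAX) OF GeneralSubtree

GeneralSubtree ::= SEQUENCE {
  base     GeneralName,
  minimum  [0]  BaseDistance DEFAULT 0,
  maximum  [1]  BaseDistance OPTIONAL
}

BaseDistance ::= INTEGER(0..MAX)

policyConstraints EXTENSION ::= {
  SYNTAX         PolicyConstraintsSyntax
  IDENTIFIED BY  id-ce-policyConstraints
}

PolicyConstraintsSyntax ::= SEQUENCE {
  requireExplicitPolicy  [0]  SkipCerts OPTIONAL,
  inhibitPolicyMapping   [1]  SkipCerts OPTIONAL
}

SkipCerts ::= INTEGER(0..MAX)

cRLNumber EXTENSION ::= {
  SYNTAX         CRLNumber
  IDENTIFIED BY  id-ce-cRLNumber
}

CRLNumber ::= INTEGER(0..MAX)

reasonCode EXTENSION ::= {
  SYNTAX         CRLReason
  IDENTIFIED BY  id-ce-reasonCode
}

-- Value 7 is not assigned. These enumerated values are not the same numbers
-- as the bit positions of ReasonFlags (privilegeWithdrawn is 9 here and bit 7
-- there; aaCompromise is 10 here and bit 8 there), so the two must not be
-- converted by plain numeric equality.
CRLReason ::= ENUMERATED {
  unspecified(0), keyCompromise(1), cACompromise(2), affiliationChanged(3),
  superseded(4), cessationOfOperation(5), certificateHold(6), removeFromCRL(8),
  privilegeWithdrawn(9), aaCompromise(10)}

-- The identifying OID is named id-ce-instructionCode, not
-- id-ce-holdInstructionCode.
holdInstructionCode EXTENSION ::= {
  SYNTAX         HoldInstruction
  IDENTIFIED BY  id-ce-instructionCode
}

HoldInstruction ::= OBJECT IDENTIFIER

invalidityDate EXTENSION ::= {
  SYNTAX         GeneralizedTime
  IDENTIFIED BY  id-ce-invalidityDate
}

crlScope EXTENSION ::= {
  SYNTAX         CRLScopeSyntax
  IDENTIFIED BY  id-ce-cRLScope
}

CRLScopeSyntax ::= SEQUENCE SIZE (1..MAX) OF PerAuthorityScope

-- Context tags 3 and 8 are not used in this SEQUENCE.
PerAuthorityScope ::= SEQUENCE {
  authorityName       [0]  GeneralName OPTIONAL,
  distributionPoint   [1]  DistributionPointName OPTIONAL,
  onlyContains        [2]  OnlyCertificateTypes OPTIONAL,
  onlySomeReasons     [4]  ReasonFlags OPTIONAL,
  serialNumberRange   [5]  NumberRange OPTIONAL,
  subjectKeyIdRange   [6]  NumberRange OPTIONAL,
  nameSubtrees        [7]  GeneralNames OPTIONAL,
  baseRevocationInfo  [9]  BaseRevocationInfo OPTIONAL
}

OnlyCertificateTypes ::= BIT STRING {user(0), authority(1), attribute(2)}

-- All three INTEGERs are unbounded and may be negative as far as the schema
-- is concerned; every component is optional.
NumberRange ::= SEQUENCE {
  startingNumber  [0]  INTEGER OPTIONAL,
  endingNumber    [1]  INTEGER OPTIONAL,
  modulus         INTEGER OPTIONAL
}

BaseRevocationInfo ::= SEQUENCE {
  cRLStreamIdentifier  [0]  CRLStreamIdentifier OPTIONAL,
  cRLNumber            [1]  CRLNumber,
  baseThisUpdate       [2]  GeneralizedTime
}

statusReferrals EXTENSION ::= {
  SYNTAX         StatusReferrals
  IDENTIFIED BY  id-ce-statusReferrals
}

StatusReferrals ::= SEQUENCE SIZE (1..MAX) OF StatusReferral

-- Only the cRLReferral alternative is active; otherReferral is commented out.
StatusReferral ::= CHOICE {
  cRLReferral  [0]  CRLReferral
-- otherReferral [1] INSTANCE OF OTHER-REFERRAL
}

CRLReferral ::= SEQUENCE {
  issuer          [0]  GeneralName OPTIONAL,
  location        [1]  GeneralName OPTIONAL,
  deltaRefInfo    [2]  DeltaRefInfo OPTIONAL,
  cRLScope        CRLScopeSyntax,
  lastUpdate      [3]  GeneralizedTime OPTIONAL,
  lastChangedCRL  [4]  GeneralizedTime OPTIONAL
}

DeltaRefInfo ::= SEQUENCE {
  deltaLocation  GeneralName,
  lastDelta      GeneralizedTime OPTIONAL
}

--OTHER-REFERRAL ::= TYPE-IDENTIFIER
--
cRLStreamIdentifier EXTENSION ::= {
  SYNTAX         CRLStreamIdentifier
  IDENTIFIED BY  id-ce-cRLStreamIdentifier
}

CRLStreamIdentifier ::= INTEGER(0..MAX)

orderedList EXTENSION ::= {
  SYNTAX         OrderedListSyntax
  IDENTIFIED BY  id-ce-orderedList
}

OrderedListSyntax ::= ENUMERATED {ascSerialNum(0), ascRevDate(1)}

deltaInfo EXTENSION ::= {
  SYNTAX         DeltaInformation
  IDENTIFIED BY  id-ce-deltaInfo
}

DeltaInformation ::= SEQUENCE {
  deltaLocation  GeneralName,
  nextDelta      GeneralizedTime OPTIONAL
}

cRLDistributionPoints EXTENSION ::= {
  SYNTAX         CRLDistPointsSyntax
  IDENTIFIED BY  id-ce-cRLDistributionPoints
}

CRLDistPointsSyntax ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint

-- Every component is optional, so an empty DistributionPoint satisfies the
-- schema; any "at least one of" rule has to be checked by the consumer.
DistributionPoint ::= SEQUENCE {
  distributionPoint  [0]  DistributionPointName OPTIONAL,
  reasons            [1]  ReasonFlags OPTIONAL,
  cRLIssuer          [2]  GeneralNames OPTIONAL
}

DistributionPointName ::= CHOICE {
  fullName                 [0]  GeneralNames,
  nameRelativeToCRLIssuer  [1]  RelativeDistinguishedName
}

-- Bit positions, not CRLReason values: bit 0 is unused, privilegeWithdrawn is
-- bit 7 and aACompromise bit 8 (CRLReason uses 9 and 10 for those reasons).
ReasonFlags ::= BIT STRING {
  unused(0), keyCompromise(1), cACompromise(2), affiliationChanged(3),
  superseded(4), cessationOfOperation(5), certificateHold(6),
  privilegeWithdrawn(7), aACompromise(8)}

issuingDistributionPoint EXTENSION ::= {
  SYNTAX         IssuingDistPointSyntax
  IDENTIFIED BY  id-ce-issuingDistributionPoint
}

IssuingDistPointSyntax ::= SEQUENCE {
  -- If onlyContainsUserPublicKeyCerts and onlyContainsCACerts are both FALSE,
  -- the CRL covers both certificate types
  distributionPoint               [0]  DistributionPointName OPTIONAL,
  onlyContainsUserPublicKeyCerts  [1]  BOOLEAN DEFAULT FALSE,
  onlyContainsCACerts             [2]  BOOLEAN DEFAULT FALSE,
  onlySomeReasons                 [3]  ReasonFlags OPTIONAL,
  indirectCRL                     [4]  BOOLEAN DEFAULT FALSE
}

certificateIssuer EXTENSION ::= {
  SYNTAX         GeneralNames
  IDENTIFIED BY  id-ce-certificateIssuer
}

deltaCRLIndicator EXTENSION ::= {
  SYNTAX         BaseCRLNumber
  IDENTIFIED BY  id-ce-deltaCRLIndicator
}

BaseCRLNumber ::= CRLNumber

toBeRevoked EXTENSION ::= {
  SYNTAX         ToBeRevokedSyntax
  IDENTIFIED BY  id-ce-toBeRevoked
}

ToBeRevokedSyntax ::= SEQUENCE SIZE (1..MAX) OF ToBeRevokedGroup

ToBeRevokedGroup ::= SEQUENCE {
  certificateIssuer  [0]  GeneralName OPTIONAL,
  reasonInfo         [1]  ReasonInfo OPTIONAL,
  revocationTime     GeneralizedTime,
  certificateGroup   CertificateGroup
}

ReasonInfo ::= SEQUENCE {
  reasonCode           CRLReason,
  holdInstructionCode  HoldInstruction OPTIONAL
}

CertificateGroup ::= CHOICE {
  serialNumbers      [0]  CertificateSerialNumbers,
  serialNumberRange  [1]  CertificateGroupNumberRange,
  nameSubtree        [2]  GeneralName
}

-- Both bounds are plain INTEGER: the schema neither limits their size nor
-- requires startingNumber to be less than or equal to endingNumber.
CertificateGroupNumberRange ::= SEQUENCE {
  startingNumber  [0]  INTEGER,
  endingNumber    [1]  INTEGER
}

CertificateSerialNumbers ::= SEQUENCE SIZE (1..MAX) OF CertificateSerialNumber

revokedGroups EXTENSION ::= {
  SYNTAX         RevokedGroupsSyntax
  IDENTIFIED BY  id-ce-RevokedGroups
}

RevokedGroupsSyntax ::= SEQUENCE SIZE (1..MAX) OF RevokedGroup

RevokedGroup ::= SEQUENCE {
  certificateIssuer        [0]  GeneralName OPTIONAL,
  reasonInfo               [1]  ReasonInfo OPTIONAL,
  invalidityDate           [2]  GeneralizedTime OPTIONAL,
  revokedcertificateGroup  [3]  RevokedCertificateGroup
}

RevokedCertificateGroup ::= CHOICE {
  serialNumberRange  NumberRange,
  nameSubtree        GeneralName
}

expiredCertsOnCRL EXTENSION ::= {
  SYNTAX         ExpiredCertsOnCRL
  IDENTIFIED BY  id-ce-expiredCertsOnCRL
}

ExpiredCertsOnCRL ::= GeneralizedTime

baseUpdateTime EXTENSION ::= {
  SYNTAX         GeneralizedTime
  IDENTIFIED BY  id-ce-baseUpdateTime
}

freshestCRL EXTENSION ::= {
  SYNTAX         CRLDistPointsSyntax
  IDENTIFIED BY  id-ce-freshestCRL
}

aAissuingDistributionPoint EXTENSION ::= {
  SYNTAX         AAIssuingDistPointSyntax
  IDENTIFIED BY  id-ce-aAissuingDistributionPoint
}

-- The three contains* flags default to TRUE, the opposite polarity of the
-- onlyContains* flags (DEFAULT FALSE) in IssuingDistPointSyntax; an omitted
-- flag here means the certificate type is covered.
AAIssuingDistPointSyntax ::= SEQUENCE {
  distributionPoint           [0]  DistributionPointName OPTIONAL,
  onlySomeReasons             [1]  ReasonFlags OPTIONAL,
  indirectCRL                 [2]  BOOLEAN DEFAULT FALSE,
  containsUserAttributeCerts  [3]  BOOLEAN DEFAULT TRUE,
  containsAACerts             [4]  BOOLEAN DEFAULT TRUE,
  containsSOAPublicKeyCerts   [5]  BOOLEAN DEFAULT TRUE
}

inhibitAnyPolicy EXTENSION ::= {
  SYNTAX         SkipCerts
  IDENTIFIED BY  id-ce-inhibitAnyPolicy
}

-- PKI matching rules
certificateExactMatch MATCHING-RULE ::= {
  SYNTAX  CertificateExactAssertion
  ID      id-mr-certificateExactMatch
}

CertificateExactAssertion ::= SEQUENCE {
  serialNumber  CertificateSerialNumber,
  issuer        Name
}

certificateMatch MATCHING-RULE ::= {
  SYNTAX  CertificateAssertion
  ID      id-mr-certificateMatch
}

-- Every component is optional and no constraint follows the SEQUENCE, so an
-- assertion with no components satisfies the schema.
CertificateAssertion ::= SEQUENCE {
  serialNumber            [0]  CertificateSerialNumber OPTIONAL,
  issuer                  [1]  Name OPTIONAL,
  subjectKeyIdentifier    [2]  SubjectKeyIdentifier OPTIONAL,
  authorityKeyIdentifier  [3]  AuthorityKeyIdentifier OPTIONAL,
  certificateValid        [4]  Time OPTIONAL,
  privateKeyValid         [5]  GeneralizedTime OPTIONAL,
  subjectPublicKeyAlgID   [6]  OBJECT IDENTIFIER OPTIONAL,
  keyUsage                [7]  KeyUsage OPTIONAL,
  subjectAltName          [8]  AltNameType OPTIONAL,
  policy                  [9]  CertPolicySet OPTIONAL,
  pathToName              [10]  Name OPTIONAL,
  subject                 [11]  Name OPTIONAL,
  nameConstraints         [12]  NameConstraintsSyntax OPTIONAL
}

AltNameType ::= CHOICE {
  builtinNameForm
    ENUMERATED {rfc822Name(1), dNSName(2), x400Address(3), directoryName(4),
                ediPartyName(5), uniformResourceIdentifier(6), iPAddress(7),
                registeredId(8)},
  otherNameForm    OBJECT IDENTIFIER
}

CertPolicySet ::= SEQUENCE SIZE (1..MAX) OF CertPolicyId

certificatePairExactMatch MATCHING-RULE ::= {
  SYNTAX  CertificatePairExactAssertion
  ID      id-mr-certificatePairExactMatch
}

-- At least one of the two assertions has to be present.
CertificatePairExactAssertion ::= SEQUENCE {
  issuedToThisCAAssertion  [0]  CertificateExactAssertion OPTIONAL,
  issuedByThisCAAssertion  [1]  CertificateExactAssertion OPTIONAL
}
(WITH COMPONENTS {
   ...,
   issuedToThisCAAssertion  PRESENT
 } | WITH COMPONENTS {
   ...,
   issuedByThisCAAssertion  PRESENT
 })

certificatePairMatch MATCHING-RULE ::= {
  SYNTAX  CertificatePairAssertion
  ID      id-mr-certificatePairMatch
}

-- At least one of the two assertions has to be present.
CertificatePairAssertion ::= SEQUENCE {
  issuedToThisCAAssertion  [0]  CertificateAssertion OPTIONAL,
  issuedByThisCAAssertion  [1]  CertificateAssertion OPTIONAL
}
(WITH COMPONENTS {
   ...,
   issuedToThisCAAssertion  PRESENT
 } | WITH COMPONENTS {
   ...,
   issuedByThisCAAssertion  PRESENT
 })

certificateListExactMatch MATCHING-RULE ::= {
  SYNTAX  CertificateListExactAssertion
  ID      id-mr-certificateListExactMatch
}

CertificateListExactAssertion ::= SEQUENCE {
  issuer             Name,
  thisUpdate         Time,
  distributionPoint  DistributionPointName OPTIONAL
}

certificateListMatch MATCHING-RULE ::= {
  SYNTAX  CertificateListAssertion
  ID      id-mr-certificateListMatch
}

CertificateListAssertion ::= SEQUENCE {
  issuer                  Name OPTIONAL,
  minCRLNumber            [0]  CRLNumber OPTIONAL,
  maxCRLNumber            [1]  CRLNumber OPTIONAL,
  reasonFlags             ReasonFlags OPTIONAL,
  dateAndTime             Time OPTIONAL,
  distributionPoint       [2]  DistributionPointName OPTIONAL,
  authorityKeyIdentifier  [3]  AuthorityKeyIdentifier OPTIONAL
}

algorithmIdentifierMatch MATCHING-RULE ::= {
  SYNTAX  AlgorithmIdentifier
  ID      id-mr-algorithmIdentifierMatch
}

policyMatch MATCHING-RULE ::= {
  SYNTAX  PolicyID
  ID      id-mr-policyMatch
}

pkiPathMatch MATCHING-RULE ::= {
  SYNTAX  PkiPathMatchSyntax
  ID      id-mr-pkiPathMatch
}

PkiPathMatchSyntax ::= SEQUENCE {
  firstIssuer  Name,
  lastSubject  Name
}

enhancedCertificateMatch MATCHING-RULE ::= {
  SYNTAX  EnhancedCertificateAssertion
  ID      id-mr-enhancedCertificateMatch
}

-- Differs from CertificateAssertion in subjectAltName (AltName instead of
-- AltNameType) and pathToName (GeneralNames instead of Name).
-- NOTE(review): as with NameConstraintsSyntax, the ALL EXCEPT keyword of the
-- trailing constraint is inside a comment, so the "at least one component"
-- rule appears not to be enforced by this module; confirm with the compiler
-- in use.
EnhancedCertificateAssertion ::= SEQUENCE {
  serialNumber            [0]  CertificateSerialNumber OPTIONAL,
  issuer                  [1]  Name OPTIONAL,
  subjectKeyIdentifier    [2]  SubjectKeyIdentifier OPTIONAL,
  authorityKeyIdentifier  [3]  AuthorityKeyIdentifier OPTIONAL,
  certificateValid        [4]  Time OPTIONAL,
  privateKeyValid         [5]  GeneralizedTime OPTIONAL,
  subjectPublicKeyAlgID   [6]  OBJECT IDENTIFIER OPTIONAL,
  keyUsage                [7]  KeyUsage OPTIONAL,
  subjectAltName          [8]  AltName OPTIONAL,
  policy                  [9]  CertPolicySet OPTIONAL,
  pathToName              [10]  GeneralNames OPTIONAL,
  subject                 [11]  Name OPTIONAL,
  nameConstraints         [12]  NameConstraintsSyntax OPTIONAL
}(--ALL EXCEPT-- ({ -- none; at least one component shall be present --}))

AltName ::= SEQUENCE {
  altnameType   AltNameType,
  altNameValue  GeneralName OPTIONAL
}

-- Object identifier assignments
id-ce-subjectDirectoryAttributes OBJECT IDENTIFIER ::= {id-ce 9}
id-ce-subjectKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 14}
id-ce-keyUsage OBJECT IDENTIFIER ::= {id-ce 15}
id-ce-privateKeyUsagePeriod OBJECT IDENTIFIER ::= {id-ce 16}
id-ce-subjectAltName OBJECT IDENTIFIER ::= {id-ce 17}
id-ce-issuerAltName OBJECT IDENTIFIER ::= {id-ce 18}
id-ce-basicConstraints OBJECT IDENTIFIER ::= {id-ce 19}
id-ce-cRLNumber OBJECT IDENTIFIER ::= {id-ce 20}
id-ce-reasonCode OBJECT IDENTIFIER ::= {id-ce 21}
id-ce-instructionCode OBJECT IDENTIFIER ::= {id-ce 23}
id-ce-invalidityDate OBJECT IDENTIFIER ::= {id-ce 24}
id-ce-deltaCRLIndicator OBJECT IDENTIFIER ::= {id-ce 27}
id-ce-issuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 28}
id-ce-certificateIssuer OBJECT IDENTIFIER ::= {id-ce 29}
id-ce-nameConstraints OBJECT IDENTIFIER ::= {id-ce 30}
id-ce-cRLDistributionPoints OBJECT IDENTIFIER ::= {id-ce 31}
id-ce-certificatePolicies OBJECT IDENTIFIER ::= {id-ce 32}
id-ce-policyMappings OBJECT IDENTIFIER ::= {id-ce 33}
-- deprecated OBJECT IDENTIFIER ::= {id-ce 34}
id-ce-authorityKeyIdentifier OBJECT IDENTIFIER ::= {id-ce 35}
id-ce-policyConstraints OBJECT IDENTIFIER ::= {id-ce 36}
id-ce-extKeyUsage OBJECT IDENTIFIER ::= {id-ce 37}
id-ce-cRLStreamIdentifier OBJECT IDENTIFIER ::= {id-ce 40}
id-ce-cRLScope OBJECT IDENTIFIER ::= {id-ce 44}
id-ce-statusReferrals OBJECT IDENTIFIER ::= {id-ce 45}
id-ce-freshestCRL OBJECT IDENTIFIER ::= {id-ce 46}
id-ce-orderedList OBJECT IDENTIFIER ::= {id-ce 47}
id-ce-baseUpdateTime OBJECT IDENTIFIER ::= {id-ce 51}
id-ce-deltaInfo OBJECT IDENTIFIER ::= {id-ce 53}
id-ce-inhibitAnyPolicy OBJECT IDENTIFIER ::= {id-ce 54}
id-ce-toBeRevoked OBJECT IDENTIFIER ::= {id-ce 58}
id-ce-RevokedGroups OBJECT IDENTIFIER ::= {id-ce 59}
id-ce-expiredCertsOnCRL OBJECT IDENTIFIER ::= {id-ce 60}
id-ce-aAissuingDistributionPoint OBJECT IDENTIFIER ::= {id-ce 63}

-- matching rule OIDs
id-mr-certificateExactMatch OBJECT IDENTIFIER ::= {id-mr 34}
id-mr-certificateMatch OBJECT IDENTIFIER ::= {id-mr 35}
id-mr-certificatePairExactMatch OBJECT IDENTIFIER ::= {id-mr 36}
id-mr-certificatePairMatch OBJECT IDENTIFIER ::= {id-mr 37}
id-mr-certificateListExactMatch OBJECT IDENTIFIER ::= {id-mr 38}
id-mr-certificateListMatch OBJECT IDENTIFIER ::= {id-mr 39}
id-mr-algorithmIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 40}
id-mr-policyMatch OBJECT IDENTIFIER ::= {id-mr 60}
id-mr-pkiPathMatch OBJECT IDENTIFIER ::= {id-mr 62}
id-mr-enhancedCertificateMatch OBJECT IDENTIFIER ::= {id-mr 65}

-- The following OBJECT IDENTIFIERS are not used by this Specification:
-- {id-ce 2}, {id-ce 3}, {id-ce 4}, {id-ce 5}, {id-ce 6}, {id-ce 7},
-- {id-ce 8}, {id-ce 10}, {id-ce 11}, {id-ce 12}, {id-ce 13},
-- {id-ce 22}, {id-ce 25}, {id-ce 26}

-- Microsoft Certificate Extension
-- Vendor addition to the standard module. No EXTENSION object or object
-- identifier is defined for it here, so the identifying OID has to come from
-- elsewhere. Both version INTEGERs are unbounded in this schema.

CertificateTemplate ::= SEQUENCE {
  templateID            OBJECT IDENTIFIER,
  templateMajorVersion  INTEGER,
  templateMinorVersion  INTEGER OPTIONAL
}

-- Entrust Certificate Extension
-- Vendor addition to the standard module; as above, no EXTENSION object or
-- object identifier is defined for it here.

EntrustVersionInfo ::= SEQUENCE {
  entrustVers           GeneralString,
  entrustVersInfoFlags  EntrustInfoFlags OPTIONAL
}

EntrustInfoFlags ::= BIT STRING {
  keyUpdateAllowed(0),
  newExtensions(1),
  pKIXCertificate(2),
  enterpriseCategory(3),
  webCategory(4),
  sETCategory(5)
}

END

-- Generated by Asnp, the ASN.1 pretty-printer of France Telecom R&D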