| blob | fff6c8a9ad198d9646b39617bf81eda8467a1034 |
1 -- from pkisv10.pdf
2 -- you can find this document at https://web.archive.org/web/19990224174228/http://www.developer.novell.com/repository/attributes/certattrs_v10.htm
4 PKIS { joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719) } DEFINITIONS IMPLICIT TAGS ::=
5 BEGIN
7 -- ASN.1 Definition of Useful Attributes
9 -- The following are useful Novell OIDs, etc.
10 novell OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719)}
11 applications OBJECT IDENTIFIER ::= {novell applications(1) }
12 pki OBJECT IDENTIFIER ::= {applications pki(9) }
13 pkiAttributeType OBJECT IDENTIFIER ::= {pki at(4) }
14 pkiAttributeSyntax OBJECT IDENTIFIER ::= {pki at(5) }
15 pkiObjectClass OBJECT IDENTIFIER ::= {pki at(6) }
17 -- The following unique PKI attributes are hereby defined under the novell applications pki arc:
18 pa-sa OBJECT IDENTIFIER ::= { pkiAttributeType (1) }
19 -- securityAttributes
20 -- 2.16.840.113719.1.9.4.1
22 pa-rl OBJECT IDENTIFIER ::= { pkiAttributeType (2) }
23 -- relianceLimit
24 -- 2.16.840.113719.1.9.4.2
26 SecurityAttributes ::= SEQUENCE {
27 versionNumber OCTET STRING (SIZE (2)),
28 -- The initial value should be (01 00)
29 -- The first octet is the major version,
30 -- the second octet is the minor version number.
31 nSI BOOLEAN (TRUE),
32 -- NSI = “Nonverified Subscriber Information”
33 -- If FALSE, it means that the CA issuing
34 -- a certificate HAS verified the validity
35 -- of ALL of the values contained
36 -- within the Novell Security Attributes
37 -- using appropriate means as defined
38 -- for example in their Certificate Policy
39 -- and/or Certificate Practice Statement
40 -- If TRUE, it means that the subscriber
41 -- requesting the certificate has represented
42 -- to the CA that the extension defined
43 -- is valid and correct, but that the CA
44 -- has not independently validated the accuracy
45 -- of the attribute. Note that in no case may
46 -- the CA issue a certificate containing an
47 -- extension which it has reason to
48 -- believe is not accurate at the time of
49 -- issuance, except for test certificates
50 -- which are identified as such in the
51 -- Certificate class attribute (by setting
52 -- the certificateValid flag to FALSE.)
53 securityTM PrintableString ("Novell Security Attribute(tm)"),
54 -- Note: Since the “Novell Security
55 -- Attribute(tm)” string is trademarked, if
56 -- it is displayed visually to the user it
57 -- must be presented exactly as shown,
58 -- in English, even in non-English
59 -- implementations. A translation of the
60 -- phrase may be displayed to the user
61 -- in addition, if desired.
62 -- Vendors who license the use of the term
63 -- must agree to check for the presence of
64 -- this string in any attribute defined (by its
65 -- OID) as a Novell Security attribute
66 uriReference IA5String,
67 -- The initial value should be set to (“http://developer.novell.com/repository/attributes/certattrs_v10.htm”),
68 -- This attribute will be included in all
69 -- NICI and PKIS certificates.
70 -- Novell will maintain a copy of this
71 -- document or other suitable definition
72 -- at that location.
73 gLBExtensions GLBExtensions
74 }
76 GLBExtensions::=SEQUENCE{
77 -- These are the extensions over which the
78 -- Greatest Lower Bound is computed within NICI.
79 keyQuality [0] IMPLICIT KeyQuality,
80 cryptoProcessQuality [1] IMPLICIT CryptoProcessQuality,
81 certificateClass [2] IMPLICIT CertificateClass,
82 enterpriseId [3] IMPLICIT EnterpriseId
83 }
85 -- ASN.1 Definitions of Key Quality and Crypto Process Quality Attributes:
86 KeyQuality ::= Quality
87 CryptoProcessQuality ::= Quality
89 Quality ::= SEQUENCE {
90 enforceQuality BOOLEAN,
91 -- If TRUE, the explicit attributes compusecQuality,
92 -- cryptoQuality, and keyStorageQuality, plus the
93 -- implicit attributes algorithmType and keyLength
94 -- are either enforced at all times, or a dynamic low
95 -- water mark (Greatest Lower Bound)may be maintained.
96 -- I.e., if enforceQuality is TRUE for the
97 -- keyQuality attribute, the key must never be
98 -- allowed to be transported to and/or used on any
99 -- platform that does not meet the minimum
100 -- criteria, and hence enforceQuality must be TRUE for
101 -- the cryptoProcessQuality as well
102 -- If enforceQuality is FALSE for keyQuality, but
103 -- TRUE for cryptoProcessQuality, then the
104 -- operating system has not enforced the criteria
105 -- in any technical sense, but the subscriber
106 -- is nonetheless representing that the minimum
107 -- criteria will be maintained,
108 -- e.g., by manual or procedural controls.
109 -- For PKIS and NICI versions 1.0, enforceQuality
110 -- must be set to FALSE in the keyQuality attribute.
111 compusecQuality CompusecQuality,
112 cryptoQuality CryptoQuality,
113 keyStorageQuality INTEGER (0..255) -- See definitions in Appendix C
114 }
116 CompusecQuality ::= SEQUENCE SIZE (1..1)
117 OF CompusecQualityPair
118 -- Multiple pairs of {Criteria, Rating} are allowed
119 -- In the first release, only one pair(TCSEC criteria)is provided
121 CompusecQualityPair ::= SEQUENCE {
122 compusecCriteria INTEGER(0..255),
123 -- The default should be 1, but DEFAULT implies OPTIONAL, which
124 -- is not the intent. So the value has to be coded explicitly.
125 -- 0= Reserved (encoding error)
126 -- 1= Trusted Computer Security Evaluation Criteria (TCSEC)
127 -- 2= International Trusted Security Evaluation Criteria (ITSEC)
128 -- 3= Common Criteria
129 -- all others reserved
130 compusecRating INTEGER (0..255)
131 -- the compusecRating is in accordance with the specified
132 -- compusecCriteria for each pair in the sequence
133 -- Defined values for ratings for components and systems formally
134 -- evaluated in accordance with the Trusted Computer Security
135 -- Evaluation Criteria and the Trusted Network Interpretation
136 -- (Red Book) are provided in Appendix A.
137 }
139 CryptoQuality ::= SEQUENCE SIZE (1..1)
140 OF CryptoQualityPair
141 -- Multiple pairs of {Criteria, Rating} are allowed.
142 -- In the initial release, only one pair is provided.
144 CryptoQualityPair ::= SEQUENCE {
145 cryptoModuleCriteria INTEGER(0..255),
146 -- The default should be 1, but DEFAULT implies OPTIONAL, which
147 -- is not the intent. So the value has to be coded explicitly.
148 -- 1 = FIPS 140-1
149 -- all others reserved
150 cryptoModuleRating INTEGER (0..255)
151 -- the cryptoModuleRating value is in accordance with
152 -- the specified cryptoModuleCriteria for each pair
153 -- FIPS 140-1 ratings definitions:
154 -- 0 = Reserved (encoding error)
155 -- 1 = unevaluated/unknown,
156 -- all others—see Appendix B
157 }
159 -- ASN.1 Definition of Certificate Class Attribute:
161 CertificateClass ::= SEQUENCE {
162 classValue INTEGER (0..255),
163 -- Defined class values are contained in Appendix C
164 certificateValid BOOLEAN
165 -- The default should be true, but DEFAULT is OPTIONAL
166 -- which would make the GLB computation awkward.
167 -- See Section 5 and the footnote for a discussion.
168 }
170 -- ASN.1 Definition of Enterprise Identifier Attribute:
172 EnterpriseId ::= SEQUENCE {
173 rootLabel [0] IMPLICIT SecurityLabelType1,
174 registryLabel [1] IMPLICIT SecurityLabelType1,
175 enterpriseLabel [2] IMPLICIT SEQUENCE SIZE (1..1) OF SecurityLabelType1
176 }
178 SecurityLabelType1 ::= SEQUENCE {
179 labelType1 INTEGER (0..255),
180 -- The default should be 2, but DEFAULT implies OPTIONAL, which
181 -- is not the intent. So the value has to be coded explicitly.
182 -- Note that the label type for Version 1
183 -- of Graded Authentication is 0 or 1.
184 -- Byte sizes and reserved fields are omitted,
185 -- because they are derivable from the ASN.1.
186 secrecyLevel1 INTEGER (0..255),
187 -- The default should be 0, but DEFAULT implies OPTIONAL, which
188 -- is not the intent. So the value has to be coded explicitly.
189 -- 0 = low secrecy, 255 = high secrecy
190 -- It seems highly unlikely anyone would ever
191 -- need more than 255 secrecy levels
192 integrityLevel1 INTEGER (0..255),
193 -- The default should be 0, but DEFAULT implies OPTIONAL, which
194 -- is not the intent. So the value has to be coded explicitly.
195 -- NOTE! 255 = low integrity, 0 = high integrity!
196 -- It seems highly unlikely anyone would ever
197 -- need more than 255 integrity levels
198 secrecyCategories1 BIT STRING (SIZE(96)),
199 -- The default should be FALSE, but DEFAULT implies OPTIONAL,
200 -- which is not the intent. So the value has to be coded
201 -- explicitly.
202 -- 96 secrecy categories, 0 origin indexing
203 integrityCategories1 BIT STRING (SIZE(64)),
204 -- The default should be FALSE, but DEFAULT implies OPTIONAL,
205 -- which is not the intent. So the value has to be coded
206 -- explicitly.
207 -- 64 integrity categories, 0 origin indexing
208 secrecySingletons1 Singletons,
209 integritySingletons1 Singletons
210 }
212 -- (removed the unused definition of SecurityLabelType2)
214 Singletons ::= SEQUENCE SIZE (1..16) OF SingletonChoice
215 -- Presently up to 16 singletons or singleton ranges
216 -- can be defined within one security label. This
217 -- is completely arbitrary and can be easily changed,
218 -- but it seems reasonable. Note that no more space
219 -- is taken in the ASN.1 DER encoding than is actually
220 -- required.
222 SingletonChoice ::= CHOICE {
223 uniqueSingleton INTEGER (0..9223372036854775807),
224 -- The implied value of the singleton being
225 -- specified in this case is TRUE.
226 -- Note that there isn’t any way to set a
227 -- singleton value to FALSE, except by using the
228 -- SingletonRange functions with identical lower
229 -- and upper bounds.
230 singletonRange SingletonRange
231 }
233 SingletonRange ::= SEQUENCE {
234 singletonLowerBound INTEGER (0..9223372036854775807),
235 -- The default should be 0, but DEFAULT implies OPTIONAL,
236 -- which is not the intent. So the value has to be coded
237 -- explicitly.
238 -- Lower bound of a range of singletons
239 -- to be set to the singletonValue specified
241 singletonUpperBound INTEGER (0..9223372036854775807),
242 -- The default should be 9223372036854775807,
243 -- but DEFAULT implies OPTIONAL,
244 -- which is not the intent. So the value has to be coded
245 -- explicitly.
246 -- Upper bound of a range of singletons
247 -- to be set to the singletonValue specified
248 singletonValue BOOLEAN
249 -- An entire range of singletons can be set to
250 -- either TRUE or FALSE.
251 -- Note that singletonRanges are allowed to overlap,
252 -- and in particular that a uniqueSingleton can
253 -- reset a singleton value already set by a
254 -- singletonRange, and vice versa.
255 -- The uniqueSingleton and singletonRanges are applied
256 -- consecutively, from the lower bound of SEQUENCE (1)
257 -- to the upper bound.
258 }
260 -- ASN.1 Definition of Reliance Limit Attribute:
262 -- relianceLimits EXTENSION ::= { SYNTAX RelianceLimits IDENTIFIED BY {pa-rl) }
263 -- 2.16.840.113719.1.9.4.2
265 RelianceLimits ::= SEQUENCE {
266 perTransactionLimit MonetaryValue,
267 perCertificateLimit MonetaryValue
268 }
270 MonetaryValue ::= SEQUENCE { -- from SET and draft ANSI X9.45
271 currency Currency,
272 amount INTEGER, -- value is amount * (10 ** amtExp10), an exact representation
273 amtExp10 INTEGER
274 }
276 Currency ::= INTEGER (1..999)
277 -- currency denomination from ISO 4217
278 -- cf. Appendix E for the numeric currency codes and their
279 -- alphabetic (display) equivalents.
280 -- US Dollar (USD) is 840.
281 -- Euro (EUR) is 978.
283 END