summaryrefslogtreecommitdiff
path: root/doc/rfc/rfc2985.txt
diff options
context:
space:
mode:
Diffstat (limited to 'doc/rfc/rfc2985.txt')
-rw-r--r--doc/rfc/rfc2985.txt2355
1 files changed, 2355 insertions, 0 deletions
diff --git a/doc/rfc/rfc2985.txt b/doc/rfc/rfc2985.txt
new file mode 100644
index 0000000..bf9fd84
--- /dev/null
+++ b/doc/rfc/rfc2985.txt
@@ -0,0 +1,2355 @@
+
+
+
+
+
+
+Network Working Group M. Nystrom
+Request for Comments: 2985 B. Kaliski
+Category: Informational RSA Security
+ November 2000
+
+
+ PKCS #9: Selected Object Classes and Attribute Types
+ Version 2.0
+
+Status of this Memo
+
+ This memo provides information for the Internet community. It does
+ not specify an Internet standard of any kind. Distribution of this
+ memo is unlimited.
+
+Copyright Notice
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+Abstract
+
+ This memo represents a republication of PKCS #9 v2.0 from RSA
+ Laboratories' Public-Key Cryptography Standards (PKCS) series, and
+ change control is retained within the PKCS process. The body of this
+ document, except for the security considerations section, is taken
+ directly from that specification.
+
+ This memo provides a selection of object classes and attribute types
+ for use in conjunction with public-key cryptography and Lightweight
+ Directory Access Protocol (LDAP) accessible directories. It also
+ includes ASN.1 syntax for all constructs.
+
+Table of Contents
+
+ 1. Introduction ................................................. 2
+ 2. Definitions, notation and document convention ................ 2
+ 2.1 Definitions ................................................. 2
+ 2.2 Notation and document convention ............................ 3
+ 3. Overview ..................................................... 4
+ 4. Auxiliary object classes ..................................... 5
+ 4.1 The "pkcsEntity" auxiliary object class ..................... 5
+ 4.2 The "naturalPerson" auxiliary object class .................. 6
+ 5. Selected attribute types ..................................... 6
+ 5.1 Attribute types for use with the "pkcsEntity" object class .. 6
+ 5.2 Attribute types for use with the "naturalPerson" object class 7
+ 5.3 Attribute types for use in PKCS #7 data .................... 12
+ 5.4 Attribute types for use in PKCS #10 certificate requests ... 16
+
+
+
+
+Nystrom & Kaliski Informational [Page 1]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ 5.5 Attribute types for use in PKCS #12 "PFX" PDUs or PKCS #15
+ tokens ..................................................... 17
+ 5.6 Attributes defined in S/MIMIE .............................. 18
+ 6. Matching rules .............................................. 19
+ 6.1 Case ignore match .......................................... 19
+ 6.2 Signing time match ......................................... 20
+ 7. Security Considerations ..................................... 20
+ 8. Authors' Addresses .......................................... 21
+ A. ASN.1 module ................................................ 22
+ B. BNF schema summary .......................................... 30
+ B.1 Syntaxes ................................................... 30
+ B.2 Object classes ............................................. 31
+ B.3 Attribute types ............................................ 32
+ B.4 Matching rules ............................................. 36
+ C. Intellectual property considerations ........................ 37
+ D. Revision history ............................................ 37
+ E. References .................................................. 39
+ F. Contact information & About PKCS ............................ 41
+ Full Copyright Statement ........................................ 41
+
+1. Introduction
+
+ This document defines two new auxiliary object classes, pkcsEntity
+ and naturalPerson, and selected attribute types for use with these
+ classes. It also defines some attribute types for use in conjunction
+ with PKCS #7 [14] (and S/MIME CMS [3]) digitally signed messages,
+ PKCS #10 [16] certificate-signing requests, PKCS #12 [17] personal
+ information exchanges and PKCS #15 [18] cryptographic tokens.
+ Matching rules for use with these attributes are also defined,
+ whenever necessary.
+
+2. Definitions, notation and document conventions
+
+ 2.1 Definitions
+
+ For the purposes of this document, the following definitions apply.
+
+ ASN.1 Abstract Syntax Notation One, as defined in [5].
+
+ Attributes An ASN.1 type that specifies a set of attributes.
+ Each attribute contains an attribute type (specified
+ by object identifier) and one or more attribute
+ values. Some attribute types are restricted in their
+ definition to have a single value; others may have
+ multiple values. This type is defined in [7].
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 2]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ CertificationRequestInfo
+ An ASN.1 type that specifies a subject name, a public
+ key, and a set of attributes. This type is defined
+ in [16].
+
+ ContentInfo An ASN.1 type that specifies content exchanged
+ between entities. The contentType field, which has
+ type OBJECT IDENTIFIER, specifies the content type,
+ and the content field, whose type is defined by the
+ contentType field, contains the content value. This
+ type is defined in [14] and [3].
+
+ PrivateKeyInfo A type that specifies a private key and a set of
+ extended attributes. This type and the associated
+ EncryptedPrivateKeyInfo type are defined in [15].
+
+ SignerInfo A type that specifies per-signer information in the
+ signed-data content type, including a set of
+ attributes authenticated by the signer, and a set of
+ attributes not authenticated by the signer. This
+ type is defined in [14] and [3].
+
+ DER Distinguished Encoding Rules for ASN.1, as defined in
+ [6].
+
+ UCS Universal Multiple-Octet Coded Character Set, as
+ defined in [11].
+
+ UTF8String UCS Transformation Format encoded string. The UTF-8
+ encoding is defined in [11].
+
+ 2.2 Notation and document conventions
+
+ In this document, all attribute type and object class definitions are
+ written in the ASN.1 value notation defined in [5]. Appendix B
+ contains most of these definitions written in the augmented BNF
+ notation defined in [2] as well. This has been done in an attempt to
+ simplify the task of integrating this work into LDAP [22] development
+ environments.
+
+ The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
+ "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
+ document are to be interpreted as described in [1].
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 3]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+3. Overview
+
+ This document specifies two new auxiliary object classes, pkcsEntity
+ and naturalPerson, and some new attribute types and matching rules.
+ All ASN.1 object classes, attributes, matching rules and types are
+ exported for use in other environments.
+
+ Attribute types defined in this document that are useful in
+ conjunction with storage of PKCS-related data and the pkcsEntity
+ object class includes PKCS #12 PFX PDUs, PKCS #15 tokens and
+ encrypted private keys.
+
+ Attribute types defined in this document that are useful in
+ conjunction with PKCS #10 certificate requests and the naturalPerson
+ object class includes electronic-mail address, pseudonym,
+ unstructured name, and unstructured address.
+
+ Attribute types defined in this document that are useful in PKCS #7
+ digitally signed messages are content type, message digest, signing
+ time, sequence number, random nonce and countersignature. The
+ attributes would be used in the authenticatedAttributes and
+ unauthenticatedAttributes fields of a SignerInfo or an
+ AuthenticatedData ([3]) value.
+
+ Attribute types that are useful especially in PKCS #10 certification
+ requests are the challenge password and the extension-request
+ attribute. The attributes would be used in the attributes field of a
+ CertificationRequestInfo value.
+
+ Note - The attributes types (from [8]) in Table 1, and probably
+ several others, might also be helpful in PKCS #10, PKCS #12 and PKCS
+ #15-aware applications.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 4]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ businessCategory preferredDeliveryMethod
+ commonName presentationAddress
+ countryName registeredAddress
+ description roleOccupant
+ destinationIndicator serialNumber
+ facsimileTelephoneNumber stateOrProvinceName
+ iSDNAddress streetAddress
+ localityName supportedApplicationContext
+ member surname
+ objectClass telephoneNumber
+ organizationName teletexTerminalIdentifier
+ physicalDeliveryOfficeName telexNumber
+ postalAddress title
+ postalCode x121Address
+ postOfficeBox
+
+ Table 1: ISO/IEC 9594-6 attribute types useful in PKCS documents
+
+4. Auxiliary object classes
+
+ This document defines two new auxiliary object classes: pkcsEntity
+ and naturalPerson.
+
+ 4.1 The pkcsEntity auxiliary object class
+
+ The pkcsEntity object class is a general-purpose auxiliary object
+ class that is intended to hold attributes about PKCS-related
+ entities. It has been designed for use within directory services
+ based on the LDAP protocol [22] and the X.500 family of protocols,
+ where support for PKCS-defined attributes is considered useful.
+
+ pkcsEntity OBJECT-CLASS ::= {
+ SUBCLASS OF { top }
+ KIND auxiliary
+ MAY CONTAIN { PKCSEntityAttributeSet }
+ ID pkcs-9-oc-pkcsEntity
+ }
+
+ PKCSEntityAttributeSet ATTRIBUTE ::= {
+ pKCS7PDU |
+ userPKCS12 |
+ pKCS15Token |
+ encryptedPrivateKeyInfo,
+ ... -- For future extensions
+ }
+
+ Attributes in the PKCSEntityAttributeSet are defined in Section 5.
+
+
+
+
+Nystrom & Kaliski Informational [Page 5]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ 4.2 The naturalPerson auxiliary object class
+
+ The naturalPerson object class is a general-purpose auxiliary object
+ class that is intended to hold attributes about human beings. It has
+ been designed for use within directory services based on the LDAP
+ protocol [22] and the X.500 family of protocols, where support for
+ these attributes is considered useful.
+
+ naturalPerson OBJECT-CLASS ::= {
+ SUBCLASS OF { top }
+ KIND auxiliary
+ MAY CONTAIN { NaturalPersonAttributeSet }
+ ID pkcs-9-oc-naturalPerson
+ }
+
+ NaturalPersonAttributeSet ATTRIBUTE ::= {
+ emailAddress |
+ unstructuredName |
+ unstructuredAddress |
+ dateOfBirth |
+ placeOfBirth |
+ gender |
+ countryOfCitizenship |
+ countryOfResidence |
+ pseudonym |
+ serialNumber,
+ ... -- For future extensions
+ }
+
+ Attributes in the NaturalPersonAttributeSet are defined in Section 5.
+
+5. Selected attribute types
+
+ 5.1 Attribute types for use with the "pkcsEntity" object class
+
+ 5.1.1 PKCS #7 PDU
+
+ PKCS #7 provides several formats for enveloped, signed and otherwise
+ protected data. When such information is stored in a directory
+ service, the pKCS7PDU attribute may be used.
+
+ pKCS7PDU ATTRIBUTE ::= {
+ WITH SYNTAX ContentInfo
+ ID pkcs-9-at-pkcs7PDU
+ }
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 6]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ 5.1.2 PKCS #12 token
+
+ PKCS #12 provides a format for exchange of personal identity
+ information. When such information is stored in a directory service,
+ the userPKCS12 attribute should be used.
+
+ userPKCS12 ATTRIBUTE ::= {
+ WITH SYNTAX PFX
+ ID pkcs-9-at-userPKCS12
+ }
+
+ This type was originally defined in [20].
+
+ 5.1.3 PKCS #15 token
+
+ PKCS #15 provides a format for cryptographic tokens. When software
+ variants of such tokens are stored in a directory service, the
+ pKCS15Token attribute should be used.
+
+ pKCS15Token ATTRIBUTE ::= {
+ WITH SYNTAX PKCS15Token
+ ID pkcs-9-at-pkcs15Token
+ }
+
+ 5.1.4 PKCS #8 encrypted private key information
+
+ PKCS #8 provides a format for encrypted private keys. When such
+ information is stored in a directory service, the
+ encryptedPrivateKeyInfo attribute should be used.
+
+ encryptedPrivateKeyInfo ATTRIBUTE ::= {
+ WITH SYNTAX EncryptedPrivateKeyInfo
+ ID pkcs-9-at-encryptedPrivateKeyInfo
+ }
+
+ 5.2 Attribute types for use with the "naturalPerson" object class
+
+ 5.2.1 Electronic-mail address
+
+ The emailAddress attribute type specifies the electronic-mail address
+ or addresses of a subject as an unstructured ASCII string. The
+ interpretation of electronic-mail addresses is intended to be
+ specified by certificate issuers etc.; no particular interpretation
+ is required.
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 7]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ emailAddress ATTRIBUTE ::= {
+ WITH SYNTAX IA5String (SIZE(1..pkcs-9-ub-emailAddress))
+ EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
+ ID pkcs-9-at-emailAdress
+ }
+
+ An electronic-mail address attribute can have multiple attribute
+ values. When comparing two email addresses, case is irrelevant. The
+ pkcs9CaseIgnoreMatch is defined in Section 6.
+
+ Note - It is likely that other standards bodies overseeing
+ electronic-mail systems will, or have, registered electronic-mail
+ address attribute types specific to their system. The electronic-
+ mail address attribute type defined here was intended as a short-term
+ substitute for those specific attribute types, but is included here
+ for backwards-compatibility reasons.
+
+ 5.2.2 Unstructured name
+
+ The unstructuredName attribute type specifies the name or names of a
+ subject as an unstructured ASCII string. The interpretation of
+ unstructured names is intended to be specified by certificate issuers
+ etc.; no particular interpretation is required.
+
+ unstructuredName ATTRIBUTE ::= {
+ WITH SYNTAX PKCS9String {pkcs-9-ub-unstructuredName}
+ EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
+ ID pkcs-9-at-unstructuredName
+ }
+
+ PKCS9String { INTEGER : maxSize} ::= CHOICE {
+ ia5String IA5String (SIZE(1..maxSize)),
+ directoryString DirectoryString {maxSize}
+ }
+
+ An unstructured-name attribute can have multiple attribute values.
+ When comparing two unstructured names, case is irrelevant.
+
+ The PKCS9String type is defined as a choice of IA5String and
+ DirectoryString. Applications SHOULD use the IA5String type when
+ generating attribute values in accordance with this version of this
+ document, unless internationalization issues makes this impossible.
+ In that case, the UTF8String alternative of the DirectoryString
+ alternative is the preferred choice. PKCS #9-attribute processing
+ systems MUST be able to recognize and process all string types in
+ PKCS9String values.
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 8]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ Note - Version 1.1 of this document defined unstructuredName as
+ having the syntax IA5String, but did contain a note explaining that
+ this might be changed to a CHOICE of different string types in future
+ versions. To better accommodate international names, this type has
+ been extended to also include a directory string in this version of
+ this document. Since [21] does not support a directory string type
+ containing IA5Strings, a separate syntax object identifier has been
+ defined (see [21] and Appendix B).
+
+ 5.2.3 Unstructured address
+
+ The unstructuredAddress attribute type specifies the address or
+ addresses of a subject as an unstructured directory string. The
+ interpretation of unstructured addresses is intended to be specified
+ by certificate issuers etc; no particular interpretation is required.
+ A likely interpretation is as an alternative to the postalAddress
+ attribute type defined in [8].
+
+ unstructuredAddress ATTRIBUTE ::= {
+ WITH SYNTAX DirectoryString {pkcs-9-ub-unstructuredAddress}
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ ID pkcs-9-at-unstructuredAddress
+ }
+
+ An unstructured-address attribute can have multiple attribute values.
+ The caseIgnoreMatch matching rule is defined in [8].
+
+ Note 1 - It is recommended to use the ASN.1 type TeletexString's
+ new-line character (hexadecimal code 0d) as a line separator in
+ multi-line addresses.
+
+ Note 2 - Previous versions of this document defined
+ unstructuredAddress as having the following syntax:
+
+ CHOICE {
+ teletexString TeletexString,
+ printableString PrintableString,
+ }
+
+ But also mentioned the possibility of a future definition as follows:
+
+ CHOICE {
+ teletexString TeletexString,
+ printableString PrintableString,
+ universalString UniversalString
+ }
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 9]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ In this version of this document, the X.520 type DirectoryString has
+ been used in order to be more aligned with international standards
+ and current practice. When generating attribute values in accordance
+ with this version of this document, applications SHOULD use the
+ PrintableString alternative unless internationalization issues makes
+ this impossible. In those cases, the UTF8String alternative SHOULD
+ be used. PKCS #9-attribute processing systems MUST be able to
+ recognize and process all string types in DirectoryString values.
+
+ 5.2.4 Date of birth
+
+ The dateOfBirth attribute specifies the date of birth for the subject
+ it is associated with.
+
+ dateOfBirth ATTRIBUTE ::= {
+ WITH SYNTAX GeneralizedTime
+ EQUALITY MATCHING RULE generalizedTimeMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-dateOfBirth
+ }
+
+ dateOfBirth attributes must be single-valued. The
+ generalizedTimeMatch matching rule is defined in [8].
+
+ 5.2.5 Place of birth
+
+ The placeOfBirth attribute specifies the place of birth for the
+ subject it is associated with.
+
+ placeOfBirth ATTRIBUTE ::= {
+ WITH SYNTAX DirectoryString {pkcs-9-ub-placeOfBirth}
+ EQUALITY MATCHING RULE caseExactMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-placeOfBirth
+ }
+
+ placeOfBirth attributes must be single-valued. The caseExactMatch
+ matching rule is defined in [8].
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 10]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ 5.2.6 Gender
+
+ The gender attribute specifies the gender of the subject it is
+ associated with.
+
+ gender ATTRIBUTE ::= {
+ WITH SYNTAX PrintableString (SIZE(1) ^
+ FROM ("M" | "F" | "m" | "f"))
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-gender
+ }
+
+ The letter "M" (or "m") represents "male" and the letter "F" (or "f")
+ represents "female". gender attributes must be single-valued.
+
+ 5.2.7 Country of citizenship
+
+ The countryOfCitizenship attribute specifies the (claimed) countries
+ of citizenship for the subject it is associated with. It SHALL be a
+ 2-letter acronym of a country in accordance with [4].
+
+ countryOfCitizenship ATTRIBUTE ::= {
+ WITH SYNTAX PrintableString (SIZE(2) ^ CONSTRAINED BY {
+ -- Must be a two-letter country acronym in accordance with
+ -- ISO/IEC 3166 --})
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ ID pkcs-9-at-countryOfCitizenship
+ }
+
+ Attributes of this type need not be single-valued.
+
+ 5.2.8 Country of residence
+
+ The countryOfResidence attribute specifies the (claimed) country of
+ residence for the subject is associated with. It SHALL be a 2-letter
+ acronym of a country in accordance with [4].
+
+ countryOfResidence ATTRIBUTE ::= {
+ WITH SYNTAX PrintableString (SIZE(2) ^ CONSTRAINED BY {
+ -- Must be a two-letter country acronym in accordance with
+ -- ISO/IEC 3166 --})
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ ID pkcs-9-at-countryOfResidence
+ }
+
+ Attributes of this type need not be single-valued, since it is
+ possible to be a resident of several countries.
+
+
+
+Nystrom & Kaliski Informational [Page 11]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ 5.2.9 Pseudonym
+
+ The pseudonym attribute type shall contain a pseudonym of a subject.
+ The exact interpretation of pseudonyms is intended to be specified by
+ certificate issuers etc.; no particular interpretation is required.
+
+ pseudonym ATTRIBUTE ::= {
+ WITH SYNTAX DirectoryString {pkcs-9-ub-pseudonym}
+ EQUALITY MATCHING RULE caseExactMatch
+ ID id-at-pseudonym
+ }
+
+ Note - The pseudonym attribute has received an object identifier in
+ the joint-iso-itu-t object identifier tree.
+
+ The caseExactMatch matching rule is defined in [8].
+
+ 5.2.10 Serial number
+
+ The serialNumber attribute is defined in [8].
+
+ 5.3 Attribute types for use in PKCS #7 data
+
+ 5.3.1 Content type
+
+ The contentType attribute type specifies the content type of the
+ ContentInfo value being signed in PKCS #7 (or S/MIME CMS) digitally
+ signed data. In such data, the contentType attribute type is
+ required if there are any PKCS #7 authenticated attributes.
+
+ contentType ATTRIBUTE ::= {
+ WITH SYNTAX ContentType
+ EQUALITY MATCHING RULE objectIdentifierMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-contentType
+ }
+
+ ContentType ::= OBJECT IDENTIFIER
+
+ As indicated, content-type attributes must have a single attribute
+ value. For two content-type values to match, their octet string
+ representation must be of equal length and corresponding octets
+ identical. The objectIdentifierMatch matching rule is defined in
+ [7].
+
+ Note - This attribute type is described in [3] as well.
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 12]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ 5.3.2 Message digest
+
+ The messageDigest attribute type specifies the message digest of the
+ contents octets of the DER-encoding of the content field of the
+ ContentInfo value being signed in PKCS #7 digitally signed data,
+ where the message digest is computed under the signer's message
+ digest algorithm. The message-digest attribute type is required in
+ these cases if there are any PKCS #7 authenticated attributes
+ present.
+
+ messageDigest ATTRIBUTE ::= {
+ WITH SYNTAX MessageDigest
+ EQUALITY MATCHING RULE octetStringMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-messageDigest
+ }
+
+ MessageDigest ::= OCTET STRING
+
+ As indicated, a message-digest attribute must have a single attribute
+ value. For two messageDigest values to match, their octet string
+ representation must be of equal length and corresponding octets
+ identical. The octetStringMatch matching rule is defined in [8].
+
+ Note - This attribute is described in [3] as well.
+
+ 5.3.3 Signing time
+
+ The signingTime attribute type is intended for PKCS #7 digitally
+ signed data. It specifies the time at which the signer (purportedly)
+ performed the signing process.
+
+ signingTime ATTRIBUTE ::= {
+ WITH SYNTAX SigningTime
+ EQUALITY MATCHING RULE signingTimeMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-signingTime
+ }
+
+ SigningTime ::= Time -- imported from ISO/IEC 9594-8
+
+ A signing-time attribute must have a single attribute value.
+
+ The signingTimeMatch matching rule (defined in Section 6.1) returns
+ TRUE if an attribute value represents the same time as a presented
+ value.
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 13]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ Quoting from [3]:
+ "Dates between 1 January 1950 and 31 December 2049 (inclusive) MUST
+ be encoded as UTCTime. Any dates with year values before 1950 or
+ after 2049 MUST be encoded as GeneralizedTime. [Further,] UTCTime
+ values MUST be expressed in Greenwich Mean Time (Zulu) and MUST
+ include seconds (i.e., times are YYMMDDHHMMSSZ), even where the
+ number of seconds is zero. Midnight (GMT) must be represented as
+ "YYMMDD000000Z". Century information is implicit, and the century
+ shall be determined as follows:
+
+ - Where YY is greater than or equal to 50, the year shall be
+ interpreted as 19YY; and
+ - Where YY is less than 50, the year shall be interpreted as 20YY.
+
+ GeneralizedTime values shall be expressed in Greenwich Mean Time
+ (Zulu) and must include seconds (i.e., times are YYYYMMDDHHMMSSZ),
+ even where the number of seconds is zero. GeneralizedTime values
+ must not include fractional seconds."
+
+ Note 1 - The definition of SigningTime matches the definition of Time
+ specified in [10].
+
+ Note 2 - No requirement is imposed concerning the correctness of the
+ signing time, and acceptance of a purported signing time is a matter
+ of a recipient's discretion. It is expected, however, that some
+ signers, such as time-stamp servers, will be trusted implicitly.
+
+ 5.3.4 Random nonce
+
+ The randomNonce attribute type is intended for PKCS #7 digitally
+ signed data. It may be used by a signer unable (or unwilling) to
+ specify the time at which the signing process was performed. Used in
+ a correct manner, it will make it possible for the signer to protect
+ against certain attacks, i.e. replay attacks.
+
+ randomNonce ATTRIBUTE ::= {
+ WITH SYNTAX RandomNonce
+ EQUALITY MATCHING RULE octetStringMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-randomNonce
+ }
+
+ RandomNonce ::= OCTET STRING (SIZE(4..MAX))
+ -- At least four bytes long
+
+ A random nonce attribute must have a single attribute value.
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 14]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ 5.3.5 Sequence number
+
+ The sequenceNumber attribute type is intended for PKCS #7 digitally
+ signed data. A signer wishing to associate a sequence number to all
+ signature operations (much like a physical checkbook) may use it as
+ an alternative to the randomNonce attribute. Used in a correct
+ manner, it will make it possible for the signer to protect against
+ certain attacks, i.e. replay attacks.
+
+ sequenceNumber ATTRIBUTE ::= {
+ WITH SYNTAX SequenceNumber
+ EQUALITY MATCHING RULE integerMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-sequenceNumber
+ }
+
+ SequenceNumber ::= INTEGER (1..MAX)
+
+ A sequence number attribute must have a single attribute value.
+
+ The integerMatch matching rule is defined in [8].
+
+ 5.3.6 Countersignature
+
+ The counterSignature attribute type specifies one or more signatures
+ on the content octets of the DER encoding of the encryptedDigest
+ field of a SignerInfo value in PKCS #7 digitally signed data. Thus,
+ the countersignature attribute type countersigns (signs in serial)
+ another signature. The countersignature attribute must be an
+ unauthenticated PKCS #7 attribute; it cannot be an authenticated
+ attribute.
+
+ counterSignature ATTRIBUTE ::= {
+ WITH SYNTAX SignerInfo
+ ID pkcs-9-at-counterSignature
+ }
+
+ Countersignature values have the same meaning as SignerInfo values
+ for ordinary signatures (see Section 9 of [14] and Section 5.3 of
+ [3]), except that:
+
+ 1. The authenticatedAttributes field must contain a messageDigest
+ attribute if it contains any other attributes, but need not contain a
+ contentType attribute, as there is no content type for
+ countersignatures; and
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 15]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ 2. The input to the message-digesting process is the content octets
+ of the DER encoding of the signatureValue field of the SignerInfo
+ value with which the attribute is associated.
+
+ A countersignature attribute can have multiple attribute values.
+
+ Note 1 - The fact that a countersignature is computed on a signature
+ (encrypted digest) means that the countersigning process need not
+ know the original content input to the signing process. This has
+ advantages both in efficiency and in confidentiality.
+
+ Note 2 - A countersignature, since it has type SignerInfo, can itself
+ contain a countersignature attribute. Thus it is possible to
+ construct arbitrarily long series of countersignatures.
+
+ 5.4 Attribute types for use with PKCS #10 certificate requests
+
+ 5.4.1 Challenge password
+
+ The challengePassword attribute type specifies a password by which an
+ entity may request certificate revocation. The interpretation of
+ challenge passwords is intended to be specified by certificate
+ issuers etc; no particular interpretation is required.
+
+ challengePassword ATTRIBUTE ::= {
+ WITH SYNTAX DirectoryString {pkcs-9-ub-challengePassword}
+ EQUALITY MATCHING RULE caseExactMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-challengePassword
+ }
+
+ A challenge-password attribute must have a single attribute value.
+
+ ChallengePassword attribute values generated in accordance with this
+ version of this document SHOULD use the PrintableString encoding
+ whenever possible. If internationalization issues make this
+ impossible, the UTF8String alternative SHOULD be used. PKCS #9-
+ attribute processing systems MUST be able to recognize and process
+ all string types in DirectoryString values.
+
+ Note - Version 1.1 of this document defined challengePassword as
+ having the syntax CHOICE {PrintableString, T61String}, but did
+ contain a note explaining that this might be changed to a CHOICE of
+ different string types in the future See also Note 2 in section
+ 5.2.3.
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 16]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ 5.4.2 Extension request
+
+ The extensionRequest attribute type may be used to carry information
+ about certificate extensions the requester wishes to be included in a
+ certificate.
+
+ extensionRequest ATTRIBUTE ::= {
+ WITH SYNTAX ExtensionRequest
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-extensionRequest
+ }
+
+ ExtensionRequest ::= Extensions
+
+ The Extensions type is imported from [10].
+
+ 5.4.3 Extended-certificate attributes (deprecated)
+
+ The extendedCertificateAttributes attribute type specified a set of
+ attributes for a PKCS #6 [13] extended certificate in a PKCS #10
+ certification request (the value of the extended certificate-
+ attributes attribute would become the extension in the requested PKCS
+ #6 extended certificate). Since the status of PKCS #6 is historic
+ after the introduction of X.509 v3 certificates [10], the use of this
+ attribute is deprecated.
+
+ extendedCertificateAttributes ATTRIBUTE ::= {
+ WITH SYNTAX SET OF Attribute
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-extendedCertificateAttributes
+ }
+
+ An extended certificate attributes attribute must have a single
+ attribute value (that value is a set, which itself may contain
+ multiple values, but there must be only one set).
+
+ 5.5 Attributes for use in PKCS #12 "PFX" PDUs or PKCS #15 tokens
+
+ 5.5.1 Friendly name
+
+ The friendlyName attribute type specifies a user-friendly name of the
+ object it belongs to. It is referenced in [17].
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 17]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ friendlyName ATTRIBUTE ::= {
+ WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-friendlyName
+ }
+
+ As indicated, friendlyName attributes must have a single attribute
+ value.
+
+ 5.5.2 Local key identifier
+
+ The localKeyId attribute type specifies an identifier for a
+ particular key. It is only to be used locally in applications. This
+ attribute is referenced in [17].
+
+ localKeyId ATTRIBUTE ::= {
+ WITH SYNTAX OCTET STRING
+ EQUALITY MATCHING RULE octetStringMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-localKeyId
+ }
+
+ As indicated, localKeyId attributes must have a single attribute
+ value. For two localKeyId values to match, their octet string
+ representation must be of equal length and corresponding octets
+ identical.
+
+ 5.6 Attributes defined in S/MIME
+
+ S/MIME (c.f. [12]) defines some attributes and object identifiers in
+ the PKCS #9 object identifier tree. For completeness, they are
+ mentioned here.
+
+ 5.6.1 Signing description
+
+ The signingDescription attribute is intended to provide a short
+ synopsis of a message that can be used to present a user with an
+ additional confirmation step before committing to a cryptographic
+ operation. In most cases, the replication of the "Subject:" line
+ from the header of a message should be sufficient and is recommended.
+
+ signingDescription ATTRIBUTE ::= {
+ WITH SYNTAX DirectoryString {pkcs-9-ub-signingDescription}
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-signingDescription
+ }
+
+
+
+Nystrom & Kaliski Informational [Page 18]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ 5.6.2 S/MIME capabilities
+
+ The syntax and semantics of the smimeCapabilities attribute is
+ defined in [12]. It is included here for the sake of completeness.
+
+ smimeCapabilities ATTRIBUTE ::= {
+ WITH SYNTAX SMIMECapabilities
+ SINGLE VALUE
+ ID pkcs-9-at-smimeCapabilities
+ }
+
+ SMIMECapabilities ::= SEQUENCE OF SMIMECapability
+
+ SMIMECapability ::= SEQUENCE {
+ algorithm ALGORITHM.&id ({SMIMEv3Algorithms}),
+ parameters ALGORITHM.&Type ({SMIMEv3Algorithms}{@algorithm})
+ }
+
+ SMIMEv3Algorithms ALGORITHM ::= {... -- See RFC 2633 -- }
+
+6. Matching rules
+
+ This section defines matching rules used in the definition of
+ attributes in this document.
+
+ 6.1 Case ignore match
+
+ The pkcs9CaseIgnoreMatch rule compares for equality a presented
+ string with an attribute value of type PKCS9String, without regard to
+ the case (upper or lower) of the strings (e.g. "Pkcs" and "PKCS"
+ match).
+
+ pkcs9CaseIgnoreMatch MATCHING-RULE ::= {
+ SYNTAX PKCS9String {pkcs9-ub-match}
+ ID id-mr-pkcs9CaseIgnoreMatch
+ }
+
+ The rule returns TRUE if the strings are the same length and
+ corresponding characters are identical except possibly with regard to
+ case.
+
+ Where the strings being matched are of different ASN.1 syntax, the
+ comparison proceeds as normal so long as the corresponding characters
+ are in both character sets. Otherwise matching fails.
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 19]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ 6.2 Signing time match
+
+ The signingTimeMatch rule compares for equality a presented value
+ with an attribute value of type SigningTime.
+
+ signingTimeMatch MATCHING-RULE ::= {
+ SYNTAX SigningTime
+ ID pkcs-9-mr-signingTimeMatch
+ }
+
+ The rule returns TRUE if the attribute value represents the same time
+ as the presented value. If a time is specified with seconds (or
+ fractional seconds) absent, the number of seconds (fractional
+ seconds) is assumed to be zero.
+
+ Where the strings being matched are of different ASN.1 syntax, the
+ comparison proceeds as follows:
+
+ a) Convert both values to DER-encoded values of type GeneralizedTime,
+ coordinated universal time. If this is not possible the matching
+ fails.
+
+ b) Compare the strings for equality. The rule returns TRUE if and
+ only if the strings are of the same length and corresponding octets
+ are identical.
+
+7. Security Considerations
+
+ Attributes of directory entries are used to provide descriptive
+ information about the real-world objects they represent, which can be
+ people, organizations or devices. Most countries have privacy laws
+ regarding the publication of information about people.
+
+ The challengePassword attribute should not be stored un-encrypted in
+ a directory.
+
+ Users of directory-aware applications making use of attributes
+ defined for use with the pkcsEntity object class should make sure
+ that the class's attributes are adequately protected, since they may
+ potentially be read by third parties. If a password-protected value
+ is stored (PKCS #8, #12 or #15), the directory should authenticate
+ the requester before delivering the value to prevent an off-line
+ password-search attack. Note that this potentially raises non-
+ repudiation issues since the directory itself can try a password
+ search to recover a private value, if stored this way.
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 20]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+8. Authors' Addresses
+
+ Magnus Nystrom
+ RSA Security
+ Box 10704
+ S-121 29 Stockholm
+ Sweden
+
+ EMail: magnus@rsasecurity.com
+
+
+ Burt Kaliski
+ RSA Security
+ 20 Crosby Drive
+ Bedford, MA 01730 USA
+
+ EMail: bkaliski@rsasecurity.com
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 21]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+APPENDICES
+
+A. ASN.1 module
+
+ This appendix includes all of the ASN.1 type and value definitions
+ contained in this document in the form of the ASN.1 module PKCS-9.
+
+ PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
+ pkcs-9(9) modules(0) pkcs-9(1)}
+
+ DEFINITIONS IMPLICIT TAGS ::=
+
+ BEGIN
+
+ -- EXPORTS All --
+ -- All types and values defined in this module is exported for use
+ -- in other ASN.1 modules.
+
+ IMPORTS
+
+ informationFramework, authenticationFramework,
+ selectedAttributeTypes, upperBounds , id-at
+ FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
+ usefulDefinitions(0) 3}
+
+ ub-name
+ FROM UpperBounds upperBounds
+
+ OBJECT-CLASS, ATTRIBUTE, MATCHING-RULE, Attribute, top,
+ objectIdentifierMatch
+ FROM InformationFramework informationFramework
+
+ ALGORITHM, Extensions, Time
+ FROM AuthenticationFramework authenticationFramework
+
+ DirectoryString, octetStringMatch, caseIgnoreMatch, caseExactMatch,
+ generalizedTimeMatch, integerMatch, serialNumber
+ FROM SelectedAttributeTypes selectedAttributeTypes
+
+ ContentInfo, SignerInfo
+ FROM CryptographicMessageSyntax {iso(1) member-body(2) us(840)
+ rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1)}
+
+ EncryptedPrivateKeyInfo
+ FROM PKCS-8 {iso(1) member-body(2) us(840) rsadsi(113549)
+ pkcs(1) pkcs-8(8) modules(1) pkcs-8(1)}
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 22]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ PFX
+ FROM PKCS-12 {iso(1) member-body(2) us(840) rsadsi(113549)
+ pkcs(1) pkcs-12(12) modules(0) pkcs-12(1)}
+
+ PKCS15Token
+ FROM PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549)
+ pkcs(1) pkcs-15(15) modules(1) pkcs-15(1)};
+
+ -- Upper bounds
+
+ pkcs-9-ub-pkcs9String INTEGER ::= 255
+ pkcs-9-ub-emailAddress INTEGER ::= pkcs-9-ub-pkcs9String
+ pkcs-9-ub-unstructuredName INTEGER ::= pkcs-9-ub-pkcs9String
+ pkcs-9-ub-unstructuredAddress INTEGER ::= pkcs-9-ub-pkcs9String
+ pkcs-9-ub-challengePassword INTEGER ::= pkcs-9-ub-pkcs9String
+ pkcs-9-ub-friendlyName INTEGER ::= pkcs-9-ub-pkcs9String
+ pkcs-9-ub-signingDescription INTEGER ::= pkcs-9-ub-pkcs9String
+ pkcs-9-ub-match INTEGER ::= pkcs-9-ub-pkcs9String
+ pkcs-9-ub-pseudonym INTEGER ::= ub-name
+ pkcs-9-ub-placeOfBirth INTEGER ::= ub-name
+
+ -- Object Identifiers
+
+ pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
+ rsadsi(113549) pkcs(1) 9}
+
+ -- Main arcs
+ pkcs-9-mo OBJECT IDENTIFIER ::= {pkcs-9 0} -- Modules branch
+ pkcs-9-oc OBJECT IDENTIFIER ::= {pkcs-9 24} -- Object class branch
+ pkcs-9-at OBJECT IDENTIFIER ::= {pkcs-9 25} -- Attribute branch, for
+ -- new attributes
+ pkcs-9-sx OBJECT IDENTIFIER ::= {pkcs-9 26} -- For syntaxes (RFC 2252)
+ pkcs-9-mr OBJECT IDENTIFIER ::= {pkcs-9 27} -- Matching rules
+
+ -- Object classes
+ pkcs-9-oc-pkcsEntity OBJECT IDENTIFIER ::= {pkcs-9-oc 1}
+ pkcs-9-oc-naturalPerson OBJECT IDENTIFIER ::= {pkcs-9-oc 2}
+
+ -- Attributes
+ pkcs-9-at-emailAddress OBJECT IDENTIFIER ::= {pkcs-9 1}
+ pkcs-9-at-unstructuredName OBJECT IDENTIFIER ::= {pkcs-9 2}
+ pkcs-9-at-contentType OBJECT IDENTIFIER ::= {pkcs-9 3}
+ pkcs-9-at-messageDigest OBJECT IDENTIFIER ::= {pkcs-9 4}
+ pkcs-9-at-signingTime OBJECT IDENTIFIER ::= {pkcs-9 5}
+ pkcs-9-at-counterSignature OBJECT IDENTIFIER ::= {pkcs-9 6}
+ pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {pkcs-9 7}
+ pkcs-9-at-unstructuredAddress OBJECT IDENTIFIER ::= {pkcs-9 8}
+
+
+
+
+Nystrom & Kaliski Informational [Page 23]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ pkcs-9-at-extendedCertificateAttributes
+ OBJECT IDENTIFIER ::= {pkcs-9 9}
+
+ -- Obsolete (?) attribute identifiers, purportedly from "tentative
+ -- PKCS #9 draft"
+ -- pkcs-9-at-issuerAndSerialNumber OBJECT IDENTIFIER ::= {pkcs-9 10}
+ -- pkcs-9-at-passwordCheck OBJECT IDENTIFIER ::= {pkcs-9 11}
+ -- pkcs-9-at-publicKey OBJECT IDENTIFIER ::= {pkcs-9 12}
+
+ pkcs-9-at-signingDescription OBJECT IDENTIFIER ::= {pkcs-9 13}
+ pkcs-9-at-extensionRequest OBJECT IDENTIFIER ::= {pkcs-9 14}
+ pkcs-9-at-smimeCapabilities OBJECT IDENTIFIER ::= {pkcs-9 15}
+
+ -- Unused (?)
+ -- pkcs-9-at-? OBJECT IDENTIFIER ::= {pkcs-9 17}
+ -- pkcs-9-at-? OBJECT IDENTIFIER ::= {pkcs-9 18}
+ -- pkcs-9-at-? OBJECT IDENTIFIER ::= {pkcs-9 19}
+
+ pkcs-9-at-friendlyName OBJECT IDENTIFIER ::= {pkcs-9 20}
+ pkcs-9-at-localKeyId OBJECT IDENTIFIER ::= {pkcs-9 21}
+ pkcs-9-at-userPKCS12 OBJECT IDENTIFIER ::=
+ {2 16 840 1 113730 3 1 216}
+ pkcs-9-at-pkcs15Token OBJECT IDENTIFIER ::= {pkcs-9-at 1}
+ pkcs-9-at-encryptedPrivateKeyInfo OBJECT IDENTIFIER ::= {pkcs-9-at 2}
+ pkcs-9-at-randomNonce OBJECT IDENTIFIER ::= {pkcs-9-at 3}
+ pkcs-9-at-sequenceNumber OBJECT IDENTIFIER ::= {pkcs-9-at 4}
+ pkcs-9-at-pkcs7PDU OBJECT IDENTIFIER ::= {pkcs-9-at 5}
+
+ -- IETF PKIX Attribute branch
+ ietf-at OBJECT IDENTIFIER ::=
+ {1 3 6 1 5 5 7 9}
+
+ pkcs-9-at-dateOfBirth OBJECT IDENTIFIER ::= {ietf-at 1}
+ pkcs-9-at-placeOfBirth OBJECT IDENTIFIER ::= {ietf-at 2}
+ pkcs-9-at-gender OBJECT IDENTIFIER ::= {ietf-at 3}
+ pkcs-9-at-countryOfCitizenship OBJECT IDENTIFIER ::= {ietf-at 4}
+ pkcs-9-at-countryOfResidence OBJECT IDENTIFIER ::= {ietf-at 5}
+
+ -- Syntaxes (for use with LDAP accessible directories)
+ pkcs-9-sx-pkcs9String OBJECT IDENTIFIER ::= {pkcs-9-sx 1}
+ pkcs-9-sx-signingTime OBJECT IDENTIFIER ::= {pkcs-9-sx 2}
+
+ -- Matching rules
+ pkcs-9-mr-caseIgnoreMatch OBJECT IDENTIFIER ::= {pkcs-9-mr 1}
+ pkcs-9-mr-signingTimeMatch OBJECT IDENTIFIER ::= {pkcs-9-mr 2}
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 24]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ -- Arcs with attributes defined elsewhere
+ smime OBJECT IDENTIFIER ::= {pkcs-9 16}
+
+ -- Main arc for S/MIME (RFC 2633)
+ certTypes OBJECT IDENTIFIER ::= {pkcs-9 22}
+
+ -- Main arc for certificate types defined in PKCS #12
+ crlTypes OBJECT IDENTIFIER ::= {pkcs-9 23}
+
+ -- Main arc for crl types defined in PKCS #12
+
+ -- Other object identifiers
+ id-at-pseudonym OBJECT IDENTIFIER ::= {id-at 65}
+
+ -- Useful types
+
+ PKCS9String {INTEGER : maxSize} ::= CHOICE {
+ ia5String IA5String (SIZE(1..maxSize)),
+ directoryString DirectoryString {maxSize}
+ }
+
+ -- Object classes
+
+ pkcsEntity OBJECT-CLASS ::= {
+ SUBCLASS OF { top }
+ KIND auxiliary
+ MAY CONTAIN { PKCSEntityAttributeSet }
+ ID pkcs-9-oc-pkcsEntity
+ }
+
+ naturalPerson OBJECT-CLASS ::= {
+ SUBCLASS OF { top }
+ KIND auxiliary
+ MAY CONTAIN { NaturalPersonAttributeSet }
+ ID pkcs-9-oc-naturalPerson
+ }
+
+ -- Attribute sets
+
+ PKCSEntityAttributeSet ATTRIBUTE ::= {
+ pKCS7PDU |
+ userPKCS12 |
+ pKCS15Token |
+ encryptedPrivateKeyInfo,
+ ... -- For future extensions
+ }
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 25]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ NaturalPersonAttributeSet ATTRIBUTE ::= {
+ emailAddress |
+ unstructuredName |
+ unstructuredAddress |
+ dateOfBirth |
+ placeOfBirth |
+ gender |
+ countryOfCitizenship |
+ countryOfResidence |
+ pseudonym |
+ serialNumber,
+ ... -- For future extensions
+ }
+
+ -- Attributes
+
+ pKCS7PDU ATTRIBUTE ::= {
+ WITH SYNTAX ContentInfo
+ ID pkcs-9-at-pkcs7PDU
+ }
+
+ userPKCS12 ATTRIBUTE ::= {
+ WITH SYNTAX PFX
+ ID pkcs-9-at-userPKCS12
+ }
+
+ pKCS15Token ATTRIBUTE ::= {
+ WITH SYNTAX PKCS15Token
+ ID pkcs-9-at-pkcs15Token
+ }
+
+ encryptedPrivateKeyInfo ATTRIBUTE ::= {
+ WITH SYNTAX EncryptedPrivateKeyInfo
+ ID pkcs-9-at-encryptedPrivateKeyInfo
+ }
+
+ emailAddress ATTRIBUTE ::= {
+ WITH SYNTAX IA5String (SIZE(1..pkcs-9-ub-emailAddress))
+ EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
+ ID pkcs-9-at-emailAddress
+ }
+
+ unstructuredName ATTRIBUTE ::= {
+ WITH SYNTAX PKCS9String {pkcs-9-ub-unstructuredName}
+ EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
+ ID pkcs-9-at-unstructuredName
+ }
+
+
+
+
+Nystrom & Kaliski Informational [Page 26]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ unstructuredAddress ATTRIBUTE ::= {
+ WITH SYNTAX DirectoryString {pkcs-9-ub-unstructuredAddress}
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ ID pkcs-9-at-unstructuredAddress
+ }
+
+ dateOfBirth ATTRIBUTE ::= {
+ WITH SYNTAX GeneralizedTime
+ EQUALITY MATCHING RULE generalizedTimeMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-dateOfBirth
+ }
+
+ placeOfBirth ATTRIBUTE ::= {
+ WITH SYNTAX DirectoryString {pkcs-9-ub-placeOfBirth}
+ EQUALITY MATCHING RULE caseExactMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-placeOfBirth
+ }
+
+ gender ATTRIBUTE ::= {
+ WITH SYNTAX PrintableString (SIZE(1) ^
+ FROM ("M" | "F" | "m" | "f"))
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-gender
+ }
+
+ countryOfCitizenship ATTRIBUTE ::= {
+ WITH SYNTAX PrintableString (SIZE(2))(CONSTRAINED BY {
+ -- Must be a two-letter country acronym in accordance with
+ -- ISO/IEC 3166 --})
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ ID pkcs-9-at-countryOfCitizenship
+ }
+
+ countryOfResidence ATTRIBUTE ::= {
+ WITH SYNTAX PrintableString (SIZE(2))(CONSTRAINED BY {
+ -- Must be a two-letter country acronym in accordance with
+ -- ISO/IEC 3166 --})
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ ID pkcs-9-at-countryOfResidence
+ }
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 27]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ pseudonym ATTRIBUTE ::= {
+ WITH SYNTAX DirectoryString {pkcs-9-ub-pseudonym}
+ EQUALITY MATCHING RULE caseExactMatch
+ ID id-at-pseudonym
+ }
+
+ contentType ATTRIBUTE ::= {
+ WITH SYNTAX ContentType
+ EQUALITY MATCHING RULE objectIdentifierMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-contentType
+ }
+
+ ContentType ::= OBJECT IDENTIFIER
+
+ messageDigest ATTRIBUTE ::= {
+ WITH SYNTAX MessageDigest
+ EQUALITY MATCHING RULE octetStringMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-messageDigest
+ }
+
+ MessageDigest ::= OCTET STRING
+
+ signingTime ATTRIBUTE ::= {
+ WITH SYNTAX SigningTime
+ EQUALITY MATCHING RULE signingTimeMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-signingTime
+ }
+
+ SigningTime ::= Time -- imported from ISO/IEC 9594-8
+
+ randomNonce ATTRIBUTE ::= {
+ WITH SYNTAX RandomNonce
+ EQUALITY MATCHING RULE octetStringMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-randomNonce
+ }
+
+ RandomNonce ::= OCTET STRING (SIZE(4..MAX))
+ -- At least four bytes long
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 28]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ sequenceNumber ATTRIBUTE ::= {
+ WITH SYNTAX SequenceNumber
+ EQUALITY MATCHING RULE integerMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-sequenceNumber
+ }
+
+ SequenceNumber ::= INTEGER (1..MAX)
+
+ counterSignature ATTRIBUTE ::= {
+ WITH SYNTAX SignerInfo
+ ID pkcs-9-at-counterSignature
+ }
+
+ challengePassword ATTRIBUTE ::= {
+ WITH SYNTAX DirectoryString {pkcs-9-ub-challengePassword}
+ EQUALITY MATCHING RULE caseExactMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-challengePassword
+ }
+
+ extensionRequest ATTRIBUTE ::= {
+ WITH SYNTAX ExtensionRequest
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-extensionRequest
+ }
+
+ ExtensionRequest ::= Extensions
+
+ extendedCertificateAttributes ATTRIBUTE ::= {
+ WITH SYNTAX SET OF Attribute
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-extendedCertificateAttributes
+ }
+
+ friendlyName ATTRIBUTE ::= {
+ WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-friendlyName
+ }
+
+ localKeyId ATTRIBUTE ::= {
+ WITH SYNTAX OCTET STRING
+ EQUALITY MATCHING RULE octetStringMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-localKeyId
+ }
+
+
+
+Nystrom & Kaliski Informational [Page 29]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ signingDescription ATTRIBUTE ::= {
+ WITH SYNTAX DirectoryString {pkcs-9-ub-signingDescription}
+ EQUALITY MATCHING RULE caseIgnoreMatch
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-signingDescription
+ }
+
+ smimeCapabilities ATTRIBUTE ::= {
+ WITH SYNTAX SMIMECapabilities
+ SINGLE VALUE TRUE
+ ID pkcs-9-at-smimeCapabilities
+ }
+
+ SMIMECapabilities ::= SEQUENCE OF SMIMECapability
+
+ SMIMECapability ::= SEQUENCE {
+ algorithm ALGORITHM.&id ({SMIMEv3Algorithms}),
+ parameters ALGORITHM.&Type ({SMIMEv3Algorithms}{@algorithm})
+ }
+
+ SMIMEv3Algorithms ALGORITHM ::= {...-- See RFC 2633 --}
+
+ -- Matching rules
+
+ pkcs9CaseIgnoreMatch MATCHING-RULE ::= {
+ SYNTAX PKCS9String {pkcs-9-ub-match}
+ ID pkcs-9-mr-caseIgnoreMatch
+ }
+
+ signingTimeMatch MATCHING-RULE ::= {
+ SYNTAX SigningTime
+ ID pkcs-9-mr-signingTimeMatch
+ }
+
+ END
+
+B. BNF schema summary This appendix provides augmented BNF [2]
+ definitions of the object class and most attribute types specified in
+ this document along with their associated syntaxes and matching
+ rules. The ABNF definitions have been done in accordance with [21],
+ in an attempt to ease integration with LDAP-accessible Directory
+ systems. Lines have been folded in some cases to improve
+ readability.
+
+ B.1 Syntaxes
+
+ This section defines all syntaxes that are used in this document.
+
+
+
+
+Nystrom & Kaliski Informational [Page 30]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ B.1.1 PKCS9String
+
+ (
+ 1.2.840.113549.1.9.26.1
+ DESC 'PKCS9String'
+ )
+
+ The encoding of a value in this syntax is the string value itself.
+
+ B.1.2 SigningTime
+
+ (
+ 1.2.840.113549.1.9.26.2
+ DESC 'SigningTime'
+ )
+
+ Values in this syntax are encoded as printable strings, represented
+ as specified in [5]. Note that the time zone must be specified. For
+ example, "199412161032Z".
+
+ B.2 Object classes
+
+ B.2.1 pkcsEntity
+
+ (
+ 1.2.840.113549.1.9.24.1
+ NAME 'pkcsEntity'
+ SUP top
+ AUXILIARY
+ MAY (
+ pKCS7PDU $ userPKCS12 $ pKCS15Token $ encryptedPrivateKeyInfo
+ )
+ )
+
+ B.2.2 naturalPerson
+
+ (
+ 1.2.840.113549.1.9.24.2
+ NAME 'naturalPerson'
+ SUP top
+ AUXILIARY
+ MAY (
+ emailAddress $ unstructuredName $ unstructuredAddress $
+ dateOfBirth & placeOfBirth & gender & countryOfCitizenship &
+ countryOfResidence & pseudonym & serialNumber
+ )
+ )
+
+
+
+
+Nystrom & Kaliski Informational [Page 31]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ B.3 Attribute types
+
+ B.3.1 pKCS7PDU
+
+ This attribute is to be stored and requested in binary form, as
+ pKCS7PDU;binary. The attribute values are BER- or DER-encoded
+ ContentInfo values.
+
+ (
+ 1.2.840.113549.1.9.25.5
+ NAME 'pKCS7PDU'
+ DESC 'PKCS #7 ContentInfo PDU'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
+ )
+
+ B.3.2 userPKCS12
+
+ This attribute is to be stored and requested in binary form, as
+ userPKCS12;binary. The attribute values are PFX PDUs stored as
+ binary (BER- or DER-encoded) data.
+
+ (
+ 2.16.840.1.113730.3.1.216
+ NAME 'userPKCS12'
+ DESC 'PKCS #12 PFX PDU for exchange of personal information'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
+ )
+
+ B.3.3 pKCS15Token
+
+ This attribute is to be stored and requested in binary form, as
+ pKCS15Token;binary. The attribute values are PKCS15Token PDUs stored
+ as binary (BER- or DER-encoded) data.
+
+ (
+ 1.2.840.113549.1.9.25.1
+ NAME 'pKCS15Token'
+ DESC 'PKCS #15 token PDU'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
+ )
+
+ B.3.4 encryptedPrivateKeyInfo
+
+ This attribute is to be stored and requested in binary form, as
+ encryptedPrivateKeyInfo;binary. The attribute values are
+ EncryptedPrivateKeyInfo PDUs stored as binary (BER- or DER-encoded)
+ data.
+
+
+
+
+Nystrom & Kaliski Informational [Page 32]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ (
+ 1.2.840.113549.1.9.25.2
+ NAME 'encryptedPrivateKeyInfo'
+ DESC 'PKCS #8 encrypted private key info'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
+ )
+
+ B.3.5 emailAddress
+
+ (
+ 1.2.840.113549.1.9.1
+ NAME 'emailAddress'
+ DESC 'Email address'
+ EQUALITY pkcs9CaseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.26
+ )
+
+ B.3.6 unstructuredName
+
+ (
+ 1.2.840.113549.1.9.2
+ NAME 'unstructuredName'
+ DESC 'PKCS #9 unstructured name'
+ EQUALITY pkcs9CaseIgnoreMatch
+ SYNTAX 1.2.840.113549.1.9.26.1
+ )
+
+ B.3.7 unstructuredAddress
+
+ (
+ 1.2.840.113549.1.9.8
+ NAME 'unstructuredAddress'
+ DESC 'PKCS #9 unstructured address'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ )
+
+ B.3.8 dateOfBirth
+
+ (
+ 1.3.6.1.5.5.7.9.1
+ NAME 'dateOfBirth'
+ DESC 'Date of birth'
+ EQUALITY generalizedTimeMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
+ SINGLE-VALUE
+ )
+
+
+
+
+Nystrom & Kaliski Informational [Page 33]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ B.3.9 placeOfBirth
+
+ (
+ 1.3.6.1.5.5.7.9.2
+ NAME 'placeOfBirth'
+ DESC 'Place of birth'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE
+ )
+
+ B.3.10 gender
+
+ (
+ 1.3.6.1.5.5.7.9.3
+ NAME 'gender'
+ DESC 'Gender'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
+ SINGLE-VALUE
+ )
+
+ B.3.11 countryOfCitizenship
+
+ (
+ 1.3.6.1.5.5.7.9.4
+ NAME 'countryOfCitizenship'
+ DESC 'Country of citizenship'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
+ )
+
+ B.3.12 countryOfResidence
+
+ (
+ 1.3.6.1.5.5.7.9.5
+ NAME 'countryOfResidence'
+ DESC 'Country of residence'
+ EQUALITY caseIgnoreMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.44
+ )
+
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 34]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ B.3.13 pseudonym
+
+ (
+ 2.5.4.65
+ NAME 'pseudonym'
+ DESC 'Pseudonym'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ )
+
+ B.3.14 contentType
+
+ In the (highly unlikely) event of this attribute being stored in a
+ Directory it is to be stored and requested in binary form, as
+ contentType;binary. Attribute values shall be OCTET STRINGs stored
+ as binary (BER- or DER-encoded) data.
+
+ (
+ 1.2.840.113549.1.9.3
+ NAME 'contentType'
+ DESC 'PKCS #7 content type attribute'
+ EQUALITY objectIdentifierMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.38
+ SINGLE-VALUE
+ )
+
+ B.3.15 messageDigest
+
+ In the (highly unlikely) event of this attribute being stored in a
+ Directory it is to be stored and requested in binary form, as
+ messageDigest;binary. Attribute values shall be OCTET STRINGs stored
+ as binary (BER- or DER-encoded) data.
+
+ (
+ 1.2.840.113549.1.9.4
+ NAME 'messageDigest'
+ DESC 'PKCS #7 mesage digest attribute'
+ EQUALITY octetStringMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
+ SINGLE-VALUE
+ )
+
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 35]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ B.3.16 signingTime
+
+ (
+ 1.2.840.113549.1.9.5
+ NAME 'signingTime'
+ DESC 'PKCS #7 signing time'
+ EQUALITY signingTimeMatch
+ SYNTAX 1.2.840.113549.1.9.26.2
+ SINGLE-VALUE
+ )
+
+ B.3.17 counterSignature
+
+ In the (highly unlikely) event that this attribute is to be stored in
+ a directory, it is to be stored and requested in binary form, as
+ counterSignature;binary. Attribute values shall be stored as binary
+ (BER- or DER-encoded) data.
+
+ (
+ 1.2.840.113549.1.9.6
+ NAME 'counterSignature'
+ DESC 'PKCS #7 countersignature'
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.5
+ )
+
+ B.3.18 challengePassword
+
+ (
+ 1.2.840.113549.1.9.7
+ NAME 'challengePassword'
+ DESC 'Challenge password for certificate revocations'
+ EQUALITY caseExactMatch
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
+ SINGLE-VALUE
+ )
+
+ Note - It is not recommended to store unprotected values of this
+ attribute in a directory.
+
+ B.4 Matching rules
+
+ B.4.1 pkcs9CaseIgnoreMatch
+
+ (
+ 1.2.840.113549.1.9.27.1
+ NAME 'pkcs9CaseIgnoreMatch'
+ SYNTAX 1.2.840.113549.1.9.26.1
+ )
+
+
+
+Nystrom & Kaliski Informational [Page 36]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ B.4.2 signingTimeMatch
+
+ (
+ 1.2.840.113549.1.9.27.3
+ NAME 'signingTimeMatch'
+ SYNTAX 1.2.840.113549.1.9.26.2
+ )
+
+C. Intellectual property considerations
+
+ RSA Security makes no patent claims on the general constructions
+ described in this document, although specific underlying techniques
+ may be covered.
+
+ License to copy this document is granted provided that it is
+ identified as "RSA Security Inc. Public-Key Cryptography Standards
+ (PKCS)" in all material mentioning or referencing this document.
+
+ RSA Security makes no representations regarding intellectual property
+ claims by other parties. Such determination is the responsibility of
+ the user.
+
+D. Revision history
+
+ Version 1.0
+
+ Version 1.0 was part of the June 3, 1991 initial public release of
+ PKCS. Version 1.0 was also published as NIST/OSI Implementors'
+ Workshop document SEC-SIG-91-24.
+
+ Version 1.1
+
+ Version 1.1 incorporated several editorial changes, including
+ updates to the references and the addition of a revision history.
+ The following substantive changes were made:
+
+ - Section 6: challengePassword, unstructuredAddress, and
+ extendedCertificateAttributes attribute types were added
+ - Section 7: challengePassword, unstructuredAddress, and
+ extendedCertificateAttributes object identifiers were added
+
+
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 37]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ Version 2.0
+
+ Version 2.0 incorporates several editorial changes as well. In
+ addition, the following substantive changes have been made:
+
+ - Addition of a Section defining two new auxiliary object classes,
+ pkcsEntity and naturalPerson
+ - Addition of several new attribute types and matching rules for
+ use in conjunction with these object classes and elsewhere
+ - Update of all ASN.1 to be in line with the 1997 version of this
+ syntax
+ - Addition a "compilable" ASN.1 module
+ - Addition, in accordance with [21], an ABNF description of all
+ attributes and object classes
+ - Addition of an intellectual property considerations section
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 38]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+E. References
+
+ [1] Bradner, S., "Key words for use in RFCs to Indicate Requirement
+ Levels", BCP 14, RFC 2119, March 1997.
+
+ [2] Crocker, D. and P. Overell, "Augmented BNF for Syntax
+ Specifications: ABNF", RFC 2234, November 1997.
+
+ [3] Housley, R., "Cryptographic Message Syntax CMS", RFC 2630, June
+ 1999.
+
+ [4] ISO/IEC 3166-1:Codes for the representation of names of
+ countries and their subdivisions - Part 1: Country codes. 1997.
+
+ [5] ISO/IEC 8824-1:1999: Information technology - Abstract Syntax
+ Notation One (ASN.1) - Specification of basic notation.1999.
+
+ [6] ISO/IEC 8825-1:1999: Information technology - ASN.1 Encoding
+ Rules: Specification of Basic Encoding Rules (BER), Canonical
+ Encoding Rules (CER) and Distinguished Encoding Rules (DER).
+ 1999.
+
+ [7] ISO/IEC 9594-2:1997: Information technology - Open Systems
+ Interconnection - The Directory: Models. 1997.
+
+ [8] ISO/IEC 9594-6:1997: Information technology - Open Systems
+ Interconnection - The Directory: Selected attribute types. 1997.
+
+ [9] ISO/IEC 9594-7:1997: Information technology - Open Systems
+ Interconnection - The Directory: Selected object classes. 1997.
+
+ [10] ISO/IEC 9594-8:1997: Information technology - Open Systems
+ Interconnection - The Directory: Authentication framework. 1997.
+
+ [11] ISO/IEC 10646-1: Information Technology - Universal Multiple-
+ Octet Coded Character Set (UCS) - Part 1: Architecture and Basic
+ Multilingual Plane. 1993.
+
+ [12] Ramsdell, R., "S/MIME Version 3 Message Specification", RFC
+ 2633, June 1999.
+
+ [13] RSA Laboratories. PKCS #6: Extended-Certificate Syntax Standard.
+ Version 1.5, November 1993.
+
+ [14] RSA Laboratories. PKCS #7: Cryptographic Message Syntax
+ Standard. Version 1.5, November 1993.
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 39]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+ [15] RSA Laboratories. PKCS #8: Private-Key Information Syntax
+ Standard. Version 1.2, November 1993.
+
+ [16] RSA Laboratories. PKCS #10: Certification Request Syntax
+ Standard. Version 1.0, November 1993.
+
+ [17] RSA Laboratories. PKCS #12: Personal Information Exchange Syntax
+ Standard. Version 1.0, June 1999.
+
+ [18] RSA Laboratories. PKCS #15: Cryptographic Token Information
+ Format Standard. Version 1.1, June 2000.
+
+ [19] Santesson, S., Polk, W., Barzin, P. and M. Nystrom, "Internet
+ X.509 Public Key Infrastructure - Qualified Certificates
+ Profile", Work in Progress.
+
+ [20] Smith, M. "Definition of the inetOrgPerson LDAP Object Class",
+ RFC 2798, April 2000.
+
+ [21] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight
+ Directory Access Protocol (v3): Attribute Syntax Definitions",
+ RFC 2252, December 1997.
+
+ [22] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access
+ Protocol (v3)", RFC 2251, December 1997.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 40]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+F. Contact information & About PKCS
+
+ The Public-Key Cryptography Standards are specifications produced by
+ RSA Laboratories in cooperation with secure systems developers
+ worldwide for the purpose of accelerating the deployment of public-
+ key cryptography. First published in 1991 as a result of meetings
+ with a small group of early adopters of public-key technology, the
+ PKCS documents have become widely referenced and implemented.
+ Contributions from the PKCS series have become part of many formal
+ and de facto standards, including ANSI X9 documents, PKIX, SET,
+ S/MIME, and SSL.
+
+ Further development of PKCS occurs through mailing list discussions
+ and occasional workshops, and suggestions for improvement are
+ welcome. For more information, contact:
+
+ PKCS Editor
+ RSA Laboratories
+ 20 Crosby Drive
+ Bedford, MA 01730 USA
+ pkcs-editor@rsasecurity.com
+ http://www.rsasecurity.com/rsalabs/PKCS
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 41]
+
+RFC 2985 Selected Object Classes and Attribute Types November 2000
+
+
+Full Copyright Statement
+
+ Copyright (C) The Internet Society (2000). All Rights Reserved.
+
+ This document and translations of it may be copied and furnished to
+ others provided that the above copyright notice and this paragraph
+ are included on all such copies. However, this document itself may
+ not be modified in any way, such as by removing the copyright notice
+ or references to the Internet Society or other Internet
+ organizations, except as required to translate it into languages
+ other than English.
+
+ The limited permissions granted above are perpetual and will not be
+ revoked by the Internet Society or its successors or assigns.
+
+ This document and the information contained herein is provided on an
+ "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
+ TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
+ BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
+ HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
+ MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+
+Acknowledgement
+
+ Funding for the RFC Editor function is currently provided by the
+ Internet Society.
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+Nystrom & Kaliski Informational [Page 42]
+