-- from pkisv10.pdf -- you can find this document at https://web.archive.org/web/19990224174228/http://www.developer.novell.com/repository/attributes/certattrs_v10.htm PKIS { joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719) } DEFINITIONS IMPLICIT TAGS ::= BEGIN -- ASN.1 Definition of Useful Attributes -- The following are useful Novell OIDs, etc. novell OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) country(16) us(840) organization(1) novell (113719)} applications OBJECT IDENTIFIER ::= {novell applications(1) } pki OBJECT IDENTIFIER ::= {applications pki(9) } pkiAttributeType OBJECT IDENTIFIER ::= {pki at(4) } pkiAttributeSyntax OBJECT IDENTIFIER ::= {pki at(5) } pkiObjectClass OBJECT IDENTIFIER ::= {pki at(6) } -- The following unique PKI attributes are hereby defined under the novell applications pki arc: pa-sa OBJECT IDENTIFIER ::= { pkiAttributeType (1) } -- securityAttributes -- 2.16.840.113719.1.9.4.1 pa-rl OBJECT IDENTIFIER ::= { pkiAttributeType (2) } -- relianceLimit -- 2.16.840.113719.1.9.4.2 SecurityAttributes ::= SEQUENCE { versionNumber OCTET STRING (SIZE (2)), -- The initial value should be (01 00) -- The first octet is the major version, -- the second octet is the minor version number. nSI BOOLEAN (TRUE), -- NSI = “Nonverified Subscriber Information” -- If FALSE, it means that the CA issuing -- a certificate HAS verified the validity -- of ALL of the values contained -- within the Novell Security Attributes -- using appropriate means as defined -- for example in their Certificate Policy -- and/or Certificate Practice Statement -- If TRUE, it means that the subscriber -- requesting the certificate has represented -- to the CA that the extension defined -- is valid and correct, but that the CA -- has not independently validated the accuracy -- of the attribute. Note that in no case may -- the CA issue a certificate containing an -- extension which it has reason to -- believe is not accurate at the time of -- issuance, except for test certificates -- which are identified as such in the -- Certificate class attribute (by setting -- the certificateValid flag to FALSE.) securityTM PrintableString ("Novell Security Attribute(tm)"), -- Note: Since the “Novell Security -- Attribute(tm)” string is trademarked, if -- it is displayed visually to the user it -- must be presented exactly as shown, -- in English, even in non-English -- implementations. A translation of the -- phrase may be displayed to the user -- in addition, if desired. -- Vendors who license the use of the term -- must agree to check for the presence of -- this string in any attribute defined (by its -- OID) as a Novell Security attribute uriReference IA5String, -- The initial value should be set to (“http://developer.novell.com/repository/attributes/certattrs_v10.htm”), -- This attribute will be included in all -- NICI and PKIS certificates. -- Novell will maintain a copy of this -- document or other suitable definition -- at that location. gLBExtensions GLBExtensions } GLBExtensions::=SEQUENCE{ -- These are the extensions over which the -- Greatest Lower Bound is computed within NICI. keyQuality [0] IMPLICIT KeyQuality, cryptoProcessQuality [1] IMPLICIT CryptoProcessQuality, certificateClass [2] IMPLICIT CertificateClass, enterpriseId [3] IMPLICIT EnterpriseId } -- ASN.1 Definitions of Key Quality and Crypto Process Quality Attributes: KeyQuality ::= Quality CryptoProcessQuality ::= Quality Quality ::= SEQUENCE { enforceQuality BOOLEAN, -- If TRUE, the explicit attributes compusecQuality, -- cryptoQuality, and keyStorageQuality, plus the -- implicit attributes algorithmType and keyLength -- are either enforced at all times, or a dynamic low -- water mark (Greatest Lower Bound)may be maintained. -- I.e., if enforceQuality is TRUE for the -- keyQuality attribute, the key must never be -- allowed to be transported to and/or used on any -- platform that does not meet the minimum -- criteria, and hence enforceQuality must be TRUE for -- the cryptoProcessQuality as well -- If enforceQuality is FALSE for keyQuality, but -- TRUE for cryptoProcessQuality, then the -- operating system has not enforced the criteria -- in any technical sense, but the subscriber -- is nonetheless representing that the minimum -- criteria will be maintained, -- e.g., by manual or procedural controls. -- For PKIS and NICI versions 1.0, enforceQuality -- must be set to FALSE in the keyQuality attribute. compusecQuality CompusecQuality, cryptoQuality CryptoQuality, keyStorageQuality INTEGER (0..255) -- See definitions in Appendix C } CompusecQuality ::= SEQUENCE SIZE (1..1) OF CompusecQualityPair -- Multiple pairs of {Criteria, Rating} are allowed -- In the first release, only one pair(TCSEC criteria)is provided CompusecQualityPair ::= SEQUENCE { compusecCriteria INTEGER(0..255), -- The default should be 1, but DEFAULT implies OPTIONAL, which -- is not the intent. So the value has to be coded explicitly. -- 0= Reserved (encoding error) -- 1= Trusted Computer Security Evaluation Criteria (TCSEC) -- 2= International Trusted Security Evaluation Criteria (ITSEC) -- 3= Common Criteria -- all others reserved compusecRating INTEGER (0..255) -- the compusecRating is in accordance with the specified -- compusecCriteria for each pair in the sequence -- Defined values for ratings for components and systems formally -- evaluated in accordance with the Trusted Computer Security -- Evaluation Criteria and the Trusted Network Interpretation -- (Red Book) are provided in Appendix A. } CryptoQuality ::= SEQUENCE SIZE (1..1) OF CryptoQualityPair -- Multiple pairs of {Criteria, Rating} are allowed. -- In the initial release, only one pair is provided. CryptoQualityPair ::= SEQUENCE { cryptoModuleCriteria INTEGER(0..255), -- The default should be 1, but DEFAULT implies OPTIONAL, which -- is not the intent. So the value has to be coded explicitly. -- 1 = FIPS 140-1 -- all others reserved cryptoModuleRating INTEGER (0..255) -- the cryptoModuleRating value is in accordance with -- the specified cryptoModuleCriteria for each pair -- FIPS 140-1 ratings definitions: -- 0 = Reserved (encoding error) -- 1 = unevaluated/unknown, -- all others—see Appendix B } -- ASN.1 Definition of Certificate Class Attribute: CertificateClass ::= SEQUENCE { classValue INTEGER (0..255), -- Defined class values are contained in Appendix C certificateValid BOOLEAN -- The default should be true, but DEFAULT is OPTIONAL -- which would make the GLB computation awkward. -- See Section 5 and the footnote for a discussion. } -- ASN.1 Definition of Enterprise Identifier Attribute: EnterpriseId ::= SEQUENCE { rootLabel [0] IMPLICIT SecurityLabelType1, registryLabel [1] IMPLICIT SecurityLabelType1, enterpriseLabel [2] IMPLICIT SEQUENCE SIZE (1..1) OF SecurityLabelType1 } SecurityLabelType1 ::= SEQUENCE { labelType1 INTEGER (0..255), -- The default should be 2, but DEFAULT implies OPTIONAL, which -- is not the intent. So the value has to be coded explicitly. -- Note that the label type for Version 1 -- of Graded Authentication is 0 or 1. -- Byte sizes and reserved fields are omitted, -- because they are derivable from the ASN.1. secrecyLevel1 INTEGER (0..255), -- The default should be 0, but DEFAULT implies OPTIONAL, which -- is not the intent. So the value has to be coded explicitly. -- 0 = low secrecy, 255 = high secrecy -- It seems highly unlikely anyone would ever -- need more than 255 secrecy levels integrityLevel1 INTEGER (0..255), -- The default should be 0, but DEFAULT implies OPTIONAL, which -- is not the intent. So the value has to be coded explicitly. -- NOTE! 255 = low integrity, 0 = high integrity! -- It seems highly unlikely anyone would ever -- need more than 255 integrity levels secrecyCategories1 BIT STRING (SIZE(96)), -- The default should be FALSE, but DEFAULT implies OPTIONAL, -- which is not the intent. So the value has to be coded -- explicitly. -- 96 secrecy categories, 0 origin indexing integrityCategories1 BIT STRING (SIZE(64)), -- The default should be FALSE, but DEFAULT implies OPTIONAL, -- which is not the intent. So the value has to be coded -- explicitly. -- 64 integrity categories, 0 origin indexing secrecySingletons1 Singletons, integritySingletons1 Singletons } -- (removed the unused definition of SecurityLabelType2) Singletons ::= SEQUENCE SIZE (1..16) OF SingletonChoice -- Presently up to 16 singletons or singleton ranges -- can be defined within one security label. This -- is completely arbitrary and can be easily changed, -- but it seems reasonable. Note that no more space -- is taken in the ASN.1 DER encoding than is actually -- required. SingletonChoice ::= CHOICE { uniqueSingleton INTEGER (0..9223372036854775807), -- The implied value of the singleton being -- specified in this case is TRUE. -- Note that there isn’t any way to set a -- singleton value to FALSE, except by using the -- SingletonRange functions with identical lower -- and upper bounds. singletonRange SingletonRange } SingletonRange ::= SEQUENCE { singletonLowerBound INTEGER (0..9223372036854775807), -- The default should be 0, but DEFAULT implies OPTIONAL, -- which is not the intent. So the value has to be coded -- explicitly. -- Lower bound of a range of singletons -- to be set to the singletonValue specified singletonUpperBound INTEGER (0..9223372036854775807), -- The default should be 9223372036854775807, -- but DEFAULT implies OPTIONAL, -- which is not the intent. So the value has to be coded -- explicitly. -- Upper bound of a range of singletons -- to be set to the singletonValue specified singletonValue BOOLEAN -- An entire range of singletons can be set to -- either TRUE or FALSE. -- Note that singletonRanges are allowed to overlap, -- and in particular that a uniqueSingleton can -- reset a singleton value already set by a -- singletonRange, and vice versa. -- The uniqueSingleton and singletonRanges are applied -- consecutively, from the lower bound of SEQUENCE (1) -- to the upper bound. } -- ASN.1 Definition of Reliance Limit Attribute: -- relianceLimits EXTENSION ::= { SYNTAX RelianceLimits IDENTIFIED BY {pa-rl) } -- 2.16.840.113719.1.9.4.2 RelianceLimits ::= SEQUENCE { perTransactionLimit MonetaryValue, perCertificateLimit MonetaryValue } MonetaryValue ::= SEQUENCE { -- from SET and draft ANSI X9.45 currency Currency, amount INTEGER, -- value is amount * (10 ** amtExp10), an exact representation amtExp10 INTEGER } Currency ::= INTEGER (1..999) -- currency denomination from ISO 4217 -- cf. Appendix E for the numeric currency codes and their -- alphabetic (display) equivalents. -- US Dollar (USD) is 840. -- Euro (EUR) is 978. END