Ieee1609Dot2.md

 determine the whole-certificate hash algorithm is specified in 5.3.9.2.
>>>
```asn1
CertificateBase ::= SEQUENCE {
  version    Uint8(3),
  type       CertificateType,
  issuer     IssuerIdentifier,
  toBeSigned ToBeSignedCertificate,
  signature  Signature OPTIONAL
}
```


### <a name="CertificateType"></a>CertificateType
This enumerated type indicates whether a certificate is explicit or
 implicit.

>>>
NOTE:&emsp;Critical information fields: If present, this is a critical
 information field as defined in 5.2.5. An implementation that does not
 recognize the indicated CHOICE for this type when verifying a signed SPDU
 shall indicate that the signed SPDU is invalid in the sense of 4.2.2.3.2, 
 that is, it is invalid in the sense that its validity cannot be 
 established.
>>>
```asn1
CertificateType ::= ENUMERATED {
  explicit,
  implicit,
  ...
}
```


### <a name="ImplicitCertificate"></a>ImplicitCertificate
This is a profile of the CertificateBase structure providing all
 the fields necessary for an implicit certificate, and no others.
```asn1
ImplicitCertificate ::= CertificateBase (WITH COMPONENTS {...,
  type(implicit),
  toBeSigned(WITH COMPONENTS {...,
    verifyKeyIndicator(WITH COMPONENTS {reconstructionValue})
  }),
  signature ABSENT
})
```


### <a name="ExplicitCertificate"></a>ExplicitCertificate
This is a profile of the CertificateBase structure providing all
 the fields necessary for an explicit certificate, and no others.
```asn1
ExplicitCertificate ::= CertificateBase (WITH COMPONENTS {...,
  type(explicit),
  toBeSigned (WITH COMPONENTS {...,
    verifyKeyIndicator(WITH COMPONENTS {verificationKey})
  }),
  signature PRESENT
})
```

### <a name="IssuerIdentifier"></a>IssuerIdentifier
This structure allows the recipient of a certificate to determine
 which keying material to use to authenticate the certificate.


 If the choice indicated is sha256AndDigest, sha384AndDigest, or 
 sm3AndDigest:
   - The structure contains the HashedId8 of the issuing certificate. The 
 HashedId8 is calculated with the whole-certificate hash algorithm, 
 determined as described in 6.4.3, applied to the COER-encoded certificate, 
 canonicalized as defined in the definition of Certificate. 
   - The hash algorithm to be used to generate the hash of the certificate 
 for verification is SHA-256 (in the case of sha256AndDigest), SM3 (in the 
 case of sm3AndDigest) or SHA-384 (in the case of sha384AndDigest).
   - The certificate is to be verified with the public key of the
 indicated issuing certificate.

 If the choice indicated is self:
   - The structure indicates what hash algorithm is to be used to generate
 the hash of the certificate for verification.
   - The certificate is to be verified with the public key indicated by
 the verifyKeyIndicator field in theToBeSignedCertificate.

Fields:
* sha256AndDigest of type [**HashedId8**](Ieee1609Dot2BaseTypes.md#HashedId8) <br>
* self of type [**HashAlgorithm**](Ieee1609Dot2BaseTypes.md#HashAlgorithm) <br>
   
* sha384AndDigest of type [**HashedId8**](Ieee1609Dot2BaseTypes.md#HashedId8) <br>
   
     ...,
* sm3AndDigest of type [**HashedId8**](Ieee1609Dot2BaseTypes.md#HashedId8) <br>
   

>>>
NOTE:&emsp;Critical information fields: If present, this is a critical
 information field as defined in 5.2.5. An implementation that does not
 recognize the indicated CHOICE for this type when verifying a signed SPDU
 shall indicate that the signed SPDU is invalid in the sense of 4.2.2.3.2, 
 that is, it is invalid in the sense that its validity cannot be 
 established.
>>>
```asn1
IssuerIdentifier ::= CHOICE { 
  sha256AndDigest HashedId8,
  self            HashAlgorithm,
  ...,
  sha384AndDigest HashedId8,
  sm3AndDigest    HashedId8
}
```

### <a name="ToBeSignedCertificate"></a>ToBeSignedCertificate
The fields in the ToBeSignedCertificate structure have the
 following meaning:


 For both implicit and explicit certificates, when the certificate
 is hashed to create or recover the public key (in the case of an implicit
 certificate) or to generate or verify the signature (in the case of an
 explicit certificate), the hash is Hash (Data input) || Hash (
 Signer identifier input), where:
   - Data input is the COER encoding of toBeSigned, canonicalized
 as described above.
   - Signer identifier input depends on the verification type,
 which in turn depends on the choice indicated by issuer. If the choice
 indicated by issuer is self, the verification type is self-signed and the
 signer identifier input is the empty string. If the choice indicated by
 issuer is not self, the verification type is certificate and the signer
 identifier input is the COER encoding of the canonicalization per 6.4.3 of
 the certificate indicated by issuer.

 In other words, for implicit certificates, the value H (CertU) in SEC 4,
 section 3, is for purposes of this standard taken to be H [H
 (canonicalized ToBeSignedCertificate from the subordinate certificate) ||
 H (entirety of issuer Certificate)]. See 5.3.2 for further discussion,
 including material differences between this standard and SEC 4 regarding
 how the hash function output is converted from a bit string to an integer.

Fields:
* id of type [**CertificateId**](#CertificateId) <br>
  contains information that is used to identify the certificate
   holder if necessary.


* cracaId of type [**HashedId3**](Ieee1609Dot2BaseTypes.md#HashedId3) <br>
  identifies the Certificate Revocation Authorization CA
   (CRACA) responsible for certificate revocation lists (CRLs) on which this
   certificate might appear. Use of the cracaId is specified in 5.1.3. The
   HashedId3 is calculated with the whole-certificate hash algorithm,
   determined as described in 6.4.3, applied to the COER-encoded certificate, 
   canonicalized as defined in the definition of Certificate.


   
* crlSeries of type [**CrlSeries**](Ieee1609Dot2BaseTypes.md#CrlSeries) <br>
  represents the CRL series relevant to a particular
   Certificate Revocation Authorization CA (CRACA) on which the certificate
   might appear. Use of this field is specified in 5.1.3.


   
* validityPeriod of type [**ValidityPeriod**](Ieee1609Dot2BaseTypes.md#ValidityPeriod) <br>
  contains the validity period of the certificate.


   
* region of type [**GeographicRegion**](Ieee1609Dot2BaseTypes.md#GeographicRegion)  OPTIONAL<br>
  if present, indicates the validity region of the
   certificate. If it is omitted the validity region is indicated as follows:
     - If enclosing certificate is self-signed, i.e., the choice indicated
   by the issuer field in the enclosing certificate structure is self, the
   certificate is valid worldwide.
     - Otherwise, the certificate has the same validity region as the
   certificate that issued it.


   
* assuranceLevel of type [**SubjectAssurance**](Ieee1609Dot2BaseTypes.md#SubjectAssurance)  OPTIONAL<br>
  indicates the assurance level of the certificate
   holder.


   
* appPermissions of type [**SequenceOfPsidSsp**](Ieee1609Dot2BaseTypes.md#SequenceOfPsidSsp)  OPTIONAL<br>
  indicates the permissions that the certificate
   holder has to sign application data with this certificate. A valid
   instance of appPermissions contains any particular Psid value in at most
   one entry.


   
* certIssuePermissions of type [**SequenceOfPsidGroupPermissions**](#SequenceOfPsidGroupPermissions)  OPTIONAL<br>
  indicates the permissions that the certificate
   holder has to sign certificates with this certificate. A valid instance of
   this array contains no more than one entry whose psidSspRange field
   indicates all. If the array has multiple entries and one entry has its
   psidSspRange field indicate all, then the entry indicating all specifies
   the permissions for all PSIDs other than the ones explicitly specified in
   the other entries. See the description of PsidGroupPermissions for further
   discussion.


   
* certRequestPermissions of type [**SequenceOfPsidGroupPermissions**](#SequenceOfPsidGroupPermissions)  OPTIONAL<br>
  indicates the permissions that the 
   certificate holder can request in its certificate. A valid instance of this
   array contains no more than one entry whose psidSspRange field indicates 
   all. If the array has multiple entries and one entry has its psidSspRange 
   field indicate all, then the entry indicating all specifies the permissions 
   for all PSIDs other than the ones explicitly specified in the other entries.
   See the description of PsidGroupPermissions for further discussion.


   
* canRequestRollover of type **NULL**  OPTIONAL<br>
  indicates that the certificate may be used to
   sign a request for another certificate with the same permissions. This
   field is provided for future use and its use is not defined in this
   version of this standard.


    
* encryptionKey of type [**PublicEncryptionKey**](Ieee1609Dot2BaseTypes.md#PublicEncryptionKey)  OPTIONAL<br>
  contains a public key for encryption for which the
   certificate holder holds the corresponding private key.


   
* verifyKeyIndicator of type [**VerificationKeyIndicator**](#VerificationKeyIndicator) <br>
  contains material that may be used to recover
   the public key that may be used to verify data signed by this certificate.


   
* flags of type **BIT STRING**  {usesCubk (0)} (SIZE (8)) OPTIONAL<br>
  indicates additional yes/no properties of the certificate 
   holder. The only bit with defined semantics in this string in this version 
   of this standard is usesCubk. If set, the usesCubk bit indicates that the 
   certificate holder supports the compact unified butterfly key response. 
   Further material about the compact unified butterfly key response can be 
   found in IEEE Std 1609.2.1.


   
     ...,
* appExtensions of type [**SequenceOfAppExtensions**](#SequenceOfAppExtensions) <br>
  indicates additional permissions that may be applied
   to application activities that the certificate holder is carrying out. 


   
* certIssueExtensions of type [**SequenceOfCertIssueExtensions**](#SequenceOfCertIssueExtensions) <br>
  indicates additional permissions to issue 
   certificates containing endEntityExtensions. 


   
* certRequestExtension of type [**SequenceOfCertRequestExtensions**](#SequenceOfCertRequestExtensions) <br>
   
If the PublicEncryptionKey contains a BasePublicEncryptionKey that is an 
 elliptic curve point (i.e., of type EccP256CurvePoint or EccP384CurvePoint),
 then the elliptic curve point is encoded in compressed form, i.e., such 
 that the choice indicated within the Ecc*CurvePoint is compressed-y-0 or 
 compressed-y-1.

>>>
NOTE:&emsp;Critical information fields:
   - If present, appPermissions is a critical information field as defined 
 in 5.2.6. If an implementation of verification does not support the number 
 of PsidSsp in the appPermissions field of a certificate that signed a 
 signed SPDU, that implementation shall indicate that the signed SPDU is 
 invalid in the sense of 4.2.2.3.2, that is, it is invalid in the sense 
 that its validity cannot be established.. A conformant implementation 
 shall support appPermissions fields containing at least eight entries. 
 It may be the case that an implementation of verification does not support 
 the number of entries in  the appPermissions field and the appPermissions 
 field is not relevant to the verification: this will occur, for example, 
 if the certificate in question is a CA certificate and so the 
 certIssuePermissions field is relevant to the verification and the 
 appPermissions field is not. In this case, whether the implementation 
 indicates that the signed SPDU is valid (because it could validate all 
 relevant fields) or invalid (because it could not parse the entire 
 certificate) is implementation-specific.
   - If present, certIssuePermissions is a critical information field as 
 defined in 5.2.6. If an implementation of verification does not support 
 the number of PsidGroupPermissions in the certIssuePermissions field of a 
 CA certificate in the chain of a signed SPDU, the implementation shall 
 indicate that the signed SPDU is invalid in the sense of 4.2.2.3.2, that 
 is, it is invalid in the sense that its validity cannot be established. 
 A conformant implementation shall support certIssuePermissions fields 
 containing at least eight entries.
 It may be the case that an implementation of verification does not support
 the number of entries in  the certIssuePermissions field and the 
 certIssuePermissions field is not relevant to the verification: this will 
 occur, for example, if the certificate in question is the signing 
 certificate for the SPDU and so the appPermissions field is relevant to 
 the verification and the certIssuePermissions field is not. In this case, 
 whether the implementation indicates that the signed SPDU is valid 
 (because it could validate all relevant fields) or invalid (because it 
 could not parse the entire certificate) is implementation-specific.
   - If present, certRequestPermissions is a critical information field as 
 defined in 5.2.6. If an implementaiton of verification of a certificate 
 request does not support the number of PsidGroupPermissions in 
 certRequestPermissions, the implementation shall indicate that the signed 
 SPDU is invalid in the sense of 4.2.2.3.2, that is, it is invalid in the 
 sense that its validity cannot be established. A conformant implementation 
 shall support certRequestPermissions fields containing at least eight 
 entries.
 It may be the case that an implementation of verification does not support 
 the number of entries in  the certRequestPermissions field and the 
 certRequestPermissions field is not relevant to the verification: this will 
 occur, for example, if the certificate in question is the signing 
 certificate for the SPDU and so the appPermissions field is relevant to 
 the verification and the certRequestPermissions field is not. In this 
 case, whether the implementation indicates that the signed SPDU is valid 
 (because it could validate all relevant fields) or invalid (because it 
 could not parse the entire certificate) is implementation-specific.
>>>
```asn1
ToBeSignedCertificate ::= SEQUENCE { 
  id                     CertificateId,
  cracaId                HashedId3,
  crlSeries              CrlSeries,
  validityPeriod         ValidityPeriod,
  region                 GeographicRegion OPTIONAL,
  assuranceLevel         SubjectAssurance OPTIONAL,
  appPermissions         SequenceOfPsidSsp OPTIONAL,
  certIssuePermissions   SequenceOfPsidGroupPermissions OPTIONAL,
  certRequestPermissions SequenceOfPsidGroupPermissions OPTIONAL, 
  canRequestRollover     NULL OPTIONAL,
  encryptionKey          PublicEncryptionKey OPTIONAL,
  verifyKeyIndicator     VerificationKeyIndicator,
  ...,
  flags                  BIT STRING {usesCubk (0)} (SIZE (8)) OPTIONAL,
  appExtensions          SequenceOfAppExtensions,
  certIssueExtensions    SequenceOfCertIssueExtensions,
  certRequestExtension   SequenceOfCertRequestExtensions
}
(WITH COMPONENTS { ..., appPermissions PRESENT} |
 WITH COMPONENTS { ..., certIssuePermissions PRESENT} |
 WITH COMPONENTS { ..., certRequestPermissions PRESENT})
```

### <a name="CertificateId"></a>CertificateId
This structure contains information that is used to identify the
 certificate holder if necessary.

Fields:
* linkageData of type [**LinkageData**](#LinkageData) <br>
  is used to identify the certificate for revocation
   purposes in the case of certificates that appear on linked certificate
   CRLs. See 5.1.3 and 7.3 for further discussion.


* name of type [**Hostname**](Ieee1609Dot2BaseTypes.md#Hostname) <br>
  is used to identify the certificate holder in the case of
   non-anonymous certificates. The contents of this field are a matter of
   policy and are expected to be human-readable.


   
* binaryId of type **OCTET STRING** (SIZE(1..64))<br>
  supports identifiers that are not human-readable.


   
* none of type **NULL** <br>
  indicates that the certificate does not include an identifier.


   

>>>
NOTE:&emsp;Critical information fields:
   - If present, this is a critical information field as defined in 5.2.6.
 An implementation that does not recognize the choice indicated in this
 field shall reject a signed SPDU as invalid.
>>>
```asn1
CertificateId ::= CHOICE {
  linkageData LinkageData,
  name        Hostname,
  binaryId    OCTET STRING(SIZE(1..64)),
  none        NULL,
  ...
}
```

### <a name="LinkageData"></a>LinkageData
This structure contains information that is matched against
 information obtained from a linkage ID-based CRL to determine whether the
 containing certificate has been revoked. See 5.1.3.4 and 7.3 for details
 of use.

Fields:
* iCert of type [**IValue**](Ieee1609Dot2BaseTypes.md#IValue) <br>
* linkage-value of type [**LinkageValue**](Ieee1609Dot2BaseTypes.md#LinkageValue) <br>
   
* group-linkage-value of type [**GroupLinkageValue**](Ieee1609Dot2BaseTypes.md#GroupLinkageValue)  OPTIONAL<br>
    
```asn1
LinkageData ::= SEQUENCE {
  iCert               IValue,
  linkage-value       LinkageValue, 
  group-linkage-value GroupLinkageValue OPTIONAL
}
```

### <a name="PsidGroupPermissions"></a>PsidGroupPermissions
This type indicates which type of permissions may appear in
 end-entity certificates the chain of whose permissions passes through the
 PsidGroupPermissions field containing this value. If app is indicated, the
 end-entity certificate may contain an appPermissions field. If enroll is
 indicated, the end-entity certificate may contain a certRequestPermissions
 field.

This structure states the permissions that a certificate holder has
 with respect to issuing and requesting certificates for a particular set
 of PSIDs. For examples, see D.5.3 and D.5.4.

Fields:
* subjectPermissions of type [**SubjectPermissions**](#SubjectPermissions) <br>
  indicates PSIDs and SSP Ranges covered by this
   field.


* minChainLength of type **INTEGER**  DEFAULT 1<br>
  and chainLengthRange indicate how long the
   certificate chain from this certificate to the end-entity certificate is
   permitted to be. As specified in 5.1.2.1, the length of the certificate
   chain is the number of certificates "below" this certificate in the chain,
   down to and including the end-entity certificate. The length is permitted
   to be (a) greater than or equal to minChainLength certificates and (b)
   less than or equal to minChainLength + chainLengthRange certificates. A
   value of 0 for minChainLength is not permitted when this type appears in
   the certIssuePermissions field of a ToBeSignedCertificate; a certificate
   that has a value of 0 for this field is invalid. The value -1 for
   chainLengthRange is a special case: if the value of chainLengthRange is -1
   it indicates that the certificate chain may be any length equal to or
   greater than minChainLength. See the examples below for further discussion.


   
* chainLengthRange of type **INTEGER**  DEFAULT 0<br>
    
* eeType of type [**EndEntityType**](#EndEntityType)  DEFAULT {app}<br>
  takes one or more of the values app and enroll and indicates
   the type of certificates or requests that this instance of
   PsidGroupPermissions in the certificate is entitled to authorize. 
   Different instances of PsidGroupPermissions within a ToBeSignedCertificate
   may have different values for eeType.
     - If this field indicates app, the chain is allowed to end in an 
   authorization certificate, i.e., a certficate in which these permissions 
   appear in an appPermissions field (in other words, if the field does not 
   indicate app and the chain ends in an authorization certificate, the 
   chain shall be considered invalid).
     - If this field indicates enroll, the chain is allowed to end in an 
   enrollment certificate, i.e., a certificate in which these permissions 
   appear in a certReqPermissions permissions field (in other words, if the 
   field does not indicate enroll and the chain ends in an enrollment 
   certificate, the chain shall be considered invalid).
   


    
```asn1
PsidGroupPermissions ::= SEQUENCE {
  subjectPermissions SubjectPermissions,
  minChainLength     INTEGER DEFAULT 1, 
  chainLengthRange   INTEGER DEFAULT 0, 
  eeType             EndEntityType DEFAULT {app}
}
```


### <a name="SequenceOfPsidGroupPermissions"></a>SequenceOfPsidGroupPermissions
This type is used for clarity of definitions.
```asn1
SequenceOfPsidGroupPermissions ::= SEQUENCE OF PsidGroupPermissions
```

### <a name="SubjectPermissions"></a>SubjectPermissions
This indicates the PSIDs and associated SSPs for which certificate
 issuance or request permissions are granted by a PsidGroupPermissions
 structure. If this takes the value explicit, the enclosing
 PsidGroupPermissions structure grants certificate issuance or request
 permissions for the indicated PSIDs and SSP Ranges. If this takes the
 value all, the enclosing PsidGroupPermissions structure grants certificate
 issuance or request permissions for all PSIDs not indicated by other
 PsidGroupPermissions in the same certIssuePermissions or
 certRequestPermissions field.

Fields:
* explicit of type [**SequenceOfPsidSspRange**](Ieee1609Dot2BaseTypes.md#SequenceOfPsidSspRange) <br>
* all of type **NULL** <br>
   

>>>
NOTE:&emsp;Critical information fields:
   - If present, this is a critical information field as defined in 5.2.6.
 An implementation that does not recognize the indicated CHOICE when
 verifying a signed SPDU shall indicate that the signed SPDU is
 invalidin the sense of 4.2.2.3.2, that is, it is invalid in the sense that
 its validity cannot be established.
   - If present, explicit is a critical information field as defined in
 5.2.6. An implementation that does not support the number of PsidSspRange
 in explicit when verifying a signed SPDU shall indicate that the signed
 SPDU is invalid in the sense of 4.2.2.3.2, that is, it is invalid in the 
 sense that its validity cannot be established. A conformant implementation
 shall support explicit fields containing at least eight entries.
>>>
```asn1
SubjectPermissions ::= CHOICE {
  explicit SequenceOfPsidSspRange,
  all      NULL,
  ...
}
```

### <a name="VerificationKeyIndicator"></a>VerificationKeyIndicator
The contents of this field depend on whether the certificate is an
 implicit or an explicit certificate.

Fields:
* verificationKey of type [**PublicVerificationKey**](Ieee1609Dot2BaseTypes.md#PublicVerificationKey) <br>
  is included in explicit certificates. It contains
   the public key to be used to verify signatures generated by the holder of
   the Certificate.


* reconstructionValue of type [**EccP256CurvePoint**](Ieee1609Dot2BaseTypes.md#EccP256CurvePoint) <br>
  is included in implicit certificates. It
   contains the reconstruction value, which is used to recover the public key
   as specified in SEC 4 and 5.3.2.


   

>>>
NOTE:&emsp;Canonicalization: This data structure is subject to canonicalization 
 for the relevant operations specified in 6.1.2. The canonicalization 
 applies to the PublicVerificationKey and to the EccP256CurvePoint. The 
 EccP256CurvePoint is encoded in compressed form, i.e., such that the 
 choice indicated within the EccP256CurvePoint is compressed-y-0 or 
 compressed-y-1.
>>>
```asn1
VerificationKeyIndicator ::= CHOICE {
  verificationKey     PublicVerificationKey,
  reconstructionValue EccP256CurvePoint,
  ...
}
```


### <a name="Ieee1609HeaderInfoExtensionId"></a>Ieee1609HeaderInfoExtensionId
This structure uses the parameterized type Extension to define an 
 Ieee1609ContributedHeaderInfoExtension as an open Extension Content field 
 identified by an extension identifier. The extension identifier value is 
 unique to extensions defined by ETSI and need not be unique among all 
 extension identifier values defined by all contributing organizations.

This is an integer used to identify an 
 Ieee1609ContributedHeaderInfoExtension.
```asn1
Ieee1609HeaderInfoExtensionId ::= ExtId
```

```asn1
p2pcd8ByteLearningRequestId Ieee1609HeaderInfoExtensionId ::= 1
```


### <a name="Ieee1609HeaderInfoExtensions"></a>Ieee1609HeaderInfoExtensions
This is the ASN.1 Information Object Class that associates IEEE 
 1609 HeaderInfo contributed extensions with the appropriate 
 Ieee1609HeaderInfoExtensionId value.
```asn1
Ieee1609HeaderInfoExtensions EXT-TYPE ::= {
  {HashedId8 IDENTIFIED BY p2pcd8ByteLearningRequestId},
  ...
}
```


### <a name="SequenceOfAppExtensions"></a>SequenceOfAppExtensions
This structure contains any AppExtensions that apply to the 
 certificate holder. As specified in 5.2.4.2.3, each individual 
 AppExtension type is associated with consistency conditions, specific to 
 that extension, that govern its consistency with SPDUs signed by the 
 certificate holder and with the CertIssueExtensions in the CA certificates 
 in that certificate holders chain. Those consistency conditions are 
 specified for each individual AppExtension below.
```asn1
SequenceOfAppExtensions ::= SEQUENCE (SIZE(1..MAX)) OF AppExtension
```

### <a name="AppExtension"></a>AppExtension
This structure contains an individual AppExtension. AppExtensions 
 specified in this standard are drawn from the ASN.1 Information Object Set 
 SetCertExtensions. This set, and its use in the AppExtension type, is 
 structured so that each AppExtension is associated with a 
 CertIssueExtension and a CertRequestExtension and all are identified by 
 the same id value. In this structure:

Fields:
* id of type [**CERT-EXT-TYPE**](Ieee1609Dot2BaseTypes.md#CERT-EXT-TYPE) .&id({SetCertExtensions})<br>
  identifies the extension type.


* content of type [**CERT-EXT-TYPE**](Ieee1609Dot2BaseTypes.md#CERT-EXT-TYPE) .&App({SetCertExtensions}{@.id})<br>
  provides the content of the extension.
   


   
```asn1
AppExtension ::= SEQUENCE {
  id      CERT-EXT-TYPE.&id({SetCertExtensions}),
  content CERT-EXT-TYPE.&App({SetCertExtensions}{@.id})
}
```


### <a name="SequenceOfCertIssueExtensions"></a>SequenceOfCertIssueExtensions
This field contains any CertIssueExtensions that apply to the 
 certificate holder. As specified in 5.2.4.2.3, each individual 
 CertIssueExtension type is associated with consistency conditions, 
 specific to that extension, that govern its consistency with 
 AppExtensions in certificates issued by the certificate holder and with 
 the CertIssueExtensions in the CA certificates in that certificate 
 holders chain. Those consistency conditions are specified for each 
 individual CertIssueExtension below.
```asn1
SequenceOfCertIssueExtensions ::= 
  SEQUENCE (SIZE(1..MAX)) OF CertIssueExtension
```

### <a name="CertIssueExtension"></a>CertIssueExtension
This field contains an individual CertIssueExtension. 
 CertIssueExtensions specified in this standard are drawn from the ASN.1 
 Information Object Set SetCertExtensions. This set, and its use in the 
 CertIssueExtension type, is structured so that each CertIssueExtension 
 is associated with a AppExtension and a CertRequestExtension and all are 
 identified by the same id value. In this structure:

Fields:
* id of type [**CERT-EXT-TYPE**](Ieee1609Dot2BaseTypes.md#CERT-EXT-TYPE) .&id({SetCertExtensions})<br>
  identifies the extension type.


* permissions of type [**CHOICE**](#CHOICE)  {
    specific  CERT-EXT-TYPE.&Issue({SetCertExtensions}{@.id})<br>
  indicates the permissions. Within this field.
     - all indicates that the certificate is entitled to issue all values of
   the extension.
     - specific is used to specify which values of the extension may be 
   issued in the case where all does not apply.
   


   
* all of type **NULL** <br>
   
```asn1
CertIssueExtension ::= SEQUENCE {
  id          CERT-EXT-TYPE.&id({SetCertExtensions}),
  permissions CHOICE {
    specific  CERT-EXT-TYPE.&Issue({SetCertExtensions}{@.id}),
    all       NULL
  }
}
```


### <a name="SequenceOfCertRequestExtensions"></a>SequenceOfCertRequestExtensions
This field contains any CertRequestExtensions that apply to the 
 certificate holder. As specified in 5.2.4.2.3, each individual 
 CertRequestExtension type is associated with consistency conditions, 
 specific to that extension, that govern its consistency with 
 AppExtensions in certificates issued by the certificate holder and with 
 the CertRequestExtensions in the CA certificates in that certificate 
 holders chain. Those consistency conditions are specified for each 
 individual CertRequestExtension below.
```asn1
SequenceOfCertRequestExtensions ::= SEQUENCE (SIZE(1..MAX)) OF CertRequestExtension
```

### <a name="CertRequestExtension"></a>CertRequestExtension
This field contains an individual CertRequestExtension. 
 CertRequestExtensions specified in this standard are drawn from the 
 ASN.1 Information Object Set SetCertExtensions. This set, and its use in 
 the CertRequestExtension type, is structured so that each 
 CertRequestExtension is associated with a AppExtension and a 
 CertRequestExtension and all are identified by the same id value. In this 
 structure:

Fields:
* id of type [**CERT-EXT-TYPE**](Ieee1609Dot2BaseTypes.md#CERT-EXT-TYPE) .&id({SetCertExtensions})<br>
  identifies the extension type.


* permissions of type [**CHOICE**](#CHOICE)  {
    content   CERT-EXT-TYPE.&Req({SetCertExtensions}{@.id})<br>
  indicates the permissions. Within this field.
     - all indicates that the certificate is entitled to issue all values of
   the extension.
     - specific is used to specify which values of the extension may be 
   issued in the case where all does not apply.
   


   
* all of type **NULL** <br>
   
```asn1
CertRequestExtension ::= SEQUENCE {
  id      CERT-EXT-TYPE.&id({SetCertExtensions}),
  permissions CHOICE {
    content   CERT-EXT-TYPE.&Req({SetCertExtensions}{@.id}),
    all       NULL
  }
}
```


### <a name="OperatingOrganizationId"></a>OperatingOrganizationId
This type is the AppExtension used to identify an operating 
 organization. The associated CertIssueExtension and CertRequestExtension 
 are both of type OperatingOrganizationId.
 To determine consistency between this type and an SPDU, the SDEE 
 specification for that SPDU is required to specify how the SPDU can be 
 used to determine an OBJECT IDENTIFIER (for example, by including the 
 full OBJECT IDENTIFIER in the SPDU, or by including a RELATIVE-OID with 
 clear instructions about how a full OBJECT IDENTIFIER can be obtained from
 the RELATIVE-OID). The SPDU is then consistent with this type if the 
 OBJECT IDENTIFIER determined from the SPDU is identical to the OBJECT 
 IDENTIFIER contained in this field.
 This AppExtension does not have consistency conditions with a 
 corresponding CertIssueExtension. It can appear in a certificate issued 
 by any CA.
```asn1
OperatingOrganizationId ::= OBJECT IDENTIFIER
```

```asn1
certExtId-OperatingOrganization ExtId ::= 1
```

```asn1
instanceOperatingOrganizationCertExtensions CERT-EXT-TYPE ::= {
  ID      certExtId-OperatingOrganization 
  APP     OperatingOrganizationId
  ISSUE   NULL
  REQUEST NULL
}
```


### <a name="SetCertExtensions"></a>SetCertExtensions
This Information Object Set is a collection of Information Objects 
 used to contain the AppExtension, CertIssueExtension, and 
 CertRequestExtension types associated with a specific use of certificate 
 extensions. In this version of this standard it only has a single entry 
 instanceOperatingOrganizationCertExtensions.
```asn1
SetCertExtensions CERT-EXT-TYPE ::= {
  instanceOperatingOrganizationCertExtensions,
  ...
}
```



This Information Object is an instance of the Information Object 
 Class CERT-EXT-TYPE. It is defined to bind together the AppExtension, 
 CertIssueExtension, and CertRequestExtension types associated with the 
 use of an operating organization identifier, and to assocaute them all 
 with the extension identifier value certExtId-OperatingOrganization.
  This Information Object Set is a collection of Information Objects 
 used to contain the AppExtension, CertIssueExtension, and 
 CertRequestExtension types associated with a specific use of certificate 
 extensions. In this version of this standard it only has a single entry 
 instanceOperatingOrganizationCertExtensions.