Ieee1609Dot2.asn

 * @param appPermissions indicates the permissions that the certificate
 * holder has to sign application data with this certificate. A valid
 * instance of appPermissions contains any particular Psid value in at most
 * one entry.  
 *
 * @param certIssuePermissions indicates the permissions that the certificate
 * holder has to sign certificates with this certificate. A valid instance of
 * this array contains no more than one entry whose psidSspRange field
 * indicates all. If the array has multiple entries and one entry has its
 * psidSspRange field indicate all, then the entry indicating all specifies
 * the permissions for all PSIDs other than the ones explicitly specified in
 * the other entries. See the description of PsidGroupPermissions for further
 * discussion.
 *
 * @param certRequestPermissions indicates the permissions that the
 * certificate holder has to sign certificate requests with this certificate.
 * A valid instance of this array contains no more than one entry whose
 * psidSspRange field indicates all. If the array has multiple entries and
 * one entry has its psidSspRange field indicate all, then the entry
 * indicating all specifies the permissions for all PSIDs other than the ones
 * explicitly specified in the other entries. See the description of
 * PsidGroupPermissions for further discussion.
 *
 * @param canRequestRollover indicates that the certificate may be used to
 * sign a request for another certificate with the same permissions. This
 * field is provided for future use and its use is not defined in this
 * version of this standard.
 *
 * @param encryptionKey contains a public key for encryption for which the
 * certificate holder holds the corresponding private key. 
 *
 * @param verifyKeyIndicator contains material that may be used to recover
 * the public key that may be used to verify data signed by this certificate. 
 */
  ToBeSignedCertificate ::= SEQUENCE { 
    id                      CertificateId,
    cracaId                 HashedId3,
    crlSeries               CrlSeries,
    validityPeriod          ValidityPeriod,
    region                  GeographicRegion OPTIONAL,
    assuranceLevel          SubjectAssurance OPTIONAL,
    appPermissions          SequenceOfPsidSsp OPTIONAL,
    certIssuePermissions    SequenceOfPsidGroupPermissions OPTIONAL,
    certRequestPermissions  SequenceOfPsidGroupPermissions OPTIONAL, 
    canRequestRollover      NULL OPTIONAL,
    encryptionKey           PublicEncryptionKey OPTIONAL,
    verifyKeyIndicator      VerificationKeyIndicator,
    ...,
    flags                  BIT STRING {cubk (0)} (SIZE (8)) OPTIONAL
  }
  (WITH COMPONENTS { ..., appPermissions PRESENT} |
   WITH COMPONENTS { ..., certIssuePermissions PRESENT} |
   WITH COMPONENTS { ..., certRequestPermissions PRESENT})

/** 
 * @class CertificateId
 *
 * @brief This structure contains information that is used to identify the
 * certificate holder if necessary.
 *
 * <br><br><b>Critical information fields</b>: 
 * <ul>
 * <li> If present, this is a critical information field as defined in 5.2.6.
 * An implementation that does not recognize the choice indicated in this
 * field shall reject a signed SPDU as invalid.</li>
 * </ul>
 *
 * <b>Parameters</b>:
 *
 * @param linkageData is used to identify the certificate for revocation
 * purposes in the case of certificates that appear on linked certificate
 * CRLs. See 5.1.3 and 7.3 for further discussion.
 *
 * @param name is used to identify the certificate holder in the case of
 * non-anonymous certificates. The contents of this field are a matter of
 * policy and should be human-readable.
 *
 * @param binaryId supports identifiers that are not human-readable.
 *
 * @param none indicates that the certificate does not include an identifier.
 */
  CertificateId ::= CHOICE {
    linkageData  LinkageData,
    name         Hostname,
    binaryId     OCTET STRING(SIZE(1..64)),
    none         NULL,
    ...
  }

/** 
 * @class LinkageData
 *
 * @brief This structure contains information that is matched against
 * information obtained from a linkage ID-based CRL to determine whether the
 * containing certificate has been revoked. See 5.1.3.4 and 7.3 for details
 * of use.
 */
  LinkageData ::= SEQUENCE { 
    iCert                IValue,
    linkage-value        LinkageValue, 
    group-linkage-value  GroupLinkageValue OPTIONAL
  }
  
/** 
 * @class EndEntityType
 *
 * @brief This type indicates which type of permissions may appear in
 * end-entity certificates the chain of whose permissions passes through the
 * PsidGroupPermissions field containing this value. If app is indicated, the
 * end-entity certificate may contain an appPermissions field. If enroll is
 * indicated, the end-entity certificate may contain a certRequestPermissions
 * field.   
 */
  EndEntityType ::= BIT STRING {
    app (0), 
    enroll (1) 
  } (SIZE (8)) (ALL EXCEPT {})

/** 
 * @class PsidGroupPermissions
 *
 * @brief This structure states the permissions that a certificate holder has
 * with respect to issuing and requesting certificates for a particular set
 * of PSIDs. In this structure:
 *
 * <br><br> For examples, see D.5.3 and D.5.4.
 *
 * @param subjectPermissions indicates PSIDs and SSP Ranges covered by this
 * field.
 *
 * @param minChainLength and chainLengthRange indicate how long the
 * certificate chain from this certificate to the end-entity certificate is
 * permitted to be. As specified in 5.1.2.1, the length of the certificate
 * chain is the number of certificates "below" this certificate in the chain,
 * down to and including the end-entity certificate. The length is permitted
 * to be (a) greater than or equal to minChainLength certificates and (b)
 * less than or equal to minChainLength + chainLengthRange certificates. A
 * value of 0 for minChainLength is not permitted when this type appears in
 * the certIssuePermissions field of a ToBeSignedCertificate; a certificate
 * that has a value of 0 for this field is invalid. The value −1 for
 * chainLengthRange is a special case: if the value of chainLengthRange is −1
 * it indicates that the certificate chain may be any length equal to or
 * greater than minChainLength. See the examples below for further discussion. 
 *
 * @param eeType takes one or more of the values app and enroll and indicates
 * the type of certificates or requests that this instance of
 * PsidGroupPermissions in the certificate is entitled to authorize. If this
 * field indicates app, the chain is allowed to end in an authorization
 * certificate, i.e., a certficate in which these permissions appear in an
 * appPermissions field (in other words, if the field does not indicate app
 * but the chain ends in an authorization certificate, the chain shall be
 * considered invalid). If this field indicates enroll, the chain is allowed
 * to end in an enrollment certificate, i.e., a certificate in which these
 * permissions appear in a certReqPermissions permissions field), or both (in
 * other words, if the field does not indicate app but the chain ends in an
 * authorization certificate, the chain shall be considered invalid).
 * Different instances of PsidGroupPermissions within a ToBeSignedCertificate
 * may have different values for eeType.
 */
  PsidGroupPermissions ::= SEQUENCE {
    subjectPermissions  SubjectPermissions,
    minChainLength      INTEGER DEFAULT 1, 
    chainLengthRange    INTEGER DEFAULT 0, 
    eeType              EndEntityType DEFAULT {app}
  }

/** 
 * @class SequenceOfPsidGroupPermissions
 *
 * @brief This type is used for clarity of definitions.
 */
  SequenceOfPsidGroupPermissions ::= SEQUENCE OF PsidGroupPermissions

/** 
 * @class SubjectPermissions
 *
 * @brief This indicates the PSIDs and associated SSPs for which certificate
 * issuance or request permissions are granted by a PsidGroupPermissions
 * structure. If this takes the value explicit, the enclosing
 * PsidGroupPermissions structure grants certificate issuance or request
 * permissions for the indicated PSIDs and SSP Ranges. If this takes the
 * value all, the enclosing PsidGroupPermissions structure grants certificate
 * issuance or request permissions for all PSIDs not indicated by other
 * PsidGroupPermissions in the same certIssuePermissions or
 * certRequestPermissions field.
 *
 * <br><br><b>Critical information fields</b>:
 * <ul>
 * <li> If present, this is a critical information field as defined in 5.2.6.
 * An implementation that does not recognize the indicated CHOICE when
 * verifying a signed SPDU shall indicate that the signed SPDU is
 * invalid.</li>
 *
 * <li> If present, explicit is a critical information field as defined in
 * 5.2.6. An implementation that does not support the number of PsidSspRange
 * in explicit when verifying a signed SPDU shall indicate that the signed
 * SPDU is invalid. A compliant implementation shall support explicit fields
 * containing at least eight entries.</li>
 * </ul>
 */
  SubjectPermissions ::= CHOICE {
          explicit        SequenceOfPsidSspRange,
          all             NULL,
          ...
  }

/** 
 * @class VerificationKeyIndicator
 *
 * @brief The contents of this field depend on whether the certificate is an
 * implicit or an explicit certificate.
 *
 * <br><br><b>Critical information fields</b>: If present, this is a critical
 * information field as defined in 5.2.5. An implementation that does not
 * recognize the indicated CHOICE for this type when verifying a signed SPDU
 * shall indicate that the signed SPDU is invalid.
 *
 * <br><br><b>Parameters</b>:
 *
 * @param verificationKey is included in explicit certificates. It contains
 * the public key to be used to verify signatures generated by the holder of
 * the Certificate.
 *
 * @param reconstructionValue is included in implicit certificates. It
 * contains the reconstruction value, which is used to recover the public key
 * as specified in SEC 4 and 5.3.2. 
 */
  VerificationKeyIndicator ::= CHOICE {
    verificationKey      PublicVerificationKey,
    reconstructionValue  EccP256CurvePoint,
    ...
  }
  
END