| blob | e0121c6d3268c47dcd676a190157fa8dd71f6cbc |
2 PKIX1 { }
4 DEFINITIONS IMPLICIT TAGS ::=
6 BEGIN
8 -- This contains both PKIX1Implicit88 and RFC2630 ASN.1 modules.
10 id-pkix OBJECT IDENTIFIER ::=
11 { iso(1) identified-organization(3) dod(6) internet(1)
12 security(5) mechanisms(5) pkix(7) }
14 -- ISO arc for standard certificate and CRL extensions
16 -- authority key identifier OID and syntax
18 AuthorityKeyIdentifier ::= SEQUENCE {
19 keyIdentifier [0] KeyIdentifier OPTIONAL,
20 authorityCertIssuer [1] GeneralNames OPTIONAL,
21 authorityCertSerialNumber [2] CertificateSerialNumber OPTIONAL }
22 -- authorityCertIssuer and authorityCertSerialNumber shall both
23 -- be present or both be absgent
25 KeyIdentifier ::= OCTET STRING
27 -- subject key identifier OID and syntax
29 SubjectKeyIdentifier ::= KeyIdentifier
31 -- key usage extension OID and syntax
33 KeyUsage ::= BIT STRING
35 -- Directory string type --
37 DirectoryString ::= CHOICE {
38 teletexString TeletexString (SIZE (1..MAX)),
39 printableString PrintableString (SIZE (1..MAX)),
40 universalString UniversalString (SIZE (1..MAX)),
41 utf8String UTF8String (SIZE (1..MAX)),
42 bmpString BMPString (SIZE(1..MAX)),
43 -- IA5String is added here to handle old UID encoded as ia5String --
44 -- See tests/userid/ for more information. It shouldn't be here, --
45 -- so if it causes problems, considering dropping it. --
46 ia5String IA5String (SIZE(1..MAX)) }
48 SubjectAltName ::= GeneralNames
50 GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName
52 GeneralName ::= CHOICE {
53 otherName [0] AnotherName,
54 rfc822Name [1] IA5String,
55 dNSName [2] IA5String,
56 x400Address [3] ANY,
57 -- Changed to work with the libtasn1 parser.
58 directoryName [4] EXPLICIT RDNSequence, --Name,
59 ediPartyName [5] ANY, --EDIPartyName replaced by ANY to save memory
60 uniformResourceIdentifier [6] IA5String,
61 iPAddress [7] OCTET STRING,
62 registeredID [8] OBJECT IDENTIFIER }
64 -- AnotherName replaces OTHER-NAME ::= TYPE-IDENTIFIER, as
65 -- TYPE-IDENTIFIER is not supported in the '88 ASN.1 syntax
67 AnotherName ::= SEQUENCE {
68 type-id OBJECT IDENTIFIER,
69 value [0] EXPLICIT ANY DEFINED BY type-id }
71 -- issuer alternative name extension OID and syntax
73 IssuerAltName ::= GeneralNames
75 -- basic constraints extension OID and syntax
77 BasicConstraints ::= SEQUENCE {
78 cA BOOLEAN DEFAULT FALSE,
79 pathLenConstraint INTEGER (0..MAX) OPTIONAL }
81 -- CRL distribution points extension OID and syntax
83 CRLDistributionPoints ::= SEQUENCE SIZE (1..MAX) OF DistributionPoint
85 DistributionPoint ::= SEQUENCE {
86 distributionPoint [0] EXPLICIT DistributionPointName OPTIONAL,
87 reasons [1] ReasonFlags OPTIONAL,
88 cRLIssuer [2] GeneralNames OPTIONAL
89 }
91 DistributionPointName ::= CHOICE {
92 fullName [0] GeneralNames,
93 nameRelativeToCRLIssuer [1] RelativeDistinguishedName
94 }
96 ReasonFlags ::= BIT STRING
98 -- extended key usage extension OID and syntax
100 ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId
102 KeyPurposeId ::= OBJECT IDENTIFIER
104 -- authority info access
106 AuthorityInfoAccessSyntax ::=
107 SEQUENCE SIZE (1..MAX) OF AccessDescription
109 AccessDescription ::= SEQUENCE {
110 accessMethod OBJECT IDENTIFIER,
111 accessLocation GeneralName }
113 -- CRL number extension OID and syntax
115 CRLNumber ::= INTEGER (0..MAX)
117 -- certificate issuer CRL entry extension OID and syntax
119 CertificateIssuer ::= GeneralNames
121 -- --------------------------------------
122 -- EXPLICIT
123 -- --------------------------------------
125 -- UNIVERSAL Types defined in '93 and '98 ASN.1
126 -- but required by this specification
128 NumericString ::= [UNIVERSAL 18] IMPLICIT OCTET STRING
130 IA5String ::= [UNIVERSAL 22] IMPLICIT OCTET STRING
132 TeletexString ::= [UNIVERSAL 20] IMPLICIT OCTET STRING
134 PrintableString ::= [UNIVERSAL 19] IMPLICIT OCTET STRING
136 UniversalString ::= [UNIVERSAL 28] IMPLICIT OCTET STRING
137 -- UniversalString is defined in ASN.1:1993
139 BMPString ::= [UNIVERSAL 30] IMPLICIT OCTET STRING
140 -- BMPString is the subtype of UniversalString and models
141 -- the Basic Multilingual Plane of ISO/IEC/ITU 10646-1
143 UTF8String ::= [UNIVERSAL 12] IMPLICIT OCTET STRING
144 -- The content of this type conforms to RFC 2279.
147 -- attribute data types --
149 Attribute ::= SEQUENCE {
150 type AttributeType,
151 values SET OF AttributeValue
152 -- at least one value is required --
153 }
155 AttributeType ::= OBJECT IDENTIFIER
157 AttributeValue ::= ANY DEFINED BY type
159 AttributeTypeAndValue ::= SEQUENCE {
160 type AttributeType,
161 value AttributeValue }
163 -- suggested naming attributes: Definition of the following
164 -- information object set may be augmented to meet local
165 -- requirements. Note that deleting members of the set may
166 -- prevent interoperability with conforming implementations.
167 -- presented in pairs: the AttributeType followed by the
168 -- type definition for the corresponding AttributeValue
170 -- Arc for standard naming attributes
171 id-at OBJECT IDENTIFIER ::= {joint-iso-ccitt(2) ds(5) 4}
173 -- Attributes of type NameDirectoryString
175 -- gnutls: Note that the Object ID (id-at*) is being set just before the
176 -- actual definition. This is done in order for asn1_find_structure_from_oid
177 -- to work (locate structure from OID).
178 -- Maybe this is inefficient and memory consuming. Should we replace with
179 -- a table that maps OIDs to structures?
181 PostalAddress ::= SEQUENCE OF DirectoryString
183 -- Legacy attributes
185 emailAddress AttributeType ::= { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 1 }
187 Pkcs9email ::= IA5String (SIZE (1..ub-emailaddress-length))
189 -- naming data types --
191 Name ::= CHOICE { -- only one possibility for now --
192 rdnSequence RDNSequence }
194 RDNSequence ::= SEQUENCE OF RelativeDistinguishedName
196 DistinguishedName ::= RDNSequence
198 RelativeDistinguishedName ::=
199 SET SIZE (1 .. MAX) OF AttributeTypeAndValue
203 -- --------------------------------------------------------
204 -- certificate and CRL specific structures begin here
205 -- --------------------------------------------------------
207 Certificate ::= SEQUENCE {
208 tbsCertificate TBSCertificate,
209 signatureAlgorithm AlgorithmIdentifier,
210 signature BIT STRING }
212 TBSCertificate ::= SEQUENCE {
213 version [0] EXPLICIT Version DEFAULT v1,
214 serialNumber CertificateSerialNumber,
215 signature AlgorithmIdentifier,
216 issuer Name,
217 validity Validity,
218 subject Name,
219 subjectPublicKeyInfo SubjectPublicKeyInfo,
220 issuerUniqueID [1] IMPLICIT UniqueIdentifier OPTIONAL,
221 -- If present, version shall be v2 or v3
222 subjectUniqueID [2] IMPLICIT UniqueIdentifier OPTIONAL,
223 -- If present, version shall be v2 or v3
224 extensions [3] EXPLICIT Extensions OPTIONAL
225 -- If present, version shall be v3 --
226 }
228 Version ::= INTEGER { v1(0), v2(1), v3(2) }
230 CertificateSerialNumber ::= INTEGER
232 Validity ::= SEQUENCE {
233 notBefore Time,
234 notAfter Time }
236 Time ::= CHOICE {
237 utcTime UTCTime,
238 generalTime GeneralizedTime }
240 UniqueIdentifier ::= BIT STRING
242 SubjectPublicKeyInfo ::= SEQUENCE {
243 algorithm AlgorithmIdentifier,
244 subjectPublicKey BIT STRING }
246 Extensions ::= SEQUENCE SIZE (1..MAX) OF Extension
248 Extension ::= SEQUENCE {
249 extnID OBJECT IDENTIFIER,
250 critical BOOLEAN DEFAULT FALSE,
251 extnValue OCTET STRING }
254 -- ------------------------------------------
255 -- CRL structures
256 -- ------------------------------------------
258 CertificateList ::= SEQUENCE {
259 tbsCertList TBSCertList,
260 signatureAlgorithm AlgorithmIdentifier,
261 signature BIT STRING }
263 TBSCertList ::= SEQUENCE {
264 version Version OPTIONAL,
265 -- if present, shall be v2
266 signature AlgorithmIdentifier,
267 issuer Name,
268 thisUpdate Time,
269 nextUpdate Time OPTIONAL,
270 revokedCertificates SEQUENCE OF SEQUENCE {
271 userCertificate CertificateSerialNumber,
272 revocationDate Time,
273 crlEntryExtensions Extensions OPTIONAL
274 -- if present, shall be v2
275 } OPTIONAL,
276 crlExtensions [0] EXPLICIT Extensions OPTIONAL
277 -- if present, shall be v2 --
278 }
280 -- Version, Time, CertificateSerialNumber, and Extensions were
281 -- defined earlier for use in the certificate structure
283 AlgorithmIdentifier ::= SEQUENCE {
284 algorithm OBJECT IDENTIFIER,
285 parameters ANY DEFINED BY algorithm OPTIONAL }
286 -- contains a value of the type
287 -- registered for use with the
288 -- algorithm object identifier value
290 -- Algorithm OIDs and parameter structures
292 Dss-Sig-Value ::= SEQUENCE {
293 r INTEGER,
294 s INTEGER
295 }
297 DomainParameters ::= SEQUENCE {
298 p INTEGER, -- odd prime, p=jq +1
299 g INTEGER, -- generator, g
300 q INTEGER, -- factor of p-1
301 j INTEGER OPTIONAL, -- subgroup factor, j>= 2
302 validationParms ValidationParms OPTIONAL }
304 ValidationParms ::= SEQUENCE {
305 seed BIT STRING,
306 pgenCounter INTEGER }
308 Dss-Parms ::= SEQUENCE {
309 p INTEGER,
310 q INTEGER,
311 g INTEGER }
313 -- x400 address syntax starts here
314 -- OR Names
316 CountryName ::= [APPLICATION 1] CHOICE {
317 x121-dcc-code NumericString
318 (SIZE (ub-country-name-numeric-length)),
319 iso-3166-alpha2-code PrintableString
320 (SIZE (ub-country-name-alpha-length)) }
322 OrganizationName ::= PrintableString
323 (SIZE (1..ub-organization-name-length))
324 -- see also teletex-organization-name
326 NumericUserIdentifier ::= NumericString
327 (SIZE (1..ub-numeric-user-id-length))
329 -- see also teletex-personal-name
331 OrganizationalUnitNames ::= SEQUENCE SIZE (1..ub-organizational-units)
332 OF OrganizationalUnitName
333 -- see also teletex-organizational-unit-names
335 OrganizationalUnitName ::= PrintableString (SIZE
336 (1..ub-organizational-unit-name-length))
338 -- Extension types and attribute values
339 --
341 CommonName ::= PrintableString
343 -- END of PKIX1Implicit88
346 -- BEGIN of RFC2630
348 -- Cryptographic Message Syntax
350 pkcs-7-ContentInfo ::= SEQUENCE {
351 contentType pkcs-7-ContentType,
352 content [0] EXPLICIT ANY DEFINED BY contentType }
354 pkcs-7-DigestInfo ::= SEQUENCE {
355 digestAlgorithm pkcs-7-DigestAlgorithmIdentifier,
356 digest pkcs-7-Digest
357 }
359 pkcs-7-Digest ::= OCTET STRING
361 pkcs-7-ContentType ::= OBJECT IDENTIFIER
363 pkcs-7-SignedData ::= SEQUENCE {
364 version pkcs-7-CMSVersion,
365 digestAlgorithms pkcs-7-DigestAlgorithmIdentifiers,
366 encapContentInfo pkcs-7-EncapsulatedContentInfo,
367 certificates [0] IMPLICIT pkcs-7-CertificateSet OPTIONAL,
368 crls [1] IMPLICIT pkcs-7-CertificateRevocationLists OPTIONAL,
369 signerInfos pkcs-7-SignerInfos
370 }
372 pkcs-7-CMSVersion ::= INTEGER { v0(0), v1(1), v2(2), v3(3), v4(4) }
374 pkcs-7-DigestAlgorithmIdentifiers ::= SET OF pkcs-7-DigestAlgorithmIdentifier
376 pkcs-7-DigestAlgorithmIdentifier ::= AlgorithmIdentifier
378 pkcs-7-EncapsulatedContentInfo ::= SEQUENCE {
379 eContentType pkcs-7-ContentType,
380 eContent [0] EXPLICIT OCTET STRING OPTIONAL }
382 -- We don't use CertificateList here since we only want
383 -- to read the raw data.
384 pkcs-7-CertificateRevocationLists ::= SET OF ANY
386 pkcs-7-CertificateChoices ::= CHOICE {
387 -- Although the paper uses Certificate type, we
388 -- don't use it since, we don't need to parse it.
389 -- We only need to read and store it.
390 certificate ANY
391 }
393 pkcs-7-CertificateSet ::= SET OF pkcs-7-CertificateChoices
395 pkcs-7-SignerInfos ::= SET OF ANY -- this is not correct but we don't use it
396 -- anyway
399 -- BEGIN of RFC2986
401 -- Certificate requests
402 pkcs-10-CertificationRequestInfo ::= SEQUENCE {
403 version INTEGER { v1(0) },
404 subject Name,
405 subjectPKInfo SubjectPublicKeyInfo,
406 attributes [0] Attributes
407 }
409 Attributes ::= SET OF Attribute
411 pkcs-10-CertificationRequest ::= SEQUENCE {
412 certificationRequestInfo pkcs-10-CertificationRequestInfo,
413 signatureAlgorithm AlgorithmIdentifier,
414 signature BIT STRING
415 }
417 -- stuff from PKCS#9
419 pkcs-9-at-challengePassword OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 7}
421 pkcs-9-challengePassword ::= CHOICE {
422 printableString PrintableString,
423 utf8String UTF8String }
425 pkcs-9-localKeyId ::= OCTET STRING
427 -- PKCS #8 stuff
429 -- Private-key information syntax
431 pkcs-8-PrivateKeyInfo ::= SEQUENCE {
432 version pkcs-8-Version,
433 privateKeyAlgorithm AlgorithmIdentifier,
434 privateKey pkcs-8-PrivateKey,
435 attributes [0] Attributes OPTIONAL }
437 pkcs-8-Version ::= INTEGER {v1(0)}
439 pkcs-8-PrivateKey ::= OCTET STRING
441 pkcs-8-Attributes ::= SET OF Attribute
443 -- Encrypted private-key information syntax
445 pkcs-8-EncryptedPrivateKeyInfo ::= SEQUENCE {
446 encryptionAlgorithm AlgorithmIdentifier,
447 encryptedData pkcs-8-EncryptedData
448 }
450 pkcs-8-EncryptedData ::= OCTET STRING
452 -- PKCS #5 stuff
454 pkcs-5-des-EDE3-CBC-params ::= OCTET STRING (SIZE(8))
455 pkcs-5-aes128-CBC-params ::= OCTET STRING (SIZE(16))
456 pkcs-5-aes192-CBC-params ::= OCTET STRING (SIZE(16))
457 pkcs-5-aes256-CBC-params ::= OCTET STRING (SIZE(16))
459 pkcs-5-PBES2-params ::= SEQUENCE {
460 keyDerivationFunc AlgorithmIdentifier,
461 encryptionScheme AlgorithmIdentifier }
463 -- PBKDF2
465 -- pkcs-5-algid-hmacWithSHA1 AlgorithmIdentifier ::=
466 -- {algorithm pkcs-5-id-hmacWithSHA1, parameters NULL : NULL}
468 pkcs-5-PBKDF2-params ::= SEQUENCE {
469 salt CHOICE {
470 specified OCTET STRING,
471 otherSource AlgorithmIdentifier
472 },
473 iterationCount INTEGER (1..MAX),
474 keyLength INTEGER (1..MAX) OPTIONAL,
475 prf AlgorithmIdentifier OPTIONAL -- DEFAULT pkcs-5-id-hmacWithSHA1
476 }
478 -- PKCS #12 stuff
480 pkcs-12-PFX ::= SEQUENCE {
481 version INTEGER {v3(3)},
482 authSafe pkcs-7-ContentInfo,
483 macData pkcs-12-MacData OPTIONAL
484 }
486 pkcs-12-PbeParams ::= SEQUENCE {
487 salt OCTET STRING,
488 iterations INTEGER
489 }
491 pkcs-12-MacData ::= SEQUENCE {
492 mac pkcs-7-DigestInfo,
493 macSalt OCTET STRING,
494 iterations INTEGER DEFAULT 1
495 -- Note: The default is for historical reasons and its use is
496 -- deprecated. A higher value, like 1024 is recommended.
497 }
499 pkcs-12-AuthenticatedSafe ::= SEQUENCE OF pkcs-7-ContentInfo
500 -- Data if unencrypted
501 -- EncryptedData if password-encrypted
502 -- EnvelopedData if public key-encrypted
504 pkcs-12-SafeContents ::= SEQUENCE OF pkcs-12-SafeBag
506 pkcs-12-SafeBag ::= SEQUENCE {
507 bagId OBJECT IDENTIFIER,
508 bagValue [0] EXPLICIT ANY DEFINED BY badId,
509 bagAttributes SET OF pkcs-12-PKCS12Attribute OPTIONAL
510 }
512 -- Bag types
514 pkcs-12-KeyBag ::= pkcs-8-PrivateKeyInfo
516 -- Shrouded KeyBag
518 pkcs-12-PKCS8ShroudedKeyBag ::= pkcs-8-EncryptedPrivateKeyInfo
520 -- CertBag
522 pkcs-12-CertBag ::= SEQUENCE {
523 certId OBJECT IDENTIFIER,
524 certValue [0] EXPLICIT ANY DEFINED BY certId
525 }
527 -- x509Certificate BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-certTypes 1}}
528 -- DER-encoded X.509 certificate stored in OCTET STRING
530 pkcs-12-CRLBag ::= SEQUENCE {
531 crlId OBJECT IDENTIFIER,
532 crlValue [0] EXPLICIT ANY DEFINED BY crlId
533 }
535 pkcs-12-SecretBag ::= SEQUENCE {
536 secretTypeId OBJECT IDENTIFIER,
537 secretValue [0] EXPLICIT ANY DEFINED BY secretTypeId
538 }
540 -- x509CRL BAG-TYPE ::= {OCTET STRING IDENTIFIED BY {pkcs-9-crlTypes 1}}
541 -- DER-encoded X.509 CRL stored in OCTET STRING
543 pkcs-12-PKCS12Attribute ::= Attribute
545 -- PKCS #7 stuff (needed in PKCS 12)
547 pkcs-7-Data ::= OCTET STRING
549 pkcs-7-EncryptedData ::= SEQUENCE {
550 version pkcs-7-CMSVersion,
551 encryptedContentInfo pkcs-7-EncryptedContentInfo,
552 unprotectedAttrs [1] IMPLICIT pkcs-7-UnprotectedAttributes OPTIONAL }
554 pkcs-7-EncryptedContentInfo ::= SEQUENCE {
555 contentType pkcs-7-ContentType,
556 contentEncryptionAlgorithm pkcs-7-ContentEncryptionAlgorithmIdentifier,
557 encryptedContent [0] IMPLICIT pkcs-7-EncryptedContent OPTIONAL }
559 pkcs-7-ContentEncryptionAlgorithmIdentifier ::= AlgorithmIdentifier
561 pkcs-7-EncryptedContent ::= OCTET STRING
563 pkcs-7-UnprotectedAttributes ::= SET SIZE (1..MAX) OF Attribute
565 -- rfc3820
567 ProxyCertInfo ::= SEQUENCE {
568 pCPathLenConstraint INTEGER (0..MAX) OPTIONAL,
569 proxyPolicy ProxyPolicy }
571 ProxyPolicy ::= SEQUENCE {
572 policyLanguage OBJECT IDENTIFIER,
573 policy OCTET STRING OPTIONAL }
575 -- rfc2560
577 OCSPRequest ::= SEQUENCE {
578 tbsRequest TBSRequest,
579 optionalSignature [0] EXPLICIT Signature OPTIONAL }
581 TBSRequest ::= SEQUENCE {
582 version [0] EXPLICIT Version DEFAULT v1,
583 requestorName [1] EXPLICIT GeneralName OPTIONAL,
584 requestList SEQUENCE OF Request,
585 requestExtensions [2] EXPLICIT Extensions OPTIONAL }
587 Signature ::= SEQUENCE {
588 signatureAlgorithm AlgorithmIdentifier,
589 signature BIT STRING,
590 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
592 -- comment out, already used above, fortunately with same values and names
593 -- Version ::= INTEGER { v1(0) }
595 Request ::= SEQUENCE {
596 reqCert CertID,
597 singleRequestExtensions [0] EXPLICIT Extensions OPTIONAL }
599 CertID ::= SEQUENCE {
600 hashAlgorithm AlgorithmIdentifier,
601 issuerNameHash OCTET STRING, -- Hash of Issuer's DN
602 issuerKeyHash OCTET STRING, -- Hash of Issuers public key
603 serialNumber CertificateSerialNumber }
605 OCSPResponse ::= SEQUENCE {
606 responseStatus OCSPResponseStatus,
607 responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
609 OCSPResponseStatus ::= ENUMERATED {
610 successful (0), --Response has valid confirmations
611 malformedRequest (1), --Illegal confirmation request
612 internalError (2), --Internal error in issuer
613 tryLater (3), --Try again later
614 --(4) is not used
615 sigRequired (5), --Must sign the request
616 unauthorized (6) --Request unauthorized
617 }
619 ResponseBytes ::= SEQUENCE {
620 responseType OBJECT IDENTIFIER,
621 response OCTET STRING }
623 BasicOCSPResponse ::= SEQUENCE {
624 tbsResponseData ResponseData,
625 signatureAlgorithm AlgorithmIdentifier,
626 signature BIT STRING,
627 certs [0] EXPLICIT SEQUENCE OF Certificate OPTIONAL }
629 ResponseData ::= SEQUENCE {
630 version [0] EXPLICIT Version DEFAULT v1,
631 responderID ResponderID,
632 producedAt GeneralizedTime,
633 responses SEQUENCE OF SingleResponse,
634 responseExtensions [1] EXPLICIT Extensions OPTIONAL }
636 ResponderID ::= CHOICE {
637 -- Changed to work with the libtasn1 parser.
638 byName [1] EXPLICIT RDNSequence, --Name,
639 byKey [2] KeyHash }
641 KeyHash ::= OCTET STRING --SHA-1 hash of responder's public key
642 --(excluding the tag and length fields)
644 SingleResponse ::= SEQUENCE {
645 certID CertID,
646 certStatus CertStatus,
647 thisUpdate GeneralizedTime,
648 nextUpdate [0] EXPLICIT GeneralizedTime OPTIONAL,
649 singleExtensions [1] EXPLICIT Extensions OPTIONAL }
651 CertStatus ::= CHOICE {
652 good [0] IMPLICIT NULL,
653 revoked [1] IMPLICIT RevokedInfo,
654 unknown [2] IMPLICIT UnknownInfo }
656 RevokedInfo ::= SEQUENCE {
657 revocationTime GeneralizedTime,
658 revocationReason [0] EXPLICIT CRLReason OPTIONAL }
660 UnknownInfo ::= NULL -- this can be replaced with an enumeration
662 ArchiveCutoff ::= GeneralizedTime
664 AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER
666 ServiceLocator ::= SEQUENCE {
667 issuer Name,
668 locator AuthorityInfoAccessSyntax }
670 -- rfc5280
672 CRLReason ::= ENUMERATED {
673 unspecified (0),
674 keyCompromise (1),
675 cACompromise (2),
676 affiliationChanged (3),
677 superseded (4),
678 cessationOfOperation (5),
679 certificateHold (6),
680 removeFromCRL (8),
681 privilegeWithdrawn (9),
682 aACompromise (10) }
684 END