Table 29: An overview of attribute certificate attributes
SUPPORT REFERENCES
# EXTENSION OID SEMANTICS MULTI-
VALUED GEN PROC RFC CO.PKI NO TES
RFC3281ATTRIBUTES
(NOT YET PART OF COMMON PKI)
RFC3281
1 SvceAuthInfo {id-aca 1} This service authentication info identifies the AC holder by a
name to a server or service.
Y -- +- 4.4.1 n.a. [1]
2 AccessIdentity {id-aca 2} Identifies the AC holder to a server or service. Y -- +- 4.4.2 n.a. [1]
3 ChargingIdentity {id-aca 3} Identifies the AC holder for charging purposes. N -- +- 4.4.3 n.a. [1]
4 Group {id-aca 4} Group membership of the AC holder N -- +- 4.4.4 n.a. [1]
5 Role {id-at 72} Role allocation of the AC holder Y -- +- 4.4.5 n.a. [1]
6 Clearance {2 5 1 5 55} Clearance information about the AC holder Y -- +- 4.4.6 n.a. [1]
COMMON PKI
P
RIVATEA
TTRIBUTES[2] 7 Procuration {id-commonpki-at
2} Procuration information Y +- +- n.a. T29a
8 Admission {id-commonpki-at
3} Professional information N +- +- n.a. T29b
9 MonetaryLimit {id-commonpki-at
4} Monetary limit for transactions.
The QcEuMonetaryLimit QC statement MUST be used in new certificates in place of the extension/attribute MonetaryLimit since January 1, 2004. For the sake of backward compatibility with certificates already in use, components SHOULD support MonetaryLimit (as well as QcEuLimitValue).
N -- +- n.a. T29c [3]
[4]
10 DeclarationOfMajority {id-commonpki-at
5} A declaration of majority N +- +- n.a. T29d
11 Restriction {id-commonpki-at
8} Some other restriction regarding the usage of this certif icate. Y +- +- n.a. T29e [3]
12 AdditionalInformation {id-commonpki-at
15} Some other information of non-restrictive nature regarding the usage of this certificate. Y +- +- n.a. T29f
13 SubjectDirectoryAttributes {2 5 29 9} Personal identification data.
The SubjectDirectoryAttributes syntax is used for this purpose.
N +- +- n.a. T17 [5]
14 QcEuLimitValue
id-etsi-qcs-QcLimitValue
{id-etsi-qcs 2} Instead of including it in a QCStatements extension, a monetary
limit MAY be specified in an attribute (not an extension) using
this QC statement syntax.
N +- +- n.a. T25#13 [3]
Attribute Certificate Format
Common PKI Part 1 – Page 46 of 67
[1] These extensions are part of [RFC3281].
Common PKI Profile: These extensions are NOT YET PART of the current version of Common PKI.
[2] These attributes were originally defined in the optional SigG-Profile of Common PKI. Applications conforming to the Common PKI core specification MAY include them
in attribute certificates.
[3] Common PKI Profile: Attribute certificates with restrictive content MUST always be included in the signed document.
[4] Common PKI Profile: In new certificates, MonetaryLimit MUST be replaced by QcEuLimitValue, defined in [ETSI-QC]. Instead of inserting a QCStatements extension,
CAs MAY choose to specify a monetary limit as an attribute using the QcEuLimitValue syntax and the id-etsi-qcs-QcLimitValue OID. Note that QcEuLimitValue is backward compatible with MonetaryLimit. Hence, it sufficient for processing components to implement the QcEuLimitValue structure and use it to process any attributes with the id-etsi-qcs-QcLimitValue and the id-commonpki-at-monetaryLimit OIDs.
If both QcEuLimitValue and MonetaryLimit occur in the same certificate (as extension or attribute), they MUST assert the same value and currency. A certificate SHOULD use only one form.
Attribute Certificate Format
Common PKI Part 1 – Page 47 of 67
Table 29a: Procuration
SUPPORT REFERENCES
# ASN.1 DEFINITION SEMANTICS
GEN PROC RFC CO.PKI NO TES
1 id-commonpki-at-procuration OBJECT IDENTIFIER ::=
{id-commonpki-at 2} OID for extension/attribute Procuration n.a. T43
2 ProcurationSyntax ::= SEQUENCE { Attribute to indicate that the certificate holder
may sign in the name of a third person
+- + n.a. [1]
3 country [1] EXPLICIT PrintableString(SIZE(2))
OPTIONAL, indicates the country whose laws apply +- ++
4 typeOfSubstitution [2] EXPLICIT DirectoryString
(SIZE(1..128)) OPTIONAL, type of procuration (e.g. manager, procuration,
custody)
+- ++ T6
5 signingFor [3] EXPLICIT SigningFor } #6
6 SigningFor ::= CHOICE { Identification of the represented (substituted)
person via:
7 thirdPerson GeneralName, either his/her name T8
T7
[2] 8 certRef IssuerSerial } or a reference to his/her base certificate.
The base certificate MUST be a qualified PKC.
T28#14
[1] COMMON PKIPROFILE: The corresponding ProcurationSyntax contains either the name of the person who is represented (subcomponent thirdPerson) or a reference
to his/her base certificate (in the component signingFor, subcomponent certRef), furthermore the optional components country and typeSubstitution to indicate the country whose laws apply, and respectively the type of procuration (e.g. manager, procuration, custody).
[2] COMMON PKIPROFILE:The GeneralName MUST be of type directoryName and MAY only contain:
- RFC3739 attributes, except pseudonym (countryName, commonName, surname, givenName, serialNumber, organizationName, organizationalUnitName,
stateOrProvincename, localityName, postalAddress) and
Attribute Certificate Format
Common PKI Part 1 – Page 48 of 67
Table 29b: Admission
SUPPORT REFERENCES
# ASN.1 DEFINITION SEMANTICS
GEN PROC RFC CO.PKI NO TES
1 id-commonpki-at-admission OBJECT IDENTIFIER ::=
{id-commonpki-at 3} OID for extension/attribute Admission n.a. T43
2 id-commonpki-at-namingAuthorities OBJECT IDENTIFIER ::=
{id-commonpki-at 11} n.a. T43
3 AdmissionSyntax ::= SEQUENCE { Attribute to indicate admissions to certain
professions
+- + n.a.
4 admissionAuthority GeneralName OPTIONAL,
5 contentsOfAdmissions SEQUENCE OF Admissions } [1]
6 Admissions ::= SEQUENCE {
7 admissionAuthority [0] EXPLICIT GeneralName OPTIONAL, T8
8 namingAuthority [1] EXPLICIT NamingAuthority OPTIONAL, #10
9 professionInfos SEQUENCE OF ProfessionInfo } #14
10 NamingAuthority ::= SEQUENCE {
11 namingAuthorityId OBJECT IDENTIFIER OPTIONAL,
12 namingAuthorityUrl IA5String OPTIONAL,
13 namingAuthorityText DirectoryString(SIZE(1..128)) OPTIONAL} T6
14 ProfessionInfo ::= SEQUENCE {
15 namingAuthority [0] EXPLICIT NamingAuthority OPTIONAL, #10
16 professionItems SEQUENCE OF DirectoryString
(SIZE(1..128)), T6
17 professionOIDs SEQUENCE OF OBJECT IDENTIFIER OPTIONAL,
18 registrationNumber PrintableString(SIZE(1..128)) OPTIONAL,
19 addProfessionInfo OCTET STRING OPTIONAL }
[1] COMMON PKIPROFILE: The relatively complex structure of AdmissionSyntax supports the following concepts and requirements:
• External institutions (e.g. professional associations, chambers, unions, administrative bodies, companies, etc.), which are responsible for granting and verifying
professional admissions, are indicated by means of the data field admissionAuthority. An admission authority is indicated by a GeneralName object. Here an X.501 directory name (distinguished name) can be indicated in the field directoryName, a URL address can be indicated in the field uniformResourceIdentifier, and an object identifier can be indicated in the field registeredId.
• The names of authorities which are responsible for the administration of title registers are indicated in the data field namingAuthority. The name of the authority
can be identified by an object identifier in the field namingAuthorityId , by means of a text string in the field namingAuthorityText, by means of a URL address in the field namingAuthorityUrl, or by a combination of them. For example, the text string can contain the name of the authority, the country and the name of the title register. The URL-option refers to a web page which contains lists with „officially“ registered professions (text and possibly OID) as well as further information on these professions. Object identifiers for the component namingAuthorityId MAY be grouped under the OID-branch id-commonpki-at- namingAuthorities and MAY be applied for by interested authorities.
Attribute Certificate Format
Common PKI Part 1 – Page 49 of 67
See http://www.teletrust.de/fileadmin/files/oid/oid_Antrag.pdf for an application form and http://www.teletrust.de/index.php?id=524 for an overview of registered naming authorities.
However a naming authority is NOT REQUIRED to register under the OID id-commonpki-at-namingAuthorities in order to define profession OIDs .
• By means of the data type ProfessionInfo certain professions, specializations, disciplines, fields of activity, etc. are identified. A profession is represented by one
or more text strings, resp. profession OIDs in the fields professionItems and professionOIDs and by a registration number in the field registrationNumber. An indication in text form MUST always be present, whereas the other indications are optional. The component addProfessionInfo MAY contain additional application-specific information in DER-encoded form.
By means of different namingAuthority-OIDs or profession OIDs hierarchies of professions, specializations, disciplines, fields of activity, etc. can be expressed as illustrated as a possible example in the figure below. The issuing admission authority SHOULD always be indicated (field admissionAuthority), whenever a registration number is presented. Still, information on admissions MAY be given without indicating an admission or a naming authority by the exclusive use of the component professionItems. In this case the certification authority is responsible for the verification of the admission information.
i d-commonpki-at-namingAuthorities
OID of the authority for „Law, Economy, Taxes “
OID of the profession „Lawyer “
OID of the profession
„Tax Adviser “
...
OID of the authority forother area of application
...
This attribute is single-valued. Still, several admissions can be captured in the sequence structure of the component contentsOfAdmissions of AdmissionSyntax or in the component professionInfos of Admissions.
The component admissionAuthority of AdmissionSyntax serves as default value for the component admissionAuthority of Admissions. Within the latter component the default value can be overwritten, in case that another authority is responsible.
The component namingAuthority of Admissions serves as a default value for the component namingAuthority of ProfessionInfo. Within the latter component the default value can be overwritten, in case that another naming authority needs to be recorded.
The length of the string objects is limited to 128 characters. It is RECOMMENDED to indicate a namingAuthorityURL in all issued attribute certificates. If a namingAuthorityURL is indicated, the field professionItems of ProfessionInfo SHOULD contain only registered titles. If the field professionOIDs exists, it has to contain the OIDs of the professions listed in professionItems in the same order. In general, the field professionInfos SHOULD contain only one entry, unless the
Attribute Certificate Format
Common PKI Part 1 – Page 50 of 67
Attribute Certificate Format
Common PKI Part 1 – Page 51 of 67
Table 29c: MonetaryLimit
SUPPORT REFERENCES
# ASN.1 DEFINITION SEMANTICS
GEN PROC RFC CO.PKI NO TES
1 id-commonpki-at-monetaryLimit OBJECT IDENTIFIER ::=
{id-commonpki-at 4} OID for extension/attribute MonetaryLimit n.a. T43
2 MonetaryLimitSyntax ::= SEQUENCE { Indicates a monetary limit within which the
certificate holder is authorized to act.
(This value DOES NOT express a limit on the liability of the certification authority).
+- ++ n.a.
3 currency PrintableString (SIZE(3)), ISO code
4 amount INTEGER, value = amount•10exponent
5 exponent INTEGER }
Table 29d: DeclarationOfMajority
SUPPORT REFERENCES
# ASN.1 DEFINITION SEMANTICS
GEN PROC RFC CO.PKI NO TES
1 id-commonpki-at-declarationOfMajority OBJECT IDENTIFIER ::=
{id-commonpki-at 5} OID for extension/attrib. DeclarationOfMajority n.a. T43
2 DeclarationOfMajoritySyntax ::= CHOICE { +- ++ n.a.
3 notYoungerThen [0] IMPLICIT INTEGER, indicates a minimu m age [1]
4 fullAgeAtCountry [1] IMPLICIT SEQUENCE { indicates the majority of the owner with respect
to the laws of a specific country 5 fullAge BOOLEAN DEAULT TRUE, majority age reached in that country
6 country PrintableString (SIZE(2)) } ISO code of that country
7 dateOfBirth [2] IMPLICIT GeneralizedTime } date of birth of the certificate owner [1]
Attribute Certificate Format
Common PKI Part 1 – Page 52 of 67
Table 29e: Restriction
SUPPORT REFERENCES
# ASN.1 DEFINITION SEMANTICS
GEN PROC RFC CO.PKI NO TES
1 id-commonpki-at-restriction OBJECT IDENTIFIER ::=
{id-commonpki-at 8} OID for extension/attrib. Restriction n.a. T43
2 RestrictionSyntax ::= DirectoryString (SIZE(1..1024)) Text indicating some other restriction regarding
the usage of this certificate.
+- ++ n.a. P1.T6
Table 29f: AdditionalInformation
SUPPORT REFERENCES
# ASN.1 DEFINITION SEMANTICS
GEN PROC RFC CO.PKI NO TES
1 id-commonpki-at-additionalInformation OBJECT IDENTIFIER ::=
{id-commonpki-at 15} OID for extension/attrib. AdditionalInformation n.a. T43
2 AdditionalInformationSyntax ::=
DirectoryString (SIZE(1..2048)) Text indicating some other information (of non-
restrictive nature) regarding the usage of this certificate.