draft-ietf-smime-certdist-04.txt   draft-ietf-smime-certdist-05.txt 
Internet Draft Jim Schaad Internet Draft Jim Schaad
October 20, 1999 Microsoft November 19, 2000
Expires in six months Expires in six months
Certificate Distribution Specification Certificate Distribution Specification
draft-ietf-smime-certdist-04.txt draft-ietf-smime-certdist-05.txt
Status of this memo Status of this memo
This document is an Internet-Draft and is in full conformance with This document is an Internet-Draft and is in full conformance with
all provisions of Section 10 of RFC2026. Internet-Drafts are working all provisions of Section 10 of RFC2026. Internet-Drafts are working
documents of the Internet Engineering Task Force (IETF), its areas, documents of the Internet Engineering Task Force (IETF), its areas,
and its working groups. Note that other groups may also distribute and its working groups. Note that other groups may also distribute
working documents as Internet-Drafts. working documents as Internet-Drafts.
Internet-Drafts are draft documents valid for a maximum of six Internet-Drafts are draft documents valid for a maximum of six
skipping to change at line 61 skipping to change at line 62
directory to provide authenticated attributes as part of the directory to provide authenticated attributes as part of the
certificate publishing process. This allows for the addition of certificate publishing process. This allows for the addition of
information such as the SMimeCapabilities attribute from [SMIME] information such as the SMimeCapabilities attribute from [SMIME]
which contains information about the bulk encryption algorithms which contains information about the bulk encryption algorithms
supported by the End-Entity's cryptography module. supported by the End-Entity's cryptography module.
Section 2 discusses the current set of publishing methods available Section 2 discusses the current set of publishing methods available
for use, along with the benefits and restrictions of each method. for use, along with the benefits and restrictions of each method.
Schaad 1 Schaad 1
CertDist October 1999 CertDist May 2000
Section 3 covers the definition and properties of a Section 3 covers the definition and properties of a
SMimeCertificatePublish object. SMimeCertificatePublish object.
Throughout this draft, the terms MUST, MUST NOT, SHOULD, and SHOULD The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL
NOT are used in capital letters. This conforms to the definitions in NOT","SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
[MUSTSHOULD]. [MUSTSHOULD] defines the use of these key words to this document are to be interpreted as described in RFC 2119.
help make the intent of standards track documents as clear as
possible. The same key words are used in this document to help
implementers achieve interoperability.
2. Current Publishing Methods 2. Current Publishing Methods
There are several different ways to publish certificate information. There are several different ways to publish certificate information.
These methods include the userCertificate property in LDAP These methods include the userCertificate property in LDAP
directories, sending signed objects between users, and transport of directories, sending signed objects between users, and transport of
certificate files (either bare or as CMS degenerate signed objects). certificate files (either bare or as CMS degenerate signed objects).
Each of these methods has benefits and drawbacks. Each of these Each of these methods has benefits and drawbacks. Each of these
methods will now be briefly discussed. methods will now be briefly discussed.
Public Directory
A public directory may be used to distribute certificates. LDAP A public directory may be used to distribute certificates. LDAP
currently has the userCertificate property defined just for that currently has the userCertificate property defined just for that
purpose. The benefits of using a public directory are that a sender purpose. The benefits of using a public directory are that a sender
may create an encrypted object for a recipient without first may create an encrypted object for a recipient without first
receiving information (such as a signed message) from the recipient. receiving information (such as a signed message) from the recipient.
Most public directories currently only contain leaf certificates for However the use of directories has two drawbacks: First, the set of
individuals in the directory entry for the individual. While some bulk algorithms supported by the recipient is unknown. Second, the
directories, such as X.500 directories, provide for a directory chain of certificates needed to validate the userĘs certificate
entry to contain the CA certificate, this is not the case for all needs to be found in another manner.
directories. Outside of the structure of an X.500 directory the
problems associated with chaining from the individual's certificate Although there exists a property for listing bulk algorithms in the
to the CA's directory entry in order to obtain it's certificate is X.509 directory, it has no way of binding a list of algorithms to a
difficult to impossible. This leads to two drawbacks: First, the single certificate. It is possible that a certificate bound to a
set of bulk algorithms supported by the recipient is unknown. key located on a hardware device is limited to a small set of
Second, no additional certificates may be carried which would help algorithms, while a certificate bound to a software implementation
in validating the recipient's certificates. can have a greater set of algorithms associated with it. The
problem of determining what to publish is made all the harder
because it is possible the intersection of the algorithms is empty.
We therefore need to have a method that binds a specific list of
algorithms to a specific certificate.
Building the necessary chain of certificates is the other problem.
While it is possible to do direct lookup using an X.500 directory,
the same is not true of an LDAP directory especially if one is using
cross-certificates to a different root. While the problem is made
somewhat easier by the Authority Information Access extension (it is
possible to know where to look for the issuer certificate), it still
requires multiple network accesses to build the certificate chain
for what is relatively static information. If we can include at
least one common chain with the userĘs certificate this problem is
simplified.
Certificate Files
Schaad 2
CertDist May 2000
Using certificate files for certificate distribution has the benefit Using certificate files for certificate distribution has the benefit
of already being in wide spread use. (They are commonly used for of already being in wide spread use. (They are commonly used for
certificate distribution from Certificate Authorities either as part certificate distribution from Certificate Authorities either as part
of the enrollment protocol or from web based repositories.) The of the enrollment protocol or from web based repositories.) The
degenerate CMS signed object form, certificate files may carry a set degenerate CMS signed object form, certificate files may carry a set
of certificates to allow a sender to validate the recipients of certificates to allow a sender to validate the recipients
certificates. However, they suffer from two drawbacks. First, as certificates. However, they suffer from two drawbacks. First, as
with the public directory, the additional information is not with the public directory, the additional information is not
available as part of the certificate file. Second, the certificate available as part of the certificate file. Second, the certificate
is obtained from either the recipient one is encrypting for or a is obtained from either the recipient one is encrypting for or a
third party (not a directory). third party (not a directory).
Signed Objects
Using signed objects for certificate distribution has the benefit of Using signed objects for certificate distribution has the benefit of
allowing additional information such as the SMimeCapabilities allowing additional information such as the SMimeCapabilities
attribute to be carried as part of the package. It also allows for attribute to be carried as part of the package. It also allows for
the inclusion of additional certificates to be used in verifying the the inclusion of additional certificates to be used in verifying the
encryption certificate used to build an encrypted object. However, encryption certificate used to build an encrypted object. However,
Schaad 2
CertDist October 1999
it has the drawback that the initialization process is done via a it has the drawback that the initialization process is done via a
one-on-one process. one-on-one process.
3. SMimeEncryptCerts 3. SMimeEncryptCerts
When publishing one's own encryption certificates, it is often When publishing one's own encryption certificates, it is often
advisable to publish a wide selection of certificates to insure advisable to publish a wide selection of certificates to insure
maximum interoperability. This section describes an attribute that maximum interoperability. This section describes an attribute that
is used both to identify the set of encryption certificates and to is used both to identify the set of encryption certificates and to
establish the set of bulk encryption algorithms supported by each of establish the set of bulk encryption algorithms supported by each of
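Review bot: the two paragraphs added under Public Directory spell "user's" with a non-ASCII apostrophe, which renders here as "userĘs" in both places (the chain-validation sentence and the "common chain" sentence); use a plain ASCII apostrophe. In the same region the new running header reads "CertDist May 2000" while the first page of -05 is dated November 19, 2000. The rewritten key-words paragraph has no space after the comma in "SHALL NOT","SHOULD" and cites RFC 2119 by number where the old text used the [MUSTSHOULD] reference tag; pick one citation form.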
skipping to change at line 156 skipping to change at line 174
hash Hash, hash Hash,
capabilities SMIMECapabilities capabilities SMIMECapabilities
} }
SMimeEncryptCerts ::= SEQUENCE OF SmimeEncryptCert SMimeEncryptCerts ::= SEQUENCE OF SmimeEncryptCert
Hash ::= OCTET STRING - SHA1 hash of the certificate Hash ::= OCTET STRING - SHA1 hash of the certificate
When a certificate appears in an SMimeEncryptCerts attribute, the When a certificate appears in an SMimeEncryptCerts attribute, the
certificate MUST be available to the verifier in a well known certificate MUST be available to the verifier in a well known
location. For plain SignedData objects, this is the certificate bag Schaad 3
in the object. (Section 4.5 defines another location for LDAP CertDist May 2000
directories.) The order of certificates in the SMimeEncryptCerts
location. For SignedData objects, this is the certificate bag in
the object. The order of certificates in the SMimeEncryptCerts
attribute is the preferred order of use by the sender. attribute is the preferred order of use by the sender.
If present, the SMimeEncryptCerts attribute MUST be an authenticated If present, the SMimeEncryptCerts attribute MUST be an authenticated
attribute; it MUST NOT be an unauthenticated attribute. CMS defines attribute; it MUST NOT be an unauthenticated attribute. CMS defines
authenticatedAttributes as a SET OF AuthAttribute. A SignerInfo authenticatedAttributes as a SET OF AuthAttribute. A SignerInfo
MUST NOT include multiple instances of the SMimeEncryptCerts MUST NOT include multiple instances of the SMimeEncryptCerts
attribute. CMS defines the ASN.1 syntax for the authenticated attribute. CMS defines the ASN.1 syntax for the authenticated
attributes to include attrValues SET OF AttributeValue. A attributes to include attrValues SET OF AttributeValue. A
SMimeEncryptCerts attribute MUST only include a single instance of SMimeEncryptCerts attribute MUST only include a single instance of
AttributeValue. There MUST NOT be zero or multiple instances of AttributeValue. There MUST be one instance of AttributeValue present
AttributeValue present in the attrValues SET OF AttributeValue. in the attrValues SET OF AttributeValue.
4. SMimeCertificatePublish Object 4. SMimeCertificatePublish Object
Schaad 3
CertDist October 1999
The structure of the SMimeCertificatePublish object is defined in The structure of the SMimeCertificatePublish object is defined in
this section. This object has the benefit that it is published into this section. This object has the benefit that it is published into
a directory service (and thus is available to all parties) and a directory service (and thus is available to all parties) and it
itcontains a signed object that allows it to carry the additional contains a signed object that allows it to carry the additional
information desired to increase interoperability. information desired to increase interoperability.
This section describes the LDAP directory schema, the body content This section describes the LDAP directory schema, the body content
and additional restrictions on the attribute and signers of the and additional restrictions on the attribute and signers of the
SignedData object used in publishing the user's certificate. SignedData object used in publishing the user's certificate.
The ASN definition of a SMimeCertificatePublish object is the same a The ASN definition of a SMimeCertificatePublish object is the same a
CMS signed object. CMS signed object.
SMimeCertificatePublish ::= ContentInfo SMimeCertificatePublish ::= ContentInfo
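Review bot: in the last paragraph of section 3 the replacement sentence "There MUST be one instance of AttributeValue present" can be read as "at least one", which the old "MUST NOT be zero or multiple instances" ruled out; say "exactly one instance". The rewrite also drops the pointer to Section 4.5 as a second well-known location without saying where a verifier finds the certificate when the object is fetched from a directory. The inline definitions still use a single "-" before the Hash comment and the spelling SmimeEncryptCert, unlike the "--" and SMimeEncryptCert used in the module.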
skipping to change at line 214 skipping to change at line 231
The following object identifier is used to distinguish the content The following object identifier is used to distinguish the content
of a SMimeCertificatePublish: of a SMimeCertificatePublish:
id-ct-publishCert OBJECT IDENTIFIER ::= { iso(1) member-body(2) id-ct-publishCert OBJECT IDENTIFIER ::= { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-ct(1) us(840) rsadsi(113549) pkcs(1) pkcs9(9) smime(16) id-ct(1)
3) 3)
When creating a SMimeCertificatePublish object, the eContent of the When creating a SMimeCertificatePublish object, the eContent of the
Signed-Data object is omitted and the eContentType OID is set to id- Signed-Data object is omitted and the eContentType OID is set to id-
ct- publishCert. Note this is different from an empty content, Schaad 4
which would be represented as an octet string containing zero bytes. CertDist May 2000
The hash of the body (used in the id-message-digest attribute) is
set to the initialization value of the hash function. (This is ct-publishCert. Note this is different from an empty content, which
expected to provide the same result as if you had hashed a body would be represented as an octet string containing zero bytes. The
containing exactly 0 bytes.) hash of the body (used in the id-message-digest attribute) is set to
the initialization value of the hash function. (This is expected to
provide the same result as if you had hashed a body containing
exactly 0 bytes.)
4.2 Signed Attributes 4.2 Signed Attributes
The signed attributes section MUST be present in the SignerInfo The signed attributes section MUST be present in the SignerInfo
object, and the following signed attributes MUST be present: The object, and the following signed attributes MUST be present: The
signing-time attribute (from [CMS]), the SMimeCapabilities and signing-time attribute (from [CMS]), the SMimeCapabilities and
SMIMEEncryptionKeyPreference (from [SMIME]). SMIMEEncryptionKeyPreference (from [SMIME]).
4.3 CertificateSet 4.3 CertificateSet
Schaad 4
CertDist October 1999
This draft imposes additional restrictions on the set of This draft imposes additional restrictions on the set of
certificates to be included in the SignedData object beyond those certificates to be included in the SignedData object beyond those
specified in [CMS] and [SMIMECERT]. A chain of certificate from the specified in [CMS] and [SMIMECERT]. A chain of certificate from the
end-entitycertificate(s) to the root certificate(s) MUST be included end-entity certificate(s) to the root certificate(s) MUST be
in the CertificateSet. Unlike in S/MIME messages the root included in the CertificateSet. Unlike in S/MIME messages the root
certificate MUST be included in the CertificateSet. The root certificate MUST be included in the CertificateSet. The root
certificate is included so that end-entities have a better chance of certificate is included so that end-entities have a better chance of
finding and independently verifying the trustworthiness of the root finding and independently verifying the trustworthiness of the root
certificate based on its content. certificate based on its content.
User agents MUST NOT automatically trust any root certificate found User agents MUST NOT automatically trust any root certificate found
in a SMimeCertificatePublish object. in a SMimeCertificatePublish object.
4.4 Signing Certificate 4.4 Signing Certificate
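Review bot: the reflowed paragraph just before 4.2 still says the message-digest is "set to the initialization value of the hash function" and then equates that with hashing a body of exactly 0 bytes; those are different values, because the digest of zero octets includes padding and finalization, so state it only as the hash computed over zero octets. Also still open in this region: the id-ct-publishCert definition opens with "{" and closes with "3)", where the module has "3 }", and 4.3 reads "A chain of certificate".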
skipping to change at line 268 skipping to change at line 285
The steps for extracting the encryption certificate from a The steps for extracting the encryption certificate from a
SMimeCertificatePublish object are as follows: SMimeCertificatePublish object are as follows:
1. Verify that the SMimeCertificatePublish object contains a valid 1. Verify that the SMimeCertificatePublish object contains a valid
signature and the certificate used to sign the message can be signature and the certificate used to sign the message can be
validated. validated.
2. Does the certificate used to sign the SMimeCertificatePublish 2. Does the certificate used to sign the SMimeCertificatePublish
object "match" the intended recipient of the encryption object? object "match" the intended recipient of the encryption object?
If so, proceed to step 6 else no encryption certificate is found. If so, proceed to step 3 else no encryption certificate is found.
Schaad 5
CertDist May 2000
3. Get the set of potential encryption certificates from the 3. Get the set of potential encryption certificates from the
SMIMEEncryptCerts attribute in the signed attributes of the SMIMEEncryptCerts attribute in the signed attributes of the
SMimeCertificatePublish object. SMimeCertificatePublish object.
4. Select the encryption certificate from the set of potential 4. Select the encryption certificate from the set of potential
encryption certificates by validating the certificate and encryption certificates by validating the certificate and
examining the set of encryption algorithms. examining the set of encryption algorithms.
In all cases, once an encryption certificate has been obtained, the In all cases, once an encryption certificate has been obtained, the
standard methods of validating signatures on the certificate and standard methods of validating signatures on the certificate and
checking for revocation MUST be followed. checking for revocation MUST be followed.
4.5 LDAP Schema 4.5 LDAP Schema
After a SignedData object has been produced, it needs to be After a SignedData object has been produced, it needs to be
published into one or more directories. This section describes the published into one or more directories. The following auxiliary
LDAP schema used to support this. object class MAY be used to represent certificate subjects:
Schaad 5
CertDist October 1999
A new LDAP attribute userSMimeCertificate is defined by this
document. The attribute is defined according to the syntax provided
in [LDAPV3]. The definition of this attribute is:
( 1 2 840 113549 1 9 16 <TBD> pkiUser OBJECT-CLASS ::= {
NAME `userSMimeCertificate' SUBCLASS OF { top}
SYNTAX `binary' KIND auxiliary
MULTI-VALUE MAY CONTAIN {userSMimeCertificate}
USAGE userApplications ID joint-iso-ccitt(2) ds(5) objectClass(6) pkiUser(21)}
)
If the SignedData object is to be published in userSMimeCertificate, userSMimeCertificate ATTRIBUTE ::= {
the end-entity certificates MAY be omitted from the certificate bag WITH SYNTAX ContentInfo
and published in the userCertificates LDAP attribute instead. EQUALITY MATCHING RULE contentInfoExactMatch
ID 1 2 840 113549 1 9 16 4 1 }
If the CA is the only entity that can write to the directory, it may If the CA is the only entity that can write to the directory, it may
wish to provide some mechanism for updating the attributes such as wish to provide some mechanism for updating the attributes such as
the smimeUserCapabilities in the published object. the smimeUserCapabilities in the published object.
4.6 MIME Encoding 4.6 MIME Encoding
The application/pkcs7-mime-publish content type is used to carry The application/pkcs7-mime-publish content type is used to carry
SMimeCertificatePublish objects as mime objects. The optional SMimeCertificatePublish objects as mime objects. The optional
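Review bot: the new userSMimeCertificate definition in 4.5 names an equality rule, contentInfoExactMatch, that is not defined in the text shown, and it no longer says whether the attribute is multi-valued or transferred as binary, both of which the old LDAP definition stated. Either define the matching rule or drop it, carry the MULTI-VALUE and binary properties over, and add a sentence introducing the attribute, since the only lead-in left is for the pkiUser object class. The heading is still "LDAP Schema" although both definitions are now written in X.500 notation.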
"name" parameter SHOULD be emitted as part of the Content-Type "name" parameter SHOULD be emitted as part of the Content-Type
skipping to change at line 329 skipping to change at line 343
{ iso(1) member-body(2) us(840) rsadsi(113549) { iso(1) member-body(2) us(840) rsadsi(113549)
pkcs(1) pkcs-9(9) smime(16) modules(0) <TBD> } pkcs(1) pkcs-9(9) smime(16) modules(0) <TBD> }
DEFINITIONS IMPLICIT TAGS ::= DEFINITIONS IMPLICIT TAGS ::=
BEGIN BEGIN
-- EXPORTS All -- EXPORTS All
-- The types and values defined in this module are exported for -- The types and values defined in this module are exported for
-- use in the other ASN.1 modules. Other applications may use -- use in the other ASN.1 modules. Other applications may use
-- them for their own purposes. -- them for their own purposes.
Schaad 6
CertDist May 2000
IMPORTS IMPORTS
-- SMime Cryptographic Message Format -- SMime Cryptographic Message Format
ContentInfo ContentInfo
FROM CryptographicMessageSyntax { iso(1) member-body(2) FROM CryptographicMessageSyntax { iso(1) member-body(2)
us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16)
modules(0) cms(1) } modules(0) cms(1) }
-- SecureMimeMessageV3 -- SecureMimeMessageV3
SMIMECapabilities SMIMECapabilities
FROM SecureMimeMessageV3 { iso(1) member-body(2) us(840) FROM SecureMimeMessageV3 { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0)
smime(4)}; smime(4)};
-- S/MIME Object Identifier Registry -- S/MIME Object Identifier Registry
Schaad 6
CertDist October 1999
id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840) id-smime OBJECT IDENTIFIER ::= { iso(1) member-body(2) us(840)
rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) } rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) }
-- Authenticated Attribute identifing Encryption Certificates -- Authenticated Attribute identifying Encryption Certificates
-- Value is a single SMimeEncryptCerts -- Value is a single SMimeEncryptCerts
id-aa-smimeEncryptCerts OBJECT IDENTIFIER ::= { id-smime id-aa(2) id-aa-smimeEncryptCerts OBJECT IDENTIFIER ::= { id-smime id-aa(2)
13 } 13 }
SMimeEncryptCerts ::= SEQUENCE OF SMimeEncryptCert SMimeEncryptCerts ::= SEQUENCE OF SMimeEncryptCert
SMimeEncryptCert ::= SEQUENCE { SMimeEncryptCert ::= SEQUENCE {
hash Hash, hash Hash,
capabilities SMIMECapabilities capabilities SMIMECapabilities
} }
Hash ::= OCTET STRING -- SHA1 hash of the certificate Hash ::= OCTET STRING -- SHA1 hash of the certificate
-- Content Type of Certificate publish message. -- Content Type of Certificate publish message.
-- Signed content is detatched and empty -- Signed content is detached and empty
id-ct-publishCert OBJECT IDENTIFIER ::= { id-smime id-ct(1) 3 } id-ct-publishCert OBJECT IDENTIFIER ::= { id-smime id-ct(1) 3 }
SMimeCertificatePublish ::= ContentInfo SMimeCertificatePublish ::= ContentInfo
END -- of SMimeCertDistributionSyntax END -- of SMimeCertDistributionSyntax
B. Backwards Compatibility B. Backwards Compatibility
The SMimeCertificatePublish object is based on work previously done The SMimeCertificatePublish object is based on work previously done
at both Microsoft and Netscape. at both Microsoft and Netscape.
Both of these companies have implemented a version of Both of these companies have implemented a version of
userSMimeCertificate in their mail LDAP directory structures. userSMimeCertificate in their mail LDAP directory structures.
Microsoft has also put the property into its MAPI based directory Microsoft has also put the property into its MAPI based directory
schema. schema.
Both companies use a ContentInfo object containing a SignedData Both companies use a ContentInfo object containing a SignedData
object with one SignerInfo object. In both cases however the object with one SignerInfo object. In both cases however the
eContent is tagged with id-data not id-ct-publishCert. The actual eContent is tagged with id-data not id-ct-publishCert. The actual
content is omitted from the SMimeCertificatePublish object. content is omitted from the SMimeCertificatePublish object.
Schaad 7
In the case of both companies, clients who implement this feature CertDist May 2000
require that the end-entity is the signer of the object; the CA is
not permitted to sign and publish the object.
Microsoft has also produced an early version of the Microsoft has also produced an early version of the
SMimeEncryptCerts attribute. The syntax for this structure is SMimeEncryptCerts attribute. The syntax for this structure is
id-Microsoft-SMimeEncryptCert OBJECT IDENTIFIER ::= {1 3 6 1 4 1 id-Microsoft-SMimeEncryptCert OBJECT IDENTIFIER ::= {1 3 6 1 4 1
311 16 4} 311 16 4}
Microsoft-SMimeEncryptionert ::= IssuerAndSerialNumber Microsoft-SMimeEncryptionCert ::= IssuerAndSerialNumber
A description of IssuerAndSerialNumber can be find in [CMS].
Schaad 7 A description of IssuerAndSerialNumber can be found in [CMS].
CertDist October 1999
C. Registration of MIME C. Registration of MIME
To: ietf-types@iana.org To: ietf-types@iana.org
Subject: Registration of MIME media type application/pkcs7-mime- Subject: Registration of MIME media type application/pkcs7-mime-
publish publish
MIME media type name: application MIME media type name: application
MIME subtype name: pkcs7-mime-publish MIME subtype name: pkcs7-mime-publish
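Review bot: Appendix B loses the paragraph saying that existing Microsoft and Netscape clients require the end-entity to be the signer and do not permit the CA to sign and publish the object; that is an interoperability constraint on who may publish, so keep it or state why it no longer holds. The module identifier at the top of the ASN.1 module also still ends in "<TBD>", even though this revision assigns 1 2 840 113549 1 9 16 4 1 to userSMimeCertificate.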
skipping to change at line 437 skipping to change at line 445
Published specification: this document Published specification: this document
Applications that use this media type: Secure Internet mail and Applications that use this media type: Secure Internet mail and
other secure data transports. other secure data transports.
Additional information: Additional information:
File extension (s): p7p File extension (s): p7p
Macintosh File Type Code (s): - Macintosh File Type Code (s): -
Person and email address to contact for further information: Jim Person and email address to contact for further information: Jim
Schaad, jimsch@microsoft.com Schaad, jimsch@exmsft.com
Intended usage: COMMON Intended usage: COMMON
D. Example Message D. Example Message
In this example Alice makes the statement that messages encrypted In this example Alice makes the statement that messages encrypted
for her should use one of two encryption certificates issued to Bob. for her should use one of two encryption certificates issued to Bob.
0 30 NDEF: SEQUENCE { 0 30 NDEF: SEQUENCE {
2 06 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2) 2 06 9: OBJECT IDENTIFIER signedData (1 2 840 113549 1 7 2)
Schaad 8
CertDist May 2000
13 A0 NDEF: [0] { 13 A0 NDEF: [0] {
15 30 NDEF: SEQUENCE { 15 30 NDEF: SEQUENCE {
17 02 1: INTEGER 1 17 02 1: INTEGER 1
20 31 11: SET { 20 31 11: SET {
22 30 9: SEQUENCE { 22 30 9: SEQUENCE {
24 06 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 24 06 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
31 05 0: NULL 31 05 0: NULL
: } : }
: } : }
33 30 NDEF: SEQUENCE { 33 30 NDEF: SEQUENCE {
35 06 11: OBJECT IDENTIFIER 35 06 11: OBJECT IDENTIFIER
: id-ct-publishCert (1 2 840 113549 1 9 16 1 3) : id-ct-publishCert (1 2 840 113549 1 9 16 1 3)
Schaad 8
CertDist October 1999
48 A0 NDEF: [0] { 48 A0 NDEF: [0] {
: } : }
: } : }
54 A0 3298: [0] { 54 A0 3298: [0] {
58 30 491: SEQUENCE { 58 30 491: SEQUENCE {
62 30 340: SEQUENCE { 62 30 340: SEQUENCE {
66 A0 3: [0] { 66 A0 3: [0] {
68 02 1: INTEGER 2 68 02 1: INTEGER 2
: } : }
71 02 16: INTEGER 71 02 16: INTEGER
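Review bot: the dump still carries an empty "[0] { }" at offset 48 after the id-ct-publishCert OID, so the eContent field is present but empty, while the text before 4.2 says the eContent is omitted and that this differs from an empty content; regenerate the example without that element. The introduction to Appendix D also says the encryption certificates Alice names were "issued to Bob", which looks like a name mix-up and is unchanged in -05.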
skipping to change at line 506 skipping to change at line 514
: } : }
: } : }
: } : }
176 30 159: SEQUENCE { 176 30 159: SEQUENCE {
179 30 13: SEQUENCE { 179 30 13: SEQUENCE {
181 06 9: OBJECT IDENTIFIER 181 06 9: OBJECT IDENTIFIER
: rsaEncryption (1 2 840 113549 1 1 1) : rsaEncryption (1 2 840 113549 1 1 1)
192 05 0: NULL 192 05 0: NULL
: } : }
194 03 141: BIT STRING 0 unused bits 194 03 141: BIT STRING 0 unused bits
Schaad 9
CertDist May 2000
: 30 81 89 02 81 81 00 E4 4B FF 18 B8 24 57 F4 77 : 30 81 89 02 81 81 00 E4 4B FF 18 B8 24 57 F4 77
: FF 6E 73 7B 93 71 5C BC 33 1A 92 92 72 23 D8 41 : FF 6E 73 7B 93 71 5C BC 33 1A 92 92 72 23 D8 41
: 46 D0 CD 11 3A 04 B3 8E AF 82 9D BD 51 1E 17 7A : 46 D0 CD 11 3A 04 B3 8E AF 82 9D BD 51 1E 17 7A
: F2 76 2C 2B 86 39 A7 BD D7 8D 1A 53 EC E4 00 D5 : F2 76 2C 2B 86 39 A7 BD D7 8D 1A 53 EC E4 00 D5
: E8 EC A2 36 B1 ED E2 50 E2 32 09 8A 3F 9F 99 25 : E8 EC A2 36 B1 ED E2 50 E2 32 09 8A 3F 9F 99 25
: 8F B8 4E AB B9 7D D5 96 65 DA 16 A0 C5 BE 0E AE : 8F B8 4E AB B9 7D D5 96 65 DA 16 A0 C5 BE 0E AE
: 44 5B EF 5E F4 A7 29 CB 82 DD AC 44 E9 AA 93 94 : 44 5B EF 5E F4 A7 29 CB 82 DD AC 44 E9 AA 93 94
: 29 0E F8 18 D6 C8 57 5E F2 76 C4 F2 11 60 38 B9 : 29 0E F8 18 D6 C8 57 5E F2 76 C4 F2 11 60 38 B9
: 1B 3C 1D 97 C9 6A F1 02 03 01 00 01 : 1B 3C 1D 97 C9 6A F1 02 03 01 00 01
: } : }
338 A3 66: [3] { 338 A3 66: [3] {
340 30 64: SEQUENCE { 340 30 64: SEQUENCE {
Schaad 9
CertDist October 1999
342 30 15: SEQUENCE { 342 30 15: SEQUENCE {
344 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 344 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
349 01 1: BOOLEAN TRUE 349 01 1: BOOLEAN TRUE
352 04 5: OCTET STRING 352 04 5: OCTET STRING
: 30 03 01 01 FF : 30 03 01 01 FF
: } : }
359 30 14: SEQUENCE { 359 30 14: SEQUENCE {
361 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 361 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
366 01 1: BOOLEAN TRUE 366 01 1: BOOLEAN TRUE
369 04 4: OCTET STRING 369 04 4: OCTET STRING
skipping to change at line 564 skipping to change at line 572
: 76 FA B9 B9 31 F9 F9 6B 12 53 A0 F5 14 60 9B 7D : 76 FA B9 B9 31 F9 F9 6B 12 53 A0 F5 14 60 9B 7D
: CA 3E F2 53 6B B0 37 6F AD E6 74 D7 DB FA 5A EA : CA 3E F2 53 6B B0 37 6F AD E6 74 D7 DB FA 5A EA
: 14 41 63 5D CD BE C8 0E C1 DA 6A 8D 53 34 18 02 : 14 41 63 5D CD BE C8 0E C1 DA 6A 8D 53 34 18 02
: } : }
553 30 520: SEQUENCE { 553 30 520: SEQUENCE {
557 30 369: SEQUENCE { 557 30 369: SEQUENCE {
561 A0 3: [0] { 561 A0 3: [0] {
563 02 1: INTEGER 2 563 02 1: INTEGER 2
: } : }
566 02 16: INTEGER 566 02 16: INTEGER
Schaad 10
CertDist May 2000
: 46 34 6B C7 80 00 56 BC 11 D3 6E 2E CD 5D 71 D0 : 46 34 6B C7 80 00 56 BC 11 D3 6E 2E CD 5D 71 D0
584 30 13: SEQUENCE { 584 30 13: SEQUENCE {
586 06 9: OBJECT IDENTIFIER 586 06 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2 840 113549 1 1 5) : sha1withRSAEncryption (1 2 840 113549 1 1 5)
597 05 0: NULL 597 05 0: NULL
: } : }
599 30 18: SEQUENCE { 599 30 18: SEQUENCE {
601 31 16: SET { 601 31 16: SET {
603 30 14: SEQUENCE { 603 30 14: SEQUENCE {
605 06 3: OBJECT IDENTIFIER commonName (2 5 4 3) 605 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
610 13 7: PrintableString 'CarlRSA' 610 13 7: PrintableString 'CarlRSA'
: } : }
Schaad 10
CertDist October 1999
: } : }
: } : }
619 30 30: SEQUENCE { 619 30 30: SEQUENCE {
621 17 13: UTCTime '990819070000Z' 621 17 13: UTCTime '990819070000Z'
636 17 13: UTCTime '391231235959Z' 636 17 13: UTCTime '391231235959Z'
: } : }
651 30 17: SEQUENCE { 651 30 17: SEQUENCE {
653 31 15: SET { 653 31 15: SET {
655 30 13: SEQUENCE { 655 30 13: SEQUENCE {
657 06 3: OBJECT IDENTIFIER commonName (2 5 4 3) 657 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
skipping to change at line 622 skipping to change at line 630
836 30 12: SEQUENCE { 836 30 12: SEQUENCE {
838 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 838 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
843 01 1: BOOLEAN TRUE 843 01 1: BOOLEAN TRUE
846 04 2: OCTET STRING 846 04 2: OCTET STRING
: 30 00 : 30 00
: } : }
850 30 14: SEQUENCE { 850 30 14: SEQUENCE {
852 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 852 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
857 01 1: BOOLEAN TRUE 857 01 1: BOOLEAN TRUE
860 04 4: OCTET STRING 860 04 4: OCTET STRING
Schaad 11
CertDist May 2000
: 03 02 05 20 : 03 02 05 20
: } : }
866 30 31: SEQUENCE { 866 30 31: SEQUENCE {
868 06 3: OBJECT IDENTIFIER 868 06 3: OBJECT IDENTIFIER
: authorityKeyIdentifier (2 5 29 35) : authorityKeyIdentifier (2 5 29 35)
873 04 24: OCTET STRING 873 04 24: OCTET STRING
: 30 16 80 14 E9 E0 90 27 AC 78 20 7A 9A D3 4C F2 : 30 16 80 14 E9 E0 90 27 AC 78 20 7A 9A D3 4C F2
: 42 37 4E 22 AE 9E 38 BB : 42 37 4E 22 AE 9E 38 BB
: } : }
899 30 29: SEQUENCE { 899 30 29: SEQUENCE {
901 06 3: OBJECT IDENTIFIER 901 06 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14) : subjectKeyIdentifier (2 5 29 14)
Schaad 11
CertDist October 1999
906 04 22: OCTET STRING 906 04 22: OCTET STRING
: 04 14 E8 F4 B8 67 D8 B3 96 A4 2A F3 11 AA 29 D3 : 04 14 E8 F4 B8 67 D8 B3 96 A4 2A F3 11 AA 29 D3
: 95 5A 86 16 B4 24 : 95 5A 86 16 B4 24
: } : }
: } : }
: } : }
: } : }
930 30 13: SEQUENCE { 930 30 13: SEQUENCE {
932 06 9: OBJECT IDENTIFIER 932 06 9: OBJECT IDENTIFIER
: sha1withRSAEncryption (1 2 840 113549 1 1 5) : sha1withRSAEncryption (1 2 840 113549 1 1 5)
skipping to change at line 680 skipping to change at line 688
1108 30 14: SEQUENCE { 1108 30 14: SEQUENCE {
1110 06 3: OBJECT IDENTIFIER commonName (2 5 4 3) 1110 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
1115 13 7: PrintableString 'CarlDSS' 1115 13 7: PrintableString 'CarlDSS'
: } : }
: } : }
: } : }
1124 30 30: SEQUENCE { 1124 30 30: SEQUENCE {
1126 17 13: UTCTime '990816225050Z' 1126 17 13: UTCTime '990816225050Z'
1141 17 13: UTCTime '391231235959Z' 1141 17 13: UTCTime '391231235959Z'
: } : }
Schaad 12
CertDist May 2000
1156 30 18: SEQUENCE { 1156 30 18: SEQUENCE {
1158 31 16: SET { 1158 31 16: SET {
1160 30 14: SEQUENCE { 1160 30 14: SEQUENCE {
1162 06 3: OBJECT IDENTIFIER commonName (2 5 4 3) 1162 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
1167 13 7: PrintableString 'CarlDSS' 1167 13 7: PrintableString 'CarlDSS'
: } : }
: } : }
: } : }
1176 30 439: SEQUENCE { 1176 30 439: SEQUENCE {
1180 30 299: SEQUENCE { 1180 30 299: SEQUENCE {
1184 06 7: OBJECT IDENTIFIER dsa (1 2 840 10040 4 1) 1184 06 7: OBJECT IDENTIFIER dsa (1 2 840 10040 4 1)
1193 30 286: SEQUENCE { 1193 30 286: SEQUENCE {
Schaad 12
CertDist October 1999
1197 02 129: INTEGER 1197 02 129: INTEGER
: 00 B6 49 18 3E 8A 44 C1 29 71 94 4C 01 C4 12 C1 : 00 B6 49 18 3E 8A 44 C1 29 71 94 4C 01 C4 12 C1
: 7A 79 CB 54 4D AB 1E 81 FB C6 4C B3 0E 94 09 06 : 7A 79 CB 54 4D AB 1E 81 FB C6 4C B3 0E 94 09 06
: EB 01 D4 B1 C8 71 4B C7 45 C0 50 25 5D 9C FC DA : EB 01 D4 B1 C8 71 4B C7 45 C0 50 25 5D 9C FC DA
: E4 6D D3 E2 86 48 84 82 7D BA 15 95 4A 16 F6 46 : E4 6D D3 E2 86 48 84 82 7D BA 15 95 4A 16 F6 46
: ED DD F6 98 D2 BB 7E 8A 0A 8A BA 16 7B B9 50 01 : ED DD F6 98 D2 BB 7E 8A 0A 8A BA 16 7B B9 50 01
: 48 93 8B EB 25 15 51 97 55 DC 8F 53 0E 10 A9 50 : 48 93 8B EB 25 15 51 97 55 DC 8F 53 0E 10 A9 50
: FC 70 B7 CD 30 54 FD DA DE A8 AA 22 B5 A1 AF 8B : FC 70 B7 CD 30 54 FD DA DE A8 AA 22 B5 A1 AF 8B
: CC 02 88 E7 8B 70 5F B9 AD E1 08 D4 6D 29 2D D6 : CC 02 88 E7 8B 70 5F B9 AD E1 08 D4 6D 29 2D D6
: E9 : E9
skipping to change at line 738 skipping to change at line 746
: 56 4D 80 7A : 56 4D 80 7A
: } : }
1619 A3 66: [3] { 1619 A3 66: [3] {
1621 30 64: SEQUENCE { 1621 30 64: SEQUENCE {
1623 30 15: SEQUENCE { 1623 30 15: SEQUENCE {
1625 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 1625 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
1630 01 1: BOOLEAN TRUE 1630 01 1: BOOLEAN TRUE
1633 04 5: OCTET STRING 1633 04 5: OCTET STRING
: 30 03 01 01 FF : 30 03 01 01 FF
: } : }
Schaad 13
CertDist May 2000
1640 30 14: SEQUENCE { 1640 30 14: SEQUENCE {
1642 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 1642 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
1647 01 1: BOOLEAN TRUE 1647 01 1: BOOLEAN TRUE
1650 04 4: OCTET STRING 1650 04 4: OCTET STRING
: 03 02 01 86 : 03 02 01 86
: } : }
1656 30 29: SEQUENCE { 1656 30 29: SEQUENCE {
1658 06 3: OBJECT IDENTIFIER 1658 06 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14) : subjectKeyIdentifier (2 5 29 14)
1663 04 22: OCTET STRING 1663 04 22: OCTET STRING
: 04 14 70 44 3E 82 2E 6F 87 DE 4A D3 75 E3 3D 20 : 04 14 70 44 3E 82 2E 6F 87 DE 4A D3 75 E3 3D 20
: BC 43 2B 93 F1 1F : BC 43 2B 93 F1 1F
Schaad 13
CertDist October 1999
: } : }
: } : }
: } : }
: } : }
1687 30 9: SEQUENCE { 1687 30 9: SEQUENCE {
1689 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3) 1689 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: } : }
1698 03 48: BIT STRING 0 unused bits 1698 03 48: BIT STRING 0 unused bits
: 30 2D 02 14 6B A9 F0 4E 7A 5A 79 E3 F9 BE 3D 2B : 30 2D 02 14 6B A9 F0 4E 7A 5A 79 E3 F9 BE 3D 2B
: C9 06 37 E9 11 17 A1 13 02 15 00 8F 34 69 2A 8B : C9 06 37 E9 11 17 A1 13 02 15 00 8F 34 69 2A 8B
skipping to change at line 796 skipping to change at line 804
1828 30 19: SEQUENCE { 1828 30 19: SEQUENCE {
1830 31 17: SET { 1830 31 17: SET {
1832 30 15: SEQUENCE { 1832 30 15: SEQUENCE {
1834 06 3: OBJECT IDENTIFIER commonName (2 5 4 3) 1834 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
1839 13 8: PrintableString 'AliceDSS' 1839 13 8: PrintableString 'AliceDSS'
: } : }
: } : }
: } : }
1849 30 438: SEQUENCE { 1849 30 438: SEQUENCE {
1853 30 299: SEQUENCE { 1853 30 299: SEQUENCE {
Schaad 14
CertDist May 2000
1857 06 7: OBJECT IDENTIFIER dsa (1 2 840 10040 4 1) 1857 06 7: OBJECT IDENTIFIER dsa (1 2 840 10040 4 1)
1866 30 286: SEQUENCE { 1866 30 286: SEQUENCE {
1870 02 129: INTEGER 1870 02 129: INTEGER
: 00 81 8D CD ED 83 EA 0A 9E 39 3E C2 48 28 A3 E4 : 00 81 8D CD ED 83 EA 0A 9E 39 3E C2 48 28 A3 E4
: 47 93 DD 0E D7 A8 0E EC 53 C5 AB 84 08 4F FF 94 : 47 93 DD 0E D7 A8 0E EC 53 C5 AB 84 08 4F FF 94
: E1 73 48 7E 0C D6 F3 44 48 D1 FE 9F AF A4 A1 89 : E1 73 48 7E 0C D6 F3 44 48 D1 FE 9F AF A4 A1 89
: 2F E1 D9 30 C8 36 DE 3F 9B BF B7 4C DC 5F 69 8A : 2F E1 D9 30 C8 36 DE 3F 9B BF B7 4C DC 5F 69 8A
: E4 75 D0 37 0C 91 08 95 9B DE A7 5E F9 FC F4 9F : E4 75 D0 37 0C 91 08 95 9B DE A7 5E F9 FC F4 9F
: 2F DD 43 A8 8B 54 F1 3F B0 07 08 47 4D 5D 88 C3 : 2F DD 43 A8 8B 54 F1 3F B0 07 08 47 4D 5D 88 C3
: C3 B5 B3 E3 55 08 75 D5 39 76 10 C4 78 BD FF 9D : C3 B5 B3 E3 55 08 75 D5 39 76 10 C4 78 BD FF 9D
: B0 84 97 37 F2 E4 51 1B B5 E4 09 96 5C F3 7E 5B : B0 84 97 37 F2 E4 51 1B B5 E4 09 96 5C F3 7E 5B
: DB : DB
Schaad 14
CertDist October 1999
2002 02 21: INTEGER 2002 02 21: INTEGER
: 00 E2 47 A6 1A 45 66 B8 13 C6 DA 8F B8 37 21 2B : 00 E2 47 A6 1A 45 66 B8 13 C6 DA 8F B8 37 21 2B
: 62 8B F7 93 CD : 62 8B F7 93 CD
2025 02 128: INTEGER 2025 02 128: INTEGER
: 26 38 D0 14 89 32 AA 39 FB 3E 6D D9 4B 59 6A 4C : 26 38 D0 14 89 32 AA 39 FB 3E 6D D9 4B 59 6A 4C
: 76 23 39 04 02 35 5C F2 CB 1A 30 C3 1E 50 5D DD : 76 23 39 04 02 35 5C F2 CB 1A 30 C3 1E 50 5D DD
: 9B 59 E2 CD AA 05 3D 58 C0 7B A2 36 B8 6E 07 AF : 9B 59 E2 CD AA 05 3D 58 C0 7B A2 36 B8 6E 07 AF
: 7D 8A 42 25 A7 F4 75 CF 4A 08 5E 4B 3E 90 F8 6D : 7D 8A 42 25 A7 F4 75 CF 4A 08 5E 4B 3E 90 F8 6D
: EA 9C C9 21 8A 3B 76 14 E9 CE 2E 5D A3 07 CD 23 : EA 9C C9 21 8A 3B 76 14 E9 CE 2E 5D A3 07 CD 23
: 85 B8 2F 30 01 7C 6D 49 89 11 89 36 44 BD F8 C8 : 85 B8 2F 30 01 7C 6D 49 89 11 89 36 44 BD F8 C8
skipping to change at line 854 skipping to change at line 862
2331 30 12: SEQUENCE { 2331 30 12: SEQUENCE {
2333 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 2333 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
2338 01 1: BOOLEAN TRUE 2338 01 1: BOOLEAN TRUE
2341 04 2: OCTET STRING 2341 04 2: OCTET STRING
: 30 00 : 30 00
: } : }
2345 30 14: SEQUENCE { 2345 30 14: SEQUENCE {
2347 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 2347 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
2352 01 1: BOOLEAN TRUE 2352 01 1: BOOLEAN TRUE
2355 04 4: OCTET STRING 2355 04 4: OCTET STRING
Schaad 15
CertDist May 2000
: 03 02 06 C0 : 03 02 06 C0
: } : }
2361 30 31: SEQUENCE { 2361 30 31: SEQUENCE {
2363 06 3: OBJECT IDENTIFIER 2363 06 3: OBJECT IDENTIFIER
: authorityKeyIdentifier (2 5 29 35) : authorityKeyIdentifier (2 5 29 35)
2368 04 24: OCTET STRING 2368 04 24: OCTET STRING
: 30 16 80 14 70 44 3E 82 2E 6F 87 DE 4A D3 75 E3 : 30 16 80 14 70 44 3E 82 2E 6F 87 DE 4A D3 75 E3
: 3D 20 BC 43 2B 93 F1 1F : 3D 20 BC 43 2B 93 F1 1F
: } : }
2394 30 29: SEQUENCE { 2394 30 29: SEQUENCE {
2396 06 3: OBJECT IDENTIFIER 2396 06 3: OBJECT IDENTIFIER
: subjectKeyIdentifier (2 5 29 14) : subjectKeyIdentifier (2 5 29 14)
Schaad 15
CertDist October 1999
2401 04 22: OCTET STRING 2401 04 22: OCTET STRING
: 04 14 BE 6C A1 B3 E3 C1 F7 ED 43 70 A4 CE 13 01 : 04 14 BE 6C A1 B3 E3 C1 F7 ED 43 70 A4 CE 13 01
: E2 FD E3 97 FE CD : E2 FD E3 97 FE CD
: } : }
: } : }
: } : }
: } : }
2425 30 9: SEQUENCE { 2425 30 9: SEQUENCE {
2427 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3) 2427 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: } : }
skipping to change at line 912 skipping to change at line 920
2536 17 13: UTCTime '990817011828Z' 2536 17 13: UTCTime '990817011828Z'
2551 17 13: UTCTime '391231235959Z' 2551 17 13: UTCTime '391231235959Z'
: } : }
2566 30 16: SEQUENCE { 2566 30 16: SEQUENCE {
2568 31 14: SET { 2568 31 14: SET {
2570 30 12: SEQUENCE { 2570 30 12: SEQUENCE {
2572 06 3: OBJECT IDENTIFIER commonName (2 5 4 3) 2572 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
2577 13 5: PrintableString 'bobDH' 2577 13 5: PrintableString 'bobDH'
: } : }
: } : }
Schaad 16
CertDist May 2000
: } : }
2584 30 578: SEQUENCE { 2584 30 578: SEQUENCE {
2588 30 439: SEQUENCE { 2588 30 439: SEQUENCE {
2592 06 7: OBJECT IDENTIFIER 2592 06 7: OBJECT IDENTIFIER
: dhPublicNumber (1 2 840 10046 2 1) : dhPublicNumber (1 2 840 10046 2 1)
2601 30 426: SEQUENCE { 2601 30 426: SEQUENCE {
2605 02 129: INTEGER 2605 02 129: INTEGER
: 00 EC 2C CD A4 EF 9A 26 2F 62 A7 BB 23 4D DF 2B : 00 EC 2C CD A4 EF 9A 26 2F 62 A7 BB 23 4D DF 2B
: 25 C1 68 D2 9E A9 45 5B 36 F1 94 89 1A AF 7D 11 : 25 C1 68 D2 9E A9 45 5B 36 F1 94 89 1A AF 7D 11
: 24 9D 3D B9 3C 29 E8 D7 23 80 33 A6 9E 45 02 BB : 24 9D 3D B9 3C 29 E8 D7 23 80 33 A6 9E 45 02 BB
: AA CC 9E 28 05 95 A0 B3 17 76 C1 F7 25 35 61 02 : AA CC 9E 28 05 95 A0 B3 17 76 C1 F7 25 35 61 02
: 41 92 27 0C 5E AE 48 E5 F3 6E 38 EF 91 D1 CF 37 : 41 92 27 0C 5E AE 48 E5 F3 6E 38 EF 91 D1 CF 37
Schaad 16
CertDist October 1999
: FE 9A 40 97 C8 2D 35 9E 9D 93 C6 F8 15 AF 3F DA : FE 9A 40 97 C8 2D 35 9E 9D 93 C6 F8 15 AF 3F DA
: 74 3A B7 C4 93 B5 B9 BB 76 6C 1F A8 7E BC 3A AA : 74 3A B7 C4 93 B5 B9 BB 76 6C 1F A8 7E BC 3A AA
: 43 0A 81 64 FC 63 F0 7B 71 98 FA C0 38 79 10 1A : 43 0A 81 64 FC 63 F0 7B 71 98 FA C0 38 79 10 1A
: 33 : 33
2737 02 129: INTEGER 2737 02 129: INTEGER
: 00 BA 0B D7 74 3D E7 34 E5 4C 13 A7 95 96 BB F1 : 00 BA 0B D7 74 3D E7 34 E5 4C 13 A7 95 96 BB F1
: E4 61 37 08 FB 12 C7 FB 9C 91 77 06 99 35 F0 48 : E4 61 37 08 FB 12 C7 FB 9C 91 77 06 99 35 F0 48
: 24 96 33 12 01 7E 8D EC 0B F6 B2 C0 63 A7 15 C5 : 24 96 33 12 01 7E 8D EC 0B F6 B2 C0 63 A7 15 C5
: 5E 95 86 A2 73 C5 49 46 37 79 60 FD 77 05 09 48 : 5E 95 86 A2 73 C5 49 46 37 79 60 FD 77 05 09 48
: 9B 70 8D 3C 05 F6 CE 44 2C 7F 7D 1B 2B 15 DD F3 : 9B 70 8D 3C 05 F6 CE 44 2C 7F 7D 1B 2B 15 DD F3
skipping to change at line 970 skipping to change at line 978
: } : }
3031 03 132: BIT STRING 0 unused bits 3031 03 132: BIT STRING 0 unused bits
: 02 81 80 6F D4 F6 CD 94 9A 6E AF 5B 57 17 96 75 : 02 81 80 6F D4 F6 CD 94 9A 6E AF 5B 57 17 96 75
: BB 0F B9 48 E9 90 37 0D 15 20 C2 55 1E 13 E2 AE : BB 0F B9 48 E9 90 37 0D 15 20 C2 55 1E 13 E2 AE
: 71 17 84 C3 0E 74 AE 8A 55 7F 28 7D 8B D7 28 22 : 71 17 84 C3 0E 74 AE 8A 55 7F 28 7D 8B D7 28 22
: 9C 76 46 D7 3B 4F 9D D1 4D 1B B2 DB 51 94 C5 6D : 9C 76 46 D7 3B 4F 9D D1 4D 1B B2 DB 51 94 C5 6D
: 54 96 40 38 8A 38 81 63 4A 8C C3 1E 09 89 74 A6 : 54 96 40 38 8A 38 81 63 4A 8C C3 1E 09 89 74 A6
: 58 D5 C8 5A 3D CF BB B8 23 7F 9C 1F 7D 78 FA 9E : 58 D5 C8 5A 3D CF BB B8 23 7F 9C 1F 7D 78 FA 9E
: F9 90 9E 91 E7 4B C2 A4 BE 45 06 78 42 58 3D 9F : F9 90 9E 91 E7 4B C2 A4 BE 45 06 78 42 58 3D 9F
: 63 2C EF 84 D4 67 E5 FB C6 6D A2 36 29 67 90 46 : 63 2C EF 84 D4 67 E5 FB C6 6D A2 36 29 67 90 46
Schaad 17
CertDist May 2000
: DB 4E 48 : DB 4E 48
: } : }
3166 A3 127: [3] { 3166 A3 127: [3] {
3168 30 125: SEQUENCE { 3168 30 125: SEQUENCE {
3170 30 29: SEQUENCE { 3170 30 29: SEQUENCE {
3172 06 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17) 3172 06 3: OBJECT IDENTIFIER subjectAltName (2 5 29 17)
3177 04 22: OCTET STRING 3177 04 22: OCTET STRING
: 30 14 81 12 62 6F 62 44 68 40 65 78 61 6D 70 6C : 30 14 81 12 62 6F 62 44 68 40 65 78 61 6D 70 6C
: 65 73 2E 63 6F 6D : 65 73 2E 63 6F 6D
: } : }
3201 30 12: SEQUENCE { 3201 30 12: SEQUENCE {
3203 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19) 3203 06 3: OBJECT IDENTIFIER basicConstraints (2 5 29 19)
Schaad 17
CertDist October 1999
3208 01 1: BOOLEAN TRUE 3208 01 1: BOOLEAN TRUE
3211 04 2: OCTET STRING 3211 04 2: OCTET STRING
: 30 00 : 30 00
: } : }
3215 30 14: SEQUENCE { 3215 30 14: SEQUENCE {
3217 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15) 3217 06 3: OBJECT IDENTIFIER keyUsage (2 5 29 15)
3222 01 1: BOOLEAN TRUE 3222 01 1: BOOLEAN TRUE
3225 04 4: OCTET STRING 3225 04 4: OCTET STRING
: 03 02 03 08 : 03 02 03 08
: } : }
skipping to change at line 1028 skipping to change at line 1036
: 71 75 A9 81 EB ED 9D 5E 00 19 7E F0 DE 5A D6 : 71 75 A9 81 EB ED 9D 5E 00 19 7E F0 DE 5A D6
: } : }
: } : }
3356 31 283: SET { 3356 31 283: SET {
3360 30 279: SEQUENCE { 3360 30 279: SEQUENCE {
3364 02 1: INTEGER 1 3364 02 1: INTEGER 1
3367 30 24: SEQUENCE { 3367 30 24: SEQUENCE {
3369 30 18: SEQUENCE { 3369 30 18: SEQUENCE {
3371 31 16: SET { 3371 31 16: SET {
3373 30 14: SEQUENCE { 3373 30 14: SEQUENCE {
Schaad 18
CertDist May 2000
3375 06 3: OBJECT IDENTIFIER commonName (2 5 4 3) 3375 06 3: OBJECT IDENTIFIER commonName (2 5 4 3)
3380 13 7: PrintableString 'CarlDSS' 3380 13 7: PrintableString 'CarlDSS'
: } : }
: } : }
: } : }
3389 02 2: INTEGER 200 3389 02 2: INTEGER 200
: } : }
3393 30 9: SEQUENCE { 3393 30 9: SEQUENCE {
3395 06 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26) 3395 06 5: OBJECT IDENTIFIER sha1 (1 3 14 3 2 26)
3402 05 0: NULL 3402 05 0: NULL
: } : }
3404 A0 176: [0] { 3404 A0 176: [0] {
Schaad 18
CertDist October 1999
3407 30 26: SEQUENCE { 3407 30 26: SEQUENCE {
3409 06 9: OBJECT IDENTIFIER 3409 06 9: OBJECT IDENTIFIER
: contentType (1 2 840 113549 1 9 3) : contentType (1 2 840 113549 1 9 3)
3420 31 13: SET { 3420 31 13: SET {
3422 06 11: OBJECT IDENTIFIER 3422 06 11: OBJECT IDENTIFIER
: id-ct-publishCert (1 2 840 113549 1 9 16 1 3) : id-ct-publishCert (1 2 840 113549 1 9 16 1 3)
: } : }
: } : }
3435 30 35: SEQUENCE { 3435 30 35: SEQUENCE {
3437 06 9: OBJECT IDENTIFIER 3437 06 9: OBJECT IDENTIFIER
skipping to change at line 1086 skipping to change at line 1094
: } : }
3529 30 52: SEQUENCE { 3529 30 52: SEQUENCE {
3531 04 20: OCTET STRING 3531 04 20: OCTET STRING
: E4 B8 2D 17 E4 23 D5 22 F0 58 BD 73 BD 3D 59 76 : E4 B8 2D 17 E4 23 D5 22 F0 58 BD 73 BD 3D 59 76
: AF C6 18 C8 : AF C6 18 C8
3553 30 28: SEQUENCE { 3553 30 28: SEQUENCE {
3555 30 10: SEQUENCE { 3555 30 10: SEQUENCE {
3557 06 8: OBJECT IDENTIFIER 3557 06 8: OBJECT IDENTIFIER
: des-EDE3-CBC (1 2 840 113549 3 7) : des-EDE3-CBC (1 2 840 113549 3 7)
: } : }
Schaad 19
CertDist May 2000
3567 30 14: SEQUENCE { 3567 30 14: SEQUENCE {
3569 06 8: OBJECT IDENTIFIER 3569 06 8: OBJECT IDENTIFIER
: rc2CBC (1 2 840 113549 3 2) : rc2CBC (1 2 840 113549 3 2)
3579 02 2: INTEGER 160 3579 02 2: INTEGER 160
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
: } : }
3583 30 9: SEQUENCE { 3583 30 9: SEQUENCE {
Schaad 19
CertDist October 1999
3585 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3) 3585 06 7: OBJECT IDENTIFIER dsaWithSha1 (1 2 840 10040 4 3)
: } : }
3594 04 47: OCTET STRING 3594 04 47: OCTET STRING
: 30 2D 02 15 00 B7 D1 AD F0 EF F6 49 30 F9 9F 9C : 30 2D 02 15 00 B7 D1 AD F0 EF F6 49 30 F9 9F 9C
: 55 74 E0 60 56 65 B4 14 15 02 14 37 B4 90 1F 00 : 55 74 E0 60 56 65 B4 14 15 02 14 37 B4 90 1F 00
: 8A F6 F7 41 8B CF AF 90 E6 F3 8E 4D A0 7A 30 : 8A F6 F7 41 8B CF AF 90 E6 F3 8E 4D A0 7A 30
: } : }
: } : }
: } : }
: } : }
skipping to change at line 1115 skipping to change at line 1123
: 55 74 E0 60 56 65 B4 14 15 02 14 37 B4 90 1F 00 : 55 74 E0 60 56 65 B4 14 15 02 14 37 B4 90 1F 00
: 8A F6 F7 41 8B CF AF 90 E6 F3 8E 4D A0 7A 30 : 8A F6 F7 41 8B CF AF 90 E6 F3 8E 4D A0 7A 30
: } : }
: } : }
: } : }
: } : }
: } : }
References References
CMS Housley, R., "Cryptographic Message Syntax" RFC 2630, CMS Housley, R., "Cryptographic Message Syntax" RFC 2630,
June 1999. June 1999.
MUSTSHOULD Bradner, S., "Key words for use in RFCs to Indicate MUSTSHOULD Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", RFC 2119 , March 1997. Requirement Levels", RFC 2119 , March 1997.
LDAPV3 "Lightweight Directory Access Protocol (v3): Attribute
Syntax Definitions", RFC 2252, December 1997.
SMIME Ramsdell, B., "S/MIME Version 3 Message Specification", SMIME Ramsdell, B., "S/MIME Version 3 Message Specification",
RFC 2633, June 1999. RFC 2633, June 1999.
SMIMECERT Ramsdell, B., "S/MIME Version 3 Certificate Handling", SMIMECERT Ramsdell, B., "S/MIME Version 3 Certificate Handling",
RFC 2632, June 1999. RFC 2632, June 1999.
Security Considerations Security Considerations
This entire document discusses security. Some items of special note This entire document discusses security. Some items of special note
are: are:
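Review bot: The LDAPV3 entry (RFC 2252) in the References list appears in only one of the two versions, so if it is being dropped, the body text should be checked for any remaining [LDAPV3] citation before the reference goes. That entry also carries no author names, unlike the CMS, MUSTSHOULD, SMIME and SMIMECERT entries around it, and "RFC 2119 , March 1997" has a stray space before the comma in both versions.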
skipping to change at line 1146 skipping to change at line 1150
of the signer's private key permits masquerading and therefore of the signer's private key permits masquerading and therefore
substitution of encryption certificates. substitution of encryption certificates.
Implementations must do appropriate checking that the entity named Implementations must do appropriate checking that the entity named
in a certificate is the same entity that the encrypted message is in a certificate is the same entity that the encrypted message is
destined for to protect contents of encrypted messages. destined for to protect contents of encrypted messages.
Author Address Author Address
Jim Schaad Jim Schaad
Microsoft Jimsch@exmsft.com
One Microsoft Way
Redmond, WA 98052-6399
Jimsch@Microsoft.com
Schaad 20 Schaad 20
http://www.nwlink.com
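Review bot: In the Security Considerations text, "Implementations must do appropriate checking" uses a lowercase "must" even though the References list RFC 2119 for requirement key words; if this check is a normative requirement it should read MUST. The text also does not say which certificate field is compared against the intended recipient, so "appropriate checking" is left to each implementer; naming the field would make the requirement testable. The closing clause "is destined for to protect contents of encrypted messages" would read more clearly as "is destined for, in order to protect the contents of encrypted messages".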