Network Working Group                                           M. Nystrom
Request for Comments: 2985                                      B. Kaliski
Category: Informational                                       RSA Security
                                                             November 2000
        

PKCS #9: Selected Object Classes and Attribute Types Version 2.0

Status of this Memo

This memo provides information for the Internet community. It does not specify an Internet standard of any kind. Distribution of this memo is unlimited.

Copyright Notice

Copyright (C) The Internet Society (2000). All Rights Reserved.

Abstract

This memo represents a republication of PKCS #9 v2.0 from RSA Laboratories' Public-Key Cryptography Standards (PKCS) series, and change control is retained within the PKCS process. The body of this document, except for the security considerations section, is taken directly from that specification.

This memo provides a selection of object classes and attribute types for use in conjunction with public-key cryptography and Lightweight Directory Access Protocol (LDAP) accessible directories. It also includes ASN.1 syntax for all constructs.

Table of Contents

   1.  Introduction
   2.  Definitions, notation and document convention
   2.1  Definitions
   2.2  Notation and document convention
   3.  Overview
   4.  Auxiliary object classes
   4.1  The "pkcsEntity" auxiliary object class
   4.2  The "naturalPerson" auxiliary object class
   5.  Selected attribute types
   5.1  Attribute types for use with the "pkcsEntity" object class
   5.2  Attribute types for use with the "naturalPerson" object class
   5.3  Attribute types for use in PKCS #7 data
   5.4  Attribute types for use in PKCS #10 certificate requests
        
   5.5  Attribute types for use in PKCS #12 "PFX" PDUs or PKCS #15 tokens
   5.6  Attributes defined in S/MIME
   6.  Matching rules
   6.1  Case ignore match
   6.2  Signing time match
   7.  Security Considerations
   8.  Authors' Addresses
   A.  ASN.1 module
   B.  BNF schema summary
   B.1  Syntaxes
   B.2  Object classes
   B.3  Attribute types
   B.4  Matching rules
   C.  Intellectual property considerations
   D.  Revision history
   E.  References
   F.  Contact information & About PKCS
   Full Copyright Statement
        
1. Introduction

This document defines two new auxiliary object classes, pkcsEntity and naturalPerson, and selected attribute types for use with these classes. It also defines some attribute types for use in conjunction with PKCS #7 [14] (and S/MIME CMS [3]) digitally signed messages, PKCS #10 [16] certificate-signing requests, PKCS #12 [17] personal information exchanges and PKCS #15 [18] cryptographic tokens. Matching rules for use with these attributes are also defined, whenever necessary.

2. Definitions, notation and document conventions
2.1 Definitions

For the purposes of this document, the following definitions apply.

   ASN.1          Abstract Syntax Notation One, as defined in [5].

   Attributes     An ASN.1 type that specifies a set of attributes.
                  Each attribute contains an attribute type (specified
                  by object identifier) and one or more attribute
                  values. Some attribute types are restricted in their
                  definition to have a single value; others may have
                  multiple values. This type is defined in [7].

   CertificationRequestInfo
                  An ASN.1 type that specifies a subject name, a public
                  key, and a set of attributes. This type is defined in
                  [16].

   ContentInfo    An ASN.1 type that specifies content exchanged
                  between entities. The contentType field, which has
                  type OBJECT IDENTIFIER, specifies the content type,
                  and the content field, whose type is defined by the
                  contentType field, contains the content value. This
                  type is defined in [14] and [3].

   PrivateKeyInfo A type that specifies a private key and a set of
                  extended attributes. This type and the associated
                  EncryptedPrivateKeyInfo type are defined in [15].

   SignerInfo     A type that specifies per-signer information in the
                  signed-data content type, including a set of
                  attributes authenticated by the signer, and a set of
                  attributes not authenticated by the signer. This type
                  is defined in [14] and [3].

   DER            Distinguished Encoding Rules for ASN.1, as defined
                  in [6].

   UCS            Universal Multiple-Octet Coded Character Set, as
                  defined in [11].

   UTF8String     UCS Transformation Format encoded string. The UTF-8
                  encoding is defined in [11].

2.2 Notation and document conventions

In this document, all attribute type and object class definitions are written in the ASN.1 value notation defined in [5]. Appendix B contains most of these definitions written in the augmented BNF notation defined in [2] as well. This has been done in an attempt to simplify the task of integrating this work into LDAP [22] development environments.

The keywords "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [1].

3. Overview

This document specifies two new auxiliary object classes, pkcsEntity and naturalPerson, and some new attribute types and matching rules. All ASN.1 object classes, attributes, matching rules and types are exported for use in other environments.

Attribute types defined in this document that are useful in conjunction with storage of PKCS-related data and the pkcsEntity object class include PKCS #12 PFX PDUs, PKCS #15 tokens and encrypted private keys.

Attribute types defined in this document that are useful in conjunction with PKCS #10 certificate requests and the naturalPerson object class include electronic-mail address, pseudonym, unstructured name, and unstructured address.

Attribute types defined in this document that are useful in PKCS #7 digitally signed messages are content type, message digest, signing time, sequence number, random nonce and countersignature. The attributes would be used in the authenticatedAttributes and unauthenticatedAttributes fields of a SignerInfo or an AuthenticatedData ([3]) value.

Attribute types that are useful especially in PKCS #10 certification requests are the challenge password and the extension-request attribute. The attributes would be used in the attributes field of a CertificationRequestInfo value.

Note - The attribute types (from [8]) in Table 1, and probably several others, might also be helpful in PKCS #10, PKCS #12 and PKCS #15-aware applications.

   businessCategory              preferredDeliveryMethod
   commonName                    presentationAddress
   countryName                   registeredAddress
   description                   roleOccupant
   destinationIndicator          serialNumber
   facsimileTelephoneNumber      stateOrProvinceName
   iSDNAddress                   streetAddress
   localityName                  supportedApplicationContext
   member                        surname
   objectClass                   telephoneNumber
   organizationName              teletexTerminalIdentifier
   physicalDeliveryOfficeName    telexNumber
   postalAddress                 title
   postalCode                    x121Address
   postOfficeBox

Table 1: ISO/IEC 9594-6 attribute types useful in PKCS documents

4. Auxiliary object classes

This document defines two new auxiliary object classes: pkcsEntity and naturalPerson.

4.1 The pkcsEntity auxiliary object class

The pkcsEntity object class is a general-purpose auxiliary object class that is intended to hold attributes about PKCS-related entities. It has been designed for use within directory services based on the LDAP protocol [22] and the X.500 family of protocols, where support for PKCS-defined attributes is considered useful.

   pkcsEntity OBJECT-CLASS ::=     {
           SUBCLASS OF { top }
           KIND auxiliary
           MAY CONTAIN { PKCSEntityAttributeSet }
           ID pkcs-9-oc-pkcsEntity
   }
        
   PKCSEntityAttributeSet ATTRIBUTE ::= {
           pKCS7PDU |
           userPKCS12 |
           pKCS15Token |
           encryptedPrivateKeyInfo,
           ... -- For future extensions
   }
        

Attributes in the PKCSEntityAttributeSet are defined in Section 5.

4.2 The naturalPerson auxiliary object class

The naturalPerson object class is a general-purpose auxiliary object class that is intended to hold attributes about human beings. It has been designed for use within directory services based on the LDAP protocol [22] and the X.500 family of protocols, where support for these attributes is considered useful.

   naturalPerson OBJECT-CLASS      ::=     {
           SUBCLASS OF { top }
           KIND auxiliary
           MAY CONTAIN { NaturalPersonAttributeSet }
           ID pkcs-9-oc-naturalPerson
   }
        
   NaturalPersonAttributeSet ATTRIBUTE ::= {
           emailAddress |
           unstructuredName |
           unstructuredAddress |
           dateOfBirth |
           placeOfBirth |
           gender |
           countryOfCitizenship |
           countryOfResidence |
           pseudonym |
           serialNumber,
           ... -- For future extensions
   }
        

Attributes in the NaturalPersonAttributeSet are defined in Section 5.

5. Selected attribute types
5.1 Attribute types for use with the "pkcsEntity" object class
5.1.1 PKCS #7 PDU

PKCS #7 provides several formats for enveloped, signed and otherwise protected data. When such information is stored in a directory service, the pKCS7PDU attribute may be used.

   pKCS7PDU ATTRIBUTE ::= {
           WITH SYNTAX ContentInfo
           ID pkcs-9-at-pkcs7PDU
   }
        
5.1.2 PKCS #12 token

PKCS #12 provides a format for exchange of personal identity information. When such information is stored in a directory service, the userPKCS12 attribute should be used.

   userPKCS12 ATTRIBUTE ::= {
           WITH SYNTAX PFX
           ID pkcs-9-at-userPKCS12
   }
        

This type was originally defined in [20].

5.1.3 PKCS #15 token

PKCS #15 provides a format for cryptographic tokens. When software variants of such tokens are stored in a directory service, the pKCS15Token attribute should be used.

   pKCS15Token ATTRIBUTE ::= {
           WITH SYNTAX PKCS15Token
           ID pkcs-9-at-pkcs15Token
   }
        
5.1.4 PKCS #8 encrypted private key information

PKCS #8 provides a format for encrypted private keys. When such information is stored in a directory service, the encryptedPrivateKeyInfo attribute should be used.

   encryptedPrivateKeyInfo ATTRIBUTE ::= {
           WITH SYNTAX EncryptedPrivateKeyInfo
           ID pkcs-9-at-encryptedPrivateKeyInfo
   }
        
5.2 Attribute types for use with the "naturalPerson" object class
5.2.1 Electronic-mail address

The emailAddress attribute type specifies the electronic-mail address or addresses of a subject as an unstructured ASCII string. The interpretation of electronic-mail addresses is intended to be specified by certificate issuers etc.; no particular interpretation is required.

   emailAddress ATTRIBUTE ::= {
           WITH SYNTAX IA5String (SIZE(1..pkcs-9-ub-emailAddress))
           EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
           ID pkcs-9-at-emailAddress
   }
        

An electronic-mail address attribute can have multiple attribute values. When comparing two email addresses, case is irrelevant. The pkcs9CaseIgnoreMatch is defined in Section 6.

Note - It is likely that other standards bodies overseeing electronic-mail systems will, or have, registered electronic-mail address attribute types specific to their system. The electronic-mail address attribute type defined here was intended as a short-term substitute for those specific attribute types, but is included here for backwards-compatibility reasons.

5.2.2 Unstructured name

The unstructuredName attribute type specifies the name or names of a subject as an unstructured ASCII string. The interpretation of unstructured names is intended to be specified by certificate issuers etc.; no particular interpretation is required.

   unstructuredName ATTRIBUTE ::= {
           WITH SYNTAX PKCS9String {pkcs-9-ub-unstructuredName}
           EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
           ID pkcs-9-at-unstructuredName
   }
        
   PKCS9String { INTEGER : maxSize} ::= CHOICE {
           ia5String       IA5String (SIZE(1..maxSize)),
           directoryString DirectoryString {maxSize}
   }
        

An unstructured-name attribute can have multiple attribute values. When comparing two unstructured names, case is irrelevant.

The PKCS9String type is defined as a choice of IA5String and DirectoryString. Applications SHOULD use the IA5String type when generating attribute values in accordance with this version of this document, unless internationalization issues make this impossible. In that case, the UTF8String alternative of the DirectoryString alternative is the preferred choice. PKCS #9-attribute processing systems MUST be able to recognize and process all string types in PKCS9String values.

Note - Version 1.1 of this document defined unstructuredName as having the syntax IA5String, but did contain a note explaining that this might be changed to a CHOICE of different string types in future versions. To better accommodate international names, this type has been extended to also include a directory string in this version of this document. Since [21] does not support a directory string type containing IA5Strings, a separate syntax object identifier has been defined (see [21] and Appendix B).

5.2.3 Unstructured address

The unstructuredAddress attribute type specifies the address or addresses of a subject as an unstructured directory string. The interpretation of unstructured addresses is intended to be specified by certificate issuers etc.; no particular interpretation is required. A likely interpretation is as an alternative to the postalAddress attribute type defined in [8].

   unstructuredAddress ATTRIBUTE ::= {
           WITH SYNTAX DirectoryString {pkcs-9-ub-unstructuredAddress}
           EQUALITY MATCHING RULE caseIgnoreMatch
           ID pkcs-9-at-unstructuredAddress
   }
        

An unstructured-address attribute can have multiple attribute values. The caseIgnoreMatch matching rule is defined in [8].

Note 1 - It is recommended to use the ASN.1 type TeletexString's new-line character (hexadecimal code 0d) as a line separator in multi-line addresses.

Note 2 - Previous versions of this document defined unstructuredAddress as having the following syntax:

   CHOICE {
           teletexString TeletexString,
           printableString PrintableString,
   }
        

But also mentioned the possibility of a future definition as follows:

   CHOICE {
           teletexString TeletexString,
           printableString PrintableString,
           universalString UniversalString
   }
        

In this version of this document, the X.520 type DirectoryString has been used in order to be more aligned with international standards and current practice. When generating attribute values in accordance with this version of this document, applications SHOULD use the PrintableString alternative unless internationalization issues make this impossible. In those cases, the UTF8String alternative SHOULD be used. PKCS #9-attribute processing systems MUST be able to recognize and process all string types in DirectoryString values.

5.2.4 Date of birth

The dateOfBirth attribute specifies the date of birth for the subject it is associated with.

   dateOfBirth ATTRIBUTE ::= {
           WITH SYNTAX GeneralizedTime
           EQUALITY MATCHING RULE generalizedTimeMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-dateOfBirth
   }
        

dateOfBirth attributes must be single-valued. The generalizedTimeMatch matching rule is defined in [8].

5.2.5 Place of birth

The placeOfBirth attribute specifies the place of birth for the subject it is associated with.

   placeOfBirth ATTRIBUTE ::= {
           WITH SYNTAX DirectoryString {pkcs-9-ub-placeOfBirth}
           EQUALITY MATCHING RULE caseExactMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-placeOfBirth
   }
        

placeOfBirth attributes must be single-valued. The caseExactMatch matching rule is defined in [8].

5.2.6 Gender

The gender attribute specifies the gender of the subject it is associated with.

   gender ATTRIBUTE ::= {
           WITH SYNTAX PrintableString (SIZE(1) ^
                       FROM ("M" | "F" | "m" | "f"))
           EQUALITY MATCHING RULE caseIgnoreMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-gender
   }
        

The letter "M" (or "m") represents "male" and the letter "F" (or "f") represents "female". gender attributes must be single-valued.

5.2.7 Country of citizenship

The countryOfCitizenship attribute specifies the (claimed) countries of citizenship for the subject it is associated with. It SHALL be a 2-letter acronym of a country in accordance with [4].

   countryOfCitizenship ATTRIBUTE ::= {
           WITH SYNTAX PrintableString (SIZE(2) ^ CONSTRAINED BY {
           -- Must be a two-letter country acronym in accordance with
           -- ISO/IEC 3166 --})
           EQUALITY MATCHING RULE caseIgnoreMatch
           ID pkcs-9-at-countryOfCitizenship
   }
        

Attributes of this type need not be single-valued.

5.2.8 Country of residence

The countryOfResidence attribute specifies the (claimed) country of residence for the subject it is associated with. It SHALL be a 2-letter acronym of a country in accordance with [4].

   countryOfResidence ATTRIBUTE ::= {
           WITH SYNTAX PrintableString (SIZE(2) ^ CONSTRAINED BY {
           -- Must be a two-letter country acronym in accordance with
           -- ISO/IEC 3166 --})
           EQUALITY MATCHING RULE caseIgnoreMatch
           ID pkcs-9-at-countryOfResidence
   }
        

Attributes of this type need not be single-valued, since it is possible to be a resident of several countries.

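As an added example (not part of RFC 2985), the following Python checks a naturalPerson entry against the constraints stated in sections 5.2.1 and 5.2.4 through 5.2.8: IA5String e-mail addresses whose values are compared under pkcs9CaseIgnoreMatch, the single-valued dateOfBirth, placeOfBirth and gender attributes, the "M"/"F" alphabet, and two-letter country codes compared under caseIgnoreMatch. The pkcs-9-ub-* bounds are assumed values (the numbers live in Appendix A), the country-code set is a constructed sample rather than the full ISO/IEC 3166 list, and pkcs9CaseIgnoreMatch is simplified to ASCII case folding.

```python
from datetime import datetime

# Assumed values of the pkcs-9-ub-* upper bounds (the numbers live in Appendix A).
UB_EMAIL_ADDRESS = 255
UB_PLACE_OF_BIRTH = 128

# Constructed sample of ISO/IEC 3166 alpha-2 codes; the real constraint is the full list.
SAMPLE_ISO_3166 = {"DE", "FR", "GB", "JP", "SE", "US"}

# The PrintableString alphabet of X.680.
PRINTABLE = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

# Attributes declared SINGLE VALUE TRUE in section 5.2.
SINGLE_VALUED = ("dateOfBirth", "placeOfBirth", "gender")


def pkcs9_case_ignore_equal(a: str, b: str) -> bool:
    """pkcs9CaseIgnoreMatch (section 6.1), simplified here to ASCII case folding."""
    return a.lower() == b.lower()


def is_ia5(value: str) -> bool:
    """IA5String: every character is 7-bit ASCII."""
    return all(ord(ch) < 128 for ch in value)


def is_generalized_time(value: str) -> bool:
    """Accept the DER form of GeneralizedTime, YYYYMMDDHHMMSSZ."""
    try:
        datetime.strptime(value, "%Y%m%d%H%M%SZ")
    except ValueError:
        return False
    return True


def validate_natural_person(attrs: dict) -> list:
    """Return the constraint violations of an entry; an empty list means it is valid.

    attrs maps a section 5.2 attribute type name to its list of values.
    """
    problems = []

    emails = attrs.get("emailAddress", [])
    for value in emails:
        if not (is_ia5(value) and 1 <= len(value) <= UB_EMAIL_ADDRESS):
            problems.append(f"emailAddress: {value!r} is not IA5String(SIZE(1..{UB_EMAIL_ADDRESS}))")
    # Two values equal under the attribute's equality matching rule are the same value.
    for i, a in enumerate(emails):
        for b in emails[i + 1:]:
            if pkcs9_case_ignore_equal(a, b):
                problems.append(f"emailAddress: {a!r} and {b!r} are equal under pkcs9CaseIgnoreMatch")

    for name in SINGLE_VALUED:
        if len(attrs.get(name, [])) > 1:
            problems.append(f"{name}: must be single-valued, got {len(attrs[name])} values")

    for value in attrs.get("dateOfBirth", []):
        if not is_generalized_time(value):
            problems.append(f"dateOfBirth: {value!r} is not a GeneralizedTime")

    for value in attrs.get("placeOfBirth", []):
        if not 1 <= len(value) <= UB_PLACE_OF_BIRTH:
            problems.append(f"placeOfBirth: {value!r} is outside SIZE(1..{UB_PLACE_OF_BIRTH})")

    for value in attrs.get("gender", []):
        if value not in ("M", "F", "m", "f"):
            problems.append(f"gender: {value!r} is not one of M, F, m, f")

    for name in ("countryOfCitizenship", "countryOfResidence"):
        for value in attrs.get(name, []):
            if len(value) != 2 or not set(value) <= PRINTABLE:
                problems.append(f"{name}: {value!r} is not PrintableString(SIZE(2))")
            elif value.upper() not in SAMPLE_ISO_3166:  # caseIgnoreMatch: "se" equals "SE"
                problems.append(f"{name}: {value!r} is not a known ISO/IEC 3166 code")

    return problems


if __name__ == "__main__":
    # Constructed entry, not taken from the RFC.
    entry = {
        "emailAddress": ["Alice@Example.org", "alice@example.org"],
        "dateOfBirth": ["19700101000000Z"],
        "gender": ["F"],
        "countryOfCitizenship": ["SE", "us"],
    }
    for problem in validate_natural_person(entry):
        print(problem)
```

The duplicate-detection step is the practical consequence of an equality matching rule: a directory treats two values that match under the rule as one value, so an entry that carries both "Alice@Example.org" and "alice@example.org" is rejected rather than stored twice.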

5.2.9 Pseudonym

The pseudonym attribute type shall contain a pseudonym of a subject. The exact interpretation of pseudonyms is intended to be specified by certificate issuers etc.; no particular interpretation is required.

   pseudonym ATTRIBUTE ::= {
           WITH SYNTAX DirectoryString {pkcs-9-ub-pseudonym}
           EQUALITY MATCHING RULE caseExactMatch
           ID id-at-pseudonym
   }
        

Note - The pseudonym attribute has received an object identifier in the joint-iso-itu-t object identifier tree.

The caseExactMatch matching rule is defined in [8].

5.2.10 Serial number

The serialNumber attribute is defined in [8].

5.3 Attribute types for use in PKCS #7 data
5.3.1 Content type

The contentType attribute type specifies the content type of the ContentInfo value being signed in PKCS #7 (or S/MIME CMS) digitally signed data. In such data, the contentType attribute type is required if there are any PKCS #7 authenticated attributes.

   contentType ATTRIBUTE ::= {
           WITH SYNTAX ContentType
           EQUALITY MATCHING RULE objectIdentifierMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-contentType
   }
        
   ContentType ::= OBJECT IDENTIFIER
        

As indicated, content-type attributes must have a single attribute value. For two content-type values to match, their octet string representation must be of equal length and corresponding octets identical. The objectIdentifierMatch matching rule is defined in [7].

Note - This attribute type is described in [3] as well.

5.3.2 Message digest

The messageDigest attribute type specifies the message digest of the contents octets of the DER-encoding of the content field of the ContentInfo value being signed in PKCS #7 digitally signed data, where the message digest is computed under the signer's message digest algorithm. The message-digest attribute type is required in these cases if there are any PKCS #7 authenticated attributes present.

   messageDigest ATTRIBUTE ::= {
           WITH SYNTAX MessageDigest
           EQUALITY MATCHING RULE octetStringMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-messageDigest
   }
        
   MessageDigest ::= OCTET STRING

As indicated, a message-digest attribute must have a single attribute value. For two messageDigest values to match, their octet string representation must be of equal length and corresponding octets identical. The octetStringMatch matching rule is defined in [8].

Note - This attribute is described in [3] as well.

5.3.3 Signing time

The signingTime attribute type is intended for PKCS #7 digitally signed data. It specifies the time at which the signer (purportedly) performed the signing process.

   signingTime ATTRIBUTE ::= {
           WITH SYNTAX SigningTime
           EQUALITY MATCHING RULE signingTimeMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-signingTime
   }
        
   SigningTime ::= Time -- imported from ISO/IEC 9594-8

A signing-time attribute must have a single attribute value.

The signingTimeMatch matching rule (defined in Section 6.1) returns TRUE if an attribute value represents the same time as a presented value.

Quoting from [3]: "Dates between 1 January 1950 and 31 December 2049 (inclusive) MUST be encoded as UTCTime. Any dates with year values before 1950 or after 2049 MUST be encoded as GeneralizedTime. [Further,] UTCTime values MUST be expressed in Greenwich Mean Time (Zulu) and MUST include seconds (i.e., times are YYMMDDHHMMSSZ), even where the number of seconds is zero. Midnight (GMT) must be represented as "YYMMDD000000Z". Century information is implicit, and the century shall be determined as follows:

- Where YY is greater than or equal to 50, the year shall be interpreted as 19YY; and

- Where YY is less than 50, the year shall be interpreted as 20YY.

GeneralizedTime values shall be expressed in Greenwich Mean Time (Zulu) and must include seconds (i.e., times are YYYYMMDDHHMMSSZ), even where the number of seconds is zero. GeneralizedTime values must not include fractional seconds."

Note 1 - The definition of SigningTime matches the definition of Time specified in [10].

Note 2 - No requirement is imposed concerning the correctness of the signing time, and acceptance of a purported signing time is a matter of a recipient's discretion. It is expected, however, that some signers, such as time-stamp servers, will be trusted implicitly.

5.3.4 Random nonce

The randomNonce attribute type is intended for PKCS #7 digitally signed data. It may be used by a signer unable (or unwilling) to specify the time at which the signing process was performed. Used in a correct manner, it will make it possible for the signer to protect against certain attacks, i.e. replay attacks.

   randomNonce ATTRIBUTE ::= {
           WITH SYNTAX RandomNonce
           EQUALITY MATCHING RULE octetStringMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-randomNonce
   }
        
   RandomNonce ::= OCTET STRING (SIZE(4..MAX))
           -- At least four bytes long

A random nonce attribute must have a single attribute value.

5.3.5 Sequence number

The sequenceNumber attribute type is intended for PKCS #7 digitally signed data. A signer wishing to associate a sequence number to all signature operations (much like a physical checkbook) may use it as an alternative to the randomNonce attribute. Used in a correct manner, it will make it possible for the signer to protect against certain attacks, i.e. replay attacks.

   sequenceNumber ATTRIBUTE ::= {
           WITH SYNTAX SequenceNumber
           EQUALITY MATCHING RULE integerMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-sequenceNumber
   }
        
   SequenceNumber ::= INTEGER (1..MAX)

A sequence number attribute must have a single attribute value.

The integerMatch matching rule is defined in [8].

5.3.6 Countersignature

The counterSignature attribute type specifies one or more signatures on the content octets of the DER encoding of the encryptedDigest field of a SignerInfo value in PKCS #7 digitally signed data. Thus, the countersignature attribute type countersigns (signs in serial) another signature. The countersignature attribute must be an unauthenticated PKCS #7 attribute; it cannot be an authenticated attribute.

   counterSignature ATTRIBUTE ::= {
           WITH SYNTAX SignerInfo
           ID pkcs-9-at-counterSignature
   }
        

Countersignature values have the same meaning as SignerInfo values for ordinary signatures (see Section 9 of [14] and Section 5.3 of [3]), except that:

1. The authenticatedAttributes field must contain a messageDigest attribute if it contains any other attributes, but need not contain a contentType attribute, as there is no content type for countersignatures; and

2. The input to the message-digesting process is the content octets of the DER encoding of the signatureValue field of the SignerInfo value with which the attribute is associated.

A countersignature attribute can have multiple attribute values.

Note 1 - The fact that a countersignature is computed on a signature (encrypted digest) means that the countersigning process need not know the original content input to the signing process. This has advantages both in efficiency and in confidentiality.

Note 2 - A countersignature, since it has type SignerInfo, can itself contain a countersignature attribute. Thus it is possible to construct arbitrarily long series of countersignatures.
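
An added example, not part of RFC 2985: the digest inputs prescribed in 5.3.2 (messageDigest) and 5.3.6 (countersignature) computed in Python over DER-encoded OCTET STRINGs, with a minimal DER reader and the DER form of the messageDigest attribute. The hash algorithm, the helper names and the sample values are this example's own assumptions.

```python
"""Digest inputs for messageDigest (5.3.2) and counterSignature (5.3.6).

Added example, not part of RFC 2985. Only the Python standard library is used;
the sample values are constructed for illustration.
"""
import hashlib

PKCS_9_AT_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"   # {pkcs-9 4}
TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE, TAG_SET = 0x04, 0x06, 0x30, 0x31


def der_decode(der):
    """Split a single DER TLV into (tag, contents octets).

    Trailing bytes, indefinite lengths and non-minimal long-form lengths are
    rejected: DER has exactly one valid encoding per value, and 5.3.2/5.3.6
    define their digest inputs in terms of that encoding."""
    if len(der) < 2:
        raise ValueError("truncated TLV")
    tag, first, pos = der[0], der[1], 2
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        n = first & 0x7F
        if len(der) < pos + n:
            raise ValueError("truncated length field")
        length = int.from_bytes(der[pos:pos + n], "big")
        if length < 0x80 or (n > 1 and der[pos] == 0):
            raise ValueError("non-minimal length encoding")
        pos += n
    if pos + length != len(der):
        raise ValueError("length does not match the TLV")
    return tag, der[pos:]


def der_encode(tag, contents):
    """Inverse of der_decode for one TLV, emitting a minimal length field."""
    n = len(contents)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + contents


def der_oid(dotted):
    """DER OBJECT IDENTIFIER from dotted form (base-128 arcs, first two packed)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += chunk
    return der_encode(TAG_OID, bytes(body))


def _octet_string_contents(der, what):
    tag, contents = der_decode(der)
    if tag != TAG_OCTET_STRING:
        raise ValueError(f"{what} must be a DER OCTET STRING, got tag 0x{tag:02x}")
    return contents


def message_digest(content_field_der, hash_name="sha256"):
    """5.3.2: hash the contents octets of the DER-encoded content field.

    The tag and length bytes are *not* part of the input; hashing the whole
    TLV is a common interoperability bug."""
    return hashlib.new(hash_name, _octet_string_contents(content_field_der, "content")).digest()


def countersignature_digest(signature_value_der, hash_name="sha256"):
    """5.3.6: the countersigner hashes the contents octets of the DER-encoded
    signatureValue (encryptedDigest) of the SignerInfo it countersigns, so it
    never needs the original content (Note 1)."""
    return hashlib.new(hash_name, _octet_string_contents(signature_value_der, "signatureValue")).digest()


def message_digest_attribute(digest):
    """DER Attribute { type pkcs-9-at-messageDigest, values SET { OCTET STRING } }.
    SINGLE VALUE TRUE means the SET carries exactly one value."""
    values = der_encode(TAG_SET, der_encode(TAG_OCTET_STRING, digest))
    return der_encode(TAG_SEQUENCE, der_oid(PKCS_9_AT_MESSAGE_DIGEST) + values)


if __name__ == "__main__":
    # Constructed sample: a "data" content field and a fake 4-byte signatureValue.
    content = der_encode(TAG_OCTET_STRING, b"hello")
    print("messageDigest:", message_digest(content).hex())
    print("attribute    :", message_digest_attribute(message_digest(content)).hex())
    print("countersign  :", countersignature_digest(der_encode(TAG_OCTET_STRING, b"\xde\xad\xbe\xef")).hex())
```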

5.4 Attribute types for use with PKCS #10 certificate requests
5.4.1 Challenge password

The challengePassword attribute type specifies a password by which an entity may request certificate revocation. The interpretation of challenge passwords is intended to be specified by certificate issuers etc; no particular interpretation is required.

   challengePassword ATTRIBUTE ::= {
           WITH SYNTAX DirectoryString {pkcs-9-ub-challengePassword}
           EQUALITY MATCHING RULE caseExactMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-challengePassword
   }
        

A challenge-password attribute must have a single attribute value.

ChallengePassword attribute values generated in accordance with this version of this document SHOULD use the PrintableString encoding whenever possible. If internationalization issues make this impossible, the UTF8String alternative SHOULD be used. PKCS #9-attribute processing systems MUST be able to recognize and process all string types in DirectoryString values.

Note - Version 1.1 of this document defined challengePassword as having the syntax CHOICE {PrintableString, T61String}, but did contain a note explaining that this might be changed to a CHOICE of different string types in the future. See also Note 2 in section 5.2.3.

5.4.2 Extension request

The extensionRequest attribute type may be used to carry information about certificate extensions the requester wishes to be included in a certificate.

   extensionRequest ATTRIBUTE ::= {
           WITH SYNTAX ExtensionRequest
           SINGLE VALUE TRUE
           ID pkcs-9-at-extensionRequest
   }
        
   ExtensionRequest ::= Extensions

The Extensions type is imported from [10].

5.4.3 Extended-certificate attributes (deprecated)

The extendedCertificateAttributes attribute type specified a set of attributes for a PKCS #6 [13] extended certificate in a PKCS #10 certification request (the value of the extended certificate-attributes attribute would become the extension in the requested PKCS #6 extended certificate). Since the status of PKCS #6 is historic after the introduction of X.509 v3 certificates [10], the use of this attribute is deprecated.

   extendedCertificateAttributes ATTRIBUTE ::= {
           WITH SYNTAX SET OF Attribute
           SINGLE VALUE TRUE
           ID pkcs-9-at-extendedCertificateAttributes
   }
        

An extended certificate attributes attribute must have a single attribute value (that value is a set, which itself may contain multiple values, but there must be only one set).

5.5 Attributes for use in PKCS #12 "PFX" PDUs or PKCS #15 tokens
5.5.1 Friendly name

The friendlyName attribute type specifies a user-friendly name of the object it belongs to. It is referenced in [17].

   friendlyName ATTRIBUTE ::= {
           WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
           EQUALITY MATCHING RULE caseIgnoreMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-friendlyName
   }
        

As indicated, friendlyName attributes must have a single attribute value.

5.5.2 Local key identifier

The localKeyId attribute type specifies an identifier for a particular key. It is only to be used locally in applications. This attribute is referenced in [17].

   localKeyId ATTRIBUTE ::= {
           WITH SYNTAX OCTET STRING
           EQUALITY MATCHING RULE octetStringMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-localKeyId
   }
        

As indicated, localKeyId attributes must have a single attribute value. For two localKeyId values to match, their octet string representation must be of equal length and corresponding octets identical.

5.6 Attributes defined in S/MIME

S/MIME (c.f. [12]) defines some attributes and object identifiers in the PKCS #9 object identifier tree. For completeness, they are mentioned here.

5.6.1 Signing description

The signingDescription attribute is intended to provide a short synopsis of a message that can be used to present a user with an additional confirmation step before committing to a cryptographic operation. In most cases, the replication of the "Subject:" line from the header of a message should be sufficient and is recommended.

   signingDescription ATTRIBUTE ::= {
           WITH SYNTAX DirectoryString {pkcs-9-ub-signingDescription}
           EQUALITY MATCHING RULE caseIgnoreMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-signingDescription
   }
        
5.6.2 S/MIME capabilities

The syntax and semantics of the smimeCapabilities attribute is defined in [12]. It is included here for the sake of completeness.

   smimeCapabilities ATTRIBUTE ::= {
           WITH SYNTAX SMIMECapabilities
           SINGLE VALUE TRUE
           ID pkcs-9-at-smimeCapabilities
   }
        
   SMIMECapabilities ::= SEQUENCE OF SMIMECapability
        
   SMIMECapability ::= SEQUENCE {
           algorithm  ALGORITHM.&id ({SMIMEv3Algorithms}),
           parameters ALGORITHM.&Type ({SMIMEv3Algorithms}{@algorithm})
   }
        
   SMIMEv3Algorithms ALGORITHM ::= {... -- See RFC 2633 -- }

6. Matching rules

This section defines matching rules used in the definition of attributes in this document.

6.1 Case ignore match

The pkcs9CaseIgnoreMatch rule compares for equality a presented string with an attribute value of type PKCS9String, without regard to the case (upper or lower) of the strings (e.g. "Pkcs" and "PKCS" match).

   pkcs9CaseIgnoreMatch MATCHING-RULE ::= {
           SYNTAX  PKCS9String {pkcs9-ub-match}
           ID              id-mr-pkcs9CaseIgnoreMatch
   }
        

The rule returns TRUE if the strings are the same length and corresponding characters are identical except possibly with regard to case.

Where the strings being matched are of different ASN.1 syntax, the comparison proceeds as normal so long as the corresponding characters are in both character sets. Otherwise matching fails.

6.2 Signing time match

The signingTimeMatch rule compares for equality a presented value with an attribute value of type SigningTime.

   signingTimeMatch MATCHING-RULE ::= {
           SYNTAX SigningTime
           ID pkcs-9-mr-signingTimeMatch
   }
        

The rule returns TRUE if the attribute value represents the same time as the presented value. If a time is specified with seconds (or fractional seconds) absent, the number of seconds (fractional seconds) is assumed to be zero.

Where the strings being matched are of different ASN.1 syntax, the comparison proceeds as follows:

a) Convert both values to DER-encoded values of type GeneralizedTime, coordinated universal time. If this is not possible the matching fails.

b) Compare the strings for equality. The rule returns TRUE if and only if the strings are of the same length and corresponding octets are identical.
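
An added example, not part of RFC 2985: the encoding rule for signing times quoted in 5.3.3 and the two-step signingTimeMatch procedure of this section, in Python. Modelling a Time value as a (kind, text) pair, with kind "utcTime" or "generalizedTime", is this example's own convention, as are the function names.

```python
"""SigningTime encoding (5.3.3) and the signingTimeMatch rule (6.2).

Added example, not part of RFC 2985. A Time value is modelled here as a
(kind, text) pair, kind being "utcTime" or "generalizedTime", the two
alternatives of the X.509 Time CHOICE; that representation is this example's own.
"""
import re
from datetime import datetime, timedelta, timezone

# Seconds are optional on input so that the "assumed to be zero" rule of 6.2
# can be exercised; a fractional part is only accepted on GeneralizedTime.
_UTC_TIME = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?Z$")
_GEN_TIME = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?(?:\.(\d+))?Z$")
TAG_GENERALIZED_TIME = 0x18


def encode_signing_time(dt):
    """Choose the Time alternative the text quoted from [3] requires:
    UTCTime for 1950..2049, GeneralizedTime otherwise; always Zulu, always
    with seconds, never with fractional seconds."""
    if dt.utcoffset() != timedelta(0):
        raise ValueError("signing time must be expressed in GMT (Zulu)")
    if dt.microsecond:
        raise ValueError("signing time must not carry fractional seconds")
    hms = f"{dt.month:02d}{dt.day:02d}{dt.hour:02d}{dt.minute:02d}{dt.second:02d}Z"
    if 1950 <= dt.year <= 2049:
        return ("utcTime", f"{dt.year % 100:02d}{hms}")
    return ("generalizedTime", f"{dt.year:04d}{hms}")


def to_generalized_time(value):
    """Step a) of signingTimeMatch: canonical GeneralizedTime text for any
    Time value. Missing seconds count as zero; a fractional part survives
    only if non-zero and with trailing zeros stripped, as DER requires."""
    kind, text = value
    if kind == "utcTime":
        m = _UTC_TIME.match(text)
        if not m:
            raise ValueError(f"malformed UTCTime: {text!r}")
        yy, mo, dd, hh, mi, ss = m.groups()
        year = (1900 if int(yy) >= 50 else 2000) + int(yy)  # century rule from [3]
        frac = ""
    elif kind == "generalizedTime":
        m = _GEN_TIME.match(text)
        if not m:
            raise ValueError(f"malformed GeneralizedTime: {text!r}")
        y, mo, dd, hh, mi, ss, frac = m.groups()
        year, frac = int(y), (frac or "").rstrip("0")
    else:
        raise ValueError(f"unknown Time alternative: {kind!r}")
    ss = ss or "00"
    # Impossible calendar values (month 13, hour 25, ...) make conversion fail.
    datetime(year, int(mo), int(dd), int(hh), int(mi), int(ss), tzinfo=timezone.utc)
    return f"{year:04d}{mo}{dd}{hh}{mi}{ss}{'.' + frac if frac else ''}Z"


def der_generalized_time(value):
    """DER TLV of the converted value (short length form; the body is far
    shorter than 128 octets for any sane fractional part)."""
    body = to_generalized_time(value).encode("ascii")
    if len(body) >= 128:
        raise ValueError("fractional part too long for this encoder")
    return bytes([TAG_GENERALIZED_TIME, len(body)]) + body


def signing_time_match(attribute_value, presented_value):
    """Step b): TRUE iff both DER encodings have the same length and
    identical octets. A value that cannot be converted makes the match fail."""
    try:
        return der_generalized_time(attribute_value) == der_generalized_time(presented_value)
    except ValueError:
        return False


def demo():
    """Constructed samples: one signing time in each encoding range."""
    return (encode_signing_time(datetime(1999, 12, 31, 23, 59, 59, tzinfo=timezone.utc)),
            encode_signing_time(datetime(2050, 1, 1, tzinfo=timezone.utc)))


if __name__ == "__main__":
    print(demo())
    print(signing_time_match(("utcTime", "0001010000Z"), ("generalizedTime", "20000101000000Z")))
```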

7. Security Considerations

Attributes of directory entries are used to provide descriptive information about the real-world objects they represent, which can be people, organizations or devices. Most countries have privacy laws regarding the publication of information about people.

The challengePassword attribute should not be stored un-encrypted in a directory.

Users of directory-aware applications making use of attributes defined for use with the pkcsEntity object class should make sure that the class's attributes are adequately protected, since they may potentially be read by third parties. If a password-protected value is stored (PKCS #8, #12 or #15), the directory should authenticate the requester before delivering the value to prevent an off-line password-search attack. Note that this potentially raises non-repudiation issues since the directory itself can try a password search to recover a private value, if stored this way.

8. Authors' Addresses

Magnus Nystrom
RSA Security
Box 10704
S-121 29 Stockholm
Sweden

   EMail: magnus@rsasecurity.com

Burt Kaliski
RSA Security
20 Crosby Drive
Bedford, MA 01730
USA

   EMail: bkaliski@rsasecurity.com

APPENDICES

A. ASN.1 module

This appendix includes all of the ASN.1 type and value definitions contained in this document in the form of the ASN.1 module PKCS-9.

   PKCS-9 {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1)
   pkcs-9(9) modules(0) pkcs-9(1)}
        
   DEFINITIONS IMPLICIT TAGS ::=

BEGIN

开始

   -- EXPORTS All --
   -- All types and values defined in this module are exported for use
   -- in other ASN.1 modules.

IMPORTS

   informationFramework, authenticationFramework, selectedAttributeTypes,
   upperBounds, id-at
           FROM UsefulDefinitions {joint-iso-itu-t ds(5) module(1)
           usefulDefinitions(0) 3}

   ub-name
           FROM UpperBounds upperBounds

   OBJECT-CLASS, ATTRIBUTE, MATCHING-RULE, Attribute, top,
   objectIdentifierMatch
           FROM InformationFramework informationFramework

   ALGORITHM, Extensions, Time
           FROM AuthenticationFramework authenticationFramework

   DirectoryString, octetStringMatch, caseIgnoreMatch, caseExactMatch,
   generalizedTimeMatch, integerMatch, serialNumber
           FROM SelectedAttributeTypes selectedAttributeTypes

   ContentInfo, SignerInfo
           FROM CryptographicMessageSyntax {iso(1) member-body(2) us(840)
           rsadsi(113549) pkcs(1) pkcs-9(9) smime(16) modules(0) cms(1)}
        
   EncryptedPrivateKeyInfo
           FROM PKCS-8 {iso(1) member-body(2) us(840) rsadsi(113549)
           pkcs(1) pkcs-8(8) modules(1) pkcs-8(1)}
        
   PFX
           FROM PKCS-12 {iso(1) member-body(2) us(840) rsadsi(113549)
           pkcs(1) pkcs-12(12) modules(0) pkcs-12(1)}
        
   PKCS15Token
           FROM PKCS-15 {iso(1) member-body(2) us(840) rsadsi(113549)
           pkcs(1) pkcs-15(15) modules(1) pkcs-15(1)};
        

-- Upper bounds

   pkcs-9-ub-pkcs9String         INTEGER ::= 255
   pkcs-9-ub-emailAddress        INTEGER ::= pkcs-9-ub-pkcs9String
   pkcs-9-ub-unstructuredName    INTEGER ::= pkcs-9-ub-pkcs9String
   pkcs-9-ub-unstructuredAddress INTEGER ::= pkcs-9-ub-pkcs9String
   pkcs-9-ub-challengePassword   INTEGER ::= pkcs-9-ub-pkcs9String
   pkcs-9-ub-friendlyName        INTEGER ::= pkcs-9-ub-pkcs9String
   pkcs-9-ub-signingDescription  INTEGER ::= pkcs-9-ub-pkcs9String
   pkcs-9-ub-match               INTEGER ::= pkcs-9-ub-pkcs9String
   pkcs-9-ub-pseudonym           INTEGER ::= ub-name
   pkcs-9-ub-placeOfBirth        INTEGER ::= ub-name
        

-- Object Identifiers

   pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
                                 rsadsi(113549) pkcs(1) 9}
        
     -- Main arcs
   pkcs-9-mo OBJECT IDENTIFIER ::= {pkcs-9 0}  -- Modules branch
   pkcs-9-oc OBJECT IDENTIFIER ::= {pkcs-9 24} -- Object class branch
   pkcs-9-at OBJECT IDENTIFIER ::= {pkcs-9 25} -- Attribute branch, for
                                               -- new  attributes
   pkcs-9-sx OBJECT IDENTIFIER ::= {pkcs-9 26} -- For syntaxes (RFC 2252)
   pkcs-9-mr OBJECT IDENTIFIER ::= {pkcs-9 27} -- Matching rules
        
     -- Object classes
   pkcs-9-oc-pkcsEntity    OBJECT IDENTIFIER ::= {pkcs-9-oc 1}
   pkcs-9-oc-naturalPerson OBJECT IDENTIFIER ::= {pkcs-9-oc 2}
        
     -- Attributes
   pkcs-9-at-emailAddress        OBJECT IDENTIFIER ::= {pkcs-9 1}
   pkcs-9-at-unstructuredName    OBJECT IDENTIFIER ::= {pkcs-9 2}
   pkcs-9-at-contentType         OBJECT IDENTIFIER ::= {pkcs-9 3}
   pkcs-9-at-messageDigest       OBJECT IDENTIFIER ::= {pkcs-9 4}
   pkcs-9-at-signingTime         OBJECT IDENTIFIER ::= {pkcs-9 5}
   pkcs-9-at-counterSignature    OBJECT IDENTIFIER ::= {pkcs-9 6}
   pkcs-9-at-challengePassword   OBJECT IDENTIFIER ::= {pkcs-9 7}
   pkcs-9-at-unstructuredAddress OBJECT IDENTIFIER ::= {pkcs-9 8}
        
   pkcs-9-at-extendedCertificateAttributes
                                 OBJECT IDENTIFIER ::= {pkcs-9 9}
        
   -- Obsolete (?) attribute identifiers, purportedly from "tentative
   -- PKCS #9 draft"
   -- pkcs-9-at-issuerAndSerialNumber OBJECT IDENTIFIER ::= {pkcs-9 10}
   -- pkcs-9-at-passwordCheck         OBJECT IDENTIFIER ::= {pkcs-9 11}
   -- pkcs-9-at-publicKey             OBJECT IDENTIFIER ::= {pkcs-9 12}
        
   pkcs-9-at-signingDescription       OBJECT IDENTIFIER ::= {pkcs-9 13}
   pkcs-9-at-extensionRequest         OBJECT IDENTIFIER ::= {pkcs-9 14}
   pkcs-9-at-smimeCapabilities        OBJECT IDENTIFIER ::= {pkcs-9 15}
        
   -- Unused (?)
   -- pkcs-9-at-?                     OBJECT IDENTIFIER ::= {pkcs-9 17}
   -- pkcs-9-at-?                     OBJECT IDENTIFIER ::= {pkcs-9 18}
   -- pkcs-9-at-?                     OBJECT IDENTIFIER ::= {pkcs-9 19}
        
   pkcs-9-at-friendlyName             OBJECT IDENTIFIER ::= {pkcs-9 20}
   pkcs-9-at-localKeyId               OBJECT IDENTIFIER ::= {pkcs-9 21}
   pkcs-9-at-userPKCS12               OBJECT IDENTIFIER ::=
                                         {2 16 840 1 113730 3 1 216}
   pkcs-9-at-pkcs15Token              OBJECT IDENTIFIER ::= {pkcs-9-at 1}
   pkcs-9-at-encryptedPrivateKeyInfo  OBJECT IDENTIFIER ::= {pkcs-9-at 2}
   pkcs-9-at-randomNonce              OBJECT IDENTIFIER ::= {pkcs-9-at 3}
   pkcs-9-at-sequenceNumber           OBJECT IDENTIFIER ::= {pkcs-9-at 4}
   pkcs-9-at-pkcs7PDU                 OBJECT IDENTIFIER ::= {pkcs-9-at 5}
        
     -- IETF PKIX Attribute branch
   ietf-at                            OBJECT IDENTIFIER ::=
                                         {1 3 6 1 5 5 7 9}
        
   pkcs-9-at-dateOfBirth              OBJECT IDENTIFIER ::= {ietf-at 1}
   pkcs-9-at-placeOfBirth             OBJECT IDENTIFIER ::= {ietf-at 2}
   pkcs-9-at-gender                   OBJECT IDENTIFIER ::= {ietf-at 3}
   pkcs-9-at-countryOfCitizenship     OBJECT IDENTIFIER ::= {ietf-at 4}
   pkcs-9-at-countryOfResidence       OBJECT IDENTIFIER ::= {ietf-at 5}
        
     -- Syntaxes (for use with LDAP accessible directories)
   pkcs-9-sx-pkcs9String              OBJECT IDENTIFIER ::= {pkcs-9-sx 1}
   pkcs-9-sx-signingTime              OBJECT IDENTIFIER ::= {pkcs-9-sx 2}
        
     -- Matching rules
   pkcs-9-mr-caseIgnoreMatch          OBJECT IDENTIFIER ::= {pkcs-9-mr 1}
   pkcs-9-mr-signingTimeMatch         OBJECT IDENTIFIER ::= {pkcs-9-mr 2}
        
     -- Arcs with attributes defined elsewhere
   smime                              OBJECT IDENTIFIER ::= {pkcs-9 16}
     -- Main arc for S/MIME (RFC 2633)
   certTypes                          OBJECT IDENTIFIER ::= {pkcs-9 22}
     -- Main arc for certificate types defined in PKCS #12
   crlTypes                           OBJECT IDENTIFIER ::= {pkcs-9 23}
     -- Main arc for crl types defined in PKCS #12

     -- Other object identifiers
   id-at-pseudonym                    OBJECT IDENTIFIER ::= {id-at 65}
        

-- Useful types


   PKCS9String {INTEGER : maxSize} ::= CHOICE {
           ia5String IA5String (SIZE(1..maxSize)),
           directoryString DirectoryString {maxSize}
   }
        

-- Object classes


   pkcsEntity OBJECT-CLASS ::= {
           SUBCLASS OF     { top }
           KIND            auxiliary
           MAY CONTAIN     { PKCSEntityAttributeSet }
           ID              pkcs-9-oc-pkcsEntity
   }
        
   naturalPerson OBJECT-CLASS ::= {
           SUBCLASS OF     { top }
           KIND            auxiliary
           MAY CONTAIN     { NaturalPersonAttributeSet }
           ID              pkcs-9-oc-naturalPerson
   }
        

-- Attribute sets


   PKCSEntityAttributeSet ATTRIBUTE ::= {
           pKCS7PDU |
           userPKCS12 |
           pKCS15Token |
           encryptedPrivateKeyInfo,
           ... -- For future extensions
   }
        
   NaturalPersonAttributeSet ATTRIBUTE ::= {
           emailAddress |
           unstructuredName |
           unstructuredAddress |
           dateOfBirth |
           placeOfBirth |
           gender |
           countryOfCitizenship |
           countryOfResidence |
           pseudonym |
           serialNumber,
           ... -- For future extensions
   }
        

-- Attributes


   pKCS7PDU ATTRIBUTE ::= {
           WITH SYNTAX ContentInfo
           ID pkcs-9-at-pkcs7PDU
   }
        
   userPKCS12 ATTRIBUTE ::= {
           WITH SYNTAX PFX
           ID pkcs-9-at-userPKCS12
   }
        
   pKCS15Token ATTRIBUTE ::= {
           WITH SYNTAX PKCS15Token
           ID pkcs-9-at-pkcs15Token
   }
        
   encryptedPrivateKeyInfo ATTRIBUTE ::= {
           WITH SYNTAX EncryptedPrivateKeyInfo
           ID pkcs-9-at-encryptedPrivateKeyInfo
   }
        
   emailAddress ATTRIBUTE ::= {
           WITH SYNTAX IA5String (SIZE(1..pkcs-9-ub-emailAddress))
           EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
           ID pkcs-9-at-emailAddress
   }
        
   unstructuredName ATTRIBUTE ::= {
           WITH SYNTAX PKCS9String {pkcs-9-ub-unstructuredName}
           EQUALITY MATCHING RULE pkcs9CaseIgnoreMatch
           ID pkcs-9-at-unstructuredName
   }
        
   unstructuredAddress ATTRIBUTE ::= {
           WITH SYNTAX DirectoryString {pkcs-9-ub-unstructuredAddress}
           EQUALITY MATCHING RULE caseIgnoreMatch
           ID pkcs-9-at-unstructuredAddress
   }
        
   dateOfBirth ATTRIBUTE ::= {
           WITH SYNTAX GeneralizedTime
           EQUALITY MATCHING RULE generalizedTimeMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-dateOfBirth
   }
        
   placeOfBirth ATTRIBUTE ::= {
           WITH SYNTAX DirectoryString {pkcs-9-ub-placeOfBirth}
           EQUALITY MATCHING RULE caseExactMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-placeOfBirth
   }
        
   gender ATTRIBUTE ::= {
           WITH SYNTAX PrintableString (SIZE(1) ^
                       FROM ("M" | "F" | "m" | "f"))
           EQUALITY MATCHING RULE caseIgnoreMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-gender
   }
        
   countryOfCitizenship ATTRIBUTE ::= {
           WITH SYNTAX PrintableString (SIZE(2))(CONSTRAINED BY {
           -- Must be a two-letter country acronym in accordance with
           -- ISO/IEC 3166 --})
           EQUALITY MATCHING RULE caseIgnoreMatch
           ID pkcs-9-at-countryOfCitizenship
   }
        
   countryOfResidence ATTRIBUTE ::= {
           WITH SYNTAX PrintableString (SIZE(2))(CONSTRAINED BY {
           -- Must be a two-letter country acronym in accordance with
           -- ISO/IEC 3166 --})
           EQUALITY MATCHING RULE caseIgnoreMatch
           ID pkcs-9-at-countryOfResidence
   }
        
   pseudonym ATTRIBUTE ::= {
           WITH SYNTAX DirectoryString {pkcs-9-ub-pseudonym}
           EQUALITY MATCHING RULE caseExactMatch
           ID id-at-pseudonym
   }
        
   contentType ATTRIBUTE ::= {
           WITH SYNTAX ContentType
           EQUALITY MATCHING RULE objectIdentifierMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-contentType
   }
        
   ContentType ::= OBJECT IDENTIFIER
        
   messageDigest ATTRIBUTE ::= {
           WITH SYNTAX MessageDigest
           EQUALITY MATCHING RULE octetStringMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-messageDigest
   }
        
   MessageDigest ::= OCTET STRING
        
   signingTime ATTRIBUTE ::= {
           WITH SYNTAX SigningTime
           EQUALITY MATCHING RULE signingTimeMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-signingTime
   }
        
   SigningTime ::= Time -- imported from ISO/IEC 9594-8
        
   randomNonce ATTRIBUTE ::= {
           WITH SYNTAX RandomNonce
           EQUALITY MATCHING RULE octetStringMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-randomNonce
   }
        
   RandomNonce ::= OCTET STRING (SIZE(4..MAX))
           -- At least four bytes long
        
   sequenceNumber ATTRIBUTE ::= {
           WITH SYNTAX SequenceNumber
           EQUALITY MATCHING RULE integerMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-sequenceNumber
   }
        
   SequenceNumber ::= INTEGER (1..MAX)
        
   counterSignature ATTRIBUTE ::= {
           WITH SYNTAX SignerInfo
           ID pkcs-9-at-counterSignature
   }
        
   challengePassword ATTRIBUTE ::= {
           WITH SYNTAX DirectoryString {pkcs-9-ub-challengePassword}
           EQUALITY MATCHING RULE caseExactMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-challengePassword
   }
        
   extensionRequest ATTRIBUTE ::= {
           WITH SYNTAX ExtensionRequest
           SINGLE VALUE TRUE
           ID pkcs-9-at-extensionRequest
   }
        
   ExtensionRequest ::= Extensions
        
   extendedCertificateAttributes ATTRIBUTE ::= {
           WITH SYNTAX SET OF Attribute
           SINGLE VALUE TRUE
           ID pkcs-9-at-extendedCertificateAttributes
   }
        
   friendlyName ATTRIBUTE ::= {
           WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
           EQUALITY MATCHING RULE caseIgnoreMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-friendlyName
   }
        
   localKeyId ATTRIBUTE ::= {
           WITH SYNTAX OCTET STRING
           EQUALITY MATCHING RULE octetStringMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-localKeyId
   }
        
   signingDescription ATTRIBUTE ::= {
           WITH SYNTAX DirectoryString {pkcs-9-ub-signingDescription}
           EQUALITY MATCHING RULE caseIgnoreMatch
           SINGLE VALUE TRUE
           ID pkcs-9-at-signingDescription
   }
        
   smimeCapabilities ATTRIBUTE ::= {
           WITH SYNTAX SMIMECapabilities
           SINGLE VALUE TRUE
           ID pkcs-9-at-smimeCapabilities
   }
        
   SMIMECapabilities ::= SEQUENCE OF SMIMECapability
        
   SMIMECapability ::= SEQUENCE {
           algorithm  ALGORITHM.&id ({SMIMEv3Algorithms}),
           parameters ALGORITHM.&Type ({SMIMEv3Algorithms}{@algorithm})
   }
        
   SMIMEv3Algorithms ALGORITHM ::= {...-- See RFC 2633 --}
        

-- Matching rules


   pkcs9CaseIgnoreMatch MATCHING-RULE ::= {
           SYNTAX PKCS9String {pkcs-9-ub-match}
           ID pkcs-9-mr-caseIgnoreMatch
   }
        
   signingTimeMatch MATCHING-RULE ::= {
           SYNTAX SigningTime
           ID pkcs-9-mr-signingTimeMatch
   }
        

END


B. BNF schema summary

This appendix provides augmented BNF [2] definitions of the object classes and most attribute types specified in this document along with their associated syntaxes and matching rules. The ABNF definitions have been done in accordance with [21], in an attempt to ease integration with LDAP-accessible Directory systems. Lines have been folded in some cases to improve readability.

B.1 Syntaxes

This section defines all syntaxes that are used in this document.


B.1.1 PKCS9String

( 1.2.840.113549.1.9.26.1 DESC 'PKCS9String' )


The encoding of a value in this syntax is the string value itself.


B.1.2 SigningTime

( 1.2.840.113549.1.9.26.2 DESC 'SigningTime' )


Values in this syntax are encoded as printable strings, represented as specified in [5]. Note that the time zone must be specified. For example, "199412161032Z".

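As an added example (not part of RFC 2985 or of any RSA Laboratories code), the block below encodes and validates the three PKCS #9 attributes a PKCS #7 SignerInfo carries as signed attributes, enforcing the module's SINGLE VALUE TRUE and WITH SYNTAX constraints and the B.1.2 rule that a SigningTime must carry its time zone; it goes beyond B.1.2 by covering contentType and messageDigest as well. The DER helpers and the sample digest are constructed for the example.

```python
import re

PKCS9_CONTENT_TYPE = "1.2.840.113549.1.9.3"    # pkcs-9-at-contentType
PKCS9_MESSAGE_DIGEST = "1.2.840.113549.1.9.4"  # pkcs-9-at-messageDigest
PKCS9_SIGNING_TIME = "1.2.840.113549.1.9.5"    # pkcs-9-at-signingTime
OCTET_STRING, OID, UTCTIME, GENTIME, SEQUENCE, SET = 0x04, 0x06, 0x17, 0x18, 0x30, 0x31
# ASN.1 tag(s) each of these SINGLE VALUE TRUE attributes may carry (WITH SYNTAX).
EXPECTED = {PKCS9_CONTENT_TYPE: (OID,), PKCS9_MESSAGE_DIGEST: (OCTET_STRING,),
            PKCS9_SIGNING_TIME: (UTCTIME, GENTIME)}
# SigningTime text forms (appendix B.1.2); the trailing "Z" time zone is mandatory.
_GEN = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?Z$")
_UTC = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})?Z$")

def der_tlv(tag, body):
    """Tag, DER definite length (short or long form), contents."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_oid(dotted):
    """OBJECT IDENTIFIER TLV: first two arcs share one byte, the rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return der_tlv(OID, bytes(out))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_tlv(buf, pos=0):
    """Return (tag, contents, position after the element) for the DER element at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + ln], pos + ln

def signing_time_kind(text):
    """'generalizedTime', 'utcTime', or None when malformed or lacking the time zone."""
    for kind, pat in (("generalizedTime", _GEN), ("utcTime", _UTC)):
        m = pat.match(text)
        if m and 1 <= int(m[2]) <= 12 and 1 <= int(m[3]) <= 31 and int(m[4]) < 24 \
                and int(m[5]) < 60 and (m[6] is None or int(m[6]) < 60):
            return kind
    return None

def encode_signed_attrs(content_type_oid, digest, signing_time):
    """SET OF Attribute for a SignerInfo; elements sorted as DER requires for SET OF."""
    def attribute(oid, values_der):  # Attribute ::= SEQUENCE { type OID, values SET OF }
        return der_tlv(SEQUENCE, encode_oid(oid) + der_tlv(SET, values_der))
    kind = signing_time_kind(signing_time)
    if kind is None:
        raise ValueError("signingTime must be YYMMDDhhmm[ss]Z or YYYYMMDDhhmm[ss]Z")
    time_tag = GENTIME if kind == "generalizedTime" else UTCTIME
    attrs = [attribute(PKCS9_CONTENT_TYPE, encode_oid(content_type_oid)),
             attribute(PKCS9_MESSAGE_DIGEST, der_tlv(OCTET_STRING, digest)),
             attribute(PKCS9_SIGNING_TIME, der_tlv(time_tag, signing_time.encode()))]
    return der_tlv(SET, b"".join(sorted(attrs)))

def validate_signed_attrs(der):
    """Parse a SET OF Attribute, enforce the module's constraints, return {oid: value}."""
    _, body, _ = parse_tlv(der)
    found, pos = {}, 0
    while pos < len(body):
        atag, attr, pos = parse_tlv(body, pos)
        otag, oid_body, p = parse_tlv(attr)
        stag, values, _ = parse_tlv(attr, p)
        if (atag, otag, stag) != (SEQUENCE, OID, SET):
            raise ValueError("Attribute must be SEQUENCE { OBJECT IDENTIFIER, SET }")
        oid = decode_oid(oid_body)
        if oid in found:
            raise ValueError(f"attribute {oid} appears more than once")
        vals, vp = [], 0
        while vp < len(values):
            vtag, vbody, vp = parse_tlv(values, vp)
            vals.append((vtag, vbody))
        if oid not in EXPECTED:
            found[oid] = vals  # attribute not covered here: keep raw (tag, contents) pairs
        elif len(vals) != 1:  # the module declares these SINGLE VALUE TRUE
            raise ValueError(f"{oid} is single-valued but carries {len(vals)} values")
        elif vals[0][0] not in EXPECTED[oid]:
            raise ValueError(f"{oid} carries a value of the wrong ASN.1 type")
        elif oid == PKCS9_SIGNING_TIME and not signing_time_kind(vals[0][1].decode("ascii", "replace")):
            raise ValueError("signingTime must carry a time zone, e.g. 199412161032Z")
        else:  # contentType is returned dotted; messageDigest and signingTime as raw bytes
            found[oid] = decode_oid(vals[0][1]) if oid == PKCS9_CONTENT_TYPE else vals[0][1]
    return found
```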

B.2 Object classes

B.2.1 pkcsEntity

( 1.2.840.113549.1.9.24.1 NAME 'pkcsEntity' SUP top AUXILIARY MAY ( pKCS7PDU $ userPKCS12 $ pKCS15Token $ encryptedPrivateKeyInfo ) )


B.2.2 naturalPerson

( 1.2.840.113549.1.9.24.2 NAME 'naturalPerson' SUP top AUXILIARY MAY ( emailAddress $ unstructuredName $ unstructuredAddress $ dateOfBirth $ placeOfBirth $ gender $ countryOfCitizenship $ countryOfResidence $ pseudonym $ serialNumber ) )

B.3 Attribute types

B.3.1 pKCS7PDU

This attribute is to be stored and requested in binary form, as pKCS7PDU;binary. The attribute values are BER- or DER-encoded ContentInfo values.


( 1.2.840.113549.1.9.25.5 NAME 'pKCS7PDU' DESC 'PKCS #7 ContentInfo PDU' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )


B.3.2 userPKCS12

This attribute is to be stored and requested in binary form, as userPKCS12;binary. The attribute values are PFX PDUs stored as binary (BER- or DER-encoded) data.


( 2.16.840.1.113730.3.1.216 NAME 'userPKCS12' DESC 'PKCS #12 PFX PDU for exchange of personal information' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )


B.3.3 pKCS15Token

This attribute is to be stored and requested in binary form, as pKCS15Token;binary. The attribute values are PKCS15Token PDUs stored as binary (BER- or DER-encoded) data.


( 1.2.840.113549.1.9.25.1 NAME 'pKCS15Token' DESC 'PKCS #15 token PDU' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )


B.3.4 encryptedPrivateKeyInfo

This attribute is to be stored and requested in binary form, as encryptedPrivateKeyInfo;binary. The attribute values are EncryptedPrivateKeyInfo PDUs stored as binary (BER- or DER-encoded) data.


( 1.2.840.113549.1.9.25.2 NAME 'encryptedPrivateKeyInfo' DESC 'PKCS #8 encrypted private key info' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )


B.3.5 emailAddress

( 1.2.840.113549.1.9.1 NAME 'emailAddress' DESC 'Email address' EQUALITY pkcs9CaseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )


B.3.6 unstructuredName

( 1.2.840.113549.1.9.2 NAME 'unstructuredName' DESC 'PKCS #9 unstructured name' EQUALITY pkcs9CaseIgnoreMatch SYNTAX 1.2.840.113549.1.9.26.1 )


B.3.7 unstructuredAddress

( 1.2.840.113549.1.9.8 NAME 'unstructuredAddress' DESC 'PKCS #9 unstructured address' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


B.3.8 dateOfBirth

( 1.3.6.1.5.5.7.9.1 NAME 'dateOfBirth' DESC 'Date of birth' EQUALITY generalizedTimeMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )


B.3.9 placeOfBirth

( 1.3.6.1.5.5.7.9.2 NAME 'placeOfBirth' DESC 'Place of birth' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )


B.3.10 gender

( 1.3.6.1.5.5.7.9.3 NAME 'gender' DESC 'Gender' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 SINGLE-VALUE )


B.3.11 countryOfCitizenship

( 1.3.6.1.5.5.7.9.4 NAME 'countryOfCitizenship' DESC 'Country of citizenship' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )


B.3.12 countryOfResidence

( 1.3.6.1.5.5.7.9.5 NAME 'countryOfResidence' DESC 'Country of residence' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )


B.3.13 pseudonym

( 2.5.4.65 NAME 'pseudonym' DESC 'Pseudonym' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )


B.3.14 contentType

In the (highly unlikely) event of this attribute being stored in a Directory it is to be stored and requested in binary form, as contentType;binary. Attribute values shall be OCTET STRINGs stored as binary (BER- or DER-encoded) data.


( 1.2.840.113549.1.9.3 NAME 'contentType' DESC 'PKCS #7 content type attribute' EQUALITY objectIdentifierMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.38 SINGLE-VALUE )


B.3.15 messageDigest

In the (highly unlikely) event of this attribute being stored in a Directory it is to be stored and requested in binary form, as messageDigest;binary. Attribute values shall be OCTET STRINGs stored as binary (BER- or DER-encoded) data.


( 1.2.840.113549.1.9.4 NAME 'messageDigest' DESC 'PKCS #7 message digest attribute' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 SINGLE-VALUE )

B.3.16 signingTime

( 1.2.840.113549.1.9.5 NAME 'signingTime' DESC 'PKCS #7 signing time' EQUALITY signingTimeMatch SYNTAX 1.2.840.113549.1.9.26.2 SINGLE-VALUE )


B.3.17 counterSignature

In the (highly unlikely) event that this attribute is to be stored in a directory, it is to be stored and requested in binary form, as counterSignature;binary. Attribute values shall be stored as binary (BER- or DER-encoded) data.


( 1.2.840.113549.1.9.6 NAME 'counterSignature' DESC 'PKCS #7 countersignature' SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )


B.3.18 challengePassword

( 1.2.840.113549.1.9.7 NAME 'challengePassword' DESC 'Challenge password for certificate revocations' EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )


Note - It is not recommended to store unprotected values of this attribute in a directory.


B.4 Matching rules

B.4.1 pkcs9CaseIgnoreMatch

( 1.2.840.113549.1.9.27.1 NAME 'pkcs9CaseIgnoreMatch' SYNTAX 1.2.840.113549.1.9.26.1 )


B.4.2 signingTimeMatch

( 1.2.840.113549.1.9.27.3 NAME 'signingTimeMatch' SYNTAX 1.2.840.113549.1.9.26.2 )


C. Intellectual property considerations


RSA Security makes no patent claims on the general constructions described in this document, although specific underlying techniques may be covered.


License to copy this document is granted provided that it is identified as "RSA Security Inc. Public-Key Cryptography Standards (PKCS)" in all material mentioning or referencing this document.


RSA Security makes no representations regarding intellectual property claims by other parties. Such determination is the responsibility of the user.


D. Revision history


Version 1.0


Version 1.0 was part of the June 3, 1991 initial public release of PKCS. Version 1.0 was also published as NIST/OSI Implementors' Workshop document SEC-SIG-91-24.


Version 1.1


Version 1.1 incorporated several editorial changes, including updates to the references and the addition of a revision history. The following substantive changes were made:


- Section 6: challengePassword, unstructuredAddress, and extendedCertificateAttributes attribute types were added
- Section 7: challengePassword, unstructuredAddress, and extendedCertificateAttributes object identifiers were added

Version 2.0


Version 2.0 incorporates several editorial changes as well. In addition, the following substantive changes have been made:


- Addition of a Section defining two new auxiliary object classes, pkcsEntity and naturalPerson
- Addition of several new attribute types and matching rules for use in conjunction with these object classes and elsewhere
- Update of all ASN.1 to be in line with the 1997 version of this syntax
- Addition of a "compilable" ASN.1 module
- Addition, in accordance with [21], of an ABNF description of all attributes and object classes
- Addition of an intellectual property considerations section

E. References


[1] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.


[2] Crocker, D. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", RFC 2234, November 1997.


[3] Housley, R., "Cryptographic Message Syntax CMS", RFC 2630, June 1999.


[4] ISO/IEC 3166-1:Codes for the representation of names of countries and their subdivisions - Part 1: Country codes. 1997.


[5] ISO/IEC 8824-1:1999: Information technology - Abstract Syntax Notation One (ASN.1) - Specification of basic notation.1999.


[6] ISO/IEC 8825-1:1999: Information technology - ASN.1 Encoding Rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER). 1999.


[7] ISO/IEC 9594-2:1997: Information technology - Open Systems Interconnection - The Directory: Models. 1997.


[8] ISO/IEC 9594-6:1997: Information technology - Open Systems Interconnection - The Directory: Selected attribute types. 1997.


[9] ISO/IEC 9594-7:1997: Information technology - Open Systems Interconnection - The Directory: Selected object classes. 1997.


[10] ISO/IEC 9594-8:1997: Information technology - Open Systems Interconnection - The Directory: Authentication framework. 1997.


[11] ISO/IEC 10646-1: Information Technology - Universal Multiple-Octet Coded Character Set (UCS) - Part 1: Architecture and Basic Multilingual Plane. 1993.


[12] Ramsdell, R., "S/MIME Version 3 Message Specification", RFC 2633, June 1999.


[13] RSA Laboratories. PKCS #6: Extended-Certificate Syntax Standard. Version 1.5, November 1993.


[14] RSA Laboratories. PKCS #7: Cryptographic Message Syntax Standard. Version 1.5, November 1993.


[15] RSA Laboratories. PKCS #8: Private-Key Information Syntax Standard. Version 1.2, November 1993.


[16] RSA Laboratories. PKCS #10: Certification Request Syntax Standard. Version 1.0, November 1993.


[17] RSA Laboratories. PKCS #12: Personal Information Exchange Syntax Standard. Version 1.0, June 1999.


[18] RSA Laboratories. PKCS #15: Cryptographic Token Information Format Standard. Version 1.1, June 2000.


[19] Santesson, S., Polk, W., Barzin, P. and M. Nystrom, "Internet X.509 Public Key Infrastructure - Qualified Certificates Profile", Work in Progress.


[20] Smith, M. "Definition of the inetOrgPerson LDAP Object Class", RFC 2798, April 2000.


[21] Wahl, M., Coulbeck, A., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3): Attribute Syntax Definitions", RFC 2252, December 1997.

[22] Wahl, M., Howes, T. and S. Kille, "Lightweight Directory Access Protocol (v3)", RFC 2251, December 1997.

F. Contact information & About PKCS

The Public-Key Cryptography Standards are specifications produced by RSA Laboratories in cooperation with secure systems developers worldwide for the purpose of accelerating the deployment of public-key cryptography. First published in 1991 as a result of meetings with a small group of early adopters of public-key technology, the PKCS documents have become widely referenced and implemented. Contributions from the PKCS series have become part of many formal and de facto standards, including ANSI X9 documents, PKIX, SET, S/MIME, and SSL.

Further development of PKCS occurs through mailing list discussions and occasional workshops, and suggestions for improvement are welcome. For more information, contact:

   PKCS Editor
   RSA Laboratories
   20 Crosby Drive
   Bedford, MA 01730 USA
   pkcs-editor@rsasecurity.com
   http://www.rsasecurity.com/rsalabs/PKCS

Full Copyright Statement

Copyright (C) The Internet Society (2000). All Rights Reserved.

This document and translations of it may be copied and furnished to others provided that the above copyright notice and this paragraph are included on all such copies. However, this document itself may not be modified in any way, such as by removing the copyright notice or references to the Internet Society or other Internet organizations, except as required to translate it into languages other than English.

The limited permissions granted above are perpetual and will not be revoked by the Internet Society or its successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

Acknowledgement

Funding for the RFC Editor function is currently provided by the Internet Society.
