rfc9654v2.txt   rfc9654.txt 
32-octet Nonce in hexadecimal format.

   30 2f 06 09 2b 06 01 05 05 07 30 01 02 04 22 04
   20 dd 49 d4 07 2c 44 9d a1 c3 17 bd 1c 1b df fe
   db e1 50 31 2e c4 cd 0a dd 18 e5 bd 6f 84 bf 14
   c8

Here is the decoded version of the above example. Offset, Length,
and Object Identifier are in decimal.

   Offset Length
        0     47 : SEQUENCE {
        2      9 :   OBJECT IDENTIFIER ocspNonce
                 :     (1 3 6 1 5 5 7 48 1 2)
       13     34 :   OCTET STRING, encapsulates {
       15     32 :     OCTET STRING
                 :       DD 49 D4 07 2C 44 9D A1 C3 17 BD 1C 1B DF FE DB
                 :       E1 50 31 2E C4 CD 0A DD 18 E5 BD 6F 84 BF 14 C8
                 :     }
                 :   }
3. Security Considerations

The security considerations of OCSP, in general, are described in
[RFC6960]. During the interval in which the previous OCSP response
for a certificate is not expired but the responder has a changed
status for that certificate, a copy of that OCSP response can be used
to indicate that the status of the certificate is still valid.
Including a requester's nonce value in the OCSP response ensures that
the response is the most recent response from the server and not an
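The hex dump above and the freshness argument of Section 3, worked through in Python as an added example that is not part of RFC 9654 or any library: the code parses the DER Extension from the dump, checks that extnID is id-pkix-ocsp-nonce and that the encapsulated Nonce respects SIZE(1..128), and rejects a response whose echoed nonce does not match the one the requester sent. The DER helpers and the function names (der_tlv, encode_nonce_extension, parse_nonce_extension, response_is_fresh) are this example's own.

```python
# Added example: encode, decode and check the OCSP nonce Extension of RFC 9654.
# DER helpers, function names and the freshness-check API are this example's own.
import secrets

# id-pkix-ocsp-nonce ::= { id-pkix-ocsp 2 }, i.e. 1.3.6.1.5.5.7.48.1.2.  DER is
# canonical, so the OID can be matched on its content octets directly.
OID_NONCE_DER = bytes.fromhex("2b0601050507300102")
NONCE_MIN, NONCE_MAX = 1, 128  # Nonce ::= OCTET STRING (SIZE(1..128))

# The 49-octet Extension from the RFC's hex dump, joined into one string.
EXAMPLE_EXTENSION_HEX = ("302f06092b0601050507300102042204"
                         "20dd49d4072c449da1c317bd1c1bdffe"
                         "dbe150312ec4cd0add18e5bd6f84bf14c8")


def der_tlv(buf: bytes, off: int):
    """Parse one single-octet-tag DER TLV at `off`; return (tag, value, next)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first, off = buf[off], buf[off + 1], off + 2
    if first < 0x80:  # short-form length
        length = first
    else:  # long form: 0x80|n followed by n length octets
        n = first & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("indefinite, oversized or truncated DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        if length < 0x80 or buf[off] == 0:
            raise ValueError("non-minimal length is BER, not DER")
        off += n
    if off + length > len(buf):
        raise ValueError("DER value runs past end of buffer")
    return tag, buf[off:off + length], off + length


def der(tag: int, value: bytes) -> bytes:
    """Wrap `value` in a DER tag with a minimal-length encoding."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value


def encode_nonce_extension(nonce: bytes) -> bytes:
    """Build the Extension a requester places in requestExtensions."""
    if not NONCE_MIN <= len(nonce) <= NONCE_MAX:
        raise ValueError("Nonce must be 1..128 octets")
    # Extension ::= SEQUENCE { extnID, [critical DEFAULT FALSE: omitted], extnValue }
    # extnValue is an OCTET STRING that wraps the DER encoding of Nonce.
    return der(0x30, der(0x06, OID_NONCE_DER) + der(0x04, der(0x04, nonce)))


def parse_nonce_extension(ext: bytes) -> bytes:
    """Return the Nonce from a DER id-pkix-ocsp-nonce Extension, or raise."""
    tag, body, end = der_tlv(ext, 0)
    if tag != 0x30 or end != len(ext):
        raise ValueError("Extension must be exactly one SEQUENCE")
    tag, oid, off = der_tlv(body, 0)
    if tag != 0x06 or oid != OID_NONCE_DER:
        raise ValueError("extnID is not id-pkix-ocsp-nonce")
    tag, val, off = der_tlv(body, off)
    if tag == 0x01:  # critical TRUE is present; step over it
        tag, val, off = der_tlv(body, off)
    if tag != 0x04 or off != len(body):
        raise ValueError("extnValue must be the final OCTET STRING")
    tag, nonce, end = der_tlv(val, 0)  # extnValue encapsulates DER(Nonce)
    if tag != 0x04 or end != len(val):
        raise ValueError("extnValue must encapsulate one OCTET STRING")
    if not NONCE_MIN <= len(nonce) <= NONCE_MAX:
        raise ValueError(f"Nonce length {len(nonce)} violates SIZE(1..128)")
    return nonce


def response_is_fresh(request_nonce: bytes, response_ext: bytes) -> bool:
    """Section 3 check: accept only a response that echoes our own nonce."""
    try:
        return secrets.compare_digest(parse_nonce_extension(response_ext), request_nonce)
    except ValueError:  # malformed, wrong OID or out-of-range nonce: reject
        return False
```

A replayed response carrying a stale or absent nonce fails response_is_fresh even when its signature is valid, which is exactly the property Section 3 relies on.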
Appendix A.2 includes an ASN.1 module, corresponding to the module
present in Appendix A.1, that conforms to the 2008 version of ASN.1.
This module replaces the modules in Section 4 of [RFC5912] and
Appendix B.2 of [RFC6960]. Although a 2008 ASN.1 module is provided,
the module in Appendix A.1 remains the normative module per the
policy of the PKIX Working Group.
A.1. OCSP in ASN.1 - 1998 Syntax
<CODE BEGINS>
OCSP-2024-88
  { iso(1) identified-organization(3) dod(6) internet(1)
    security(5) mechanisms(5) pkix(7) id-mod(0)
    id-mod-ocsp-2024-88(111) }

DEFINITIONS EXPLICIT TAGS ::=

BEGIN

IMPORTS

  AuthorityInfoAccessSyntax, CRLReason, GeneralName
  FROM PKIX1Implicit88 -- From [RFC5280]
    { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7)
      id-mod(0) id-pkix1-implicit(19) }

  Name, CertificateSerialNumber, Extensions,
  id-kp, id-ad-ocsp, Certificate, AlgorithmIdentifier
  FROM PKIX1Explicit88 -- From [RFC5280]
    { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7)
      id-mod(0) id-pkix1-explicit(18) } ;

OCSPRequest ::= SEQUENCE {
  tbsRequest         TBSRequest,
  optionalSignature  [0] EXPLICIT Signature OPTIONAL }

TBSRequest ::= SEQUENCE {
  version            [0] EXPLICIT Version DEFAULT v1,
  requestorName      [1] EXPLICIT GeneralName OPTIONAL,
  requestList        SEQUENCE OF Request,
  requestExtensions  [2] EXPLICIT Extensions OPTIONAL }

Signature ::= SEQUENCE {
  signatureAlgorithm  AlgorithmIdentifier,
  signature           BIT STRING,
  certs               [0] EXPLICIT SEQUENCE OF
                          Certificate OPTIONAL }

Version ::= INTEGER { v1(0) }

Nonce ::= OCTET STRING (SIZE(1..128))

Request ::= SEQUENCE {
  reqCert                  CertID,
  singleRequestExtensions  [0] EXPLICIT
                               Extensions OPTIONAL }

CertID ::= SEQUENCE {
  hashAlgorithm   AlgorithmIdentifier,
  issuerNameHash  OCTET STRING, -- Hash of issuer's DN
  issuerKeyHash   OCTET STRING, -- Hash of issuer's public key
  serialNumber    CertificateSerialNumber }

OCSPResponse ::= SEQUENCE {
  responseStatus  OCSPResponseStatus,
  responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }

OCSPResponseStatus ::= ENUMERATED {
  successful        (0), -- Response has valid confirmations
  malformedRequest  (1), -- Illegal confirmation request
  internalError     (2), -- Internal error in issuer
  tryLater          (3), -- Try again later
                         -- (4) is not used
  sigRequired       (5), -- Must sign the request
  unauthorized      (6)  -- Request unauthorized
}

ResponseBytes ::= SEQUENCE {
  responseType  OBJECT IDENTIFIER,
  response      OCTET STRING }

BasicOCSPResponse ::= SEQUENCE {
  tbsResponseData     ResponseData,
  signatureAlgorithm  AlgorithmIdentifier,
  signature           BIT STRING,
  certs               [0] EXPLICIT SEQUENCE OF
                          Certificate OPTIONAL }

ResponseData ::= SEQUENCE {
  version             [0] EXPLICIT Version DEFAULT v1,
  responderID         ResponderID,
  producedAt          GeneralizedTime,
                        -- The format for GeneralizedTime is
                        -- as specified in Section 4.1.2.5.2
                        -- of [RFC5280]
  responses           SEQUENCE OF SingleResponse,
  responseExtensions  [1] EXPLICIT Extensions OPTIONAL }

ResponderID ::= CHOICE {
  byName  [1] Name,
  byKey   [2] KeyHash }

KeyHash ::= OCTET STRING
  -- SHA-1 hash of responder's public key (i.e., the
  -- SHA-1 hash of the value of the BIT STRING
  -- subjectPublicKey [excluding the tag, length, and
  -- number of unused bits] in the responder's
  -- certificate)

SingleResponse ::= SEQUENCE {
  certID            CertID,
  certStatus        CertStatus,
  thisUpdate        GeneralizedTime,
  nextUpdate        [0] EXPLICIT GeneralizedTime OPTIONAL,
  singleExtensions  [1] EXPLICIT Extensions OPTIONAL }

CertStatus ::= CHOICE {
  good     [0] IMPLICIT NULL,
  revoked  [1] IMPLICIT RevokedInfo,
  unknown  [2] IMPLICIT UnknownInfo }

RevokedInfo ::= SEQUENCE {
  revocationTime    GeneralizedTime,
  revocationReason  [0] EXPLICIT CRLReason OPTIONAL }

UnknownInfo ::= NULL

ArchiveCutoff ::= GeneralizedTime

AcceptableResponses ::= SEQUENCE OF OBJECT IDENTIFIER

ServiceLocator ::= SEQUENCE {
  issuer   Name,
  locator  AuthorityInfoAccessSyntax }

CrlID ::= SEQUENCE {
  crlUrl   [0] EXPLICIT IA5String OPTIONAL,
  crlNum   [1] EXPLICIT INTEGER OPTIONAL,
  crlTime  [2] EXPLICIT GeneralizedTime OPTIONAL }

PreferredSignatureAlgorithms ::= SEQUENCE OF
                                   PreferredSignatureAlgorithm

PreferredSignatureAlgorithm ::= SEQUENCE {
  sigIdentifier   AlgorithmIdentifier,
  certIdentifier  AlgorithmIdentifier OPTIONAL }

-- Object Identifiers

id-kp-OCSPSigning             OBJECT IDENTIFIER ::= { id-kp 9 }
id-pkix-ocsp                  OBJECT IDENTIFIER ::= { id-ad-ocsp }
id-pkix-ocsp-basic            OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
id-pkix-ocsp-nonce            OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
id-pkix-ocsp-crl              OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
id-pkix-ocsp-response         OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
id-pkix-ocsp-nocheck          OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
id-pkix-ocsp-archive-cutoff   OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
id-pkix-ocsp-service-locator  OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
id-pkix-ocsp-pref-sig-algs    OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 }
id-pkix-ocsp-extended-revoke  OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 }

END
<CODE ENDS>
A.2. OCSP in ASN.1 - 2008 Syntax
<CODE BEGINS>
OCSP-2024-08
  { iso(1) identified-organization(3) dod(6) internet(1)
    security(5) mechanisms(5) pkix(7) id-mod(0)
    id-mod-ocsp-2024-08(112) }

DEFINITIONS EXPLICIT TAGS ::=

BEGIN

IMPORTS

  Extensions{}, EXTENSION
  FROM PKIX-CommonTypes-2009 -- From [RFC5912]
    { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7)
      id-mod(0) id-mod-pkixCommon-02(57) }

  AlgorithmIdentifier{}, DIGEST-ALGORITHM,
  SIGNATURE-ALGORITHM, PUBLIC-KEY
  FROM AlgorithmInformation-2009 -- From [RFC5912]
    { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7)
      id-mod(0) id-mod-algorithmInformation-02(58) }

  AuthorityInfoAccessSyntax, GeneralName,
  CrlEntryExtensions, CRLReason
  FROM PKIX1Implicit-2009 -- From [RFC5912]
    { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7)
      id-mod(0) id-mod-pkix1-implicit-02(59) }

  Name, Certificate, CertificateSerialNumber,
  id-kp, id-ad-ocsp
  FROM PKIX1Explicit-2009 -- From [RFC5912]
    { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7)
      id-mod(0) id-mod-pkix1-explicit-02(51) }

  sa-dsaWithSHA1, sa-rsaWithMD2,
  sa-rsaWithMD5, sa-rsaWithSHA1
  FROM PKIXAlgs-2009 -- From [RFC5912]
    { iso(1) identified-organization(3) dod(6)
      internet(1) security(5) mechanisms(5) pkix(7)
      id-mod(0) id-mod-pkix1-algorithms2008-02(56) } ;

OCSPRequest ::= SEQUENCE {
  tbsRequest         TBSRequest,
  optionalSignature  [0] EXPLICIT Signature OPTIONAL }

TBSRequest ::= SEQUENCE {
  version            [0] EXPLICIT Version DEFAULT v1,
  requestorName      [1] EXPLICIT GeneralName OPTIONAL,
  requestList        SEQUENCE OF Request,
  requestExtensions  [2] EXPLICIT Extensions
                         {{ re-ocsp-nonce | re-ocsp-response |
                            re-ocsp-preferred-signature-algorithms,
                            ... }} OPTIONAL }

Signature ::= SEQUENCE {
  signatureAlgorithm  AlgorithmIdentifier
                        { SIGNATURE-ALGORITHM, {...}},
  signature           BIT STRING,
  certs               [0] EXPLICIT SEQUENCE OF
                          Certificate OPTIONAL }

Version ::= INTEGER { v1(0) }

Nonce ::= OCTET STRING (SIZE(1..128))

Request ::= SEQUENCE {
  reqCert                  CertID,
  singleRequestExtensions  [0] EXPLICIT Extensions
                               {{ re-ocsp-service-locator,
                                  ... }} OPTIONAL }

CertID ::= SEQUENCE {
  hashAlgorithm   AlgorithmIdentifier
                    { DIGEST-ALGORITHM, {...}},
  issuerNameHash  OCTET STRING, -- Hash of issuer's DN
  issuerKeyHash   OCTET STRING, -- Hash of issuer's public key
  serialNumber    CertificateSerialNumber }

OCSPResponse ::= SEQUENCE {
  responseStatus  OCSPResponseStatus,
  responseBytes   [0] EXPLICIT ResponseBytes OPTIONAL }

OCSPResponseStatus ::= ENUMERATED {
  successful        (0), -- Response has valid confirmations
  malformedRequest  (1), -- Illegal confirmation request
  internalError     (2), -- Internal error in issuer
  tryLater          (3), -- Try again later
                         -- (4) is not used
  sigRequired       (5), -- Must sign the request
  unauthorized      (6)  -- Request unauthorized
}

RESPONSE ::= TYPE-IDENTIFIER

ResponseSet RESPONSE ::= { basicResponse, ... }

ResponseBytes ::= SEQUENCE {
  responseType  RESPONSE.&id ({ResponseSet}),
  response      OCTET STRING (CONTAINING RESPONSE.
                  &Type({ResponseSet}{@responseType}))}

basicResponse RESPONSE ::=
  { BasicOCSPResponse IDENTIFIED BY id-pkix-ocsp-basic }

BasicOCSPResponse ::= SEQUENCE {
  tbsResponseData     ResponseData,
  signatureAlgorithm  AlgorithmIdentifier
                        { SIGNATURE-ALGORITHM,
                          { sa-dsaWithSHA1 |
                            sa-rsaWithSHA1 |
                            sa-rsaWithMD5 |
                            sa-rsaWithMD2,
                            ... }},
  signature           BIT STRING,
  certs               [0] EXPLICIT SEQUENCE OF
                          Certificate OPTIONAL }

ResponseData ::= SEQUENCE {
  version             [0] EXPLICIT Version DEFAULT v1,
  responderID         ResponderID,
  producedAt          GeneralizedTime,
  responses           SEQUENCE OF SingleResponse,
  responseExtensions  [1] EXPLICIT Extensions
                          {{ re-ocsp-nonce |
                             re-ocsp-extended-revoke,
                             ... }} OPTIONAL }

ResponderID ::= CHOICE {
  byName  [1] Name,
  byKey   [2] KeyHash }

KeyHash ::= OCTET STRING
  -- SHA-1 hash of responder's public key
  -- (excluding the tag and length and number
  -- of unused bits)

SingleResponse ::= SEQUENCE {
  certID            CertID,
  certStatus        CertStatus,
  thisUpdate        GeneralizedTime,
  nextUpdate        [0] EXPLICIT GeneralizedTime OPTIONAL,
  singleExtensions  [1] EXPLICIT Extensions
                        {{ re-ocsp-crl |
                           re-ocsp-archive-cutoff |
                           CrlEntryExtensions,
                           ... }} OPTIONAL }

CertStatus ::= CHOICE {
  good     [0] IMPLICIT NULL,
  revoked  [1] IMPLICIT RevokedInfo,
  unknown  [2] IMPLICIT UnknownInfo }

RevokedInfo ::= SEQUENCE {
  revocationTime    GeneralizedTime,
  revocationReason  [0] EXPLICIT CRLReason OPTIONAL }

UnknownInfo ::= NULL

ArchiveCutoff ::= GeneralizedTime

AcceptableResponses ::= SEQUENCE OF RESPONSE.&id({ResponseSet})

ServiceLocator ::= SEQUENCE {
  issuer   Name,
  locator  AuthorityInfoAccessSyntax }

CrlID ::= SEQUENCE {
  crlUrl   [0] EXPLICIT IA5String OPTIONAL,
  crlNum   [1] EXPLICIT INTEGER OPTIONAL,
  crlTime  [2] EXPLICIT GeneralizedTime OPTIONAL }

PreferredSignatureAlgorithms ::= SEQUENCE OF
                                   PreferredSignatureAlgorithm

PreferredSignatureAlgorithm ::= SEQUENCE {
  sigIdentifier   AlgorithmIdentifier
                    { SIGNATURE-ALGORITHM, {...} },
  certIdentifier  AlgorithmIdentifier {PUBLIC-KEY, {...}}
                    OPTIONAL }

-- Certificate Extensions

ext-ocsp-nocheck EXTENSION ::= {
  SYNTAX NULL IDENTIFIED BY id-pkix-ocsp-nocheck }

-- Request Extensions

re-ocsp-nonce EXTENSION ::= {
  SYNTAX Nonce IDENTIFIED BY id-pkix-ocsp-nonce }

re-ocsp-response EXTENSION ::= {
  SYNTAX AcceptableResponses IDENTIFIED BY
    id-pkix-ocsp-response }

re-ocsp-service-locator EXTENSION ::= {
  SYNTAX ServiceLocator IDENTIFIED BY
    id-pkix-ocsp-service-locator }

re-ocsp-preferred-signature-algorithms EXTENSION ::= {
  SYNTAX PreferredSignatureAlgorithms IDENTIFIED BY
    id-pkix-ocsp-pref-sig-algs }

-- Response Extensions

re-ocsp-crl EXTENSION ::= {
  SYNTAX CrlID IDENTIFIED BY id-pkix-ocsp-crl }

re-ocsp-archive-cutoff EXTENSION ::= {
  SYNTAX ArchiveCutoff IDENTIFIED BY
    id-pkix-ocsp-archive-cutoff }

re-ocsp-extended-revoke EXTENSION ::= {
  SYNTAX NULL IDENTIFIED BY id-pkix-ocsp-extended-revoke }

-- Object Identifiers

id-kp-OCSPSigning             OBJECT IDENTIFIER ::= { id-kp 9 }
id-pkix-ocsp                  OBJECT IDENTIFIER ::= id-ad-ocsp
id-pkix-ocsp-basic            OBJECT IDENTIFIER ::= { id-pkix-ocsp 1 }
id-pkix-ocsp-nonce            OBJECT IDENTIFIER ::= { id-pkix-ocsp 2 }
id-pkix-ocsp-crl              OBJECT IDENTIFIER ::= { id-pkix-ocsp 3 }
id-pkix-ocsp-response         OBJECT IDENTIFIER ::= { id-pkix-ocsp 4 }
id-pkix-ocsp-nocheck          OBJECT IDENTIFIER ::= { id-pkix-ocsp 5 }
id-pkix-ocsp-archive-cutoff   OBJECT IDENTIFIER ::= { id-pkix-ocsp 6 }
id-pkix-ocsp-service-locator  OBJECT IDENTIFIER ::= { id-pkix-ocsp 7 }
id-pkix-ocsp-pref-sig-algs    OBJECT IDENTIFIER ::= { id-pkix-ocsp 8 }
id-pkix-ocsp-extended-revoke  OBJECT IDENTIFIER ::= { id-pkix-ocsp 9 }

END
<CODE ENDS>
Acknowledgements

The authors of this document thank Mohit Sahni for his work to
produce [RFC8954].

The authors also thank Russ Housley, Corey Bonnell, Michael StJohns,
Tomas Gustavsson, and Carl Wallace for their feedback and
suggestions.
Author's Address

Himanshu Sharma (editor)
Netskope Inc
2445 Augustine Dr 3rd floor
Santa Clara, California 95054
United States of America
Email: himanshu@netskope.com
URI: www.netskope.com
End of changes. 62 change blocks. 176 lines changed or deleted,
204 lines changed or added.

This html diff was produced by rfcdiff 1.48.