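-- This file contributed anonymously

-- Directory schema additions: object classes, attribute types, attribute
-- syntaxes and the object identifiers that name them. Written in the
-- OBJECT-CLASS / ATTRIBUTE macro notation imported below.
--
-- Layout and syntax repairs made in this part (no names or OIDs changed
-- except where stated):
--   * closing brace restored on the InformationFramework module identifier
--   * missing comma restored in msp-user-sdns
--   * mail-list referenced mlAdministrator; the attribute and its OID are
--     both spelled mlAdministrators in this module, so the reference now
--     matches
--   * stray trailing comma removed and closing brace restored in dsa-sdns
--   * "SUBCLASS of" corrected to "SUBCLASS OF" and closing brace restored
--     in crls-sdns

MSPDirectoryAdditions {joint-iso-ccitt(2) 16 840 1 101 2 id-infosec(1)
    id-modules(0) id-directory(3)}

DEFINITIONS IMPLICIT TAGS ::=
BEGIN

IMPORTS
    -- X.501 The Directory Models
    OBJECT-CLASS, ATTRIBUTE
        FROM InformationFramework {joint-iso-ccitt ds(5) modules(1)
            informationFramework (1)}

    ORName
        FROM MTSAbstractService {joint-iso-ccitt mhs-motis(6) mts(3)
            modules(0) mts-abstract-service(1)}

    octetStringSyntax
        FROM SelectedAttributeTypes {joint-iso-ccitt ds(5) modules(1)
            selectedAttributeTypes(5)}

    AlgorithmIdentifier, Name, SerialNumber, Certificate
        FROM AuthenticationFramework {joint-iso-ccitt ds(5) modules(1)
            authentication-framework(7)};

-- NOTE(review): top, dSA and the SIGNED macro are used in this module but
-- are not named in the IMPORTS list above; confirm where a compiler is
-- expected to find them.

-- Every object class in this module has an empty MUST CONTAIN list, so the
-- schema never guarantees that a certificate, CRL or UKM attribute is
-- present in an entry. Software reading these entries has to treat a missing
-- attribute as a normal case and decide explicitly how to fail.

msp-user-sdns OBJECT-CLASS
    SUBCLASS OF top
    MUST CONTAIN { }
    MAY CONTAIN {
        sdnsKeyManagementCertificate,
        sdnsUserSignatureCertificate,
        sdnsKMandSigCertificate,
        auxiliaryVector,
        janUKMs,
        febUKMs,
        marUKMs,
        aprUKMs,
        mayUKMs,
        junUKMs,
        julUKMs,
        augUKMs,
        sepUKMs,
        octUKMs,
        novUKMs,
        decUKMs,
        snsGuardGateway,
        algorithmsSupported,
        suiteAKeyManagementCertificate,
        suiteAUserSignatureCertificate,
        suiteAKMandSigCertificate }
    ::= {id-msp-user-sdns}

-- Although each of the UKMs is optional, the msp-user-sdns
-- entry should contain the UKMs for the current month. This is not
-- a schema constraint.
-- Because the directory does not enforce it, a consumer has to check for
-- itself that the attribute for the month it needs is actually present.

mail-list OBJECT-CLASS
    SUBCLASS OF top
    MUST CONTAIN { }
    MAY CONTAIN {
        mlid,
        mlReceiptPolicy,
        mlMembership,
        mlAdministrators,
        mlExemptedAddressProcessor }
    ::= {id-mail-list}

dsa-sdns OBJECT-CLASS
    SUBCLASS OF dSA
    MUST CONTAIN { }
    MAY CONTAIN {
        sdnsUserSignatureCertificate,
        sdnsKMandSigCertificate }
    ::= {id-dsa-sdns}

crls-sdns OBJECT-CLASS
    SUBCLASS OF top
    MUST CONTAIN { }
    MAY CONTAIN {
        metaSDNScrl,
        sdnsCRL,
        metaSDNSsignatureCRL,
        sdnsSignatureCRL }
    ::= {id-crls-sdns}

-- These are the crls issued by the KMS.
-- Meta in this case refers to "later in time", hence the current crl
-- or when two universals are active, the CRL from the new universal.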
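-- Remaining object classes, the attribute types, the attribute syntaxes and
-- the object identifier assignments.
--
-- Syntax repairs made in this part (no names or OIDs changed):
--   * closing brace restored in dsa-mosaic
--   * missing comma restored in ca-mosaic
--   * missing comma restored after the kmid field of Tag
--   * opening brace restored after SEQUENCE in CRLinfo

ca-sdns OBJECT-CLASS
    SUBCLASS OF top
    MUST CONTAIN { }
    MAY CONTAIN {
        sdnsCASignatureCertificate,
        sdnsKMandSigCertificate,
        sdnsCertificateRevocationList }
    ::= {id-ca-sdns}

strong-authenticate-user-sdns OBJECT-CLASS
    SUBCLASS OF top
    MUST CONTAIN { }
    MAY CONTAIN {
        sdnsUserSignatureCertificate }
    ::= {id-strong-auth-user-sdns }

msp-user-mosaic OBJECT-CLASS
    SUBCLASS OF top
    MUST CONTAIN { }
    MAY CONTAIN {
        mosaicKeyManagementCertificate,
        mosaicUserSignatureCertificate,
        mosaicKMandSigCertificate,
        auxiliaryVector,
        snsGuardGateway,
        algorithmsSupported }
    ::= {id-msp-user-mosaic}

dsa-mosaic OBJECT-CLASS
    SUBCLASS OF dSA
    MUST CONTAIN { }
    MAY CONTAIN {
        mosaicKMandSigCertificate,
        mosaicUserSignatureCertificate }
    ::= {id-dsa-mosaic}

ca-mosaic OBJECT-CLASS
    SUBCLASS OF top
    MUST CONTAIN { }
    MAY CONTAIN {
        mosaicCASignatureCertificate,
        mosaicKMandSigCertificate,
        mosaicCertificateRevocationList,
        mosaicKRL }
    ::= {id-ca-mosaic}

strong-authenticate-user-mosaic OBJECT-CLASS
    SUBCLASS OF top
    MUST CONTAIN { }
    MAY CONTAIN {
        mosaicUserSignatureCertificate }
    ::= {id-strong-auth-user-mosaic }

-- Attribute types. Each one binds an attribute name to the syntax of its
-- value and to the object identifier assigned further down.

sdnsKeyManagementCertificate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Certificate ::= id-sdnsKeyManagementCertificate

sdnsKMandSigCertificate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Certificate ::= id-sdnsKMandSigCertificate

sdnsUserSignatureCertificate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Certificate ::= id-sdnsUserSignatureCertificate

auxiliaryVector ATTRIBUTE
    WITH ATTRIBUTE SYNTAX octetStringSyntax ::= id-auxiliaryVector

-- One UKM attribute per calendar month, all sharing the MonthlyUKMs syntax.

janUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-janUKMs

febUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-febUKMs

marUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-marUKMs

aprUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-aprUKMs

mayUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-mayUKMs

junUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-junUKMs

julUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-julUKMs

augUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-augUKMs

sepUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-sepUKMs

octUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-octUKMs

novUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-novUKMs

decUKMs ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MonthlyUKMs ::= id-decUKMs

mlReceiptPolicy ATTRIBUTE
    WITH ATTRIBUTE SYNTAX MLReceiptPolicy ::= id-mlReceiptPolicy

mlMembership ATTRIBUTE
    WITH ATTRIBUTE SYNTAX ORNameList ::= id-mlMembership

mlAdministrators ATTRIBUTE
    WITH ATTRIBUTE SYNTAX ORNameList ::= id-mlAdministrators

-- mlid is the only attribute in this module that declares a matching rule.
mlid ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Kmid
    MATCHES FOR EQUALITY ::= id-mlid

metaSDNScrl ATTRIBUTE
    WITH ATTRIBUTE SYNTAX CRLinfo ::= id-metaSDNScrl

sdnsCRL ATTRIBUTE
    WITH ATTRIBUTE SYNTAX CRLinfo ::= id-sdnsCRL

metaSDNSsignatureCRL ATTRIBUTE
    WITH ATTRIBUTE SYNTAX CRLinfo ::= id-metaSDNSsignatureCRL

-- The OID value name is spelled id-SDNSsignatureCRL (capital SDNS) both
-- here and in its assignment below.
sdnsSignatureCRL ATTRIBUTE
    WITH ATTRIBUTE SYNTAX CRLinfo ::= id-SDNSsignatureCRL

sdnsCASignatureCertificate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Certificate ::= id-sdnsCASignatureCertificate

sdnsCertificateRevocationList ATTRIBUTE
    WITH ATTRIBUTE SYNTAX CaCertificateRevocationList
    ::= id-sdnsCertificateRevocationList

mosaicCertificateRevocationList ATTRIBUTE
    WITH ATTRIBUTE SYNTAX CaCertificateRevocationList
    ::= id-mosaicCertificateRevocationList

mosaicKeyManagementCertificate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Certificate ::= id-mosaicKeyManagementCertificate

mosaicKMandSigCertificate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Certificate ::= id-mosaicKMandSigCertificate

mosaicUserSignatureCertificate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Certificate ::= id-mosaicUserSignatureCertificate

mosaicCASignatureCertificate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Certificate ::= id-mosaicCASignatureCertificate

mosaicKRL ATTRIBUTE
    WITH ATTRIBUTE SYNTAX KmidRevocationList ::= id-mosaicKRL

mlExemptedAddressProcessor ATTRIBUTE
    WITH ATTRIBUTE SYNTAX ORName ::= id-mlExemptedAddressProcessor

snsGuardGateway ATTRIBUTE
    WITH ATTRIBUTE SYNTAX NameList ::= id-snsGuardGateway

algorithmsSupported ATTRIBUTE
    WITH ATTRIBUTE SYNTAX AlgorithmList ::= id-algorithmsSupported

suiteAKeyManagementCertificate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Certificate ::= id-suiteAKeyManagementCertificate

suiteAKMandSigCertificate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Certificate ::= id-suiteAKMandSigCertificate

suiteAUserSignatureCertificate ATTRIBUTE
    WITH ATTRIBUTE SYNTAX Certificate ::= id-suiteAUserSignatureCertificate

-- The following are Attribute Syntaxes.
--
-- Every time field below is a UTCTime, which carries a two-digit year.
-- Code that compares lastUpdate, nextUpdate or revocationDate values needs
-- one fixed rule for choosing the century.

-- The list of UKM entries is wrapped in SIGNED.
MonthlyUKMs ::= SIGNED SEQUENCE OF UKMEntry

UKMEntry ::= SEQUENCE {
    tag     Tag,
    ukm     OCTET STRING }

Tag ::= SEQUENCE {
    kmid    Kmid,
    edition INTEGER,
    date    UTCTime }

Kmid ::= OCTET STRING

MLReceiptPolicy ::= CHOICE {
    none            [0] NULL,
    insteadOf       [1] ORNameList,
    inAdditionTo    [2] ORNameList }

ORNameList ::= SEQUENCE OF ORName

NameList ::= SEQUENCE OF Name

-- AlgorithmList is not wrapped in SIGNED, so an algorithmsSupported value is
-- only as trustworthy as the directory entry it was read from.
AlgorithmList ::= SEQUENCE OF AlgorithmIdentifier

-- CRLinfo is not wrapped in SIGNED and carries the CRL as an opaque OCTET
-- STRING whose internal format is not defined in this module.
-- NOTE(review): any signature over these CRLs would have to live inside the
-- crl octets; confirm against the specification of the KMS CRL format.
CRLinfo ::= SEQUENCE {
    universalID INTEGER,
    crl         OCTET STRING }

-- revokedCertificates is OPTIONAL, so the field may be absent altogether.
CaCertificateRevocationList ::= SIGNED SEQUENCE {
    signature           AlgorithmIdentifier,
    issuer              Name,
    lastUpdate          UTCTime,
    nextUpdate          UTCTime,
    revokedCertificates SEQUENCE OF CRLEntry OPTIONAL }

CRLEntry ::= SEQUENCE {
    userCertificate SerialNumber,
    revocationDate  UTCTime }

-- Same shape as CaCertificateRevocationList, with entries keyed by Kmid
-- instead of certificate serial number.
KmidRevocationList ::= SIGNED SEQUENCE {
    signature       AlgorithmIdentifier,
    issuer          Name,
    lastUpdate      UTCTime,
    nextUpdate      UTCTime,
    revokedKmids    SEQUENCE OF KRLEntry OPTIONAL }

-- The field keeps the name userCertificate although its type here is Kmid.
KRLEntry ::= SEQUENCE {
    userCertificate Kmid,
    revocationDate  UTCTime }

-- Object Identifiers

ID ::= OBJECT IDENTIFIER

-- hey - this is illegal!
-- id-infosec ID ::=
--     {joint-iso-ccitt (2) country (16) us (840) organization (1)
--      u.s. government (101) dod
--      (2) 1}
-- NOTE(review): presumably the objection is to "u.s. government", which is
-- not a valid identifier; the live definition below uses us-government.

id-infosec ID ::= {joint-iso-ccitt (2) country (16) us (840)
                   organization (1) us-government (101) dod (2) 1}

-- First-level arcs under id-infosec.
id-modules          ID ::= {id-infosec 0}
id-algorithms       ID ::= {id-infosec 1}
id-formats          ID ::= {id-infosec 2}
id-policy           ID ::= {id-infosec 3}
id-object-classes   ID ::= {id-infosec 4}
id-attributes       ID ::= {id-infosec 5}

-- Algorithm identifiers.
id-sdnsSignatureAlgorithm           ID ::= {id-algorithms 1}
id-mosaicSignatureAlgorithm         ID ::= {id-algorithms 2}
id-sdnsConfidentialityAlgorithm     ID ::= {id-algorithms 3}
id-mosaicConfidentialityAlgorithm   ID ::= {id-algorithms 4}
id-sdnsIntegrityAlgorithm           ID ::= {id-algorithms 5}
id-mosaicIntegrityAlgorithm         ID ::= {id-algorithms 6}
id-sdnsTokenProtectionAlgorithm     ID ::= {id-algorithms 7}
id-mosaicTokenProtectionAlgorithm   ID ::= {id-algorithms 8}
id-sdnsKeyManagementAlgorithm       ID ::= {id-algorithms 9}
id-mosaicKeyManagementAlgorithm     ID ::= {id-algorithms 10}
id-sdnsKMandSigAlgorithms           ID ::= {id-algorithms 11}
id-mosaicKMandSigAlgorithms         ID ::= {id-algorithms 12}
id-SuiteASignatureAlgorithm         ID ::= {id-algorithms 13}
id-SuiteAConfidentialityAlgorithm   ID ::= {id-algorithms 14}
id-SuiteAIntegrityAlgorithm         ID ::= {id-algorithms 15}
id-SuiteATokenProtectionAlgorithm   ID ::= {id-algorithms 16}
id-SuiteAKeyManagementAlgorithm     ID ::= {id-algorithms 17}
id-SuiteAKMandSigAlgorithms         ID ::= {id-algorithms 18}
id-mosaicUpdatedSigAlgorithm        ID ::= {id-algorithms 19}
id-mosaicKMandUpdSigAlgorithms      ID ::= {id-algorithms 20}
id-mosaicUpdatedIntegAlgorithm      ID ::= {id-algorithms 21}

-- Content and message formats.
id-msp-content-type                 ID ::= {id-formats 48}
id-msp-rev3-content-type            ID ::= {id-formats 42}
id-msp-rekey-agent-protocol         ID ::= {id-formats 49}
id-rfc822-message-format            ID ::= {id-formats 1}
id-empty-content                    ID ::= {id-formats 2}
forwarded-MSP-message-body-part     ID ::= {id-formats 72}

-- Policy identifiers.
id-sdns-security-policy-id          ID ::= {id-policy 1}
id-sdns-prbac-id                    ID ::= {id-policy 2}
id-mosaic-prbac-id                  ID ::= {id-policy 3}

-- Object class identifiers.
id-msp-user-sdns                    ID ::= {id-object-classes 1}
id-mail-list                        ID ::= {id-object-classes 2}
id-dsa-sdns                         ID ::= {id-object-classes 3}
id-ca-sdns                          ID ::= {id-object-classes 4}
id-crls-sdns                        ID ::= {id-object-classes 5}
id-msp-user-mosaic                  ID ::= {id-object-classes 6}
id-dsa-mosaic                       ID ::= {id-object-classes 7}
id-ca-mosaic                        ID ::= {id-object-classes 8}
-- RESERVED
-- NOTE(review): the collapsed text as received does not show whether the
-- RESERVED comment covered the whole assignment below; it is kept as a live
-- value here. No complete object class in this module is assigned this OID.
id-krl-mosaic                       ID ::= {id-object-classes 9}
id-strong-auth-user-sdns            ID ::= {id-object-classes 10}
id-strong-auth-user-mosaic          ID ::= {id-object-classes 11}

-- Attribute type identifiers. The numbering is not contiguous.
id-sdnsKeyManagementCertificate     ID ::= {id-attributes 1}
id-sdnsUserSignatureCertificate     ID ::= {id-attributes 2}
id-sdnsKMandSigCertificate          ID ::= {id-attributes 3}
id-mosaicKeyManagementCertificate   ID ::= {id-attributes 4}
id-mosaicKMandSigCertificate        ID ::= {id-attributes 5}
id-mosaicUserSignatureCertificate   ID ::= {id-attributes 6}
id-mosaicCASignatureCertificate     ID ::= {id-attributes 7}
id-sdnsCASignatureCertificate       ID ::= {id-attributes 8}
id-auxiliaryVector                  ID ::= {id-attributes 10}
id-mlReceiptPolicy                  ID ::= {id-attributes 11}
id-mlMembership                     ID ::= {id-attributes 12}
id-mlAdministrators                 ID ::= {id-attributes 13}
id-mlid                             ID ::= {id-attributes 14}
id-janUKMs                          ID ::= {id-attributes 20}
id-febUKMs                          ID ::= {id-attributes 21}
id-marUKMs                          ID ::= {id-attributes 22}
id-aprUKMs                          ID ::= {id-attributes 23}
id-mayUKMs                          ID ::= {id-attributes 24}
id-junUKMs                          ID ::= {id-attributes 25}
id-julUKMs                          ID ::= {id-attributes 26}
id-augUKMs                          ID ::= {id-attributes 27}
id-sepUKMs                          ID ::= {id-attributes 28}
id-octUKMs                          ID ::= {id-attributes 29}
id-novUKMs                          ID ::= {id-attributes 30}
id-decUKMs                          ID ::= {id-attributes 31}
id-metaSDNScrl                      ID ::= {id-attributes 40}
id-sdnsCRL                          ID ::= {id-attributes 41}
id-metaSDNSsignatureCRL             ID ::= {id-attributes 42}
id-SDNSsignatureCRL                 ID ::= {id-attributes 43}
id-sdnsCertificateRevocationList    ID ::= {id-attributes 44}
id-mosaicCertificateRevocationList  ID ::= {id-attributes 45}
id-mosaicKRL                        ID ::= {id-attributes 46}
id-mlExemptedAddressProcessor       ID ::= {id-attributes 47}
id-snsGuardGateway                  ID ::= {id-attributes 48}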
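-- Last attribute type identifiers, followed by the informational Appendix I.
--
-- Repairs made in this part:
--   * the Appendix I prose is turned into comments so that it no longer sits
--     in the module body as bare text
--   * the orphaned "::= {id-krl-mosaic}" fragment at the end is kept, but as
--     a comment
--   * an END is added after the appendix, because the only END in the text
--     as received is inside a comment and the module opened by BEGIN was
--     never closed

id-algorithmsSupported              ID ::= {id-attributes 49}
id-suiteAKeyManagementCertificate   ID ::= {id-attributes 50}
id-suiteAKMandSigCertificate        ID ::= {id-attributes 51}
id-suiteAUserSignatureCertificate   ID ::= {id-attributes 52}

-- END MSPDirectoryAdditions
-- NOTE(review): the terminator above is commented out in the text as
-- received, presumably so that the Appendix I definitions stay inside the
-- module, where ID and id-infosec are defined. Confirm that placement.

-- Appendix I  Attribute Syntaxes
--
-- The following notation assigned Object Identifiers to Attribute syntaxes.
-- The 1993 CCITT X.500 Series has removed the requirement to assign
-- identifiers to attribute syntaxes. The notation is preserved here for
-- information purposes only.

id-attribute-syntax     ID ::= {id-infosec 6}

-- id-mLReceiptPolicy (an attribute syntax, capital L) differs only in case
-- from id-mlReceiptPolicy (the attribute type, {id-attributes 11}).
id-monthlyUKMsyntax     ID ::= {id-attribute-syntax 1}
id-mLReceiptPolicy      ID ::= {id-attribute-syntax 2}
id-oRNameListSyntax     ID ::= {id-attribute-syntax 3}
id-kmidSyntax           ID ::= {id-attribute-syntax 4}
id-cRLinfoSyntax        ID ::= {id-attribute-syntax 5}
id-cAcrlSyntax          ID ::= {id-attribute-syntax 6}

-- NOTE(review): ATTRIBUTE-SYNTAX is not named in the IMPORTS list at the top
-- of the module; confirm where a compiler is expected to find it.

monthlyUKMsyntax ATTRIBUTE-SYNTAX
    MonthlyUKMs
    ::= {id-monthlyUKMsyntax}

mLReceiptPolicySyntax ATTRIBUTE-SYNTAX
    MLReceiptPolicy
    ::= {id-mLReceiptPolicy}

oRNameListSyntax ATTRIBUTE-SYNTAX
    ORNameList
    ::= {id-oRNameListSyntax}

kmidSyntax ATTRIBUTE-SYNTAX
    Kmid
    ::= {id-kmidSyntax}

cRLinfoSyntax ATTRIBUTE-SYNTAX
    CRLinfo
    ::= {id-cRLinfoSyntax}

cAcrlSyntax ATTRIBUTE-SYNTAX
    CaCertificateRevocationList
    ::= {id-cAcrlSyntax}

-- ::= {id-krl-mosaic}
-- NOTE(review): the line above is an orphaned fragment in the text as
-- received. The definition it belonged to is not present, and id-krl-mosaic
-- is marked RESERVED where it is assigned.

END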