must be unique for the subject, and must be maintained under the   subject's sole control.  That is, a CA should not issue a qualified   certificate if the means to use the private key is not protected   against unintended usage.  This implies that the CA have some   knowledge about the subject's cryptographic module.   The CA must further verify that the public key contained in the   certificate is legitimately representing the subject.   CAs should not issue CA certificates with policy mapping extensions   indicating acceptance of another CA's policy unless these conditions   are met.   Combining the nonRepudiation bit in the keyUsage certificate   extension with other keyUsage bits may have security implications and   this specification therefore recommends against such practices.   The ability to compare two qualified certificates to determine if   they represent the same physical entity is dependent on the semantics   of the subjects' names.  The semantics of a particular attribute may   be different for different issuers.  Comparing names without   knowledge of the semantics of names in these particular certificates   may provide misleading results.   This specification is a profile of RFC 2459.  The security   considerations section of that document applies to this specification   as well.Santesson, et al.           Standards Track                    [Page 14]RFC 3039             Qualified Certificates Profile         January 20015 References   [RFC 2119] Bradner, S., "Key words for use in RFCs to Indicate              Requirement Levels", BCP 14, RFC 2119, March 1997.   [RFC 2247] Kille, S., Wahl, M., Grimstad, A., Huber, R. and S.              Sataluri, "Using Domains in LDAP/X.500 Distinguished              Names", RFC 2247, January 1998.   [RFC 2459] Housley, R., Ford, W., Polk, W. and D. Solo, "Internet              X.509 Public Key Infrastructure: Certificate and CRL              Profile", RFC 2459, January 1999.   [RFC 2985] Nystrom, M. and B. Kaliski, "PKCS #9: Selected Object              Classes and Attribute Types Version 2.0", RFC 2985,              November 2000.   [X.501]    ITU-T Recommendation X.501: Information Technology - Open              Systems Interconnection - The Directory: Models, June              1993.   [X.509]    ITU-T Recommendation X.509: Information Technology - Open              Systems Interconnection - The Directory: Authentication              Framework, June 1997.   [X.520]    ITU-T Recommendation X.520: Information Technology - Open              Systems Interconnection - The Directory: Selected              Attribute Types, June 1993.   [X.680]    ITU-T Recommendation X.680: Information Technology -              Abstract Syntax Notation One, 1997.   [ISO 3166] ISO Standard 3166: Codes for the representation of names              of countries, 1993.Santesson, et al.           Standards Track                    [Page 15]RFC 3039             Qualified Certificates Profile         January 20016 Intellectual Property Rights   The IETF takes no position regarding the validity or scope of any   intellectual property or other rights that might be claimed to   pertain to the implementation or use of the technology described in   this document or the extent to which any license under such rights   might or might not be available; neither does it represent that it   has made any effort to identify any such rights.  Information on the   IETF's procedures with respect to rights in standards-track and   standards related documentation can be found in BCP-11.  Copies of   claims of rights made available for publication and any assurances of   licenses to be made available, or the result of an attempt made to   obtain a general license or permission for the use of such   proprietary rights by implementors or users of this specification can   be obtained from the IETF Secretariat.   The IETF invites any interested party to bring to its attention any   copyrights, patents or patent applications, or other proprietary   rights which may cover technology that may be required to practice   this standard.  Please address the information to the IETF Executive   Director.Santesson, et al.           Standards Track                    [Page 16]RFC 3039             Qualified Certificates Profile         January 2001A. ASN.1 definitions   As in RFC 2459, ASN.1 modules are supplied in two different variants   of the ASN.1 syntax.   Appendix A.1 is in the 1988 syntax, and does not use macros.   However, since the module imports type definitions from modules in   RFC 2459 which are not completely in the 1988 syntax, the same   comments as in RFC 2459 regarding its use applies here as well; i.e.,   Appendix A.1 may be parsed by an 1988 ASN.1-parser by removing the   definitions for the UNIVERSAL types and all references to them in RFC   2459's 1988 modules.   Appendix A.2 is in the 1993 syntax.  However, since the module   imports type definitions from modules in RFC 2459 which are not   completely in the 1993 syntax, the same comments as in RFC 2459   regarding its use applies here as well; i.e., Appendix A.2 may be   parsed by an 1993 ASN.1-parser by removing the UTF8String choice from   the definition of DirectoryString in the module PKIX1Explicit93 in   RFC 2459.  Appendix A.2 may be parsed "as is" by an 1997 ASN.1   parser, however.   In case of discrepancies between these modules, the 1988 module is   the normative one.A.1 1988 ASN.1 ModulePKIXqualified88 {iso(1) identified-organization(3) dod(6)    internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)    id-mod-qualified-cert-88(10) }DEFINITIONS EXPLICIT TAGS ::=BEGIN-- EXPORTS ALL --IMPORTSGeneralName    FROM PKIX1Implicit88 {iso(1) identified-organization(3) dod(6)    internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)    id-pkix1-implicit-88(2)}AlgorithmIdentifier, DirectoryString, Attribute, AttributeType,    id-pkix, id-pe, id-at    FROM PKIX1Explicit88 {iso(1) identified-organization(3) dod(6)    internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)Santesson, et al.           Standards Track                    [Page 17]RFC 3039             Qualified Certificates Profile         January 2001    id-pkix1-explicit-88(1)};-- Locally defined OIDs-- Arc for QC personal data attributesid-pda  OBJECT IDENTIFIER ::= { id-pkix 9 }-- Arc for QC statementsid-qcs  OBJECT IDENTIFIER ::= { id-pkix 11 }-- Attributesid-at-serialNumber          AttributeType ::= { id-at 5 }SerialNumber ::=            PrintableString (SIZE(1..64))id-at-postalAddress         AttributeType ::= { id-at 16 }PostalAddress ::=           SEQUENCE SIZE (1..6) OF DirectoryStringid-at-pseudonym             AttributeType ::= { id-at 65 }Pseudonym ::=               DirectoryStringdomainComponent             AttributeType ::=                            { 0 9 2342 19200300 100 1 25 }DomainComponent ::=         IA5Stringid-pda-dateOfBirth          AttributeType ::= { id-pda 1 }DateOfBirth ::=             GeneralizedTimeid-pda-placeOfBirth         AttributeType ::= { id-pda 2 }PlaceOfBirth ::=            DirectoryStringid-pda-gender               AttributeType ::= { id-pda 3 }Gender ::=                  PrintableString (SIZE(1))                            -- "M", "F", "m" or "f"id-pda-countryOfCitizenship AttributeType ::= { id-pda 4 }CountryOfCitizenship ::=    PrintableString (SIZE (2))                            -- ISO 3166 Country Codeid-pda-countryOfResidence   AttributeType ::= { id-pda 5 }CountryOfResidence ::=      PrintableString (SIZE (2))                            -- ISO 3166 Country Code-- Private extensions-- Biometric info extensionid-pe-biometricInfo OBJECT IDENTIFIER  ::= {id-pe 2}Santesson, et al.           Standards Track                    [Page 18]RFC 3039             Qualified Certificates Profile         January 2001BiometricSyntax ::= SEQUENCE OF BiometricDataBiometricData ::= SEQUENCE {    typeOfBiometricData  TypeOfBiometricData,    hashAlgorithm        AlgorithmIdentifier,    biometricDataHash    OCTET STRING,    sourceDataUri        IA5String OPTIONAL }TypeOfBiometricData ::= CHOICE {    predefinedBiometricType   PredefinedBiometricType,    biometricDataOid          OBJECT IDENTIFIER }PredefinedBiometricType ::= INTEGER {    picture(0),handwritten-signature(1)}    (picture|handwritten-signature)-- QC Statements Extensionid-pe-qcStatements OBJECT IDENTIFIER ::= { id-pe 3}QCStatements ::= SEQUENCE OF QCStatementQCStatement ::= SEQUENCE {    statementId        OBJECT IDENTIFIER,    statementInfo      ANY DEFINED BY statementId OPTIONAL}-- QC statementsid-qcs-pkixQCSyntax-v1   OBJECT IDENTIFIER ::= { id-qcs 1 }--  This statement identifies conformance with syntax and--  semantics defined in this Qualified Certificate profile--  (Version 1). This statement may optionally contain--  additional semantics information as specified below.SemanticsInformation  ::= SEQUENCE {    semanticsIndentifier        OBJECT IDENTIFIER OPTIONAL,    nameRegistrationAuthorities NameRegistrationAuthorities OPTIONAL    } -- At least one field shall be presentNameRegistrationAuthorities ::= SEQUENCE SIZE (1..MAX) OF GeneralNameENDA.2 1993 ASN.1  ModulePKIXqualified93 {iso(1) identified-organization(3) dod(6)    internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)    id-mod-qualified-cert-93(11) }Santesson, et al.           Standards Track                    [Page 19]RFC 3039             Qualified Certificates Profile         January 2001DEFINITIONS EXPLICIT TAGS ::=BEGIN-- EXPORTS ALL --IMPORTSauthorityKeyIdentifier, subjectKeyIdentifier, keyUsage,    extendedKeyUsage, privateKeyUsagePeriod, certificatePolicies,    policyMappings, subjectAltName, issuerAltName, basicConstraints,    nameConstraints, policyConstraints, cRLDistributionPoints,    subjectDirectoryAttributes, authorityInfoAccess, GeneralName,    OTHER-NAME    FROM PKIX1Implicit93 {iso(1) identified-organization(3) dod(6)    internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)    id-pkix1-implicit-93(4)}id-pkix, AlgorithmIdentifier, ATTRIBUTE, Extension, EXTENSION,    DirectoryString{}, ub-name, id-pe, id-at, id-at-commonName,    id-at-surname, id-at-countryName, id-at-localityName,    id-at-stateOrProvinceName, id-at-organizationName,    id-at-organizationalUnitName, id-at-givenName, id-at-dnQualifier,    pkcs9email, title, organizationName, organizationalUnitName,    stateOrProvinceName, localityName, countryName,    generationQualifier, dnQualifier, initials, givenName, surname,    commonName, name    FROM PKIX1Explicit93 {iso(1) identified-organization(3) dod(6)    internet(1) security(5) mechanisms(5) pkix(7) id-mod(0)    id-pkix1-explicit-93(3)};-- Object Identifiers-- Externally defined OIDsid-at-serialNumber  OBJECT IDENTIFIER ::= { id-at 5}id-at-postalAddress OBJECT IDENTIFIER ::= { id-at 16 }id-at-pseudonym     OBJECT IDENTIFIER ::= { id-at 65 }id-domainComponent  OBJECT IDENTIFIER ::= { 0 9 2342 19200300 100 1 25 }-- Locally defined OIDs-- Arc for QC personal data attributesid-pda  OBJECT IDENTIFIER ::= { id-pkix 9 }-- Arc for QC statementsid-qcs  OBJECT IDENTIFIER ::= { id-pkix 11 }-- Private extensionsSantesson, et al.           Standards Track                    [Page 20]RFC 3039             Qualified Certificates Profile         January 2001