      id-qt-cps      OBJECT IDENTIFIER ::=  { id-qt 1 }
      id-qt-unotice  OBJECT IDENTIFIER ::=  { id-qt 2 }

      PolicyQualifierId ::=
          OBJECT IDENTIFIER ( id-qt-cps | id-qt-unotice )

      Qualifier ::= CHOICE {
           cPSuri           CPSuri,
           userNotice       UserNotice }

      CPSuri ::= IA5String

      UserNotice ::= SEQUENCE {
           noticeRef        NoticeReference OPTIONAL,
           explicitText     DisplayText OPTIONAL}

      NoticeReference ::= SEQUENCE {
           organization     DisplayText,
           noticeNumbers    SEQUENCE OF INTEGER }

      DisplayText ::= CHOICE {
           visibleString    VisibleString  (SIZE (1..200)),
           bmpString        BMPString      (SIZE (1..200)),
           utf8String       UTF8String     (SIZE (1..200)) }
4.2.1.6 Policy Mappings
This extension is used in CA certificates. It lists one or more
pairs of OIDs; each pair includes an issuerDomainPolicy and a
subjectDomainPolicy. The pairing indicates the issuing CA considers
its issuerDomainPolicy equivalent to the subject CA's
subjectDomainPolicy.
RFC 2459 Internet X.509 Public Key Infrastructure January 1999
The issuing CA's users may accept an issuerDomainPolicy for certain
applications. The policy mapping tells the issuing CA's users which
policies associated with the subject CA are comparable to the policy
they accept.
This extension may be supported by CAs and/or applications, and it
MUST be non-critical.
      id-ce-policyMappings OBJECT IDENTIFIER ::=  { id-ce 33 }

      PolicyMappings ::= SEQUENCE SIZE (1..MAX) OF SEQUENCE {
           issuerDomainPolicy      CertPolicyId,
           subjectDomainPolicy     CertPolicyId }
4.2.1.7 Subject Alternative Name
The subject alternative names extension allows additional identities
to be bound to the subject of the certificate. Defined options
include an Internet electronic mail address, a DNS name, an IP
address, and a uniform resource identifier (URI). Other options
exist, including completely local definitions. Multiple name forms,
and multiple instances of each name form, may be included. Whenever
such identities are to be bound into a certificate, the subject
alternative name (or issuer alternative name) extension MUST be used.
Because the subject alternative name is considered to be
definitively bound to the public key, all parts of the subject
alternative name MUST be verified by the CA.
Further, if the only subject identity included in the certificate is
an alternative name form (e.g., an electronic mail address), then the
subject distinguished name MUST be empty (an empty sequence), and the
subjectAltName extension MUST be present. If the subject field
contains an empty sequence, the subjectAltName extension MUST be
marked critical.
When the subjectAltName extension contains an Internet mail address,
the address MUST be included as an rfc822Name. The format of an
rfc822Name is an "addr-spec" as defined in RFC 822 [RFC 822]. An
addr-spec has the form "local-part@domain". Note that an addr-spec
has no phrase (such as a common name) before it, has no comment (text
surrounded in parentheses) after it, and is not surrounded by "<" and
">". Note that while upper and lower case letters are allowed in an
RFC 822 addr-spec, no significance is attached to the case.
When the subjectAltName extension contains an iPAddress, the address
MUST be stored in the octet string in "network byte order," as
specified in RFC 791 [RFC 791]. The least significant bit (LSB) of
each octet is the LSB of the corresponding byte in the network
address. For IP Version 4, as specified in RFC 791, the octet string
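The rfc822Name and iPAddress rules of this section, and the criticality rule tied to an empty subject field, as an added worked example that is not part of RFC 2459. It hand-encodes the GeneralNames SEQUENCE and the surrounding Extension in DER with a minimal TLV helper; the subjectAltName OID (2.5.29.17, id-ce 17) is taken from the RFC's own extension definitions outside this excerpt, and the character set accepted for an addr-spec is a deliberately conservative assumption narrower than the full RFC 822 grammar. Function names are this example's own.

```python
"""Added example: build a subjectAltName extension per RFC 2459 4.2.1.7.

Not code from the RFC.  The DER encoder is minimal and hand-written; the
addr-spec check is a conservative reading of the "local-part@domain" rule.
"""
import ipaddress
import re

# Context-specific [n] IMPLICIT tags for the GeneralName alternatives used here
TAG_RFC822NAME = 0x81   # [1] IA5String
TAG_DNSNAME = 0x82      # [2] IA5String
TAG_IPADDRESS = 0x87    # [7] OCTET STRING, network byte order
OID_SUBJECT_ALT_NAME = bytes.fromhex("551d11")   # 2.5.29.17 (assumed from the RFC, not this excerpt)


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, content: bytes) -> bytes:
    """One DER tag-length-value element."""
    return bytes([tag]) + der_length(len(content)) + content


# Assumed, conservative addr-spec shape: atoms and dots in local-part, a
# letter/digit/dot/hyphen domain.  Full RFC 822 allows more (quoted strings).
_ADDR_SPEC = re.compile(r"^[A-Za-z0-9!#$%&'*+/=?^_`{|}~.-]+@[A-Za-z0-9.-]+$")


def validate_rfc822name(addr: str) -> str:
    """Reject anything that is not a bare addr-spec: no phrase, no comment, no <>."""
    if any(ch in addr for ch in "<>() "):
        raise ValueError(f"not a bare addr-spec: {addr!r}")
    if not _ADDR_SPEC.match(addr):
        raise ValueError(f"malformed addr-spec: {addr!r}")
    return addr


def same_rfc822name(a: str, b: str) -> bool:
    """Case carries no significance in an addr-spec, so compare case-insensitively."""
    return validate_rfc822name(a).lower() == validate_rfc822name(b).lower()


def encode_ipaddress(text: str) -> bytes:
    """Network byte order octets: 4 for IPv4 (RFC 791), 16 for IPv6."""
    return ipaddress.ip_address(text).packed


def encode_general_names(names) -> bytes:
    """names: list of (form, value) pairs -> DER GeneralNames SEQUENCE."""
    parts = []
    for form, value in names:
        if form == "rfc822Name":
            parts.append(tlv(TAG_RFC822NAME, validate_rfc822name(value).encode("ascii")))
        elif form == "dNSName":
            parts.append(tlv(TAG_DNSNAME, value.encode("ascii")))
        elif form == "iPAddress":
            parts.append(tlv(TAG_IPADDRESS, encode_ipaddress(value)))
        else:
            raise ValueError(f"unsupported GeneralName form: {form}")
    return tlv(0x30, b"".join(parts))


def encode_subject_alt_name_extension(names, subject_is_empty: bool) -> bytes:
    """DER Extension { extnID, critical, extnValue OCTET STRING }.

    If the subject field is an empty SEQUENCE, the extension MUST be present
    and MUST be marked critical; otherwise it is non-critical (DEFAULT FALSE
    is omitted in DER).
    """
    if subject_is_empty and not names:
        raise ValueError("empty subject requires a non-empty subjectAltName")
    critical = b"\x01\x01\xff" if subject_is_empty else b""
    extn_value = tlv(0x04, encode_general_names(names))
    return tlv(0x30, tlv(0x06, OID_SUBJECT_ALT_NAME) + critical + extn_value)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real certificate
    ext = encode_subject_alt_name_extension(
        [("rfc822Name", "alice@example.com"), ("iPAddress", "192.0.2.1")],
        subject_is_empty=True,
    )
    print(ext.hex())
```

Feeding "Alice <alice@example.com>" or "alice@example.com (Alice)" to validate_rfc822name raises, which is the check a CA should apply before binding the name; the iPAddress branch shows why "192.0.2.1" becomes the octets c0 00 02 01 rather than any host-order or textual form.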