
Subtype constraint for the OBJECT IDENTIFIER type: How to constrain an OID to some arc?

I am writing a specification in ASN.1. What is the formally correct syntax to restrict the range of values of an attribute with type OBJECT IDENTIFIER to a particular OID arc? E.g. I would like to achieve something like

foo OBJECT IDENTIFIER ( BELOW SUBTREE { 2 1 1 } )

The keyword BELOW SUBTREE has been made up by me for the sake of an example to make clear what I am looking for.

Elaborated example

Seemingly, my question above is not sufficiently clear, as some answers suggest solutions that do not address the problem. I'll elaborate a little bit more on what I am doing and what I want to achieve. I am writing an X.509 certificate policy and must specify an X.509 profile in chapter 7. This means I have to substantiate some choices or degrees of freedom which exist in the general syntax for the scope of my application. Especially, I cannot and must not change any attribute types because this would make the result incompatible with an X.509 certificate, i.e. I can only specialize some types as long as the specialization remains compatible with the generalization.

Object identifiers are used all over the place in X.509.

As a tangible example, let's take the attribute policyIdentifier whose type is an alias of OBJECT IDENTIFIER within the object of type PolicyInformation within the certificate extension CertificatePolicies.

CertificatePolicies ::= SEQUENCE SIZE (1) OF PolicyInformation

PolicyInformation ::= SEQUENCE {
  policyIdentifier   CertPolicyId
}

CertPolicyId ::= OBJECT IDENTIFIER

(I have already shortened down the ASN.1 syntax to the needs of my application.)

Let's assume I have defined the following constants

id-cp-my-policies OBJECT IDENTIFIER -- some OID arc in the private enterprise arc under my control
id-cp-my-policy-v10 OBJECT IDENTIFIER ::= { id-cp-my-policies 1 0 }
id-cp-my-policy-v11 OBJECT IDENTIFIER ::= { id-cp-my-policies 1 1 }
id-cp-my-policy-v12 OBJECT IDENTIFIER ::= { id-cp-my-policies 1 2 }
id-cp-my-policy-v20 OBJECT IDENTIFIER ::= { id-cp-my-policies 2 0 }
id-cp-my-policy-v30 OBJECT IDENTIFIER ::= { id-cp-my-policies 3 0 }
id-cp-my-policy-v31 OBJECT IDENTIFIER ::= { id-cp-my-policies 3 1 }

I want to express that CertPolicyId is a specialization of OBJECT IDENTIFIER which can only take values from the list above. Of course, I could explicitly enumerate all policy IDs by the "OR"-syntax, i.e. I could write

CertPolicyId ::= OBJECT IDENTIFIER ( id-cp-my-policy-v10 | id-cp-my-policy-v11 | id-cp-my-policy-v12 | id-cp-my-policy-v20 | id-cp-my-policy-v30 | id-cp-my-policy-v31 )

However, this does not seem very future-proof. Instead, I would like to write something like

CertPolicyId ::= OBJECT IDENTIFIER ( BELOW SUBTREE id-cp-my-policies )

I hope this example helps to understand what I want to do.

There is no formal way to constrain the OBJECT IDENTIFIER type to a range.

You can use the RELATIVE-OID type

You can either make the root oid implicit (let's say foo is a component of a SEQUENCE)

{
  foo RELATIVE-OID  -- relative to root { 2 1 1 }
}

or explicit

{ 
   foo SEQUENCE {
      root OBJECT IDENTIFIER DEFAULT { 2 1 1 },
      object-id RELATIVE-OID  -- relative to root
   }
}
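
Added example (not part of the original answers): because the restriction cannot be written as an ASN.1 constraint, a relying party can enforce it when validating, and the Python below also shows that an OID below the root encodes as the root's content octets followed by the RELATIVE-OID's. It assumes the root { 2 1 1 } from the question; all function names are hypothetical.

```python
# Added example; function names are hypothetical, not from any library.
ROOT = [2, 1, 1]  # the page's example root arc { 2 1 1 }

def encode_arcs(arcs):
    """Encode each arc as a base-128 subidentifier (high bit = more octets follow)."""
    out = bytearray()
    for arc in arcs:
        if arc < 0:
            raise ValueError("arcs must be non-negative")
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)

def oid_content(arcs):
    """DER content octets of an OBJECT IDENTIFIER (first two arcs share one subidentifier)."""
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OBJECT IDENTIFIER")
    return encode_arcs([40 * arcs[0] + arcs[1], *arcs[2:]])

def relative_oid_content(arcs):
    """DER content octets of a RELATIVE-OID (no merging of the first two arcs)."""
    return encode_arcs(arcs)

def resolve(relative, root=ROOT):
    """Receiver side of the implicit-root variant: rebuild the full OID."""
    if not relative:
        raise ValueError("empty RELATIVE-OID")
    return list(root) + list(relative)

def is_below(oid, root=ROOT):
    """True if oid is a strict descendant of root, compared arc by arc."""
    return len(oid) > len(root) and list(oid[:len(root)]) == list(root)

def parse_dotted(text):
    """Parse dotted notation into integer arcs; only ASCII digits are accepted."""
    parts = text.split(".")
    if not all(p.isascii() and p.isdigit() for p in parts):
        raise ValueError("malformed dotted OID: %r" % text)
    return [int(p) for p in parts]
```

Comparing arcs as integers matters: a string prefix test would accept 2.1.10.1 as lying below 2.1.1, while is_below rejects it.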

You can use this approach:

foo OBJECT IDENTIFIER ::= { 1 2 3 }
foo-bar OBJECT IDENTIFIER ::= { foo 4 }

Thus, foo-bar will result in 1.2.3.4 OID value in dotted notation. Is this what you are looking for?
