etc-gentoo/openldap/schema/._cfg0000_pmi.schema

# OpenLDAP X.509 PMI schema
# $OpenLDAP$
## This work is part of OpenLDAP Software <http://www.openldap.org/>.
##
## Copyright 1998-2015 The OpenLDAP Foundation.
## All rights reserved.
##
## Redistribution and use in source and binary forms, with or without
## modification, are permitted only as authorized by the OpenLDAP
## Public License.
##
## A copy of this license is available in the file LICENSE in the
## top-level directory of the distribution or, alternatively, at
## <http://www.OpenLDAP.org/license.html>.
#
## Portions Copyright (C) The Internet Society (1997-2006).
## All Rights Reserved.
##
## This document and translations of it may be copied and furnished to
## others, and derivative works that comment on or otherwise explain it
## or assist in its implementation may be prepared, copied, published
## and distributed, in whole or in part, without restriction of any
## kind, provided that the above copyright notice and this paragraph are
## included on all such copies and derivative works.  However, this
## document itself may not be modified in any way, such as by removing
## the copyright notice or references to the Internet Society or other
## Internet organizations, except as needed for the purpose of
## developing Internet standards in which case the procedures for
## copyrights defined in the Internet Standards process must be         
## followed, or as required to translate it into languages other than
## English.
##                                                                      
## The limited permissions granted above are perpetual and will not be  
## revoked by the Internet Society or its successors or assigns.        
## 
## This document and the information contained herein is provided on an 
## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

#
#
# Includes LDAPv3 schema items from:
# ITU X.509 (08/2005)
#
## X.509 (08/2005) pp. 120-121
## 
## -- object identifier assignments --
## -- object classes --
## id-oc-pmiUser                            OBJECT IDENTIFIER ::= {id-oc 24}
## id-oc-pmiAA                              OBJECT IDENTIFIER ::= {id-oc 25}
## id-oc-pmiSOA                             OBJECT IDENTIFIER ::= {id-oc 26}
## id-oc-attCertCRLDistributionPts          OBJECT IDENTIFIER ::= {id-oc 27}
## id-oc-privilegePolicy                    OBJECT IDENTIFIER ::= {id-oc 32}
## id-oc-pmiDelegationPath                  OBJECT IDENTIFIER ::= {id-oc 33}
## id-oc-protectedPrivilegePolicy           OBJECT IDENTIFIER ::= {id-oc 34}
## -- directory attributes --
## id-at-attributeCertificate               OBJECT IDENTIFIER ::= {id-at 58}
## id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}
## id-at-aACertificate                      OBJECT IDENTIFIER ::= {id-at 61}
## id-at-attributeDescriptorCertificate     OBJECT IDENTIFIER ::= {id-at 62}
## id-at-attributeAuthorityRevocationList   OBJECT IDENTIFIER ::= {id-at 63}
## id-at-privPolicy                         OBJECT IDENTIFIER ::= {id-at 71}
## id-at-role                               OBJECT IDENTIFIER ::= {id-at 72}
## id-at-delegationPath                     OBJECT IDENTIFIER ::= {id-at 73}
## id-at-protPrivPolicy                     OBJECT IDENTIFIER ::= {id-at 74}
## id-at-xMLPrivilegeInfo                   OBJECT IDENTIFIER ::= {id-at 75}
## id-at-xMLPprotPrivPolicy                 OBJECT IDENTIFIER ::= {id-at 76}
## -- attribute certificate extensions --
## id-ce-authorityAttributeIdentifier       OBJECT IDENTIFIER ::= {id-ce 38}
## id-ce-roleSpecCertIdentifier             OBJECT IDENTIFIER ::= {id-ce 39}
## id-ce-basicAttConstraints                OBJECT IDENTIFIER ::= {id-ce 41}
## id-ce-delegatedNameConstraints           OBJECT IDENTIFIER ::= {id-ce 42}
## id-ce-timeSpecification                  OBJECT IDENTIFIER ::= {id-ce 43}
## id-ce-attributeDescriptor                OBJECT IDENTIFIER ::= {id-ce 48}
## id-ce-userNotice                         OBJECT IDENTIFIER ::= {id-ce 49}
## id-ce-sOAIdentifier                      OBJECT IDENTIFIER ::= {id-ce 50}
## id-ce-acceptableCertPolicies             OBJECT IDENTIFIER ::= {id-ce 52}
## id-ce-targetInformation                  OBJECT IDENTIFIER ::= {id-ce 55}
## id-ce-noRevAvail                         OBJECT IDENTIFIER ::= {id-ce 56}
## id-ce-acceptablePrivilegePolicies        OBJECT IDENTIFIER ::= {id-ce 57}
## id-ce-indirectIssuer                     OBJECT IDENTIFIER ::= {id-ce 61}
## id-ce-noAssertion                        OBJECT IDENTIFIER ::= {id-ce 62}
## id-ce-issuedOnBehalfOf                   OBJECT IDENTIFIER ::= {id-ce 64}
## -- PMI matching rules --
## id-mr-attributeCertificateMatch          OBJECT IDENTIFIER ::= {id-mr 42}
## id-mr-attributeCertificateExactMatch     OBJECT IDENTIFIER ::= {id-mr 45}
## id-mr-holderIssuerMatch                  OBJECT IDENTIFIER ::= {id-mr 46}
## id-mr-authAttIdMatch                     OBJECT IDENTIFIER ::= {id-mr 53}
## id-mr-roleSpecCertIdMatch                OBJECT IDENTIFIER ::= {id-mr 54}
## id-mr-basicAttConstraintsMatch           OBJECT IDENTIFIER ::= {id-mr 55}
## id-mr-delegatedNameConstraintsMatch      OBJECT IDENTIFIER ::= {id-mr 56}
## id-mr-timeSpecMatch                      OBJECT IDENTIFIER ::= {id-mr 57}
## id-mr-attDescriptorMatch                 OBJECT IDENTIFIER ::= {id-mr 58}
## id-mr-acceptableCertPoliciesMatch        OBJECT IDENTIFIER ::= {id-mr 59}
## id-mr-delegationPathMatch                OBJECT IDENTIFIER ::= {id-mr 61}
## id-mr-sOAIdentifierMatch                 OBJECT IDENTIFIER ::= {id-mr 66}
## id-mr-indirectIssuerMatch                OBJECT IDENTIFIER ::= {id-mr 67}
## 
## 
## X.509 (08/2005) pp. 71, 86-89
##
## 14.4.1 Role attribute
## role  ATTRIBUTE ::= {
##       WITH SYNTAX         RoleSyntax
##       ID                  id-at-role }
## RoleSyntax ::= SEQUENCE {
## roleAuthority     [0]     GeneralNames  OPTIONAL,
## roleName          [1]     GeneralName }
## 
## 14.5     XML privilege information attribute
##    xmlPrivilegeInfo ATTRIBUTE ::= {
##      WITH SYNTAX UTF8String -- contains XML-encoded privilege information
##      ID                 id-at-xMLPrivilegeInfo }
## 
## 17.1 PMI directory object classes
## 
## 17.1.1   PMI user object class
##    pmiUser OBJECT-CLASS ::= {
##    -- a PMI user (i.e., a "holder")
##      SUBCLASS OF          {top}
##      KIND                 auxiliary
##      MAY CONTAIN          {attributeCertificateAttribute}
##      ID                   id-oc-pmiUser }
## 
## 17.1.2     PMI AA object class
##     pmiAA OBJECT-CLASS ::= {
##     -- a PMI AA
##       SUBCLASS OF          {top}
##       KIND                 auxiliary
##       MAY CONTAIN          {aACertificate |
##                            attributeCertificateRevocationList |
##                            attributeAuthorityRevocationList}
##       ID                   id-oc-pmiAA }
## 
## 17.1.3     PMI SOA object class
##     pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority
##       SUBCLASS OF {top}
##       KIND                 auxiliary
##       MAY CONTAIN          {attributeCertificateRevocationList |
##                            attributeAuthorityRevocationList |
##                            attributeDescriptorCertificate}
##       ID                   id-oc-pmiSOA }
## 
## 17.1.4     Attribute certificate CRL distribution point object class
##     attCertCRLDistributionPt          OBJECT-CLASS ::= {
##       SUBCLASS OF {top}
##       KIND                 auxiliary
##       MAY CONTAIN          { attributeCertificateRevocationList |
##                            attributeAuthorityRevocationList }
##       ID                   id-oc-attCertCRLDistributionPts }
## 
## 17.1.5     PMI delegation path
##     pmiDelegationPath            OBJECT-CLASS ::= {
##         SUBCLASS OF              {top}
##         KIND                     auxiliary
##         MAY CONTAIN              { delegationPath }
##         ID                       id-oc-pmiDelegationPath }
## 
## 17.1.6     Privilege policy object class
##     privilegePolicy        OBJECT-CLASS ::= {
##         SUBCLASS OF              {top}
##         KIND                     auxiliary
##         MAY CONTAIN              {privPolicy }
##         ID                       id-oc-privilegePolicy }
## 
## 17.1.7     Protected privilege policy object class
##     protectedPrivilegePolicy               OBJECT-CLASS       ::= {
##         SUBCLASS OF              {top}
##         KIND                     auxiliary
##         MAY CONTAIN            {protPrivPolicy }
##         ID                     id-oc-protectedPrivilegePolicy }
## 
## 17.2       PMI Directory attributes
## 
## 17.2.1     Attribute certificate attribute
##     attributeCertificateAttribute ATTRIBUTE ::= {
##         WITH SYNTAX                            AttributeCertificate
##         EQUALITY MATCHING RULE                 attributeCertificateExactMatch
##         ID                                     id-at-attributeCertificate }
## 
## 17.2.2     AA certificate attribute
##     aACertificate         ATTRIBUTE ::= {
##         WITH SYNTAX                            AttributeCertificate
##         EQUALITY MATCHING RULE                 attributeCertificateExactMatch
##         ID                                     id-at-aACertificate }
## 
## 17.2.3     Attribute descriptor certificate attribute
##     attributeDescriptorCertificate        ATTRIBUTE ::= {
##         WITH SYNTAX                            AttributeCertificate
##         EQUALITY MATCHING RULE                 attributeCertificateExactMatch
##         ID                                     id-at-attributeDescriptorCertificate }
## 
## 17.2.4     Attribute certificate revocation list attribute
##     attributeCertificateRevocationList         ATTRIBUTE ::= {
##         WITH SYNTAX                            CertificateList
##         EQUALITY MATCHING RULE                 certificateListExactMatch
##         ID                                     id-at-attributeCertificateRevocationList}
## 
## 17.2.5     AA certificate revocation list attribute
##     attributeAuthorityRevocationList           ATTRIBUTE ::= {
##         WITH SYNTAX                            CertificateList
##         EQUALITY MATCHING RULE                 certificateListExactMatch
##         ID                                     id-at-attributeAuthorityRevocationList }
## 
## 17.2.6     Delegation path attribute
##     delegationPath        ATTRIBUTE ::= {
##         WITH SYNTAX                  AttCertPath
##         ID                           id-at-delegationPath }
##     AttCertPath      ::= SEQUENCE OF AttributeCertificate
## 
## 17.2.7     Privilege policy attribute
##     privPolicy ATTRIBUTE ::= {
##         WITH SYNTAX             PolicySyntax
##         ID                      id-at-privPolicy }
## 
## 17.2.8     Protected privilege policy attribute
##        protPrivPolicy       ATTRIBUTE        ::= {
##         WITH SYNTAX                          AttributeCertificate
##         EQUALITY MATCHING RULE               attributeCertificateExactMatch
##         ID                                   id-at-protPrivPolicy }
## 
## 17.2.9     XML Protected privilege policy attribute
##        xmlPrivPolicy        ATTRIBUTE ::= {
##         WITH SYNTAX         UTF8String -- contains XML-encoded privilege policy information
##         ID                  id-at-xMLPprotPrivPolicy }
## 

## -- object identifier assignments --
## -- object classes --
objectidentifier	id-oc-pmiUser 2.5.6.24
objectidentifier	id-oc-pmiAA 2.5.6.25
objectidentifier	id-oc-pmiSOA 2.5.6.26
objectidentifier	id-oc-attCertCRLDistributionPts 2.5.6.27
objectidentifier	id-oc-privilegePolicy 2.5.6.32
objectidentifier	id-oc-pmiDelegationPath 2.5.6.33
objectidentifier	id-oc-protectedPrivilegePolicy 2.5.6.34
## -- directory attributes --
objectidentifier	id-at-attributeCertificate 2.5.4.58
objectidentifier	id-at-attributeCertificateRevocationList 2.5.4.59
objectidentifier	id-at-aACertificate 2.5.4.61
objectidentifier	id-at-attributeDescriptorCertificate 2.5.4.62
objectidentifier	id-at-attributeAuthorityRevocationList 2.5.4.63
objectidentifier	id-at-privPolicy 2.5.4.71
objectidentifier	id-at-role 2.5.4.72
objectidentifier	id-at-delegationPath 2.5.4.73
objectidentifier	id-at-protPrivPolicy 2.5.4.74
objectidentifier	id-at-xMLPrivilegeInfo 2.5.4.75
objectidentifier	id-at-xMLPprotPrivPolicy 2.5.4.76
## -- attribute certificate extensions --
## id-ce-authorityAttributeIdentifier       OBJECT IDENTIFIER ::= {id-ce 38}
## id-ce-roleSpecCertIdentifier             OBJECT IDENTIFIER ::= {id-ce 39}
## id-ce-basicAttConstraints                OBJECT IDENTIFIER ::= {id-ce 41}
## id-ce-delegatedNameConstraints           OBJECT IDENTIFIER ::= {id-ce 42}
## id-ce-timeSpecification                  OBJECT IDENTIFIER ::= {id-ce 43}
## id-ce-attributeDescriptor                OBJECT IDENTIFIER ::= {id-ce 48}
## id-ce-userNotice                         OBJECT IDENTIFIER ::= {id-ce 49}
## id-ce-sOAIdentifier                      OBJECT IDENTIFIER ::= {id-ce 50}
## id-ce-acceptableCertPolicies             OBJECT IDENTIFIER ::= {id-ce 52}
## id-ce-targetInformation                  OBJECT IDENTIFIER ::= {id-ce 55}
## id-ce-noRevAvail                         OBJECT IDENTIFIER ::= {id-ce 56}
## id-ce-acceptablePrivilegePolicies        OBJECT IDENTIFIER ::= {id-ce 57}
## id-ce-indirectIssuer                     OBJECT IDENTIFIER ::= {id-ce 61}
## id-ce-noAssertion                        OBJECT IDENTIFIER ::= {id-ce 62}
## id-ce-issuedOnBehalfOf                   OBJECT IDENTIFIER ::= {id-ce 64}
## -- PMI matching rules --
objectidentifier	id-mr 2.5.13
objectidentifier	id-mr-attributeCertificateMatch id-mr:42
objectidentifier	id-mr-attributeCertificateExactMatch id-mr:45
objectidentifier	id-mr-holderIssuerMatch id-mr:46
objectidentifier	id-mr-authAttIdMatch id-mr:53
objectidentifier	id-mr-roleSpecCertIdMatch id-mr:54
objectidentifier	id-mr-basicAttConstraintsMatch id-mr:55
objectidentifier	id-mr-delegatedNameConstraintsMatch id-mr:56
objectidentifier	id-mr-timeSpecMatch id-mr:57
objectidentifier	id-mr-attDescriptorMatch id-mr:58
objectidentifier	id-mr-acceptableCertPoliciesMatch id-mr:59
objectidentifier	id-mr-delegationPathMatch id-mr:61
objectidentifier	id-mr-sOAIdentifierMatch id-mr:66
objectidentifier	id-mr-indirectIssuerMatch id-mr:67
## -- syntaxes --
## NOTE: 1.3.6.1.4.1.4203.666.11.10 is the oid arc assigned by OpenLDAP
## to this work in progress
objectidentifier	AttributeCertificate 1.3.6.1.4.1.4203.666.11.10.2.1
objectidentifier	CertificateList 1.3.6.1.4.1.1466.115.121.1.9
objectidentifier	AttCertPath 1.3.6.1.4.1.4203.666.11.10.2.4
objectidentifier	PolicySyntax 1.3.6.1.4.1.4203.666.11.10.2.5
objectidentifier	RoleSyntax 1.3.6.1.4.1.4203.666.11.10.2.6
#  NOTE: OIDs from <draft-ietf-pkix-ldap-schema-02.txt> (expired)
#objectidentifier	AttributeCertificate 1.2.826.0.1.3344810.7.5
#objectidentifier	AttCertPath 1.2.826.0.1.3344810.7.10
#objectidentifier	PolicySyntax 1.2.826.0.1.3344810.7.17
#objectidentifier	RoleSyntax 1.2.826.0.1.3344810.7.13
##
## Substitute syntaxes
##
## AttCertPath
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.4
	NAME 'AttCertPath'
	DESC 'X.509 PMI attribute cartificate path: SEQUENCE OF AttributeCertificate'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## PolicySyntax
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.5
	NAME 'PolicySyntax'
	DESC 'X.509 PMI policy syntax'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## RoleSyntax
ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.6
	NAME 'RoleSyntax'
	DESC 'X.509 PMI role syntax'
	X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )
##
## X.509 (08/2005) pp. 71, 86-89
## 
## 14.4.1 Role attribute
attributeType ( id-at-role
	NAME 'role'
	DESC 'X.509 Role attribute, use ;binary'
	SYNTAX RoleSyntax )
## 
## 14.5     XML privilege information attribute
##  -- contains XML-encoded privilege information
attributeType ( id-at-xMLPrivilegeInfo
	NAME 'xmlPrivilegeInfo'
	DESC 'X.509 XML privilege information attribute'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
## 
## 17.2       PMI Directory attributes
## 
## 17.2.1     Attribute certificate attribute
attributeType ( id-at-attributeCertificate
	NAME 'attributeCertificateAttribute'
	DESC 'X.509 Attribute certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
## 
## 17.2.2     AA certificate attribute
attributeType ( id-at-aACertificate
	NAME 'aACertificate'
	DESC 'X.509 AA certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
## 
## 17.2.3     Attribute descriptor certificate attribute
attributeType ( id-at-attributeDescriptorCertificate
	NAME 'attributeDescriptorCertificate'
	DESC 'X.509 Attribute descriptor certificate attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
## 
## 17.2.4     Attribute certificate revocation list attribute
attributeType ( id-at-attributeCertificateRevocationList
	NAME 'attributeCertificateRevocationList'
	DESC 'X.509 Attribute certificate revocation list attribute, use ;binary'
	SYNTAX CertificateList 
	X-EQUALITY 'certificateListExactMatch, not implemented yet' )
## 
## 17.2.5     AA certificate revocation list attribute
attributeType ( id-at-attributeAuthorityRevocationList
	NAME 'attributeAuthorityRevocationList'
	DESC 'X.509 AA certificate revocation list attribute, use ;binary'
	SYNTAX CertificateList
	X-EQUALITY 'certificateListExactMatch, not implemented yet' )
## 
## 17.2.6     Delegation path attribute
attributeType ( id-at-delegationPath
	NAME 'delegationPath'
	DESC 'X.509 Delegation path attribute, use ;binary'
	SYNTAX AttCertPath )
##     AttCertPath      ::= SEQUENCE OF AttributeCertificate
## 
## 17.2.7     Privilege policy attribute
attributeType ( id-at-privPolicy
	NAME 'privPolicy'
	DESC 'X.509 Privilege policy attribute, use ;binary'
	SYNTAX PolicySyntax )
## 
## 17.2.8     Protected privilege policy attribute
attributeType ( id-at-protPrivPolicy
	NAME 'protPrivPolicy'
	DESC 'X.509 Protected privilege policy attribute, use ;binary'
	SYNTAX AttributeCertificate
	EQUALITY attributeCertificateExactMatch )
## 
## 17.2.9     XML Protected privilege policy attribute
## -- contains XML-encoded privilege policy information
attributeType ( id-at-xMLPprotPrivPolicy
	NAME 'xmlPrivPolicy'
	DESC 'X.509 XML Protected privilege policy attribute'
	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
##
## 17.1 PMI directory object classes
## 
## 17.1.1   PMI user object class
##    -- a PMI user (i.e., a "holder")
objectClass ( id-oc-pmiUser
	NAME 'pmiUser'
	DESC 'X.509 PMI user object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateAttribute ) )
## 
## 17.1.2     PMI AA object class
##     -- a PMI AA
objectClass ( id-oc-pmiAA
	NAME 'pmiAA'
	DESC 'X.509 PMI AA object class'
	SUP top
	AUXILIARY
	MAY ( aACertificate $
		attributeCertificateRevocationList $
		attributeAuthorityRevocationList
	) )
## 
## 17.1.3     PMI SOA object class
##     -- a PMI Source of Authority
objectClass ( id-oc-pmiSOA
	NAME 'pmiSOA'
	DESC 'X.509 PMI SOA object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateRevocationList $
		attributeAuthorityRevocationList $
		attributeDescriptorCertificate
	) )
## 
## 17.1.4     Attribute certificate CRL distribution point object class
objectClass ( id-oc-attCertCRLDistributionPts
	NAME 'attCertCRLDistributionPt'
	DESC 'X.509 Attribute certificate CRL distribution point object class'
	SUP top
	AUXILIARY
	MAY ( attributeCertificateRevocationList $
		attributeAuthorityRevocationList
	) )
## 
## 17.1.5     PMI delegation path
objectClass ( id-oc-pmiDelegationPath
	NAME 'pmiDelegationPath'
	DESC 'X.509 PMI delegation path'
	SUP top
	AUXILIARY
	MAY ( delegationPath ) )
## 
## 17.1.6     Privilege policy object class
objectClass ( id-oc-privilegePolicy
	NAME 'privilegePolicy'
	DESC 'X.509 Privilege policy object class'
	SUP top
	AUXILIARY
	MAY ( privPolicy ) )
## 
## 17.1.7     Protected privilege policy object class
objectClass ( id-oc-protectedPrivilegePolicy
	NAME 'protectedPrivilegePolicy'
	DESC 'X.509 Protected privilege policy object class'
	SUP top
	AUXILIARY
	MAY ( protPrivPolicy ) )
committing changes in /etc after emerge run Package changes: +net-nds/openldap-2.4.42-r1 2015-09-20 16:17:41 +00:00			`# OpenLDAP X.509 PMI schema`
			`# $OpenLDAP$`
			`## This work is part of OpenLDAP Software <http://www.openldap.org/>.`
			`##`
			`## Copyright 1998-2015 The OpenLDAP Foundation.`
			`## All rights reserved.`
			`##`
			`## Redistribution and use in source and binary forms, with or without`
			`## modification, are permitted only as authorized by the OpenLDAP`
			`## Public License.`
			`##`
			`## A copy of this license is available in the file LICENSE in the`
			`## top-level directory of the distribution or, alternatively, at`
			`## <http://www.OpenLDAP.org/license.html>.`
			`#`
			`## Portions Copyright (C) The Internet Society (1997-2006).`
			`## All Rights Reserved.`
			`##`
			`## This document and translations of it may be copied and furnished to`
			`## others, and derivative works that comment on or otherwise explain it`
			`## or assist in its implementation may be prepared, copied, published`
			`## and distributed, in whole or in part, without restriction of any`
			`## kind, provided that the above copyright notice and this paragraph are`
			`## included on all such copies and derivative works. However, this`
			`## document itself may not be modified in any way, such as by removing`
			`## the copyright notice or references to the Internet Society or other`
			`## Internet organizations, except as needed for the purpose of`
			`## developing Internet standards in which case the procedures for`
			`## copyrights defined in the Internet Standards process must be`
			`## followed, or as required to translate it into languages other than`
			`## English.`
			`##`
			`## The limited permissions granted above are perpetual and will not be`
			`## revoked by the Internet Society or its successors or assigns.`
			`##`
			`## This document and the information contained herein is provided on an`
			`## "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING`
			`## TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING`
			`## BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION`
			`## HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF`
			`## MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.`

			`#`
			`#`
			`# Includes LDAPv3 schema items from:`
			`# ITU X.509 (08/2005)`
			`#`
			`## X.509 (08/2005) pp. 120-121`
			`##`
			`## -- object identifier assignments --`
			`## -- object classes --`
			`## id-oc-pmiUser OBJECT IDENTIFIER ::= {id-oc 24}`
			`## id-oc-pmiAA OBJECT IDENTIFIER ::= {id-oc 25}`
			`## id-oc-pmiSOA OBJECT IDENTIFIER ::= {id-oc 26}`
			`## id-oc-attCertCRLDistributionPts OBJECT IDENTIFIER ::= {id-oc 27}`
			`## id-oc-privilegePolicy OBJECT IDENTIFIER ::= {id-oc 32}`
			`## id-oc-pmiDelegationPath OBJECT IDENTIFIER ::= {id-oc 33}`
			`## id-oc-protectedPrivilegePolicy OBJECT IDENTIFIER ::= {id-oc 34}`
			`## -- directory attributes --`
			`## id-at-attributeCertificate OBJECT IDENTIFIER ::= {id-at 58}`
			`## id-at-attributeCertificateRevocationList OBJECT IDENTIFIER ::= {id-at 59}`
			`## id-at-aACertificate OBJECT IDENTIFIER ::= {id-at 61}`
			`## id-at-attributeDescriptorCertificate OBJECT IDENTIFIER ::= {id-at 62}`
			`## id-at-attributeAuthorityRevocationList OBJECT IDENTIFIER ::= {id-at 63}`
			`## id-at-privPolicy OBJECT IDENTIFIER ::= {id-at 71}`
			`## id-at-role OBJECT IDENTIFIER ::= {id-at 72}`
			`## id-at-delegationPath OBJECT IDENTIFIER ::= {id-at 73}`
			`## id-at-protPrivPolicy OBJECT IDENTIFIER ::= {id-at 74}`
			`## id-at-xMLPrivilegeInfo OBJECT IDENTIFIER ::= {id-at 75}`
			`## id-at-xMLPprotPrivPolicy OBJECT IDENTIFIER ::= {id-at 76}`
			`## -- attribute certificate extensions --`
			`## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}`
			`## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}`
			`## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}`
			`## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}`
			`## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}`
			`## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}`
			`## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}`
			`## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}`
			`## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}`
			`## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}`
			`## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}`
			`## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}`
			`## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}`
			`## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}`
			`## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}`
			`## -- PMI matching rules --`
			`## id-mr-attributeCertificateMatch OBJECT IDENTIFIER ::= {id-mr 42}`
			`## id-mr-attributeCertificateExactMatch OBJECT IDENTIFIER ::= {id-mr 45}`
			`## id-mr-holderIssuerMatch OBJECT IDENTIFIER ::= {id-mr 46}`
			`## id-mr-authAttIdMatch OBJECT IDENTIFIER ::= {id-mr 53}`
			`## id-mr-roleSpecCertIdMatch OBJECT IDENTIFIER ::= {id-mr 54}`
			`## id-mr-basicAttConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 55}`
			`## id-mr-delegatedNameConstraintsMatch OBJECT IDENTIFIER ::= {id-mr 56}`
			`## id-mr-timeSpecMatch OBJECT IDENTIFIER ::= {id-mr 57}`
			`## id-mr-attDescriptorMatch OBJECT IDENTIFIER ::= {id-mr 58}`
			`## id-mr-acceptableCertPoliciesMatch OBJECT IDENTIFIER ::= {id-mr 59}`
			`## id-mr-delegationPathMatch OBJECT IDENTIFIER ::= {id-mr 61}`
			`## id-mr-sOAIdentifierMatch OBJECT IDENTIFIER ::= {id-mr 66}`
			`## id-mr-indirectIssuerMatch OBJECT IDENTIFIER ::= {id-mr 67}`
			`##`
			`##`
			`## X.509 (08/2005) pp. 71, 86-89`
			`##`
			`## 14.4.1 Role attribute`
			`## role ATTRIBUTE ::= {`
			`## WITH SYNTAX RoleSyntax`
			`## ID id-at-role }`
			`## RoleSyntax ::= SEQUENCE {`
			`## roleAuthority [0] GeneralNames OPTIONAL,`
			`## roleName [1] GeneralName }`
			`##`
			`## 14.5 XML privilege information attribute`
			`## xmlPrivilegeInfo ATTRIBUTE ::= {`
			`## WITH SYNTAX UTF8String -- contains XML-encoded privilege information`
			`## ID id-at-xMLPrivilegeInfo }`
			`##`
			`## 17.1 PMI directory object classes`
			`##`
			`## 17.1.1 PMI user object class`
			`## pmiUser OBJECT-CLASS ::= {`
			`## -- a PMI user (i.e., a "holder")`
			`## SUBCLASS OF {top}`
			`## KIND auxiliary`
			`## MAY CONTAIN {attributeCertificateAttribute}`
			`## ID id-oc-pmiUser }`
			`##`
			`## 17.1.2 PMI AA object class`
			`## pmiAA OBJECT-CLASS ::= {`
			`## -- a PMI AA`
			`## SUBCLASS OF {top}`
			`## KIND auxiliary`
			`## MAY CONTAIN {aACertificate \|`
			`## attributeCertificateRevocationList \|`
			`## attributeAuthorityRevocationList}`
			`## ID id-oc-pmiAA }`
			`##`
			`## 17.1.3 PMI SOA object class`
			`## pmiSOA OBJECT-CLASS ::= { -- a PMI Source of Authority`
			`## SUBCLASS OF {top}`
			`## KIND auxiliary`
			`## MAY CONTAIN {attributeCertificateRevocationList \|`
			`## attributeAuthorityRevocationList \|`
			`## attributeDescriptorCertificate}`
			`## ID id-oc-pmiSOA }`
			`##`
			`## 17.1.4 Attribute certificate CRL distribution point object class`
			`## attCertCRLDistributionPt OBJECT-CLASS ::= {`
			`## SUBCLASS OF {top}`
			`## KIND auxiliary`
			`## MAY CONTAIN { attributeCertificateRevocationList \|`
			`## attributeAuthorityRevocationList }`
			`## ID id-oc-attCertCRLDistributionPts }`
			`##`
			`## 17.1.5 PMI delegation path`
			`## pmiDelegationPath OBJECT-CLASS ::= {`
			`## SUBCLASS OF {top}`
			`## KIND auxiliary`
			`## MAY CONTAIN { delegationPath }`
			`## ID id-oc-pmiDelegationPath }`
			`##`
			`## 17.1.6 Privilege policy object class`
			`## privilegePolicy OBJECT-CLASS ::= {`
			`## SUBCLASS OF {top}`
			`## KIND auxiliary`
			`## MAY CONTAIN {privPolicy }`
			`## ID id-oc-privilegePolicy }`
			`##`
			`## 17.1.7 Protected privilege policy object class`
			`## protectedPrivilegePolicy OBJECT-CLASS ::= {`
			`## SUBCLASS OF {top}`
			`## KIND auxiliary`
			`## MAY CONTAIN {protPrivPolicy }`
			`## ID id-oc-protectedPrivilegePolicy }`
			`##`
			`## 17.2 PMI Directory attributes`
			`##`
			`## 17.2.1 Attribute certificate attribute`
			`## attributeCertificateAttribute ATTRIBUTE ::= {`
			`## WITH SYNTAX AttributeCertificate`
			`## EQUALITY MATCHING RULE attributeCertificateExactMatch`
			`## ID id-at-attributeCertificate }`
			`##`
			`## 17.2.2 AA certificate attribute`
			`## aACertificate ATTRIBUTE ::= {`
			`## WITH SYNTAX AttributeCertificate`
			`## EQUALITY MATCHING RULE attributeCertificateExactMatch`
			`## ID id-at-aACertificate }`
			`##`
			`## 17.2.3 Attribute descriptor certificate attribute`
			`## attributeDescriptorCertificate ATTRIBUTE ::= {`
			`## WITH SYNTAX AttributeCertificate`
			`## EQUALITY MATCHING RULE attributeCertificateExactMatch`
			`## ID id-at-attributeDescriptorCertificate }`
			`##`
			`## 17.2.4 Attribute certificate revocation list attribute`
			`## attributeCertificateRevocationList ATTRIBUTE ::= {`
			`## WITH SYNTAX CertificateList`
			`## EQUALITY MATCHING RULE certificateListExactMatch`
			`## ID id-at-attributeCertificateRevocationList}`
			`##`
			`## 17.2.5 AA certificate revocation list attribute`
			`## attributeAuthorityRevocationList ATTRIBUTE ::= {`
			`## WITH SYNTAX CertificateList`
			`## EQUALITY MATCHING RULE certificateListExactMatch`
			`## ID id-at-attributeAuthorityRevocationList }`
			`##`
			`## 17.2.6 Delegation path attribute`
			`## delegationPath ATTRIBUTE ::= {`
			`## WITH SYNTAX AttCertPath`
			`## ID id-at-delegationPath }`
			`## AttCertPath ::= SEQUENCE OF AttributeCertificate`
			`##`
			`## 17.2.7 Privilege policy attribute`
			`## privPolicy ATTRIBUTE ::= {`
			`## WITH SYNTAX PolicySyntax`
			`## ID id-at-privPolicy }`
			`##`
			`## 17.2.8 Protected privilege policy attribute`
			`## protPrivPolicy ATTRIBUTE ::= {`
			`## WITH SYNTAX AttributeCertificate`
			`## EQUALITY MATCHING RULE attributeCertificateExactMatch`
			`## ID id-at-protPrivPolicy }`
			`##`
			`## 17.2.9 XML Protected privilege policy attribute`
			`## xmlPrivPolicy ATTRIBUTE ::= {`
			`## WITH SYNTAX UTF8String -- contains XML-encoded privilege policy information`
			`## ID id-at-xMLPprotPrivPolicy }`
			`##`

			`## -- object identifier assignments --`
			`## -- object classes --`
			`objectidentifier id-oc-pmiUser 2.5.6.24`
			`objectidentifier id-oc-pmiAA 2.5.6.25`
			`objectidentifier id-oc-pmiSOA 2.5.6.26`
			`objectidentifier id-oc-attCertCRLDistributionPts 2.5.6.27`
			`objectidentifier id-oc-privilegePolicy 2.5.6.32`
			`objectidentifier id-oc-pmiDelegationPath 2.5.6.33`
			`objectidentifier id-oc-protectedPrivilegePolicy 2.5.6.34`
			`## -- directory attributes --`
			`objectidentifier id-at-attributeCertificate 2.5.4.58`
			`objectidentifier id-at-attributeCertificateRevocationList 2.5.4.59`
			`objectidentifier id-at-aACertificate 2.5.4.61`
			`objectidentifier id-at-attributeDescriptorCertificate 2.5.4.62`
			`objectidentifier id-at-attributeAuthorityRevocationList 2.5.4.63`
			`objectidentifier id-at-privPolicy 2.5.4.71`
			`objectidentifier id-at-role 2.5.4.72`
			`objectidentifier id-at-delegationPath 2.5.4.73`
			`objectidentifier id-at-protPrivPolicy 2.5.4.74`
			`objectidentifier id-at-xMLPrivilegeInfo 2.5.4.75`
			`objectidentifier id-at-xMLPprotPrivPolicy 2.5.4.76`
			`## -- attribute certificate extensions --`
			`## id-ce-authorityAttributeIdentifier OBJECT IDENTIFIER ::= {id-ce 38}`
			`## id-ce-roleSpecCertIdentifier OBJECT IDENTIFIER ::= {id-ce 39}`
			`## id-ce-basicAttConstraints OBJECT IDENTIFIER ::= {id-ce 41}`
			`## id-ce-delegatedNameConstraints OBJECT IDENTIFIER ::= {id-ce 42}`
			`## id-ce-timeSpecification OBJECT IDENTIFIER ::= {id-ce 43}`
			`## id-ce-attributeDescriptor OBJECT IDENTIFIER ::= {id-ce 48}`
			`## id-ce-userNotice OBJECT IDENTIFIER ::= {id-ce 49}`
			`## id-ce-sOAIdentifier OBJECT IDENTIFIER ::= {id-ce 50}`
			`## id-ce-acceptableCertPolicies OBJECT IDENTIFIER ::= {id-ce 52}`
			`## id-ce-targetInformation OBJECT IDENTIFIER ::= {id-ce 55}`
			`## id-ce-noRevAvail OBJECT IDENTIFIER ::= {id-ce 56}`
			`## id-ce-acceptablePrivilegePolicies OBJECT IDENTIFIER ::= {id-ce 57}`
			`## id-ce-indirectIssuer OBJECT IDENTIFIER ::= {id-ce 61}`
			`## id-ce-noAssertion OBJECT IDENTIFIER ::= {id-ce 62}`
			`## id-ce-issuedOnBehalfOf OBJECT IDENTIFIER ::= {id-ce 64}`
			`## -- PMI matching rules --`
			`objectidentifier id-mr 2.5.13`
			`objectidentifier id-mr-attributeCertificateMatch id-mr:42`
			`objectidentifier id-mr-attributeCertificateExactMatch id-mr:45`
			`objectidentifier id-mr-holderIssuerMatch id-mr:46`
			`objectidentifier id-mr-authAttIdMatch id-mr:53`
			`objectidentifier id-mr-roleSpecCertIdMatch id-mr:54`
			`objectidentifier id-mr-basicAttConstraintsMatch id-mr:55`
			`objectidentifier id-mr-delegatedNameConstraintsMatch id-mr:56`
			`objectidentifier id-mr-timeSpecMatch id-mr:57`
			`objectidentifier id-mr-attDescriptorMatch id-mr:58`
			`objectidentifier id-mr-acceptableCertPoliciesMatch id-mr:59`
			`objectidentifier id-mr-delegationPathMatch id-mr:61`
			`objectidentifier id-mr-sOAIdentifierMatch id-mr:66`
			`objectidentifier id-mr-indirectIssuerMatch id-mr:67`
			`## -- syntaxes --`
			`## NOTE: 1.3.6.1.4.1.4203.666.11.10 is the oid arc assigned by OpenLDAP`
			`## to this work in progress`
			`objectidentifier AttributeCertificate 1.3.6.1.4.1.4203.666.11.10.2.1`
			`objectidentifier CertificateList 1.3.6.1.4.1.1466.115.121.1.9`
			`objectidentifier AttCertPath 1.3.6.1.4.1.4203.666.11.10.2.4`
			`objectidentifier PolicySyntax 1.3.6.1.4.1.4203.666.11.10.2.5`
			`objectidentifier RoleSyntax 1.3.6.1.4.1.4203.666.11.10.2.6`
			`# NOTE: OIDs from <draft-ietf-pkix-ldap-schema-02.txt> (expired)`
			`#objectidentifier AttributeCertificate 1.2.826.0.1.3344810.7.5`
			`#objectidentifier AttCertPath 1.2.826.0.1.3344810.7.10`
			`#objectidentifier PolicySyntax 1.2.826.0.1.3344810.7.17`
			`#objectidentifier RoleSyntax 1.2.826.0.1.3344810.7.13`
			`##`
			`## Substitute syntaxes`
			`##`
			`## AttCertPath`
			`ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.4`
			`NAME 'AttCertPath'`
			`DESC 'X.509 PMI attribute cartificate path: SEQUENCE OF AttributeCertificate'`
			`X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )`
			`##`
			`## PolicySyntax`
			`ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.5`
			`NAME 'PolicySyntax'`
			`DESC 'X.509 PMI policy syntax'`
			`X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )`
			`##`
			`## RoleSyntax`
			`ldapsyntax ( 1.3.6.1.4.1.4203.666.11.10.2.6`
			`NAME 'RoleSyntax'`
			`DESC 'X.509 PMI role syntax'`
			`X-SUBST '1.3.6.1.4.1.1466.115.121.1.15' )`
			`##`
			`## X.509 (08/2005) pp. 71, 86-89`
			`##`
			`## 14.4.1 Role attribute`
			`attributeType ( id-at-role`
			`NAME 'role'`
			`DESC 'X.509 Role attribute, use ;binary'`
			`SYNTAX RoleSyntax )`
			`##`
			`## 14.5 XML privilege information attribute`
			`## -- contains XML-encoded privilege information`
			`attributeType ( id-at-xMLPrivilegeInfo`
			`NAME 'xmlPrivilegeInfo'`
			`DESC 'X.509 XML privilege information attribute'`
			`SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )`
			`##`
			`## 17.2 PMI Directory attributes`
			`##`
			`## 17.2.1 Attribute certificate attribute`
			`attributeType ( id-at-attributeCertificate`
			`NAME 'attributeCertificateAttribute'`
			`DESC 'X.509 Attribute certificate attribute, use ;binary'`
			`SYNTAX AttributeCertificate`
			`EQUALITY attributeCertificateExactMatch )`
			`##`
			`## 17.2.2 AA certificate attribute`
			`attributeType ( id-at-aACertificate`
			`NAME 'aACertificate'`
			`DESC 'X.509 AA certificate attribute, use ;binary'`
			`SYNTAX AttributeCertificate`
			`EQUALITY attributeCertificateExactMatch )`
			`##`
			`## 17.2.3 Attribute descriptor certificate attribute`
			`attributeType ( id-at-attributeDescriptorCertificate`
			`NAME 'attributeDescriptorCertificate'`
			`DESC 'X.509 Attribute descriptor certificate attribute, use ;binary'`
			`SYNTAX AttributeCertificate`
			`EQUALITY attributeCertificateExactMatch )`
			`##`
			`## 17.2.4 Attribute certificate revocation list attribute`
			`attributeType ( id-at-attributeCertificateRevocationList`
			`NAME 'attributeCertificateRevocationList'`
			`DESC 'X.509 Attribute certificate revocation list attribute, use ;binary'`
			`SYNTAX CertificateList`
			`X-EQUALITY 'certificateListExactMatch, not implemented yet' )`
			`##`
			`## 17.2.5 AA certificate revocation list attribute`
			`attributeType ( id-at-attributeAuthorityRevocationList`
			`NAME 'attributeAuthorityRevocationList'`
			`DESC 'X.509 AA certificate revocation list attribute, use ;binary'`
			`SYNTAX CertificateList`
			`X-EQUALITY 'certificateListExactMatch, not implemented yet' )`
			`##`
			`## 17.2.6 Delegation path attribute`
			`attributeType ( id-at-delegationPath`
			`NAME 'delegationPath'`
			`DESC 'X.509 Delegation path attribute, use ;binary'`
			`SYNTAX AttCertPath )`
			`## AttCertPath ::= SEQUENCE OF AttributeCertificate`
			`##`
			`## 17.2.7 Privilege policy attribute`
			`attributeType ( id-at-privPolicy`
			`NAME 'privPolicy'`
			`DESC 'X.509 Privilege policy attribute, use ;binary'`
			`SYNTAX PolicySyntax )`
			`##`
			`## 17.2.8 Protected privilege policy attribute`
			`attributeType ( id-at-protPrivPolicy`
			`NAME 'protPrivPolicy'`
			`DESC 'X.509 Protected privilege policy attribute, use ;binary'`
			`SYNTAX AttributeCertificate`
			`EQUALITY attributeCertificateExactMatch )`
			`##`
			`## 17.2.9 XML Protected privilege policy attribute`
			`## -- contains XML-encoded privilege policy information`
			`attributeType ( id-at-xMLPprotPrivPolicy`
			`NAME 'xmlPrivPolicy'`
			`DESC 'X.509 XML Protected privilege policy attribute'`
			`SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )`
			`##`
			`## 17.1 PMI directory object classes`
			`##`
			`## 17.1.1 PMI user object class`
			`## -- a PMI user (i.e., a "holder")`
			`objectClass ( id-oc-pmiUser`
			`NAME 'pmiUser'`
			`DESC 'X.509 PMI user object class'`
			`SUP top`
			`AUXILIARY`
			`MAY ( attributeCertificateAttribute ) )`
			`##`
			`## 17.1.2 PMI AA object class`
			`## -- a PMI AA`
			`objectClass ( id-oc-pmiAA`
			`NAME 'pmiAA'`
			`DESC 'X.509 PMI AA object class'`
			`SUP top`
			`AUXILIARY`
			`MAY ( aACertificate $`
			`attributeCertificateRevocationList $`
			`attributeAuthorityRevocationList`
			`) )`
			`##`
			`## 17.1.3 PMI SOA object class`
			`## -- a PMI Source of Authority`
			`objectClass ( id-oc-pmiSOA`
			`NAME 'pmiSOA'`
			`DESC 'X.509 PMI SOA object class'`
			`SUP top`
			`AUXILIARY`
			`MAY ( attributeCertificateRevocationList $`
			`attributeAuthorityRevocationList $`
			`attributeDescriptorCertificate`
			`) )`
			`##`
			`## 17.1.4 Attribute certificate CRL distribution point object class`
			`objectClass ( id-oc-attCertCRLDistributionPts`
			`NAME 'attCertCRLDistributionPt'`
			`DESC 'X.509 Attribute certificate CRL distribution point object class'`
			`SUP top`
			`AUXILIARY`
			`MAY ( attributeCertificateRevocationList $`
			`attributeAuthorityRevocationList`
			`) )`
			`##`
			`## 17.1.5 PMI delegation path`
			`objectClass ( id-oc-pmiDelegationPath`
			`NAME 'pmiDelegationPath'`
			`DESC 'X.509 PMI delegation path'`
			`SUP top`
			`AUXILIARY`
			`MAY ( delegationPath ) )`
			`##`
			`## 17.1.6 Privilege policy object class`
			`objectClass ( id-oc-privilegePolicy`
			`NAME 'privilegePolicy'`
			`DESC 'X.509 Privilege policy object class'`
			`SUP top`
			`AUXILIARY`
			`MAY ( privPolicy ) )`
			`##`
			`## 17.1.7 Protected privilege policy object class`
			`objectClass ( id-oc-protectedPrivilegePolicy`
			`NAME 'protectedPrivilegePolicy'`
			`DESC 'X.509 Protected privilege policy object class'`
			`SUP top`
			`AUXILIARY`
			`MAY ( protPrivPolicy ) )`