## from RFC 2587
##
## pkiUser   OBJECT-CLASS   ::= {
##    SUBCLASS OF   { top}
##    KIND          auxiliary
##    MAY CONTAIN   {userCertificate}
##    ID    joint-iso-ccitt(2) ds(5) objectClass(6) pkiUser(21)}
##
## pkiCA   OBJECT-CLASS   ::= {
##    SUBCLASS OF   { top}
##    KIND          auxiliary
##    MAY CONTAIN   {cACertificate |
##                   certificateRevocationList |
##                   authorityRevocationList |
##                   crossCertificatePair }
##    ID    joint-iso-ccitt(2) ds(5) objectClass(6) pkiCA(22)}
##
## copied from Entrust because serialNumber is not manageable by standards
##
## uniquelyIdentifiedUser   OBJECT-CLASS   ::= {
##    SUBCLASS OF   { top}
##    KIND          auxiliary
##    MUST CONTAIN  {serialNumber }
##    ID    id-nsn-oc-uniquelyIdentifiedUser(1.2.840.113533.7.67.4)}
##
## copied from Entrust because emailAddress for CAs is not manageable by standards
##
## rfc822MailUser   OBJECT-CLASS   ::= {
##    SUBCLASS OF   { top}
##    KIND          auxiliary
##    MUST CONTAIN  {rfc822Mailbox }
##    ID    id-nsn-oc-rfc822MailUser(1.2.840.113533.7.67.7)}
##
## FIXME: should we add support for PKCS#9 emailAddress to?

objectclass ( 2.5.6.21 NAME 'pkiUser' SUP top AUXILIARY
	MAY ( userCertificate )
	)

objectclass ( 2.5.6.22 NAME 'pkiCA' SUP top AUXILIARY
	MAY ( cACertificate $ certificateRevocationList $ authorityRevocationList $ crossCertificatePair )
	)

objectclass ( 1.2.840.113533.7.67.4 NAME 'uniquelyIdentifiedUser' SUP top AUXILIARY
	MUST ( serialNumber )
	)

objectclass ( 1.2.840.113533.7.67.7 NAME 'rfc822MailUser' SUP top AUXILIARY
	MUST ( mail )
	)