GOOGLE-MIB DEFINITIONS ::= BEGIN
-- The root MIB for Google Inc.
IMPORTS
MODULE-IDENTITY, enterprises
FROM SNMPv2-SMI;
google MODULE-IDENTITY
LAST-UPDATED "202504302200Z" -- April 30, 2025
ORGANIZATION "Google Inc."
CONTACT-INFO
"
Postal: Warren Kumari
1600 Amphitheatre Pkwy
Mountain View, CA 94035
email: mib-mgmt@google.com
"
DESCRIPTION
"This MIB is the root for all enterprise specific SNMP variables exposed by Google's
products. It also documents all Google OIDs."
::= { enterprises 11129 }
-- Following are the different groups in Google's MIB tree.
--
-- Google Search Appliance
-- gsa OBJECT IDENTIFIER ::= { google 1 }
-- Google Security Team
googleSecurity OBJECT IDENTIFIER ::= { google 2 }
-- Certificate Extensions
certificateExtensions OBJECT IDENTIFIER ::= { googleSecurity 1 }
waveFederation OBJECT IDENTIFIER ::= { certificateExtensions 1 }
openidDiscovery OBJECT IDENTIFIER ::= { certificateExtensions 2 }
-- proxyGeneratedCertificate is used to signal that a PKIX, end-entity
-- certificate has been generated by a MITM proxy.
proxyGeneratedCertificate OBJECT IDENTIFIER ::= { certificateExtensions 3 }
-- dnssecEmbeddedChain contains a chain of DNSSEC entries which result in a
-- proof of an embedded RRSet.
dnssecEmbeddedChain OBJECT IDENTIFIER ::= { certificateExtensions 4 }
-- internalRestrictions is an extension used in internal Google certificates,
-- containing a single OCTET STRING.
internalRestrictions OBJECT IDENTIFIER ::= { certificateExtensions 5 }
-- originBinding is an extension used by CertAuth to signal
-- that this certificate should be used with a single web origin.
-- It contains an IA5String identifying the origin as a canonicalized URI.
originBinding OBJECT IDENTIFIER ::= { certificateExtensions 6 }
-- clientBinding is an extension used by CertAuth when cross-certifying
-- keys belonging to a single client. It contains a single OCTET STRING.
clientBinding OBJECT IDENTIFIER ::= { certificateExtensions 7 }
-- gnubbyAttestation is an EKU OID used to restrict use of the subject
-- key to CSR attestation purposes.
gnubbyAttestation OBJECT IDENTIFIER ::= { certificateExtensions 8 }
-- gnubbyAccessConditions is a BIT STRING describing the ACL attached
-- to a gnubby keypair.
gnubbyAccessConditions OBJECT IDENTIFIER ::= { certificateExtensions 9 }
-- gnubbyTUP is an EKU OID allowing this key to be used for
-- Test of User Presence.
gnubbyTUP OBJECT IDENTIFIER ::= { certificateExtensions 10 }
-- gnubbySignatureCounter is an EKU OID which specifies that a 32 bit
-- increasing counter will be included in signatures using this key.
gnubbySignatureCounter OBJECT IDENTIFIER ::= { certificateExtensions 11 }
-- gnubbyAuthData is an OCTET STRING containing [wrapped] gnubby state.
-- The data is opaque to the RP.
gnubbyAuthData OBJECT IDENTIFIER ::= { certificateExtensions 12 }
-- portunusKeyTicket is an OCTET STRING containing a Portunus key ticket.
portunusKeyTicket OBJECT IDENTIFIER ::= { certificateExtensions 13 }
-- androidWrappedKey is an OCTET STRING containing a device-bound key blob.
-- It is used as the algorithm OID in PKCS#8 and other containers on Android.
androidWrappedKey OBJECT IDENTIFIER ::= { certificateExtensions 14 }
-- chromeAttestationValue is an extension used in Chrome Attestation
-- certificates, containing a single OCTET STRING (deprecated)
chromeAttestationValue OBJECT IDENTIFIER ::= { certificateExtensions 15 }
-- chromeAttestationProtoValue is a certificate extension used in Chrome
-- Attestation, containing a proto message wrapped in a single OCTET STRING.
chromeAttestationProtoValue OBJECT IDENTIFIER ::= { certificateExtensions 16 }
-- androidAttestationValue is an extension used in Android Keystore Attestation.
androidAttestationValue OBJECT IDENTIFIER ::= { certificateExtensions 17 }
-- androidThingsProduct is an extension used in Android Things Attestation.
androidThingsProduct OBJECT IDENTIFIER ::= { certificateExtensions 18 }
-- chromeAttestationInfoValue is a certificate extension used in Chrome
-- Attestation, containing a proto message wrapped in a single OCTET STRING.
chromeAttestationInfoValue OBJECT IDENTIFIER ::= { certificateExtensions 19 }
-- securityKeyUnblindingToken is an OCTET STRING that contains a value
-- inserted by our Security Key Privacy CA that can be used to unblind
-- certificates for Security Keys found to be flawed.
securityKeyUnblindingToken OBJECT IDENTIFIER ::= { certificateExtensions 20 }
-- cloudComputeInstanceIdentifier is an ASN.1 structure that contains
-- information (a human-readable and a machine-parsable version) to uniquely
-- identify a Google Compute Engine instance.
-- The structure is as follows:
-- SEQUENCE {
-- zone UTF8String,
-- project_num INTEGER,
-- project_name UTF8String,
-- instance_num INTEGER,
-- instance_name UTF8String
-- }
cloudComputeInstanceIdentifier OBJECT IDENTIFIER ::= { certificateExtensions 21 }
-- canSignHttpExchanges is a certificate extension used by drafts of the
-- Signed HTTP Exchanges specification to indicate that a given certificate
-- can be safely used with Signed HTTP exchanges.
-- It contains an ASN.1 NULL (0x05 0x00) within the extension OCTET STRING.
-- (See https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html )
canSignHttpExchanges OBJECT IDENTIFIER ::= { certificateExtensions 22 }
-- chromeEnrollmentData is a certificate extension used in Chrome Attestation
-- and Chrome OS Zero-Touch, containing a proto message holding attested enrollment data
-- wrapped in a single OCTET STRING.
chromeEnrollmentData OBJECT IDENTIFIER ::= { certificateExtensions 23 }
-- diceAttestationData is a certificate extension used in the Google DICE
-- Profile. DICE refers to the TCG Device Identifier Composition Engine. The
-- certificates are generated on-the-fly by a device and this extension
-- includes information about the device and the program on the device which
-- generated the certificate.
diceAttestationData OBJECT IDENTIFIER ::= { certificateExtensions 24 }
-- androidEntityAttestationToken is an extension used in Android Keystore Attestation.
androidEntityAttestationToken OBJECT IDENTIFIER ::= { certificateExtensions 25 }
-- androidIdentityCredentialAuthenticationKey is an extension used in Android
-- Identity Credential for Authentication Keys.
androidIdentityCredentialAuthenticationKey OBJECT IDENTIFIER ::= { certificateExtensions 26 }
-- chromeOsDeviceSetupData is an extension used by ChromeOS for automated device setup.
chromeOsDeviceSetupData OBJECT IDENTIFIER ::= { certificateExtensions 27}
-- chromeOsVtpmEkAttestedDeviceId is an extension used by ChromeOS for host
-- device ID in VTPM EK certificate.
chromeOsVtpmEkAttestedDeviceId OBJECT IDENTIFIER ::= { certificateExtensions 28}
-- avfAttestationExtensions is an extension used by the Android Virtualization
-- Framework to describe the root of trust and payload of a virtual machine.
avfAttestationExtensions OBJECT IDENTIFIER ::= { certificateExtensions 29 }
avfAttestationExtensionV1 OBJECT IDENTIFIER ::= { avfAttestationExtensions 1 }
-- androidRemoteKeyProvisioningInfo is an extension used by the remote key
-- provisioning service in Android so that the server providing provisioning
-- may describe additional security details relevant to the device in
-- question.
androidRemoteKeyProvisioningInfo OBJECT IDENTIFIER ::= { certificateExtensions 30 }
-- instanceInfo is an extension used to encode a GCE VM's instance info proto.
-- It will be included in LOAS3 certificates for GCE VMs.
instanceInfo OBJECT IDENTIFIER ::= {certificateExtensions 31}
-- scribeProvisioningInfo is an extension used to encode provisioning details
-- in the certificate used by the scribe.
scribeProvisioningInfo OBJECT IDENTIFIER ::= {certificateExtensions 32}
-- chromeOsDeviceType is an extension used by ChromeOS to encode Board ID Type
-- and Flags.
chromeOsDeviceType OBJECT IDENTIFIER ::= {certificateExtensions 33}
-- chromeOsApRoVerificationStatus is an extension used by ChromeOS to encode
-- the AP RO verification status.
chromeOsApRoVerificationStatus OBJECT IDENTIFIER ::= {certificateExtensions 34}
-- chromeOsBootMode is an extension used by ChromeOS to encode the current
-- boot mode.
chromeOsBootMode OBJECT IDENTIFIER ::= {certificateExtensions 35}
-- chromeOsFirmwareVersion is an extension used by ChromeOS to encode the
-- current firmware version.
chromeOsFirmwareVersion OBJECT IDENTIFIER ::= {certificateExtensions 36}
-- chromeOsKernelVersion is an extension used by ChromeOS to encode the
-- current kernel version.
chromeOsKernelVersion OBJECT IDENTIFIER ::= {certificateExtensions 37}
-- chromeOsGscvdVersion is an extension used by ChromeOS to encode the current
-- GSCVD version.
chromeOsGscvdVersion OBJECT IDENTIFIER ::= {certificateExtensions 38}
-- isLoas3CloudContext is an extension that will be marked as critical for
-- LOAS3/Zatar certs. Presence of this extension is intended to make
-- certificate verification fail in general-purpose verifiers, because a
-- verifier that does not recognise a critical extension must reject the
-- certificate (RFC 5280, section 4.2). This is meant to make LOAS3 Cloud
-- context certificates less valuable for the majority of Google Prod, except
-- for the few endpoints that will have a custom implementation that
-- understands this extension.
isLoas3CloudContext OBJECT IDENTIFIER ::= {certificateExtensions 39}
-- NOTE(review): from waymo_bv_uniqueECUID through isHardwareBacked, each
-- descriptive comment follows the assignment it documents; earlier entries in
-- this module place the comment before the assignment.
-- NOTE(review): '_' is not a permitted character in an ASN.1 identifier, so
-- strict MIB/ASN.1 compilers may reject the waymo_bv_* descriptors. Confirm
-- whether this module is meant to be compiled or only read as an OID registry.
waymo_bv_uniqueECUID OBJECT IDENTIFIER ::= {certificateExtensions 40}
-- waymo_bv_uniqueECUID is an extension to uniquely identify a device and achieve
-- per-device authentication
waymo_bv_PKIRole OBJECT IDENTIFIER ::= {certificateExtensions 41}
-- waymo_bv_PKIRole is an extension that differentiates project CAs and
-- leaf certificates
waymo_bv_WaymoUserRole OBJECT IDENTIFIER ::= {certificateExtensions 42}
-- waymo_bv_WaymoUserRole is an extension that regulates role-based authentication for
-- various types of authentication client entities
waymo_bv_DiagRouting OBJECT IDENTIFIER ::= {certificateExtensions 43}
-- waymo_bv_DiagRouting is an extension that implements authorization policies on
-- diagnostics traffic on the base vehicle gateway module
waymo_bv_CsrType OBJECT IDENTIFIER ::= {certificateExtensions 44}
-- waymo_bv_CsrType is an extension that differentiates an initial device identity CSR
-- from a replacement type of identity CSR
waymo_bv_CustomerMetaData OBJECT IDENTIFIER ::= {certificateExtensions 45}
-- waymo_bv_CustomerMetaData is an extension that provides sufficient randomness to make
-- the identity CSR non-deterministic
waymo_bv_POO_DeviceIdentityKey OBJECT IDENTIFIER ::= {certificateExtensions 46}
-- waymo_bv_POO_DeviceIdentityKey is an extension that is used for verifying a replacement
-- type of device identity CSR
waymo_bv_Auth_Client_Identity OBJECT IDENTIFIER ::= {certificateExtensions 47}
-- waymo_bv_Auth_Client_Identity is an extension that differentiates various authentication
-- client entities
waymo_bv_Dynamic_ACL OBJECT IDENTIFIER ::= {certificateExtensions 48}
-- waymo_bv_Dynamic_ACL is an extension that provides additional authorization of
-- certain diagnostics functions beyond the statically defined ACL
-- from a given waymo_bv_WaymoUserRole
androidIdentityCredentialCloudSecureAreaAttestationValue OBJECT IDENTIFIER ::= {certificateExtensions 49}
-- androidIdentityCredentialCloudSecureAreaAttestationValue is an extension
-- used to convey attestation information. The format of the data in this
-- extension is described at https://github.com/google/identity-credential
rpcRestrictions OBJECT IDENTIFIER ::= {certificateExtensions 50}
-- rpcRestrictions is an extension used to encode RPC restrictions within
-- LOAS3 certificates to specify what RPCs this credential is allowed to be used for
isHardwareBacked OBJECT IDENTIFIER ::= {certificateExtensions 51}
-- isHardwareBacked is an extension that specifies whether the key material is
-- hardware backed (i.e. resident in, and non-exportable from, hardware)
-- subjectTinkKeyID is a non-critical extension that holds the
-- Subject's Tink Key ID
subjectTinkKeyID OBJECT IDENTIFIER ::= {certificateExtensions 52}
-- issuerTinkKeyID is a non-critical extension that holds the
-- Issuer's Tink Key ID
issuerTinkKeyID OBJECT IDENTIFIER ::= {certificateExtensions 53}
-- androidProductIdentityData is a certificate extension used by Android product
-- identity certificates, containing a proto message holding various Android
-- product properties wrapped in a single OCTET STRING.
androidProductIdentityData OBJECT IDENTIFIER ::= { certificateExtensions 54 }
-- CRL Extensions
crlExtensions OBJECT IDENTIFIER ::= { googleSecurity 2 }
crlRevocationRange OBJECT IDENTIFIER ::= { crlExtensions 1 }
-- Hash targets
--
-- Hash targets are simply things that can be hashed. In order to avoid
-- attacks where a hash over type X can be substituted into a situation where
-- a verifier expects a hash of Y, but X can be made to look like a Y, it's
-- good practice to be explicit about the type of object that is getting
-- hashed.
hashTargets OBJECT IDENTIFIER ::= { googleSecurity 3 }
-- subjectPublicKeyInfo identifies a SubjectPublicKeyInfo from RFC 5280,
-- section 4.1.
subjectPublicKeyInfo OBJECT IDENTIFIER ::= { hashTargets 1 }
-- Certificate Transparency (see RFC 6962-bis)
certificateTransparency OBJECT IDENTIFIER ::= { googleSecurity 4 }
-- X.509v3 extension for an SCT in a superfluous certificate
superfluousCertificateExtension OBJECT IDENTIFIER ::= { certificateTransparency 1 }
-- X.509v3 extension for an SCT included in the certificate it applies to
sctExtension OBJECT IDENTIFIER ::= { certificateTransparency 2 }
-- X.509v3 extension to poison a pre-certificate
poisonExtension OBJECT IDENTIFIER ::= { certificateTransparency 3 }
-- X.509v3 EKU OID for pre-certificate signing
precertificateSigning OBJECT IDENTIFIER ::= { certificateTransparency 4 }
-- X.509v3 extension OID for OCSP
ocspExtension OBJECT IDENTIFIER ::= { certificateTransparency 5 }
-- X.509v3 extension OID for redacted labels
redactedLabels OBJECT IDENTIFIER ::= { certificateTransparency 6 }
-- X.509v3 extension OID for "OK to not log certs below this intermediate"
intermediateIsFinal OBJECT IDENTIFIER ::= { certificateTransparency 7 }
-- Policy Identifiers
certificatePolicies OBJECT IDENTIFIER ::= { googleSecurity 5 }
-- Google Internet Authority G2 certificatePolicy
googleInternetAuthority OBJECT IDENTIFIER ::= { certificatePolicies 1 }
-- Cast Audio certificate policy
googleCastAudio OBJECT IDENTIFIER ::= { certificatePolicies 2 }
-- Google Trust Services certificatePolicy
googleTrustServices OBJECT IDENTIFIER ::= { certificatePolicies 3 }
-- Google Trust Services certificatePolicy for signedHTTPExchanges
signedHTTPExchanges OBJECT IDENTIFIER ::= { googleTrustServices 1 }
-- Google Trust Services certificatePolicy for clientAuthentication
clientAuthentication OBJECT IDENTIFIER ::= { googleTrustServices 2 }
-- Google Trust Services certificatePolicy for documentSigning
documentSigning OBJECT IDENTIFIER ::= { googleTrustServices 3 }
-- Google Trust Services certificatePolicy for emailProtection
emailProtection OBJECT IDENTIFIER ::= { googleTrustServices 4 }
-- Google Production certificatePolicy
googleProductionPolicy OBJECT IDENTIFIER ::= { certificatePolicies 4 }
-- NOTE(review): the two assignments below reuse the descriptor
-- googleProductionPolicy for arcs 5 and 6, although their comments describe
-- distinct Network Switch policies. A name-based lookup cannot tell the three
-- policies apart, so match on the numeric OID, and confirm the intended
-- descriptors for arcs 5 and 6.
-- Google Network Switch AIK certificatePolicy
googleProductionPolicy OBJECT IDENTIFIER ::= { certificatePolicies 5 }
-- Google Network Switch OIDevID certificatePolicy
googleProductionPolicy OBJECT IDENTIFIER ::= { certificatePolicies 6 }
-- Kubernetes Identifiers
kubernetes OBJECT IDENTIFIER ::= { googleSecurity 6 }
-- Kubernetes Certificate Extensions
kubernetesExtensions OBJECT IDENTIFIER ::= { kubernetes 1 }
-- Kubernetes service account UID (ASN1:UTF8String)
kubernetesExtensionServiceAccountUid OBJECT IDENTIFIER ::= { kubernetesExtensions 1 }
-- Kubernetes pod name (ASN1:UTF8String)
kubernetesExtensionPodName OBJECT IDENTIFIER ::= { kubernetesExtensions 2 }
-- Kubernetes pod UID (ASN1:UTF8String)
kubernetesExtensionPodUid OBJECT IDENTIFIER ::= { kubernetesExtensions 3 }
-- Contains a proto message holding the pod UID wrapped in a single
-- OCTET STRING
kubernetesPod1pInfo OBJECT IDENTIFIER ::= { kubernetesExtensions 4 }
-- Key Purpose Identifiers
keyPurposeId OBJECT IDENTIFIER ::= { googleSecurity 7 }
-- Google Production keyPurposeId for authentication
googleProductionAuth OBJECT IDENTIFIER ::= { keyPurposeId 1 }
-- Google Production Identifiers
googleProduction OBJECT IDENTIFIER ::= {googleSecurity 8}
-- Google Production AttributeType for epochs (ASN1:UTF8String)
googleProductionEpoch OBJECT IDENTIFIER ::= { googleProduction 1 }
-- Google LDAP Identifiers
googleLdap OBJECT IDENTIFIER ::= { google 3 }
-- Widevine DRM System
widevine OBJECT IDENTIFIER ::= { google 4 }
-- Widevine Certificate Extensions
wvCertificateExtensions OBJECT IDENTIFIER ::= { widevine 1 }
-- System ID (ASN1:INTEGER)
wvSystemId OBJECT IDENTIFIER ::= { wvCertificateExtensions 1 }
-- Development Certificate Flag (ASN1:BOOLEAN)
wvDevelopmentCertFlag OBJECT IDENTIFIER ::= { wvCertificateExtensions 2 }
-- Secure Storage Verified Flag (ASN1:BOOLEAN)
wvSecureStorageVerifiedFlag OBJECT IDENTIFIER ::= { wvCertificateExtensions 3 }
-- Widevine Root Of Trust ID (ASN1:UTF8String)
-- NOTE(review): the descriptor below is spelled wvRootOdTrustId; presumably
-- wvRootOfTrustId was intended. Confirm before renaming, since the existing
-- name may already be referenced elsewhere.
wvRootOdTrustId OBJECT IDENTIFIER ::= { wvCertificateExtensions 4 }
-- Google Cloud Healthcare Identifiers
googleCloudHealthcare OBJECT IDENTIFIER ::= { google 5 }
-- Google Communications eUICC Identifiers
googleCommunicationsEuicc OBJECT IDENTIFIER ::= { google 6 }
-- Verily Life Science Identifiers
verily OBJECT IDENTIFIER ::= { google 7 }
-- Verily Automated Retinal Diagnosis System (ARDA) Identifiers
verilyArda OBJECT IDENTIFIER ::= { verily 1 }
-- Verily Retinal Camera Identifiers
verilyRetinalCamera OBJECT IDENTIFIER ::= { verily 2 }
-- Google Distributed Cloud Hosted (GDCH) Identifiers
gdch OBJECT IDENTIFIER ::= { google 8 }
-- GDCH Policy Identifiers
gdchPolicies OBJECT IDENTIFIER ::= { gdch 1 }
-- USG1 Certificate Policy
gdchCertificatePolicyUSG1 OBJECT IDENTIFIER ::= { gdchPolicies 1 }
-- USG2 Certificate Policy
gdchCertificatePolicyUSG2 OBJECT IDENTIFIER ::= { gdchPolicies 2 }
-- Google AlloyDB Database Identifiers
alloydb OBJECT IDENTIFIER ::= { googleSecurity 9 }
-- AlloyDB certificate extensions
alloydbExtensions OBJECT IDENTIFIER ::= { alloydb 1 }
-- Metadata exchange (ASN1:BOOLEAN)
-- Metadata exchange certificate extension is a non-critical extension to
-- identify clients that can exchange metadata with the server after a TLS
-- handshake. This metadata includes an IAM token, which is used to
-- authenticate users based on their IAM identity. The proxy server uses
-- this extension to distinguish between clients that support IAM
-- authentication and legacy clients that do not.
alloydbMetadataExchangeFlag OBJECT IDENTIFIER ::= { alloydbExtensions 1 }
-- Google Trust Anchor Identifiers (see https://datatracker.ietf.org/doc/draft-beck-tls-trust-anchor-ids/)
trustAnchorIdentifiers OBJECT IDENTIFIER ::= { google 9 }
-- TAI for CN=GTS Root R1,O=Google Trust Services LLC,C=US
taiGTSRootR1 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 1 }
-- TAI for CN=GTS Root R2,O=Google Trust Services LLC,C=US
taiGTSRootR2 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 2 }
-- TAI for CN=GTS Root R3,O=Google Trust Services LLC,C=US
taiGTSRootR3 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 3 }
-- TAI for CN=GTS Root R4,O=Google Trust Services LLC,C=US
taiGTSRootR4 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 4 }
-- TAI for C=US, O=Google Trust Services, CN=WR1
taiWR1 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 5 }
-- TAI for C=US, O=Google Trust Services, CN=WR2
taiWR2 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 6 }
-- TAI for C=US, O=Google Trust Services, CN=WR3
taiWR3 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 7 }
-- TAI for C=US, O=Google Trust Services, CN=WR4
taiWR4 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 8 }
-- TAI for C=US, O=Google Trust Services, CN=WR5
taiWR5 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 9 }
-- TAI for C=US, O=Google Trust Services, CN=WE1
taiWE1 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 10 }
-- TAI for C=US, O=Google Trust Services, CN=WE2
taiWE2 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 11 }
-- TAI for C=US, O=Google Trust Services, CN=WE3
taiWE3 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 12 }
-- TAI for C=US, O=Google Trust Services, CN=WE4
taiWE4 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 13 }
-- TAI for C=US, O=Google Trust Services, CN=WE5
taiWE5 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 14 }
-- TAI for C=US, O=Google Trust Services, CN=AE1
taiAE1 OBJECT IDENTIFIER ::= { trustAnchorIdentifiers 15 }
END