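GOOGLE-MIB DEFINITIONS ::= BEGIN

-- The root MIB for Google LLC
--
-- This module only assigns names to OID arcs. The encodings mentioned in the
-- comments (OCTET STRING, BIT STRING, ...) are informative; nothing here
-- defines criticality or validation rules for the extensions it names.
--
-- Dotted form, for matching against certificate dumps and parser output:
-- enterprises is 1.3.6.1.4.1 (SNMPv2-SMI), so google is 1.3.6.1.4.1.11129.

IMPORTS
    MODULE-IDENTITY, enterprises
        FROM SNMPv2-SMI;

google MODULE-IDENTITY
    LAST-UPDATED "202311070900Z"  -- November 07, 2023
    ORGANIZATION "Google LLC"
    CONTACT-INFO
        "
        Postal: Warren Kumari
                1600 Amphitheatre Pkwy
                Mountain View, CA 94035
        email: mib-mgmt@google.com
        "
    DESCRIPTION
        "This MIB is the root for all enterprise specific SNMP variables
        exposed by Google's products. It also documents all Google OIDs."
    ::= { enterprises 11129 }

-- Following are the different groups in Google's MIB tree.
--
-- Google Search Appliance
-- gsa OBJECT IDENTIFIER ::= { google 1 }
-- NOTE(review): arc 1 is kept as a comment. The single-line listing this was
-- restored from does not show whether the assignment was active. Confirm.

-- Google Security Team (1.3.6.1.4.1.11129.2)
googleSecurity OBJECT IDENTIFIER ::= { google 2 }

-- Certificate Extensions (1.3.6.1.4.1.11129.2.1)
certificateExtensions OBJECT IDENTIFIER ::= { googleSecurity 1 }

waveFederation OBJECT IDENTIFIER ::= { certificateExtensions 1 }

openidDiscovery OBJECT IDENTIFIER ::= { certificateExtensions 2 }

-- proxyGeneratedCertificate is used to signal that a PKIX, end-entity
-- certificate has been generated by a MITM proxy.
proxyGeneratedCertificate OBJECT IDENTIFIER ::= { certificateExtensions 3 }

-- dnssecEmbeddedChain contains a chain of DNSSEC entries which result in a
-- proof of an embedded RRSet.
dnssecEmbeddedChain OBJECT IDENTIFIER ::= { certificateExtensions 4 }

-- internalRestrictions is an extension used in internal Google certificates,
-- containing a single OCTET STRING
internalRestrictions OBJECT IDENTIFIER ::= { certificateExtensions 5 }

-- originBinding is an extension used by CertAuth to signal
-- that this certificate should be used with a single web origin,
-- it contains an IA5String identifying the origin as a canonicalized URI
originBinding OBJECT IDENTIFIER ::= { certificateExtensions 6 }

-- clientBinding is an extension used by CertAuth when cross-certifying
-- keys belonging to a single client, it contains a single OCTET STRING
clientBinding OBJECT IDENTIFIER ::= { certificateExtensions 7 }

-- gnubbyAttestation is an EKU OID used to restrict use of the subject
-- key to CSR attestation purposes.
gnubbyAttestation OBJECT IDENTIFIER ::= { certificateExtensions 8 }

-- gnubbyAccessConditions is a BIT STRING describing the ACL attached
-- to a gnubby keypair.
gnubbyAccessConditions OBJECT IDENTIFIER ::= { certificateExtensions 9 }

-- gnubbyTUP is an EKU OID allowing this key to be used for
-- Test of User Presence.
gnubbyTUP OBJECT IDENTIFIER ::= { certificateExtensions 10 }

-- gnubbySignatureCounter is an EKU OID which specifies that a 32 bit
-- increasing counter will be included in signatures using this key.
gnubbySignatureCounter OBJECT IDENTIFIER ::= { certificateExtensions 11 }

-- gnubbyAuthData is an OCTET STRING containing [wrapped] gnubby state.
-- The data is opaque to the RP.
gnubbyAuthData OBJECT IDENTIFIER ::= { certificateExtensions 12 }

-- portunusKeyTicket is an OCTET STRING containing a Portunus key ticket.
-- Identifies the algorithm in PKCS#8 PrivateKeyInfo. See go/portunus.
portunusKeyTicket OBJECT IDENTIFIER ::= { certificateExtensions 13 }

-- androidWrappedKey is an OCTET STRING containing a device-bound key blob.
-- It is used as the algorithm OID in PKCS#8 and other containers on Android.
androidWrappedKey OBJECT IDENTIFIER ::= { certificateExtensions 14 }

-- chromeAttestationValue is an extension used in Chrome Attestation
-- certificates, containing a single OCTET STRING (deprecated)
chromeAttestationValue OBJECT IDENTIFIER ::= { certificateExtensions 15 }

-- chromeAttestationProtoValue is a certificate extension used in Chrome
-- Attestation, containing a proto message wrapped in a single OCTET STRING.
chromeAttestationProtoValue OBJECT IDENTIFIER ::= { certificateExtensions 16 }

-- androidAttestationValue is an extension used in Android Keystore Attestation.
-- See go/android-keystore-attestation-extension for the content.
androidAttestationValue OBJECT IDENTIFIER ::= { certificateExtensions 17 }

-- androidThingsProduct is an extension used in Android Things Attestation.
-- See go/android-things-attestation#heading=h.pqye5p6lp2on for the content.
androidThingsProduct OBJECT IDENTIFIER ::= { certificateExtensions 18 }

-- chromeAttestationInfoValue is a certificate extension used in Chrome
-- Attestation, containing a proto message wrapped in a single OCTET STRING.
-- See go/tpm-2017-pca for more details.
chromeAttestationInfoValue OBJECT IDENTIFIER ::= { certificateExtensions 19 }

-- securityKeyUnblindingToken is an OCTET STRING that contains a value
-- inserted by our Security Key Privacy CA that can be used to unblind
-- certificates for Security Keys found to be flawed.
securityKeyUnblindingToken OBJECT IDENTIFIER ::= { certificateExtensions 20 }

-- cloudComputeInstanceIdentifier is an ASN.1 structure that contains
-- information (a human-readable and a machine-parsable version) to uniquely
-- identify a Google Compute Engine instance.
-- The structure is as follows:
-- SEQUENCE {
--   zone          UTF8String,
--   project_num   INTEGER,
--   project_name  UTF8String,
--   instance_num  INTEGER,
--   instance_name UTF8String
-- }
cloudComputeInstanceIdentifier OBJECT IDENTIFIER ::= { certificateExtensions 21 }

-- canSignHttpExchanges is a certificate extension used by drafts of the
-- Signed HTTP Exchanges specification to indicate that a given certificate
-- can be safely used with Signed HTTP exchanges.
-- It contains an ASN.1 NULL (0x05 0x00) within the extension OCTET STRING.
-- (See https://wicg.github.io/webpackage/draft-yasskin-http-origin-signed-responses.html )
canSignHttpExchanges OBJECT IDENTIFIER ::= { certificateExtensions 22 }

-- chromeEnrollmentData is a certificate extension used in Chrome Attestation
-- and Chrome OS Zero-Touch, containing a proto message holding attested
-- enrollment data wrapped in a single OCTET STRING.
chromeEnrollmentData OBJECT IDENTIFIER ::= { certificateExtensions 23 }

-- diceAttestationData is a certificate extension used in the Google DICE
-- Profile. DICE refers to the TCG Device Identifier Composition Engine. The
-- certificates are generated on-the-fly by a device and this extension
-- includes information about the device and the program on the device which
-- generated the certificate.
diceAttestationData OBJECT IDENTIFIER ::= { certificateExtensions 24 }

-- androidEntityAttestationToken is an extension used in Android Keystore
-- Attestation. See go/keymint-eat for the content.
androidEntityAttestationToken OBJECT IDENTIFIER ::= { certificateExtensions 25 }

-- androidIdentityCredentialAuthenticationKey is an extension used in Android
-- Identity Credential for Authentication Keys. See go/identity-credential
-- for more information.
androidIdentityCredentialAuthenticationKey OBJECT IDENTIFIER ::= { certificateExtensions 26 }

-- chromeOsDeviceSetupData is an extension used by ChromeOS for automated
-- device setup.
chromeOsDeviceSetupData OBJECT IDENTIFIER ::= { certificateExtensions 27 }

-- chromeOsVtpmEkAttestedDeviceId is an extension used by ChromeOS for host
-- device ID in VTPM EK certificate.
chromeOsVtpmEkAttestedDeviceId OBJECT IDENTIFIER ::= { certificateExtensions 28 }

-- androidVirtualizationFrameworkAttestationValue is an extension used by the
-- Android Virtualization Framework to describe the root of trust and payload
-- of a virtual machine.
androidVirtualizationFrameworkAttestationValue OBJECT IDENTIFIER ::= { certificateExtensions 29 }

-- androidRemoteKeyProvisioningInfo is an extension used by the remote key
-- provisioning service in Android so that the server providing provisioning
-- may describe additional security details relevant to the device in
-- question.
androidRemoteKeyProvisioningInfo OBJECT IDENTIFIER ::= { certificateExtensions 30 }

-- instanceInfo is an extension used to encode a GCE VM's instance info proto.
-- It will be included in LOAS3 certificates for GCE VMs
-- (see go/zatar-prod-certificates and go/cloud-task-cert-profile) for more
-- information.
instanceInfo OBJECT IDENTIFIER ::= { certificateExtensions 31 }

-- scribeProvisioningInfo is an extension used to encode provisioning details
-- in the certificate used by the scribe.
scribeProvisioningInfo OBJECT IDENTIFIER ::= { certificateExtensions 32 }

-- chromeOsDeviceType is an extension used by ChromeOS to encode Board ID Type
-- and Flags.
chromeOsDeviceType OBJECT IDENTIFIER ::= { certificateExtensions 33 }

-- chromeOsApRoVerificationStatus is an extension used by ChromeOS to encode
-- the AP RO verification status.
chromeOsApRoVerificationStatus OBJECT IDENTIFIER ::= { certificateExtensions 34 }

-- chromeOsBootMode is an extension used by ChromeOS to encode the current
-- boot mode.
chromeOsBootMode OBJECT IDENTIFIER ::= { certificateExtensions 35 }

-- chromeOsFirmwareVersion is an extension used by ChromeOS to encode the
-- current firmware version.
chromeOsFirmwareVersion OBJECT IDENTIFIER ::= { certificateExtensions 36 }

-- chromeOsKernelVersion is an extension used by ChromeOS to encode the
-- current kernel version.
chromeOsKernelVersion OBJECT IDENTIFIER ::= { certificateExtensions 37 }

-- chromeOsGscvdVersion is an extension used by ChromeOS to encode the current
-- GSCVD version.
chromeOsGscvdVersion OBJECT IDENTIFIER ::= { certificateExtensions 38 }

-- androidIdentityCredentialCloudSecureAreaAttestationValue is an extension
-- used to convey attestation information. The format of the data in this
-- extension is described at https://github.com/google/identity-credential
androidIdentityCredentialCloudSecureAreaAttestationValue OBJECT IDENTIFIER ::= { certificateExtensions 39 }

-- CRL Extensions
crlExtensions OBJECT IDENTIFIER ::= { googleSecurity 2 }

crlRevocationRange OBJECT IDENTIFIER ::= { crlExtensions 1 }

-- Hash targets
--
-- Hash targets are simply things that can be hashed. In order to avoid
-- attacks where a hash over type X can be substituted into a situation where
-- a verifier expects a hash of Y, but X can be made to look like a Y, it's
-- good practice to be explicit about the type of object that is getting
-- hashed.
hashTargets OBJECT IDENTIFIER ::= { googleSecurity 3 }

-- subjectPublicKeyInfo identifies a SubjectPublicKeyInfo from RFC 5280,
-- section 4.1.
subjectPublicKeyInfo OBJECT IDENTIFIER ::= { hashTargets 1 }

-- Certificate Transparency (see RFC 6962-bis) (1.3.6.1.4.1.11129.2.4)
certificateTransparency OBJECT IDENTIFIER ::= { googleSecurity 4 }

-- X.509v3 extension for an SCT in a superfluous certificate
superfluousCertificateExtension OBJECT IDENTIFIER ::= { certificateTransparency 1 }

-- X.509v3 extension for an SCT included in the certificate it applies to
sctExtension OBJECT IDENTIFIER ::= { certificateTransparency 2 }

-- X.509v3 extension to poison a pre-certificate
poisonExtension OBJECT IDENTIFIER ::= { certificateTransparency 3 }

-- X.509v3 EKU OID for pre-certificate signing
precertificateSigning OBJECT IDENTIFIER ::= { certificateTransparency 4 }

-- X.509v3 extension OID for OCSP
ocspExtension OBJECT IDENTIFIER ::= { certificateTransparency 5 }

-- X.509v3 extension OID for redacted labels
redactedLabels OBJECT IDENTIFIER ::= { certificateTransparency 6 }

-- X.509v3 extension OID for "OK to not log certs below this intermediate"
intermediateIsFinal OBJECT IDENTIFIER ::= { certificateTransparency 7 }

-- Policy Identifiers
certificatePolicies OBJECT IDENTIFIER ::= { googleSecurity 5 }

-- Google Internet Authority G2 certificatePolicy
googleInternetAuthority OBJECT IDENTIFIER ::= { certificatePolicies 1 }

-- Cast Audio certificate policy
googleCastAudio OBJECT IDENTIFIER ::= { certificatePolicies 2 }

-- Google Trust Services certificatePolicy
googleTrustServices OBJECT IDENTIFIER ::= { certificatePolicies 3 }

-- Google Trust Services certificatePolicy for signedHTTPExchanges
signedHTTPExchanges OBJECT IDENTIFIER ::= { googleTrustServices 1 }

-- Google Trust Services certificatePolicy for clientAuthentication
clientAuthentication OBJECT IDENTIFIER ::= { googleTrustServices 2 }

-- Google Trust Services certificatePolicy for documentSigning
documentSigning OBJECT IDENTIFIER ::= { googleTrustServices 3 }

-- Google Trust Services certificatePolicy for emailProtection
emailProtection OBJECT IDENTIFIER ::= { googleTrustServices 4 }

-- Google Production certificatePolicy
googleProductionPolicy OBJECT IDENTIFIER ::= { certificatePolicies 4 }

-- Google Network Switch AIK certificatePolicy
-- NOTE(review): the descriptor below repeats googleProductionPolicy, which is
-- already bound to { certificatePolicies 4 } above. One name cannot be
-- assigned twice in a module, and a tool that resolves policies by name would
-- map two different policy OIDs to the same label. This arc needs its own
-- descriptor; the intended name is not given here, so it is left unchanged.
googleProductionPolicy OBJECT IDENTIFIER ::= { certificatePolicies 5 }

-- Kubernetes Identifiers
kubernetes OBJECT IDENTIFIER ::= { googleSecurity 6 }

-- Kubernetes Certificate Extensions
kubernetesExtensions OBJECT IDENTIFIER ::= { kubernetes 1 }

-- Kubernetes service account UID (ASN1:UTF8String)
kubernetesExtensionServiceAccountUid OBJECT IDENTIFIER ::= { kubernetesExtensions 1 }

-- Kubernetes pod name (ASN1:UTF8String)
kubernetesExtensionPodName OBJECT IDENTIFIER ::= { kubernetesExtensions 2 }

-- Kubernetes pod UID (ASN1:UTF8String)
kubernetesExtensionPodUid OBJECT IDENTIFIER ::= { kubernetesExtensions 3 }

-- Key Purpose Identifiers
keyPurposeId OBJECT IDENTIFIER ::= { googleSecurity 7 }

-- Google Production keyPurposeId for authentication
googleProductionAuth OBJECT IDENTIFIER ::= { keyPurposeId 1 }

-- Google Production Identifiers
googleProduction OBJECT IDENTIFIER ::= { googleSecurity 8 }

-- Google Production AttributeType for epochs (ASN1:UTF8String)
googleProductionEpoch OBJECT IDENTIFIER ::= { googleProduction 1 }

-- Google LDAP Identifiers
googleLdap OBJECT IDENTIFIER ::= { google 3 }

-- Widevine DRM System
widevine OBJECT IDENTIFIER ::= { google 4 }

-- Widevine Certificate Extensions
wvCertificateExtensions OBJECT IDENTIFIER ::= { widevine 1 }

-- System ID (ASN1:INTEGER)
wvSystemId OBJECT IDENTIFIER ::= { wvCertificateExtensions 1 }

-- Development Certificate Flag (ASN1:BOOLEAN)
wvDevelopmentCertFlag OBJECT IDENTIFIER ::= { wvCertificateExtensions 2 }

-- Secure Storage Verified Flag (ASN1:BOOLEAN)
wvSecureStorageVerifiedFlag OBJECT IDENTIFIER ::= { wvCertificateExtensions 3 }

-- Widevine Root Of Trust ID (ASN1:UTF8String)
-- NOTE(review): the descriptor reads "RootOd" while the comment says
-- "Root Of Trust". It looks like a typo, but importers may already depend on
-- this spelling, so it is left as published. Confirm before renaming.
wvRootOdTrustId OBJECT IDENTIFIER ::= { wvCertificateExtensions 4 }

-- Google Cloud Healthcare Identifiers
googleCloudHealthcare OBJECT IDENTIFIER ::= { google 5 }

-- Google Communications eUICC Identifiers
googleCommunicationsEuicc OBJECT IDENTIFIER ::= { google 6 }

-- Verily Life Science Identifiers
verily OBJECT IDENTIFIER ::= { google 7 }

-- Verily Automated Retinal Diagnosis System (ARDA) Identifiers
verilyArda OBJECT IDENTIFIER ::= { verily 1 }

-- Verily Retinal Camera Identifiers
verilyRetinalCamera OBJECT IDENTIFIER ::= { verily 2 }

-- Google Distributed Cloud Hosted (GDCH) Identifiers
gdch OBJECT IDENTIFIER ::= { google 8 }

-- GDCH Policy Identifiers
gdchPolicies OBJECT IDENTIFIER ::= { gdch 1 }

-- USG1 Certificate Policy
gdchCertificatePolicyUSG1 OBJECT IDENTIFIER ::= { gdchPolicies 1 }

-- USG2 Certificate Policy
gdchCertificatePolicyUSG2 OBJECT IDENTIFIER ::= { gdchPolicies 2 }

-- Google AlloyDB Database Identifiers
alloydb OBJECT IDENTIFIER ::= { googleSecurity 9 }

-- AlloyDB certificate extensions
alloydbExtensions OBJECT IDENTIFIER ::= { alloydb 1 }

-- Metadata exchange (ASN1:BOOLEAN)
-- Metadata exchange certificate extension is a non-critical extension to
-- identify clients that can exchange metadata with the server after a TLS
-- handshake. This metadata includes an IAM token, which is used to
-- authenticate users based on their IAM identity. The proxy server uses
-- this extension to distinguish between clients that support IAM
-- authentication and legacy clients that do not.
alloydbMetadataExchangeFlag OBJECT IDENTIFIER ::= { alloydbExtensions 1 }

END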