ANSI INCITS ISO IEC 15945-2002 Information technology Security techniques Specification of TTP services to support the application of digital signatures (Adopted by INCITS).pdf

1、 Reference numberISO/IEC 15945:2002(E)ISO/IEC 2002INTERNATIONAL STANDARD ISO/IEC15945First edition2002-02-01Information technology Security techniques Specification of TTP services to support the application of digital signatures Technologies de linformation Techniques de scurit Spcifications des se

2、rvices TTP pour supporter lapplication des signatures numriques Adopted by INCITS (InterNational Committee for Information Technology Standards) as an American National Standard.Date of ANSI Approval: 8/28/02Published by American National Standards Institute,25 West 43rd Street, New York, New York 1

3、0036Copyright 2002 by Information Technology Industry Council (ITI).All rights reserved.These materials are subject to copyright claims of International Standardization Organization (ISO), InternationalElectrotechnical Commission (IEC), American National Standards Institute (ANSI), and Information T

4、echnology Industry Council(ITI). Not for resale. No part of this publication may be reproduced in any form, including an electronic retrieval system, withoutthe prior written permission of ITI. All requests pertaining to this standard should be submitted to ITI, 1250 Eye Street NW,Washington, DC 200

5、05.Printed in the United States of AmericaISO/IEC 15945:2002(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on

6、 the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products use

7、d to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please i

8、nform the Central Secretariat at the address given below. ISO/IEC 2002 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing

9、 from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.ch Web www.iso.ch Printed in Switzerland ii ISO/IEC 2002 All rights reservedISO/IEC 15945

10、:2002(E) ISO/IEC 2002 All rights reserved iiiCONTENTS Page 1 Scope 1 2 Normative references 1 2.1 Identical Recommendations | International Standards. 2 2.2 Additional references. 2 3 Definitions 3 4 Abbreviations 4 5 Descriptive classification of services 5 5.1 Certificate management services . 5 5

11、.2 Key management services . 8 5.3 Other services 9 6 Minimal certificate and CRL profile. 10 6.1 Minimal certificate profile. 10 6.2 Minimal CRL profile. 11 7 Certificate management messages 11 7.1 Overview of certificate management services and messages 12 7.2 Assumptions and restrictions for some

12、 of the services 15 8 Data structures for certificate management messages 19 8.1 Overall message 19 8.2 Common Data Structures 22 8.3 Data structures specific for Certificate Request Messages of type CertReq 24 8.4 Data structures specific for other messages. 29 8.5 Transport protocols 32 8.6 Comple

13、te ASN.1 Module 32 9 Online Certificate Status Protocol 40 9.1 Protocol Overview. 40 9.2 Functional Requirements. 42 9.3 Detailed Protocol. 43 9.4 ASN.1 Module for OCSP 47 Annex A Interworking 50 Annex B Algorithms . 51 B.1 Hash Algorithms 51 B.2 Digital Signature Algorithms. 51 Annex C Bibliography

14、 52 ISO/IEC 15945:2002(E) iv ISO/IEC 2002 All rights reservedForeword ISO (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate

15、 in the development of International Standards through technical committees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and

16、non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3. The ma

17、in task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies cast

18、ing a vote. Attention is drawn to the possibility that some of the elements of this International Standard may be the subject of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 15945 was prepared by Joint Technical Committee ISO/IEC JTC

19、 1, Information technology, Subcommittee SC 27, IT Security techniques, in collaboration with ITU-T. The identical text is published as ITU-T Rec. X.843. Annexes A to C of this International Standard are for information only. ISO/IEC 15945:2002(E) ISO/IEC 2002 All rights reserved vIntroduction Today

20、 the development of information technology, as well as that of the worldwide communication infrastructure, opens the possibility to implement electronic commerce in economically relevant dimensions. Digital signatures are an important technique to add security to these commercial applications and to

21、 other application fields with a need for legally effective electronic transactions. Digital signatures are suitable to assure the integrity of data and the authentication of participants in transactions. They can supply an analogue of the handwritten signature for digital orders, offers and contrac

22、ts. The most important property of digital signatures in this context is that a person who signed a document cannot successfully deny this fact. This property is called “non-repudiation of creation“ of a document. In several countries and in international contexts, legislation concerning digital sig

23、natures is being pushed forward with the aim to support the development of electronic commerce and other application fields with a need for legally effective electronic transactions. A number of standards exist that specify digital signatures, as well as their use for different purposes, like non-re

24、pudiation or authentication. A number of commercial applications, as well as TTPs offering services in connection with digital signatures, are implemented or planned. Interoperability of these TTPs, among each other and with the commercial applications, is needed for an economically and legally effe

25、ctive worldwide use of digital signatures. The goal of this Recommendation | International Standard is to define the services required to support the application of digital signatures for non-repudiation of creation. Since the use of digital signature mechanisms for non-repudiation of creation of a

26、document implies integrity of the document and authenticity of the creator, the services described in this Recommendation | International Standard can also be combined to implement integrity and authenticity services. This is done in a way to promote interoperability among TTPs as well as between TT

27、Ps and commercial applications. NOTE There is no inherent reason why every TTP planning to support the application of digital signatures should be required to offer all of these services. It is possible that a number of TTPs offering different services cooperate in supporting the use of digital sign

28、atures. But, from the view of the potential commercial applications, the whole range of the services may be required and interoperability becomes even more important in this scenario. This is an additional justification to collect all these services together in one document. ISO/IEC 15945:2002 (E) I

29、TU-T X.843 (10/2000 E) 1 INTERNATIONAL STANDARD ISO/IEC 15945:2001 (E) ITU-T RECOMMENDATION INFORMATION TECHNOLOGY SECURITY TECHNIQUES SPECIFICATION OF TTP SERVICES TO SUPPORT THE APPLICATION OF DIGITAL SIGNATURES 1 Scope This Recommendation | International Standard will define those TTP services ne

30、eded to support the application of digital signatures for the purpose of non-repudiation of creation of documents. This Recommendation | International Standard will also define interfaces and protocols to enable interoperability between entities associated with these TTP services. Definitions of tec

31、hnical services and protocols are required to allow for the implementation of TTP services and related commercial applications. This Recommendation | International Standard focuses on: implementation and interoperability; service specifications; and technical requirements. This Recommendation | Inte

32、rnational Standard does not describe the management of TTPs or other organizational, operational or personal issues. Those topics are mainly covered in ITU-T Rec. X.842 | ISO/IEC TR 14516, Information technology Security techniques Guidelines on the use and management of Trusted Third Party services

33、. NOTE 1 Because interoperability is the main issue of this Recommendation | International Standard, the following restrictions hold: i) Only those services which may be offered by a TTP, either to end entities or to another TTP, are covered in this Recommendation | International Standard. ii) Only

34、those services which may be requested and/or delivered by means of standardizable digital messages are covered. iii) Only those services for which widely acceptable standardized messages can be agreed upon at the time this Recommendation | International Standard is published are specified in detail.

35、 Further services will be specified in separate documents when widely acceptable standardized messages are available for them. In particular, time stamping services will be defined in a separate document. NOTE 2 The data structures and messages in this Recommendation | International Standard will be

36、 specified in accordance to RFC documents, RFC 2510 and RFC 2511 (for certificate management services) and to RFC 2560 (for OCSP services). The certificate request format also allows interoperability with PKCS#10. See Annex C for references to the documents mentioned in this Note. NOTE 3 Other stand

37、ardization efforts for TTP services in specific environments and applications, like SET or EDIFACT, exist. These are outside of the scope of this Recommendation | International Standard. NOTE 4 This Recommendation | International Standard defines technical specifications for services. These specific

38、ations are independent of policies, specific legal regulations, and organizational models (which, for example, might define how duties and responsibilities are shared between Certification Authorities and Registration Authorities). Of course, the policy of TTPs offering the services described in thi

39、s Recommendation | International Standard will need to specify how legal regulations and the other aspects mentioned before will be fulfilled by the TTP. In particular, the policy has to specify how the validity of digital signatures and certificates is determined. 2 Normative references The followi

40、ng normative documents contain provisions which, through reference in this text, constitute provisions of this Recommendation | International Standard. For dated references, subsequent amendments to, or revisions of, any of these publications do not apply. However, parties to agreements based on thi

41、s Recommendation | International Standard are encouraged to investigate the possibility of applying the most recent editions of the normative documents indicated below. For undated references, the latest edition of the normative document referred to applies. Members of ISO and IEC maintain registers

42、 of currently valid International Standards. The Telecommunication Standardization Bureau of ITU maintains a list of currently valid ITU-T Recommendations. ISO/IEC 15945:2002 (E) 2 ITU-T X.843 (10/2000 E) 2.1 Identical Recommendations | International Standards ITU-T Recommendation X.501 (1997) | ISO

43、/IEC 9594-2:1998, Information technology Open Systems Interconnection The Directory: Models. ITU-T Recommendation X.509 (2000) | ISO/IEC 9594-8:2001, Information technology Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks. ITU-T Recommendation X.520 (1997)

44、| ISO/IEC 9594-6:1998, Information technology Open Systems Interconnection The Directory: Selected attribute types. ITU-T Recommendation X.680 (1997) | ISO/IEC 8824-1:1998, Information technology Abstract Syntax Notation One (ASN.1): Specification of basic notation. ITU-T Recommendation X.681 (1997)

45、 | ISO/IEC 8824-2:1998, Information technology Abstract Syntax Notation One (ASN.1): Information object specification. ITU-T Recommendation X.682 (1997) | ISO/IEC 8824-3:1998, Information technology Abstract Syntax Notation One (ASN.1): Constraint specification. ITU-T Recommendation X.683 (1997) | I

46、SO/IEC 8824-4:1998, Information technology Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 specifications. ITU-T Recommendation X.690 (1997) | ISO/IEC 8825-1:1998, Information technology ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER)

47、 and Distinguished Encoding Rules (DER). ITU-T Recommendation X.810 (1995) | ISO/IEC 10181-1:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Overview. ITU-T Recommendation X.813 (1996) | ISO/IEC 10181-4:1997, Information technology Open Systems Interco

48、nnection Security frameworks for open systems: Non-repudiation framework. 2.2 Additional references ISO/IEC 9796-2:1997, Information technology Security techniques Digital signature schemes giving message recovery Part 2: Mechanisms using a hash-function. ISO/IEC 9796-3:2000, Information technology

49、Security techniques Digital signature schemes giving message recovery Part 3: Discrete logarithm based mechanisms. ISO/IEC 10118-1:1994, Information technology Security techniques Hash-functions Part 1: General. ISO/IEC 10118-2:1994, Information technology Security techniques Hash-functions Part 2: Hash-functions using an n-bit block cipher algorithm. ISO/IEC 10118-3:1998, Information technology Security techniques Hash-functions Part 3