ATIS 0800016-2011 Standard PKI Certificate Format Interoperability Specification (Version 2 0).pdf

1、 ATIS-0800016.v002 STANDARD PKI CERTIFICATE FORMAT INTEROPERABILITY SPECIFICATION ATIS is the leading technical planning and standards development organization committed to the rapid development of ATIS is the leading technical planning and standards development organization committed to the rapid d

2、evelopment of global, market-driven standards for the information, entertainment and communications industry. More than 200 companies actively formulate standards in ATIS Committees, covering issues including: IPTV, Cloud Services, Energy Efficiency, IP-Based and Wireless Technologies, Quality of Se

3、rvice, Billing and Operational Support, Emergency Services, Architectural Platforms and Emerging Networks. In addition, numerous Incubators, Focus and Exploratory Groups address evolving industry priorities including Smart Grid, Machine-to-Machine, Networked Car, IP Downloadable Security, Policy Man

4、agement and Network Optimization. ATIS is the North American Organizational Partner for the 3rd Generation Partnership Project (3GPP), a member and major U.S. contributor to the International Telecommunication Union (ITU) Radio and Telecommunications Sectors, and a member of the Inter-American Telec

5、ommunication Commission (CITEL). ATIS is accredited by the American National Standards Institute (ANSI). For more information, please visit . Notice of Disclaimer & Limitation of Liability The information provided in this document is directed solely to professionals who have the appropriate degree o

6、f experience to understand and interpret its contents in accordance with generally accepted engineering or other professional standards and applicable regulations. No recommendation as to products or vendors is made or should be implied. NO REPRESENTATION OR WARRANTY IS MADE THAT THE INFORMATION IS

7、TECHNICALLY ACCURATE OR SUFFICIENT OR CONFORMS TO ANY STATUTE, GOVERNMENTAL RULE OR REGULATION, AND FURTHER, NO REPRESENTATION OR WARRANTY IS MADE OF MERCHANTABILITY OR FITNESS FOR ANY PARTICULAR PURPOSE OR AGAINST INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS. ATIS SHALL NOT BE LIABLE, BEYOND THE AM

8、OUNT OF ANY SUM RECEIVED IN PAYMENT BY ATIS FOR THIS DOCUMENT, WITH RESPECT TO ANY CLAIM, AND IN NO EVENT SHALL ATIS BE LIABLE FOR LOST PROFITS OR OTHER INCIDENTAL OR CONSEQUENTIAL DAMAGES. ATIS EXPRESSLY ADVISES ANY AND ALL USE OF OR RELIANCE UPON THIS INFORMATION PROVIDED IN THIS DOCUMENT IS AT TH

9、E RISK OF THE USER. NOTE - The users attention is called to the possibility that compliance with this standard may require use of an invention covered by patent rights. By publication of this standard, no position is taken with respect to whether use of an invention covered by patent rights will be

10、required, and if any such use is required no position is taken regarding the validity of this claim or any patent rights in connection therewith. ATIS-0800016.v002, Standard PKI Certificate Format Interoperability Specification Is an ATIS Standard developed by the IPTV Security Solutions (ISS) Commi

11、ttee under the ATIS IPTV Interoperability Forum (IIF). Published by Alliance for Telecommunications Industry Solutions 1200 G Street, NW, Suite 500 Washington, DC 20005 Copyright 2011 by Alliance for Telecommunications Industry Solutions All rights reserved. No part of this publication may be reprod

12、uced in any form, in an electronic retrieval system or otherwise, without the prior written permission of the publisher. For information contact ATIS at 202.628.6380. ATIS is online at . Printed in the United States of America. ATIS Standard on STANDARD PKI CERTIFICATE FORMAT INTEROPERABILITY SPECIF

13、ICATION Alliance for Telecommunications Industry Solutions Approved June 1, 2011 Abstract This document specifies the default ATIS IIF certificate format, the IPTV Security Solution/Certificate (ISS/C), that can be used as part of the IPTV Security Solution (ISS). ATIS-0800016.v002 ii FOREWORD The A

14、lliance for Telecommunication Industry Solutions (ATIS) serves the public through improved understanding between carriers, customers, and manufacturers. The IPTV Interoperability Forum (IIF) develops requirements, standards, and specifications that will determine the industrys end-to-end solution fo

15、r Internet Protocol Television (IPTV). The mandatory requirements are designated by the word shall and recommendations by the word should. Where both a mandatory requirement and a recommendation are specified for the same criterion, the recommendation represents a goal currently identifiable as havi

16、ng distinct compatibility or performance advantages. Suggestions for improvement of this document are welcome. They should be sent to the Alliance for Telecommunications Industry Solutions, IIF Secretariat, 1200 G Street NW, Suite 500, Washington, DC 20005. Alcatel-Lucent ARRIS Group AT&T BNI Video

17、British Telecom Brocade Communications CableLabs CenturyLink Cisco Systems DTS Ericsson Electronics and Telecommunications Research Institute (ETRI) Huawei Technologies IneoQuest Technologies Intel Corporation JDSU Juniper Networks LG Electronics Microsoft Motorola Nagravision NEC Corporation of Ame

18、rica Nielsen Company Nokia Siemens Networks RGB Networks Rogers Wireless SeaChange International Telephone and Data Systems (TDS) Telchemy Telcordia Technologies TELUS Time Warner Cable Verivue, Inc. Verizon ZTE IncorporatedThe IPTV Security Solutions (ISS) Committee was responsible for the developm

19、ent of this document, with the leadership of the following people: S. Wright, IIF Chair D. OCallaghan, IIF Vice Chair M. Nakhjiri, ISS Committee Co-Chair and Version 2 Technical Editor T. Wasilewski, ISS Committee Co-Chair H. Hayes, Version 1 Technical Editor C.A. Underkoffler, ATIS Chief Editor A.

20、Blasgen, IIF Committee Administrator ATIS-0800016.v002 iii TABLE OF CONTENTS 1 INTRODUCTION . 1 1.1 ABBREVIATIONS AND DEFINITIONS 1 1.1.1 Abbreviations . 1 1.1.2 Definitions 1 1.2 OBJECTIVE . 2 1.3 OVERVIEW . 2 2 ANALYSIS FOR INTEROPERABILITY . 3 2.1 ATIS IIF DEFAULT CERTIFICATE FORMAT . 3 2.2 USE C

21、ASES . 3 3 DESIGN FOR INTEROPERABILITY 3 3.1 COMMON CERTIFICATE FIELD SEMANTICS 4 3.1.1 version 4 3.1.2 serial Number . 4 3.1.3 signature 4 3.1.4 issuer 5 3.1.5 validity 5 3.1.6 subject 5 3.1.7 subjectPublicKeyInfo . 6 3.1.8 issuerUniqueID . 6 3.1.9 subjectUniqueId 6 3.1.10 extensions . 6 3.1.11 sig

22、natureAlgorithm 7 3.1.12 signatureValue . 7 3.2 ISS/C CERTIFICATE FORMAT . 7 3.2.1 ISS/C Certificate Extensions 8 3.3 ISS/CA CERTIFICATE FORMAT . 9 3.3.1 ISS/CA Certificate Extensions 10 3.4 ISS/R CERTIFICATE FORMAT . 11 3.4.1 ISS/R Certificate Extensions 12 4 REQUIREMENTS TO SPECIFICATION MAPPING .

23、 13 5 REFERENCES . 14 6 OID DEFINITIONS . 14 TABLE OF TABLES TABLE 1: ISS/C CERTIFICATE FORMAT 8 TABLE 2: ISS/CA CERTIFICATE FORMAT 10 TABLE 3: ISS/R CERTIFICATE FORMAT 12 ATIS STANDARD ATIS-0800016.v002 ATIS Standard on Standard PKI Certificate Format Interoperability Specification 1 1 INTRODUCTION

24、 1.1 Abbreviations and Definitions 1.1.1 Abbreviations ATIS Alliance for Telecommunications Industry Solutions CA Certificate Authority CAS Conditional Access System CEK Content Encryption Key CRL Certificate Revocation List CVC Code Verification Certificate DRM Digital Rights Management IPTV Intern

25、et Protocol Television IIF IPTV Interoperability Forum IP Internet Protocol ISS IPTV Security Solution ISS/C IPTV Security Solution/Certificate ISS/CA IPTV Security Solution/Certificate Authority ISS/E IPTV Security Solution/Encryption ISS/R IPTV Security Solution/Root Certificate MVC Message Verifi

26、cation Certificate OAM Operations, Administration, And Maintenance PKI Public Key Infrastructure SEE Secure Execution Environment SSE Separable Security Element URL Uniform Resource Locator 1.1.2 Definitions Term Definition Authentication A mechanism that allows verifying an entitys identity in orde

27、r to ensure that they are who they claim to be. Certificate Authority An entity that issues and manages digital certificates. ATIS-0800016.v002 2 Term Definition Code Verification Certificate A CVC is issued to a software code signer or to each code signing server of a software code signer. The CVC

28、is issued by a CVC Certificate Authority (CA) that it is trusted by a CVC root. Device A Device is the entity (hardware, software, or some combination thereof) within a Users equipment that implements a Digital Rights Management (DRM) Client. The Device is also conformant to the specifications of th

29、e DRM it supports. DRM A collection of technologies that technically enable the definition of and the enforcement of secure content transportation as well as secure content licensing, including: Protection and control of the viewing of content that is delivered over IP transport. Rights Management f

30、or the delivered content. Integrity The property that data (Contents, Rights, etc.) has not been altered or destroyed in an unauthorized manner. IPTV Device A device implementing IPTV functions. It can be part of infrastructure, and in that case can be referred to as a server-side IPTV device. It ca

31、n also be an IPTV Receiving Device. Message Verification Certificate A MVC is issued to a message signer or to each message signing server of the network operators. The MVC is issued by a MVC CA. 1.2 Objective The ATIS IIF has identified security solutions that utilize Public Key Infrastructure (PKI

32、) operations and related certificates. The basis of trust for PKI operations is established by ATIS-0800015, Certificate Trust Hierarchy Interoperability Specification 2. To provide interoperability, it is desirable to have a consistent set of profiles based on a standard certificate format. This do

33、cument specifies the default ATIS IIF certificate profiles and formats that can be used as part of the solution, which meets the following objectives: 1. To focus on interoperability solutions only. 2. To produce a common standard to be used by all elements of the ATIS IIF IPTV solutions that requir

34、e PKI certificates. 3. To ensure that there are standard certificate formats that can serve for all elements in the ATIS IIF architecture requiring the use of PKI operations and certificates. 4. To ensure that certificate profiles are well defined. 5. To identify existing industry specifications tha

35、t could be referenced and used by this standard. 1.3 Overview The ATIS IIF has specified the use of public key cryptography for the purpose of authentication. Public key cryptography can be used to produce digital signatures that validate the source and ATIS-0800016.v002 3 integrity of data. To be s

36、ecure, public keys must be bound in a trusted manner with the entities that own/use those keys. An industry standard mechanism for this type of trusted binding is the public key certificate. This document defines the specifications for the interoperability of systems and components for the ATIS IIF

37、IPTV solutions and specifically for the IPTV Security Solution (ISS) with respect to profiles of a standard PKI certificate format. 2 ANALYSIS FOR INTEROPERABILITY 2.1 ATIS IIF Default Certificate Format Public key certificates are the generally accepted method of binding trusted keys with the disti

38、nguished name of an organization or other entity by endorsement of an issuing authority using a digital signature. An advantage of using a standard certificate format is that there are readily available software utilities for the generation, distribution, and validation of such certificates. Commerc

39、ial Certificate Authorities have widely adopted a limited number of certificate formats, of which the X.509 format is the most pervasive. Public key certificates are one element used in establishing a trust hierarchy. Note that the detailed specification for the ATIS IIF Certificate Trust Hierarchy

40、is addressed in ATIS-0800015 2. 2.2 Use Cases Some of the ATIS IIF functions or elements that require security solutions that influence the selection and specification of the certificate formats and profiles in this document are: Device Identity. Message Signing and Authentication. Secure Session. C

41、ode Image Signing and Authentication for Applications. Management Information Signing. Operations, Administration, and Maintenance (OAM) Functions Including Device Management. Code Image Signing for CAS/DRM components. Separable Security Element (SSE). Downloadable Security Element. Further elaborat

42、ion of use cases relevant to these ATIS IIF functions or elements may be found in ATIS-0800015 2. 3 DESIGN FOR INTEROPERABILITY This section describes the system interoperability specification for the IPTV Security Solution certificate format for the three ISS-defined certificate types: ATIS-0800016

43、.v002 4 1. ISS/R: IPTV Security Solution/Root. 2. ISS/CA: IPTV Security Solution/Certificate Authority. 3. ISS/C: IPTV Security Solution/Certificate. ITU-T Recommendation X.509, as profiled in RFC 5280 1, is specified as the basis of the ATIS IIF certificate format because of its widespread use and

44、implementation. The first subsection below restates the RFC 5280 1 certificate fields common to each ISS certificate type and profiles their usage. Three additional subsections specify the format of each ISS certificate type and profile the usage of certificate extensions in these formats. 3.1 Commo

45、n Certificate Field Semantics This section profiles the RFC 5280 1 fields that are common to all ISS certificate formats. 3.1.1 version The version field for all ISS certificate types shall be the value 2 to indicate a v3 X.509 certificate format. 3.1.2 serial Number The serialNumber field for all I

46、SS certificate types shall be handled per section 4.1.2.2 of RFC 5280 1 and its value set by the issuing CA. The serialNumber shall be generated such that it is unique for each certificate issued by that issuing CA. 3.1.3 signature The signature field for all ISS certificate types shall be handled p

47、er section 4.1.2.3 of RFC 5280 1. This is an object identifier for the algorithm used by the issuing CA. In the context of the robustness rules defined in ATIS-0800024 ref, the use of an approved algorithm as is required to qualify the Secure Execution Environment (SEE) “approved algorithm” element

48、in an IPTV Device as “high-robustness.” The use of other digest algorithms in issuing ISS certificates is permitted but results in a “low-robustness” level for the SEE “approved algorithm” element. Also, such use of non-approved algorithms shall be signaled through an OID in the signature field. The

49、 approved algorithm for signing ISS certificates is: SHA256WithRSAEncryption (no expiration date is specified currently). Each Certificate Authority shall employ an RSA key as defined in RFC 3447 3 with length of public modulus of 2048 bits and value of public exponent of decimal 65537, hexadecimal 0x010001 (the fourth Fermat number). ATIS-0800016.v002 5 3.1.4 issuer The issuer field for all ISS/C certificate types shall be handled per section 4.1.2.4 of RFC 5280 1 and its value set by