BS ISO 15782-1-2009 Certificate management for financial services - Public key certificates《金融业务的证书管理 公共密钥证书》.pdf

1、BS ISO 15782-1:2009ICS 03.060; 35.240.40NO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAWBRITISH STANDARDCertificate management for financial servicesPart 1: Public key certificatesThis British Standardwas published under theauthority of the StandardsPolicy and StrategyCommittee

2、 on 31 December2009 BSI 2009ISBN 978 0 580 59821 0Amendments/corrigenda issued since publicationDate CommentsBS ISO 15782-1:2009National forewordThis British Standard is the UK implementation of ISO 15782-1:2009.The UK participation in its preparation was entrusted to TechnicalCommittee IST/12, Fina

3、ncial services.A list of organizations represented on this committee can be obtained onrequest to its secretary.This publication does not purport to include all the necessary provisionsof a contract. Users are responsible for its correct application.Compliance with a British Standard cannot confer i

4、mmunityfrom legal obligations.BS ISO 15782-1:2009Reference numberISO 15782-1:2009(E)ISO 2009INTERNATIONAL STANDARD ISO15782-1Second edition2009-10-15Certificate management for financial services Part 1: Public key certificates Gestion de certificats pour les services financiers Partie 1: Certificats

5、 de cl publique BS ISO 15782-1:2009ISO 15782-1:2009(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the comp

6、uter performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to crea

7、te this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the

8、 Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO 2009 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permi

9、ssion in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in Switzerland ii ISO 2009 All rights reser

10、vedBS ISO 15782-1:2009ISO 15782-1:2009(E) ISO 2009 All rights reserved iiiContents Page Foreword iv Introduction.v 1 Scope1 2 Normative references2 3 Terms and definitions .2 4 Symbols and abbreviations8 5 Public key infrastructure 8 5.1 Overview.8 5.2 Public key management infrastructure process fl

11、ow9 5.3 Certification Authority (CA)9 5.4 Registration Authority (RA)10 5.5 End entities 10 6 Certification Authority systems .10 6.1 General .10 6.2 Responsibilities in CA systems .12 6.3 Certificate life cycle requirements.15 6.4 Security quality assurance and audit requirements29 6.5 Business con

12、tinuity planning 30 7 Data elements and relationships .30 8 Public key certificate and Certificate Revocation List extensions.30 Annex A (normative) Certification Authority audit journal contents and use 31 Annex B (informative) Alternative trust models.34 Annex C (informative) Suggested requirement

13、s for the acceptance of certificate request data .40 Annex D (informative) Multiple algorithm certificate validation example .42 Annex E (informative) Certification Authority techniques for disaster recovery.44 Annex F (informative) Distribution of certificates and Certificate Revocation Lists .47 B

14、ibliography48 BS ISO 15782-1:2009ISO 15782-1:2009(E) iv ISO 2009 All rights reservedForeword ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out thro

15、ugh ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collabor

16、ates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of technical committees is to prepare International Standa

17、rds. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote. Attention is drawn to the possibility that some of the elements of t

18、his document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights. ISO 15782-1 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2, Security management and general banking operations. This second edition

19、 cancels and replaces the first edition (ISO 15782-1:2003), which has been technically revised. ISO 15782 consists of the following parts, under the general title Certificate management for financial services: Part 1: Public key certificates Part 2: Certificate extensions BS ISO 15782-1:2009ISO 1578

20、2-1:2009(E) ISO 2009 All rights reserved vIntroduction This part of ISO 15782 adopts ISO/IEC 9594-8 for the financial services industry and defines certificate management procedures and data elements. Detailed requirements for the financial industry for the individual extensions are given in ISO 157

21、82-2. While the techniques specified in this part of ISO 15782 are designed to maintain the integrity of financial messages and support the service of non-repudiation, this part of ISO 15782 does not guarantee that a particular implementation is secure. It is the responsibility of the financial inst

22、itution to put an overall process in place with the necessary controls to ensure that the process is securely implemented, with these controls including the application of appropriate audit tests in order to validate compliance. The binding association between the identity of the owner of a public k

23、ey and that key is documented in order to prove the ownership of the corresponding private key. This binding is called a public key certificate. Public key certificates are generated by a trusted entity known as a Certification Authority (CA). The proper implementation of this part of ISO 15782 is i

24、ntended to provide assurances of the binding of the identity of an entity to the key used by that entity to sign documents, including wire transfers and contracts. This part of ISO 15782 defines a certificate management framework for authentication, including the authentication of keys for encryptio

25、n. The techniques specified by this part of ISO 15782 can be used when initiating a business relationship between legal entities (entities). BS ISO 15782-1:2009BS ISO 15782-1:2009INTERNATIONAL STANDARD ISO 15782-1:2009(E) ISO 2009 All rights reserved 1Certificate management for financial services Pa

26、rt 1: Public key certificates 1 Scope This part of ISO 15782 defines a certificate management system for financial industry use for legal and natural persons that includes credentials and certificate contents, Certification Authority systems, including certificates for digital signatures and for enc

27、ryption key management, certificate generation, distribution, validation and renewal, authentication structure and certification paths, and revocation and recovery procedures. This part of ISO 15782 also recommends some useful operational procedures (e.g. distribution mechanisms, acceptance criteria

28、 for submitted credentials). Implementation of this part of ISO 15782 will also be based on business risks and legal requirements. This part of ISO 15782 does not include the protocol messages used between the participants in the certificate management process, requirements for notary and time stamp

29、ing, Certificate Policy and Certification Practices requirements, or Attribute Certificates. While this part of ISO 15782 provides for the generation of certificates that could include a public key used for encryption key management, it does not address the generation or transport of keys used for e

30、ncryption. Implementers wishing to comply with ISO/IEC 9594-8 can utilize the certificate structures defined by that International Standard. Those wishing to implement compatible certificate and certificate revocation structures but without the overhead associated with the X.500 series can utilize t

31、he ASN.1 structures defined in ISO 15782-2. ISO 15782-2 can also be referred to for a financial services profile of certificate and CRL extensions. ISO 21188 provides additional information for implementers on Certificate Policies, Certification Practice Statements, and PKI controls. ISO 21188 sets

32、out a framework of requirements to manage a PKI through Certificate Policies and Certification Practice Statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. NOTE The use of a bold

33、 sans serif font, such as CertReqData or CRLEntry, denotes the use of abstract syntax notation (ASN.1), as defined in ISO/IEC 8824-1 to ISO/IEC 8824-4 and ISO/IEC 8825-1 and ISO/IEC 8825-2. Where it makes sense to do so, the ASN.1 term is used in place of normal text. Refer to ISO 15782-2 for relate

34、d ASN.1 modules. BS ISO 15782-1:2009ISO 15782-1:2009(E) 2 ISO 2009 All rights reserved2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of

35、the referenced document (including any amendments) applies. ISO/IEC 8824-1, Information technology Abstract Syntax Notation One (ASN.1): Specification of basic notation Part 1 ISO/IEC 8824-2, Information technology Abstract Syntax Notation One (ASN.1): Information object specification Part 2 ISO/IEC

36、 8824-3, Information technology Abstract Syntax Notation One (ASN.1): Constraint specification Part 3 ISO/IEC 8824-4, Information technology Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 specifications Part 4 ISO/IEC 8825-1, Information technology ASN.1 encoding rules: Specificatio

37、n of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER) Part 1 ISO/IEC 8825-2, Information technology ASN.1 encoding rules: Specification of Packed Encoding Rules (PER) Part 2 ISO/IEC 9594-8, Information Technology Open Systems Interconnection The Direc

38、tory: Public-key and attribute certificate frameworks Part 8 ISO/IEC 15408 (all parts), Information technology Security techniques Evaluation criteria for IT security ISO 15782-2:2001, Banking Certificate Management Part 2: Certificate extensions ISO 16609, Banking Requirements for message authentic

39、ation using symmetric techniques ISO 21188:2006, Public key infrastructure for financial services Practices and policy framework 3 Terms and definitions For the purposes of this document, the following terms and definitions apply. 3.1 ASN.1 module identifiable collection of ASN.1 types and values 3.

40、2 attribute characteristic of an entity 3.3 audit journal chronological record of system activities which is sufficient to enable the reconstruction, review and examination of the sequence of environments and activities surrounding or leading to each event in the path of a transaction from its incep

41、tion to the output of the final results 3.4 authorization granting of rights 3.5 CA certificate certificate whose subject is a CA, and whose associated private key is used to sign certificates BS ISO 15782-1:2009ISO 15782-1:2009(E) ISO 2009 All rights reserved 33.6 certificate hold certificate suspe

42、nsion temporary interruption of the validity of a certificate by the CA 3.7 certificate information information in a certificate which is signed 3.8 certificate policy named set of rules that indicates the applicability of a certificate to a particular community and/or class of application with comm

43、on security requirements EXAMPLE A particular Certificate Policy might indicate the applicability of a type of certificate to the authentication of electronic data interchange transactions for the trading of goods within a given price range. NOTE 1 The Certificate Policy should be used by the user o

44、f the certificate to decide whether or not to accept the binding between the subject (of the certificate) and the public key. Some of the components in the Certificate Policy framework are given concrete values and represented by a registered object identifier in the X.509, Version 3 certificate. Th

45、e object owner also registers a textual description of the policy and makes it available to the Relying Parties. NOTE 2 The Certificate Policy object identifier can be included in the following extensions in the X.509, Version 3 certificates: Certificate Policies, policy mappings, and policy constra

46、ints. The object identifier(s) may appear in none, some, or all of these fields. These object identifiers may be the same (referring to the same Certificate Policy) or may be different (referring to different Certificate Policies). 3.9 certificate policy framework comprehensive set of security- and

47、liability-related components that can be used to define a Certificate Policy NOTE A subset of the components in the Certificate Policy framework are given concrete values to define a Certificate Policy. 3.10 certificate re-key process whereby an entity with an existing key pair and certificate recei

48、ves a new certificate for a new public-key, following the generation of a new key pair 3.11 certificate renewal process whereby an entity is issued for a new instance of an existing certificate with a new validity period 3.12 certificate request data credentials signed information in a certificate r

49、equest, including the entitys public key, entity identity and other information included in the certificate 3.13 certificate revocation list CRL list of revoked certificates 3.14 certification process of creating a public key certificate for an entity 3.15 certification authority CA entity trusted by one or more entities to create, assign, and revoke or hold public key certificates BS ISO 15782-1:2009ISO 15782-1:2009(E) 4 ISO 2009 All rights reserved3.16 certification authority sys