BS ISO IEC 24727-6-2011 Identification cards Integrated circuit card programming interfaces Registration authority procedures for the authentication protocols for interoperability《.pdf

1、raising standards worldwideNO COPYING WITHOUT BSI PERMISSION EXCEPT AS PERMITTED BY COPYRIGHT LAWBSI Standards PublicationBS ISO/IEC 24727-6:2010Identification cards Integrated circuit cardprogramming interfacesPart 6: Registration authority proceduresfor the authentication protocols forinteroperabi

2、lityBS ISO/IEC 24727-6:2010 BRITISH STANDARDNational forewordThis British Standard is the UK implementation of ISO/IEC24727-6:2010.The UK participation in its preparation was entrusted to TechnicalCommittee IST/17, Cards and personal identification.A list of organizations represented on this committ

3、ee can beobtained on request to its secretary.This publication does not purport to include all the necessaryprovisions of a contract. Users are responsible for its correctapplication. BSI 2011ISBN 978 0 580 62871 9ICS 35.240.15Compliance with a British Standard cannot confer immunity fromlegal oblig

4、ations.This British Standard was published under the authority of theStandards Policy and Strategy Committee on 28 February 2011.Amendments issued since publicationDate Text affectedBS ISO/IEC 24727-6:2010Reference numberISO/IEC 24727-6:2010(E)ISO/IEC 2010INTERNATIONAL STANDARD ISO/IEC24727-6First e

5、dition2010-12-15Identification cards Integrated circuit card programming interfaces Part 6: Registration authority procedures for the authentication protocols for interoperability Cartes didentification Interfaces programmables de cartes puce Partie 6: Procdures de lautorit denregistrement des proto

6、coles dauthentification pour linteroprabilit BS ISO/IEC 24727-6:2010ISO/IEC 24727-6:2010(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are

7、licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details

8、of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relat

9、ing to it is found, please inform the Central Secretariat at the address given below. COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2010 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including

10、photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.org Web www.iso.org Published in

11、 Switzerland ii ISO/IEC 2010 All rights reservedBS ISO/IEC 24727-6:2010ISO/IEC 24727-6:2010(E) ISO/IEC 2010 All rights reserved iiiContents Page Foreword iv Introduction.v 1 Scope1 2 Normative references1 3 Terms and definitions .1 4 Symbols (and abbreviated terms)2 5 General .2 5.1 Purpose 2 5.2 De

12、pendencies 2 5.3 Authentication protocol OID arcs 3 5.4 Authentication protocol registration.3 5.5 Authentication protocol adoption registration.4 6 Appointment of the registration authority 4 7 Review of applications5 7.1 Procedure.5 7.2 Response time .5 7.3 Confirmation process .5 8 Content of app

13、lications.5 8.1 General .5 8.2 Applications .5 8.3 Maintenance of a web-based register .6 Annex A (normative) Application for registration of an ISO 24727 registered authentication protocol 7 Annex B (normative) Authentication protocol template .11 Annex C (normative) Authentication protocol certifi

14、cation form 15 Annex D (normative) Registration of authentication protocol adoption application.18 Annex E (informative) Registration Authority22 BS ISO/IEC 24727-6:2010ISO/IEC 24727-6:2010(E) iv ISO/IEC 2010 All rights reservedForeword ISO (the International Organization for Standardization) and IE

15、C (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committees established by the respective organization to deal with p

16、articular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the work. In the field of information technology, ISO and IEC have e

17、stablished a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2. The main task of the joint technical committee is to prepare International Standards. Draft International Standards adopted by the joint te

18、chnical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO

19、 and IEC shall not be held responsible for identifying any or all such patent rights. ISO/IEC 24727-6 was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, Subcommittee SC 17, Cards and personal identification. ISO/IEC 24727 consists of the following parts, under the gener

20、al title Identification cards Integrated circuit card programming interfaces: Part 1: Architecture Part 2: Generic card interface Part 3: Application interface Part 4: Application programming interface (API) administration Part 5: Testing procedures Part 6: Registration authority procedures for the

21、authentication protocols for interoperability BS ISO/IEC 24727-6:2010ISO/IEC 24727-6:2010(E) ISO/IEC 2010 All rights reserved vIntroduction ISO/IEC 24727 is a set of programming interfaces for interactions between integrated circuit cards and external applications to include generic services for mul

22、ti-sector use. The organization and the operation of the ICC conform to ISO/IEC 7816-4. ISO/IEC 24727 is relevant to ICC applications desiring interoperability among diverse application domains. This document specifies a language independent and implementation independent application level interface

23、 that allows information and transaction interchange with a card. The Open Systems Interconnect Reference Model ISO/IEC 7498-1:1994 is used as the layered architecture of the Application Interface. That is, the Application Interface assumes that there is a protocol stack through which it will exchan

24、ge information and transactions among cards using commands conveyed through the message structures defined in ISO 7816. The semantics of commands accessed by the Application Interface refers to application protocol data units (APDUs) as characterized in ISO/IEC 24727-2, and in the following Internat

25、ional Standards: ISO/IEC 7816-4:2005, Identification cards Integrated circuit cards Part 4: Organization, security and commands for interchange. ISO/IEC 7816-8:2004, Identification cards Integrated circuit cards Part 8: Commands for security operations. ISO/IEC 7816-9:2004, Identification cards Inte

26、grated circui t cards Part 9: Commands for card management. The purpose of this part of ISO/IEC 24727 is to maximize the applicability and solution space of software tools that provide Application Interface support to card-aware applications. This effort includes supporting the evolution of card sys

27、tems as the cards become more powerful peer-level partners with existing and future applications while minimizing the impact to existing solutions conforming to this part of ISO/IEC 24727. This part of ISO/IEC 24727 extends the function of ISO/IEC 24727-3, Annex A authentication protocols (APs), by

28、providing a means for publication and management of an interoperable framework for new or modified APs using a standardized ISO/IEC registration authority (RA). APs submitted carry no warranty or guarantee in regard to their fitness for any purpose including security. It is incumbent on the end user

29、 to ascertain the APs suitability for the purpose proposed, including the validity of any claims made by the applicant. BS ISO/IEC 24727-6:2010BS ISO/IEC 24727-6:2010INTERNATIONAL STANDARD ISO/IEC 24727-6:2010(E) ISO/IEC 2010 All rights reserved 1Identification cards Integrated circuit card programm

30、ing interfaces Part 6: Registration authority procedures for the authentication protocols for interoperability 1 Scope This part of ISO/IEC 24727 defines the procedures for registration of APs, including related cryptographic algorithms, test methods and conformance assessment criteria, and registra

31、tion of the adoption of ISO/IEC 24727 APs by parties desiring to advertise AP interoperability. 2 Normative references The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest e

32、dition of the referenced document (including any amendments) applies. ISO/IEC 24727-3, Identification cards Integrated circuit card programming interfaces Part 3: Application interface ISO/IEC 9834-2, Information technology Open Systems Interconnection Procedures for the operation of OSI Registratio

33、n Authorities Part 2: R egistration procedures for OSI document types 3 Terms and definitions For the purposes of this document, the terms and definitions given in ISO/IEC 24727-3, and the following, apply. 3.1 applicant organization or person requesting registration 3.2 authentication-protocol-adop

34、tion use of ISO/IEC 24727-3 or ISO/IEC 24727-6 APs (either in operations or referenced in dependent specifications or standards or recommendations) 3.3 registration authority organization nominated and appointed by the ISO/IEC Technical Management Board to prepare and maintain ISO/IEC 24727-6 regist

35、ers BS ISO/IEC 24727-6:2010ISO/IEC 24727-6:2010(E) 2 ISO/IEC 2010 All rights reserved3.4 registrant organization or person that has either registered an authentication protocol or registered the adoption of an authentication protocol 4 Symbols (and abbreviated terms) For the purposes of this documen

36、t, the symbols and abbreviated terms given in ISO/IEC 24727-3, and the following, apply. AP authentication protocol APDU application protocol data unit APT authentication protocol template APTP authentication protocol test plan OID object identifier RA registration authority RAP registered authentic

37、ation protocol URL uniform resource locator 5 General 5.1 Purpose This part of ISO/IEC 24727 defines the ISO procedures for: the registration of new or revised APs in accordance with ISO/IEC 24727-3 and this part. These APs are extensions to the ISO/IEC 24727-3, Annex A suite of APs; registration of

38、 related cryptographic algorithms, APTP and conformance assessment criteria; registration of the adoption of ISO/IEC 24727 APs by parties desiring to advertise AP interoperability. 5.2 Dependencies This part of ISO/IEC 24727 relies on two other parts of the ISO/IEC 24727 standards suite: ISO/IEC 247

39、27-3: a standardized method for the un-ambiguous description of a range of differing APs; a standardized method for the un-ambiguous description of a range of differing cryptographic algorithms used by the APs. ISO/IEC 24727-5: to be published a standardized method for the conformance testing of a r

40、ange of differing APs; the testing requirements for an authentication protocol. BS ISO/IEC 24727-6:2010ISO/IEC 24727-6:2010(E) ISO/IEC 2010 All rights reserved 35.3 Authentication protocol OID arcs The OID method set out in ISO/IEC 24727-3 is limited to the standards arc of ISO/IEC 9834-2 and does n

41、ot support the extension of the arc by registration authority procedures. This part extends these capabilities using a registration authority arc in order to manage the full extensibility and interoperability requirements for new ISO/IEC 24727 APs under the ISO/IEC 9834-2 registration authority arc.

42、 The ISO 24727-6 Registration Authority arc is iso(1) registration-authority (1) iso24727(24727) part6(6) new-protocol-short-name (new-protocol-number) 5.4 Authentication protocol registration In order for implementations of ISO/IEC 24727 using different APs to achieve interoperability, there is a n

43、eed to unambiguously identify the implemented APs. In order to achieve interoperability with a range of APs, implementers require the details of APs to be published in a form which may be referenced. This clause provides a procedure for the registration of APs, and for those registration details to

44、be made publicly available at a URL, in a format managed by an ISO/IEC RA. 5.4.1 Authentication protocol registration procedures The procedure supported by this part is compliant with the ISO/IEC 9834-2 ASN.1 Object Identifier (OID) method. The registration and procedural requirements for registrati

45、on of APs are as follows and occur in sequence: the applicant duly completes all documents which form part of the AP registration; the RA checks the AP registration for completeness and that the documentation provided indicates compliance with this standard. The RA is only responsible for the admini

46、strative operations for the purpose of maintenance of the register which does not include technical content contained in the applicants application; should there be doubt about any data submitted, or the completeness or accuracy or consistency or ownership of the application then the RA shall initia

47、te an investigation where any doubt exists. The RA should initially consult with the applicant; if all requirements are met then the application is accepted and the applicant so advised by the RA; if the RA determines that the AP application is not complete or does not meet the requirements of this

48、standard then the applicant is so advised and given the opportunity to revise and re-apply subject to conditions set out in the conditions for application set by the Registration Authority; when the application is successful the RA allocates an OID using ISO/IEC 9834 procedures and advises the appli

49、cant that they are the formal registrant of the allocated OID from the date of first publication; the RA includes the new AP and registrant details in a publicly available and up-to-date database of registered OIDs and ISO/IEC 24727-6 APs on the Internet in a web based service. Details are provided in Annex E; once the registration has been successful, the registrant may optionally flag the registration as “Draft Only”, for a period determined by