ImageVerifierCode 换一换
格式:PDF , 页数:24 ,大小:340.36KB ,
资源ID:803475      下载积分:10000 积分
快捷下载
登录下载
邮箱/手机:
温馨提示:
如需开发票,请勿充值!快捷下载时,用户名和密码都是您填写的邮箱或者手机号,方便查询和重复下载(系统自动生成)。
如填写123,账号就是123,密码也是123。
特别说明:
请自助下载,系统不会自动发送文件的哦; 如果您已付费,想二次下载,请登录后访问:我的下载记录
支付方式: 支付宝扫码支付 微信扫码支付   
注意:如需开发票,请勿充值!
验证码:   换一换

加入VIP,免费下载
 

温馨提示:由于个人手机设置不同,如果发现不能下载,请复制以下地址【http://www.mydoc123.com/d-803475.html】到电脑端继续下载(重复下载不扣费)。

已注册用户请登录:
账号:
密码:
验证码:   换一换
  忘记密码?
三方登录: 微信登录  

下载须知

1: 本站所有资源如无特殊说明,都需要本地电脑安装OFFICE2007和PDF阅读器。
2: 试题试卷类文档,如果标题没有明确说明有答案则都视为没有答案,请知晓。
3: 文件的所有权益归上传用户所有。
4. 未经权益所有人同意不得将文件中的内容挪作商业或盈利用途。
5. 本站仅提供交流平台,并不能对任何下载内容负责。
6. 下载文件中如有侵权或不适当内容,请与我们联系,我们立即纠正。
7. 本站不保证下载资源的准确性、安全性和完整性, 同时也不承担用户因使用这些下载资源对自己和他人造成任何形式的伤害或损失。

版权提示 | 免责声明

本文(ITU-T SERIES Y SUPP 18-2012 ITU-T Y 2700-series C Supplement on next generation network certificate management (Study Group 13)《ITU-T Y 2700系列 下一代网络证书管理补充 13号研究组》.pdf)为本站会员(花仙子)主动上传,麦多课文库仅提供信息存储空间,仅对用户上传内容的表现方式做保护处理,对上载内容本身不做任何修改或编辑。 若此文所含内容侵犯了您的版权或隐私,请立即通知麦多课文库(发送邮件至master@mydoc123.com或直接QQ联系客服),我们立即给予删除!

ITU-T SERIES Y SUPP 18-2012 ITU-T Y 2700-series C Supplement on next generation network certificate management (Study Group 13)《ITU-T Y 2700系列 下一代网络证书管理补充 13号研究组》.pdf

1、 International Telecommunication Union ITU-T Series YTELECOMMUNICATION STANDARDIZATION SECTOR OF ITU Supplement 18(06/2012) SERIES Y: GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS ITU-T Y.2700-series Supplement on next generation network certificate manage

2、ment ITU-T Y-series Recommendations Supplement 18 ITU-T Y-SERIES RECOMMENDATIONS GLOBAL INFORMATION INFRASTRUCTURE, INTERNET PROTOCOL ASPECTS AND NEXT-GENERATION NETWORKS GLOBAL INFORMATION INFRASTRUCTURE General Y.100Y.199 Services, applications and middleware Y.200Y.299 Network aspects Y.300Y.399

3、Interfaces and protocols Y.400Y.499 Numbering, addressing and naming Y.500Y.599 Operation, administration and maintenance Y.600Y.699 Security Y.700Y.799 Performances Y.800Y.899 INTERNET PROTOCOL ASPECTS General Y.1000Y.1099 Services and applications Y.1100Y.1199 Architecture, access, network capabil

4、ities and resource management Y.1200Y.1299 Transport Y.1300Y.1399 Interworking Y.1400Y.1499 Quality of service and network performance Y.1500Y.1599 Signalling Y.1600Y.1699 Operation, administration and maintenance Y.1700Y.1799 Charging Y.1800Y.1899 IPTV over NGN Y.1900Y.1999 NEXT GENERATION NETWORKS

5、 Frameworks and functional architecture models Y.2000Y.2099 Quality of Service and performance Y.2100Y.2199 Service aspects: Service capabilities and service architecture Y.2200Y.2249 Service aspects: Interoperability of services and networks in NGN Y.2250Y.2299 Numbering, naming and addressing Y.23

6、00Y.2399 Network management Y.2400Y.2499 Network control architectures and protocols Y.2500Y.2599 Smart ubiquitous networks Y.2600Y.2699 Security Y.2700Y.2799 Generalized mobility Y.2800Y.2899 Carrier grade open environment Y.2900Y.2999 Future networks Y.3000Y.3099 For further details, please refer

7、to the list of ITU-T Recommendations. Y series Supplement 18 (06/2012) i Supplement 18 to ITU-T Y-series Recommendations ITU-T Y.2700-series Supplement on next generation network certificate management Summary Supplement 18 to ITU-T Y-series Recommendations provides guidelines for managing ITU-T X.5

8、09 certificates for NGN security based on the trust model defined in ITU-T Y.2701 to supplement the information in ITU-T Y.2704. This Supplement is applicable to any next generation network (NGN) using certificates based on the framework for public key infrastructure (PKI) and privilege management i

9、nfrastructure (PMI) specified in ITU-T X.509 for identification, authentication, privilege/attribute management and/or encryption between network elements and between user end-devices and the NGN provider customer premises equipment (CPE) provisioning element. History Edition Recommendation Approval

10、 Study Group 1.0 ITU-T Y Suppl. 18 2012-06-15 13 Keywords Next generation network, privilege management infrastructure, public key infrastructure, security and ITU-T X.509 certificates. ii Y series Supplement 18 (06/2012) FOREWORD The International Telecommunication Union (ITU) is the United Nations

11、 specialized agency in the field of telecommunications, information and communication technologies (ICTs). The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on

12、them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of IT

13、U-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this publication, the expression “Administration“ is used

14、for conciseness to indicate both a telecommunication administration and a recognized operating agency. Compliance with this publication is voluntary. However, the publication may contain certain mandatory provisions (to ensure, e.g., interoperability or applicability) and compliance with the publica

15、tion is achieved when all of these mandatory provisions are met. The words “shall“ or some other obligatory language such as “must“ and the negative equivalents are used to express requirements. The use of such words does not suggest that compliance with the publication is required of any party. INT

16、ELLECTUAL PROPERTY RIGHTS ITU draws attention to the possibility that the practice or implementation of this publication may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whe

17、ther asserted by ITU members or others outside of the publication development process. As of the date of approval of this publication, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this publication. However, implementers are cautioned

18、that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database at http:/www.itu.int/ITU-T/ipr/. ITU 2013 All rights reserved. No part of this publication may be reproduced, by any means whatsoever, without the prior written permission of ITU. Y

19、 series Supplement 18 (06/2012) iii Table of Contents Page 1 Scope 1 2 References. 1 3 Definitions 1 3.1 Terms defined elsewhere 1 3.2 Terms defined in this Supplement 1 4 Abbreviations and acronyms 2 5 Conventions 2 6 Reference model . 3 7 Certificate management 3 7.1 Obtaining certificates 3 7.2 C

20、ertificate verification 4 7.3 Certificate contents for NGN infrastructure . 4 7.4 Expected content of service provider certificate for peering 8 7.5 Certificate revocation . 9 Appendix I ITU-T X.509-based authorization privilege management . 10 I.1 Overview of ITU-T X.509-based privilege management

21、infrastructure 10 I.2 Applicability of the PMI to NGN security . 14 Bibliography. 15 iv Y series Supplement 18 (06/2012) Introduction Recommendation ITU-T Y.2704 identified the use of ITU-T X.509 certificates as a means of identification, authentication, privilege/attribute management and/or encrypt

22、ion between network elements, and between user end-devices and the NGN provider customer premises equipment (CPE) provisioning element. This document supplements ITU-T Y.2704 by providing additional guidelines for managing these ITU-T X.509 certificates. Y series Supplement 18 (06/2012) 1 Supplement

23、 18 to ITU-T Y-series Recommendations ITU-T Y.2700-series Supplement on next generation network certificate management 1 Scope This Supplement defines procedures for managing ITU-T X.509 certificates used for NGN security based on the trust model defined in ITU-T Y.2701. It provides guidance to supp

24、lement ITU-T Y.2704 regarding the use by the NGN of certificates based on the framework for public key infrastructure (PKI) and privilege management infrastructure (PMI) specified in ITU-T X.509. This Supplement is applicable to any NGN using ITU-T X.509 certificates for identification, authenticati

25、on, privilege/attribute management and/or encryption between network elements, and between user end-devices and the NGN provider customer premises equipment (CPE) provisioning element, based on the trust model defined in ITU-T Y.2701. This includes use of ITU-T X.509 certificates between network ele

26、ments of peering providers based on policy and business agreements. This Supplement assumes that the NGN provider is the certificate agent (CA). Scenarios where the CA is another entity are not within the scope of this Supplement. NOTE NGN certificate management is viewed as part of the broader topi

27、c of NGN identity management (IdM). 2 References ITU-T X.509 Recommendation ITU-T X.509 (2008) | ISO/IEC 9594-8:2008, Information technology Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks. ITU-T Y.2701 Recommendation ITU-T Y.2701 (2007), Security requirem

28、ents for NGN release 1. ITU-T Y.2704 Recommendation ITU-T Y.2704 (2010), Security mechanisms and procedures for NGN. 3 Definitions 3.1 Terms defined elsewhere This Supplement uses the following terms defined elsewhere: 3.1.1 authentication b-ITU-T X.811: The provision of assurance of the claimed ide

29、ntity of an entity. 3.1.2 authorization b-ITU-T X.800: The granting of rights, which includes the granting of access based on access rights. 3.1.3 border element ITU-T Y.2701: Network element providing functions connecting different security and administrative domains. 3.1.4 trust b-ITU-T X.810: Ent

30、ity X is said to trust entity Y for a set of activities if and only if entity X relies upon entity Y behaving in a particular way with respect to the activities. 3.2 Terms defined in this Supplement None. 2 Y series Supplement 18 (06/2012) 4 Abbreviations and acronyms This Supplement uses the follow

31、ing abbreviations and acronyms: AA Attribute Authority AC Attribute Certificate BE Border Element CA Certification Authority CPE Customer Premises Equipment CPE-BE Customer Premises Equipment Border Element CPS Certification Practice Statement CRL Certificate Revocation List CSR Certificate Signing

32、Request DNS Domain Name System ECC Elliptic Curve Cryptography ECDSA Elliptic Curve Digital Signature Algorithm FQDN Fully Qualified Domain Name HTTP Hypertext Transfer Protocol IdM Identity Management MAC Media Access Control NE Network Element NGN Next Generation Network OAM authentication of netw

33、ork entities; attributes and privilege management of network entities; establishing secure associations between communicating network entities (e.g., encryption); providing identification and authentication of the NGN provider to customer devices and to peering NGN providers. All certificates of the

34、 NGN providers network elements are issued by the NGN providers certification authority (CA). The CA certificates (root CA certificate or its subordinate CA certificate) have to be securely delivered to, and stored by, the relying party of the CA (e.g., subscribers of the NGN provider or peering NGN

35、 providers). The certification authority is maintained by the NGN provider. Certificates in the NGN providers infrastructure should comply with ITU-T X.509, b-IETF RFC 3279 and b-IETF RFC 5280. NGN network elements obtain certificates from a certification authority by the procedures given in clause

36、7.1. When a certificate is exchanged as part of establishing a secure connection, the certificate contents are checked according to the procedures of clause 7.2. Certificates used for setting up security associations also form the basis of end-user and device identification and authentication. For e

37、xample, in the case of use of the session initiation protocol (SIP), this translates into a mapping between the certificate contents and the allowable values of originator identity for SIP requests. The guidance and requirements provided in b-CA/Browser Forum should be taken into consideration for N

38、GN provider issuance and management of ITU-T X.509 certificates. Each of the following clauses giving certificate contents explains how the originator identity can be determined from the fields in that certificate. 7.1 Obtaining certificates 7.1.1 NGN providers network element certificates The NGN n

39、etwork element should securely generate and store a public/private key pair. Use of Public-Key Cryptographic Standard #10 (PKCS #10) b-IETF RFC 2986 is preferred; however, other mechanisms are possible based on the NGN providers security policy. The key generation may either be done on the device by

40、 the system administrator who then generates a certificate signing request (CSR) (e.g., PKCS #10 request) or performed separately on a secured machine that then is used to generate the CSR. If the key generation is performed on a separate machine, steps should be taken to ensure that the private key

41、 is not compromised. If the key pair is generated on a separate machine, the public/private key pair will need to be securely installed on the network 4 Y series Supplement 18 (06/2012) element as well as the certificate. All key generation and storage should be in compliance with the NGN provider s

42、ecurity policy. Generation of public/private key pairs should be done using an algorithm approved by the NGN provider, to ensure sufficient randomness. After the CSR is generated, the network element sends a CSR to the certification authority (i.e., the request can be sent automatically or by a syst

43、em administrator). This request should contain a distinguishing name, the public key generated as described above, and a set of attributes, which depend on the type of network element. The CSR is sent to the certification authority (CA) using an authenticated communication channel that verifies that

44、 the request is coming from an authenticated user. Some examples of this include a signed e-mail where the signature is checked before the request is passed on to the CA, or a web form that is only accessible through some authentication method that limits access to only authorized certificate reques

45、tors. The CA verifies the signature on the CSR and builds an ITU-T X.509 certificate from the information provided. See clause 7.3 for the basic structure of NGN provider certificates. The CA then returns the certificate to the requesting system administrator. The request may occur through an HTTP r

46、equest or it may be downloaded later by the system administrator, or it may be provided by e-mail. The system administrator will install the device certificate and the root certificate of the CA. 7.1.2 End-user and subscriber certificates End-user certificates may be downloaded into the end-device t

47、hrough the NGN provider provisioning process. Use of PKCS #10 b-IETF RFC 2986 is preferred; however, other mechanisms are possible based on the NGN providers security policy. For these certificates, a CSR is generated with the end-user information and the private key, and the resulting certificate i

48、s sent to the end-user device over a secured channel that should have been authenticated by some other method. Alternatively, memory devices such as a universal integrated circuit card (UICC) may be used to issue end-user certificates. 7.2 Certificate verification All network elements should verify

49、the complete certificate chain of all received certificates up to a known certification authority. If any step in this chain fails, then the certificate is considered invalid and is rejected. The network element should reject the certificate if it has expired. 7.3 Certificate contents for NGN infrastructure This clause describes example certificate profiles for NGN infrastructure using ITU-T X.509 version 3 certificates. All certificates should indicate the following: Ve

copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
备案/许可证编号:苏ICP备17064731号-1