1、Information technology Open Systems Interconnection The Directory Part 8: Public-key and attribute certificate frameworks BS ISO/IEC 95948:2017 BSI Standards Publication WB11885_BSI_StandardCovs_2013_AW.indd 1 15/05/2013 15:06Information technology Open Systems Interconnection The Directory Part 8:
2、Public-key and attribute certificate frameworks Technologies de linformation Interconnexion de systmes ouverts (OSI) L annuaire Partie 8: Cadre gnral des certificats de cl publique et dattribut INTERNATIONAL STANDARD ISO/IEC 9594-8 Reference number ISO/IEC 9594-8:2017(E) Eighth edition 2017-05 ISO/I
3、EC 2017 National foreword This British Standard is the UK implementation of ISO/IEC 9594-8:2017. It supersedes BS ISO/IEC 9594-8:2014, which is withdrawn. The UK participation in its preparation was entrusted to Technical Committee IST/6, Data communications. A list of organizations represented on t
4、his committee can be obtained on request to its secretary. This publication does not purport to include all the necessary provisions of a contract. Users are responsible for its correct application. The British Standards Institution 2017 Published by BSI Standards Limited 2017 ISBN 978 0 580 96323 0
5、 ICS 35.100.70 Compliance with a British Standard cannot confer immunity from legal obligations. This British Standard was published under the authority of the Standards Policy and Strategy Committee on 31 July 2017. Amendments/corrigenda issued since publication Date Text affected BRITISH STANDARD
6、BS ISO/IEC 95948:2017Information technology Open Systems Interconnection The Directory Part 8: Public-key and attribute certificate frameworks Technologies de linformation Interconnexion de systmes ouverts (OSI) L annuaire Partie 8: Cadre gnral des certificats de cl publique et dattribut INTERNATION
7、AL STANDARD ISO/IEC 9594-8 Reference number ISO/IEC 9594-8:2017(E) Eighth edition 2017-05 ISO/IEC 2017 BS ISO/IEC 95948:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017, Published in Switzerland All rights reserved. Unless otherwise specified, no part of this public
8、ation may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISOs member body in the countr
9、y of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 9594-8:2017(E) BS ISO/IEC 95948:2017 ii ISO/IEC 2017 All rights reserved COPYRIGHT PROTECTED DOCUMENT ISO/IEC 2017,
10、 Published in Switzerland All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. P
11、ermission can be requested from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Ch. de Blandonnet 8 CP 401 CH-1214 Vernier, Geneva, Switzerland Tel. +41 22 749 01 11 Fax +41 22 749 09 47 copyrightiso.org www.iso.org ISO/IEC 9594-8:2017(E)ISO/
12、IEC 9594-8:2017(E) ISO/IEC 2017 All rights reserved ii-1 Foreword ISO (the I nternation al O rgani z atio n fo r Standard iz ation) a nd I EC (the I nter nation al E lec trotechnical C om m i ssi o n ) f orm the s pe c i a l i z e d s ystem for worldwide s tandardiz at ion. N ational bo dies that a
13、r e mem b ers of I SO o r IEC participate in t he d evelop ment o f Int e rna tion al S tandards through technic al committ ees e stablished by the resp ective o r g an ization to d eal w ith par ticular f i e l d s o f technical a ct iv it y . IS O a nd IE C technical committees c o l l ab or at e
14、in fields of m utual interest. Other internati onal organiz a tio n s, g overn m ental and no ngovern mental, i n l i a i s o n w i th I S O a n d I E C , a l s o ta ke p art in the w ork. In the field of i nformatio n technolo g y, I SO an d IEC have e stab li shed a jo i n t technical committee, I
15、SO /IEC J TC 1. The pr oce du r es used to d evelop this document a nd those i nt ended f or its f u r th e r m a i n te n a n c e a r e d e s c r ib e d in the I S O / I E C Dir e c ti ves, Part 1. In p articul ar the d ifferent a pproval criter ia needed f or the differ e nt types o f document s h
16、ould be noted. T his document w as d rafted in accordance w ith the e di to ri a l rul e s of the ISO /I EC Directives, Part 2 (see www.iso.org/directives ). A tt en ti o n is d rawn to t he possibility t hat some o f the el ements of t h i s d oc u men t m a y b e t h e s u bj ec t of p atent right
17、s. ISO and IEC shall not be he l d r e sponsible f or identifying a ny or all such patent rig h ts. D e ta i l s o f a n y pa t e n t rig h ts i d e n tif i e d d u rin g th e d e v el opment o f th e document w ill be i n the Introduction and/or on t he ISO list of patent declarations rec e ived (s
18、ee ww w.iso.org/patents ). Any t r ade na me used in this document is information given for t h e co n v e n i e n c e o f us e r s a n d d o e s not constitu t e an endorsement. For an e xpl a nati on on t he meanin g of I SO s peci fic terms an d expr essions related to c on f or mi t y a ss es s
19、me nt, as well a s informati o n about ISOs a d h e r e n c e to the W o r l d T r a d e O rgan izat ion (WTO) principles in the Technic a l B a r r i e r s to T r a d e (TBT) s e e the f o l lowing URL: www.iso.org/iso/foreword.html. This e ight h e dition c ancels a nd r eplaces t he s eventh e di
20、tion ( ISO/IEC 95948:2014), w hich has been t e c h n i c a l l y r e v i s e d . te This d ocum ent was pr e p ared b y IS O/IEC J T C 1 , Information technology, SC 6, Telecommunications and information exchange between systems , i n c o ll a b o r a ti o n w i th I T U T . T he i d e n ti c a l t
21、e x t i s published as ITU T X.5 09 (10/ 20 16). A li st o f al l pa rt s in t he ISO/I E C 9 5 94 s e rie s, publishe d unde r t h e g en eral ti t le Information technology Open Systems Interconnection The Directory , c a n be fou nd on t h e IS O w e bsite. BS ISO/IEC 95948:2017 BS ISO/IEC 95948:
22、2017 Rec. ITU-T X.509 (10/2016) iii CONTENTS Page 1 Scope 1 2 Normative references 1 2.1 Identical Recommendations | International Standards 1 2.2 Paired Recommendations | International Standards equivalent in technical content . 2 2.3 Recommendations . 2 2.4 Other references 2 3 Definitions 2 3.1 O
23、SI Reference Model security architecture definitions. 2 3.2 Baseline identity management terms and definitions 3 3.3 Directory model definitions 3 3.4 Access control framework definitions . 3 3.5 Public-key and attribute certificate definitions 3 4 Abbreviations . 7 5 Conventions 8 6 Frameworks over
24、view 8 6.1 Digital signatures 9 6.2 Public-key cryptography and cryptographic algorithms 10 6.3 Distinguished encoding of basic encoding rules . 11 6.4 Applying distinguished encoding 12 6.5 Using repositories 12 7 Public keys and public-key certificates 13 7.1 Introduction . 13 7.2 Public-key certi
25、ficate. 13 7.3 Public-key certificate extensions . 15 7.4 Types of public-key certificates 16 7.5 Trust anchor 16 7.6 Entity relationship . 17 7.7 Certification path . 18 7.8 Generation of key pairs . 19 7.9 Public-key certificate creation . 19 7.10 Certificate revocation list 20 7.11 Uniqueness of
26、names . 22 7.12 Indirect CRLs 22 7.13 Repudiation of a digital signing 24 8 Trust models . 24 8.1 Three-cornered trust model . 24 8.2 Four cornered trust model . 25 9 Public-key certificate and CRL extensions . 26 9.1 Policy handling 26 9.2 Key and policy information extensions . 29 9.3 Subject and
27、issuer information extensions 35 9.4 Certification path constraint extensions 37 9.5 Basic CRL extensions . 41 9.6 CRL distribution points and delta CRL extensions . 49 10 Delta CRL relationship to base . 53 11 Authorization and validation lists . 55 11.1 Authorization and validation list concept 55
28、 11.2 The authorizer . 55 11.3 Authorization and validation list syntax 55 11.4 Authorization and validation restrictions 57 BS ISO/IEC 95948:2017 iv Rec. ITU-T X.509 (10/2016) Page 12 Certification path processing procedure . 57 12.1 Path processing inputs . 57 12.2 Path processing outputs . 58 12.
29、3 Path processing variables 59 12.4 Initialization step . 59 12.5 Public-key certificate processing . 59 13 PKI directory schema . 62 13.1 PKI directory object classes and name forms 62 13.2 PKI directory attributes . 63 13.3 PKI directory matching rules 66 13.4 PKI directory syntax definitions 71 1
30、4 Attribute certificates . 73 14.1 Attribute certificate structure. 73 14.2 Delegation paths 76 14.3 Attribute certificate revocation lists 76 15 Attribute authority, source of authority and certification authority relationship 77 15.1 Privilege in attribute certificates 79 15.2 Privilege in public-
31、key certificates 79 16 PMI models 79 16.1 General model . 79 16.2 Control model 81 16.3 Delegation model 81 16.4 Group assignment model . 82 16.5 Roles model . 83 16.6 Recognition of Authority Model . 84 16.7 XML privilege information attribute . 88 16.8 Permission attribute and matching rule . 89 1
32、7 Attribute certificate and attribute certificate revocation list extensions . 89 17.1 Basic privilege management extensions 90 17.2 Privilege revocation extensions . 93 17.3 Source of authority extensions 95 17.4 Role extensions . 97 17.5 Delegation extensions . 98 17.6 Recognition of authority ext
33、ensions 103 17.7 Use of basic CRL extension for ACRLs . 105 18 Delegation path processing procedure 109 18.1 Basic processing procedure . 109 18.2 Role processing procedure 110 18.3 Delegation processing procedure 110 19 PMI directory schema. 112 19.1 PMI directory object classes . 113 19.2 PMI dire
34、ctory attributes 114 19.3 PMI general directory matching rules . 116 20 Protocol support for public-key and privilege management infrastructures . 118 20.1 General syntax . 118 20.2 Wrapping of non-encrypted protocol data units 118 20.3 Wrapping of encrypted protocol data unit . 119 20.4 Check of PK
35、I-PMI-Wrapper protocol elements 121 20.5 PKI-PMI-Wrapper error codes 122 21 Authorization and validation list management . 123 21.1 General 123 21.2 Defined protocol data unit (PDU) types 123 21.3 Checking of received PDU 123 BS ISO/IEC 95948:2017 iv Rec. ITU-T X.509 (10/2016) Page 12 Certification
36、path processing procedure . 57 12.1 Path processing inputs . 57 12.2 Path processing outputs . 58 12.3 Path processing variables 59 12.4 Initialization step . 59 12.5 Public-key certificate processing . 59 13 PKI directory schema . 62 13.1 PKI directory object classes and name forms 62 13.2 PKI dire
37、ctory attributes . 63 13.3 PKI directory matching rules 66 13.4 PKI directory syntax definitions 71 14 Attribute certificates . 73 14.1 Attribute certificate structure. 73 14.2 Delegation paths 76 14.3 Attribute certificate revocation lists 76 15 Attribute authority, source of authority and certific
38、ation authority relationship 77 15.1 Privilege in attribute certificates 79 15.2 Privilege in public-key certificates 79 16 PMI models 79 16.1 General model . 79 16.2 Control model 81 16.3 Delegation model 81 16.4 Group assignment model . 82 16.5 Roles model . 83 16.6 Recognition of Authority Model
39、. 84 16.7 XML privilege information attribute . 88 16.8 Permission attribute and matching rule . 89 17 Attribute certificate and attribute certificate revocation list extensions . 89 17.1 Basic privilege management extensions 90 17.2 Privilege revocation extensions . 93 17.3 Source of authority exte
40、nsions 95 17.4 Role extensions . 97 17.5 Delegation extensions . 98 17.6 Recognition of authority extensions 103 17.7 Use of basic CRL extension for ACRLs . 105 18 Delegation path processing procedure 109 18.1 Basic processing procedure . 109 18.2 Role processing procedure 110 18.3 Delegation proces
41、sing procedure 110 19 PMI directory schema. 112 19.1 PMI directory object classes . 113 19.2 PMI directory attributes 114 19.3 PMI general directory matching rules . 116 20 Protocol support for public-key and privilege management infrastructures . 118 20.1 General syntax . 118 20.2 Wrapping of non-e
42、ncrypted protocol data units 118 20.3 Wrapping of encrypted protocol data unit . 119 20.4 Check of PKI-PMI-Wrapper protocol elements 121 20.5 PKI-PMI-Wrapper error codes 122 21 Authorization and validation list management . 123 21.1 General 123 21.2 Defined protocol data unit (PDU) types 123 21.3 Ch
43、ecking of received PDU 123 Rec. ITU-T X.509 (10/2016) v Page 21.4 Authorization and validation management protocol . 124 21.5 Certification authority subscription protocol . 130 22 Trust broker protocol 137 Annex A Public-key and attribute certificate frameworks 140 Annex B Reference definition of c
44、ryptographic algorithms . 176 Annex C Certificate extension attribute types 182 C.1 Certificate extension attribute concept 182 C.2 Formal specification for certificate extension attribute types 182 Annex D External ASN.1 modules . 190 Annex E CRL generation and processing rules 199 E.1 Introduction
45、 . 199 E.2 Determine parameters for CRLs 200 E.3 Determine CRLs required . 201 E.4 Obtain CRLs 202 E.5 Process CRLs 202 Annex F Examples of delta CRL issuance 206 Annex G Privilege policy and privilege attribute definition examples . 208 G.1 Introduction . 208 G.2 Sample syntaxes 208 G.3 Privilege a
46、ttribute example 212 Annex H An introduction to public key cryptography 2). 213 Annex I Examples of use of certification path constraints . 215 I.1 Example 1: Use of basic constraints 215 I.2 Example 2: Use of policy mapping and policy constraints . 215 I.3 Use of name constraints extension 215 Anne
47、x J Guidance on determining for which policies a certification path is valid . 224 J.1 Certification path valid for a user-specified policy required . 224 J.2 Certification path valid for any policy required 225 J.3 Certification path valid regardless of policy . 225 J.4 Certification path valid for
48、 a user-specific policy desired, but not required . 225 Annex K Key usage certificate extension issues 226 Annex L Deprecated extensions . 227 L.1 CRL scope extension . 227 Annex M Directory concepts 230 M.1 Scope . 230 M.2 Basic directory concepts 230 M.3 Directory schema 230 M.4 Directory distingu
49、ished names 231 M.5 Subtrees . 231 Annex N Considerations on strong authentication . 232 N.1 Introduction . 232 N.2 One-way authentication . 233 N.3 Two-way authentication 233 N.4 Three-way authentication 234 N.5 Five-way authentication (initiated by A) . 235 N.6 Five-way authentication (initiated by B) . 236 Annex O Alphabetical list of information item definitions 238 Annex P Amendments and corrigenda . 241 Bibliography 242 BS ISO/IEC 95948:2017
