1、American National Standard for Financial Services ANS X9.79-1:2001 Part 1: PKI Practices and Policy Framework Secretariat American Bankers Association Approved: January 2001 American National Standards InstituteANS x9.79-1:2001, Public Key Infrastructure - Practices and Policy Framework 2001 America
2、n Bankers Associationii American National Standard Approval of an American National Standard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the
3、 ANSI Board of Standards Review, directly and materially affected interests have reached substantial agreement. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be
4、made toward their resolution. The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to
5、 the standards. The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of
6、 the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard. CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American Na
7、tional Standards Institute require that action be taken to reaffirm, revise, or withdraw this standard no later than five years from the date of approval. Published by: American Bankers Association 1120 Connecticut Ave., NW Washington, DC 20036 USA Customer Service Center + 1 800 338 0626 or + 1 202
8、 663 5087 Fax + 1 202 663 7543 Email X9 Online: http:/www.x9.org Copyright (X9 2000) by American Bankers Association All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Pri
9、nted in the United States of America 2001 American Bankers Association ANS x9.79-1:2001, Public Key Infrastructure - Practices and Policy Frameworkiii Contents 1 SCOPE OF THIS STANDARD . 1 2 NORMATIVE REFERENCE(S) . 2 3 DEFINITIONS. 3 4 SYMBOLS (AND ABBREVIATIONS) 10 5 ORGANIZATION. 11 6 PKI CERTIFI
10、CATE POLICY AND CERTIFICATION PRACTICE STATEMENT. 12 6.1 WHAT IS PKI (PUBLIC-KEY INFRASTRUCTURE)? 12 6.2 PKI MODELS 13 6.2.1 Closed Model 13 6.2.2 Network Model 13 6.2.3 Open Model. 13 6.3 PKI PERSPECTIVES . 14 6.3.1 Functional Perspective 14 6.3.2 Legal Perspective 16 6.3.3 Regulatory Perspective .
11、 16 6.3.4 Business Usage Perspective 16 6.4 RELATIONSHIP BETWEEN CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT 17 6.4.1 Authorship. 17 6.4.2 Purpose . 17 6.4.3 Level of Specificity 17 6.4.4 Approach. 18 6.4.5 Public and Private Access. 18 6.5 CERTIFICATE POLICY (CP) . 19 6.6 CERTIFICATION
12、PRACTICE STATEMENT (CPS) 20 6.7 CERTIFICATE POLICY, CPS, AND CA INTEROPERABILITY 21 7 GENERAL REQUIREMENTS 21 7.1 CERTIFICATE POLICY (CP) . 21 7.2 CERTIFICATION PRACTICE STATEMENTS 23 7.2.1 Segmentation of a Certification Practice Statement. 23 ANNEX A (NORMATIVE) ELEMENTS OF POLICY AND PRACTICE 26
13、A.1 INTRODUCTION . 26 A.1.1 Overview . 26 A.1.2 Identification . 26 A.1.3 Community and Applicability 26 A.1.4 Contact Details 27 A.2 GENERAL PROVISIONS 27 A.2.1 Liability . 27 A.2.2 Obligations 28 ANS x9.79-1:2001, Public Key Infrastructure - Practices and Policy Framework 2001 American Bankers Ass
14、ociationiv A.2.3 Interpretation and Enforcement 29 A.2.4 Publication and Repositories 29 A.2.5 Compliance Audit 29 A.2.6 Confidentiality Policy 29 A.3 IDENTIFICATION AND AUTHENTICATION 30 A.3.1 Initial Registration 30 A.3.2 Routine Re-key 31 A.3.3 Re-key after Revocation - No Key Compromise. 31 A.3.
15、4 Revocation Request . 31 A.4 OPERATIONAL REQUIREMENTS 32 A.4.1 Certificate Application 32 A.4.2 Certificate Issuance. 32 A.4.3 Certificate Acceptance 32 A.4.4 Certificate Suspension and Revocation. 32 A.4.5 Security Audit Procedures. 33 A.4.6 Records Archival. 34 A.4.7 Key Changeover 34 A.4.8 Compr
16、omise and Disaster Recovery . 34 A.4.9 CA Termination. 35 A.5 PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS. 35 A.5.1 Physical Security Controls 35 A.5.2 Procedural Controls 36 A.5.3 Personnel Security Controls 36 A.6 TECHNICAL SECURITY CONTROLS 37 A.6.1 Key Pair Generation and Installation.
17、 38 A.6.2 Private Key Protection 38 A.6.3 Other Aspects of Key Pair Management . 39 A.6.4 Activation Data . 40 A.6.5 Computer Security Controls 40 A.6.6 Life Cycle Security Controls . 40 A.6.7 Network Security Controls 40 A.6.8 Cryptographic Module Engineering Controls. 40 A.7 CERTIFICATE AND CRL PR
18、OFILES 41 A.7.1 Certificate Profile 41 A.7.2 CRL Profile . 41 A.7.3 OCSP Profile. 41 A.8 PRACTICES ADMINISTRATION . 42 A.8.1 Change procedures . 42 A.8.2 Publication and Notification Procedures 43 A.8.3 Approval Procedures 43 ANNEX B (NORMATIVE) CERTIFICATION AUTHORITY CONTROL OBJECTIVES. 44 B.1 CA
19、ENVIRONMENTAL CONTROLS. 47 B.1.1 Certification Practice Statement and Certificate Policy Management . 47 B.1.2 Security Management 48 B.1.3 Asset Classification and Management 50 B.1.4 Personnel Security 50 B.1.5 Physical and Environmental Security . 51 B.1.6 Operations Management. 54 B.1.7 System A
20、ccess Management 56 B.1.8 Systems Development and Maintenance .58 B.1.9 Business Continuity Management . 58 B.1.10 Monitoring and Compliance. 61 B.1.11 Event Journaling 62 2001 American Bankers Association ANS x9.79-1:2001, Public Key Infrastructure - Practices and Policy Frameworkv B.2 KEY MANAGEME
21、NT LIFE CYCLE CONTROLS 67 B.2.1 CA Key Generation . 67 B.2.2 CA Key Storage, Backup and Recovery 68 B.2.3 CA Public Key Distribution. 69 B.2.4 CA Key Escrow (if supported). 70 B.2.5 CA Key Usage . 70 B.2.6 CA Key Destruction. 70 B.2.7 CA Key Archival 71 B.2.8 CA Cryptographic Hardware Life Cycle Man
22、agement. 72 B.2.9 CA-Provided Subscriber Key Management Services (if supported). 74 B.3 CERTIFICATE LIFE CYCLE CONTROLS. 76 B.3.1 Subscriber Registration. 76 B.3.2 Certificate Renewal (if supported) 78 B.3.3 Certificate Rekey . 79 B.3.4 Certificate Issuance. 81 B.3.5 Certificate Distribution . 82 B.
23、3.6 Certificate Revocation. 82 B.3.7 Certificate Suspension (if supported) 83 B.3.8 Certificate Status Information Processing 85 B.3.9 Integrated Circuit Card (ICC) Life Cycle Management (if supported). 86 B.4. MAPPING TO RFC 2527 AND X9.79 ANNEX A . 89 ANNEX C (INFORMATIVE) X.509 CERTIFICATE FIELDS
24、. 91 C.1 EXPLANATION OF X.509 EXTENTIONS. 91 C.1.1 Certificate Policies Extension . 91 C.1.2 Policy Mappings Extension. 92 C.1.3 Policy Constraints Extension 92 C.2 POLICY QUALIFIERS. 93 ANNEX D (INFORMATIVE) BIBLIOGRAPHY . 94 D.1 IETF REQUEST FOR COMMENT DRAFTS 94 D.2 NATIONAL AUTOMATED CLEARING HO
25、USE ASSOCIATION (NACHA) . 94 D.3 DRAFT GUIDELINE FROM OFFICE COMPTROLLER OF CURRENCY 94 D.4 AMERICAN BAR ASSOCIATION (ABARA), INFORMATION SECURITY COMMITTEE 94 D.5 AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS (AICPA) AND CANADIAN INSTITUTE OF CHARTERED ACCOUNTANTS (CICA) 94 D.6 BRITISH STANDAR
26、DS INSTITUTION . 95 D.7 INTERNATIONAL ORGANISATION FOR STANDARDISATION 95 ANNEX E (INFORMATIVE) OBJECT IDENTIFIERS (OID) . 96 E.1 WHAT IS AN OID? 96 E.2 OIDS SHALL BE REGISTERED:. 96 E.3 ESTABLISHING AN OID.96 E.4 OID LOOKUP 97 E.5 INTERNATIONAL NAME REGISTRATION 97 ANS x9.79-1:2001, Public Key Infr
27、astructure - Practices and Policy Framework 2001 American Bankers Associationvi Figures FIGURE 1: MODEL CA HIERARCHY . 45 FIGURE 2: REGISTRATION PROCESS WITH AN RA 45 FIGURE 3: REGISTRATION PROCESS WITHOUT AN RA 46 2001 American Bankers Association ANS x9.79-1:2001, Public Key Infrastructure - Pract
28、ices and Policy Frameworkvii Tables TABLE 1: NORMATIVE ANNEXES. 11 TABLE 2: INFORMATIVE ANNEXES 11 TABLE 3: CROSS-REFERENCE OF BASIC CRYPTOGRAPHIC FUNCTIONS TO SECURITY SERVICES. 12 TABLE B-4: CONTROL PROCEDURES CERTIFICATION PRACTICE STATEMENT AND CERTIFICATE POLICY MANAGEMENT . 47 TABLE B-5: CONTR
29、OL PROCEDURES SECURITY MANAGEMENT . 48 TABLE B-6: CONTROL PROCEDURES ASSET CLASSIFICATION AND MANAGEMENT 50 TABLE B-7: CONTROL PROCEDURES PERSONNEL SECURITY 50 TABLE B-8: CONTROL PROCEDURES PHYSICAL AND ENVIRONMENT SECURITY. 52 TABLE B-9: CONTROL PROCEDURES OPERATIONS MANAGEMENT. 54 TABLE B-10: CONT
30、ROL PROCEDURES SYSTEM ACCESS MANAGEMENT. 56 TABLE B-11: CONTROL PROCEDURES SYSTEMS DEVELOPMENT AND MAINTENANCE 58 TABLE B-12: CONTROL PROCEDURES BUSINESS CONTINUITY MANAGEMENT. 59 TABLE B-13: CONTROL PROCEDURES MONITORING AND COMPLIANCE. 61 TABLE B-14: CONTROL PROCEDURES EVENT JOURNALING 62 TABLE B-
31、15: CONTROL PROCEDURES CA KEY GENERATION 67 TABLE B-16: CONTROL PROCEDURES CA KEY STORAGE, BACKUP AND RECOVERY. 68 TABLE B-17: CONTROL PROCEDURES CA PUBLIC KEY DISTRIBUTION 69 TABLE B-18: CONTROL PROCEDURES CA KEY ESCROW 70 TABLE B-19: CONTROL PROCEDURES CA KEY USAGE 70 TABLE B-20: CONTROL PROCEDURE
32、S CA KEY DESTRUCTION. 70 TABLE B-21: CONTROL PROCEDURES CA KEY ARCHIVAL 71 TABLE B-22: CONTROL PROCEDURES CA CRYPTOGRAPHIC HARDWARE LIFE CYCLE MANAGEMENT 72 TABLE B-23: CONTROL PROCEDURES CA-PROVIDED SUBSCRIBER KEY MANAGEMENT SERVICES . 74 TABLE B-24: CONTROL PROCEDURES SUBSCRIBER REGISTRATION . 76
33、TABLE B-25: CONTROL PROCEDURES CERTIFICATE RENEWAL 78 TABLE B-26: CONTROL PROCEDURES CERTIFICATE REKEY. 79 TABLE B-27: CONTROL PROCEDURES CERTIFICATE ISSUANCE 81 TABLE B-28: CONTROL PROCEDURES CERTIFICATE DISTRIBUTION . 82 TABLE B-29: CONTROL PROCEDURES CERTIFICATE REVOCATION. 82 TABLE B-30: CONTROL
34、 PROCEDURES CERTIFICATE SUSPENSION 83 TABLE B-31: CONTROL PROCEDURES CERTIFICATE STATUS INFORMATION PROCESSING 85 TABLE B-32: CONTROL PROCEDURES INTEGRATED CIRCUIT LIFE CYCLE MANAGEMENT . 87 TABLE B-33: CROSS-REFERENCE RFC 2527 SECTIONS AND CONTROL OBJECTIVES 89 ANS x9.79-1:2001, Public Key Infrastr
35、ucture - Practices and Policy Framework 2001 American Bankers Associationviii Foreword Institutions and intermediaries are building infrastructures to provide new electronic financial transaction capabilities to consumers, corporations, and government entities. As the volume of electronic financial
36、transactions continues to grow, advanced security technology employing digital signatures and authority systems can become part of the financial transaction process. Financial transaction systems incorporating advance security technology have requirements to ensure the privacy, authenticity, and int
37、egrity of financial transactions conducted over communications networks. The financial services industry relies on several time-honored methods of electronically identifying, authorizing, and authenticating entities and protect financial transactions. These methods include, but are not limited to: P
38、ersonal Identification Numbers (PINs) and Message Authentication Codes (MACs) for retail and wholesale financial transactions, user IDs and passwords for network and computer access, and key management for network connectivity. Over the last twenty years banks, investment, and insurance companies ha
39、ve developed risk management processes and policies to support the use of these technologies in financial applications. The expanded use of Internet technologies by the financial services industry and the needs of the industry in general to provide safe, private, and reliable financial transaction a
40、nd computing systems have given rise to advanced security technology incorporating public key cryptography. Public-key cryptography requires a business-optimized infrastructure of technology, management, and policy (a public-key infrastructure or PKI, as defined in this Standard) to satisfy requirem
41、ents of electronic identification, authentication, and authorization in financial application systems. The use of standard practices for electronic identification, authentication, and authorization in a PKI ensures more consistent and predictable security in these systems and confidence in electroni
42、c communications. Confidence (e.g., trust) can be achieved when compliance to standard practices can be ascertained. Applications serving the financial services industry can be developed with digital signature and PKI capabilities. The safety and the soundness of these applications are based in part
43、 on implementations and practices designed to ensure the overall integrity of the infrastructure. Users of authority-based systems that electronically bind the identity of individuals and other entities to cryptographic materials (e.g., cryptographic keys) benefit from standard risk management syste
44、ms and the base of auditable practices defined in this Standard. Members of the Accredited Standards Committee (ASC) X9 have made a commitment to public-key technology by developing technical standards and guidelines for digital signatures, key management, certificate management and data encryption.
45、 For implementers of these standards, the degree to which any entity in a payment transaction can rely on the implementation of public-key infrastructure standards and the extent of interoperability between PKI-based systems using 2001 American Bankers Association ANS x9.79-1:2001, Public Key Infras
46、tructure - Practices and Policy Frameworkix these standards will depend partly on factors relative to policy and practices defined in this Standard. Suggestions for the improvement or revision of this Standard are welcome. They should be sent to the X9 Committee Secretariat, American Bankers Associa
47、tion, 1120 Connecticut Avenue NW, Washington, DC, 20036. This standard was processed and approved for submittal to ANSI by the Accredited Standards Committee - X9 Financial Services. Committee approval of the Standard does not necessarily imply that all the committee members voted for its approval.
48、Cynthia L. Fuller, Associate Director Darlene Schubert, Assistant Division Manager The X9 committee had the following members: Harold Deal, Chairman Bil Lyons, Vice-Chairman Organization Represented Representative ACI Worldwide. Jim Shaffer American Bankers Association . Stephen Schutze American Exp
49、ress Company. Bonnie Howard Bank of America . Harold Deal Bank One Corporation Bil Lyons Certicom Corporation Don Johnson Chase Manhattan Bank Arlene Gariboldi Check Solutions. Ron Schultz Check Solutions. Harry Hankla Citibank . David Budinger Cybersafe Corporation Glenda Barnes Deloitte and (2) the message has not been altered since its Digital Signature was created. ANS x9.79-1:2001, Public Key Infrastructure - Practices and Policy Framework 2001 American Bankers Association10 4 Symbols (And Abbreviations