ANSI ASC X9 X9.79-1-2001 Part 1 PKI Practices and Policy Framework.pdf

上传人:wealthynice100 文档编号:431355 上传时间:2018-11-11 格式:PDF 页数:111 大小:767.29KB
下载 相关 举报
ANSI ASC X9 X9.79-1-2001 Part 1 PKI Practices and Policy Framework.pdf_第1页
第1页 / 共111页
ANSI ASC X9 X9.79-1-2001 Part 1 PKI Practices and Policy Framework.pdf_第2页
第2页 / 共111页
ANSI ASC X9 X9.79-1-2001 Part 1 PKI Practices and Policy Framework.pdf_第3页
第3页 / 共111页
ANSI ASC X9 X9.79-1-2001 Part 1 PKI Practices and Policy Framework.pdf_第4页
第4页 / 共111页
ANSI ASC X9 X9.79-1-2001 Part 1 PKI Practices and Policy Framework.pdf_第5页
第5页 / 共111页
点击查看更多>>
资源描述

1、American National Standard for Financial Services ANS X9.79-1:2001 Part 1: PKI Practices and Policy Framework Secretariat American Bankers Association Approved: January 2001 American National Standards InstituteANS x9.79-1:2001, Public Key Infrastructure - Practices and Policy Framework 2001 America

2、n Bankers Associationii American National Standard Approval of an American National Standard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. Consensus is established when, in the judgment of the

3、 ANSI Board of Standards Review, directly and materially affected interests have reached substantial agreement. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be

4、made toward their resolution. The use of American National Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to

5、 the standards. The American National Standards Institute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of

6、 the American National Standards Institute. Requests for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard. CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American Na

7、tional Standards Institute require that action be taken to reaffirm, revise, or withdraw this standard no later than five years from the date of approval. Published by: American Bankers Association 1120 Connecticut Ave., NW Washington, DC 20036 USA Customer Service Center + 1 800 338 0626 or + 1 202

8、 663 5087 Fax + 1 202 663 7543 Email X9 Online: http:/www.x9.org Copyright (X9 2000) by American Bankers Association All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Pri

9、nted in the United States of America 2001 American Bankers Association ANS x9.79-1:2001, Public Key Infrastructure - Practices and Policy Frameworkiii Contents 1 SCOPE OF THIS STANDARD . 1 2 NORMATIVE REFERENCE(S) . 2 3 DEFINITIONS. 3 4 SYMBOLS (AND ABBREVIATIONS) 10 5 ORGANIZATION. 11 6 PKI CERTIFI

10、CATE POLICY AND CERTIFICATION PRACTICE STATEMENT. 12 6.1 WHAT IS PKI (PUBLIC-KEY INFRASTRUCTURE)? 12 6.2 PKI MODELS 13 6.2.1 Closed Model 13 6.2.2 Network Model 13 6.2.3 Open Model. 13 6.3 PKI PERSPECTIVES . 14 6.3.1 Functional Perspective 14 6.3.2 Legal Perspective 16 6.3.3 Regulatory Perspective .

11、 16 6.3.4 Business Usage Perspective 16 6.4 RELATIONSHIP BETWEEN CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT 17 6.4.1 Authorship. 17 6.4.2 Purpose . 17 6.4.3 Level of Specificity 17 6.4.4 Approach. 18 6.4.5 Public and Private Access. 18 6.5 CERTIFICATE POLICY (CP) . 19 6.6 CERTIFICATION

12、PRACTICE STATEMENT (CPS) 20 6.7 CERTIFICATE POLICY, CPS, AND CA INTEROPERABILITY 21 7 GENERAL REQUIREMENTS 21 7.1 CERTIFICATE POLICY (CP) . 21 7.2 CERTIFICATION PRACTICE STATEMENTS 23 7.2.1 Segmentation of a Certification Practice Statement. 23 ANNEX A (NORMATIVE) ELEMENTS OF POLICY AND PRACTICE 26

13、A.1 INTRODUCTION . 26 A.1.1 Overview . 26 A.1.2 Identification . 26 A.1.3 Community and Applicability 26 A.1.4 Contact Details 27 A.2 GENERAL PROVISIONS 27 A.2.1 Liability . 27 A.2.2 Obligations 28 ANS x9.79-1:2001, Public Key Infrastructure - Practices and Policy Framework 2001 American Bankers Ass

14、ociationiv A.2.3 Interpretation and Enforcement 29 A.2.4 Publication and Repositories 29 A.2.5 Compliance Audit 29 A.2.6 Confidentiality Policy 29 A.3 IDENTIFICATION AND AUTHENTICATION 30 A.3.1 Initial Registration 30 A.3.2 Routine Re-key 31 A.3.3 Re-key after Revocation - No Key Compromise. 31 A.3.

15、4 Revocation Request . 31 A.4 OPERATIONAL REQUIREMENTS 32 A.4.1 Certificate Application 32 A.4.2 Certificate Issuance. 32 A.4.3 Certificate Acceptance 32 A.4.4 Certificate Suspension and Revocation. 32 A.4.5 Security Audit Procedures. 33 A.4.6 Records Archival. 34 A.4.7 Key Changeover 34 A.4.8 Compr

16、omise and Disaster Recovery . 34 A.4.9 CA Termination. 35 A.5 PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS. 35 A.5.1 Physical Security Controls 35 A.5.2 Procedural Controls 36 A.5.3 Personnel Security Controls 36 A.6 TECHNICAL SECURITY CONTROLS 37 A.6.1 Key Pair Generation and Installation.

17、 38 A.6.2 Private Key Protection 38 A.6.3 Other Aspects of Key Pair Management . 39 A.6.4 Activation Data . 40 A.6.5 Computer Security Controls 40 A.6.6 Life Cycle Security Controls . 40 A.6.7 Network Security Controls 40 A.6.8 Cryptographic Module Engineering Controls. 40 A.7 CERTIFICATE AND CRL PR

18、OFILES 41 A.7.1 Certificate Profile 41 A.7.2 CRL Profile . 41 A.7.3 OCSP Profile. 41 A.8 PRACTICES ADMINISTRATION . 42 A.8.1 Change procedures . 42 A.8.2 Publication and Notification Procedures 43 A.8.3 Approval Procedures 43 ANNEX B (NORMATIVE) CERTIFICATION AUTHORITY CONTROL OBJECTIVES. 44 B.1 CA

19、ENVIRONMENTAL CONTROLS. 47 B.1.1 Certification Practice Statement and Certificate Policy Management . 47 B.1.2 Security Management 48 B.1.3 Asset Classification and Management 50 B.1.4 Personnel Security 50 B.1.5 Physical and Environmental Security . 51 B.1.6 Operations Management. 54 B.1.7 System A

20、ccess Management 56 B.1.8 Systems Development and Maintenance .58 B.1.9 Business Continuity Management . 58 B.1.10 Monitoring and Compliance. 61 B.1.11 Event Journaling 62 2001 American Bankers Association ANS x9.79-1:2001, Public Key Infrastructure - Practices and Policy Frameworkv B.2 KEY MANAGEME

21、NT LIFE CYCLE CONTROLS 67 B.2.1 CA Key Generation . 67 B.2.2 CA Key Storage, Backup and Recovery 68 B.2.3 CA Public Key Distribution. 69 B.2.4 CA Key Escrow (if supported). 70 B.2.5 CA Key Usage . 70 B.2.6 CA Key Destruction. 70 B.2.7 CA Key Archival 71 B.2.8 CA Cryptographic Hardware Life Cycle Man

22、agement. 72 B.2.9 CA-Provided Subscriber Key Management Services (if supported). 74 B.3 CERTIFICATE LIFE CYCLE CONTROLS. 76 B.3.1 Subscriber Registration. 76 B.3.2 Certificate Renewal (if supported) 78 B.3.3 Certificate Rekey . 79 B.3.4 Certificate Issuance. 81 B.3.5 Certificate Distribution . 82 B.

23、3.6 Certificate Revocation. 82 B.3.7 Certificate Suspension (if supported) 83 B.3.8 Certificate Status Information Processing 85 B.3.9 Integrated Circuit Card (ICC) Life Cycle Management (if supported). 86 B.4. MAPPING TO RFC 2527 AND X9.79 ANNEX A . 89 ANNEX C (INFORMATIVE) X.509 CERTIFICATE FIELDS

24、. 91 C.1 EXPLANATION OF X.509 EXTENTIONS. 91 C.1.1 Certificate Policies Extension . 91 C.1.2 Policy Mappings Extension. 92 C.1.3 Policy Constraints Extension 92 C.2 POLICY QUALIFIERS. 93 ANNEX D (INFORMATIVE) BIBLIOGRAPHY . 94 D.1 IETF REQUEST FOR COMMENT DRAFTS 94 D.2 NATIONAL AUTOMATED CLEARING HO

25、USE ASSOCIATION (NACHA) . 94 D.3 DRAFT GUIDELINE FROM OFFICE COMPTROLLER OF CURRENCY 94 D.4 AMERICAN BAR ASSOCIATION (ABARA), INFORMATION SECURITY COMMITTEE 94 D.5 AMERICAN INSTITUTE OF CERTIFIED PUBLIC ACCOUNTANTS (AICPA) AND CANADIAN INSTITUTE OF CHARTERED ACCOUNTANTS (CICA) 94 D.6 BRITISH STANDAR

26、DS INSTITUTION . 95 D.7 INTERNATIONAL ORGANISATION FOR STANDARDISATION 95 ANNEX E (INFORMATIVE) OBJECT IDENTIFIERS (OID) . 96 E.1 WHAT IS AN OID? 96 E.2 OIDS SHALL BE REGISTERED:. 96 E.3 ESTABLISHING AN OID.96 E.4 OID LOOKUP 97 E.5 INTERNATIONAL NAME REGISTRATION 97 ANS x9.79-1:2001, Public Key Infr

27、astructure - Practices and Policy Framework 2001 American Bankers Associationvi Figures FIGURE 1: MODEL CA HIERARCHY . 45 FIGURE 2: REGISTRATION PROCESS WITH AN RA 45 FIGURE 3: REGISTRATION PROCESS WITHOUT AN RA 46 2001 American Bankers Association ANS x9.79-1:2001, Public Key Infrastructure - Pract

28、ices and Policy Frameworkvii Tables TABLE 1: NORMATIVE ANNEXES. 11 TABLE 2: INFORMATIVE ANNEXES 11 TABLE 3: CROSS-REFERENCE OF BASIC CRYPTOGRAPHIC FUNCTIONS TO SECURITY SERVICES. 12 TABLE B-4: CONTROL PROCEDURES CERTIFICATION PRACTICE STATEMENT AND CERTIFICATE POLICY MANAGEMENT . 47 TABLE B-5: CONTR

29、OL PROCEDURES SECURITY MANAGEMENT . 48 TABLE B-6: CONTROL PROCEDURES ASSET CLASSIFICATION AND MANAGEMENT 50 TABLE B-7: CONTROL PROCEDURES PERSONNEL SECURITY 50 TABLE B-8: CONTROL PROCEDURES PHYSICAL AND ENVIRONMENT SECURITY. 52 TABLE B-9: CONTROL PROCEDURES OPERATIONS MANAGEMENT. 54 TABLE B-10: CONT

30、ROL PROCEDURES SYSTEM ACCESS MANAGEMENT. 56 TABLE B-11: CONTROL PROCEDURES SYSTEMS DEVELOPMENT AND MAINTENANCE 58 TABLE B-12: CONTROL PROCEDURES BUSINESS CONTINUITY MANAGEMENT. 59 TABLE B-13: CONTROL PROCEDURES MONITORING AND COMPLIANCE. 61 TABLE B-14: CONTROL PROCEDURES EVENT JOURNALING 62 TABLE B-

31、15: CONTROL PROCEDURES CA KEY GENERATION 67 TABLE B-16: CONTROL PROCEDURES CA KEY STORAGE, BACKUP AND RECOVERY. 68 TABLE B-17: CONTROL PROCEDURES CA PUBLIC KEY DISTRIBUTION 69 TABLE B-18: CONTROL PROCEDURES CA KEY ESCROW 70 TABLE B-19: CONTROL PROCEDURES CA KEY USAGE 70 TABLE B-20: CONTROL PROCEDURE

32、S CA KEY DESTRUCTION. 70 TABLE B-21: CONTROL PROCEDURES CA KEY ARCHIVAL 71 TABLE B-22: CONTROL PROCEDURES CA CRYPTOGRAPHIC HARDWARE LIFE CYCLE MANAGEMENT 72 TABLE B-23: CONTROL PROCEDURES CA-PROVIDED SUBSCRIBER KEY MANAGEMENT SERVICES . 74 TABLE B-24: CONTROL PROCEDURES SUBSCRIBER REGISTRATION . 76

33、TABLE B-25: CONTROL PROCEDURES CERTIFICATE RENEWAL 78 TABLE B-26: CONTROL PROCEDURES CERTIFICATE REKEY. 79 TABLE B-27: CONTROL PROCEDURES CERTIFICATE ISSUANCE 81 TABLE B-28: CONTROL PROCEDURES CERTIFICATE DISTRIBUTION . 82 TABLE B-29: CONTROL PROCEDURES CERTIFICATE REVOCATION. 82 TABLE B-30: CONTROL

34、 PROCEDURES CERTIFICATE SUSPENSION 83 TABLE B-31: CONTROL PROCEDURES CERTIFICATE STATUS INFORMATION PROCESSING 85 TABLE B-32: CONTROL PROCEDURES INTEGRATED CIRCUIT LIFE CYCLE MANAGEMENT . 87 TABLE B-33: CROSS-REFERENCE RFC 2527 SECTIONS AND CONTROL OBJECTIVES 89 ANS x9.79-1:2001, Public Key Infrastr

35、ucture - Practices and Policy Framework 2001 American Bankers Associationviii Foreword Institutions and intermediaries are building infrastructures to provide new electronic financial transaction capabilities to consumers, corporations, and government entities. As the volume of electronic financial

36、transactions continues to grow, advanced security technology employing digital signatures and authority systems can become part of the financial transaction process. Financial transaction systems incorporating advance security technology have requirements to ensure the privacy, authenticity, and int

37、egrity of financial transactions conducted over communications networks. The financial services industry relies on several time-honored methods of electronically identifying, authorizing, and authenticating entities and protect financial transactions. These methods include, but are not limited to: P

38、ersonal Identification Numbers (PINs) and Message Authentication Codes (MACs) for retail and wholesale financial transactions, user IDs and passwords for network and computer access, and key management for network connectivity. Over the last twenty years banks, investment, and insurance companies ha

39、ve developed risk management processes and policies to support the use of these technologies in financial applications. The expanded use of Internet technologies by the financial services industry and the needs of the industry in general to provide safe, private, and reliable financial transaction a

40、nd computing systems have given rise to advanced security technology incorporating public key cryptography. Public-key cryptography requires a business-optimized infrastructure of technology, management, and policy (a public-key infrastructure or PKI, as defined in this Standard) to satisfy requirem

41、ents of electronic identification, authentication, and authorization in financial application systems. The use of standard practices for electronic identification, authentication, and authorization in a PKI ensures more consistent and predictable security in these systems and confidence in electroni

42、c communications. Confidence (e.g., trust) can be achieved when compliance to standard practices can be ascertained. Applications serving the financial services industry can be developed with digital signature and PKI capabilities. The safety and the soundness of these applications are based in part

43、 on implementations and practices designed to ensure the overall integrity of the infrastructure. Users of authority-based systems that electronically bind the identity of individuals and other entities to cryptographic materials (e.g., cryptographic keys) benefit from standard risk management syste

44、ms and the base of auditable practices defined in this Standard. Members of the Accredited Standards Committee (ASC) X9 have made a commitment to public-key technology by developing technical standards and guidelines for digital signatures, key management, certificate management and data encryption.

45、 For implementers of these standards, the degree to which any entity in a payment transaction can rely on the implementation of public-key infrastructure standards and the extent of interoperability between PKI-based systems using 2001 American Bankers Association ANS x9.79-1:2001, Public Key Infras

46、tructure - Practices and Policy Frameworkix these standards will depend partly on factors relative to policy and practices defined in this Standard. Suggestions for the improvement or revision of this Standard are welcome. They should be sent to the X9 Committee Secretariat, American Bankers Associa

47、tion, 1120 Connecticut Avenue NW, Washington, DC, 20036. This standard was processed and approved for submittal to ANSI by the Accredited Standards Committee - X9 Financial Services. Committee approval of the Standard does not necessarily imply that all the committee members voted for its approval.

48、Cynthia L. Fuller, Associate Director Darlene Schubert, Assistant Division Manager The X9 committee had the following members: Harold Deal, Chairman Bil Lyons, Vice-Chairman Organization Represented Representative ACI Worldwide. Jim Shaffer American Bankers Association . Stephen Schutze American Exp

49、ress Company. Bonnie Howard Bank of America . Harold Deal Bank One Corporation Bil Lyons Certicom Corporation Don Johnson Chase Manhattan Bank Arlene Gariboldi Check Solutions. Ron Schultz Check Solutions. Harry Hankla Citibank . David Budinger Cybersafe Corporation Glenda Barnes Deloitte and (2) the message has not been altered since its Digital Signature was created. ANS x9.79-1:2001, Public Key Infrastructure - Practices and Policy Framework 2001 American Bankers Association10 4 Symbols (And Abbreviations

展开阅读全文
相关资源
  • ANSI Z97 1-2009 American National Standard for Safety Glazing Materials used in Buildings - Safety Performance Specifications and Methods of Test《建筑物中窗用玻璃材料安全性用.pdfANSI Z97 1-2009 American National Standard for Safety Glazing Materials used in Buildings - Safety Performance Specifications and Methods of Test《建筑物中窗用玻璃材料安全性用.pdf
  • ANSI Z97 1 ERTA-2010 Re ANSI Z97 1 - 2009 Errata《修订版 美国国家标准学会Z97 1-2009标准的勘误表》.pdfANSI Z97 1 ERTA-2010 Re ANSI Z97 1 - 2009 Errata《修订版 美国国家标准学会Z97 1-2009标准的勘误表》.pdf
  • ANSI Z21 40 2a-1997 Gas-Fired Work Activated Air-Conditioning and Heat Pump Appliances (Same as CGA 2 92a)《燃气、工作激活空气调节和热泵器具(同 CGA 2 92a)》.pdfANSI Z21 40 2a-1997 Gas-Fired Work Activated Air-Conditioning and Heat Pump Appliances (Same as CGA 2 92a)《燃气、工作激活空气调节和热泵器具(同 CGA 2 92a)》.pdf
  • ANSI Z124 9-2004 American National Standard for Plastic Urinal Fixtures《塑料小便器用美国国家标准》.pdfANSI Z124 9-2004 American National Standard for Plastic Urinal Fixtures《塑料小便器用美国国家标准》.pdf
  • ANSI Z124 4-2006 American National Standard for Plastic Water Closet Bowls and Tanks《塑料抽水马桶和水箱用美国国家标准》.pdfANSI Z124 4-2006 American National Standard for Plastic Water Closet Bowls and Tanks《塑料抽水马桶和水箱用美国国家标准》.pdf
  • ANSI Z124 3-2005 American National Standard for Plastic Lavatories《塑料洗脸盆用美国国家标准》.pdfANSI Z124 3-2005 American National Standard for Plastic Lavatories《塑料洗脸盆用美国国家标准》.pdf
  • ANSI T1 659-1996 Telecommunications - Mobility Management Application Protocol (MMAP) RCF-RACF Operations《电信 可移动管理应用协议(MMAP) RCF-RACF操作》.pdfANSI T1 659-1996 Telecommunications - Mobility Management Application Protocol (MMAP) RCF-RACF Operations《电信 可移动管理应用协议(MMAP) RCF-RACF操作》.pdf
  • ANSI T1 651-1996 Telecommunications – Mobility Management Application Protocol (MMAP)《电信 可移动性管理应用协议》.pdfANSI T1 651-1996 Telecommunications – Mobility Management Application Protocol (MMAP)《电信 可移动性管理应用协议》.pdf
  • ANSI T1 609-1999 Interworking between the ISDN User-Network Interface Protocol and the Signalling System Number 7 ISDN User Part《电信 ISDN用户间网络接口协议和7号信令系统ISDN用户部分.pdfANSI T1 609-1999 Interworking between the ISDN User-Network Interface Protocol and the Signalling System Number 7 ISDN User Part《电信 ISDN用户间网络接口协议和7号信令系统ISDN用户部分.pdf
  • ANSI T1 605-1991 Integrated Services Digital Network (ISDN) - Basic Access Interface for S and T Reference Points (Layer 1 Specification)《综合服务数字网络(ISDN) S和T基准点的.pdfANSI T1 605-1991 Integrated Services Digital Network (ISDN) - Basic Access Interface for S and T Reference Points (Layer 1 Specification)《综合服务数字网络(ISDN) S和T基准点的.pdf
  • 猜你喜欢
    相关搜索

    当前位置:首页 > 标准规范 > 国际标准 > ANSI

    copyright@ 2008-2019 麦多课文库(www.mydoc123.com)网站版权所有
    备案/许可证编号:苏ICP备17064731号-1