1、 Reference numberISO/IEC TR 14516:2002(E)ISO/IEC 2002Information technology Security techniques Guidelines for the use and management of Trusted Third Party services Technologies de linformation Techniques de scurit Lignes directrices pour lemploi et la gestion des services TTP National Standard of
2、CanadaCAN/CSA-ISO/IEC TR 14516:04(ISO/IEC TR 14516:2002)Technical Report ISO/IEC TR 14516:2002 (first edition, 2002-06-15) has been adopted without modification(IDT) as CSA Standard CAN/CSA-ISO/IEC TR 14516:04, which has been approved as a National Standard of Canadaby the Standards Council of Canad
3、a.ISBN 1-55397-261-9 January 2004The Canadian Standards Association (CSA), The Standards Council of Canada is theunder whose auspices this National Standard has been coordinating body of the National Standards system, produced, was chartered in 1919 and accredited by a federation of independent, aut
4、onomousthe Standards Council of Canada to the National organizations working towards the furtherStandards system in 1973. It is a not-for-profit, development and improvement of voluntarynonstatutory, voluntary membership association standardization in the national interest.engaged in standards devel
5、opment and certification The principal objects of the Council are to foster activities. and promote voluntary standardization as a means CSA standards reflect a national consensus of of advancing the national economy, benefiting theproducers and users including manufacturers, health, safety, and wel
6、fare of the public, assisting consumers, retailers, unions and professional and protecting the consumer, facilitating domestic organizations, and governmental agencies. The and international trade, and furthering internationalstandards are used widely by industry and commerce cooperation in the fiel
7、d of standards.and often adopted by municipal, provincial, and A National Standard of Canada is a standard whichfederal governments in their regulations, particularly in has been approved by the Standards Council ofthe fields of health, safety, building and construction, Canada and one which reflect
8、s a reasonableand the environment. agreement among the views of a number of capableIndividuals, companies, and associations across individuals whose collective interests provide to theCanada indicate their support for CSAs standards greatest practicable extent a balance ofdevelopment by volunteering
9、 their time and skills to representation of producers, users, consumers, andCSA Committee work and supporting the Associations others with relevant interests, as may be appropriateobjectives through sustaining memberships. The more to the subject in hand. It normally is a standardthan 7000 committee
10、 volunteers and the 2000 which is capable of making a significant and timelysustaining memberships together form CSAs total contribution to the national interest.membership from which its Directors are chosen. Approval of a standard as a National Standard ofSustaining memberships represent a major s
11、ource of Canada indicates that a standard conforms to theincome for CSAs standards development activities. criteria and procedures established by the StandardsThe Association offers certification and testing Council of Canada. Approval does not refer to theservices in support of and as an extension
12、to its technical content of the standard; this remains thestandards development activities. To ensure the continuing responsibility of the accreditedintegrity of its certification process, the Association standards-development organization.regularly and continually audits and inspects products Those
13、 who have a need to apply standards arethat bear the CSA Mark. encouraged to use National Standards of CanadaIn addition to its head office and laboratory complex whenever practicable. These standards are subject in Toronto, CSA has regional branch offices in major to periodic review; therefore, use
14、rs are cautioned centres across Canada and inspection and testing to obtain the latest edition from the organizationagencies in eight countries. Since 1919, the preparing the standard.Association has developed the necessary expertise to The responsibility for approving National Standards meet its co
15、rporate mission: CSA is an independent of Canada rests with theservice organization whose mission is to provide an Standards Council of Canadaopen and effective forum for activities facilitating the 270 Albert Street, Suite 200exchange of goods and services through the use of Ottawa, Ontario, K1P 6N
16、7standards, certification and related services to meet Canadanational and international needs.For further information on CSA services, write toCanadian Standards Association5060 Spectrum Way, Suite 100Mississauga, Ontario, L4W 5N6CanadaCette Norme nationale du Canada est offerte en anglais et en fra
17、nais.Although the intended primary application of this Standard is stated in its Scope, it is importantto note that it remains the responsibility of the users to judge its suitability for their particular purpose.Registered trade-mark of Canadian Standards AssociationCAN/CSA-ISO/IEC TR 14516:04 use
18、and management of Trusted Third Party servicesInformation technology Security techniques Guidelines for theJanuary 2004 Canadian Standards Association CSA/1CAN/CSA-ISO/IEC TR 14516:04Information technology Security techniques Guidelines forthe use and managment of TrustedThird Party servicesCSA Pref
19、aceStandards development within the Information Technology sector is harmonized with internationalstandards development. Through the CSA Technical Committee on Information Technology (TCIT),Canadians serve as the Canadian Advisory Committee (CAC) on ISO/IEC Joint Technical Committee 1 on Information
20、 Technology (ISO/IEC JTC1) for the Standards Council of Canada (SCC), the ISO memberbody for Canada and sponsor of the Canadian National Committee of the IEC. Also, as a member of theInternational Telecommunication Union (ITU), Canada participates in the International Telegraph andTelephone Consulta
21、tive Committee (ITU-T).This Technical Report was reviewed by the CSA TCIT under the jurisdiction of the Strategic SteeringCommittee on Information Technology and deemed acceptable for use in Canada. (A committeemembership list is available on request from the CSA Project Manager.) From time to time,
22、 ISO/IEC maypublish addenda, corrigenda, etc. The CSA TCIT will review these documents for approval andpublication. For a listing, refer to the CSA Information Products catalogue or CSA Info Update or contacta CSA Sales representative. This Technical Report has been formally approved, without modifi
23、cation, bythe Technical Committee and has been approved as a National Standard of Canada by the StandardsCouncil of Canada.January 2004 Canadian Standards Association 2004All rights reserved. No part of this publication may be reproduced in any form whatsoever without the prior permission ofthe publ
24、isher. ISO/IEC material is reprinted with permission. Where the words “this Technical Report” appear in the text,they should be interpreted as “this National Standard of Canada”. Inquiries regarding this National Standard of Canada should be addressed to Canadian Standards Association 5060 Spectrum
25、Way, Suite 100, Mississauga, Ontario, Canada L4W 5N6 1-800-463-6727 416-747-4044www.csa.caReference numberISO/IEC TR 14516:2002(E)ISO/IEC 2002TECHNICAL REPORT ISO/IECTR14516First edition2002-06-15Information technology Security techniques Guidelines for the use and management of Trusted Third Party
26、services Technologies de linformation Techniques de scurit Lignes directrices pour lemploi et la gestion des services TTP ISO/IEC TR 14516:2002(E) PDF disclaimer This PDF file may contain embedded typefaces. In accordance with Adobes licensing policy, this file may be printed or viewed but shall not
27、 be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobes licensing policy. The ISO Central Secretariat accepts no liability in this area. Adobe
28、 is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO me
29、mber bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below. ISO/IEC 2002 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
30、 or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISOs member body in the country of the requester. ISO copyright office Case postale 56 CH-1211 Geneva 20 Tel. + 41 22 749 01 11 Fax + 41 22 749 09 47 E-mail copyrightiso.ch Web
31、 www.iso.ch ii ISO/IEC 2002 All rights reservedISO/IEC TR 14516:2002(E) ISO/IEC 2002 All rights reserved iiiCONTENTS Page 1 Scope . 1 2 References 1 2.1 Identical Recommendations | International Standards 1 2.2 Paired Recommendations | International Standards equivalent in technical content 1 2.3 Ad
32、ditional References 1 3 Definitions 2 4 General Aspects 3 4.1 Basis of Security Assurance and Trust 3 4.2 Interaction between a TTP and Entities Using its Services 4 4.2.1 In-line TTP Services . 4 4.2.2 On-line TTP Services 4 4.2.3 Off-line TTP Services. 5 4.3 Interworking of TTP Services 5 5 Manage
33、ment and Operational Aspects of a TTP 5 5.1 Legal Issues. 6 5.2 Contractual Obligations 6 5.3 Responsibilities 7 5.4 Security Policy. 7 5.4.1 Security Policy Elements 8 5.4.2 Standards 8 5.4.3 Directives and Procedures. 8 5.4.4 Risk Management. 8 5.4.5 Selection of Safeguards. 9 5.4.5.1 Physical and
34、 Environmental Measures . 9 5.4.5.2 Organisational and Personnel Measures . 9 5.4.5.3 IT Specific Measures. 9 5.4.6 Implementation Aspects of IT Security 10 5.4.6.1 Awareness and Training 10 5.4.6.2 Trustworthiness and Assurance 10 5.4.6.3 Accreditation of TTP Certification Bodies 11 5.4.7 Operation
35、al Aspects of IT Security 11 5.4.7.1 Audit/Assessment 11 5.4.7.2 Incident Handling 12 5.4.7.3 Contingency Planning 12 5.5 Quality of Service 12 5.6 Ethics 12 5.7 Fees. 12 6 Interworking. 12 6.1 TTP-Users . 13 6.2 User-User 13 6.3 TTP-TTP. 13 6.4 TTP-Law Enforcement Agency 14 7 Major Categories of TT
36、P Services. 14 7.1 Time Stamping Service 14 7.1.1 Time Stamping Authority 14 7.2 Non-repudiation Services . 15 7.3 Key Management Services. 16 7.3.1 Key Generation Service 16 7.3.2 Key Registration Service. 16 7.3.3 Key Certification Service 16 7.3.4 Key Distribution Service. 17 7.3.5 Key Installati
37、on Service 17 7.3.6 Key Storage Service 17 7.3.7 Key Derivation Service. 17 7.3.8 Key Archiving Service 17 ISO/IEC TR 14516:2002(E) iv ISO/IEC 2002 All rights reservedPage 7.3.9 Key Revocation Service 17 7.3.10 Key Destruction Service . 17 7.4 Certificate Management Services . 18 7.4.1 Public Key Ce
38、rtificate Service 18 7.4.2 Privilege Attribute Service 18 7.4.3 On-line Authentication Service Based on Certificates 19 7.4.4 Revocation of Certificates Service. 19 7.5 Electronic Notary Public Services 19 7.5.1 Evidence Generation Service 20 7.5.2 Evidence Storage Service 20 7.5.3 Arbitration Servi
39、ce 20 7.5.4 Notary Authority 20 7.6 Electronic Digital Archiving Service 21 7.7 Other Services . 22 7.7.1 Directory Service 22 7.7.2 Identification and Authentication Service 23 7.7.2.1 On-line Authentication Service 23 7.7.2.2 Off-line Authentication Service . 25 7.7.2.3 In-line Authentication Serv
40、ice 25 7.7.3 In-line Translation Service 25 7.7.4 Recovery Services 25 7.7.4.1 Key Recovery Services 25 7.7.4.2 Data Recovery Services . 26 7.7.5 Personalisation Service . 26 7.7.6 Access Control Service. 26 7.7.7 Incident Reporting and Alert Management Service 26 Annex A Security Requirements for M
41、anagement of TTPs 28 Annex B Aspects of CA management . 29 B.1 Example of Registration Process Procedures. 29 B.2 An example of requirements for Certification Authorities. 29 B.3 Certification Policy and Certification Practice Statement (CPS) 31 Annex C Bibliography 32 Table of Figures Figure 1 In-l
42、ine TTP Service Between Entities 4 Figure 2 On-line TTP Service Between Entities 5 Figure 3 Off-line TTP Service Between Entities 5 Figure 4 Interworking of TTPs in Different Domains 13 Figure 5 Example of Non-repudiation Architecture . 16 Figure 6 Link Between an Attribute Certificate and a Public
43、Key Certificate . 19 Figure 7 Directory Service Architecture 23 Figure 8 Example for On-line Authentication Services 24 Figure 9 Example for In-line TTP Authentication Service . 25 Figure 10 Example of Alert Management Service 27 ISO/IEC TR 14516:2002(E) ISO/IEC 2002 All rights reserved vForeword IS
44、O (the International Organization for Standardization) and IEC (the International Electrotechnical Commission) form the specialized system for worldwide standardization. National bodies that are members of ISO or IEC participate in the development of International Standards through technical committ
45、ees established by the respective organization to deal with particular fields of technical activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the wor
46、k. In the field of information technology, ISO and IEC have established a joint technical committee, ISO/IEC JTC 1. International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3. The main task of the joint technical committee is to prepare International Sta
47、ndards. Draft International Standards adopted by the joint technical committee are circulated to national bodies for voting. Publication as an International Standard requires approval by at least 75 % of the national bodies casting a vote. In exceptional circumstances, the joint technical committee
48、may propose the publication of a Technical Report of one of the following types: type 1, when the required support cannot be obtained for the publication of an International Standard, despite repeated efforts; type 2, when the subject is still under technical development or where for any other reaso
49、n there is the future but not immediate possibility of an agreement on an International Standard; type 3, when the joint technical committee has collected data of a different kind from that which is normally published as an International Standard (“state of the art”, for example). Technical Reports of types 1 and 2 are subject to review within three years of publication, to decide whether they can be transformed into International Standards. Technical Reports of type 3 do not necessaril
