ITU-T Q.817 (01/2001): TMN PKI - Digital certificates and certificate revocation lists profiles (Study Group 4)

Uploaded by: hopesteam270. Document ID: 802367. Uploaded: 2019-02-04. Format: PDF. Pages: 15. Size: 275.62 KB.
INTERNATIONAL TELECOMMUNICATION UNION
ITU-T Q.817
TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU
(01/2001)

SERIES Q: SWITCHING AND SIGNALLING
Q3 interface

TMN PKI - Digital certificates and certificate revocation lists profiles

ITU-T Recommendation Q.817
(Formerly CCITT Recommendation)

ITU-T Q-SERIES RECOMMENDATIONS: SWITCHING AND SIGNALLING

SIGNALLING IN THE INTERNATIONAL MANUAL SERVICE: Q.1-Q.3
INTERNATIONAL AUTOMATIC AND SEMI-AUTOMATIC WORKING: Q.4-Q.59
FUNCTIONS AND INFORMATION FLOWS FOR SERVICES IN THE ISDN: Q.60-Q.99
CLAUSES APPLICABLE TO ITU-T STANDARD SYSTEMS: Q.100-Q.119
SPECIFICATIONS OF SIGNALLING SYSTEMS No. 4 AND No. 5: Q.120-Q.249
SPECIFICATIONS OF SIGNALLING SYSTEM No. 6: Q.250-Q.309
SPECIFICATIONS OF SIGNALLING SYSTEM R1: Q.310-Q.399
SPECIFICATIONS OF SIGNALLING SYSTEM R2: Q.400-Q.499
DIGITAL EXCHANGES: Q.500-Q.599
INTERWORKING OF SIGNALLING SYSTEMS: Q.600-Q.699
SPECIFICATIONS OF SIGNALLING SYSTEM No. 7: Q.700-Q.799
Q3 INTERFACE: Q.800-Q.849
DIGITAL SUBSCRIBER SIGNALLING SYSTEM No. 1: Q.850-Q.999
PUBLIC LAND MOBILE NETWORK: Q.1000-Q.1099
INTERWORKING WITH SATELLITE MOBILE SYSTEMS: Q.1100-Q.1199
INTELLIGENT NETWORK: Q.1200-Q.1699
SIGNALLING REQUIREMENTS AND PROTOCOLS FOR IMT-2000: Q.1700-Q.1799
BROADBAND ISDN: Q.2000-Q.2999

For further details, please refer to the list of ITU-T Recommendations.

ITU-T Recommendation Q.817
TMN PKI - Digital certificates and certificate revocation lists profiles

Summary

This Recommendation explains how Digital Certificates and Certificate Revocation Lists can be used in the TMN and provides requirements on the use of Certificate and Certificate Revocation List extensions.

Source

ITU-T Recommendation Q.817 was prepared by ITU-T Study Group 4 (2001-2004) and approved under the WTSA Resolution 1 procedure on 19 January 2001.

FOREWORD

The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (ITU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis.

The World Telecommunication Standardization Assembly (WTSA), which meets every four years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics.

The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1.

In some areas of information technology which fall within ITU-T's purview, the necessary standards are prepared on a collaborative basis with ISO and IEC.

NOTE: In this Recommendation, the expression "Administration" is used for conciseness to indicate both a telecommunication administration and a recognized operating agency.

INTELLECTUAL PROPERTY RIGHTS

ITU draws attention to the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside of the Recommendation development process.

As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementors are cautioned that this may not represent the latest information and are therefore strongly urged to consult the TSB patent database.

ITU 2001

All rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from ITU.

CONTENTS

1 Scope, purpose and application
1.1 Scope
1.2 Purpose
1.3 Application
2 Normative references
2.1 ITU-T and ISO/IEC standards
2.2 Other standards
3 Definitions
4 Abbreviations
5 Overview
6 Certificate extensions
6.1 Authority Key Identifier
6.2 Subject Key Identifier
6.3 Key Usage
6.4 Private Key Usage Period
6.5 Certificate Policies
6.6 Policy Mapping
6.7 Subject Alternative Name
6.8 Issuer Alternative Name
6.9 Subject Directory Attributes
6.10 Basic Constraints
6.11 Name Constraints
6.12 Policy Constraints
6.13 Extended Key Usage
6.14 CRL Distribution Points
6.15 Authority Information Access
7 Certificate Revocation List (CRL) Extensions
7.1 Authority Key Identifier
7.2 Issuer Alternative Name
7.3 CRL Number
7.4 Delta CRL Indicator
7.5 Issuing Distribution Point
8 Extensions for Individual Entries in CRLs
8.1 Reason Code
8.2 Hold Instruction Code
8.3 Invalidity Date
8.4 Certificate Issuer

ITU-T Recommendation Q.817
TMN PKI - Digital certificates and certificate revocation lists profiles

1 Scope, purpose and application

1.1 Scope

This Recommendation is intended to promote interoperability among TMN elements that use Public Key Infrastructure (PKI) to support security-related functions. It applies to all TMN interfaces and applications. It is independent of which communications protocol stack or which network management protocol is being used.

PKI facilities can be used for a broad range of security functions, such as authentication, integrity, non-repudiation and key exchange (ITU-T M.3016). However, this Recommendation does not specify how such functions should be implemented, with or without PKI.

PKI has emerged as an efficient, scalable method for secure authentication, for non-repudiation, and for the distribution and management of encryption keys and other security-related parameters. A PKI is based on digital certificates. ITU-T X.509 specifies the format of such certificates. X.509 digital certificates can contain any number of extensions. In order for a PKI to support interoperability among TMN elements, all such elements must be able to process the same set of certificate extensions. Ideally, all TMN elements should also exhibit the same behaviour in processing certificate extensions. In order to promote secure interoperability among TMN elements, this Recommendation specifies the certificate extensions that are to be supported by a TMN PKI. It further provides default behaviours for the processing of those extensions.

In order to promote harmonization with other industries, this Recommendation is based on the ITU-T X.500-series Recommendations, in particular ITU-T X.509, and on the PKI-related Request for Comments (RFC) 2459 from the Internet Engineering Task Force (IETF).

1.2 Purpose

The purpose of this Recommendation is to provide an interoperable, scalable mechanism for key distribution and management within a TMN, across all interfaces, as well as in support of the non-repudiation service over the X interface.

1.3 Application

This Recommendation applies to all Q and X interfaces of the TMN, regardless of the communication protocol. It pertains to information about public keys and revocation of public keys that is used by or exchanged among TMN elements. Depending on application-specific requirements, a TMN might use predefined public keys that are distributed by means outside the scope of this Recommendation rather than use certificates.

2 Normative references

The following ITU-T Recommendations and other references contain provisions which, through reference in this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated were valid. All Recommendations and other references are subject to revision; users of this Recommendation are therefore encouraged to investigate the possibility of applying the most recent edition of the Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is regularly published.

2.1 ITU-T and ISO/IEC standards

ITU-T M.3016 (1998), TMN Security Overview.
ITU-T Q.812 (1997), Upper layer protocol profiles for the Q3 and X interfaces.
ITU-T X.500 (2001) | ISO/IEC 9594-1:2001, Information technology - Open Systems Interconnection - The Directory: Overview of concepts, models and services.
ITU-T X.509 (2000) | ISO/IEC 9594-8:2001, Information technology - Open Systems Interconnection - The Directory: Public-key and attribute certificate frameworks.
ITU-T X.680 (1997) | ISO/IEC 8824-1:1998, Information technology - Abstract Syntax Notation One (ASN.1): Specification of basic notation.
ITU-T X.681 (1997) | ISO/IEC 8824-2:1998, Information technology - Abstract Syntax Notation One (ASN.1): Information object specification.
ITU-T X.682 (1997) | ISO/IEC 8824-3:1998, Information technology - Abstract Syntax Notation One (ASN.1): Constraint specification.
ITU-T X.683 (1997) | ISO/IEC 8824-4:1998, Information technology - Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 specification.
ITU-T X.690 (1997) | ISO/IEC 8825-1:1998, Information technology - ASN.1 encoding rules: Specification of Basic Encoding Rules (BER), Canonical Encoding Rules (CER) and Distinguished Encoding Rules (DER).
ITU-T X.736 (1992) | ISO/IEC 10164-7:1992, Information technology - Open Systems Interconnection - Systems Management: Security alarm reporting function.
ITU-T X.740 (1992) | ISO/IEC 10164-8:1993, Information technology - Open Systems Interconnection - Systems Management: Security audit trail function.

2.2 Other standards

IETF RFC 2459 (1999), Internet X.509 Public Key Infrastructure Certificate and CRL Profile.
IETF RFC 2251 (1997), Lightweight Directory Access Protocol (v3).

3 Definitions

This Recommendation uses the definitions of security services and security mechanisms as specified in ITU-T M.3016. This Recommendation further uses the definitions of the elements of a Public Key Infrastructure as specified in RFC 2459.

4 Abbreviations

This Recommendation uses the following abbreviations:

ASN.1 Abstract Syntax Notation One
BER Basic Encoding Rules
CA Certification Authority
CRL Certificate Revocation List
DER Distinguished Encoding Rules
IETF Internet Engineering Task Force
ITU-T International Telecommunication Union - Telecommunication Standardization Sector
OID Object Identifier
PKCS Public Key Cryptography Standard
PKI Public Key Infrastructure
RA Registration Authority
RFC Request for Comments
RSA Rivest, Shamir, Adleman

5 Overview

Public Key Infrastructure (PKI) is emerging as the lowest cost, scalable solution for TMN security. This Recommendation is intended to promote interoperability among PKI components from different product suppliers and service providers, and to promote interoperability among different companies or administrations. This clause provides a high level overview of the TMN PKI.

The TMN PKI consists of the following components:

A Certification Authority (CA) produces public key certificates for all the TMN entities that need to have secure communications, as well as for any external entities that need to communicate securely with TMN entities. A CA also issues certificates to CAs outside the TMN. The CA issues Certificate Revocation Lists (CRLs) as necessary. A CRL includes the serial numbers of certificates that have been revoked (for example, because the key has been compromised or because the subject is no longer with the company) and whose validity period has not yet expired. The CA typically employs a tamper-proof computer kept under the highest security [1]. The term CA is also used to refer to an organization (rather than a device) that issues certificates as a service, usually for a fee.

[1] The requirements for physical security and system security for a tamper-proof computer are outside the scope of this Recommendation.

The most common format of a certificate is as defined in ITU-T X.509. ITU-T X.509 defines several mandatory fields. It further provides for the addition of any number of extensions. Each extension is marked critical or non-critical. If an entity processing a certificate encounters a non-critical extension it does not recognize, it may ignore that extension. If an entity processing a certificate encounters a critical extension it does not recognize, it must reject the certificate. ITU-T X.509 also allows extensions to CRLs and to individual CRL entries. Interoperability in a TMN or between TMNs requires, at a minimum, full agreement on all critical extensions (if any) in certificates used in TMN applications.

A Registration Authority (RA) verifies the authenticity of every entity (NE, OS, WS, employee, customer, supplier, etc.) that should receive a public key certificate from the TMN's CA. The RA typically consists of a small number of security administrators with access to the CA. An RA typically publishes a Certification Practice Statement (CPS) that specifies under what conditions (e.g. identity check) it would issue a certificate.

The PKI includes a directory for the storage and distribution of certificates and CRLs. ITU-T X.500 provides the basis for the directory. ITU-T Q.812 includes a profile for the use of the X.500 Directory Access Protocol (DAP). However, directories based on the IETF PKI profile of LDAPv3 (Lightweight DAP, a subset of DAP) may be more readily available than directories based on ITU-T X.500.

Each TMN entity would need to interact with the TMN PKI directory in order to retrieve and receive certificates of other entities as well as CRLs. It would need the capability of processing certificates and CRLs. Each TMN entity will also need the capability of constructing and processing certification paths. The TMN PKI components need to interact through standard protocols. The interactions among TMN PKI components are illustrated in Figure 1.

[Figure 1/Q.817: Interactions among TMN PKI components. The figure shows the TMN entity, the Registration Authority, the Certification Authority and the Directory, with flows labelled: "Certificate request"; "Certificate revocation request"; "Own certificate revocation request"; "Certificate, CA public key"; "Self posting, certificate and CRL requests"; "Certificates, CRLs".]

6 Certificate extensions

The IETF PKI uses the certificates defined in ITU-T X.509. This format allows for any number of extensions. The IETF PKI includes numerous extensions, listed below. (The extensions are defined in IETF Request for Comments 2459.) This Recommendation is based on RFC 2459, which is a normative part of this Recommendation by reference. This Recommendation provides a TMN-specific profile of RFC 2459 without repeating text from that RFC.

This Recommendation provides the following default guidelines for the processing of certificate extensions; each administration may choose different behaviours based on its security policy:

If a non-critical extension that MUST be present is absent or has an invalid value, then t
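The extension processing rule of clause 5 (ignore an unrecognized non-critical extension, reject the certificate on an unrecognized critical one) and the clause 6 list of profiled extensions, as an added worked example. This code is not part of Recommendation Q.817 or of any ITU software; it is a minimal DER (X.690) decoder for the X.509 Extensions sequence, with the recognized set taken from the clause 6 headings. All sample data is constructed inline, the OID 1.2.3.4 stands in for a hypothetical private extension, and the duplicate-OID check follows the X.509/RFC 2459 rule that an extension may appear at most once.

```python
"""Added example, not ITU-T Q.817 text or code: apply the clause 5 X.509
extension rule to a DER-encoded Extensions block.  Unknown non-critical
extensions are ignored, unknown critical ones reject the certificate, and a
repeated OID rejects it (X.509 / RFC 2459).  Sample data is constructed
here; OID 1.2.3.4 is a hypothetical private extension."""

# Clause 6 profile: extension OID -> name (X.509 2.5.29.* arc, AIA from PKIX).
TMN_PROFILE_EXTENSIONS = {
    "2.5.29.35": "authorityKeyIdentifier", "2.5.29.14": "subjectKeyIdentifier",
    "2.5.29.15": "keyUsage", "2.5.29.16": "privateKeyUsagePeriod",
    "2.5.29.32": "certificatePolicies", "2.5.29.33": "policyMappings",
    "2.5.29.17": "subjectAltName", "2.5.29.18": "issuerAltName",
    "2.5.29.9": "subjectDirectoryAttributes", "2.5.29.19": "basicConstraints",
    "2.5.29.30": "nameConstraints", "2.5.29.36": "policyConstraints",
    "2.5.29.37": "extKeyUsage", "2.5.29.31": "cRLDistributionPoints",
    "1.3.6.1.5.5.7.1.1": "authorityInfoAccess",
}

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """OBJECT IDENTIFIER content octets -> dotted string (base-128 arcs)."""
    first = content[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    acc = 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # last octet of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def parse_extensions(der):
    """Extensions ::= SEQUENCE OF Extension -> [(oid, critical, extnValue)]."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    result, pos = [], 0
    while pos < len(seq):
        tag, ext, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("Extension must be a SEQUENCE")
        tag, oid_bytes, p = read_tlv(ext, 0)
        if tag != 0x06:
            raise ValueError("extnID must be an OBJECT IDENTIFIER")
        tag, value, p = read_tlv(ext, p)
        critical = False
        if tag == 0x01:                      # BOOLEAN critical DEFAULT FALSE
            critical = value != b"\x00"
            tag, value, p = read_tlv(ext, p)
        if tag != 0x04:
            raise ValueError("extnValue must be an OCTET STRING")
        result.append((decode_oid(oid_bytes), critical, value))
    return result

def evaluate_extensions(der, profile=TMN_PROFILE_EXTENSIONS):
    """Clause 5 rule. Returns (accept, ignored_unknown_oids, reject_reasons)."""
    reasons, ignored, seen = [], [], set()
    for ext_oid, critical, _value in parse_extensions(der):
        if ext_oid in seen:                  # at most one instance per OID
            reasons.append(f"duplicate extension {ext_oid}")
        seen.add(ext_oid)
        if ext_oid in profile:
            continue                         # recognized by the TMN profile
        if critical:
            reasons.append(f"unrecognized critical extension {ext_oid}")
        else:
            ignored.append(ext_oid)          # unknown but non-critical: ignore
    return (not reasons, ignored, reasons)

# Tiny DER encoder, used only to construct the sample input below.
def tlv(tag, content):
    assert len(content) < 128                # short-form length suffices here
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    body = bytes([40 * a[0] + a[1]])
    for arc in a[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:                           # base-128, high bit means "more"
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, body)

def extension(dotted, value, critical=False):
    crit = tlv(0x01, b"\xff") if critical else b""
    return tlv(0x30, encode_oid(dotted) + crit + tlv(0x04, value))

# Constructed samples: keyUsage(digitalSignature) and basicConstraints(cA TRUE).
KEY_USAGE = tlv(0x03, b"\x07\x80")           # BIT STRING, only bit 0 set
BASIC_CA = tlv(0x30, tlv(0x01, b"\xff"))     # SEQUENCE { cA TRUE }
SAMPLE_OK = tlv(0x30, extension("2.5.29.15", KEY_USAGE, True)
                    + extension("2.5.29.19", BASIC_CA, True)
                    + extension("1.2.3.4", b"\x05\x00"))         # unknown, non-critical
SAMPLE_BAD = tlv(0x30, extension("2.5.29.15", KEY_USAGE, True)
                     + extension("1.2.3.4", b"\x05\x00", True))  # unknown, critical
```

`evaluate_extensions(SAMPLE_OK)` accepts the certificate and reports `1.2.3.4` as ignored; `evaluate_extensions(SAMPLE_BAD)` rejects it because the same unknown OID is now marked critical. The recognized set is deliberately a parameter: an administration that narrows or widens the profile under its own security policy, as clause 6 allows, changes only the dictionary, not the decoding or the rule.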
