1、 INTERNATIONAL TELECOMMUNICATION UNION ITU-T X.842TELECOMMUNICATION STANDARDIZATION SECTOR OF ITU (10/2000) SERIES X: DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS Security Information technology Security techniques Guidelines for the use and management of trusted third party services ITU-T Recommend
2、ation X.842 (Formerly CCITT Recommendation) ITU-T X-SERIES RECOMMENDATIONS DATA NETWORKS AND OPEN SYSTEM COMMUNICATIONS PUBLIC DATA NETWORKS Services and facilities X.1X.19 Interfaces X.20X.49 Transmission, signalling and switching X.50X.89 Network aspects X.90X.149 Maintenance X.150X.179 Administra
3、tive arrangements X.180X.199 OPEN SYSTEMS INTERCONNECTION Model and notation X.200X.209 Service definitions X.210X.219 Connection-mode protocol specifications X.220X.229 Connectionless-mode protocol specifications X.230X.239 PICS proformas X.240X.259 Protocol Identification X.260X.269 Security Proto
4、cols X.270X.279 Layer Managed Objects X.280X.289 Conformance testing X.290X.299 INTERWORKING BETWEEN NETWORKS General X.300X.349 Satellite data transmission systems X.350X.399 MESSAGE HANDLING SYSTEMS X.400X.499 DIRECTORY X.500X.599 OSI NETWORKING AND SYSTEM ASPECTS Networking X.600X.629 Efficiency
5、X.630X.639 Quality of service X.640X.649 Naming, Addressing and Registration X.650X.679 Abstract Syntax Notation One (ASN.1) X.680X.699 OSI MANAGEMENT Systems Management framework and architecture X.700X.709 Management Communication Service and Protocol X.710X.719 Structure of Management Information
6、 X.720X.729 Management functions and ODMA functions X.730X.799 SECURITY X.800X.849 OSI APPLICATIONS Commitment, Concurrency and Recovery X.850X.859 Transaction processing X.860X.879 Remote operations X.880X.899 OPEN DISTRIBUTED PROCESSING X.900X.999 For further details, please refer to the list of I
7、TU-T Recommendations. ITU-T Rec. X.842 (10/2000) (E) i TECHNICAL REPORT ISO/IEC TR 14516 ITU-T RECOMMENDATION X.842 INFORMATION TECHNOLOGY SECURITY TECHNIQUES GUIDELINES FOR THE USE AND MANAGEMENT OF TRUSTED THIRD PARTY SERVICES Summary This Recommendation | Technical Report provides guidance for th
8、e use and management of Trusted Third Party (TTP) services, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TTPs and entities using their services. This Recommendation | Technical Report identifies different major ca
9、tegories of TTP services including time stamping, non-repudiation, key management, certificate management, and electronic notary public. Source ITU-T Recommendation X.842 was prepared by ITU-T Study Group 7 (1997-2000) and approved by the World Telecommunication Standardization Assembly (Montreal, 2
10、7 September 6 October 2000). An identical text is published as ISO/IEC TR 14516. ii ITU-T Rec. X.842 (10/2000) (E) FOREWORD The International Telecommunication Union (ITU) is the United Nations specialized agency in the field of telecommunications. The ITU Telecommunication Standardization Sector (I
11、TU-T) is a permanent organ of ITU. ITU-T is responsible for studying technical, operating and tariff questions and issuing Recommendations on them with a view to standardizing telecommunications on a worldwide basis. The World Telecommunication Standardization Assembly (WTSA), which meets every four
12、 years, establishes the topics for study by the ITU-T study groups which, in turn, produce Recommendations on these topics. The approval of ITU-T Recommendations is covered by the procedure laid down in WTSA Resolution 1. In some areas of information technology which fall within ITU-Ts purview, the
13、necessary standards are prepared on a collaborative basis with ISO and IEC. NOTE In this Recommendation, the expression “Administration“ is used for conciseness to indicate both a telecommunication administration and a recognized operating agency. INTELLECTUAL PROPERTY RIGHTS ITU draws attention to
14、the possibility that the practice or implementation of this Recommendation may involve the use of a claimed Intellectual Property Right. ITU takes no position concerning the evidence, validity or applicability of claimed Intellectual Property Rights, whether asserted by ITU members or others outside
15、 of the Recommendation development process. As of the date of approval of this Recommendation, ITU had not received notice of intellectual property, protected by patents, which may be required to implement this Recommendation. However, implementors are cautioned that this may not represent the lates
16、t information and are therefore strongly urged to consult the TSB patent database. ITU 2002 All rights reserved. No part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from I
17、TU. ITU-T Rec. X.842 (10/2000) (E) iii CONTENTS Page 1 Scope . 1 2 References 1 2.1 Identical Recommendations | International Standards 1 2.2 Paired Recommendations | International Standards equivalent in technical content 1 2.3 Additional References 1 3 Definitions 2 4 General Aspects 3 4.1 Basis o
18、f Security Assurance and Trust 3 4.2 Interaction between a TTP and Entities Using its Services 4 4.2.1 In-line TTP Services . 4 4.2.2 On-line TTP Services 4 4.2.3 Off-line TTP Services. 5 4.3 Interworking of TTP Services 5 5 Management and Operational Aspects of a TTP 5 5.1 Legal Issues. 6 5.2 Contr
19、actual Obligations 6 5.3 Responsibilities 7 5.4 Security Policy. 7 5.4.1 Security Policy Elements 8 5.4.2 Standards 8 5.4.3 Directives and Procedures. 8 5.4.4 Risk Management. 8 5.4.5 Selection of Safeguards. 9 5.4.5.1 Physical and Environmental Measures . 9 5.4.5.2 Organisational and Personnel Meas
20、ures . 9 5.4.5.3 IT Specific Measures. 9 5.4.6 Implementation Aspects of IT Security 10 5.4.6.1 Awareness and Training 10 5.4.6.2 Trustworthiness and Assurance 10 5.4.6.3 Accreditation of TTP Certification Bodies 11 5.4.7 Operational Aspects of IT Security 11 5.4.7.1 Audit/Assessment 11 5.4.7.2 Inci
21、dent Handling 12 5.4.7.3 Contingency Planning 12 5.5 Quality of Service 12 5.6 Ethics 12 5.7 Fees. 12 6 Interworking. 12 6.1 TTP-Users . 13 6.2 User-User 13 6.3 TTP-TTP. 13 6.4 TTP-Law Enforcement Agency 14 7 Major Categories of TTP Services. 14 7.1 Time Stamping Service 14 7.1.1 Time Stamping Autho
22、rity 14 7.2 Non-repudiation Services . 15 7.3 Key Management Services. 16 7.3.1 Key Generation Service 16 7.3.2 Key Registration Service. 16 7.3.3 Key Certification Service 16 7.3.4 Key Distribution Service. 17 7.3.5 Key Installation Service 17 7.3.6 Key Storage Service 17 7.3.7 Key Derivation Servi
23、ce. 17 7.3.8 Key Archiving Service 17 iv ITU-T Rec. X.842 (10/2000) (E) Page 7.3.9 Key Revocation Service 17 7.3.10 Key Destruction Service . 17 7.4 Certificate Management Services . 18 7.4.1 Public Key Certificate Service 18 7.4.2 Privilege Attribute Service 18 7.4.3 On-line Authentication Service
24、Based on Certificates 19 7.4.4 Revocation of Certificates Service. 19 7.5 Electronic Notary Public Services 19 7.5.1 Evidence Generation Service 20 7.5.2 Evidence Storage Service 20 7.5.3 Arbitration Service 20 7.5.4 Notary Authority 20 7.6 Electronic Digital Archiving Service 21 7.7 Other Services
25、. 22 7.7.1 Directory Service 22 7.7.2 Identification and Authentication Service 23 7.7.2.1 On-line Authentication Service 23 7.7.2.2 Off-line Authentication Service . 25 7.7.2.3 In-line Authentication Service 25 7.7.3 In-line Translation Service 25 7.7.4 Recovery Services 25 7.7.4.1 Key Recovery Ser
26、vices 25 7.7.4.2 Data Recovery Services . 26 7.7.5 Personalisation Service . 26 7.7.6 Access Control Service. 26 7.7.7 Incident Reporting and Alert Management Service 26 Annex A Security Requirements for Management of TTPs 28 Annex B Aspects of CA management . 29 B.1 Example of Registration Process
27、Procedures. 29 B.2 An example of requirements for Certification Authorities. 29 B.3 Certification Policy and Certification Practice Statement (CPS) 31 Annex C Bibliography 32 Table of Figures Figure 1 In-line TTP Service Between Entities 4 Figure 2 On-line TTP Service Between Entities 5 Figure 3 Off
28、-line TTP Service Between Entities 5 Figure 4 Interworking of TTPs in Different Domains 13 Figure 5 Example of Non-repudiation Architecture . 16 Figure 6 Link Between an Attribute Certificate and a Public Key Certificate . 19 Figure 7 Directory Service Architecture 23 Figure 8 Example for On-line Au
29、thentication Services 24 Figure 9 Example for In-line TTP Authentication Service . 25 Figure 10 Example of Alert Management Service 27 ITU-T Rec. X.842 (10/2000) (E) v Introduction Achievement of adequate levels of business confidence in the operation of IT systems is underpinned by the provision of
30、 practical and appropriate legal and technical controls. Business must have confidence that IT systems will offer positive advantages and that such systems can be relied upon to sustain business obligations and create business opportunities. An exchange of information between two entities implies an
31、 element of trust, e.g. with the recipient assuming that the identity of the sender is in fact the sender, and in turn, the sender assuming that the identity of the recipient is in fact the recipient for whom the information is intended. This “implied element of trust“ may not be enough and may requ
32、ire the use of a Trusted Third Party (TTP) to facilitate the trusted exchange of information. The role of TTPs includes providing assurance that business and other trustworthy (e.g. governmental activities) messages and transactions are being transferred to the intended recipient, at the correct loc
33、ation, that messages are received in a timely and accurate manner, and that for any business dispute that may arise, there exist appropriate methods for the creation and delivery of the required evidence for proof of what happened. Services provided by TTPs may include those necessary for key manage
34、ment, certificate management, identification and authentication support, privilege attribute service, non-repudiation, time stamping services, electronic public notary services, and directory services. TTPs may provide some or all of these services. A TTP has to be designed, implemented and operated
35、 to provide assurance in the security services it provides, and to satisfy applicable legal and regulatory requirements. The types and levels of protection adopted or required will vary according to the type of service provided and the context within which the business application is operating. The
36、objectives of this Recommendation | Technical Report are to provide: a) Guidelines to TTP managers, developers and operations personnel and to assist them in the use and management of TTPs; and b) Guidance to entities regarding the services performed by TTPs, and the respective roles and responsibil
37、ities of TTPs and entities using their services. Additional aspects covered by this Recommendation | Technical Report are to provide: a) An overview of the description of services provided; b) An understanding of the role of TTPs and their functional features; c) To provide a basis for the mutual re
38、cognition of services provided by different TTPs; and d) Guidance of interworking between entities and TTPs. ISO/IEC TR 14516:2002 (E) ITU-T Rec. X.842 (10/2000) (E) 1 TECHNICAL REPORT ISO/IEC TR 14516 ITU-T RECOMMENDATION X.842 INFORMATION TECHNOLOGY SECURITY TECHNIQUES GUIDELINES FOR THE USE AND M
39、ANAGEMENT OF TRUSTED THIRD PARTY SERVICES 1 Scope Associated with the provision and operation of a Trusted Third Party (TTP) are a number of security-related issues for which general guidance is necessary to assist business entities, developers and providers of systems and services, etc. This includ
40、es guidance on issues regarding the roles, positions and relationships of TTPs and the entities using TTP services, the generic security requirements, who should provide what type of security, what the possible security solutions are, and the operational use and management of TTP service security. T
41、his Recommendation | Technical Report provides guidance for the use and management of TTPs, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TTPs and entities using their services. It is intended primarily for system
42、managers, developers, TTP operators and enterprise users to select those TTP services needed for particular requirements, their subsequent management, use and operational deployment, and the establishment of a Security Policy within a TTP. It is not intended to be used as a basis for a formal assess
43、ment of a TTP or a comparison of TTPs. This Recommendation | Technical Report identifies different major categories of TTP services including: time stamping, non-repudiation, key management, certificate management, and electronic notary public. Each of these major categories consists of several serv
44、ices which logically belong together. 2 References 2.1 Identical Recommendations | International Standards IT U-T Recommendation X.509 (2001) | ISO/IEC 9594-8:2001, Information technology Open Systems Interconnection The Directory: Public-key and attribute certificate frameworks. ITU-T Recommendatio
45、n X.810 (1995) | ISO/IEC 10181-1:1996, Information technology Open Systems Interconnection Security frameworks for open systems: Overview. ITU-T Recommendation X.813 (1996) | ISO/IEC 10181-4:1997, Information technology Open Systems Interconnection Security frameworks for open systems: Non-repudiati
46、on framework. 2.2 Paired Recommendations | International Standards equivalent in technical content CCITT Recommendation X.800 (1991), Security architecture for Open Systems Interconnection for CCITT applications. ISO 7498-2:1989, Information processing systems Open Systems Interconnection Basic Refe
47、rence Model Part 2: Security Architecture. 2.3 Additional References ISO/IEC 9798-1:1997, Information technology Security techniques Entity authentication Part 1: General. ISO/IEC 11770-1:1996, Information technology Security techniques Key management Part 1: Framework. ISO/IEC 11770-2:1996, Informa
48、tion technology Security techniques Key management Part 2: Mechanisms using symmetric techniques. ISO/IEC 11770-3:1999, Information technology Security techniques Key management Part 3: Mechanisms using asymmetric techniques. ISO/IEC TR 13335-1:1996, Information technology Guidelines for the managem
49、ent of IT Security Part 1: Concepts and models for IT Security. ISO/IEC TR 14516:2002 (E) 2 ITU-T Rec. X.842 (10/2000) (E) ISO/IEC TR 13335-2:1997, Information technology Guidelines for the management of IT Security Part 2: Managing and planning IT Security. ISO/IEC TR 13335-3:1998, Information technology Guidelines for the management of IT Security Part 3: Techniques for the management of IT Security. ISO/IEC TR 13335-4:2000, Information te
