KS X ISO 15782-2-2007 Banking－Certificate management－Part 2：Certificate extensions《银行 证书管理 第2部分 证书加长件》.pdf

1、 KS X ISO 157822 KSKSKSKS SKSKSKS KSKSKS SKSKS KSKS SKS KS 2： KS X ISO 157822 : 2007 (2012 ) 2007 11 30 http:/www.kats.go.krKS X ISO 157822：2007 : e- ( ) ( ) () () ( ) : (http:/www.standard.go.kr) ： ：2002 11 20 ：2007 11 30 ：2012 12 28 ： e- 2012-0863 ： ( 02-509-7262) (http:/www.kats.go.kr). 10 5 , .

2、KS X ISO 157822：2007 i e . KS X ISO 157822：2007 . A() KS X ISO 15782 “ ” . 1： 2： KS X ISO 157822 : 2007 (2012 ) 2： Banking Certificate management Part 2 ：Certificate extensions 2001 1 ISO 157822, BankingCertificate managementPart 2：Certi ficate extensions , . 1 KS X ISO/IEC 95948 . . KS X ISO 157821

3、 . ASN.1 (Distinguished Encoding Rules： DER) KS X ISO/IEC 88251_2002 . KS X ISO/IEC 95948 DER . 2 . . ( ) . KS X 41012, 2： (ISO/IEC 95942 |ITUT Recommendation X.501, Information technologyOpen Systems Interconnection The Directory：Models) KS X ISO/IEC 95948：2007 |ITU-T Recommendation X.509(1997), In

4、formation technologyOpen Systems InterconnectionThe Directory：Authentication framework KS X ISO/IEC 98341 |CCITT Recommendation X.660, Information technologyOpen System Intercon nectionProcedures for the operation of OSI Registration Authorities：General procedures KS X ISO/IEC 100214 |ITU-T Recommen

5、dation X.411, Information technologyMessage Handling Systems(MHS)Message transfer system : Abstract service definition and procedures KS X ISO 157821, 1： RFC 791：1981 1) , Internet protocol RFC 822：1982 2) , Standard for the format of ARPA Internet text message 1) RFC 760 , RFC 1060 2) RFC 733 , RFC

6、 987 , RFC 1327 KS X ISO 157822：2007 2 RFC 1035：1987 3) , Domain namesImplementation and specification RFC 1630：1994, Universal resource identifiers in WWW：A unifying syntax for the expression of names and addresses of objects on the network as used in the world-wide web FIPS-PUB 1401：1993, Security

7、 requirements for cryptographic modules 3 . 3.1 (attribute) 3.2 (CA certificate) 3.3 (certificate) , 3.4 (certificate hold) 3.5 (certificate policy) / . 1 ( ) . . X.509 3 (object identifier) . . 2 X.509 3 , , . . ( ) ( ). 3.6 (Certificate Revocation List：CRL) 3) RFC 973 , RFC 2136 , RFC 2137 , RFC 1

8、348 , RFC 1995 , RFC 1996 , RFC 2065 , RFC 2181 , RFC 2308 KS X ISO 157822：2007 3 3.7 (certificate-using system) 3.8 (certification) 3.9 (Certification Authority：CA) 3.10 (certification path) , 3.11 (Certification Practice Statement：CPS) 3.12 (compromise) 3.13 (CRL distribution point) . 3.14 (cross

9、certification) (3.37) 3.15 (cryptographic key, key) . 3.16 (cryptographic module) KS X ISO 157822：2007 4 , , , 3.17 (cryptography) , , , 3.18 (data integrity) 3.19 CRL (delta-CRL) CRL (CRL) 3.20 (digital signature, signature) , 3.21 (directory, repository) X.500 3.22 (distinguished name) . . 3.23 (e

10、nd certificate) 3.24 (end entity) 3.25 (entity) , 3.26 (financial message) KS X ISO 157822：2007 5 3.27 (intermediate certificates) 3.28 (key) (3.15) 3.29 (key agreement) 3.30 (key pair) 3.31 (keying material) , 3.32 (key pair updating) / 3.33 (message) 3.34 (module) (3.16) 3.35 (non-repudiation) 3 .

11、 ( , , , , ). 3.36 (optional) . ASN.1 “OPTIONAL” . KS X ISO 157822：2007 6 3.37 (policy mapping) , ( .) (3.14) 3.38 (policy qualifier) X.509 3.39 (private key) 3.40 (public key) 3.41 (Registration Authority：RA) . . , . . 3.42 (relying party) , 3.43 (signature) (3.20) 3.44 (subject) 3.45 (subject CA)

12、3.46 (subject end entity) 3.47 (user) (3.42) KS X ISO 157822：2007 7 4 . ASN.1 (Abstract Syntax Notation) CA (Certification Authority) DIT (Directory Information Tree) CRL (Certification Revocation List) ITU (International Telecommunication Union) 1 , X.509 . 2 CertReqData CRLEntry (ASN.1) . ASN.1 .

13、5 KS X ISO/IEC 95948 3 CA . CRLs . . a) ： CRL , , . b) ： CRL , CRL . . c) ： CA , CA CA . . CA . d) CRL ： CRL CRL , CRL CRL CRL CRL . e) CRL CRLs： CRL CA CRL , CA CRL . CRL CRL . CRL CRL . CRL, critical non-critical . critical KS X ISO 157822：2007 8 . non-critical . critical, non-critical CRL critica

14、l . non-critical . . . non-critical . a) b) critical CA . , CRL CRL . 10.4 CRLs CRLs . . (6.2.8 ) (8.2.3 ) (8.2.4 ) (10.4 ) . 6 6.1 . a) CA . . CA . b) , , . CA . KS X ISO 157822：2007 9 c) . . . d) . . . e) . f) , . CA CA . . g) KS X ISO 157821 . 6.2 CRL 6.2.1 . a) (authority key identifier) b) (sub

15、ject key identifier) c) (key usage) d) (extended key usage) e) (private key usage period) f) (certificate policies) g) (policy mappings) CRL . , CA . KS X ISO 157821 . 6.2.2 CRL CRL . CA ( ). . authorityKeyIdentifier EXTENSION := SYNTAX AuthorityKeyIdentifier IDENTIFIED BY id-ce-authorityKeyIdentifi

16、er AuthorityKeyIdentifier := SEQUENCE keyIdentifier 0 KeyIdentifier OPTIONAL, authorityCertIssuer 1 GeneralNames OPTIONAL, authorityCertSerialNumber 2 CertificateSerialNumber OPTIONAL KS X ISO 157822：2007 10 ( WITH COMPONENTS ., authorityCertIssuer PRESENT, authorityCertSerialNumber PRESENT | WITH C

17、OMPONENTS ., authorityCertIssuer ABSENT, authorityCertSerialNumber ABSENT ) KeyIdentifier := OCTET STRING . keyIdentifier (authorityCertIssuer authorityCertSerialN umber ) CRL . CRL . authorityCertIssuer . GeneralNames 7.2.2 . (, ) . non-critical. 6.2.3 . ( ). . subjectKeyIdentifier EXTENSION := SYN

18、TAX SubjectKeyIdentifier IDENTIFIED BY id-ce-subjectKeyIdentifier SubjectKeyIdentifier := KeyIdentifier . non-critical. 6.2.4 . keyUsage EXTENSION := SYNTAX KeyUsage IDENTIFIED BY id-ce-keyUsage KeyUsage := BIT STRING digitalSignature (0), nonRepudiation (1), KS X ISO 157822：2007 11 keyEncipherment

19、(2), dataEncipherment (3), keyAgreement (4), keyCertSign (5), cRLSign (6), encipherOnly (7), decipherOnly (8) KeyUsage . a) digitalSignature： ( 1), ( 5) ( 6) . . b) nonRepudiation： f) g) CRL 4)c) keyEncipherment： , . CA keyEncipherment . d) dataEncipherment： . c) . CA dataEncipherment . e) keyAgreement： CA keyAgreement . f) keyCertSign： CA CA keyCertSign . CA . g) cRLSign：CRL CA CRL cRLSign . h) encipherOnly decipherOnly . 7(encipherOnly) 8(decipherOnly)