《ANSI-X9.79-2000.pdf》由会员分享,可在线阅读,更多相关《ANSI-X9.79-2000.pdf(111页珍藏版)》请在三一文库上搜索。
1、American National Standard for Financial Services PKI Practices and Policy Framework (ASC X9.79) Secretariat American Bankers Association Approved: September 2000 American National Standards Institute Copyright American National Standards Institute Provided by IHS under license with ANSI Licensee=IH
2、S Employees/1111111001, User=OConnor, Maurice Not for Resale, 04/29/2007 13:23:57 MDTNo reproduction or networking permitted without license from IHS -,-,- I ANS x9.79:2000, Public Key Infrastructure - I Practices and Policy Framework O2Oo0 American Bankers Association America National Approval of a
3、n American National Standard requires verification by ANSI that the requirements for due process, consensus, and other criteria for approval have been met by the standards developer. .n Standard Consensus is established when, in the judgment of the ANSI Board of Standards Review, directly and materi
4、ally affected interests have reached substantial agreement. Substantial agreement means much more than a simple majority, but not necessarily unanimity. Consensus requires that all views and objections be considered, and that a concerted effort be made toward their resolution. The use of American Na
5、tional Standards is completely voluntary; their existence does not in any respect preclude anyone, whether he has approved the standards or not from manufacturing, marketing, purchasing, or using products, processes, or procedures not conforming to the standards. The American National Standards Inst
6、itute does not develop standards and will in no circumstances give an interpretation of any American National Standard. Moreover, no person shall have the right or authority to issue an interpretation of an American National Standard in the name of the American National Standards Institute. Requests
7、 for interpretations should be addressed to the secretariat or sponsor whose name appears on the title page of this standard. CAUTION NOTICE: This American National Standard may be revised or withdrawn at any time. The procedures of the American National Standards Institute require that action be ta
8、ken to reaffirm, revise, or withdraw this standard no later than five years from the date of approval. Published by: American Bankers Association 1120 Connecticut Ave., NW Washington, DC 20036 USA Customer Service Center + 1 800 338 0626 or + 1 202 663 5087 Fax + 1 202 663 7543 Email X9 Online: htt
9、p:/www.x9.org Copyright O (X9 2000) by American Bankers Association All rights reserved. No part of this publication may be reproduced in any form, in an electronic retrieval system or otherwise, without prior written permission of the publisher. Printed in the United States of America ii Copyright
10、American National Standards Institute Provided by IHS under license with ANSI Licensee=IHS Employees/1111111001, User=OConnor, Maurice Not for Resale, 04/29/2007 13:23:57 MDTNo reproduction or networking permitted without license from IHS -,-,- American Bankers Association I ANS x9.79:2000, Public K
11、ey Infrastructure -1 02000 I I Practices and Policy Frameworq Con tents I SCOPE OF THIS STANDARD . 1 2 NORMATIVE REFERENCE(S) . 2 3 DEFINITIONS . 3 4 SYMBOLS (AND ABBREVIATIONS) . 10 5 ORGANIZATION 11 6 PKI CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT 12 6.1 WHAT IS PKI (PUBLIC-KEY INFRAS
12、TRUCTURE)? 12 6.2 PKIMODEL 13 6.2.1 Closed 13 6.2.2 Networ 13 6.2.3 OpenMo 13 6.3 PKIPERSPE 14 6.3.1 Function 14 6.3.2 Legal Perspective 16 6.3.3 Regulatory Perspective 16 6.3.4 Business Usage Perspective 16 6.4 RELATIONSHIP BETWEEN CERTIFICATE POLICY AND CERTIFICATION PRACTICE STATEMENT 17 6.4.1 Au
13、thorshiy . 17 6.4.2 Purpose . 17 6.4.3 Level o f Specijcity 17 6.4.4 Approach . 18 6.4.5 Public and Private Access . 18 CERTIFICATE POLICY (CP) . 19 CERTIFICATION PRACTICE STATEMENT (CPS) . 20 CERTIFICATE POLICY, CPS, AND CA INTEROPERABILI TY 21 6.5 6.6 6.7 7 GENERAL REQUIREMENTS . 21 7.1 CERTIFICAT
14、E POLICY (CP) 21 7.2 CERTIFICATION PRACTICE 23 23 ANNEX A (NORMATIVE) ELEMENTS OF POLICY AND PRACTICE 26 INTRODUCTION . 26 A . 1.1 Overview . 26 A.1.2 Identification . 26 A.1.3 Community and Applicability 26 A . 1.4 Contact Details . 27 A.2 GENERAL PROVISIONS 27 A.2.1 Liability . 27 A.2.2 Obligation
15、s 28 7.2.1 Segmentation o f a Certific A . 1 . Copyright American National Standards Institute Provided by IHS under license with ANSI Licensee=IHS Employees/1111111001, User=OConnor, Maurice Not for Resale, 04/29/2007 13:23:57 MDTNo reproduction or networking permitted without license from IHS -,-,
16、- I ANS x9.79:2000, Public Key Infrastructure . I Prsirtirpc sind Pnlirv PrsimPwnrk I O2Oo0 American Bankers Association A.2.3 Interpretation and Enforcement 29 A.2.4 Publication and Repositories 29 A.2.5 Compliance Au 29 IDENTIFICATION AND AUTHENTICATION 30 A.3.1 Initial Registration 30 A.3.2 Routi
17、ne Re-key 31 A.3.3 Re-key after Revocation - No Key Compromise 31 A.3.4 Revocation Request . 31 A.4 OPERATIONAL REQUIREMENTS 32 A.4.1 Certijicate Application 32 A . 4.2 Certijicate Issuance 32 A.4.3 Certijicate Acceptance 32 A.4.4 Certijicate Suspension and Revocation . 32 A.4.5 Security Audit Proce
18、dures 33 A.4.6 Records Archival . 34 A.4. 7 Key Changeover 34 A.4.8 Compromise and Disaster Recovery . 34 A.4.9 CA Termination . 35 PHYSICAL, PROCEDURAL, AND PERSONNEL SECURITY CONTROLS 35 A.5.1 Physical Security Controls 35 A.5.2 Procedural Controls . 36 A.5.3 Personnel Security Controls . 36 TECHN
19、ICAL SECURITY CONTROLS 37 A . 6.1 Key Pair Generation and Installation . 38 A . 6.2 Private Key Protection 38 A . 6.3 Other Aspects o f Key Pair Management . 39 A.6.4 Activation Data . 40 A . 6.5 Computer Security Controls 40 A . 6.6 Life Cycle Security Controls . 40 A.6. 7 Network Security Controls
20、 40 A . 6.8 Cryptographic Module Engineering Controls 40 CERTIFICATE AND CRL PROFILES 41 A . 7.1 Certijicate ProJile . 41 A . 7.2 CRL ProJile . 41 A . 7.3 OCSP ProJile 41 A.8 PRACTICES ADMWISTRATION . 42 A.8.1 Change procedures . 42 A.2.6 Confidentiality . 29 A.3 . . A.5 A.6 A.7 A.8.2 Publication an
21、d Notification Procedures 43 A.8.3 Approval Procedures 43 ANNEX B (NORMATIVE) CERTIFICATION AUTHORITY CONTROL OBJECTIVES 44 CA ENVIRONMENTAL CONTROLS 47 B . 1.1 Certijication Practice Statement and Certificate Policy Management . 47 B.1.2 Security Management 48 B . 1.3 Asset Classification and Manag
22、ement 50 B . 1.4 Personnel Security 50 B.1.5 Physical and Environmental Security . 51 B . 1.6 Operations Management . 54 B.1. 7 System Access Management 56 B . 1.8 Systems Development and Maintenance . 58 B . 1.9 Business Continuity Management . 58 B . 1.1 O Monitoring and Compliance 61 B . 1.11 Eve
23、nt Journaling 62 B . 1 iv Copyright American National Standards Institute Provided by IHS under license with ANSI Licensee=IHS Employees/1111111001, User=OConnor, Maurice Not for Resale, 04/29/2007 13:23:57 MDTNo reproduction or networking permitted without license from IHS -,-,- American Bankers As
24、sociation I ANS x9.79:2000, Public Key Infrastructure -1 02000 I I Practices and Policy Frameworq B.2 KEY MANAGEMENT LIFE CYCLE CONTROLS 67 B.2.1 CA Key Generation B.2.2 CA Key Storage, Backup and Recovery B.2.3 CA Public Key Dist B.2.4 CA Key Escrow (jsupported) 70 B.2.5 CA Key Usage . 70 B.2.6 CA
25、Key Destruction 70 B.2. 7 CA Key Archival . 71 B.2.8 CA Cryptographic Hardware Life Cycle Management . 72 B.2.9 CA-Provided Subscriber Key Management Services (jsupported) 74 CERTIFICATE LIFE CYCLE CONTROLS 76 B.3.1 Subscriber Registration 76 B.3.2 Certijicate Renewal (jsupported) 78 B.3.3 Certijica
26、te Rekey . 79 B.3.4 Certijicate Issuance 81 B.3.5 Certijicate Distribution . 82 B.3.6 Certijicate Revocation 82 B.3. 7 Certijicate Suspension (jsupported) 83 B.3.8 Certijicate Status Information Processing 85 B.3.9 Integrated Circuit Card (ICC) Life Cycle Management (jsupported) 86 MAPPING TO FWC 25
27、27 AND X9.79 A”EX A . 89 ANNEX C (INFORMATIVE) X.509 CERTIFICATE FIELDS . 91 C.l EXPLANATION OF X.509 EXTENTIONS 91 C.1.2 Policy Mappings Extension 92 C.1.3 Policy Constraints Extensi 92 C.2 POLICY QUALIFIERS . 93 ANNEX D (INFORMATIVE) BIBLIOGRAPHY . 94 B.3 . B.4. C . 1.1 Certijicate Policies Extens
28、ion 91 D.l D.2 D.4 IETF REQUEST FOR COMMENT DRAFTS 94 NATIONAL AUTOMATED CLEARING HOUSE ASSOCIATION (NACHA) . 94 AMERICAN BAR ASSOCIATION (ABARA), INFORMATION SECURITY COMMITTEE 94 D.3 D.5 CHARTERED ACCOUNTANTS (CICA) 94 DRAFT GUIDELINE FROM OFFICE COMFTROLLER OF CURRENCY . 94 AMERICAN INSTITUTE OF
29、CERTIFIED PUBLIC ACCOUNTANTS (AICPA) AND CANADIAN INSTITUTE OF D.6 D.7 BRITISH STANDARDS INSTITUTION . 95 INTERNATIONAL ORGANISATION FOR STANDARDISATION 95 ANNEX E (INFORMATIVE) OBJECT IDENTIFIERS (OID) . 96 E.l WHAT IS AN OID? 96 E.3 ESTABLISHING AN OID . 96 E.4 OID LOOKW 97 E.5 INTERNATIONAL NAME
30、REGISTRATION 97 E.2 OIDS SHALL BE REGISTERED: 96 V Copyright American National Standards Institute Provided by IHS under license with ANSI Licensee=IHS Employees/1111111001, User=OConnor, Maurice Not for Resale, 04/29/2007 13:23:57 MDTNo reproduction or networking permitted without license from IHS
31、-,-,- O2Oo0 American Bankers Association ANS x9.79:2000, Public Key Infrastructure - Practices and Policy Framework Figures FIGURE 1: MODEL CA HIERARCHY FIGURE 2: REGISTRATION PROCESS WITH AN and (2) the message has not been altered since its Digital Signature was created. 9 Copyright American Natio
32、nal Standards Institute Provided by IHS under license with ANSI Licensee=IHS Employees/1111111001, User=OConnor, Maurice Not for Resale, 04/29/2007 13:23:57 MDTNo reproduction or networking permitted without license from IHS -,-,- O2Oo0 American Bankers Association ANS x9.79:2000, Public Key Infrast
33、ructure - Practices and Policy Framework 4 Symbols (And Abbreviations) Symbol or Abbreviation ABA ABarA CA CARAT CP CPS CRL DAM FIPS Ientratlon / Veritcation senlices : Confidentiality I x I I Authentication I I x I x Integrity I I x I x 12 Copyright American National Standards Institute Provided by
34、 IHS under license with ANSI Licensee=IHS Employees/1111111001, User=OConnor, Maurice Not for Resale, 04/29/2007 13:23:57 MDTNo reproduction or networking permitted without license from IHS -,-,- O2Oo0 American Bankers Association 6.2 PKI Models ANS x9.79:2000, Public Key Infrastructure - Practices
35、and Policy Framework Public Key Infrastructure is not an end unto itself, but it enables the supporting cryptographic functions for the requisite security services. Most real-world activities take place within some context, often referred to as a community. For example, a single company with its emp
36、loyees and contractors comprises a community. Similarly, a set of trading partners may comprise a Business-to-Business (B2B) trading community involving each of the discrete businesses and their employees who directly participate in the trading community. The purpose for deploying a PKI should be to
37、 facilitate secure interactions amongst members of a community in compliance with a set of policies governing community interactions. It is therefore useful to defiie models for PKI systems in terms of communities and associated policies. For the purposes of this document, three high-level models fo
38、r community interaction are presented which will be used to establish the scope for this standard. 6.2.1 Closed Model Some communities are, by their nature, self-contained with their own well-defined policies. For example, a business (or enterprise) and its employees and management would represent s
39、uch a self-contained community with policies dictated by the management. A PKI for such communities need not extend beyond this narrowly defined community context, and can be considered a “closed” model-i.e., the PKI policies, practices and procedures are of only local interest to the community serv
40、ed. While this document may serve as guidance to implementers of closed PKI systems, such systems are outside the scope of this standard. 6.2.2 Network Model There are also communities that can best be described as a union or conglomeration of multiple distinct communities. Industry associations, tr
41、ading partnerships, and market exchanges are all typical examples of such communities of communities. For instance, a stock exchange can be said to comprise a conglomeration of multiple communities of different types, such as brokerage fiis, investment bankers, traders, and investors. Another exampl
42、e would be a financial services transaction-interchange network for either corporate or retail consumer funds transfer transactions involving customers, merchants, acquiring banks and issuer banks. A PKI deployed to support the interactions between members of such extended communities is defined as
43、a “network” model. This document intends to directly address the issues associated with defining policies, practices and procedures for PKI systems that comply with this network model, particularly for the financial services industry. 6.2.3 Open Model Some communities are very broad in nature, and m
44、ay be associated with policies that are either informal, or largely specified in regulations and legislation. Some examples are the community of all retail consumers or the community that comprises everyone who corresponds via email. A PKI model serving such broad communities is referred to as “open
45、.” This standard does not address the policies, practices and procedures appropriate for open model PKI systems. 13 Copyright American National Standards Institute Provided by IHS under license with ANSI Licensee=IHS Employees/1111111001, User=OConnor, Maurice Not for Resale, 04/29/2007 13:23:57 MDT
46、No reproduction or networking permitted without license from IHS -,-,- O2Oo0 American Bankers Association ANS x9.79:2000, Public Key Infrastructure - Practices and Policy Framework 6.3 PKI Perspectives PKI may be viewed from a number of different perspectives. Functional, legal, regulatory and busin
47、ess perspectives are presented below. 6.3.1 Functional Perspective The hardware, software and security procedures provide a rich set of PKI fwictions that can be logically grouped into PKI roles. The roles and their corresponding functions are listed below. 1. Policy Authority (PA) performs the foll
48、owing functions: - - - - - - - Authorizes parties to act as Certification Authorities under the Policies Creates, maintains and approves the Certificate Policies Distributes and promotes Certificate Policies Interprets adherence to the Policies Specifies the content of public-key certificates Resolves or causes resolution of disputes related to Certificate Policies Remains current regarding potential security threats and policy inadequacies 2. Certificate Issuer (CI) performs the following functions: - Issues public-key certifi