Reference number ISO 21188:2006(E)
© ISO 2006

INTERNATIONAL STANDARD ISO 21188
First edition 2006-05-01

Public key infrastructure for financial services - Practices and policy framework
Infrastructure de clé publique pour services financiers - Pratique et cadre politique

Copyright International Organization for Standardization. Provided by IHS under license with ISO. Licensee=IHS Employees/1111111001, User=Wing, Bernie. Not for Resale, 04/03/2007 22:55:40 MDT. No reproduction or networking permitted without license from IHS.

PDF disclaimer

This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this area.

Adobe is a trademark of Adobe Systems Incorporated.

Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event that a problem relating to it is found, please inform the Central Secretariat at the address given below.

© ISO 2006. All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester.

ISO copyright office
Case postale 56
CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.org
Web www.iso.org

Published in Switzerland

Contents .... Page
Foreword .... iv
Introduction .... v
1 Scope .... 1
2 Normative references .... 1
3 Terms and definitions .... 2
4 Abbreviated terms .... 8
5 Public key infrastructure (PKI) .... 9
5.1 General .... 9
5.2 What is PKI? .... 9
5.3 Business requirement impact on PKI environment .... 10
5.4 Functional perspectives .... 14
5.5 Business perspectives .... 19
5.6 Certificate policy (CP) .... 21
5.7 Certification practice statement (CPS) .... 23
5.8 Relationship between certificate policy and certification practice statement .... 24
5.9 Agreements .... 25
5.10 Time-stamping .... 26
6 Certificate policy and certification practice statement requirements .... 27
6.1 Certificate policy (CP) .... 27
6.2 Certification practice statement (CPS) .... 29
7 Certification authority control objectives .... 29
7.1 General .... 29
7.2 CA environmental control objectives .... 30
7.3 CA key life cycle management control objectives .... 32
7.4 Subject key life cycle management control objectives .... 33
7.5 Certificate life cycle management control objectives .... 34
7.6 CA certificate life cycle management controls .... 36
8 Certification authority control procedures .... 36
8.1 General .... 36
8.2 CA environmental controls .... 36
8.3 CA key life cycle management controls .... 51
8.4 Subject key life cycle management controls .... 55
8.5 Certificate life cycle management controls .... 60
8.6 CA certificate life cycle management controls .... 67
Annex A (informative) Management by certificate policy .... 69
Annex B (informative) Elements of a certification practice statement .... 78
Annex C (informative) Object identifiers (OID) .... 94
Annex D (informative) CA key generation ceremony .... 96
Annex E (informative) Mapping of RFC 2527 to RFC 3647 .... 100
Bibliography .... 106

Foreword

ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO member bodies). The work of preparing International Standards is normally carried out through ISO technical committees. Each member body interested in a subject for which a technical committee has been established has the right to be represented on that committee. International organizations, governmental and non-governmental, in liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of electrotechnical standardization.

International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 2.

The main task of technical committees is to prepare International Standards. Draft International Standards adopted by the technical committees are circulated to the member bodies for voting. Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.

Attention is drawn to the possibility that some of the elements of this document may be the subject of patent rights. ISO shall not be held responsible for identifying any or all such patent rights.

ISO 21188 was prepared by Technical Committee ISO/TC 68, Financial services, Subcommittee SC 2, Security management and general banking operations.

Introduction

Institutions and intermediaries are building infrastructures to provide new electronic financial transaction capabilities for consumers, corporations and government entities. As the volume of electronic financial transactions continues to grow, advanced security technology using digital signatures and authority systems can become part of the financial transaction process. Financial transaction systems incorporating advanced security technology have requirements to ensure the privacy, authenticity and integrity of financial transactions conducted over communications networks.

The financial services industry relies on several time-honoured methods of electronically identifying, authorizing and authenticating entities and protecting financial transactions. These methods include, but are not limited to, Personal Identification Numbers (PINs) and Message Authentication Codes (MACs) for retail and wholesale financial transactions, user IDs and passwords for network and computer access, and key management for network connectivity. Over the last twenty years the financial services industry has developed risk management processes and policies to support the use of these technologies in financial applications.

The expanded use of Internet technologies by the financial services industry and the needs of the industry in general to provide safe, private and reliable financial transaction and computing systems have given rise to advanced security technology incorporating public key cryptography. Public key cryptography requires a business-optimized infrastructure of technology, management and policy (a public key infrastructure or PKI, as defined in this document) to satisfy requirements of electronic identification, authentication, message integrity protection and authorization in financial application systems. The use of standard practices for electronic identification, authentication and authorization in a PKI ensures more consistent and predictable security in these systems and confidence in electronic communications. Confidence (i.e. trust) can be achieved when compliance to standard practices can be ascertained.

Applications serving the financial services industry can be developed with digital signature and PKI capabilities. The safety and the soundness of these applications are based, in part, on implementations and practices designed to ensure the overall integrity of the infrastructure. Users of authority-based systems that electronically bind the identity of individuals and other entities to cryptographic materials (e.g. cryptographic keys) benefit from standard risk management systems and the base of auditable practices defined in this International Standard.

Members of the International Organization for Standardization Technical Committee 68 have made a commitment to public key technology by developing technical standards and guidelines for digital signatures, key management, certificate management and data encryption. ISO 15782 parts 1 and 2 define a certificate management system for financial industry use, but do not include certificate policy and certification practices requirements. This International Standard complements ISO 15782 parts 1 and 2 by providing a framework for managing a PKI through certificate policies, certification practice statements, control objectives and supporting procedures. For implementers of these International Standards, the degree to which any entity in a financial transaction can rely on the implementation of public key infrastructure standards and the extent of interoperability between PKI-based systems using these International Standards will depend partly on factors relative to policy and practices defined in this document.

INTERNATIONAL STANDARD ISO 21188:2006(E)

Public key infrastructure for financial services - Practices and policy framework

1 Scope

This International Standard sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. This International Standard draws a distinction between PKI systems used in open, closed and contractual environments. It further defines the operational practices relative to financial services industry accepted information systems control objectives. This International Standard is intended to help implementers to define PKI practices that can support multiple certificate policies that include the use of digital signature, remote authentication and data encryption.

This International Standard facilitates the implementation of operational, baseline PKI control practices that satisfy the requirements for the financial services industry in a contractual environment. While the focus of this International Standard is on the contractual environment, application of this document to other environments is not specifically precluded.

For the purposes of this document, the term "certificate" refers to public key certificates. Attribute certificates are outside the scope of this International Standard.

This International Standard is targeted for several audiences having dissimilar needs and therefore the use of this document will have a different focus for each.

- Business Managers and Analysts are those who require information regarding using PKI technology in their evolving businesses (e.g., electronic commerce) and should focus on Clauses 1 to 6.
- Technical Designers and Implementers are those who are writing their certificate policy(ies) and certification practice statement(s) and should focus on Clauses 6 to 8 and Annexes A to F.
- Operational Management and Auditors are those who are responsible for day-to-day operations of the PKI and validating compliance to this document and should focus on Clauses 6 to 8.

2 Normative references

The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.

ISO/IEC 7810, Identification cards - Physical characteristics
ISO/IEC 7811, Identification cards - Recording technique (parts 1 to 5)
ISO/IEC 7813, Identification cards - Financial transaction cards
ISO/IEC 7816, Identification cards - Integrated circuit cards (parts 1 to 12 and 15)
ISO/IEC 9594-8:1995, Information technology - Open Systems Interconnection - The Directory: Authentication framework
ISO/IEC 9834-1:1993, Information technology - Open Systems Interconnection - Procedures for the operation of OSI Registration Authorities: General procedures - Part 1
ISO 10202, Financial transaction cards - Security architecture of financial transaction systems using integrated circuit cards (eight parts)
ISO/IEC 10646-1, Information technology - Universal Multiple-Octet Coded Character Set (UCS) - Part 1: Architecture and Basic Multilingual Plane
ISO/IEC 15408, Information technology - Security techniques - Evaluation criteria for IT security (three parts)
ISO 15782-1:2003, Certificate management for financial services - Part 1: Public key certificates
ISO 15782-2, Banking - Certificate management - Part 2: Certificate extensions
ISO/IEC 17799, Information technology - Security techniques - Code of practice for information security management
ISO 18014-2, Information technology - Security techniques - Time-stamping services - Part 2: Mechanisms producing independent tokens
ISO 18014-3, Information technology - Security techniques - Time-stamping services - Part 3: Mechanisms producing linked tokens
ISO/IEC 18032, Information technology - Security techniques - Prime number generation
ISO 18033, Information technology - Security techniques - Encryption algorithms (parts 1 to 4)
