
BS ISO/IEC 9594-8:2017

$215.11

Information technology. Open Systems Interconnection. The Directory – Public-key and attribute certificate frameworks

Published by: BSI
Publication date: 2017
Number of pages: 258


PDF Catalog

PDF page | Section heading (the PDF page number is shown only for the first entry that starts on that page; the following entries without a number start on the same page)
2 National foreword
13 1 Scope
2 Normative references
2.1 Identical Recommendations | International Standards
14 2.2 Paired Recommendations | International Standards equivalent in technical content
2.3 Recommendations
2.4 Other references
3 Definitions
3.1 OSI Reference Model security architecture definitions
15 3.2 Baseline identity management terms and definitions
3.3 Directory model definitions
3.4 Access control framework definitions
3.5 Public-key and attribute certificate definitions
19 4 Abbreviations
20 5 Conventions
6 Frameworks overview
21 6.1 Digital signatures
22 6.2 Public-key cryptography and cryptographic algorithms
6.2.1 Formal specification of public-key cryptography
6.2.2 Formal definitions of cryptographic algorithms
23 6.3 Distinguished encoding of basic encoding rules
24 6.4 Applying distinguished encoding
6.5 Using repositories
25 7 Public keys and public-key certificates
7.1 Introduction
7.2 Public-key certificate
27 7.3 Public-key certificate extensions
28 7.4 Types of public-key certificates
7.5 Trust anchor
29 7.6 Entity relationship
30 7.7 Certification path
31 7.8 Generation of key pairs
7.9 Public-key certificate creation
32 7.10 Certificate revocation list
7.10.1 Certificate revocation list principles
33 7.10.2 Certificate revocation list syntax
34 7.11 Uniqueness of names
7.12 Indirect CRLs
7.12.1 Introduction
35 7.12.2 Indirect CRL contents
36 7.13 Repudiation of a digital signing
8 Trust models
8.1 Three-cornered trust model
37 8.2 Four-cornered trust model
38 9 Public-key certificate and CRL extensions
9.1 Policy handling
9.1.1 Certificate policy
39 9.1.2 Cross-certificates and policy handling
9.1.3 Policy mapping
40 9.1.4 Certification path processing
9.1.5 Self-issued certificates
41 9.2 Key and policy information extensions
9.2.1 Requirements
9.2.2 Public-key certificate and CRL extensions
42 9.2.2.1 Authority key identifier extension
9.2.2.2 Subject key identifier extension
9.2.2.3 Key usage extension
44 9.2.2.4 Extended key usage extension
9.2.2.5 Private key usage period extension
45 9.2.2.6 Certificate policies extension
46 9.2.2.7 Policy mappings extension
47 9.2.2.8 Authorization and validation extension
9.3 Subject and issuer information extensions
9.3.1 Requirements
9.3.2 Certificate and CRL extensions
9.3.2.1 Subject alternative name extension
48 9.3.2.2 Issuer alternative name extension
49 9.3.2.3 Subject directory attributes extension
9.4 Certification path constraint extensions
9.4.1 Requirements
50 9.4.2 Public-key certificate extensions
9.4.2.1 Basic constraints extension
51 9.4.2.2 Name constraints extension
52 9.4.2.3 Policy constraints extension
53 9.4.2.4 Inhibit any policy extension
9.5 Basic CRL extensions
9.5.1 Requirements
54 9.5.2 CRL extensions
9.5.2.1 CRL number extension
9.5.2.2 Status referral extension
56 9.5.2.3 CRL stream identifier extension
9.5.2.4 Ordered list extension
9.5.2.5 Delta Information extension
9.5.2.6 To be revoked extension
58 9.5.2.7 Revoked group of certificates extension
59 9.5.2.8 Expired certificates on CRL extension
9.5.3 CRL entry extension
9.5.3.1 Reason code extension
60 9.5.3.2 Hold instruction code extension
9.5.3.3 Invalidity date extension
61 9.6 CRL distribution points and delta CRL extensions
9.6.1 Requirements
9.6.2 CRL distribution point and delta CRL extensions
62 9.6.2.1 CRL distribution points extension
63 9.6.2.2 Issuing distribution point extension
64 9.6.2.3 Certificate issuer extension
65 9.6.2.4 Delta CRL indicator extension
9.6.2.5 Base update time extension
9.6.2.6 Freshest CRL extension
10 Delta CRL relationship to base
67 11 Authorization and validation lists
11.1 Authorization and validation list concept
11.2 The authorizer
11.3 Authorization and validation list syntax
69 11.4 Authorization and validation restrictions
11.4.3 Protocol restrictions
12 Certification path processing procedure
12.1 Path processing inputs
70 12.2 Path processing outputs
71 12.3 Path processing variables
12.4 Initialization step
12.5 Public-key certificate processing
12.5.1 Basic public-key certificate checks
72 12.5.2 Processing intermediate certificates
73 12.5.3 Explicit policy indicator processing
12.5.4 Final processing
74 13 PKI directory schema
13.1 PKI directory object classes and name forms
13.1.1 PKI user object class
13.1.2 PKI CA object class
13.1.3 CRL distribution points object class and name form
13.1.4 Delta CRL object class
75 13.1.5 Certificate Policy and CPS object class
13.1.6 PKI certification path object class
13.2 PKI directory attributes
13.2.1 User certificate attribute
13.2.2 CA certificate attribute
13.2.3 Cross-certificate pair attribute type
76 13.2.4 Public-key certificate revocation list attribute type
13.2.5 End-entity public-key certificate revocation list attribute type
13.2.6 CA revocation list attribute type
13.2.7 Delta revocation list attribute
77 13.2.7 Supported algorithms attribute
13.2.8 Certification practice statement attribute
13.2.9 Certificate policy attribute
78 13.2.10 PKI path attribute
13.3 PKI directory matching rules
13.3.1 Certificate exact match
13.3.2 Certificate match
80 13.3.3 Certificate pair exact match
13.3.4 Certificate pair match
13.3.5 Certificate list exact match
13.3.6 Certificate list match
81 13.3.7 Algorithm identifier match
13.3.8 Policy match
13.3.9 PKI path match
82 13.3.10 Enhanced certificate match
83 13.4 PKI directory syntax definitions
13.4.1 X.509 Certificate syntax
13.4.2 X.509 Certificate List syntax
13.4.3 X.509 Certificate Pair syntax
13.4.4 X.509 Supported Algorithm
13.4.5 X.509 Certificate Exact Assertion
84 13.4.6 X.509 Certificate Assertion
13.4.7 X.509 Certificate Pair Exact Assertion
13.4.8 X.509 Certificate Pair Assertion
13.4.9 X.509 Certificate List Exact Assertion syntax
13.4.10 X.509 Certificate List Assertion syntax
13.4.11 X.509 Algorithm Identifier syntax
85 14 Attribute certificates
14.1 Attribute certificate structure
88 14.2 Delegation paths
14.3 Attribute certificate revocation lists
14.3.1 Attribute certificate revocation list principles
89 14.3.2 Attribute certificate revocation list syntax
15 Attribute authority, source of authority and certification authority relationship
91 15.1 Privilege in attribute certificates
15.2 Privilege in public-key certificates
16 PMI models
16.1 General model
92 16.1.1 PMI in access control context
93 16.1.2 PMI in a non-repudiation context
16.2 Control model
16.3 Delegation model
94 16.4 Group assignment model
16.4.1 Direct group naming
95 16.4.2 Group role naming
16.5 Roles model
16.5.1 Role attribute type
96 16.6 Recognition of Authority Model
100 16.7 XML privilege information attribute
101 16.8 Permission attribute and matching rule
16.8.1 Permission attribute
16.8.2 Dual string matching rule
17 Attribute certificate and attribute certificate revocation list extensions
102 17.1 Basic privilege management extensions
17.1.1 Requirements
17.1.2 Basic privilege management extension
17.1.2.1 Time specification extension
17.1.2.1.1 Time specification extension definition
103 17.1.2.1.2 Time specification matching rule
17.1.2.2 Targeting information extension
17.1.2.3 User notice extension
104 17.1.2.4 Acceptable privilege policies extension
17.1.2.5 Single use extension
105 17.1.2.6 Group attribute certificate extension
17.1.2.7 Authority key identifier extension
17.2 Privilege revocation extensions
17.2.1 Requirements
17.2.2 Privilege revocation extensions
17.2.2.1 Use of CRL distribution points extension
17.2.2.2 AA issuing distribution point extension
106 17.2.2.3 Use of certificate issuer extension
107 17.2.2.4 Use of delta CRL indicator extension
17.2.2.5 Use of base update extension
17.2.2.6 Use of freshest CRL extension
17.2.2.7 No revocation information available extension
17.3 Source of authority extensions
17.3.1 Requirements
17.3.2 SOA extensions
17.3.2.1 SOA identifier extension
17.3.2.1.1 SOA identifier extension definition
108 17.3.2.1.2 SOA identifier matching rule
17.3.2.2 Attribute descriptor extension
17.3.2.2.1 Attribute descriptor extension definition
109 17.3.2.2.2 Attribute descriptor matching rule
17.4 Role extensions
17.4.1 Requirements
17.4.2 Role extensions
17.4.2.1 Role specification certificate identifier extension
17.4.2.1.1 Role specification certificate identifier extension definition
110 17.4.2.1.2 Role specification certificate ID matching rule
17.5 Delegation extensions
17.5.1 Requirements
111 17.5.2 Delegation extensions
17.5.2.1 Basic attribute constraints extension
17.5.2.1.1 Basic attribute constraints extension definition
112 17.5.2.1.2 Basic attribute constraints matching rule
17.5.2.2 Delegated name constraints extension
17.5.2.2.1 Delegated name constraints extension definition
17.5.2.2.2 Delegated name constraints matching rule
113 17.5.2.3 Acceptable certificate policies extension
17.5.2.3.1 Acceptable certificate policies extension definition
17.5.2.3.2 Acceptable certificate policies matching rule
17.5.2.4 Authority attribute identifier extension
17.5.2.4.1 Authority attribute identifier extension definition
114 17.5.2.4.2 AA identifier matching rule
17.5.2.5 Indirect issuer extension
17.5.2.6 Issued on behalf of extension
17.5.2.7 No assertion extension
115 17.6 Recognition of authority extensions
17.6.1 Requirements
17.6.2 RoA extensions
17.6.2.1 Allowed attribute assignments extension
17.6.2.2 Attribute mappings extension
116 17.6.2.3 Holder name constraints extension
117 17.6.2.4 Relationship of delegated name constraints to holder name constraints
17.7 Use of basic CRL extension for ACRLs
17.7.1 Requirements
17.7.2 Use of CRL extensions
17.7.2.1 Use of CRL number extension for ACRL
17.7.2.2 Use of status referral extension for ACRL
118 17.7.2.3 Use of CRL stream identifier for ACRL
17.7.2.4 Use of ordered list extension for ACRL
17.7.2.5 Use of delta information extension for ACRL
17.7.2.6 Use of to be revoked extension for ACRL
119 17.7.2.7 Use of revoked group of certificates extension
120 17.7.2.8 Use of expired certificates on ACRL extension
17.7.3 Use of CRL entry extensions
17.7.3.1 Use of reason code extension
121 17.7.3.2 Use of hold instruction code extension
18 Delegation path processing procedure
18.1 Basic processing procedure
122 18.2 Role processing procedure
18.3 Delegation processing procedure
123 18.3.1 Verify integrity of domination rule
18.3.2 Establish valid delegation path
18.3.2.1 Use of authority information access extension
124 18.3.2.2 Use of authority key identifier
18.3.3 Verify privilege delegation
18.3.4 Pass/fail determination
19 PMI directory schema
125 19.1 PMI directory object classes
19.1.1 PMI user object class
19.1.2 PMI AA object class
19.1.3 PMI SOA object class
19.1.4 Attribute certificate CRL distribution point object class
19.1.5 PMI delegation path object class
126 19.1.6 Privilege policy object class
19.1.7 Protected privilege policy object class
19.2 PMI directory attributes
19.2.1 Attribute certificate attribute
19.2.2 AA certificate attribute
19.2.3 Attribute descriptor certificate attribute
19.2.4 Attribute certificate revocation list attribute
19.2.5 End-entity attribute certificate revocation list attribute type
127 19.2.6 AA certificate revocation list attribute
19.2.7 Delegation path attribute
19.2.8 Privilege policy attribute
19.2.9 Protected privilege policy attribute
19.2.10 XML Protected privilege policy attribute
128 19.3 PMI general directory matching rules
19.3.1 Attribute certificate exact match
19.3.2 Attribute certificate match
19.3.3 Holder issuer match
129 19.3.4 Delegation path match
19.3.5 Extension presence match
130 20 Protocol support for public-key and privilege management infrastructures
20.1 General syntax
20.2 Wrapping of non-encrypted protocol data units
131 20.3 Wrapping of encrypted protocol data unit
20.3.1 Use of the Diffie-Hellman key agreement method
20.3.2 Encryption information syntax
20.3.3 Key agreement specification
132 20.3.4 Generation of keying material
133 20.3.5 Encryption encoding
20.4 Check of PKI-PMI-Wrapper protocol elements
20.4.1 General checking
20.4.2 Specific checking when not encrypting the wrapped PDU
134 20.4.3 Specific checking when encrypting the wrapped PDU
20.4.3.1 Checking of the key agreement specification
20.4.3.2 Checking of the encrypted PDU information
20.5 PKI-PMI-Wrapper error codes
135 21 Authorization and validation list management
21.1 General
21.2 Defined protocol data unit (PDU) types
21.3 Checking of received PDU
136 21.4 Authorization and validation management protocol
21.4.1 Authorization validation management introduction
21.4.2 Authorization and validation management protocol common components
21.4.3 Public-key certificate management
137 21.4.4 Add authorization and validation list
139 21.4.4 Replace authorization and validation list
21.4.5 Delete authorization and validation list
140 21.4.6 Authorization and validation list reject
141 21.4.7 Authorization and validation list error codes
142 21.5 Certification authority subscription protocol
21.5.1 Certification authority subscription introduction
21.5.2 Certification authority subscription common components
143 21.5.3 Public-key certificate subscription
144 21.5.4 Public-key certificate un-subscription
146 21.5.5 Public-key certificate replacements
147 21.5.6 End-entity public-key certificate updates
148 21.5.7 Certification authority subscription reject
149 21.5.8 Certification authority subscription error codes
22 Trust broker protocol
194 C.1 Certificate extension attribute concept
C.2 Formal specification for certificate extension attribute types
211 E.1 Introduction
E.1.1 CRL types
212 E.1.2 CRL processing
E.2 Determine parameters for CRLs
213 E.3 Determine CRLs required
E.3.1 End-entity public-key certificate with critical CRL distribution point extension
E.3.2 End-entity public-key certificate with no critical CRL distribution point extension
E.3.3 CA with critical CRL DP
214 E.3.4 CA with no critical CRL DP
E.4 Obtain CRLs
E.5 Process CRLs
E.5.1 Validate base CRL scope
E.5.1.1 Complete CRL
215 E.5.1.2 Complete EPRL
E.5.1.3 Complete CARL
E.5.1.4 Distribution point based CRL/EPRL/CARL
216 E.5.2 Validate delta CRL scope
217 E.5.3 Validity and currency checks on the base CRL
E.5.4 Validity and checks on the delta CRL
220 G.1 Introduction
G.2 Sample syntaxes
G.2.1 First example
222 G.2.2 Second example
224 G.3 Privilege attribute example
227 I.1 Example 1: Use of basic constraints
I.2 Example 2: Use of policy mapping and policy constraints
I.3 Use of name constraints extension
I.3.1 Examples of public-key certificate format with name constraints extension
228 I.3.1.1 Examples of permittedSubtrees
229 I.3.1.2 Examples of excludedSubtrees
230 I.3.1.3 Examples of permittedSubtrees and excludedSubtrees
I.3.2 Examples of certificate handling with name constraints extension
I.3.2.1 Name space constraints by permitted-subtrees in distinguished name form
232 I.3.2.2 Name spaces constraints by excluded-subtrees in distinguished name form
233 I.3.2.3 Name spaces constraints by permitted-subtrees in multiple name forms
234 I.3.2.4 Name spaces constraints by excluded-subtrees in multiple name forms
I.3.3 Examples where multiple cross-certificates with name constraints extension are needed
235 I.3.3.1 Conflicting name space constraints requirements
I.3.3.2 Disjunctive evaluation of name space constraints
236 J.1 Certification path valid for a user-specified policy required
237 J.2 Certification path valid for any policy required
J.3 Certification path valid regardless of policy
J.4 Certification path valid for a user-specific policy desired, but not required
239 L.1 CRL scope extension
242 M.1 Scope
M.2 Basic directory concepts
M.3 Directory schema
243 M.4 Directory distinguished names
M.5 Subtrees
244 N.1 Introduction
245 N.2 One-way authentication
N.3 Two-way authentication
246 N.4 Three-way authentication
247 N.5 Five-way authentication (initiated by A)
248 N.6 Five-way authentication (initiated by B)
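As an added, runnable illustration of what clause 9.4.2.2 (name constraints extension) and Annex I.3 (examples of certificate handling with name constraints) cover, the following Python models name-constraints evaluation. It is example code written for this listing, not text or code from the standard or from BSI. It assumes the general X.509 rule that a subject name is acceptable if it lies within at least one permittedSubtrees entry of its name form (when any is present) and within no excludedSubtrees entry, with excluded subtrees taking precedence and permitted subtrees of one form evaluated disjunctively (Annex I.3.3.2). Only the directoryName and dNSName forms are modelled; a distinguished name is simplified to a tuple of RDN strings, and all subject names, subtrees and the two-certificate path are constructed for the example.

```python
"""Name constraints evaluation in the style of X.509 clause 9.4.2.2 / Annex I.3.

Added example, not code from the standard. Directory names are modelled as
tuples of RDN strings in root-first order; DNS names as plain strings.
"""
from dataclasses import dataclass, field

# Simplified distinguished name: ("C=GB", "O=Example", "CN=alice").
# Real DNs compare attribute by attribute; string equality is an assumption.
DN = tuple[str, ...]


@dataclass
class GeneralSubtrees:
    """Constructed subset of a GeneralSubtrees value: only two name forms."""
    directory: list[DN] = field(default_factory=list)
    dns: list[str] = field(default_factory=list)


def dn_within(name: DN, base: DN) -> bool:
    """Directory-name subtree test: the base DN must be a prefix of the name."""
    return name[:len(base)] == base


def dns_within(name: str, base: str) -> bool:
    """DNS subtree test: the name equals the base or is a subdomain of it.
    Comparison is case-insensitive and ignores a trailing dot."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return name == base or name.endswith("." + base)


def name_permitted(name, permitted: GeneralSubtrees, excluded: GeneralSubtrees) -> bool:
    """Apply one name constraints extension to a single subject name.
    `name` is a DN tuple or a DNS string."""
    if isinstance(name, tuple):
        within, p, e = dn_within, permitted.directory, excluded.directory
    else:
        within, p, e = dns_within, permitted.dns, excluded.dns
    # excludedSubtrees take precedence: any match rejects the name.
    if any(within(name, base) for base in e):
        return False
    # permittedSubtrees of the same form are evaluated disjunctively; with
    # no permitted subtree of this form the form is unconstrained.
    if p and not any(within(name, base) for base in p):
        return False
    return True


def path_permits(name, constraints_along_path: list) -> bool:
    """Check a subject name against every name constraints extension met on
    the certification path (one (permitted, excluded) pair per CA certificate).
    Satisfying all of them is the intersection of permitted subtrees and the
    union of excluded subtrees, which is how constraints accumulate on a path."""
    return all(name_permitted(name, p, e) for p, e in constraints_along_path)


# Constructed path: a cross-certificate confines the subordinate CA to
# O=Example under C=GB and to example.com; the subordinate CA's own
# certificate additionally excludes the HR subtree in both name forms.
CROSS_CERT_NC = (
    GeneralSubtrees(directory=[("C=GB", "O=Example")], dns=["example.com"]),
    GeneralSubtrees(),
)
SUB_CA_NC = (
    GeneralSubtrees(),
    GeneralSubtrees(directory=[("C=GB", "O=Example", "OU=HR")], dns=["hr.example.com"]),
)
PATH = [CROSS_CERT_NC, SUB_CA_NC]


def evaluate_samples() -> dict:
    """Evaluate constructed subject names against PATH; returns label -> bool."""
    samples = {
        "alice": ("C=GB", "O=Example", "OU=Eng", "CN=alice"),   # permitted
        "bob_hr": ("C=GB", "O=Example", "OU=HR", "CN=bob"),     # excluded by sub CA
        "mallory": ("C=GB", "O=Other", "CN=mallory"),           # outside permitted DN
        "www": "www.example.com",                               # permitted
        "hr_host": "payroll.hr.example.com",                    # excluded by sub CA
        "lookalike": "example.com.evil.test",                   # not a subdomain
        "bare_suffix": "notexample.com",                        # suffix match needs a dot
    }
    return {label: path_permits(name, PATH) for label, name in samples.items()}


if __name__ == "__main__":
    for label, ok in evaluate_samples().items():
        print(f"{label:12s} {'permitted' if ok else 'rejected'}")
```

The two trailing cases are the ones a hand-rolled checker most often gets wrong: a name that merely contains the constraint as a substring (`example.com.evil.test`) or shares its trailing characters without a label boundary (`notexample.com`) must not match a dNSName subtree.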