DSTU ISO/IEC 9594-8:2021 Information technology. Open systems interconnection. Part 8. The Directory. Public-key and attribute certificate frameworks (ISO/IEC 9594-8:2020, IDT)
ENDORSEMENT NOTICE
State Enterprise
"Ukrainian Research and Training Center
for Problems of Standardization, Certification and Quality"
(SE "UkrNDNC")
Order No. 512 of 16.12.2021
ISO/IEC 9594-8:2020
Information technology — Open systems interconnection —
Part 8: The Directory: Public-key and attribute certificate frameworks
adopted as a national standard
by the endorsement method under the designation
DSTU ISO/IEC 9594-8:2021
(ISO/IEC 9594-8:2020, IDT)
Information technology. Open systems interconnection.
Part 8. The Directory, public-key and attribute certificate frameworks
Effective from 2021-12-22
This is not an official edition.
The official edition is distributed by the national standardization body
(SE "UkrNDNC" http://uas.gov.ua)
Contents
SECTION 1 - General
1 Scope
2 Normative references
2.1 Identical Recommendations | International Standards
2.2 Paired Recommendations | International Standards equivalent in technical content
2.3 Recommendations
2.4 Other references
3 Definitions
3.1 OSI Reference Model security architecture definitions
3.2 Baseline identity management terms and definitions
3.3 Directory model definitions
3.4 Access control framework definitions
3.5 Public-key and attribute certificate definitions
4 Abbreviations
5 Conventions
6 Frameworks overview
6.1 Digital signatures
6.2 Public-key cryptography and cryptographic algorithms
6.3 Distinguished encoding of basic encoding rules
6.4 Applying distinguished encoding
6.5 Using repositories
SECTION 2 - PUBLIC-KEY CERTIFICATE FRAMEWORK
7 Public keys and public-key certificates
7.1 Introduction
7.2 Public-key certificate
7.3 Public-key certificate extensions
7.4 Types of public-key certificates
7.5 Trust anchor
7.6 Entity relationship
7.7 Certification path
7.8 Generation of key pairs
7.9 Public-key certificate creation
7.10 Certificate revocation list
7.11 Uniqueness of names
7.12 Indirect CRLs
7.13 Repudiation of a digital signing
8 Trust models
8.1 Three-cornered trust model
8.2 Four cornered trust model
9 Public-key certificate and CRL extensions
9.1 Policy handling
9.2 Key and policy information extensions
9.3 Subject and issuer information extensions
9.4 Certification path constraint extensions
9.5 Basic CRL extensions
9.6 CRL distribution points and delta CRL extensions
9.7 Authorization and validation list extensions
9.8 Alternative cryptographic algorithms and digital signature extensions
10 Delta CRL relationship to base
11 Authorization and validation lists
11.1 Authorization and validation list concept
11.2 The authorizer
11.3 Authorization and validation list syntax
11.4 Multiple cryptographic algorithms for authorization and validation list
12 Certification path processing procedure
12.1 Path processing inputs
12.2 Path processing outputs
12.3 Path processing variables
12.4 Initialization step
12.5 Public-key certificate processing
13 PKI directory schema
13.1 PKI directory object classes and name forms
13.2 PKI directory attributes
13.3 PKI directory matching rules
13.4 PKI directory syntax definitions
SECTION 3 - ATTRIBUTE CERTIFICATE FRAMEWORK
14 Attribute certificates
14.1 General
14.2 Attribute certificate syntax
14.3 Multiple cryptographic algorithms for attribute certificates
14.4 Delegation paths
14.5 Attribute certificate revocation lists
15 Attribute authority, source of authority and certification authority relationship
15.1 Privilege in attribute certificates
15.2 Privilege in public-key certificates
16 PMI models
16.1 General model
16.2 Control model
16.3 Delegation model
16.4 Group assignment model
16.5 Roles model
16.6 Recognition of Authority Model
16.7 XML privilege information attribute
16.8 Permission attribute and matching rule
17 Attribute certificate and attribute certificate revocation list extensions
17.1 Basic privilege management extensions
17.2 Privilege revocation extensions
17.3 Source of authority extensions
17.4 Role extensions
17.5 Delegation extensions
17.6 Recognition of authority extensions
17.7 Use of alternative digital signature algorithm and digital signature extensions
18 Delegation path processing procedure
18.1 Basic processing procedure
18.2 Role processing procedure
18.3 Delegation processing procedure
19 PMI directory schema
19.1 PMI directory object classes
19.2 PMI directory attributes
19.3 PMI general directory matching rules
Annex A - Public-key and attribute certificate frameworks
Annex B - Reference definition of cryptographic algorithms
Annex C - Certificate extension attribute types
Annex D - External ASN.1 modules
Annex E - CRL generation and processing rules
Annex F - Examples of delta CRL issuance
Annex G - Privilege policy and privilege attribute definition examples
Annex H - An introduction to public key cryptography
Annex I - Examples of use of certification path constraints
Annex J - Guidance on determining for which policies a certification path is valid
Annex K - Key usage certificate extension issues
Annex L - Deprecated extensions
Annex M - Directory concepts
Annex N - Considerations on strong authentication
Annex O - Alphabetical list of information item definitions
Annex P - Amendments and corrigenda
Bibliography