Health informatics — Public key infrastructure — Part 2: Certificate profile

ISO 17090-2:2015 specifies the certificate profiles required to interchange healthcare information within a single organization, between different organizations and across jurisdictional boundaries. It details the use made of digital certificates in the health industry and focuses, in particular, on specific healthcare issues relating to certificate profiles.

Informatique de santé — Infrastructure de clé publique — Partie 2: Profil de certificat

General Information

Status: Published
Publication Date: 15-Nov-2015
Current Stage: 9093 - International Standard confirmed
Start Date: 09-Jul-2021
Completion Date: 19-Apr-2025

Standard
ISO 17090-2:2015 - Health informatics -- Public key infrastructure
English language
32 pages

Standards Content (Sample)


INTERNATIONAL STANDARD ISO 17090-2
Second edition
2015-11-15
Health informatics — Public key infrastructure — Part 2: Certificate profile
Informatique de santé — Infrastructure de clé publique — Partie 2: Profil de certificat
© ISO 2015, Published in Switzerland
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized otherwise in any form
or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior
written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of
the requester.
ISO copyright office
Ch. de Blandonnet 8 • CP 401
CH-1214 Vernier, Geneva, Switzerland
Tel. +41 22 749 01 11
Fax +41 22 749 09 47
copyright@iso.org
www.iso.org

Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviated terms
5 Healthcare CPs
5.1 Certificate types required for healthcare
5.2 CA certificates
5.2.1 Root CA certificates
5.2.2 Subordinate CA certificates
5.3 Cross/Bridge certificates
5.4 End entity certificates
5.4.1 Individual identity certificates
5.4.2 Organization identity certificate
5.4.3 Device identity certificate
5.4.4 Application certificate
5.4.5 AC
5.4.6 Role certificates
6 General certificate requirements
6.1 Certificate compliance
6.2 Common fields for each certificate type
6.3 Specifications for common fields
6.3.1 General
6.3.2 Signature
6.3.3 Validity
6.3.4 Subject public key information
6.3.5 Issuer name field
6.3.6 The subject name field
6.4 Requirements for each healthcare certificate type
6.4.1 Issuer fields
6.4.2 Subject fields
7 Use of certificate extensions
7.1 General
7.2 General extensions
7.2.1 authorityKeyIdentifier
7.2.2 subjectKeyIdentifier
7.2.3 keyUsage
7.2.4 privateKeyUsagePeriod
7.2.5 certificatePolicies
7.2.6 subjectAltName
7.2.7 basicConstraints
7.2.8 CRLDistributionPoints
7.2.9 ExtKeyUsage
7.2.10 Authority information access
7.2.11 Subject information access
7.3 Special subject directory attributes
7.3.1 hcRole attribute
7.3.2 subjectDirectoryAttributes
7.4 Qualified certificate statements extension
7.5 Requirements for each health industry certificate type
7.5.1 Extension fields
Annex A (informative) Certificate profile examples
Bibliography

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards
bodies (ISO member bodies). The work of preparing International Standards is normally carried out
through ISO technical committees. Each member body interested in a subject for which a technical
committee has been established has the right to be represented on that committee. International
organizations, governmental and non-governmental, in liaison with ISO, also take part in the work.
ISO collaborates closely with the International Electrotechnical Commission (IEC) on all matters of
electrotechnical standardization.
The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular the different approval criteria needed for the
different types of ISO documents should be noted. This document was drafted in accordance with the
editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights. Details of
any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents).
Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.
For an explanation on the meaning of ISO specific terms and expressions related to conformity
assessment, as well as information about ISO’s adherence to the WTO principles in the Technical
Barriers to Trade (TBT), see the following URL: Foreword — Supplementary information.
The committee responsible for this document is ISO/TC 215, Health informatics.
This second edition cancels and replaces the first edition (ISO 17090-2:2008), which has been
technically revised.
ISO 17090 consists of the following parts, under the general title Health informatics — Public Key
Infrastructure:
— Part 1: Overview of digital certificate services
— Part 2: Certificate profile
— Part 3: Policy management of certification authority
— Part 4: Digital Signatures for healthcare documents
The following document is under preparation:
— Part 5: Authentication using Healthcare PKI credentials
Annex A of this part of ISO 17090 is for information only.

Introduction
The healthcare industry is faced with the challenge of reducing costs by moving from paper-based
processes to automated electronic processes. New models of healthcare delivery are emphasizing the
need for patient information to be shared among a growing number of specialist healthcare providers
and across traditional organizational boundaries.
Healthcare information concerning individual citizens is commonly interchanged by means of electronic
mail, remote database access, electronic data interchange and other applications. The Internet provides
a highly cost-effective and accessible means of interchanging information, but is also an insecure vehicle
that demands additional measures be taken to maintain the privacy and confidentiality of information.
Threats to the security of health information through unauthorized access (either inadvertent or
deliberate) are increasing. It is essential
...
