iTeh StandardsiTeh Standards
EURUSD
Your shopping cart is empty.
ISO

ISO 15782-2:2001

(Main)

Banking — Certificate management — Part 2: Certificate extensions

Banking — Certificate management — Part 2: Certificate extensions

Banque — Gestion des certificats — Partie 2: Extensions des certificats

General Information

Status
Withdrawn
Publication Date
31-Oct-2001
Withdrawal Date
31-Oct-2001
ICS
35.240.40 - IT applications in banking
Technical Committee
ISO/TC 68/SC 2 - Financial Services, security
Drafting Committee
ISO/TC 68/SC 2/WG 8 - Public key infrastructure management for financial services
Current Stage
9599 - Withdrawal of International Standard
Start Date
09-Apr-2018
Completion Date
09-Apr-2018
Ref Project

Relations

Revised
ISO 21188:2018 - Public key infrastructure for financial services — Practices and policy framework
Effective Date
04-Nov-2015

Buy Standard

ISO 15782-2:2001 - Banking -- Certificate managementISO 15782-2:2001 - Banking -- Certificate management
PreviousNext
Standard
ISO 15782-2:2001 - Banking -- Certificate management
English language
38 pages
sale 15% off
Preview
sale 15% off
Preview

Standards Content (Sample)


INTERNATIONAL ISO
STANDARD 15782-2
First edition
2001-11-01
Banking — Certificate management —
Part 2:
Certificate extensions
Banque — Gestion des certificats —
Partie 2: Extensions des certificats

Reference number
©
ISO 2001
PDF disclaimer
This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not
be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this
file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISO Central Secretariat accepts no liability in this
area.
Adobe is a trademark of Adobe Systems Incorporated.
Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters
were optimized for printing. Every care has been taken to ensure that the file is suitable for use by ISO member bodies. In the unlikely event
that a problem relating to it is found, please inform the Central Secretariat at the address given below.

©  ISO 2001
All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic
or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body
in the country of the requester.
ISO copyright office
Case postale 56 • CH-1211 Geneva 20
Tel. + 41 22 749 01 11
Fax + 41 22 749 09 47
E-mail copyright@iso.ch
Web www.iso.ch
Printed in Switzerland
ii © ISO 2001 – All rights reserved

Contents Page
Foreword.iv
Introduction.v
1 Scope.1
2 Normative references.1
3 Terms and definitions .2
4 Abbreviations.6
5 Extensions.7
6 Key and policy information .8
6.1 Requirements.8
6.2 Certificate and CRL extensions .9
7 Certificate subject and certificate issuer attributes.14
7.1 Requirements.14
7.2 Certificate and CRL extensions .15
8 Certification path constraints.17
8.1 Requirements.17
8.2 Certificate extensions.19
8.3 Certification path processing procedure .21
9 Basic CRL extensions.24
9.1 Management requirements.24
9.2 Basic CRL and CRL entry extensions .25
10 CRL distribution points and delta-CRLs .27
10.1 Requirements.27
10.2 Certificate extensions.28
10.3 CRL and CRL entry extensions.29
10.4 Matching rules.31
Annex A (informative) Examples of the use of certification path constraints.36
Bibliography.38

Foreword
ISO (the International Organization for Standardization) is a worldwide federation of national standards bodies (ISO
member bodies). The work of preparing International Standards is normally carried out through ISO technical
committees. Each member body interested in a subject for which a technical committee has been established has
the right to be represented on that committee. International organizations, governmental and non-governmental, in
liaison with ISO, also take part in the work. ISO collaborates closely with the International Electrotechnical
Commission (IEC) on all matters of electrotechnical standardization.
International Standards are drafted in accordance with the rules given in the ISO/IEC Directives, Part 3.
Draft International Standards adopted by the technical committees are circulated to the member bodies for voting.
Publication as an International Standard requires approval by at least 75 % of the member bodies casting a vote.
Attention is drawn to the possibility that some of the elements of this part of ISO 15782 may be the subject of
patent rights. ISO shall not be held responsible for identifying any or all such patent rights.
International Standard ISO 15782-2 was prepared by Technical Committee ISO/TC 68, Banking, securities and
other financial services, Subcommittee SC 2, Security management and general banking operations.
ISO 15782 consists of the following parts, under the general title Banking — Certificate management:
— Part 1: Public key certificates
— Part 2: Certificate extensions
Annex A of this part of ISO 15782 is for information only.
iv © ISO 2001 – All rights reserved

Introduction
This part of ISO 15782 extracts and adopts selected definitions of certificate extensions from ISO 9594-8 and adds
control requirements and other information required for financial institution use.
While the techniques specified in this part of ISO 15782 are designed to maintain the integrity of financial
messages, the Standard does not guarantee that a particular implementation is secure. It is the responsibility of the
financial institution to put an overall process in place with the necessary controls to ensure that the process is
securely implemented. Furthermore, the controls should include the application of appropriate audit tests in order to
validate compliance.
The binding association between the identity of the owner of a public key and that key shall be documented in
order to prove the ownership of a public key. This binding is called a “public key certificate”. Public key certificates
are generated by a trusted third entity known as a Certification Authority (CA).
INTERNATIONAL STANDARD ISO 15782-2:2001(E)

Banking — Certificate management —
Part 2:
Certificate extensions
1 Scope
This part of ISO 15782
 extracts and adopts selected definitions of certificate extensions from ISO/IEC 9594-8;
 specifies additional requirements when certificate extensions are used by the financial services industry.
This part of ISO 15782 is to be used with financial institution standards, including ISO 15782-1.
NOTE Distinguished Encoding Rules (DER) of ASN.1 for encoding of ASN.1-defined certificate extensions are specified in
ISO/IEC 8825-1. The DER rules defined by ISO/IEC 9594-8 are incomplete and can lead to ambiguities when encoding some
values.
2 Normative references
The following normative documents contain provisions which, through reference in this text, constitute provisions of
this part of ISO 15782. For dated references, subsequent amendments to, or revisions of, any of these publications
do not apply. However, parties to agreements based on this part of ISO 15782 are encouraged to investigate the
possibility of applying the most recent editions of the normative documents indicated below. For undated
references, the latest edition of the normative document referred to applies. Members of ISO and IEC maintain
registers of currently valid International Standards.
ISO/IEC 9594-2 | ITU-T Recommendation X.501, Information technology — Open Systems Interconnection — The
Directory: Models
ISO/IEC 9594-8:1998 | ITU-T Recommendation X.509 (1997), Information technology — Open Systems
Interconnection — The Directory: Authentication framework
ISO/IEC 9834-1 | CCITT Recommendation X.660 Information technology — Open Systems Interconnection —
Procedures for the operation of OSI Registration Authorities: General procedures
ISO/IEC 10021-4 | ITU-T Recommendation X.411, Information technology — Message Handling Systems
(MHS) — Message transfer system: Abstract service definition and procedures
1)
ISO 15782-1:— , Banking — Certificate management — Part 1: Public key certificates
2)
RFC 791:1981 , Internet protocol

1) To be published.
2) Obsoletes RFC 760; obsoleted by RFC 1060.
3)
RFC 822:1982 , Standard for the format of ARPA Internet text messages
4)
RFC 1035:1987 , Domain names — Implementation and specification
RFC 1630:1994, Universal resource identifiers in WWW: A unifying syntax for the expression of names and
addresses of objects on the network as used in the world-wide web
FIPS-PUB 140-1:1993, Security requirements for cryptographic modules
3 Terms and definitions
For the purposes of this part of ISO 15782, the following terms and definitions apply.
3.1
attribute
characteristic of an entity
3.2
CA certificate
certificate whose subject is a Certification Authority (CA) and whose associated private key is used to sign
certificates
3.3
certificate
public key and identity of an entity together with some other information, rendered unforgeable by signing the
certificate information with the private key of the certifying authority that issued that public key certificate
3.4
certificate hold
suspension of the validity of a certificate
3.5
certificate policy
named set of rules that indicates the applicability of a certificate to a particular community and/or class of
application with common security requirements
EXAMPLE A particular certificate policy might indicate the applicability of a type of certificate to the authentication of
electronic data interchange transactions for the trading of goods within a given price range.
NOTE 1 The certificate policy should be used by the user of the certificate to decide whether or not to accept the binding
between the subject (of the certificate) and the public key. A subset of the components in the certificate policy framework are
given concrete values to define a certificate policy. The certificate policy is represented by a registered object identifier in the
X.509, version 3 certificate. The object owner also registers a textual description of the policy and makes it available to the
relying parties.
NOTE 2 The certificate policy object identifier can be included in the following extensions in the X.509, version 3 certificates:
certificate policies, policy mappings and policy constraints. The object identifier(s) may appear in none, some, or all of these
fields. These object identifiers may be the same (referring to the same certificate policy) or may be different (referring to different
certificate policies).
3.6
Certificate Revocation List
CRL
list of revoked certificates
3) Obsoletes RFC 733; updated by RFC 987; updated by RFC 1327.
4) Obsoletes RFC 973; obsoleted by RFC 2136; obsoleted by RFC 2137; updated by RFC 1348; updated by RFC 1995;
updated by RFC 1996; updated by RFC 2065; updated by RFC 2181; updated by RFC 2308.
2 © ISO 2001 – All rights reserved

3.7
certificate-using system
implementation of those functions defined in this part of ISO 15782 that are used by a certificate user
3.8
certification
process of creating a public key or attribute certificate for an entity
3.9
Certification Authority
CA
entity trusted by one or more entities to create assign and revoke or hold public key certificates
3.10
certification path
ordered sequence of certificates of entities which, together with the public key of the initial entity in the path, can be
processed to obtain the public key of the final entity in the path
3.11
Certification Practice Statement
CPS
statement of the practices which a certification authority e
...

Questions, Comments and Discussion

Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.

This May Also Interest You

ISO
ISO/TS 9546:2024(Main)
Guidelines for security framework of information systems of third-party payment services

This document provides guidelines for a security framework to address the implementation of security mechanisms in technical infrastructures designed for the provision of third-party payment (TPP) services in order to achieve the security objectives defined in ISO 23195. The security framework is intended to protect critical systems and objects within the TPP system environment, either under the direct control of the third-party payment service provider (TPPSP) or by another entity (e.g. a bank). This document is applicable to the provision of any TPP service, including: — the TPP logical structural model; — the definition of the security framework; — the design principles, responsibilities and functional recommendations to support the security mechanism; — guidelines for applying the security framework defined in this document.

  • Technical specification
    24 pages
    English language
    sale 15% off
ISO
ISO 13491-1:2024(Main)
Financial services — Secure cryptographic devices (retail) — Part 1: Concepts and requirements

This document specifies the security characteristics for secure cryptographic devices (SCDs) based on the cryptographic processes defined in the ISO 9564 series, ISO 16609 and ISO 11568. This document states the security characteristics concerning both the operational characteristics of SCDs and the management of such devices throughout all stages of their life cycle. This document does not address issues arising from the denial of service of an SCD. This document does not address software services that use multi-party computation (MPC) to achieve some security objectives and, relying on these, offer cryptographic services. NOTE These are sometimes called “soft” or software hardware security modules (HSMs) in common language, which is misleading and does not correspond to the definition of HSM in this document.

  • Standard
    27 pages
    English language
    sale 15% off
ISO
ISO 5201:2024(Main)
Financial services — Code-scanning payment security

This document provides an overview, risk assessment, minimum security requirements and extended security guidelines for code-scanning payment in which the payer uses a mobile device to operate the payment transaction. This document is applicable to cases where the payment code is used to initiate a mobile payment and presented by either the payer or the payee. The following is excluded from the scope of this document: — details of payer and payee onboarding; — details of the supporting payment infrastructure, as described in 5.1.

  • Standard
    30 pages
    English language
    sale 15% off
ISO
ISO/TS 23526:2023(Main)
Security aspects for digital currencies

This document specifies an acceptable security framework for the issuance and management of digital currencies using cryptographic mechanisms standardized by ISO/TC 68/SC 2 and other references. This document proposes a framework approach based on standards for mitigating vulnerabilities for digital currency systems. The objective is that security aspects are integrated by design and not added afterwards as an extra processing layer that needs to accommodate legacy infrastructures.

  • Technical specification
    14 pages
    English language
    sale 15% off
ISO
ISO/TR 24374:2023(Main)
Financial services — Security information for PKI in blockchain and DLT implementations

This document describes the management of cryptographic keys in a blockchain, or distributed system used in the financial sector The objective of this document is to consider the impact of different types of key management processes that are required for PKI implementations in Blockchain and DLT projects

  • Technical report
    18 pages
    English language
    sale 15% off
ISO
ISO 19092:2023(Main)
Financial services — Biometrics — Security framework

This document specifies the security framework for using biometrics for authentication of customers in financial services, focusing exclusively on retail payments. It introduces the most common types of biometric technologies and addresses issues concerning their application. This document also describes representative architectures for the implementation of biometric authentication and associated minimum control objectives. The following are within the scope of this document: — use of biometrics for the purpose of: — verification of a claimed identity; — identification of an individual; — biometric authentication threats, vulnerabilities and controls; — validation of credentials presented at enrolment to support authentication; — management of biometric information across its life cycle, comprising enrolment, transmission and storage, verification, identification and termination processes; — security requirements for hardware used in conjunction with biometric capture and biometric data processing; — biometric authentication architectures and associated security requirements. The following are not within the scope of this document: — detailed specifications for data collection, feature extraction and comparison of biometric data and the biometric decision-making process; — use of biometric technology for non-financial transaction applications, such as physical or logical system access control.

  • Standard
    65 pages
    English language
    sale 15% off
ISO
ISO 11568:2023(Main)
Financial services — Key management (retail)

This document describes the management of symmetric and asymmetric cryptographic keys that can be used to protect sensitive information in financial services related to retail payments. The document covers all aspects of retail financial services, including connections between a card-accepting device and an Acquirer, between an Acquirer and a card Issuer, and between an ICC and a card-accepting device. It covers all phases of the key life cycle, including the generation, distribution, utilization, archiving, replacement and destruction of the keying material. This document covers manual and automated management of keying material, and any combination thereof, used for retail financial services. It includes guidance and requirements related to key separation, substitution prevention, identification, synchronization, integrity, confidentiality and compromise, as well as logging and auditing of key management events. Requirements associated with hardware used to manage keys have also been included in this document.

  • Standard
    115 pages
    English language
    sale 15% off
ISO
ISO 13491-2:2023(Main)
Financial services — Secure cryptographic devices (retail) — Part 2: Security compliance checklists for devices used in financial transactions

This document specifies checklists to be used to evaluate secure cryptographic devices (SCDs) incorporating cryptographic processes as specified in ISO 9564‑1, ISO 9564‑2, ISO 16609, and ISO 11568 in the financial services environment. Integrated circuit (IC) payment cards are subject to the requirements identified in this document up until the time of issue, after which they are to be regarded as a “personal” device and outside of the scope of this document.

  • Standard
    39 pages
    English language
    sale 15% off
ISO
ISO 16609:2022(Main)
Financial services — Requirements for message authentication using symmetric techniques

This document specifies procedures, independent of the transmission process, for protecting the integrity of transmitted financial-service-related messages and for verifying that a message has originated from an authorized source, or that stored data has retained integrity. A list of block ciphers approved for the calculation of a message authentication code (MAC) is also provided. The authentication methods defined in this document are applicable to stored data and to messages formatted and transmitted both as coded character sets or as binary data. This document is designed for use with symmetric algorithms where both sender and receiver use the same key. It does not specify methods for establishing the shared key. Its application will not protect the user against internal fraud perpetrated by the sender or the receiver, nor against forgery of a MAC by the receiver.

  • Standard
    13 pages
    English language
    sale 15% off
ISO
ISO 23195:2021(Main)
Security objectives of information systems of third-party payment services

This document defines a common terminology to be used in the context of third-party payment (TPP). Next, it establishes two logical structural models in which the assets to be protected are clarified. Finally, it specifies security objectives based on the analysis of the logical structural models and the interaction of the assets affected by threats, organizational security policies and assumptions. These security objectives are set out in order to counter the threats resulting from the intermediary nature of TPPSPs offering payment services compared with simpler payment models where the payer and the payee directly interact with their respective account servicing payment service provider (ASPSP). This document assumes that TPP-centric payments rely on the use of TPPSP credentials and the corresponding certified processes for issuance, distribution and renewal purposes. However, security objectives for such processes are out of the scope of this document. NOTE This document is based on the methodology specified in the ISO/IEC 15408 series. Therefore, the security matters that do not belong to the TOE are dealt with as assumptions, such as the security required by an information system that provides TPP services and the security of communication channels between the entities participating in a TPP business.

  • Standard
    40 pages
    English language
    sale 15% off
  • Standard
    40 pages
    English language
    sale 15% off