ISO 21188:2018
Public key infrastructure for financial services — Practices and policy framework
ISO 21188:2018 sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. While this document addresses the generation of public key certificates that might be used for digital signatures or key establishment, it does not address authentication methods, non-repudiation requirements or key management protocols.

ISO 21188:2018 draws a distinction between PKI systems used in closed, open and contractual environments. It further defines the operational practices relative to financial-services-industry-accepted information systems control objectives. This document is intended to help implementers define PKI practices that can support multiple certificate policies, including the use of digital signature, remote authentication, key exchange and data encryption. ISO 21188:2018 facilitates the implementation of operational, baseline PKI control practices that satisfy the requirements of the financial services industry in a contractual environment. While the focus of this document is on the contractual environment, application of this document to other environments is not specifically precluded.

For the purposes of this document, the term "certificate" refers to public key certificates. Attribute certificates are outside the scope of this document.

ISO 21188:2018 is targeted at several audiences with different needs, and therefore the use of this document will have a different focus for each. Business managers and analysts are those who require information regarding the use of PKI technology in their evolving businesses (e.g. electronic commerce); see Clauses 1 to 6. Technical designers and implementers are those who are writing their certificate policies and certification practice statement(s); see Clauses 6 to 7 and Annexes A to G. Operational management and auditors are those who are responsible for day-to-day operations of the PKI and for validating compliance with this document; see Clauses 6 to 7.
Infrastructure de clé publique pour services financiers — Pratique et cadre politique
Standards Content (Sample)
INTERNATIONAL STANDARD ISO 21188
Second edition 2018-04
Public key infrastructure for financial services — Practices and policy framework
Infrastructure de clé publique pour services financiers — Pratique et cadre politique
Reference number
© ISO 2018
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Fax: +41 22 749 09 47
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
Contents (page)
Foreword ... v
Introduction ... vii
1 Scope ... 1
2 Normative references ... 1
3 Terms and definitions ... 2
4 Abbreviated terms ... 8
5 Public key infrastructure (PKI) ... 9
5.1 General ... 9
5.2 What is PKI? ... 10
5.2.1 General ... 10
5.2.2 Public key infrastructure process flow ... 11
5.3 Business requirement impact on PKI environment ... 11
5.3.1 General ... 11
5.3.2 Illustration of certificate application in a closed environment ... 11
5.3.3 Illustration of certificate application in a contractual PKI environment ... 12
5.3.4 Illustration of certificate application in an open environment ... 13
5.4 Certification authority (CA) ... 14
5.5 Business perspectives ... 15
5.5.1 General ... 15
5.5.2 Business risks ... 16
5.5.3 Applicability ... 16
5.5.4 Legal issues ... 16
5.5.5 Regulatory issues ... 16
5.5.6 Business usage issues ... 16
5.5.7 Interoperability issues ... 16
5.5.8 Audit journal requirements ... 18
5.6 Certificate policy (CP) ... 18
5.6.1 General ... 18
5.6.2 Certificate policy usage ... 19
5.6.3 Certificate policies within a hierarchy of trust ... 19
5.6.4 Certificate status ... 20
5.7 Certification practice statement (CPS) ... 21
5.7.1 General ... 21
5.7.2 Authority ... 21
5.7.3 Purpose ... 21
5.7.4 Level of specificity ... 22
5.7.5 Approach ... 22
5.7.6 Audience and access ... 22
5.8 Agreements ... 22
5.9 Time-stamping ... 23
5.10 Trust models ... 24
5.10.1 Trust model considerations ... 24
5.10.2 Wildcard considerations ... 25
5.10.3 Relying party considerations ... 25
6 Certificate policy and certification practice statement requirements ... 26
6.1 Certificate policy (CP) ... 26
6.2 Certification practice statement (CPS) ... 28
7 Certification authority control procedures ... 28
7.1 General ... 28
7.2 CA environmental controls ... 29
7.2.1 Certification practice statement and certificate policy management ... 29
7.2.2 Security management ... 30
7.2.3 Asset classification and management ... 31
7.2.4 Personnel security ... 31
7.2.5 Physical and environmental security ... 33
7.2.6 Operations management ... 34
7.2.7 System access management ... 35
7.2.8 Systems development and maintenance ... 37
7.2.9 Business continuity management ... 37
7.2.10 Monitoring and compliance ... 38
7.2.11 Audit logging ... 39
7.3 CA key life cycle management controls ... 42
7.3.1 CA key generation ... 42
7.3.2 CA key storage, back-up and recovery ... 43
7.3.3 CA public key distribution ... 45
7.3.4 CA key usage ... 45
7.3.5 CA key archival and destruction ... 46
7.3.6 CA key compromise ... 46
7.4 Subject key life cycle management controls ... 47
7.4.1 CA-provided subject key generation services (if supported) ... 47
7.4.2 CA-provided subject key storage and recovery services (if supported) ... 48
7.4.3 Integrated circuit card (ICC) life cycle management (if supported) ... 49
7.4.4 Requirements for subject key management ... 50
7.5 Certificate life cycle management controls ... 51
7.5.1 Subject registration ... 51
7.5.2 Certificate renewal (if supported) ... 53
7.5.3 Certificate rekey ... 54
7.5.4 Certificate issuance ... 54
7.5.5 Certificate distribution ...
...