
BS ISO 21188:2018

$215.11

Public key infrastructure for financial services. Practices and policy framework

Published by: BSI
Publication date: 2018
Number of pages: 120


This document sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. While this document addresses the generation of public key certificates that might be used for digital signatures or key establishment, it does not address authentication methods, non-repudiation requirements or key management protocols.

This document draws a distinction between PKI systems used in closed, open and contractual environments. It further defines the operational practices relative to financial-services-industry-accepted information systems control objectives. This document is intended to help implementers to define PKI practices that can support multiple certificate policies that include the use of digital signature, remote authentication, key exchange and data encryption.

This document facilitates the implementation of operational, baseline PKI control practices that satisfy the requirements of the financial services industry in a contractual environment. While the focus of this document is on the contractual environment, its application to other environments is not specifically precluded. For the purposes of this document, the term “certificate” refers to public key certificates. Attribute certificates are outside the scope of this document.

This document is targeted at several audiences with different needs, so each audience will use it with a different focus.

Business managers and analysts are those who require information regarding using PKI technology in their evolving businesses (e.g. electronic commerce); see Clauses 1 to 6.

Technical designers and implementers are those who are writing their certificate policies and certification practice statement(s); see Clauses 6 to 7 and Annexes A to G.

Operational management and auditors are those who are responsible for day-to-day operations of the PKI and validating compliance to this document; see Clauses 6 to 7.

PDF Catalog

PDF page, followed by clause or section title
2 National foreword
7 Foreword
9 Introduction
11 1 Scope
2 Normative references
12 3 Terms and definitions
18 4 Abbreviated terms
19 5 Public key infrastructure (PKI)
5.1 General
20 5.2 What is PKI?
5.2.1 General
21 5.2.2 Public key infrastructure process flow
5.3 Business requirement impact on PKI environment
5.3.1 General
5.3.2 Illustration of certificate application in a closed environment
22 5.3.3 Illustration of certificate application in a contractual PKI environment
23 5.3.4 Illustration of certificate application in an open environment
25 5.4 Certification authority (CA)
26 5.5 Business perspectives
5.5.1 General
5.5.2 Business risks
5.5.3 Applicability
5.5.4 Legal issues
5.5.5 Regulatory issues
5.5.6 Business usage issues
27 5.5.7 Interoperability issues
28 5.5.8 Audit journal requirements
29 5.6 Certificate policy (CP)
5.6.1 General
5.6.2 Certificate policy usage
30 5.6.3 Certificate policies within a hierarchy of trust
31 5.6.4 Certificate status
5.7 Certification practice statement (CPS)
5.7.1 General
5.7.2 Authority
32 5.7.3 Purpose
5.7.4 Level of specificity
5.7.5 Approach
5.7.6 Audience and access
5.8 Agreements
33 5.9 Time-stamping
34 5.10 Trust models
5.10.1 Trust model considerations
35 5.10.2 Wildcard considerations
5.10.3 Relying party considerations
36 6 Certificate policy and certification practice statement requirements
6.1 Certificate policy (CP)
38 6.2 Certification practice statement (CPS)
7 Certification authority control procedures
7.1 General
39 7.2 CA environmental controls
7.2.1 Certification practice statement and certificate policy management
40 7.2.2 Security management
41 7.2.3 Asset classification and management
42 7.2.4 Personnel security
43 7.2.5 Physical and environmental security
44 7.2.6 Operations management
45 7.2.7 System access management
47 7.2.8 Systems development and maintenance
7.2.9 Business continuity management
49 7.2.10 Monitoring and compliance
7.2.11 Audit logging
53 7.3 CA key life cycle management controls
7.3.1 CA key generation
54 7.3.2 CA key storage, back-up and recovery
55 7.3.3 CA public key distribution
56 7.3.4 CA key usage
7.3.5 CA key archival and destruction
57 7.3.6 CA key compromise
58 7.4 Subject key life cycle management controls
7.4.1 CA-provided subject key generation services (if supported)
7.4.2 CA-provided subject key storage and recovery services (if supported)
59 7.4.3 Integrated circuit card (ICC) life cycle management (if supported)
61 7.4.4 Requirements for subject key management
62 7.5 Certificate life cycle management controls
7.5.1 Subject registration
63 7.5.2 Certificate renewal (if supported)
64 7.5.3 Certificate rekey
7.5.4 Certificate issuance
65 7.5.5 Certificate distribution
66 7.5.6 Certificate revocation
7.5.7 Certificate suspension (if supported)
67 7.5.8 Certificate validation services
68 7.6 Controlled CA termination
69 7.7 CA certificate life cycle management controls — subordinate CA certificate
71 Annex A (informative) Management by certificate policy
80 Annex B (informative) Elements of a certification practice statement
95 Annex C (informative) Object identifiers (OID)
97 Annex D (informative) CA key generation ceremony
101 Annex E (informative) Mapping of RFC 2527 to RFC 3647
102 Annex F (normative) Certification authority audit journal contents and use
105 Annex G (informative) Alternative trust models
117 Bibliography