1 pki systems concepts, processes, components tÜrktrust information security services inc. mert...
Post on 26-Dec-2015
222 Views
Preview:
TRANSCRIPT
1
PKI SYSTEMS
Concepts, Processes, Components
TÜRKTRUST Information Security Services Inc.
Mert ÖZARARProject Senior Engineer
mert.ozarar@turktrust.com.tr
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 2
AgendaCertification Authority (CA) / Certification Service Provider (CSP)Electronic Signature and Legal ValidityElectronic CertificatePKI Functions and TechnologyPKI Components and Business ModelsTrust Models and PKI ArchitecturesCertificate Life Cycle – Certificate Application, Registration, Issuance, Dissemination, Renewal, Rekey, Suspension and Revocation Processes
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 3
Certification Authority (CA)Certification Service Provider (CSP)
Certification Authority: Authority trusted by one or more users to create and assign certificates (ITU-T Recommendation X.509) – definition of “ETSI TS 101 456 – Policy requirements for certification authorities issuing qualified certificates”‘Certification-service-provider’ means an entity or a legal or natural person who issues certificates or provides other services related to electronic signatures – definiton of “EU Directive 1999/93/EC on a Community framework for electronic signatures”
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 4
Electronic CertificateService Provider (ECSP)Article 8 (Turkish Electronic Signature Law no. 5070)Electronic certificate service providers shall be public entities and establishments and natural persons or private law legal entities that provide electronic certificates, time-stamping and other services related to electronic signatures
Related servicesManagement of electronic certificate application, generation, dissemination, revocation and renewal processesCertificate status information services (CRL/OCSP)Keeping the records for certification operationsTime stamping services
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 5
Electronic CertificateService Provider (ECSP)
It is indispensable for an ECSP to own the following principles in order to be able to maintain its processes appropriately:
Trust and reliabilityCapability and expertiseStability and continuityImpartialityTechnical and physical infrastructureQuality focused customer services
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 6
“Electronic Signature” Definition
EU Directive 1999/93/EC‘electronic signature’ means data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication;
(also ETSI TS 101 456 definition)
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 7
“Advanced Electronic Signature” Definition
EU Directive 1999/93/EC‘Advanced electronic signature’ means an electronic signature which meets the following requirements:
(a) it is uniquely linked to the signatory;(b) it is capable of identifying the signatory;(c) it is created using means that the signatory can
maintain under his sole control; and(d) it is linked to the data to which it relates in such
amanner that any subsequent change of the data isdetectable.
(also ETSI TS 101 456 definition)
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 8
“Qualified Electronic Signature” Definition
EU Directive 1999/93/ECQualified Electronic Signature: Advanced electronic signature which is based on a qualified certificate and which is created by a secure-signature-creation device.
(also ETSI TS 101 456 definition)
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 9
Electronic Signature in Turkish Legislation
Turkish Electronic Signature Law (No. 5070) has been put into effect on July 23, 2005.Regulations have been published by Turkish Telecommunications Authority on January 6, 2005.
Electronic Signature Law (no.5070) – TURKEY
Article 3.b – Electronic Signature
Data in electronic form that are attached to other electronic data or logically linked to that electronic data and used for authentication.
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 10
Secure Electronic Signature
a) is exclusively assigned to the owner of signature
b) is generated with the secure electronic signature creation device which is kept under sole control of the signature owner
c) enables the identification of the signature owner based on the qualified electronic certificate
d) enables to detect whether signed electronic data is altered or not subsequently
Article 4 – Secure Electronic Signature (Law no. 5070)
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 11
Legal Validity of Secure Electronic SignatureEU Directive 1999/93/EC
Member States shall ensure that advanced electronic signatures which are based on a qualified certificate and which are created by a secure-signature-creation device:
(a) satisfy the legal requirements of a signature in relation to data in electronic form in the same manner as a handwritten signature satisfies those requirements in relation to paper-based data; and
(b) are admissible as evidence in legal proceedings.
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 12
Legal Validity of Secure Electronic Signature
Article 5. (Law no. 5070)
Secure electronic signature shall have the same legal effect with that of handwritten signature.
Secure electronic signature shall not be applicable to legal proceedings subject to a special procedure or an official form pursuant to laws and warranty contracts.
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 13
“Certificate” DefinitionEU Directive 1999/93/EC
‘Certificate’ means an electronic attestation which links signature-verification data to a person and confirms the identity of that person.
ETSI TS 101 456Certificate: Public key of a user, together with some other information, rendered un-forgeable by encipherment with the private key of the certification authority which issued it (see ITU-T Recommendation X.509).
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 14
X.509 Identitiy Certificates1988: ITU-T X.509 version 1 (v1) certificates1993: ITU-T X.509 version 2 (v2) certificates1996: ITU-T X.509 version 3 (v3) certificates
More fields were needed to carry information. The v3 format extends the v2 format by adding provision for additional extension fields. (IETF RFC 3280 – Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile)
Current use X.509 v3 certificate format X.509 v2 CRL format
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 15
“Qualified Certificate” Profile
IETF RFC 3739 – Internet X.509 Public Key Infrastructure Qualified Certificates Profile
It is based on [X.509] and [RFC 3280], which defines underlying certificate formats and semantics needed for a full implementation of this standard.This profile includes specific mechanisms intended for use with Qualified Certificates.
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 16
“Qualified Certificate” ProfileETSI TS 101 862 – Qualified Certificate Profile
The following statements are defined in the document:
Statement claiming that the certificate is issued as a Qualified Certificate;Statement regarding limits on the value of transactions for which the certificate can be used;Statement indicating the duration of the retention period during which registration information is archived;Statement claiming that the private key associated with the public key in the certificate resides within a Secure Signature Creation Device.
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 17
Electronic Certificate
Article 3.i – Electronic CertificateElectronic data binding the signature verification data of the signature owner to identity data of that person
Name Surname
X.509
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 18
Qualified Electronic Certificate
Certificate serial numberIssuer and country information A statement identifying the certificate as qualifiedCertificate owner’s identification informationProof of authority to act on behalf of someone else Occupation informationCertificate usage conditionsCertificate validity period
Qualified Electronic Certificate
Signature Verification
Data(Public Key)
ECSP’s Electronic Signature
Article 9 (Law no.
5070)
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 19
Common Certificate Types
Qualified Electronic Certificates (QEC)SSL Server CertificatesObject Signing CertificatesSecurity Certificates / Simple Electronic Certificates
Root Certificates
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 20
Why Electronic Signature?Electronic signature allows secure transactions through electronic media in the following applications while enabling time, money and human resources savings.
Electronic correspondence and agreements Legal processesFinancial and banking applications Electronic transactions with governmental bodiesInsurance applicationsBusiness processes running on ERP or document management applicationsE-government, e-commerce, e-business applications
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 21
Identity FraudIdentity Fraud ((IdentityIdentity))
Eavesdropping Eavesdropping ((ConfidentialityConfidentiality))
InternetInternet
Barış Ayşe
Bora
ModificationModification((IntegrityIntegrity))
InternetInternet
AyşeBarış
Bora
BankInternetInternet
Barış
InternetInternet
AyşeBarış
Bora
Send 10.000 USD to my account!
Payment should be
done!
I will receive the payment
soon!
Bora
Where is the payment?
?!?
I didn’t withdraw the money!
Send 100.000 USD!
Barış (Bora): Send the payment to this account.
What is going on?
People can repudiate People can repudiate ((Non-repudiationNon-repudiation))
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 22
Basic PKI Functions
Confidentiality
IdentityIntegrityNon-repudiation
E-signature
Encryption
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 23
Key Pair
Article 3.d – Signature Creation Data (Law no. 5070)Unique data such as password and cryptographic keys belonging to signature owners and being used by signature owner in order to create electronic signatures
Article 3.f – Signature Verification Data (Law no. 5070) Data such as passwords and cryptographic public keys used for the verification of electronic signatures
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 24
Hashing AlgorithmsHashing Algorithms
Always downsizes the message to a fixed length hash valueThe message could not be regenerated using the hash valueNo two different messages have the same hash value
Hallo
F&r
Hello
$½HASH
Output
Inp
ut
Inp
ut Output
SHA-1, SHA-2, MD5
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 25
E-Signature Technique
?= Y Sign
?=NSign X
Hello
=?
;+?(^!’;+?(^!’
RSA
;+?(^!’Output
Input
$½
$½
$½
RSA
Input
Input
InputHello
Output
SHA-1SHA-1
Signature creation
device
Signature verificatio
n device
Signature creation
data
Signature verificatio
n data
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 26
Secure Electronic SignatureCreation Devices
a) Electronic signature creation data produced by those devices are unique
b) Electronic signature creation data recorded in those devices cannot be derived in any means and their secrecy is assured
c) Electronic signature creation data recorded in those devices can not be obtained or used by third parties and electronic signatures are protected against forgery
d) The data to be signed can not be altered by anyone except the signature owner and can be seen by the signature owner before the generation of signature
Article 6 (Law no. 5070)
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 27
Secure Electronic SignatureCreation Devices
According to technical and legal requirements, secure electronic signature creation devices are selected as smart cards and tokens that possess specific security standards (EAL4+).
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 28
Administrative Security
Which key pair belongs to whomKey pair generationTrue identification
Declaration of someone’s possession of the public key (signature verification data) by a trusted third party
Electronic certificate Electronic Certificate Service Provider –
ECSP (Certification Authority – CA)
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 29
Repository of an ECSPEnd user certificates issued by the ECSPCertificate Revocation Lists (CRL)Root certificates of the ECSPCertificate Policy (CP)Certification Practice Statement (CPS)Time Stamping PoliciesTime Stamping Practice Statement Agreements (subscriber, relying party, etc.)
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 30
PKI ComponentsPKI components are the elements that comprise a public key infrastructure, including entities (such as CAs and RAs) and individuals (such as subscribers and relying parties) participating within the system, technologies (such as algorithms and key generation software), processes (such as key management procedures and directives), records (such as digital certificates, operational logs), and policy instruments (such as CPs, CPSs and agreements).
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 31
• Laws• Ordinances• Communiques• Decrees
• Subscribers• Relying Parties
COURTS REGULATORY BODY
PEOPLE / ORGANIZATIONS
LEGISLATION
CERTIFICATION SERVICE PROVIDERS
S o f t w a r e a n d H a r d w a r e P r o d u c t s
TECHNOLOGY
AGREEMENT
ASDLFKJSDLKFSDFKJSDLKJFSLDKJFSDKFJSLDFSDLFSKDFHSKDFHSDKFHSKDJFHSDK IUTYITYTIYIYIYIYIYTIYITYITYRITYIUTYIETYEIRTYT
POLICY DOCUMENTS AND AGREEMENTS
• CP and CPS• Subscriber Agreements
Certificate Revocation Lists
PROCESSES
• Key Management• Certificate Issuance• Certificate Revocation• Other Records
Name
Title
CERTIFICATE
MECHANISMS
• Digitial Signature• Encryption• Messaging
CRYPTOGRAPHIC ALGORITHMS• Single Key Methods• Public Key Methods• Hashing Methods
3$½{2STANDARDS
• ISO• ITU• ANSI• RSA Labs• NIST• ETSI
PKI COMPONENTS
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 32
PKI Business ModelsOrganizational (Closed) PKI Models
The ECSP itself is the relying partyThe relying party can outsource the PKI services to third parties for issuing certificates for the subscribers on its behalfProvides offering PKI services and certificates to the personnel, clients, suppliers, etc. of organizations. The PKI service provider forms a legal bond via a contract with the users and the relying parties of the system.
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 33
PKI Business ModelsPublic (Open) PKI Models
More than one ECSPOpen to public usage for general purposesECSPs stand as a trusted third party against the subscribers (certificate users) and relying partiesLegislation guarantees the service quality of the ECSPs and protects the subscribers and relying parties
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 34
Trust Models and PKI Architectures
HierarchyA central Certification Authority recognises each CARelying parties just trust the central CA
MeshCAs directly recognise each otherEach relying party just trusts its own CA that in turn trusts the remote CA
Web / trust model A repository of trusted Certification AuthoritiesEach relying party trusts all distributed certificates of the list
Bridge infrastructureA central technical infrastructure cross-recognises each concerned CAEach relying party just trusts its own CA that trusts the bridge that in turn trusts the remote CA
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 35
Hierarchical PKI Architecture
Central CA
Issuing CAs
End entity certificates
CA-1 CA-2 CA-3
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 36
Mesh PKI Architecture
CA-1
CA-2
CA-3
CA-3
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 37
Web / Trust PKI Architecture
CA-1 CA-2 CA-3
List of Trusted CAs
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 38
Bridge PKI Architecture
CA-1 CA-2 CA-3
CA-a
CA-b
CA-c
Hierarchical PKI Architecture
Mesh PKI Architecture
Bridge
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 39
Certificate Life CycleCertificate application and registration
Certificate issuance, delivery and dissemination
Certificate renewal and rekey
Certificate revocation and suspension
Certificate status services
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 40
Certificate Application and Registration Process
Registration Authority (RA)
ECSPCertificate content information
•Certificate application form •Subscriber agreement•Legal documents•First controls
Application documents
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 41
Critical Issues about Application and Registration
People who wish to obtain qualified electronic certificates or other personal certificates can apply personallyCompanies that wish to obtain certificates on behalf of their employees can file applications provided that personal application documents existServer administrators or authorized representatives may apply for server certificatesPersonal or organizational identity validation should be done appropriately by the ECSPApplication documents should be collected by the ECSP and the applicant should be registered accordingly
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 42
Certificate Issuance, Delivery and Dissemination Process
DirectoryServer (LDAP)
ECSP Policies/Certificate Profiles•Distinguished name (DN) content•Validity period•Key length•Usage constraints
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 43
Critical Issues about Generation and Dissemination
Certificate generation is done under appropriate security proceduresSuitable certificate profiles are used according to the applicant’s certificate requestSmart cards or tokens that contain the generated certificates and the signature creation data are prepared for delivery under strict security conditionsSmart cards, tokens and the access codes are sent to the subscriber separately and delivered by identity validationCertificates are published for public access if the subscriber has given written consent
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 44
Certificate Renewal and Rekey Processes
Registration Authority (RA)ECSP
Controls
Renewal request
ControlsUser authentication and renewal application(digitally signed)
Renewal or Rekey
Operations
Renewal request
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 45
Critical Issues about Renewal and Rekey
Certificates can be renewed before the end of their expiry dateCertificates are not renewed beyond 3 (three) years with the same key pairProper identity checks are done during renewal and rekeyIf certificate content changes, the certificate can not be renewed but it can only be rekeyed with new personal information
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 46
Certificate Revocation and Suspension Processes
ECSP
User authenticationCertificate information (content, serial no)Revocation/Suspension reasonRevocation/Suspension date and time
CRL
DirectoryServer
OCSPResponder
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 47
Critical Issues about Suspension and Revocation
Circumstances for revocation:Upon request by the subscriberInformation within the certificate is false or incorrect,A change occurs in the information regarding the subject included in a certificate’s contentIt is learned that the subject’s legal capacity is restricted, or the subject is bankrupt or lost in danger of death, or died,The private key has been lost, stolen, disclosed or a risk of access or use by a third party arises,The secure electronic signature creation device in which the private key is located has been lost, broken down or compromised,It is understood that the certificate has been used in contradiction to the provisions of the CP and CPS documents and the Subscriber’s Agreement,ECSP suspends provision of certification services.
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 48
Critical Issues about Suspension and Revocation
Circumstances for suspension:
Where the source of a certificate revocation request could not be verified, ECSP shall suspend, rather than revoke, the certificate in question until the verification is finalized, or upon a request where the end user is unsure whether any circumstance that requires revocation does exist.
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 49
Critical Issues about Suspension and Revocation
Who can request revocation or suspension?
The subject himself, for personal certificates,The server administrator, for server certificates,An authorized person of a company or an institution to which the subject or server is associated, for certificates in organizational use,ECSP’s authorized personnel for end user certificates and root and subroot certificates where security concerns with respect to the ECSP necessitate.
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 50
Critical Issues about Suspension and Revocation
The certificate owner (subscriber):during the course of certificate registration process or until the end of the certificate life time, shall notify the ECSP as soon as possible to ensure that the certificate is revoked for the changes of any kind in his/her personal information that is contained in the certificate itselfin cases where there is a risk of usage by other person or persons of the signature creation device or the data required for accessing the device or even the conditions which may bring about such a risk emerge, shall immediately notify the ECSP in order the certificate to be revoked
(from the “TURKTRUST Letter Of Commitment by the Qualified Certificate Owner – Subscriber Agreement”)
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 51
Critical Issues about Suspension and Revocation
The ECSP should immediately resolve all certificate revocation requests transmitted over the web, by telephone or on paper, following the approval of the request and authentication of the request.
Relying parties are under obligation to verify the related certificate to rely on an electronic signature transmitted. To verify a certificate’s status, updated CRLs published by the ECSP or the on-line certificate status inquiry service OCSP should be used. It is recommended that relying parties should use secure signature verification devices when verifying electronic signatures
The duration of suspension may not exceed a certain period. Those still in suspension at the end of this period shall be automatically revoked for security reasons
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 52
Certificate Status Services
Certificate controls during e-signature verification
Certificate validity periodSignature of the issuing ECSPStatus of the certificate (whether revoked or not)Usage constraints
CRL
DirectoryServer
OCSPResponder
Relying partySubscriber
(Certificate user) ECSP
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 53
Critical Issues about Certificate Status Services
ECSPs should issue a new CRL periodically even if there is no change in the status of current certificates. Generally, the CRLs are published daily.
ECSPs have to provide uninterrupted on-line certificate status protocol OCSP support. By the real time certificate status inquiry that is more reliable than CRLs, customers may inquire the status of certificates online and get immediate status response by using appropriate software on the customer side.
It is recommended that relying parties when inquiring the status of certificates should prefer OCSP if their technical capabilities allow and opt for CRL as a second alternative.
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 54
Directory ServicesA directory service is a software application that makes resources on a network accessible to users and other applicationsAlmost all directory services are based on the X.500 ITU standardUsually more than one namespace (trees of objects) are used to form the directory serviceA directory service is highly optimized for reads and provides advanced search possibilities on many different attributes that can be associated with objects in a directory
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 55
Directory Service Application Protocol
Common directory services used by ECSPs enablingeffective certificate search utilize
Lightweight Directory Access Protocol (LDAP) Based on X.500 standardSupports TCP/IPAn open protocolIETF RFC 4510 specifies LDAPv3The Lightweight Directory Access Protocol (LDAP) is an Internet protocol for accessing distributed directory services that act in accordance with X.500 data and service models
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 56
BibliographyCWA 14167-1 – Security Requirements for Trustworthy Systems Managing Certificates for Electronic Signatures - Part 1: System Security Requirements (June 2003)CWA 14169 – Secure Signature-Creation Devices "EAL 4+“ (March 2002)Digitial Signature Law Survey (https://dsls.rechten.uvt.nl)ETSI TS 101 456 – Policy requirements for certification authorities issuing qualified certificates (April 2002)ETSI TS 101 733 – Electronic Signatures and Infrastructures (ESI); Electronic Signature Formats (December 2003)ETSI TS 101 862 – Qualified Certificate Profile (January 2006)EU Directive 1999/93/EC on a Community framework for electronic signatures (December 1999)FIPS PUB 140-2 – Security Requirements for Cryptographic Modules (March 2002) (Supercedes FIPS PUB 140-1, January 1994)IETF RFC 2634 – Enhanced Security Services for S/MIME (June 1999)IETF RFC 3161 – Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) (August 2001)IETF RFC 3280 – Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (April 2002)IETF RFC 3369 – Cryptographic Message Syntax (CMS) (August 2002)IETF RFC 3647 – Internet X.509 Public Key Infrastructure Certificate Policy and Certification Practices Framework (November 2003)IETF RFC 3739 – Internet X.509 Public Key Infrastructure Qualified Certificates Profile (March 2004)IETF RFC 4510 – Lightweight Directory Access Protocol (LDAP): Technical Specification Road Map (June 2006)
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 57
BibliographyISO 15408 Part 1 – Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model (October 2005)ISO 15408 Part 2 – Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional requirements (October 2005)ISO 15408 Part 3 – Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance requirements (October 2005)ISO/IEC 27001:2005 – Information technology – Security techniques – Information security management systems – Requirements (former BS 7799-2:2002 – Information security management systems — Specification with guidance for use)ISO/IEC 27002:2005 – Information technology – Security techniques – Code of practice for information security management (former ISO/IEC 17799:2005 – Information technology — Security techniques — Code of practice for information security management)ISO/IEC 17025, EN 45001 – General requirements for the competence of testing and calibration laboratoriesISO/IEC Guide 62, EN 45012 – General requirements for bodies operating assessment and certification/registration of quality systemsISO/IEC Guide 65, EN 45011 – General requirements for bodies operating product certification systems
© 2005-2008 TÜRKTRUST Information Security Services Inc. All Rights Reserved. 58
BibliographyITU-T Recommendation X.500 – Information technology - Open Systems Interconnection - The Directory: Overview of concepts, models and servicesITU-T Recommendation X.509 – Information technology - Open systems interconnection - The directory: Authentication frameworkEuropean Electronic Signature Standardisation Initiative (EESSI) – Final Report of the EESSI Expert Team (July 1999)PKI Assessement Guidelines – American Bar Association – Guidelines to Help Assess and Facilitate Interoperable Trustworthy Public Key Infrastructures (June 2001)TURKEY - Electronic Signature Law no. 5070 (January 2004)TURKEY - Ordinance on the Procedures and Principles Pertaining to the Implementation of Electronic Signature Law (January 2005)TURKEY - Communiqué on Processes and Technical Criteria Regarding Electronic Signatures (January 2005)TÜRKTRUST Certificate Policies (CP) Version 01 (May 2005)TÜRKTRUST Certification Practice Statement (CPS) Version 01 (May 2005)
59
PKI SYSTEMS
Concepts, Processes, Components
TÜRKTRUST Information Security Services Inc.
Mert ÖZARARProject Senior Engineer
mert.ozarar@turktrust.com.tr
top related