标准摘要
[中文适用范围]: 本文件列出了通过证书政策和认证实践声明管理 PKI 的要求框架,并允许在金融服务行业中使用公钥证书。它还定义了控制目标和支持程序来管理风险。虽然本文件涉及可能用于数字签名或密钥建立的公钥证书的生成,但它并未涉及身份验证方法、不可否认性要求或密钥管理协议。本文件区分了封闭、开放和合同环境中使用的 PKI 系统。它进一步定义了与金融服务行业接受的信息系统控制目标相关的操作实践。本文件旨在帮助实施者定义可以支持多种证书政策的 PKI 实践,包括使用数字签名、远程身份验证、密钥交换和数据加密。本文件有助于实施满足金融服务行业在合同环境中要求的操作性、基本 PKI 控制实践。虽然本文件的重点是合同环境,但并不特别排除将本文件应用于其他环境。就本文件而言,“证书”一词是指公钥证书。属性证书不在本文档的讨论范围内。本文档面向具有不同需求的若干受众,因此本文档的使用针对不同的受众有不同的侧重点。业务经理和分析师是那些需要有关在其不断发展的业务(例如电子商务)中使用 PKI 技术的信息的人;请参阅条款 1 至 6。技术设计人员和实施人员是那些编写证书政策和认证实践声明的人;请参阅条款 6 至 7 和附件 A 至 G。运营管理和审计人员是那些负责 PKI 日常运营和验证对本文档的遵守情况的人;请参阅条款 6 至 7。 [外文原描述]: ISO 21188:2018 sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. While this document addresses the generation of public key certificates that might be used for digital signatures or key establishment, it does not address authentication methods, non-repudiation requirements or key management protocols. ISO 21188:2018 draws a distinction between PKI systems used in closed, open and contractual environments. It further defines the operational practices relative to financial-services-industry-accepted information systems control objectives. This document is intended to help implementers to define PKI practices that can support multiple certificate policies that include the use of digital signature, remote authentication, key exchange and data encryption. ISO 21188:2018 facilitates the implementation of operational, baseline PKI control practices that satisfy the requirements for the financial services industry in a contractual environment. While the focus of this document is on the contractual environment, application of this document to other environments is not specifically precluded. For the purposes of this document, the term "certificate" refers to public key certificates. Attribute certificates are outside the scope of this document ISO 21188:2018 is targeted for several audiences with different needs and therefore the use of this document will have a different focus for each. Business managers and analysts are those who require information regarding using PKI technology in their evolving businesses (e.g. electronic commerce); see Clauses 1 to 6. Technical designers and implementers are those who are writing their certificate policies and certification practice statement(s); see Clauses 6 to 7 and Annexes A to G. Operational management and auditors are those who are responsible for day-to-day operations of the PKI and validating compliance to this document; see Clauses 6 to 7.
英文名称Public key infrastructure for financial services — Practices and policy framework