标准摘要
[中文适用范围]: 本文件规定了通过证书策略、证书操作声明和(如适用)其内部支撑的信息安全管理体系(ISMS),对公钥基础设施(PKI)信任服务提供商进行信息安全管要求的框架。 本文件旨在帮助信任服务提供商支持多个证书策略。 本文件涵盖用于数字签名、身份验证或基于数据加密的密钥建立的公共密钥证书的生命周期。不涉及认证方法、非否认要求或基于公钥证书使用的密钥管理协议。 在本文件中,术语“证书”指代公钥证书。本文件不适用于属性证书。 本文件采用信息安全管理体系(ISMS)的概念和要求,如ISO/IEC 27000系列标准所定义。它使用了ISO/IEC 27002中信息安控的实施守则。 具体PKI要求(如证书内容、身份验证、证书吊销处理等)不由ISO/IEC 27001之类的ISMS直接规定。ISMS或其替代方案的应用应适应本文件所述证书策略中规定的PKI服务要求。 PKI信任服务提供商是一类特殊信任服务,用于公钥证书的使用。 本文件区分了在封闭、开放和合同环境中使用的PKI系统。 本文件旨在促进合同环境下操作性、基线控制和实践的实施。尽管本文件的重点是合同环境,但将其应用于开放或封闭环境并未特别排除。 [外文原描述]: This document sets out a framework of requirements to manage information security for Public key infrastructure (PKI) trust service providers through certificate policies, certificate practice statements, and, where applicable, their internal underpinning by an information security management system (ISMS). The framework of requirements includes the assessment and treatment of information security risks, tailored to meet the agreed service requirements of its users as specified through the certificate policy. This document is also intended to help trust service providers to support multiple certificate policies. This document addresses the life cycle of public key certificates that are used for digital signatures, authentication, or key establishment for data encryption. It does not address authentication methods, non-repudiation requirements, or key management protocols based on the use of public key certificates. For the purposes of this document, the term “certificate” refers to public key certificates. This document is not applicable to attribute certificates. This document uses concepts and requirements of an ISMS as defined in the ISO/IEC 27000 family of standards. It uses the code of practice for information security controls as defined in ISO/IEC 27002. Specific PKI requirements (e.g. certificate content, identity proofing, certificate revocation handling) are not addressed directly by an ISMS such as defined by ISO/IEC 27001 [26]. The use of an ISMS or equivalent is adapted to the application of PKI service requirements specified in the certificate policy as described in this document. A PKI trust service provider is a special class of trust service for the use of public key certificates. This document draws a distinction between PKI systems used in closed, open and contractual environments. This document is intended to facilitate the implementation of operational, baseline controls and practices in a contractual environment. While the focus of this document is on the contractual environment, application of this document to open or closed environments is not specifically precluded.
英文名称Information technology - Public key infrastructure - Practices and policy framework