Table of Contents

FOREWORD
1. SCOPE
2. DEFINITIONS AND COMMON ABBREVIATIONS
   2.1. DEFINITIONS
   2.2. ACRONYMS
   2.3. NOTATION
3. INTRODUCTION
4. CERTIFICATE MANAGEMENT
   4.1. GENERAL
   4.2. THE CERTIFICATION AUTHORITY
        4.2.1. Certification Authority Responsibilities
        4.2.2. Entity's Responsibility Regarding Key Integrity
        4.2.3. Distribution Of A CA's Public Key
        4.2.4. Security Requirements For A CA's Private Key
   4.3. TRUST MODELS
   4.4. CERTIFICATE GENERATION
   4.5. CERTIFICATE VALIDATION
   4.6. CERTIFICATE REVOCATION LIST (CRL)
        4.6.1. General Requirements
        4.6.2. Actions To Be Taken Whenever A Certificate is
                Revoked or Held
        4.6.3. Compromise Or Suspected Compromise Of An
                Entity's Private Key
        4.6.4. Request For Revocation Of an Entity's
                Certificate(s) Because Of A Cessation of
                Operations
        4.6.5. Request For Revocation Of Entity's
                Certificate(s) Because Of A Change Of
                Affiliation Of The Entity
        4.6.6. Revocation Of Certificates For Reasons Other
                Than For Key Compromise, Cessation Of
                Operations, Or A Change Of Affiliation
        4.6.7. Revocation or Holding Of Certificates For
                Public Keys Which Are Used To Protect Symmetric
                Algorithm Key Exchanges
        4.6.8. Certificate Holds Due to Unauthenticated
                Revocation Requests or Other Business Reasons
        4.6.9. Implied Release of Certificate Hold via Natural
                Expiration of the Hold
        4.6.10. Reissuance of a Certificate Hold with an
                Extended Expiration Date
        4.6.11. Revocation of a Certificate Superseding a
                Prior Certificate Hold Expiration Date
        4.6.12. Certificate Hold Release to Cancel Certificate
                Hold Prior to Expiration
        4.6.13. Expiration of Certificate Prior to the
                Expiration of a Hold
   4.7. THE LOCAL REGISTRATION AGENT (LRA)
        4.7.1. Applying for Certificates
        4.7.2. Requesting Certificate Revocation
   4.8. ATTRIBUTE CERTIFICATES
5. DATA ELEMENTS AND RELATIONSHIPS
   5.1. GENERAL
   5.2. DSA PUBLIC KEYS
   5.3. SIGNATURES
        5.3.1. Single Signatures
        5.3.2. Multiple Signatures
   5.4. CERTIFICATION REQUEST DATA (CERTREQDATA)
   5.5. PUBLIC KEY CERTIFICATES
   5.6. ATTRIBUTE CERTIFICATES
   5.7. CERTIFICATE REVOCATION AND HOLD/RELEASE
        5.7.1. Certificate Revocation
        5.7.2. Certificate Hold/Release
        5.7.3. Hold Instruction Codes
        5.7.4. CRL Data Structures
6. AUDIT JOURNAL REQUIREMENTS
7. REFERENCES
8. ASN.1 MODULE
ANNEX A: SUGGESTED REQUIREMENTS FOR THE ACCEPTANCE OF
         CERTIFICATE REQUEST DATA
   A.1. INTRODUCTION
   A.2. ACCEPTANCE OF THE CERTIFICATE REQUEST DATA OF AN
        INDIVIDUAL
        A.2.1. LOW RISK APPLICATIONS
        A.2.2. MEDIUM RISK APPLICATIONS
        A.2.3. HIGH RISK APPLICATIONS
   A.3. ACCEPTANCE OF THE CERTIFICATION REQUEST DATA OF A
        LEGAL ENTITY
        A.3.1. A FINANCIAL INSTITUTION IN A PEER-TO-PEER
               RELATIONSHIP
        A.3.2. A BUSINESS CUSTOMER OF A FINANCIAL INSTITUTION
   A.4. ACCEPTANCE OF THE CERTIFICATE REQUEST DATA OF A
        HARDWARE DEVICE
ANNEX B: ALTERNATIVE TRUST MODELS
   B.1. OVERVIEW
   B.2. TRUST MODELS
   B.3. CENTRALIZED AND DECENTRALIZED MODELS
   B.4. EXAMPLES
   B.5. ISSUES INVOLVING MULTIPLE DOMAINS
        B.5.1. MULTIPLE LEVELS OF ASSURANCE
        B.5.2. MULTIPLE TRUST MODELS
   B.6. SUBSCRIBER AND ORGANIZATIONAL CERTIFICATES
ANNEX C: OBJECT IDENTIFIERS AND ATTRIBUTES
   C.1. ALGORITHMS
   C.2. MODULES
   C.3. ATTRIBUTES
   C.4. CERTIFICATE AND CRL EXTENSIONS
   C.5. CERTIFICATE HOLD INSTRUCTIONS
ANNEX D: RECOMMENDED CERTIFICATION AUTHORITY AUDIT JOURNAL
         CONTENTS AND USE
   D.1. AUDIT JOURNAL CONTENTS AND PROTECTION
        D.1.1. ELEMENTS TO BE INCLUDED IN ALL JOURNAL ENTRIES
        D.1.2. CERTIFICATE APPLICATION INFORMATION TO BE
               JOURNALIZED BY AN LRA, CA OR AA
        D.1.3. EVENTS TO BE JOURNALIZED
        D.1.4. ACTIONS TO BE JOURNALIZED
        D.1.5. SECURITY-SENSITIVE EVENTS TO BE JOURNALIZED
        D.1.6. MESSAGES AND DATA TO BE JOURNALIZED
   D.2. AUDIT JOURNAL BACKUP
   D.3. AUDIT JOURNAL USE
ANNEX E: DISTRIBUTION OF CERTIFICATES AND CERTIFICATE
         REVOCATION LISTS
   E.1. INTRODUCTION
   E.2. CERTIFICATE DISTRIBUTION
   E.3. CRL DISTRIBUTION
ANNEX F: MULTIPLE ALGORITHM CERTIFICATE VALIDATION
   F.1. MULTIPLE ALGORITHM CERTIFICATION PATHS
   F.2. UNWRAPPING DSA/RSA MULTIPLE ALGORITHM CERTIFICATION
        PATHS
ANNEX G: CERTIFICATE AUTHORITY TECHNIQUES FOR DISASTER
         RECOVERY
   G.1. INTRODUCTION
   G.2. NOTIFICATION WITH CA'S SECONDARY KEY PAIR
   G.3. REISSUANCE WITH CA'S SECONDARY KEY PAIR
   G.4. REISSUANCE WITH CA'S NEW PRIMARY KEY PAIR
   G.5. NOTIFICATION WITH MULTIPLY SIGNED CERTIFICATES

Abstract

Defines certificate management procedures and data elements. Specifies the contents of certificates, the credentials required to obtain a certificate, and procedures for certificate generation, validation, and revocation, for Digital Signature Algorithm (DSA) public key certificates and attribute certificates.

General Product Information

Published
Document Type	Standard
Status	Current
Publisher	American Bankers Association
Pages
ISBN
Committee	X9