Public key infrastructure for financial services — Practices and policy framework

Available format(s)

Hardcopy , PDF , PDF 3 Users , PDF 5 Users , PDF 9 Users

Language(s)

English

Published date

04-09-2018

Publisher

International Organization for Standardization

ISO 21188:2018 sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. While this document addresses the generation of public key certificates that might be used for digital signatures or key establishment, it does not address authentication methods, non-repudiation requirements or key management protocols.

ISO 21188:2018 draws a distinction between PKI systems used in closed, open and contractual environments. It further defines the operational practices relative to financial-services-industry-accepted information systems control objectives. This document is intended to help implementers to define PKI practices that can support multiple certificate policies that include the use of digital signature, remote authentication, key exchange and data encryption.

ISO 21188:2018 facilitates the implementation of operational, baseline PKI control practices that satisfy the requirements for the financial services industry in a contractual environment. While the focus of this document is on the contractual environment, application of this document to other environments is not specifically precluded. For the purposes of this document, the term "certificate" refers to public key certificates. Attribute certificates are outside the scope of this document

ISO 21188:2018 is targeted for several audiences with different needs and therefore the use of this document will have a different focus for each.

Business managers and analysts are those who require information regarding using PKI technology in their evolving businesses (e.g. electronic commerce); see Clauses 1 to 6.

Technical designers and implementers are those who are writing their certificate policies and certification practice statement(s); see Clauses 6 to 7 and Annexes A to G.

Operational management and auditors are those who are responsible for day-to-day operations of the PKI and validating compliance to this document; see Clauses 6 to 7.

Committee	ISO/TC 68/SC 2
DevelopmentNote	Supersedes ISO/DIS 21188. Supersedes and incorporates ISO 15782-1 & ISO 15782-2. (04/2018)
DocumentType	Standard
Pages	108
PublisherName	International Organization for Standardization
Status	Current
Supersedes	ISO 15782-1:2009 ISO 15782-2:2001 ISO 21188:2006

Standards	Relationship
BS ISO 21188:2006	Identical
BS ISO 21188:2018	Identical

ISO/IEC 18033-1:2015	Information technology Security techniques Encryption algorithms Part 1: General
ISO/IEC 18032:2005	Information technology Security techniques Prime number generation
ISO/IEC 18014-3:2009	Information technology Security techniques Time-stamping services Part 3: Mechanisms producing linked tokens
ISO/IEC 15945:2002	Information technology — Security techniques — Specification of TTP services to support the application of digital signatures
ISO/IEC 7813:2006	Information technology Identification cards Financial transaction cards
ISO/IEC 9834-1:2012	Information technology — Procedures for the operation of object identifier registration authorities — Part 1: General procedures and top arcs of the international object identifier tree
ISO/IEC 18033-2:2006	Information technology — Security techniques — Encryption algorithms — Part 2: Asymmetric ciphers
ISO/IEC 18033-3:2010	Information technology Security techniques Encryption algorithms Part 3: Block ciphers
ISO/IEC 18014-2:2009	Information technology Security techniques Time-stamping services Part 2: Mechanisms producing independent tokens
ISO 13491-1:2016	Financial services Secure cryptographic devices (retail) Part 1: Concepts, requirements and evaluation methods
FIPS PUB 140-2 : 0	SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
ISO/IEC 19790:2012	Information technology — Security techniques — Security requirements for cryptographic modules
ISO/IEC 27002:2013	Information technology Security techniques Code of practice for information security controls
ISO/IEC 8824:1990	Information technology — Open Systems Interconnection — Specification of Abstract Syntax Notation One (ASN.1)
ISO/TR 13569:2005	Financial services Information security guidelines
ISO/IEC 9594-8:2017	Information technology Open Systems Interconnection The Directory Part 8: Public-key and attribute certificate frameworks
TS 101 456 : 1.4.3	ELECTRONIC SIGNATURES AND INFRASTRUCTURES (ESI); POLICY REQUIREMENTS FOR CERTIFICATION AUTHORITIES ISSUING QUALIFIED CERTIFICATES
ISO/IEC 10118-3:2004	Information technology Security techniques Hash-functions Part 3: Dedicated hash-functions
ISO/IEC 7810:2003	Identification cards Physical characteristics
ISO/IEC 10646-1:2000	Information technology Universal Multiple-Octet Coded Character Set (UCS) Part 1: Architecture and Basic Multilingual Plane
TS 102 042 : 2.4.1	ELECTRONIC SIGNATURES AND INFRASTRUCTURES (ESI); POLICY REQUIREMENTS FOR CERTIFICATION AUTHORITIES ISSUING PUBLIC KEY CERTIFICATES
ISO/IEC 18033-4:2011	Information technology — Security techniques — Encryption algorithms — Part 4: Stream ciphers