ISO 21188:2018 Public key infrastructure for financial services — Practices and policy framework
Standard number: ISO 21188:2018
Chinese title: 金融服务用公用密钥的基础 规范和政策构架
English title: Public key infrastructure for financial services — Practices and policy framework
Publication date: 2018-04
Scope
ISO 21188:2018 sets out a framework of requirements to manage a PKI through certificate policies and certification practice statements and to enable the use of public key certificates in the financial services industry. It also defines control objectives and supporting procedures to manage risks. While this document addresses the generation of public key certificates that might be used for digital signatures or key establishment, it does not address authentication methods, non-repudiation requirements or key management protocols.

ISO 21188:2018 draws a distinction between PKI systems used in closed, open and contractual environments. It further defines the operational practices relative to financial-services-industry-accepted information systems control objectives. This document is intended to help implementers to define PKI practices that can support multiple certificate policies that include the use of digital signature, remote authentication, key exchange and data encryption.

ISO 21188:2018 facilitates the implementation of operational, baseline PKI control practices that satisfy the requirements for the financial services industry in a contractual environment. While the focus of this document is on the contractual environment, application of this document to other environments is not specifically precluded.

For the purposes of this document, the term "certificate" refers to public key certificates. Attribute certificates are outside the scope of this document.

ISO 21188:2018 is targeted at several audiences with different needs, and therefore the use of this document will have a different focus for each. Business managers and analysts are those who require information regarding using PKI technology in their evolving businesses (e.g. electronic commerce); see Clauses 1 to 6. Technical designers and implementers are those who are writing their certificate policies and certification practice statement(s); see Clauses 6 to 7 and Annexes A to G. Operational management and auditors are those who are responsible for day-to-day operations of the PKI and validating compliance to this document; see Clauses 6 to 7.