Return to EDIFACT 40100 Messages page.
UN/EDIFACT
UNITED NATIONS STANDARD MESSAGE (UNSM)
Security key and certificate management message
Version: 4
Release: V4R1
Contr. Agency: UN
Revision: 1
Date: 2001-11-01
SOURCE: Joint Syntax Working Group (JSWG)
CONTENTS
Security key and certificate management message
- INTRODUCTION
- SCOPE
- Functional definition
- Field of application
- Principles
- REFERENCES
- TERMS AND DEFINITIONS
- Standard terms and definitions
- MESSAGE DEFINITION
- Data segment clarification
- Data segment index (alphabetical sequence)
- Message structure
- Segment table
For general information on UN standard message types see UN Trade Data Interchange Directory, UNTDID, Part 4, Section 2.6, UN/ECE UNSM General Introduction.
This message also occurs in the following versions of this standard: 40000, 40100
0. INTRODUCTION
This is a new part, which has been added to ISO 9735. It provides an optional capability of managing security keys and certificates.
1. SCOPE
This part of ISO 9735 defines the security key and certificate management message KEYMAN for batch EDIFACT security.
1.1. Functional Definition
KEYMAN is a message providing for security key and certificate management. A key may be a secret key used with symmetric algorithms, or a public or private key used with asymmetric algorithms.
1.2. Field of Application
The security key and certificate management message (KEYMAN) may be used for both national and international trade. It is based on universal practice related to administration, commerce and transport, and is not dependent on the type of business or industry.
1.3. Principles
The message may be used to request or deliver security keys, certificates, or certification paths (this includes requesting other key and certificate management actions, for example renewing, replacing or revoking certificates, and delivering other information, such as certificate status), and it may be used to deliver lists of certificates (for example to indicate which certificates have been revoked). The KEYMAN message may itself be secured by the use of security header and trailer segment groups; their structures are defined in Part 5 of ISO 9735.
A security key and certificate management message can be used to:
- request actions in relation to keys and certificates
- deliver keys, certificates, and related information
2. REFERENCES
See UNTDID, Part 4, Chapter 2.6 UN/ECE UNSM - General Introduction, Section 1.
3. TERMS AND DEFINITIONS
3.1. Standard terms and definitions
See UNTDID, Part 4, Chapter 2.6 UN/ECE UNSM - General Introduction, Section 2.
4. MESSAGE DEFINITION
4.1. Data Segment Clarification
This section should be read in conjunction with the Branching Diagram and Segment Table which indicate mandatory, conditional and repeating requirements.
0010 UNH, Message header
A service segment starting and uniquely identifying a message. The message type code for the security key and certificate management message is KEYMAN. Note: messages conforming to this document must contain the following data in segment UNH, composite S009: message type KEYMAN, message version number 4, message release number 1, controlling agency UN (the values given in the header of this page).
0020 Segment Group 1: USE-USX-SG2
A group of segments containing all information necessary to carry key, certificate or certification path management requests, deliveries and notices.
0030 USE, Security message relation
A segment identifying a relationship to an earlier message, such as a KEYMAN request.
0040 USX, Security references
A segment identifying a link to an earlier message, such as a request. The composite data element "security date and time" may contain the original generation date and time of the referenced message.
0050 Segment Group 2: USF-USA-SG3
A group of segments containing a single key, a single certificate, or a group of certificates forming a certification path.
0060 USF, Key management function
A segment identifying the function of the group it triggers, either a request or a delivery. When used to indicate elements of a certification path, the certificate sequence number shall indicate the position of the following certificate within the certification path. It may be used on its own for list retrieval, with no certificate present. There may be several different USF segments within the same message if more than one key or certificate is handled; however, there shall be no mixture of request functions and delivery functions in one message. The USF segment may also specify the filter function used for the binary fields of the USA segment immediately following it.
0070 USA, Security algorithm
A segment identifying a security algorithm, the technical usage made of it, and containing the technical parameters required (as defined in Part 5 of ISO 9735). This segment shall be used for symmetric key requests, discontinuation or delivery. It may also be used for an asymmetric key pair request.
0080 Segment Group 3: USC-USA-USR
A group of segments containing the data necessary to validate the security methods applied to the message/package when asymmetric algorithms are used (as defined in Part 5 of ISO 9735). This group shall be used in the request or delivery of keys and certificates. Either the full certificate segment group (including the USR segment), or only the data elements necessary to identify unambiguously the asymmetric key pair used, shall be present in the USC segment. The presence of a full certificate may be avoided if the certificate has already been exchanged by the two parties, or if it may be retrieved from a database. Where it is desired to refer to a non-EDIFACT certificate (such as X.509), the certificate syntax and version shall be identified in data element 0545 of the USC segment. Such certificates may be conveyed in an EDIFACT package, in which case the certificate reference in USC (0536) shall contain the reference identification number (0802) from the UNO segment of the package containing the non-EDIFACT certificate, and no other data elements (in order to distinguish it from an EDIFACT certificate reference).
0090 USC, Certificate
A segment containing the credentials of the certificate owner and identifying the certification authority which has generated the certificate (as defined in Part 5 of ISO 9735). This segment shall be used for certificate requests such as renewal, for asymmetric key requests such as discontinuation, and for certificate deliveries.
0100 USA, Security algorithm
A segment identifying a security algorithm, the technical usage made of it, and containing the technical parameters required (as defined in Part 5 of ISO 9735). This segment shall be used for certificate requests such as credentials registration, and for certificate deliveries.
0110 USR, Security result
A segment containing the result of the security functions applied to the certificate by the certification authority (as defined in Part 5 of ISO 9735). This segment shall be used for certificate validation or certificate deliveries.
0120 Segment Group 4: USL-SG5
A group of segments containing lists of certificates or public keys. The group shall be used to group together certificates of similar status, i.e. those which are still valid, or those which may be invalid for some reason.
0130 USL, Security list status
A segment identifying valid, revoked, unknown or discontinued items. These items may be certificates (e.g. valid, revoked) or public keys (e.g. valid or discontinued). There may be several different USL segments within this message if the delivery implies more than one list of certificates or public keys. The different lists may be identified by the list parameters.
0140 Segment Group 5: USC-USA-USR
A group of segments containing the data necessary to validate the security methods applied to the message/package when asymmetric algorithms are used (as defined in Part 5 of ISO 9735). This group shall be used in the delivery of lists of keys or certificates of similar status.
0150 USC, Certificate
A segment containing the credentials of the certificate owner and identifying the certification authority which has generated the certificate (as defined in Part 5 of ISO 9735). This segment shall either carry the full certificate, together with the USA and USR segments, or alternatively indicate only the certificate reference number or key name, in which case the message shall be signed using the security header and trailer segment groups (with only references in the list, nothing in the list itself carries a certification authority's signature, so the message-level signature is what authenticates the status information).
0160 USA, Security algorithm
A segment identifying a security algorithm, the technical usage made of it, and containing the technical parameters required (as defined in Part 5 of ISO 9735). If it is required to indicate the algorithms used with a certificate, this segment shall be used.
0170 USR, Security result
A segment containing the result of the security functions applied to the certificate by the certification authority (as defined in Part 5 of ISO 9735). If it is required to sign a certificate, this segment shall be used.
0180 UNT, Message trailer
A service segment ending a message, giving the total number of segments and the control reference number of the message.
4.2. Data segment index (Alphabetical sequence by tag)
UNH Message header
UNT Message trailer
USA Security algorithm
USC Certificate
USE Security message relation
USF Key management function
USL Security list status
USR Security result
USX Security references
4.3. Message structure
4.3.1. Segment table
Pos    Tag / group (indentation shows nesting)    St   Max
0010   UNH Message header                         M    1
0020   Segment Group 1                            C    999
0030     USE Security message relation            M    1
0040     USX Security references                  C    1
0050     Segment Group 2                          M    9
0060       USF Key management function            M    1
0070       USA Security algorithm                 C    1
0080       Segment Group 3                        C    1
0090         USC Certificate                      M    1
0100         USA Security algorithm               C    3
0110         USR Security result                  C    1
0120   Segment Group 4                            C    99
0130     USL Security list status                 M    1
0140     Segment Group 5                          M    9999
0150       USC Certificate                        M    1
0160       USA Security algorithm                 C    3
0170       USR Security result                    C    1
0180   UNT Message trailer                        M    1
St: M = mandatory, C = conditional. Max: maximum number of occurrences of the segment or group at that position.
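The segment table above, together with the rules in section 4.1, fixes the structure a KEYMAN message must have. The following Python validator is an added example and is not part of the UNTDID text nor code from any UN/EDIFACT implementation. It tokenizes a message in one pass (honouring the release character, so an escaped separator is kept as data), matches the segments against the section 4.3.1 table with its mandatory/conditional status and maximum repeats, checks the UNH S009 identification and the UNT segment count and message reference, and optionally enforces the USF rule that request and delivery functions are not mixed in one message. It assumes the default separators (no UNA segment); the sample messages are constructed, their data element values are placeholders rather than coded values from ISO 9735-5, and the classification of USF function qualifiers as requests or deliveries is supplied by the caller because this page does not list those codes.

```python
"""Structural validator for UN/EDIFACT KEYMAN messages (added example). Assumes the
default separators (component ':', element '+', release '?', terminator "'"), i.e. no UNA."""
from typing import List, NamedTuple, Optional, Set

class Segment(NamedTuple):
    tag: str
    elements: List[List[str]]  # each element is the list of its components

# Section 4.3.1 segment table: (tag or group, status, max repeats[, members]);
# the first member of a group is the segment that triggers it.
SG3 = [("USC", "M", 1), ("USA", "C", 3), ("USR", "C", 1)]
KEYMAN_TABLE = [
    ("UNH", "M", 1),
    ("SG1", "C", 999, [("USE", "M", 1), ("USX", "C", 1),
                       ("SG2", "M", 9, [("USF", "M", 1), ("USA", "C", 1), ("SG3", "C", 1, SG3)])]),
    ("SG4", "C", 99, [("USL", "M", 1), ("SG5", "M", 9999, SG3)]),  # SG5 has the same members as SG3
    ("UNT", "M", 1),
]

def parse_edifact(text: str) -> List[Segment]:
    """One pass over the text, so a separator escaped with '?' stays data."""
    segments, elements, components, buf = [], [], [], []
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "?" and i + 1 < len(text):
            buf.append(text[i + 1]); i += 2  # released character is taken literally
            continue
        if ch in "\r\n " and not (buf or components or elements):
            pass  # whitespace between segments is not part of the syntax
        elif ch == ":":
            components.append("".join(buf)); buf = []
        elif ch == "+":
            components.append("".join(buf)); elements.append(components); buf, components = [], []
        elif ch == "'":
            components.append("".join(buf)); elements.append(components)
            segments.append(Segment(elements[0][0], elements[1:])); buf, components, elements = [], [], []
        else:
            buf.append(ch)
        i += 1
    if buf or components or elements:
        raise ValueError("unterminated segment at end of input")
    return segments

def _elem(seg: Segment, i: int, j: int = 0) -> str:
    try:
        return seg.elements[i][j]
    except IndexError:
        return ""

def _match(items, segs: List[Segment], pos: int, errors: List[str], path: str) -> int:
    """Greedy left-to-right match of one table sequence; returns the index of the first
    segment not consumed. A group repeats while its trigger segment comes next."""
    for item in items:
        name, status, max_rep = item[:3]
        members = item[3] if len(item) > 3 else None
        trigger = members[0][0] if members else name
        count = 0
        while pos < len(segs) and segs[pos].tag == trigger and count < max_rep:
            pos = _match(members, segs, pos, errors, f"{path}/{name}") if members else pos + 1
            count += 1
        if count == 0 and status == "M":
            found = segs[pos].tag if pos < len(segs) else "end of message"
            errors.append(f"{path}/{name}: mandatory, expected at segment {pos + 1} but found {found}")
    return pos

def validate_keyman(text: str, request_codes: Optional[Set[str]] = None,
                    delivery_codes: Optional[Set[str]] = None) -> List[str]:
    """Return the problems found (empty list = structurally valid). request_codes and
    delivery_codes are the USF function qualifier values the caller classes as requests
    or deliveries (from the ISO 9735-5 code list, which is not reproduced here)."""
    segs = parse_edifact(text)
    errors: List[str] = []
    end = _match(KEYMAN_TABLE, segs, 0, errors, "KEYMAN")
    if end < len(segs):
        errors.append(f"segment {end + 1} ({segs[end].tag}) is not allowed at this position")
    unh = segs[0] if segs and segs[0].tag == "UNH" else None
    unt = segs[-1] if segs and segs[-1].tag == "UNT" else None
    if unh and [_elem(unh, 1, k) for k in range(4)] != ["KEYMAN", "4", "1", "UN"]:
        errors.append("UNH S009 must identify the message as KEYMAN:4:1:UN")
    if unt and _elem(unt, 0) != str(len(segs)):  # the count includes UNH and UNT themselves
        errors.append(f"UNT segment count {_elem(unt, 0)} does not match actual count {len(segs)}")
    if unh and unt and _elem(unt, 1) != _elem(unh, 0):
        errors.append("UNT message reference does not match UNH")
    if request_codes and delivery_codes:  # section 4.1 USF rule: no mixing in one message
        funcs = {_elem(s, 0) for s in segs if s.tag == "USF"}
        if funcs & request_codes and funcs & delivery_codes:
            errors.append("USF: request and delivery functions mixed in one message")
    return errors

# Constructed samples; element values are placeholders, not ISO 9735-5 codes.
# Valid: one key delivery (SG1/SG2) plus a two-entry certificate list (SG4/SG5).
KEYMAN_OK = ("UNH+MSG001+KEYMAN:4:1:UN'USE+1'USX+REQ0042'USF+2'USA+1:16:1'"
             "USL+1'USC+CERT0001'USC+CERT0002'UNT+9+MSG001'")
# Invalid: a fourth USA in SG3 (max 3) and a UNT count that does not match.
KEYMAN_BAD = ("UNH+MSG002+KEYMAN:4:1:UN'USE+1'USF+2'USC+CERT0001'"
              "USA+1'USA+2'USA+3'USA+4'UNT+8+MSG002'")
# Two USF functions; whether they mix request and delivery depends on the code sets passed.
KEYMAN_MIX = "UNH+MSG003+KEYMAN:4:1:UN'USE+1'USF+1'USF+2'UNT+5+MSG003'"
```

`validate_keyman(KEYMAN_OK)` returns an empty list, while `validate_keyman(KEYMAN_BAD)` reports the fourth USA as not allowed at its position and the UNT count mismatch. The matcher is deliberately greedy and sequential, which is how EDIFACT segment tables are meant to be read: because USA appears in both Segment Group 2 (max 1) and Segment Group 3 (max 3), the position of a USA is decided purely by what was consumed before it, so a stray USA is always reported as an unexpected segment rather than silently absorbed. Note that a message with neither Segment Group 1 nor Segment Group 4 passes, since both are conditional; whether that is acceptable is a matter for the implementation guideline, not the syntax.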