BS ISO/IEC TR 14516:2002
Information technology. Security techniques. Guidelines for the use and management of trusted third party services
Hardcopy, PDF
English
05-08-2002
1 Scope
2 References
2.1 Identical Recommendations | International Standards
2.2 Paired Recommendations | International Standards equivalent in technical content
2.3 Additional References
3 Definitions
4 General Aspects
4.1 Basis of Security Assurance and Trust
4.2 Interaction between a TTP and Entities Using its Services
4.2.1 In-line TTP Services
4.2.2 On-line TTP Services
4.2.3 Off-line TTP Services
4.3 Interworking of TTP Services
5 Management and Operational Aspects of a TTP
5.1 Legal Issues
5.2 Contractual Obligations
5.3 Responsibilities
5.4 Security Policy
5.4.1 Security Policy Elements
5.4.2 Standards
5.4.3 Directives and Procedures
5.4.4 Risk Management
5.4.5 Selection of Safeguards
5.4.5.1 Physical and Environmental Measures
5.4.5.2 Organisational and Personnel Measures
5.4.5.3 IT Specific Measures
5.4.6 Implementation Aspects of IT Security
5.4.6.1 Awareness and Training
5.4.6.2 Trustworthiness and Assurance
5.4.6.3 Accreditation of TTP Certification Bodies
5.4.7 Operational Aspects of IT Security
5.4.7.1 Audit/Assessment
5.4.7.2 Incident Handling
5.4.7.3 Contingency Planning
5.5 Quality of Service
5.6 Ethics
5.7 Fees
6 Interworking
6.1 TTP-Users
6.2 User-User
6.3 TTP-TTP
6.4 TTP-Law Enforcement Agency
7 Major Categories of TTP Services
7.1 Time Stamping Service
7.1.1 Time Stamping Authority
7.2 Non-repudiation Services
7.3 Key Management Services
7.3.1 Key Generation Service
7.3.2 Key Registration Service
7.3.3 Key Certification Service
7.3.4 Key Distribution Service
7.3.5 Key Installation Service
7.3.6 Key Storage Service
7.3.7 Key Derivation Service
7.3.8 Key Archiving Service
7.3.9 Key Revocation Service
7.3.10 Key Destruction Service
7.4 Certificate Management Services
7.4.1 Public Key Certificate Service
7.4.2 Privilege Attribute Service
7.4.3 On-line Authentication Service Based on Certificates
7.4.4 Revocation of Certificates Service
7.5 Electronic Notary Public Services
7.5.1 Evidence Generation Service
7.5.2 Evidence Storage Service
7.5.3 Arbitration Service
7.5.4 Notary Authority
7.6 Electronic Digital Archiving Service
7.7 Other Services
7.7.1 Directory Service
7.7.2 Identification and Authentication Service
7.7.2.1 On-line Authentication Service
7.7.2.2 Off-line Authentication Service
7.7.2.3 In-line Authentication Service
7.7.3 In-line Translation Service
7.7.4 Recovery Services
7.7.4.1 Key Recovery Services
7.7.4.2 Data Recovery Services
7.7.5 Personalisation Service
7.7.6 Access Control Service
7.7.7 Incident Reporting and Alert Management Service
Annex A - Security Requirements for Management of TTPs
Annex B - Aspects of CA management
B.1 Example of Registration Process Procedures
B.2 An example of requirements for Certification Authorities
B.3 Certification Policy and Certification Practice Statement (CPS)
Annex C - Bibliography
Specifies guidance on issues regarding the roles, positions and relationships of TTPs and the entities using TTP services. Associated with the provision and operation of a Trusted Third Party (TTP) are a number of security-related issues for which general guidance is necessary to assist business entities, developers and providers of systems and services, etc. Gives guidance for the use and management of TTPs, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TTPs and entities using their services. Identifies different major categories of TTP services including: time stamping, non-repudiation, key management, certificate management, and electronic notary public. Each of these major categories consists of several services which logically belong together.
Committee | IST/33/4 |
Development note | Supersedes 98/652588 DC (08/2002) |
Document type | Standard |
Pages | 42 |
Publisher name | British Standards Institution |
Status | Current |
Associated with the provision and operation of a Trusted Third Party (TTP) are a number of security-related issues for which general guidance is necessary to assist business entities, developers and providers of systems and services, etc. This includes guidance on issues regarding the roles, positions and relationships of TTPs and the entities using TTP services, the generic security requirements, who should provide what type of security, what the possible security solutions are, and the operational use and management of TTP service security.
This Recommendation | Technical Report provides guidance for the use and management of TTPs, a clear definition of the basic duties and services provided, their description and their purpose, and the roles and liabilities of TTPs and entities using their services. It is intended primarily for system managers, developers, TTP operators and enterprise users to select those TTP services needed for particular requirements, their subsequent management, use and operational deployment, and the establishment of a Security Policy within a TTP. It is not intended to be used as a basis for a formal assessment of a TTP or a comparison of TTPs.
This Recommendation | Technical Report identifies different major categories of TTP services including: time stamping, non-repudiation, key management, certificate management, and electronic notary public. Each of these major categories consists of several services which logically belong together.
Standards | Relationship |
ISO/IEC TR 14516:2002 | Identical |

Standard | Title |
ISO/IEC 13888-2:2010 | Information technology — Security techniques — Non-repudiation — Part 2: Mechanisms using symmetric techniques |
ISO 15782-1:2009 | Certificate management for financial services — Part 1: Public key certificates |
ISO/IEC 15408-2:2008 | Information technology — Security techniques — Evaluation criteria for IT security — Part 2: Security functional components |
ISO/IEC 7498-3:1997 | Information technology — Open Systems Interconnection — Basic Reference Model: Naming and addressing |
ISO/IEC 9798-3:1998 | Information technology — Security techniques — Entity authentication — Part 3: Mechanisms using digital signature techniques |
BS 7799(1995) : AMD 9911 | Code of practice for information security management |
ISO/IEC 11770-2:2008 | Information technology — Security techniques — Key management — Part 2: Mechanisms using symmetric techniques |
ISO/IEC 15945:2002 | Information technology — Security techniques — Specification of TTP services to support the application of digital signatures |
ISO/IEC 15408-3:2008 | Information technology — Security techniques — Evaluation criteria for IT security — Part 3: Security assurance components |
ISO/IEC 8824-2:2015 | Information technology — Abstract Syntax Notation One (ASN.1): Information object specification — Part 2 |
ISO/IEC 13888-3:2009 | Information technology — Security techniques — Non-repudiation — Part 3: Mechanisms using asymmetric techniques |
ISO/IEC 9798-4:1999 | Information technology — Security techniques — Entity authentication — Part 4: Mechanisms using a cryptographic check function |
ISO/IEC 10181-3:1996 | Information technology — Open Systems Interconnection — Security frameworks for open systems: Access control framework |
ISO/IEC 10181-1:1996 | Information technology — Open Systems Interconnection — Security frameworks for open systems: Overview |
ISO/IEC 9798-2:2008 | Information technology — Security techniques — Entity authentication — Part 2: Mechanisms using symmetric encipherment algorithms |
ISO/IEC 9594-8:2017 | Information technology — Open Systems Interconnection — The Directory — Part 8: Public-key and attribute certificate frameworks |
ISO/IEC TR 13335-2:1997 | Information technology — Guidelines for the management of IT Security — Part 2: Managing and planning IT Security |
ISO 7498-2:1989 | Information processing systems — Open Systems Interconnection — Basic Reference Model — Part 2: Security Architecture |
ISO/IEC 9594-6:2017 | Information technology — Open Systems Interconnection — The Directory — Part 6: Selected attribute types |
ISO/IEC 8824-4:2015 | Information technology — Abstract Syntax Notation One (ASN.1): Parameterization of ASN.1 specifications — Part 4 |
ISO/IEC 10118-1:2016 | Information technology — Security techniques — Hash-functions — Part 1: General |
ISO/IEC TR 13335-3:1998 | Information technology — Guidelines for the management of IT Security — Part 3: Techniques for the management of IT Security |
ISO/IEC 13888-1:2009 | Information technology — Security techniques — Non-repudiation — Part 1: General |
ISO/IEC Guide 61:1996 | General requirements for assessment and accreditation of certification/registration bodies |
ISO/IEC 10181-4:1997 | Information technology — Open Systems Interconnection — Security frameworks for open systems: Non-repudiation framework — Part 4 |
ISO/IEC 10181-2:1996 | Information technology — Open Systems Interconnection — Security frameworks for open systems: Authentication framework |
ISO/IEC TR 13335-4:2000 | Information technology — Guidelines for the management of IT Security — Part 4: Selection of safeguards |
ISO/IEC 10118-3:2004 | Information technology — Security techniques — Hash-functions — Part 3: Dedicated hash-functions |
AS/NZS 4444.1:1999 | Information security management — Code of practice for information security management |
ISO/IEC 15946-3:2002 | Information technology — Security techniques — Cryptographic techniques based on elliptic curves — Part 3: Key establishment |
ISO/IEC 10181-5:1996 | Information technology — Open Systems Interconnection — Security frameworks for open systems: Confidentiality framework |
ISO/IEC 15408-1:2009 | Information technology — Security techniques — Evaluation criteria for IT security — Part 1: Introduction and general model |
ISO/IEC 8824-1:2015 | Information technology — Abstract Syntax Notation One (ASN.1): Specification of basic notation — Part 1 |
ISO/IEC 10181-6:1996 | Information technology — Open Systems Interconnection — Security frameworks for open systems: Integrity framework |
ISO/IEC 10118-2:2010 | Information technology — Security techniques — Hash-functions — Part 2: Hash-functions using an n-bit block cipher |
ISO/IEC Guide 65:1996 | General requirements for bodies operating product certification systems |
ISO/IEC 8824-3:2015 | Information technology — Abstract Syntax Notation One (ASN.1): Constraint specification — Part 3 |
ISO/IEC 11770-1:2010 | Information technology — Security techniques — Key management — Part 1: Framework |
ISO/IEC 11770-3:2015 | Information technology — Security techniques — Key management — Part 3: Mechanisms using asymmetric techniques |
ISO/IEC 9798-1:2010 | Information technology — Security techniques — Entity authentication — Part 1: General |
ISO/IEC TR 13335-1:1996 | Information technology — Guidelines for the management of IT Security — Part 1: Concepts and models for IT Security |