

ISO/IEC 27099 — Information technology — Public key infrastructure Practices and policy framework [DRAFT]



“This document sets out a framework of requirements to manage information security for PKI Trust Service Providers through Certificate Policies, Certificate Practice Statements, and, where applicable, their internal underpinning by an ISMS. The framework of requirements includes the assessment and treatment of information security risks, tailored to meet the agreed service requirements of its users as specified through the certificate policy.”
[Source: SC 27 Standing Document 11 (2022)]


The standard will identify information risk and security management requirements for Public Key Infrastructure Trust Service Providers and Certification Authorities through one or more Certificate Policies, Certification Practice Statements and (if applicable) Information Security Management Systems.

The standard will describe a PKI management framework, building on and generalising ISO 21188:

“This document is derived from the earlier standard ISO 21188 on Public key infrastructure for financial services — Practices and policy framework, which has been generalised in this document to be applicable to any application domain and to take into account general standards for information security.” [Source: 2nd CD]

Scope of the standard

The standard will support the full lifecycle of public key certificates used for digital signatures, authentication and the key establishment/exchange element of encryption.

It will not address authentication methods, non-repudiation requirements, or key management protocols based on the use of public key certificates.

It will distinguish PKI systems used in closed, open and contractual environments.

It will facilitate the implementation of operational, baseline controls and practices in contractual, open or closed environments, using an ISMS.

It will be applicable to root and intermediate CAs, not just those issuing certificates directly to users.


Content of the standard

Over 90 pages, the DIS version has 3 main sections and 6 informative annexes:

    Section 5: an introduction to PKI general concepts.

    Section 6: CP, CPS and their relation to ISMS. It specifies requirements concerning the management of CA policies and practices.

    Section 7: CA control objectives and controls. It specifies other requirements concerning the operation of a CA, structured similarly to ISO/IEC 27002:2013 (not the new 2022 version).

    Annex A: Management by CP.

    Annex B: Elements of a CPS (mapping this standard to IETF RFC 3647).

    Annex C: CA key generation ceremony.

    Annex D: CA audit journal contents and use.

    Annex E: Certificate and PKI roles.

    Annex F: Changes from ISO 21188 into ISO/IEC 27099.



Development of the standard started in 2018.

June update: The standard is at Final Draft International Standard stage and will hopefully be published by November 2022, once the remaining editorial points are resolved.


Personal notes

As with PKIs in general, this standard uses numerous abbreviations of obscure terms of art, making it tough for non-specialists to comprehend - even tougher than PKI itself and cryptography in general. It is a detailed standard on an advanced, technical topic.

Several of the control objectives in section 7 concern assurance, for example the control objective under 7.5 Human resources security is “To reasonably assure that personnel and employment practices enhance and support the trustworthiness of the CA’s operations”. Ignoring the split infinitive, I’m not convinced that ‘reasonable assurance’ is the primary control objective here. It is just another way of saying ‘ensure’, an unhelpful and over-used term in this context. To me, assurance (reasonable or otherwise!) is a subsidiary concern, and in fact a valuable form of control in its own right (deserving its own, separate control objective). To me, the HR security control objective is for PKI-related personnel to act appropriately, in accordance with applicable policies, procedures, instructions, laws and regulations, contractual terms etc., acting in the organisation’s best interests and so justifying the trust placed in them.

Section 7.9 is a similar example. The system acquisition, development and maintenance control objective is phrased “to provide reasonable assurance that CA systems development and maintenance activities are authorized to maintain CA system integrity”. Both assurance and authorization are forms of control, leaving just ‘maintain CA system integrity’ as the stated control objective ... and again I’m not convinced that is right. Isn’t it important that the PKI (not just the CA) is designed, developed, used and maintained appropriately? And isn’t there more to this than integrity?

Use of the reserved word “shall” in the controls in section 7 suggests that this standard may be used for conformity auditing, perhaps even accredited certification, of Certification Authorities etc., although that possibility or intent is not explicit in the standard (at least I haven’t spotted it).  To confuse matters, it also speaks of ‘recommended practices’, and uses “should” and other verb forms.

[You might feel that I am splitting hairs here, being far too picky ... but I’m writing about an international standard, a formal document, not a casual piece such as this very web page. Although the way things are expressed is subsidiary to what is being said, both aspects are important in the standards.]



Copyright © 2022 IsecT Ltd.