TECHNICAL ISO/IEC REPORT TR 14516 First edition 2002-06-15 Information technology Security techniques Guidelines for the use and management of Trusted Third Party services Technologies de Il'information Techniques de sécurite. -Lignes directrices pour I'emploi et la gestion des services TTP Reference number ISO/IEC TR 14516:2002(E) IEC @ISO/IEC2002 py IHS under ted without license from IHS Not for Resale ISO/IECTR14516:2002(E) PDFdisclaimer This PDF file may contain embedded typefaces. In accordance with Adobe's licensing policy, this file may be printed or viewed but shall not be edited unless the typefaces which are embedded are licensed to and installed on the computer performing the editing. In downloading this file, parties accept therein the responsibility of not infringing Adobe's licensing policy. The ISo Central Secretariat accepts no liability in this area. Adobe is a trademark of Adobe Systems Incorporated. Details of the software products used to create this PDF file can be found in the General Info relative to the file; the PDF-creation parameters were optimized for printing. Every care has been taken to ensure that the file is suitable for use by isO member bodies. In the unlikely event ?ISO/IEC2002 All rights reserved. Unless otherwise specified, no part of this publication may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm, without permission in writing from either ISO at the address below or ISO's member body in the country of the requester. ISO copyright office Case postale 56. CH-1211 Geneva 20 Tel. + 4122 749 01 11 Fax + 41 22 749 09 47 E-mail [email protected] Web www.iso.ch Printed in Switzerland @ISO/IEC2002-Allrightsreserved ermittedwithoutlicense from IHS Not for Resale ISO/IEC TR 14516:2002(E) CONTENTS Page 1 Scope ... 1 2 References.. 1 2.1 Identical Recommendations I International Standards......... 2.2 Paired Recommendations I International Standards equivalent in technical content... 2.3 Additional References .. 3 Definitions..... 2 4 General Aspects... 3 4.1 3 4.2 Interaction between a TTP and Entities Using its Services ..... 4 4.2.1 In-line TTP Services.. 4 4.2.2 On-line TTP Services. 4 4.2.3 Off-line TTP Services 5 4.3 Interworking of TTP Services 5 5 Management and Operational Aspects of a TTP 5 5.1 Legal Issues... 6 5.2 Contractual Obligations... 6 5.3 5.4 Security Policy.... 5.4.1 Security Policy Elements 8 5.4.2 Standards.. 8 5.4.3 Directives and Procedures.. 5.4.4 Risk Management.. 8 5.4.5 Selection of Safeguards... 9 5.4.5.1 Physical and Environmental Measures.. 9 5.4.5.2 Organisational and Personnel Measures ... 9 5.4.5.3 IT Specific Measures............... 9 5.4.6 Implementation Aspects of IT Security.. 10 5.4.6.1 Awareness and Training ... 10 5.4.6.2 Trustworthiness and Assurance.. 10 5.4.6.3 Accreditation of TTP Certification Bodies.... 11 5.4.7 Operational Aspects of IT Security.... 11 5.4.7.1 Audit/Assessment... 11 5.4.7.2 Incident Handling..... 12 5.4.7.3 Contingency Planning......... 12 5.5 Quality of Service .. 12 5.6 Ethics 12 5.7 Fees 12 6 Interworking 12 6.1 TTP-Users .. 13 6.2 13 6.3 TTP-TTP.. 13 6.4 TTP-Law Enforcement Agency.. 14 7 Major Categories of TTP Services..... 14 7.1 Time Stamping Service... 14 7.1.1 Time Stamping Authority... 14 7.2 Non-repudiation Services.. 15 7.3 Key Management Services 16 7.3.1 Key Generation Service .. 16 7.3.2 Key Registration Service... 16 7.3.3 Key Certification Service. 16 7.3.4 Key Distribution Service. 17 7.3.5 Key Installation Service. 17 7.3.6 Key Storage Service... 17 7.3.7 Key Derivation Servic 17 7.3.8 Key Archiving Service. 17 CopyrightIneagaizatoSiandardizat'reeved ili Not for Resale