KEYMAN Security key and certificate management

Syntax Development Group (SDG)

KEYMAN is a message providing for security key and certificate management. A key may be a secret key used with symmetric algorithms, or a public or private key used with asymmetric algorithms.

Send feedback Share via email

Header

Position

Segment

Name

Max use

0010Message headerMandatory->Max 1
To head, identify and specify a message.
1. Data element S009/0057 is retained for upward compatibility. The use of
S016 and/or S017 is encouraged in preference.
2. The combination of the values carried in data elements 0062 and S009 shall
be used to identify uniquely the message within its group (if used) or if
not used, within its interchange, for the purpose of acknowledgement.
Segment group 1
Repeat 999
1. 0030Security message relationMandatory->Max 1
  To specify the relation to earlier security messages, such as response to a particular request, or request for a particular answer.
2. 0040Security referencesConditional->Max 1
  To refer to the secured EDIFACT structure and its associated date and time.
  1. D5(050, 040) If first, then all
  2. D1(070, 090) One and only one
  3. D5(060, 040) If first, then all
  4. D5(080, 070) If first, then all
3. Segment group 2
  Repeat 9
  1. 0060Key management functionMandatory->Max 1
    To specify the type of key management function and the status of a corresponding key or certificate.
  2. 0070Security algorithmConditional->Max 1
    To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.
    1. S503, provides space for one parameter. The number of repetitions of S503
    actually used will depend on the algorithm used. The order of the
    parameters is arbitrary but, in each case, the actual value is preceded by
    a coded algorithm parameter qualifier.
  3. Segment group 3
    Repeat 1
    0090CertificateMandatory->Max 1
    To convey the public key and the credentials of its owner.
    1. D5(110, 100) If first, then all
    2. 0536, if a full certificate (including the USR segment) is not used, the
    only data elements of the certificate shall be a unique certificate
    reference made of: the certificate reference (0536), the S500 identifying
    the issuer certification authority or the S500 identifying the certificate
    owner, including its public key name. In the case of a non-EDIFACT
    certificate data element 0545 shall also be present.
    3. S500/0538, identifies a public key: either of the owner of this
    certificate, or the public key related to the private key used by the
    certificate issuer (certification authority or CA) to sign this
    certificate.
    4. 0507, the original character set encoding of the certificate when it was
    signed. If no value is specified, the character set encoding corresponds
    to that identified by the character set repertoire standard.
    5. 0543, the original character set repertoire of the certificate when it was
    signed. If no value is specified, the default is defined in the
    interchange header.
    6. S505, when this certificate is transferred, it will use the default
    service characters defined in part 1 of ISO 9735, or those defined in the
    service string advice, if used. This data element may specify the service
    characters used when the certificate was signed. If this data element is
    not used then they are the default service characters.
    7. S501, dates and times involved in the certification process. Four
    occurrences of this composite data element are possible: one for the
    certificate generation date and time, one for the certificate start of
    validity period, one for the certificate end of validity period, one for
    revocation date and time.
    0100Security algorithmConditional->Max 3
    To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.
    1. S503, provides space for one parameter. The number of repetitions of S503
    actually used will depend on the algorithm used. The order of the
    parameters is arbitrary but, in each case, the actual value is preceded by
    a coded algorithm parameter qualifier.
    0110Security resultConditional->Max 1
    To contain the result of the security mechanisms.
    1. S508, two occurrences shall be used in the case of signature algorithms
    requiring two parameters to express the result.
    In the case of an RSA signature, only one occurrence of S508 shall be
    used.
    In the case of a DSA signature two occurrences of S508 shall be used.
Segment group 4
Repeat 99
1. 0130Security list statusMandatory->Max 1
  To specify the status of security objects, such as keys or certificates to be delivered in a list, and the corresponding list parameters.
2. Segment group 5
  Repeat 9999
  1. 0150CertificateMandatory->Max 1
    To convey the public key and the credentials of its owner.
    1. D5(110, 100) If first, then all
    2. 0536, if a full certificate (including the USR segment) is not used, the
    only data elements of the certificate shall be a unique certificate
    reference made of: the certificate reference (0536), the S500 identifying
    the issuer certification authority or the S500 identifying the certificate
    owner, including its public key name. In the case of a non-EDIFACT
    certificate data element 0545 shall also be present.
    3. S500/0538, identifies a public key: either of the owner of this
    certificate, or the public key related to the private key used by the
    certificate issuer (certification authority or CA) to sign this
    certificate.
    4. 0507, the original character set encoding of the certificate when it was
    signed. If no value is specified, the character set encoding corresponds
    to that identified by the character set repertoire standard.
    5. 0543, the original character set repertoire of the certificate when it was
    signed. If no value is specified, the default is defined in the
    interchange header.
    6. S505, when this certificate is transferred, it will use the default
    service characters defined in part 1 of ISO 9735, or those defined in the
    service string advice, if used. This data element may specify the service
    characters used when the certificate was signed. If this data element is
    not used then they are the default service characters.
    7. S501, dates and times involved in the certification process. Four
    occurrences of this composite data element are possible: one for the
    certificate generation date and time, one for the certificate start of
    validity period, one for the certificate end of validity period, one for
    revocation date and time.
  2. 0160Security algorithmConditional->Max 3
    To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.
    1. S503, provides space for one parameter. The number of repetitions of S503
    actually used will depend on the algorithm used. The order of the
    parameters is arbitrary but, in each case, the actual value is preceded by
    a coded algorithm parameter qualifier.
  3. 0170Security resultConditional->Max 1
    To contain the result of the security mechanisms.
    1. S508, two occurrences shall be used in the case of signature algorithms
    requiring two parameters to express the result.
    In the case of an RSA signature, only one occurrence of S508 shall be
    used.
    In the case of a DSA signature two occurrences of S508 shall be used.
0180Message trailerMandatory->Max 1
To end and check the completeness of a message.
1. 0062, the value shall be identical to the value in 0062 in the
corresponding UNH segment.