KEYMAN Security key and certificate management
Syntax Development Group (SDG)
KEYMAN is a message providing for security key and certificate management. A key may be a secret key used with symmetric algorithms, or a public or private key used with asymmetric algorithms.
Header
- 0010 Message header (Mandatory, Max 1)
To head, identify and specify a message.
- Segment group 1 (Repeat 999)
- 0030 Security message relation (Mandatory, Max 1)
To specify the relation to earlier security messages, such as a response to a particular request, or a request for a particular answer.
- 0040 Security references (Conditional, Max 1)
To refer to the secured EDIFACT structure and its associated date and time.
1. D5(050, 040) If first, then all
2. D1(070, 090) One and only one
3. D5(060, 040) If first, then all
4. D5(080, 070) If first, then all
- Segment group 2 (Repeat 9)
- 0060 Key management function (Mandatory, Max 1)
To specify the type of key management function and the status of a corresponding key or certificate.
- 0070 Security algorithm (Conditional, Max 1)
To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.
1. S503 provides space for one parameter. The number of repetitions of S503 actually used will depend on the algorithm used. The order of the parameters is arbitrary but, in each case, the actual value is preceded by a coded algorithm parameter qualifier.
- Segment group 3 (Repeat 1)
- 0090 Certificate (Mandatory, Max 1)
To convey the public key and the credentials of its owner.
1. D5(110, 100) If first, then all
2. 0536, if a full certificate (including the USR segment) is not used, the only data elements of the certificate shall be a unique certificate reference made of: the certificate reference (0536), the S500 identifying the issuer certification authority or the S500 identifying the certificate owner, including its public key name. In the case of a non-EDIFACT certificate, data element 0545 shall also be present.
3. S500/0538 identifies a public key: either that of the owner of this certificate, or the public key related to the private key used by the certificate issuer (certification authority or CA) to sign this certificate.
4. 0507, the original character set encoding of the certificate when it was signed. If no value is specified, the character set encoding corresponds to that identified by the character set repertoire standard.
5. 0543, the original character set repertoire of the certificate when it was signed. If no value is specified, the default is defined in the interchange header.
6. S505: when this certificate is transferred, it will use the default service characters defined in part 1 of ISO 9735, or those defined in the service string advice, if used. This data element may specify the service characters used when the certificate was signed. If this data element is not used, then they are the default service characters.
7. S501, dates and times involved in the certification process. Four occurrences of this composite data element are possible: one for the certificate generation date and time, one for the certificate start of validity period, one for the certificate end of validity period, one for the revocation date and time.
- 0100 Security algorithm (Conditional, Max 3)
To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.
1. S503 provides space for one parameter. The number of repetitions of S503 actually used will depend on the algorithm used. The order of the parameters is arbitrary but, in each case, the actual value is preceded by a coded algorithm parameter qualifier.
- 0110 Security result (Conditional, Max 1)
To contain the result of the security mechanisms.
1. S508: two occurrences shall be used in the case of signature algorithms requiring two parameters to express the result. In the case of an RSA signature, only one occurrence of S508 shall be used. In the case of a DSA signature, two occurrences of S508 shall be used.
- Segment group 4 (Repeat 99)
- 0130 Security list status (Mandatory, Max 1)
To specify the status of security objects, such as keys or certificates, to be delivered in a list, and the corresponding list parameters.
- Segment group 5 (Repeat 9999)
- 0150 Certificate (Mandatory, Max 1)
To convey the public key and the credentials of its owner.
1. D5(110, 100) If first, then all
2. 0536, if a full certificate (including the USR segment) is not used, the only data elements of the certificate shall be a unique certificate reference made of: the certificate reference (0536), the S500 identifying the issuer certification authority or the S500 identifying the certificate owner, including its public key name. In the case of a non-EDIFACT certificate, data element 0545 shall also be present.
3. S500/0538 identifies a public key: either that of the owner of this certificate, or the public key related to the private key used by the certificate issuer (certification authority or CA) to sign this certificate.
4. 0507, the original character set encoding of the certificate when it was signed. If no value is specified, the character set encoding corresponds to that identified by the character set repertoire standard.
5. 0543, the original character set repertoire of the certificate when it was signed. If no value is specified, the default is defined in the interchange header.
6. S505: when this certificate is transferred, it will use the default service characters defined in part 1 of ISO 9735, or those defined in the service string advice, if used. This data element may specify the service characters used when the certificate was signed. If this data element is not used, then they are the default service characters.
7. S501, dates and times involved in the certification process. Four occurrences of this composite data element are possible: one for the certificate generation date and time, one for the certificate start of validity period, one for the certificate end of validity period, one for the revocation date and time.
- 0160 Security algorithm (Conditional, Max 3)
To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.
1. S503 provides space for one parameter. The number of repetitions of S503 actually used will depend on the algorithm used. The order of the parameters is arbitrary but, in each case, the actual value is preceded by a coded algorithm parameter qualifier.
- 0170 Security result (Conditional, Max 1)
To contain the result of the security mechanisms.
1. S508: two occurrences shall be used in the case of signature algorithms requiring two parameters to express the result. In the case of an RSA signature, only one occurrence of S508 shall be used. In the case of a DSA signature, two occurrences of S508 shall be used.
- 0180 Message trailer (Mandatory, Max 1)
To end and check the completeness of a message.
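The dependency notes under segment group 1 (D5 "if first, then all", D1 "one and only one"), the note D5(110, 100) under the Certificate segment, and the S508 occurrence rule under Security result are all mechanically checkable. The following checker is an added example written for this page; it is not code from the KEYMAN specification or from any EDIFACT implementation. It assumes that positions 050 and 080 are segment groups 2 and 3 (the page lists the groups without position numbers), that a message instance can be represented as the set of segment positions present in it, and that the signature algorithm is passed as a plain string; the sample instances are constructed, not taken from a real interchange.

```python
"""Checker for the structural rules this page states for KEYMAN.

Added example, not code from the KEYMAN specification. It models:
  * dependency notes in the page's notation, D5(a, b, ...) "if first,
    then all" and D1(a, b, ...) "one and only one", evaluated over the
    set of segment positions present in one message instance;
  * the S508 rule of the Security result segment: an RSA signature
    carries exactly one S508 occurrence, a DSA signature exactly two.

Assumptions not stated on the page: positions 050 and 080 are taken to
be segment groups 2 and 3, and an instance is just a set of positions.
"""

# Dependency notes exactly as listed on the page: (note type, positions).
SG1_DEPENDENCY_NOTES = [
    ("D5", ("050", "040")),
    ("D1", ("070", "090")),
    ("D5", ("060", "040")),
    ("D5", ("080", "070")),
]
CERTIFICATE_DEPENDENCY_NOTES = [
    ("D5", ("110", "100")),
]

# S508 occurrences required per signature algorithm, from the page.
S508_OCCURRENCES = {"RSA": 1, "DSA": 2}


def check_dependency_notes(present, notes):
    """Return the violated notes, as strings, for a set of present positions.

    present: set of three-digit position strings such as {"030", "040"}.
    notes:   list of (kind, positions) tuples in the page's notation.
    """
    violations = []
    for kind, positions in notes:
        first, others = positions[0], positions[1:]
        if kind == "D5":
            # "If first, then all": the first position being present makes
            # every other listed position mandatory.
            if first in present:
                missing = [p for p in others if p not in present]
                if missing:
                    violations.append(
                        f"D5{positions}: {first} present but {', '.join(missing)} missing"
                    )
        elif kind == "D1":
            # "One and only one": exactly one listed position may be present.
            count = sum(1 for p in positions if p in present)
            if count != 1:
                violations.append(
                    f"D1{positions}: {count} of the positions present, exactly one required"
                )
        else:
            raise ValueError(f"dependency note type {kind!r} not modelled here")
    return violations


def check_security_result(algorithm, s508_count):
    """Return None when the S508 count fits the algorithm, else a message."""
    expected = S508_OCCURRENCES.get(algorithm.upper())
    if expected is None:
        return f"no S508 occurrence rule known here for {algorithm!r}"
    if s508_count != expected:
        return f"{algorithm}: {s508_count} S508 occurrence(s), {expected} required"
    return None


def validate(present, algorithm=None, s508_count=0):
    """Apply every rule above to one message instance; return all violations."""
    violations = check_dependency_notes(present, SG1_DEPENDENCY_NOTES)
    if "090" in present:
        # Inside segment group 3: Security result (110) needs Security algorithm (100).
        violations += check_dependency_notes(present, CERTIFICATE_DEPENDENCY_NOTES)
    if "110" in present:
        problem = check_security_result(algorithm or "", s508_count)
        if problem:
            violations.append(problem)
    return violations


# Constructed instances (not taken from any real interchange).
# A key delivered through the Security algorithm segment at 070, with the
# Security references segment (040) present as the D5 notes require.
SYMMETRIC_KEY_INSTANCE = {"030", "040", "050", "060", "070"}
# The same instance without Security references (040): three notes fail
# (both D5 notes that require 040, and D1 because neither 070 nor 090 is present).
MISSING_REFERENCES_INSTANCE = {"030", "050", "060"}

if __name__ == "__main__":
    for name, inst in [("symmetric key", SYMMETRIC_KEY_INSTANCE),
                       ("missing references", MISSING_REFERENCES_INSTANCE)]:
        print(name, "->", validate(inst) or "no violations")
    print(check_security_result("DSA", 1))
```

The checker only knows the two note types that appear on this page and refuses others rather than silently passing them, so a note it does not model cannot be mistaken for a satisfied one. The S508 check is likewise closed: an algorithm without a stated occurrence rule is reported rather than accepted.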