KEYMAN Security key and certificate management

Syntax Development Group (SDG)

KEYMAN is a message providing for security key and certificate management. A key may be a secret key used with symmetric algorithms, or a public or private key used with asymmetric algorithms.

Header

1. 0010 · UNH · Message header · Max 1 · Mandatory

   To head, identify and specify a message.

2. Segment group 1 Repeat 999

   1. 0030 · USE · Security message relation · Max 1 · Mandatory

      To specify the relation to earlier security messages, such as response to a particular request, or request for a particular answer.

   2. 0040 · USX · Security references · Max 1 · Conditional

      To refer to the secured EDIFACT structure and its associated date and time.

      1. D5(050, 040) If first, then all
      2. D1(070, 090) One and only one
      3. D5(060, 040) If first, then all
      4. D5(080, 070) If first, then all

   3. Segment group 2 Repeat 9

      1. 0060 · USF · Key management function · Max 1 · Mandatory

         To specify the type of key management function and the status of a corresponding key or certificate.

      2. 0070 · USA · Security algorithm · Max 1 · Conditional

         To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.

         1. S503, provides space for one parameter. The number of repetitions of S503
         actually used will depend on the algorithm used. The order of the
         parameters is arbitrary but, in each case, the actual value is preceded by
         a coded algorithm parameter qualifier.

      3. Segment group 3 Repeat 1

         1. 0090 · USC · Certificate · Max 1 · Mandatory

            To convey the public key and the credentials of its owner.

            1. D5(110, 100) If first, then all
            2. 0536, if a full certificate (including the USR segment) is not used, the
            only data elements of the certificate shall be a unique certificate
            reference made of: the certificate reference (0536), the S500 identifying
            the issuer certification authority or the S500 identifying the certificate
            owner, including its public key name. In the case of a non-EDIFACT
            certificate data element 0545 shall also be present.
            3. S500/0538, identifies a public key: either of the owner of this
            certificate, or the public key related to the private key used by the
            certificate issuer (certification authority or CA) to sign this
            certificate.
            4. 0507, the original character set encoding of the certificate when it was
            signed. If no value is specified, the character set encoding corresponds
            to that identified by the character set repertoire standard.
            5. 0543, the original character set repertoire of the certificate when it was
            signed. If no value is specified, the default is defined in the
            interchange header.
            6. S505, when this certificate is transferred, it will use the default
            service characters defined in part 1 of ISO 9735, or those defined in the
            service string advice, if used. This data element may specify the service
            characters used when the certificate was signed. If this data element is
            not used then they are the default service characters.
            7. S501, dates and times involved in the certification process. Four
            occurrences of this composite data element are possible: one for the
            certificate generation date and time, one for the certificate start of
            validity period, one for the certificate end of validity period, one for
            revocation date and time.

         2. 0100 · USA · Security algorithm · Max 3 · Conditional

            To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.

            1. S503, provides space for one parameter. The number of repetitions of S503
            actually used will depend on the algorithm used. The order of the
            parameters is arbitrary but, in each case, the actual value is preceded by
            a coded algorithm parameter qualifier.

         3. 0110 · USR · Security result · Max 1 · Conditional

            To contain the result of the security mechanisms.

            1. S508, two occurrences shall be used in the case of signature algorithms
            requiring two parameters to express the result.
            In the case of an RSA signature, only one occurrence of S508 shall be
            used.
            In the case of a DSA signature two occurrences of S508 shall be used.

3. Segment group 4 Repeat 99

   1. 0130 · USL · Security list status · Max 1 · Mandatory

      To specify the status of security objects, such as keys or certificates to be delivered in a list, and the corresponding list parameters.

   2. Segment group 5 Repeat 9999

      1. 0150 · USC · Certificate · Max 1 · Mandatory

         To convey the public key and the credentials of its owner.

         1. D5(110, 100) If first, then all
         2. 0536, if a full certificate (including the USR segment) is not used, the
         only data elements of the certificate shall be a unique certificate
         reference made of: the certificate reference (0536), the S500 identifying
         the issuer certification authority or the S500 identifying the certificate
         owner, including its public key name. In the case of a non-EDIFACT
         certificate data element 0545 shall also be present.
         3. S500/0538, identifies a public key: either of the owner of this
         certificate, or the public key related to the private key used by the
         certificate issuer (certification authority or CA) to sign this
         certificate.
         4. 0507, the original character set encoding of the certificate when it was
         signed. If no value is specified, the character set encoding corresponds
         to that identified by the character set repertoire standard.
         5. 0543, the original character set repertoire of the certificate when it was
         signed. If no value is specified, the default is defined in the
         interchange header.
         6. S505, when this certificate is transferred, it will use the default
         service characters defined in part 1 of ISO 9735, or those defined in the
         service string advice, if used. This data element may specify the service
         characters used when the certificate was signed. If this data element is
         not used then they are the default service characters.
         7. S501, dates and times involved in the certification process. Four
         occurrences of this composite data element are possible: one for the
         certificate generation date and time, one for the certificate start of
         validity period, one for the certificate end of validity period, one for
         revocation date and time.

      2. 0160 · USA · Security algorithm · Max 3 · Conditional

         To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.

         1. S503, provides space for one parameter. The number of repetitions of S503
         actually used will depend on the algorithm used. The order of the
         parameters is arbitrary but, in each case, the actual value is preceded by
         a coded algorithm parameter qualifier.

      3. 0170 · USR · Security result · Max 1 · Conditional

         To contain the result of the security mechanisms.

         1. S508, two occurrences shall be used in the case of signature algorithms
         requiring two parameters to express the result.
         In the case of an RSA signature, only one occurrence of S508 shall be
         used.
         In the case of a DSA signature two occurrences of S508 shall be used.

4. 0180 · UNT · Message trailer · Max 1 · Mandatory

   To end and check the completeness of a message.