KEYMAN Security key and certificate management

Syntax Development Group (SDG)

KEYMAN is a message providing for security key and certificate management. A key may be a secret key used with symmetric algorithms, or a public or private key used with asymmetric algorithms.

Header

Position
Segment
Name
Max use
  1. To head, identify and specify a message.

  2. Segment group 1
    Repeat 999
    1. To specify the relation to earlier security messages, such as response to a particular request, or request for a particular answer.

    2. To refer to the secured EDIFACT structure and its associated date and time.

      1. D5(050, 040) If first, then all
      2. D1(070, 090) One and only one
      3. D5(060, 040) If first, then all
      4. D5(080, 070) If first, then all
    3. Segment group 2
      Repeat 9
      1. To specify the type of key management function and the status of a corresponding key or certificate.

      2. To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.

        1. S503, provides space for one parameter. The number of repetitions of S503
        actually used will depend on the algorithm used. The order of the
        parameters is arbitrary but, in each case, the actual value is preceded by
        a coded algorithm parameter qualifier.
      3. Segment group 3
        Repeat 1
        1. To convey the public key and the credentials of its owner.

          1. D5(110, 100) If first, then all
          2. 0536, if a full certificate (including the USR segment) is not used, the
          only data elements of the certificate shall be a unique certificate
          reference made of: the certificate reference (0536), the S500 identifying
          the issuer certification authority or the S500 identifying the certificate
          owner, including its public key name. In the case of a non-EDIFACT
          certificate data element 0545 shall also be present.
          3. S500/0538, identifies a public key: either of the owner of this
          certificate, or the public key related to the private key used by the
          certificate issuer (certification authority or CA) to sign this
          certificate.
          4. 0507, the original character set encoding of the certificate when it was
          signed. If no value is specified, the character set encoding corresponds
          to that identified by the character set repertoire standard.
          5. 0543, the original character set repertoire of the certificate when it was
          signed. If no value is specified, the default is defined in the
          interchange header.
          6. S505, when this certificate is transferred, it will use the default
          service characters defined in part 1 of ISO 9735, or those defined in the
          service string advice, if used. This data element may specify the service
          characters used when the certificate was signed. If this data element is
          not used then they are the default service characters.
          7. S501, dates and times involved in the certification process. Four
          occurrences of this composite data element are possible: one for the
          certificate generation date and time, one for the certificate start of
          validity period, one for the certificate end of validity period, one for
          revocation date and time.
        2. To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.

          1. S503, provides space for one parameter. The number of repetitions of S503
          actually used will depend on the algorithm used. The order of the
          parameters is arbitrary but, in each case, the actual value is preceded by
          a coded algorithm parameter qualifier.
        3. To contain the result of the security mechanisms.

          1. S508, two occurrences shall be used in the case of signature algorithms
          requiring two parameters to express the result.
          In the case of an RSA signature, only one occurrence of S508 shall be
          used.
          In the case of a DSA signature two occurrences of S508 shall be used.
  3. Segment group 4
    Repeat 99
    1. To specify the status of security objects, such as keys or certificates to be delivered in a list, and the corresponding list parameters.

    2. Segment group 5
      Repeat 9999
      1. To convey the public key and the credentials of its owner.

        1. D5(110, 100) If first, then all
        2. 0536, if a full certificate (including the USR segment) is not used, the
        only data elements of the certificate shall be a unique certificate
        reference made of: the certificate reference (0536), the S500 identifying
        the issuer certification authority or the S500 identifying the certificate
        owner, including its public key name. In the case of a non-EDIFACT
        certificate data element 0545 shall also be present.
        3. S500/0538, identifies a public key: either of the owner of this
        certificate, or the public key related to the private key used by the
        certificate issuer (certification authority or CA) to sign this
        certificate.
        4. 0507, the original character set encoding of the certificate when it was
        signed. If no value is specified, the character set encoding corresponds
        to that identified by the character set repertoire standard.
        5. 0543, the original character set repertoire of the certificate when it was
        signed. If no value is specified, the default is defined in the
        interchange header.
        6. S505, when this certificate is transferred, it will use the default
        service characters defined in part 1 of ISO 9735, or those defined in the
        service string advice, if used. This data element may specify the service
        characters used when the certificate was signed. If this data element is
        not used then they are the default service characters.
        7. S501, dates and times involved in the certification process. Four
        occurrences of this composite data element are possible: one for the
        certificate generation date and time, one for the certificate start of
        validity period, one for the certificate end of validity period, one for
        revocation date and time.
      2. To identify a security algorithm, the technical usage made of it, and to contain the technical parameters required.

        1. S503, provides space for one parameter. The number of repetitions of S503
        actually used will depend on the algorithm used. The order of the
        parameters is arbitrary but, in each case, the actual value is preceded by
        a coded algorithm parameter qualifier.
      3. To contain the result of the security mechanisms.

        1. S508, two occurrences shall be used in the case of signature algorithms
        requiring two parameters to express the result.
        In the case of an RSA signature, only one occurrence of S508 shall be
        used.
        In the case of a DSA signature two occurrences of S508 shall be used.
  4. To end and check the completeness of a message.

    1. 0062, the value shall be identical to the value in 0062 in the
    corresponding UNH segment.

Stedi is a registered trademark of Stedi, Inc. Stedi's EDI Reference is provided for marketing purposes and is free of charge. All names, logos, and brands of third parties listed on our site are trademarks of their respective owners (including “X12”, which is a trademark of X12 Incorporated). Stedi, Inc. and its products and services are not endorsed by, sponsored by, or affiliated with these third parties. Our use of these names, logos, and brands is for identification purposes only, and does not imply any such endorsement, sponsorship, or affiliation.