0. INTRODUCTION
1. SCOPE
   1. Functional definition
   2. Field of application
   3. Principles
2. REFERENCES
3. TERMS AND DEFINITIONS
   1. Standard terms and definitions
4. MESSAGE DEFINITION
   1. Data segment clarification
   2. Data segment index (alphabetical sequence)
   3. Message structure
      1. Segment table

This is a new part, which has been added to ISO 9735. It provides an optional capability of managing security keys and certificates.

This part of ISO 9735International Standard for batch EDIFACT security defines the security key and certificate management message KEYMAN.

KEYMAN is a message providing for security key and certificate management. A key may be a secret key used with symmetric algorithms, or a public or private key used with asymmetric algorithms.

The security key and certificate management message (KEYMAN) may be used for both national and international trade. It is based on universal practice related to administration, commerce and transport, and is not dependent on the type of business or industry.

The message may be used to request or deliver security keys, certificates, or certification paths (this includes requesting other key and certificate management actions, for example renewing, replacing or revoking certificates, and delivering other information, such as certificate status), and it may be used to deliver lists of certificates (for example to indicate which certificates have been revoked). The KEYMAN message may be secured by the use of security header and trailer segment groups. Security header and trailer segment group structures are defined in Part 5 of ISO 9735this international standard.

A security key and certificate management message can be used to:

1. request actions in relation to keys and certificates
2. deliver keys, certificates, and related information

See UNTDID, Part 4, Chapter 2.6 UN/ECE UNSM - General Introduction, Section 1.

See UNTDID, Part 4, Chapter 2.6 UN/ECE UNSM - General Introduction, Section 2.

This section should be read in conjunction with the Branching Diagram and Segment Table which indicate mandatory, conditional and repeating requirements.

0010 UNH, Message header

A service segment starting and uniquely identifying a message. The message type code for the security key and certificate management message is KEYMAN.

Note: messages conforming to this document must contain the following data in segment UNH, composite S009:

0020 Segment Group 1: USE-USX-SG2

A group of segments containing all information necessary to carry key, certificate or certification path management requests, deliveries and notices.

0030 USE, Security message relation

A segment identifying a relationship to an earlier message, such as a KEYMAN request.

0040 USX, Security references

A segment identifying a link to an earlier message, such as a request. The composite data element "security date and time" may contain the original generation date and time of the referenced message.

0050 Segment Group 2: USF-USA-SG3

A group of segments containing a single key, single certificate, or group of certificates forming a certification path.

0060 USF, Key management function

A segment identifying the function of the group it triggers, either a request or a delivery. When used for indicating elements of the certification paths, the certificate sequence number shall indicate the position of the following certificate within the certification path. It may be used on its own for list retrieval, with no certificate present. There may be several different USF segments within the same message, if more than one key or certificate is handled. However, there shall be no mixture of request functions and delivery functions. The USF segment may also specify the filter function used for binary fields of the USA segment immediately following this segment.

0070 USA, Security algorithm

A segment identifying a security algorithm, the technical usage made of it, and containing the technical parameters required (as defined in Part 5 of ISO 9735). This segment shall be used for symmetric key requests, discontinuation or delivery. It may also be used for an asymmetric key pair request.

0080 Segment Group 3: USC-USA-USR

A group of segments containing the data necessary to validate the security methods applied to the message/package, when asymmetric algorithms are used (as defined in Part 5 of ISO 9735). This group shall be used in the request or delivery of keys and certificates.

Either the full certificate segment group (including the USR segment), or the only data elements necessary to identify unambiguously the asymmetric key pair used, shall be present in the USC segment. The presence of a full certificate may be avoided if the certificate has already been exchanged by the two parties, or if it may be retrieved from a database.

Where it is desired to refer to a non-EDIFACT certificate (such as X.509), the certificate syntax and version shall be identified in data element 0545 of the USC segment.. Such certificates may be conveyed in an EDIFACT packagereference in USC (0536) shall contain the reference identification number (0802) from the UNO segment of the package containing the non-EDIFACT certificate, and no other data elements (in order to distinguish it from an EDIFACT certificate reference).

0090 USC, Certificate

A segment containing the credentials of the certificate owner and identifying the certification authority which has generated the certificate (as defined in Part 5 of ISO 9735). This segment shall be used for certificate requests such as renewal, or asymmetric key requests such as discontinuation, and for certificate deliveries.

0100 USA, Security algorithm

A segment identifying a security algorithm, the technical usage made of it, and containing the technical parameters required (as defined in Part 5 of ISO 9735). This segment shall be used for certificate requests such as credentials registration, and for certificate deliveries.

0110 USR, Security result

A segment containing the result of the security functions applied to the certificate by the certification authority (as defined in Part 5 of ISO 9735). This segment shall be used for certificate validation or certificate deliveries.

0120 Segment Group 4: USL-SG5

A group of segments containing lists of certificates or public keys. The group shall be used to group together certificates of similar status - ie which are still valid, or which may be invalid for some reason.

0130 USL, Security list status

A segment identifying valid, revoked, unknown or discontinued items. These items may be certificates (eg valid, revoked) or public keys (eg valid or discontinued). There may be several different USL segments within this message, if the delivery implies more than one list of certificates or public keys. The different lists may be identified by the list parameters.

0140 Segment Group 5: USC-USA-USR

A group of segments containing the data necessary to validate the security methods applied to the message/package, when asymmetric algorithms are used (as defined in Part 5 of ISO 9735). This group shall be used in the delivery of lists of keys or certificates of similar status.

0150 USC, Certificate

A segment containing the credentials of the certificate owner and identifying the certification authority which has generated the certificate (as defined in Part 5 of ISO 9735). This segment shall be used either in the full certificate using in addition the USA and USR segments, or may alternatively indicate the certificate reference number or key name, in which case the message shall be signed using security header and trailer segment groups.

0160 USA, Security algorithm

A segment identifying a security algorithm, the technical usage made of it, and containing the technical parameters required (as defined in Part 5 of ISO 9735). If it is required to indicate the algorithms used with a certificate, this segment shall be used.

0170 USR, Security result

A segment containing the result of the security functions applied to the certificate by the certification authority (as defined in Part 5 of ISO 9735). If it is required to sign a certificate, this segment shall be used.

0180 UNT, Message trailer

A service segment ending a message, giving the total number of segments and the control reference number of the message.