Labels (9644338b) · Commits · STAN4CRA / EN 304 624 Public key infrastructure and digital certificate issuance software

EN-304-624.md

+36 −36

Original line number	Diff line number	Diff line
		@@ -402,15 +402,15 @@ Table 4.1 provides a list of system administrations assets for the PKI product.

		\| Asset \| Description \|
		\|---\|---\|
		\| System configuration data \| Includes settings for software updates, event logging, component <br> services, and the secure cryptographic device, if used \|
		\| User account data \| Includes user authentation credentials and access rights \|
		\| Event log data \| Includes system administration and component service event logs\|
		\| System configuration management <br> function \| Used to change to system configuration settings and reset to <br> default values \|
		\| Software update function \| Used to manage installation of a software updates \|
		\| User account management function \| Used to create new accounts, and change authentication credentials <br> and access rights for existing accounts \|
		\| Event log management function \| Used to view event log data \|
		\| Remote administration interface \| E.g., remotely accessible web portal \|
		\| Local administration interface \| E.g., locally accessible command line interface \|
		\| SYS01: System configuration data \| Includes settings for software updates, event logging, component <br> services, and the secure cryptographic device, if used \|
		\| SYS02: User account data \| Includes user authentation credentials and access rights \|
		\| SYS03: Event log data \| Includes system administration and component service event logs\|
		\| SYS11: System configuration management <br> function \| Used to change to system configuration settings and reset to <br> default values \|
		\| SYS12: Software update function \| Used to manage installation of a software updates \|
		\| SYS13: User account management function \| Used to create new accounts, and change authentication credentials <br> and access rights for existing accounts \|
		\| SYS14: Event log management function \| Used to view event log data \|
		\| SYS21: Remote administration interface \| E.g., remotely accessible web portal \|
		\| SYS22: Local administration interface \| E.g., locally accessible command line interface \|

		<strong>Table 4.1.</strong> System administration assets
		</div>
		@@ -424,12 +424,12 @@ Table 4.2 provides a list of assets for a PKI product that supports registration

		\| Asset \| Description \|
		\| --- \| --- \|
		\| Subscriber data \| Includes subscriber personal data \|
		\| Certificate request \| Subject certificate signing request \|
		\| Subscriber management function \| Used to register subscribers and change subscriber details \|
		\| Cerificate request approval function \| Used to approve or reject subject certificate requests \|
		\| Registration user interface \| E.g., remotely accessible web portal \|
		\| Certificate request API \| E.g., remotely accessible logical interface \|
		\| REG01: Subscriber data \| Includes subscriber personal data \|
		\| REG02: Certificate request \| Subject certificate signing request \|
		\| REG11: Subscriber management function \| Used to register subscribers and change subscriber details \|
		\| REG12: Cerificate request approval function \| Used to approve or reject subject certificate requests \|
		\| REG21: Registration user interface \| E.g., remotely accessible web portal \|
		\| REG22: Certificate request API \| E.g., remotely accessible logical interface \|

		<strong>Table 4.2.</strong> Registration assets
		</div>
		@@ -444,12 +444,12 @@ Table 4.3 provides a list of assets for a PKI product that supports certificate

		\| Asset \| Description \|
		\| --- \| --- \|
		\| CA private key data \| CA private signing keys. Can be stored on the secure cryptographic <br> module, if used \|
		\| Subject private key data \| Subject private decryption keys, if key recovery is supported \|
		\| Key management function \| Used to manage CA and subject private keys \|
		\| Certificate generation function \| Used to sign certificates and CRLs \|
		\| Certificate generation user interface \| E.g., remotely accessible web portal or locally accessible command <br> line interface \|
		\|Secure cryprographic device API \| Logical interface for the secure cryptographic device \|
		\| GEN01: CA private key data \| CA private signing keys. Can be stored on the secure cryptographic <br> module, if used \|
		\| GEN02: Subject private key data \| Subject private decryption keys, if key recovery is supported \|
		\| GEN11: Key management function \| Used to manage CA and subject private keys \|
		\| GEN12: Certificate generation function \| Used to sign certificates and CRLs \|
		\| GEN21: Certificate generation user interface \| E.g., remotely accessible web portal or locally accessible command <br> line interface \|
		\| GEN22: Secure cryprographic device API \| Logical interface for the secure cryptographic device \|

		<strong>Table 4.3.</strong> Certificate generation assets
		</div>
		@@ -466,12 +466,12 @@ Table 4.4 provides a list of assets for a PKI product that supports disseminatio

		\| Asset \| Description \|
		\| --- \| --- \|
		\| Certificate store data \| Issued subject certificates and related information \|
		\| Certificate store management function \| Used to manage certificates in the certificate store \|
		\| Certificate store look-up function \| Used to handle requests for certificates from relying parties \|
		\| Dissemination user interface \| E.g., remotely accessible web portal \|
		\| Subscriber dissemination interface \| E.g., email client interface \|
		\| Relying party dissemination interface \| E.g., remotely accessible logical interface \|
		\| DIS01: Certificate store data \| Issued subject certificates and related information \|
		\| DIS11: Certificate store management function \| Used to manage certificates in the certificate store \|
		\| DIS12: Certificate store look-up function \| Used to handle requests for certificates from relying parties \|
		\| DIS21: Dissemination user interface \| E.g., remotely accessible web portal \|
		\| DIS22: Subscriber dissemination interface \| E.g., email client interface \|
		\| DIS23: Relying party dissemination interface \| E.g., remotely accessible logical interface \|

		<strong>Table 4.4.</strong> Dissemination assets
		</div>
		@@ -486,9 +486,9 @@ Table 4.5 provides a list of assets for a PKI product that supports revocation m

		\| Asset \| Description \|
		\| --- \| --- \|
		\| Revocation request \| Request to revoke an issued subject certificate \|
		\| Revocation management function \| Used to approve or reject revocation requests \|
		\| Revocation management user interface \| E.g., remotely accessible web portal \|
		\| REV01: Revocation request \| Request to revoke an issued subject certificate \|
		\| REV11: Revocation management function \| Used to approve or reject revocation requests \|
		\| REV21: Revocation management user interface \| E.g., remotely accessible web portal \|

		<strong>Table 4.5.</strong> Revocation management assets
		</div>
		@@ -503,10 +503,10 @@ Table 4.5 provides a list of assets for a PKI product that supports certificate

		\| Asset \| Description \|
		\| --- \| --- \|
		\| Certificate status data \| Revocation status of issued certificates \|
		\| Certificate status management function \| Used to update certificate statuses and issue CRLs \|
		\| Certificate status user interface \| E.g., remotely accessible web portal \|
		\| Relying party certificate status interface \| E.g., remotely accessible logical interface \|
		\| STA01: Certificate status data \| Revocation status of issued certificates \|
		\| STA11: Certificate status management function \| Used to update certificate statuses and issue CRLs \|
		\| STA21: Certificate status user interface \| E.g., remotely accessible web portal \|
		\| STA22: Relying party certificate status interface \| E.g., remotely accessible logical interface \|

		<strong>Table 4.5.</strong> Certificate status assets
		</div>
		@@ -518,8 +518,8 @@ Table 4.5 provides a list of assets for a PKI product that supports certificate

		\| Threat \| Asset \| Property \|
		\| --- \| --- \| --- \|
		\| An attacker modifies a parameter in unprotected system configuration <br> data \| System configuration <br> data \| Integrity \|
		\| An attacker modifies a parameter via unprotected system configuration <br> management function \| System configuration <br> management function \| Authorisation, <br> Authentication \|
		\| An attacker modifies a parameter in unprotected system configuration <br> data \| SYS01 System configuration <br> data \| Integrity \|
		\| An attacker modifies a parameter via an unprotected system configuration <br> management function \| System configuration <br> management function \| Authorisation, <br> Authentication \|
		\| An attacker \| \|

		</div>

Original line number	Diff line number	Diff line
		@@ -402,15 +402,15 @@ Table 4.1 provides a list of system administrations assets for the PKI product.

		\| Asset \| Description \|
		\|---\|---\|
		\| System configuration data \| Includes settings for software updates, event logging, component <br> services, and the secure cryptographic device, if used \|
		\| User account data \| Includes user authentation credentials and access rights \|
		\| Event log data \| Includes system administration and component service event logs\|
		\| System configuration management <br> function \| Used to change to system configuration settings and reset to <br> default values \|
		\| Software update function \| Used to manage installation of a software updates \|
		\| User account management function \| Used to create new accounts, and change authentication credentials <br> and access rights for existing accounts \|
		\| Event log management function \| Used to view event log data \|
		\| Remote administration interface \| E.g., remotely accessible web portal \|
		\| Local administration interface \| E.g., locally accessible command line interface \|
		\| SYS01: System configuration data \| Includes settings for software updates, event logging, component <br> services, and the secure cryptographic device, if used \|
		\| SYS02: User account data \| Includes user authentation credentials and access rights \|
		\| SYS03: Event log data \| Includes system administration and component service event logs\|
		\| SYS11: System configuration management <br> function \| Used to change to system configuration settings and reset to <br> default values \|
		\| SYS12: Software update function \| Used to manage installation of a software updates \|
		\| SYS13: User account management function \| Used to create new accounts, and change authentication credentials <br> and access rights for existing accounts \|
		\| SYS14: Event log management function \| Used to view event log data \|
		\| SYS21: Remote administration interface \| E.g., remotely accessible web portal \|
		\| SYS22: Local administration interface \| E.g., locally accessible command line interface \|

		<strong>Table 4.1.</strong> System administration assets
		</div>
		@@ -424,12 +424,12 @@ Table 4.2 provides a list of assets for a PKI product that supports registration

		\| Asset \| Description \|
		\| --- \| --- \|
		\| Subscriber data \| Includes subscriber personal data \|
		\| Certificate request \| Subject certificate signing request \|
		\| Subscriber management function \| Used to register subscribers and change subscriber details \|
		\| Cerificate request approval function \| Used to approve or reject subject certificate requests \|
		\| Registration user interface \| E.g., remotely accessible web portal \|
		\| Certificate request API \| E.g., remotely accessible logical interface \|
		\| REG01: Subscriber data \| Includes subscriber personal data \|
		\| REG02: Certificate request \| Subject certificate signing request \|
		\| REG11: Subscriber management function \| Used to register subscribers and change subscriber details \|
		\| REG12: Cerificate request approval function \| Used to approve or reject subject certificate requests \|
		\| REG21: Registration user interface \| E.g., remotely accessible web portal \|
		\| REG22: Certificate request API \| E.g., remotely accessible logical interface \|

		<strong>Table 4.2.</strong> Registration assets
		</div>
		@@ -444,12 +444,12 @@ Table 4.3 provides a list of assets for a PKI product that supports certificate

		\| Asset \| Description \|
		\| --- \| --- \|
		\| CA private key data \| CA private signing keys. Can be stored on the secure cryptographic <br> module, if used \|
		\| Subject private key data \| Subject private decryption keys, if key recovery is supported \|
		\| Key management function \| Used to manage CA and subject private keys \|
		\| Certificate generation function \| Used to sign certificates and CRLs \|
		\| Certificate generation user interface \| E.g., remotely accessible web portal or locally accessible command <br> line interface \|
		\|Secure cryprographic device API \| Logical interface for the secure cryptographic device \|
		\| GEN01: CA private key data \| CA private signing keys. Can be stored on the secure cryptographic <br> module, if used \|
		\| GEN02: Subject private key data \| Subject private decryption keys, if key recovery is supported \|
		\| GEN11: Key management function \| Used to manage CA and subject private keys \|
		\| GEN12: Certificate generation function \| Used to sign certificates and CRLs \|
		\| GEN21: Certificate generation user interface \| E.g., remotely accessible web portal or locally accessible command <br> line interface \|
		\| GEN22: Secure cryprographic device API \| Logical interface for the secure cryptographic device \|

		<strong>Table 4.3.</strong> Certificate generation assets
		</div>
		@@ -466,12 +466,12 @@ Table 4.4 provides a list of assets for a PKI product that supports disseminatio

		\| Asset \| Description \|
		\| --- \| --- \|
		\| Certificate store data \| Issued subject certificates and related information \|
		\| Certificate store management function \| Used to manage certificates in the certificate store \|
		\| Certificate store look-up function \| Used to handle requests for certificates from relying parties \|
		\| Dissemination user interface \| E.g., remotely accessible web portal \|
		\| Subscriber dissemination interface \| E.g., email client interface \|
		\| Relying party dissemination interface \| E.g., remotely accessible logical interface \|
		\| DIS01: Certificate store data \| Issued subject certificates and related information \|
		\| DIS11: Certificate store management function \| Used to manage certificates in the certificate store \|
		\| DIS12: Certificate store look-up function \| Used to handle requests for certificates from relying parties \|
		\| DIS21: Dissemination user interface \| E.g., remotely accessible web portal \|
		\| DIS22: Subscriber dissemination interface \| E.g., email client interface \|
		\| DIS23: Relying party dissemination interface \| E.g., remotely accessible logical interface \|

		<strong>Table 4.4.</strong> Dissemination assets
		</div>
		@@ -486,9 +486,9 @@ Table 4.5 provides a list of assets for a PKI product that supports revocation m

		\| Asset \| Description \|
		\| --- \| --- \|
		\| Revocation request \| Request to revoke an issued subject certificate \|
		\| Revocation management function \| Used to approve or reject revocation requests \|
		\| Revocation management user interface \| E.g., remotely accessible web portal \|
		\| REV01: Revocation request \| Request to revoke an issued subject certificate \|
		\| REV11: Revocation management function \| Used to approve or reject revocation requests \|
		\| REV21: Revocation management user interface \| E.g., remotely accessible web portal \|

		<strong>Table 4.5.</strong> Revocation management assets
		</div>
		@@ -503,10 +503,10 @@ Table 4.5 provides a list of assets for a PKI product that supports certificate

		\| Asset \| Description \|
		\| --- \| --- \|
		\| Certificate status data \| Revocation status of issued certificates \|
		\| Certificate status management function \| Used to update certificate statuses and issue CRLs \|
		\| Certificate status user interface \| E.g., remotely accessible web portal \|
		\| Relying party certificate status interface \| E.g., remotely accessible logical interface \|
		\| STA01: Certificate status data \| Revocation status of issued certificates \|
		\| STA11: Certificate status management function \| Used to update certificate statuses and issue CRLs \|
		\| STA21: Certificate status user interface \| E.g., remotely accessible web portal \|
		\| STA22: Relying party certificate status interface \| E.g., remotely accessible logical interface \|

		<strong>Table 4.5.</strong> Certificate status assets
		</div>
		@@ -518,8 +518,8 @@ Table 4.5 provides a list of assets for a PKI product that supports certificate

		\| Threat \| Asset \| Property \|
		\| --- \| --- \| --- \|
		\| An attacker modifies a parameter in unprotected system configuration <br> data \| System configuration <br> data \| Integrity \|
		\| An attacker modifies a parameter via unprotected system configuration <br> management function \| System configuration <br> management function \| Authorisation, <br> Authentication \|
		\| An attacker modifies a parameter in unprotected system configuration <br> data \| SYS01 System configuration <br> data \| Integrity \|
		\| An attacker modifies a parameter via an unprotected system configuration <br> management function \| System configuration <br> management function \| Authorisation, <br> Authentication \|
		\| An attacker \| \|

		</div>