ISO 17090-3:2021

INTERNATIONAL ISO
STANDARD 17090-3
Second edition
2021-03
Health informatics — Public key
infrastructure —
Part 3:
Policy management of certification
authority
Informatique de santé — Infrastructure de clé publique —
Partie 3: Gestion politique d'autorité de certification
Reference number
©
ISO 2021
© ISO 2021
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting
on the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address
below or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii © ISO 2021 – All rights reserved

Contents Page
Foreword .v
Introduction .vi
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviations. 1
5 Requirements for digital certificate policy management in a healthcare context.2
5.1 General . 2
5.2 Need for a high level of assurance . 2
5.3 Need for a high level of infrastructure availability . 2
5.4 Need for a high level of trust . 2
5.5 Need for Internet compatibility. 3
5.6 Need to facilitate evaluation and comparison of CPs . 3
6 Structure of healthcare CPs and healthcare CPSs . 3
6.1 General requirements for CPs . 3
6.2 General requirements for CPSs . 4
6.3 Relationship between a CP and a CPS . 4
6.4 Applicability . 4
7 Minimum requirements for a healthcare CP . 5
7.1 General requirements . 5
7.2 Publication and repository responsibilities. 5
7.2.1 Repositories . 5
7.2.2 Publication of certification information . 5
7.2.3 Frequency of publication . 5
7.2.4 Access controls on repositories . 5
7.3 Identification and authentication . 6
7.3.1 Initial registration . 6
7.3.2 Initial identity validation . 7
7.3.3 Identification and authentication for re-keying requests . 8
7.3.4 Identification and authentication for revocation request . 8
7.4 Certificate life-cycle operational requirements . 9
7.4.1 Certificate application . 9
7.4.2 Certificate application processing .10
7.4.3 Certificate issuance .10
7.4.4 Certificate acceptance .11
7.4.5 Key pair and certificate usage .11
7.4.6 Certificate renewal .12
7.4.7 Certificate re-key .13
7.4.8 Certificate modification .13
7.4.9 Certificate revocation and suspension .14
7.4.10 Certificate status services .17
7.4.11 End of subscription . .18
7.4.12 Private key escrow .18
7.5 Physical controls .18
7.5.1 General.18
7.5.2 Physical controls .18
7.5.3 Procedural controls .18
7.5.4 Personnel controls .18
7.5.5 Security audit logging procedures .18
7.5.6 Record archive .18
7.5.7 Key changeover .19
7.5.8 Compromise and disaster recovery .19
7.5.9 CA termination .19
7.6 Technical security controls .19
7.6.1 Key pair generation and installation .19
7.6.2 Private key protection .20
7.6.3 Other aspects of key management .22
7.6.4 Activation data .23
7.6.5 Computer security controls .23
7.6.6 Life-cycle technical controls .23
7.6.7 Network security controls .23
7.6.8 Time stamping .24
7.7 Certificate, CRL and OCSP profiles .24
7.8 Compliance audit .24
7.8.1 General.24
7.8.2 Frequency of CA compliance audit .24
7.8.3 Identity/qualifications of auditor .24
7.8.4 Auditor's relationship to audited party.24
7.8.5 Topics covered by audit .24
7.8.6 Actions taken as a result of deficiency .25
7.8.7 Communication of audit results .26
7.9 Other business and legal matters .26
7.9.1 Fees .26
7.9.2 Financial responsibility .26
7.9.3 Confidentiality of business information .26
7.9.4 Privacy of personal information .26
7.9.5 Intellectual property rights .27
7.9.6 Representations and warranties .
...