Certificate Management defines the certificate profile, the management of root certificates and test certificates, and the distribution of Certificate Revocation Lists (CRLs).
Every certificate used in the context of this specification MUST follow the "Security Norm 05 - Volume two ( 00:001.85-005/2 )".
Every terminal compliant with this specification MUST support the storage of root certificates in non-volatile memory. Further information can be found in "Security Norm 05 - Volume two ( 00:001.85-005/2 )".
The terminal MUST support a mechanism to install root certificates for the purpose of testing the terminal. Test root certificates MUST expire after the testing period, and all Objects signed with a test root certificate MUST NOT be used for purposes other than testing.
is defined in "Security Norm 05 - Volume two ( 00:001.85-005/2 )".
Every CRL used in the context of this specification MUST follow the CRL profile and policies defined in "Security Norm 05 - Volume two ( 00:001.85-005/2 )".
Is defined in "Security Norm 05 - Volume two ( 00:001.85-005/2 )".
CRLs shall be kept in non-volatile memory in the terminal.
During the validation of a certificate chain, the CRL of each certification authority in the certificate path MUST be checked.
Terminals that support a return channel SHOULD support the OCSP protocol defined in [RFC 2560] to determine the current status of a certificate without requiring the storage of CRLs on the terminal.
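The requirement above that the CRL of each certification authority in the path be checked, shown as an added example that is not part of this specification or of Security Norm 05. It uses the Python `cryptography` package; the three-level test hierarchy, its names, serial numbers and dates are all constructed for illustration.

```python
import datetime as dt
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID
T0, T1 = dt.datetime(2024, 1, 1), dt.datetime(2034, 1, 1)  # constructed dates

def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])

def make_cert(cn, serial, key, issuer_cn, issuer_key):
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(key.public_key()).serial_number(serial)
            .not_valid_before(T0).not_valid_after(T1).sign(issuer_key, hashes.SHA256()))

def make_crl(issuer_cn, issuer_key, revoked, next_update=T1):
    b = (x509.CertificateRevocationListBuilder().issuer_name(name(issuer_cn))
         .last_update(T0).next_update(next_update))
    for serial in revoked:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(T0).build())
    return b.sign(issuer_key, hashes.SHA256())

def check_path(path, crls, now):
    """path is [leaf, ..., root]; crls maps issuer DN -> CRL; fails closed."""
    for cert, issuer in zip(path, path[1:]):
        # Signature link only; validity dates and extensions are out of scope here.
        issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                   ec.ECDSA(cert.signature_hash_algorithm))
        dn = cert.issuer.rfc4514_string()
        crl = crls.get(dn)
        if crl is None or not crl.is_signature_valid(issuer.public_key()):
            return f"reject: no authentic CRL from {dn}"
        # Newer library versions expose next_update_utc, older ones next_update.
        nxt = (getattr(crl, "next_update_utc", None) or crl.next_update).replace(tzinfo=None)
        if nxt < now:
            return f"reject: stale CRL from {dn}"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return f"reject: serial {cert.serial_number} revoked by {dn}"
    return "ok"

# Constructed hierarchy: root CA (serial 1) -> intermediate CA (2) -> leaf (3).
rk, ik, lk = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
PATH = [make_cert("Leaf", 3, lk, "Test Intermediate", ik),
        make_cert("Test Intermediate", 2, ik, "Test Root", rk),
        make_cert("Test Root", 1, rk, "Test Root", rk)]
CRLS = {"CN=Test Intermediate": make_crl("Test Intermediate", ik, []),  # leaf is clean
        "CN=Test Root": make_crl("Test Root", rk, [2])}  # root revoked the intermediate
RESULT = check_path(PATH, CRLS, dt.datetime(2025, 1, 1))
```

Checking only the leaf's issuer CRL would accept this path. The revocation is visible only in the root CA's CRL, and a missing, stale or wrongly signed CRL is treated as a rejection.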