BS ISO IEC 17960 pdf download

BS ISO IEC 17960 pdf download.Information technology — Programming languages, their environments and system software interfaces — Code signing for source code
1 Scope
This International Standard specifies a language-neutral and environment-neutral description to define the methodology needed to support the signing of software source code, to enable it to be uniquely identified, and to enable roll-back to signed previous versions. It is intended to be used by originators of software source code and the recipients of their signed source code. This International Standard is designed for transfers of source code among disparate entities. The following areas are outside the scope of this International Standard: — Determination of the trust level of a certification authority; — Format used to track revisions of source code files; — Digital signing of object or binary code; — System configuration and resource availability; — Metadata — This is partially addressed by ISO/IEC 19770-2; — Transmission and representation issues — Though this could be an issue in implementation, there are techniques such as Portable Document Format (PDF) 1) that can be used to mitigate these issues. This applies in particular to the transmission of digital signatures.
4 Terms and definitions
For the purposes of this document, the following terms and definitions apply. 4.1 certificate entity’s data rendered unforgeable with the private or secret key of a certification authority [SOURCE: ISO/IEC 13888-1:2009] 4.2 certification authority authority trusted by one or more users to create and assign certificates [SOURCE: ISO/IEC 13888-1:2009] 4.3 changeset set of all changes that are applied to a configuration to derive a new configuration 4.4 digital signature data appended to, or a cryptographic transformation of, a data unit that allows the recipient of the data unit to prove the source and integrity of the data unit and protect against forgery, e.g. by the recipient [SOURCE: ISO/IEC 13888-1:2009] 4.5 hash code string of bits that is the output of a hash-function [SOURCE: ISO/IEC 13888-1:2009] 4.6 hash-function function which maps strings of bits to fixed-length strings of bits, satisfying the following two properties: 1) it is computationally infeasible to find for a given output an input which maps to this output; 2) it is computationally infeasible to find for a given input a second input which maps to the same output [SOURCE: ISO/IEC 13888-1:2009] 4.7 originator entity that sends a message to the recipient or makes available a message for which non-repudiation services are to be provided [SOURCE: ISO/IEC 13888-1:2009] 4.8 private key key of an entity’s asymmetric key pair which should only be used by that entity [SOURCE: ISO/IEC 13888-1:2009]4.9 public key key of an entity’s asymmetric key pair which can be made public [SOURCE: ISO/IEC 13888-1:2009] 4.10 public key certificate public key information of an entity signed by the certification authority and thereby rendered unforgeable [SOURCE: ISO/IEC 13888-1:2009] 4.11 recipient entity that gets (receives or fetches) a message for which non-repudiation services are to be provided [SOURCE: ISO/IEC 13888-1:2009] 4.12 snapshot complete copy of a configuration
5 Concepts
This clause provides an overview of the concepts of code signing. Code signing is a technique for providing a digital signature for source code to support a verification of the originator and a verification that the code has not been altered since it was signed. Code signing can provide several valuable functions such as: — knowledge of the history of the source code — confidence that the source code has not been accidentally or maliciously altered — verification of the identity of the responsible party for the source code — accountability for the source code — non-repudiation of the originator of the source code Code signing identifies to customers the responsible party for the source code and confirms that it has not been modified since the signature was applied. Verification of the originator of the source code of the software is extremely important since the security and integrity of the receiving systems can be compromised by faulty or malicious code. In addition to protecting the security and integrity of the software, code signing provides authentication of the author, originator or distributor of the source code, and protects the brand and the intellectual property of the developer of the software by making applications uniquely identifiable and more difficult to falsify or alter maliciously. When source code is associated with an originator’s unique signature, distributing source code on the Internet is no longer an anonymous activity. Digital signatures ensure accountability, just as a manufacturer’s brand name ensures accountability with packaged software. Distributions on the Internet lack this accountability and code signing provides a means to offer the needed accountability. Accountability can be a strong deterrent to the distribution of harmful code.