Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
CAN/CSA-ISO/IEC 11586-5:00 — The SESE Protocol Implementation Conformance Statement (PICS) Proforma Guide
Ensuring Interoperability in OSI Upper Layers Security Through Standardized Conformance Declarations
Scope and Context of CAN/CSA-ISO/IEC 11586-5:00
CAN/CSA-ISO/IEC 11586-5:00 is the Canadian adoption of the international standard ISO/IEC 11586-5:1996, titled Information technology — Open Systems Interconnection — Generic upper layers security: Security Exchange Service Element (SESE) protocol implementation conformance statement proforma. This standard is a critical component of the Generic Upper Layers Security (GULS) series, providing the formal mechanism for declaring the conformance of an implementation to the SESE protocol specified in ISO/IEC 11586-3.
The SESE protocol enables the secure exchange of data in OSI upper-layer communications, supporting essential security services such as authentication, access control, confidentiality, and integrity. The Protocol Implementation Conformance Statement (PICS) proforma serves as a standardized checklist. It allows implementers, system integrators, and testing laboratories to unequivocally define the exact capabilities, roles, and options supported by a given product or system. Mandating this proforma ensures that diverse implementations can be objectively evaluated for interoperability and formal compliance.
The scope of Part 5 strictly covers the PICS proforma structure, notation, and tabular requirements. It does not define the protocol itself but is a mandatory companion document for any entity claiming conformance to ISO/IEC 11586-3. This standard remains relevant in legacy OSI environments and secure government identity management systems where the GULS protocols are deployed.
Key Technical Elements of the SESE PICS Proforma
The PICS proforma is divided into logical sections, each covering a distinct aspect of the SESE protocol implementation. The proforma is designed to be a self-contained document, guiding the implementer through a systematic declaration of support.
| PICS Section | Core Content | Conformance Status |
|---|---|---|
| Implementation Identification | Supplier name, product identifier, version number, contact information | Mandatory (M) |
| Global Statement of Conformance | Explicit declaration of conformance to ISO/IEC 11586-3 base standard requirements | Mandatory (M) |
| Protocol Version / Roles | Supported version numbers (e.g., Version 1), Initiator and/or Responder roles | Mandatory (M) |
| SESE Protocol Data Units (PDUs) | Support for SESE-INITIALIZE, SESE-TRANSFER, SESE-EXCEPTION, etc. | Conditional (C) |
| Security Context Tokens | Support for algorithm identifiers, token types, and security attributes | Optional / Conditional (O/C) |
| Error Handling | Support for exception reporting and abort mechanisms | Conditional (C) |
The proforma uses a specific notation for statuses: M (Mandatory), O (Optional), C (Conditional), and X (Excluded or Not Applicable). Conditional items are often tied to the declared protocol roles. For instance, the SESE-INITIALIZE PDU is mandatory for an Initiator but may be excluded for a pure Responder.
Implementation Tip: When populating the PICS proforma, pay very close attention to conditional status items. A common error is incorrectly supporting a mandatory feature for a specific role. Use the protocol state machine diagrams in ISO/IEC 11586-3 to validate your PICS entries against the expected behavior of your declared role(s).
Protocol Versions, Roles, and PDU Declaration
A deep technical understanding of the SESE protocol directly influences the accuracy of the PICS proforma. The proforma distinguishes between the two primary protocol roles: Initiator and Responder. An implementation may support one or both roles, and the mandatory features differ accordingly.
The PDU declaration table is the core of the proforma. The key PDUs include:
- SESE-INITIALIZE / SESE-INITIALIZE-ACK: Used to establish a security exchange context.
- SESE-TRANSFER / SESE-TRANSFER-ACK: Used to securely transfer data within an established context.
- SESE-EXCEPTION / SESE-ABORT: Used for error handling and unexpected termination of the exchange.
Documentation Warning: The PICS proforma is a legal declaration of capabilities. If a product declares support for a PDU (e.g., SESE-TRANSFER) in the proforma, it must implement that PDU in strict accordance with the protocol specification. Over-declaration can be used strategically, but must be factually supported by the implementation to avoid false conformance claims.
Compliance Requirements and Certification Pathways
Compliance with CAN/CSA-ISO/IEC 11586-5:00 is demonstrated through the completion and submission of the PICS proforma, followed by conformance testing against the declared capabilities.
The compliance criteria are as follows:
- Mandatory Items: All items marked as Mandatory (M) must be supported. A single unsupported mandatory item invalidates a conformance claim.
- Conditional Items: The conditions for each item must be evaluated against the implementation. If the condition is met, the item must be supported as indicated.
- Optional Items: These may be supported or omitted. The implementation is tested only against the options it declares.
- Static Conformance Review: The PICS proforma forms the basis for static conformance testing. A test laboratory will verify the proforma against the protocol specification.
Testing Efficiency: Providing a complete and accurate PICS proforma is the single most effective way to streamline conformance testing. Test labs rely on the PICS to generate a tailored test suite. A well-structured PICS can significantly reduce the time and cost of formal OSI security certification.
Critical Non-Conformance: It is a fundamental non-conformance to claim adherence to ISO/IEC 11586-3 without a properly completed PICS proforma as defined in Part 5. The PICS is not an optional document; it is a mandatory deliverable for formal compliance. Incomplete or inaccurate PICS submissions are grounds for immediate disqualification in most certification programs.
For organizations operating in Canada, CAN/CSA-ISO/IEC 11586-5:00 aligns exactly with the ISO text. It is managed by the CSA Group and represents the normative reference for OSI upper layers security