Technical Standards for Digital Identity (Draft for...

Snapshot of Technical Standards for Digital Identity SystemsTechnical Standards

for Digital IdentityDRAFT FOR DISCUSSION

© 2017 International Bank for Reconstruction and Development/The World Bank 1818 H Street NW Washington DC 20433 Telephone: 202-473-1000 Internet: www.worldbank.org

This work is a product of the staff of The World Bank with external contributions. The findings, interpretations, and conclusions expressed in this work do not necessarily reflect the views of The World Bank, its Board of Executive Directors, or the governments they represent.

The World Bank does not guarantee the accuracy of the data included in this work. The boundaries, colors, denominations, and other information shown on any map in this work do not imply any judgment on the part of The World Bank concerning the legal status of any territory or the endorsement or acceptance of such boundaries.

Rights and Permissions

The material in this work is subject to copyright. Because The World Bank encourages dissemination of its knowl-edge, this work may be reproduced, in whole or in part, for noncommercial purposes as long as full attribution to this work is given.

Any queries on rights and licenses, including subsidiary rights, should be addressed to World Bank Publications, The World Bank Group, 1818 H Street NW, Washington, DC 20433, USA; fax: 202-522-2625; e-mail: [email protected].

Cover photo: © Digital Storm.

iiiDraft for Discussion

TABLE OF CONTENTSABBREVIATIONS v

ACKNOWLEDGMENTS vii

1. INTRODUCTION 1

2. OBJECTIVE 2

3. SCOPE 2

4. THE IDENTITY LIFECYCLE 3

4.1 RegistRation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

4 1 1 Enrollment 3

4 1 2 Validation 4

4.2 issuance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

4.3 authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

4.4 LifecycLe ManageMent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

4.5 fedeRation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

5. DIGITAL ID RELATED TECHNICAL STANDARDS 6

5.1 Why aRe standaRds iMpoRtant? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

5.2 standaRds-setting Bodies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

ISO Technical Committees and Working Groups 7

5.3 technicaL standaRds . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Technical Standards for Interoperability 9

Technical Standards for Robust Identity Systems 18

5.4 fRaMeWoRks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .19

5 4 1 Levels of Assurance 19

6. COUNTRY USE CASES 22

6.1 aadhaaR identity systeM of india—BioMetRic Based . . . . . . . . . . . . . . . . . . . . . . . . . . 22

6.2 sMaRt eid in pakistan—BioMetRics and sMaRt caRd . . . . . . . . . . . . . . . . . . . . . . . . . . 23

6.3 eid With digitaL ceRtificate in peRu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

6.4 id-kaaRt in estonia—sMaRt caRd and MoBiLe id . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

7. CONSIDERATIONS WHILE ADOPTING STANDARDS FOR IDENTITY SYSTEMS 25

a Protecting Biometrics from Security Breaches 25

b Single or Multimodal Systems 25

iv Draft for Discussion

c Lack of Biometric Device Standards 25

d Modernizing Legacy Identification Systems 26

e Cost Effectiveness 26

f Interoperability and Interconnectivity 26

g Foundational Legal Identification Systems 27

h Privacy and Security 27

i New Standards Compliance 27

j Role of Development Partners 28

8. THE WAY FORWARD 28

BIBLIOGRAPHY 29

APPENDIX A ISO/IEC JTC SUBCOMMITTEE, WORKING GROUPS AND THEIR MANDATE 30

APPENDIX B STANDARDS DESCRIPTION 32

ENDNOTES 38

LIST OF FIGURESFIGURE 1 ISO/IEC JOINT TECHNICAL COMMITTEE 1: SUBCOMMITTEES AND WORKING GROUPS FOR ID MANAGEMENT 8

WG 5 IDENTITY MANAGEMENT & PRIVACY TECHNOLOGIES PRIVACY/PII STANDARDS IN SC 27/WG 5 AND ELSEWHERE 19

FIGURE 2 ISO AND EIDAS AUTHENTICATION LEVELS 21

vDraft for Discussion

ABBREVIATIONSAFNOR Association Française de Normalisation (Organisation of the French Standardisation System)

ANSI American National Standard Institute

ASN.1 Abstract syntax notation one

BAPI Biometric Application Programming Interface

CAP Chip Authentication Program

CBEFF Common Biometric Exchange Formats Framework

CEN European Committee for Standards

CITeR Center for Identification Technology Research

DHS Department of Homeland Security

DIN German Institute of Standardization

eID Electronic Identification Card

EMV Europay, MasterCard and Visa—Payment Smart Card Standard

EMVCo EMV Company

FIDO Fast IDentity Online

GSM Global System for Mobile Communication

GSMA The GSM Association

IBIA International Biometrics and Identification Association

ICAO International Civil Aviation Organization

ICT Information and Communication Technologies

ID Identification

ID4D Identification for Development

IEC The International Electrotechnical Commission

ILO International Labor Organization

INCITS International Committee for Information Technology Standards

ISO The International Organization for Standardization

IT Information Technologies

ITU-T ITU’s Telecommunication Standardization Sector

JTC Joint Technical Commission

MRZ Machine-Readable Zone

NADRA National Database and Registration Authority (of Pakistan)

NICOP National Identity Cards for Overseas Pakistanis

NIST National Institute of Standards and Technology

OASIS Organization for the Advancement of Structural Information Standards

OpenID Open ID Foundation

PSA Pakistan Standards Authority

vi Draft for Discussion

PIN Personal Identification Number

PKI Public key infrastructure

RFID Radio-Frequency Identification

RMG Registration Management Group

SA Standards Australia

SDGs Sustainable Development Goals

SIS Swedish Standards Institute

SNBA Swedish National Biometrics Association

UIN Unique Identity Number

UIDAI Unique Identification Authority of India

WB The World Bank

WG Working Group

viiDraft for Discussion

ACKNOWLEDGMENTSThis report was prepared by the Identification for Development (ID4D) initiative, the World Bank Group’s cross-departmental effort to support progress towards identification systems using 21st century solutions. The report was prepared by Tariq Malik and Anita Mittal with inputs from Julia Clark, Vyjayanti Desai, Samia Melhem and Yasin Janjua. The team also wishes to thank the reviewers who offered helpful suggestions, including Dr. Narjees Adennebi (ICAO), Daniel Bachenheimer (Accenture), Sanjay Dharwadker (WCC Group), Marta Ienco (Mobile-Connect/GSMA), Flex Ortega De La Tora (RENIEC), Stephanie de Labriolle (SIA), Waleed Malik (World Bank), and Dr. Adeel Malik (Oxford University).

This report was presented and discussed with the following organizations in September 2017: American National Standards Institute (ANSI); Center for Global Development; Digital Impact Alliance; European Commission; FIDO Alliance; Bill & Melinda Gates Foundation; Government Digital Service; GSMA; ICAO; IOM; National Institute of Standards and Technology (NIST); Omidyar Network; One World Identity; Open Identity Exchange; Open Soci-ety Foundation; Plan International; The World Economic Forum; UNDP; UNHCR; UNICEF; USAID; and WFP.

1Draft for Discussion

1. INTRODUCTIONRobust, inclusive identification systems are crucial for development, as enshrined in Sustainable Development Goal (SDG) Target 16.9, which mandates countries to provide “legal identity for all, including birth registration.” For individuals, proof of legal identity is necessary to access rights, entitlements, and services. Without it, they may face exclusion from political, economic, and social life. For governments, modern identification systems allow for more efficient and transparent administration and service delivery, a reduction in fraud and leakage related to transfers and benefits payments, increased security, accurate vital statistics for planning purposes, and greater capacity to respond to disasters and epidemics.1

Despite these benefits, however, some 1.1 billion individuals around the world lack proof of identity.2 In order to close this “identity gap,” many countries have therefore begun to reform existing identification systems and build new ones. In doing so, most have attempted to capitalize on the promise of new, digital identification technolo-gies, including biometric identification, electronic credentials including smart cards and mobile IDs, and online authentication infrastructure.

These advancements, particularly when combined with related digital technologies such as online and mobile payments systems, have the potential to leapfrog the inefficiencies of paper-based identification systems. At the same time, digital identification poses many challenges related to data protection and privacy, fiscal sustainabil-ity, and the choice and use of different technology options.

Robust Digital ID systems, if developed in a highly interoperable and scalable manner, can produce savings for citizens, government and businesses. Conversely, disparate initiatives and siloed investments in Digital ID sys-tems are likely to be wasteful and duplicative, detracting from the far-reaching public and private sector implica-tions of universal Digital IDs. Pooled approaches and federated ID systems at the regional or sub-regional level can also help strengthening the value proposition of Digital IDs programs. Trust in data security will be critical to achieving tangible results. The robustness and interoperability of an identification system depends on the degree to which it adheres to technical standards—henceforth “standards.”

Standards establish universally understood and consistent interchange protocols, testing regimes, quality mea-sures, and best practices with regard to the capture, storage, transmission, and use of identity data, as well as the format and features of identity credentials and authentication protocols.3 They are therefore crucial at each stage of the identity lifecycle, including enrollment, validation, deduplication, and authentication. Standards help ensure that the building blocks of identity systems are interoperable and testable, and can meet desired performance targets. The effectiveness of an interconnected and interoperable identification system cannot be ensured without standards.

However, the standards used for identification systems can vary significantly by country and economic region or trading bloc. This diversity presents a significant challenge with respect to interoperability and compatibility both within countries and across borders (Gomes de Andrade, Nuno, Monteleone and Martin 2013). Without a com-mon set of standards, countries with underdeveloped identification systems may not know which standards to follow, and may end up using sub-par technologies, and/or proprietary technology that results in vendor lock-in. The lack of a set of standards therefore poses a challenge for countries, as well as development partners who support country identification systems and provide technical assistance.

2 Draft for Discussion

2. OBJECTIVEStandards are critical for Identification systems to be robust, interoperable and sustainable. Process standards, data standards and technical standards are the three types of standards for ensuring interoperability at the orga-nizational, semantic and technical layers. The objective of this report is to identify the existing international tech-nical standards and frameworks applicable across the identity life cycle. This catalogue of technical standards could serve as a source of reference for the stakeholders in the identification systems ecosystem. This catalogue would also be the first step of a broader multi-stakeholder engagement to convene and explore the possibility of developing a minimal set of core technical standards for identification systems. It is envisaged that an analysis of the catalogue of existing standards, organized by category and subcategory, would help in a) identification of areas where standards are missing, b) identify areas where there are competing standards and choice needs to be made and c) assess applicability of standards in a developing country context. This could also help share experiences across countries and avoid reinvention of the wheel by each country/stakeholder.

3. SCOPE“Digital identity” is a broad term, with different meanings depending on the context. For this document, we con-sider digital identity as a set of electronically captured and stored attributes and credentials that can uniquely identify a person (World Bank, 2016, GSMA and SIA, Oct. 2014). Digital identity systems may take a variety of forms, each with different applicable standards. This report focuses on technical standards; data and process standards are not in scope of this document. The technical standards that are in scope of this report are those that are required to build robust interoperable digital identification systems which enables creation of digital iden-tities for individuals after validating their identity through defined processes, issuance of credentials linked to their identity and mechanisms to establish their identity (authenticate) using their digital identity/credentials.

The report is organized as follows:

• Section 4 reviews the identity lifecycle and the processes/stages in this lifecycle to contextualize the relevant technical standards;

• Section 5 then gives an overview of international organizations developing standards and a list of the most commonly used standards for digital identification systems with focus on applicability of standards;

• Section 6 discusses the use case of different identity systems of a few countries;

• Section 7 discusses the issues and challenges to be considered while adopting standards;

• Section 8 provides recommendations for future work on developing minimum technical standards for identification systems to ensure interoperability and avoid vendor lock in;

• The appendices provide details on the standard organization, standards mapping, table giving details on each standard.


4. THE IDENTITY LIFECYCLEGlobally, digital identity ecosystems are increasingly complex, and consist of a wide range of identity models and actors with diverse responsibilities, interests, and priorities.4 Understanding the processes and technology involved in digital identification is crucial for identifying the standards which are applicable in a given system. To that end, this section provides a general overview of the digital identity lifecycle (WB, GSMA and SIA, Oct. 2014)and describes briefly the various stages (WB, GSMA and SIA, Oct. 2014). This framework is then used to analyze relevant identification standards in Section 6.

Service Provider

Citizen/End-User

Digital Identity Lifecycle and Key Roles

Service Authentication

AuthenticationProvider

Updating Enrollment

Validation

RegistrationUse

Digital Identity

Issuance

Credential

Identity Provider

Attribute Provider

LifecycleManagement

?

Digital identities are created and used as part of a lifecycle that includes three fundamental stages: (a) registra-tion, including enrollment and validation, (b) issuance of documents or credentials, and (c) authentication for service delivery or transactions. Identity providers also engage in ongoing management of the system, includ-ing updating and revocation or termination of identities/credentials (see figure above (WB, GSMA and SIA, Oct. 2014)). The description of the various phases below has been included from the same report (WB, GSMA and SIA, Oct. 2014).

4.1 RegistRation

This is the most important step in creating a digital identity. The process begins with enrollment followed by validation.

4.1.1 Enrollment

This process involves capturing and recording key identity attributes from a person who claims a certain identity, which may include biographical data (e.g., name, date of birth, gender, address, email), biometrics (e.g., finger-prints, iris scan) and an increasing number of other attributes. Which attributes are captured during this phase and the method used to capture them have important implications for the trustworthiness of the identity (see the discussion of levels of assurance below) as well as its utility and interoperability with other domestic and inter-national identity systems.


4.1.2 Validation

Once the person has claimed an identity during enrollment, this identity is then validated by checking the attri-butes presented against existing data. The validation process ensures that the identity exists (i.e., that the per-son is alive) and is claimed by one person (i.e., it is unique in the database). In modern digital identity systems, uniqueness is ensured through a deduplication process using biometric data. Links between the claimed identity and identities in other databases (e.g., civil registries, population registries, and so on) may also be established.

4.2 issuance

Before a credential can be used to assert identity by a person, a registered identity goes through an issuance or credentialing process, where identity providers may issue a variety of credentials (e.g., identifying numbers, smart cards, certificates, etc.). For an ID to be considered digital, the credentials issued must be electronic, in the sense that they store and communicate data electronically. Common types of electronic credentials used fall into these three categories

• Something you know (for example, a password).

• Something you have (for example, an ID card, mobile phone or a cryptographic key).

• Something you are (for example, a fingerprint or other biometric data).

Types of electronic credential systems include

• Smart cards: cards offer advanced security features and record digital cryptographic key and/or biometric on an embedded computer chip. Smart cards can come in the form of a contact/contactless card, or Near Field Communication (NFC)-enabled SIM card. Data stored on a smart card can be accessed offline for authentication where there is no internet connection or mobile network.

• 2D bar code card: Cards can be personalized with an encrypted 2D bar code containing a person’s personal data and biometrics, either instead of or in addition to a chip. The 2D bar code is a cost-efficient mean to provide a digital identity and to authenticate holders by comparing live biometric with that on the card. It has been widely deployed in Africa, Latin America, and the Middle East, includ-ing Lebanon, Mali, and Ghana, and more recently in Egypt to authenticate holders during the last elections.

• Mobile identity: Mobile phones and other devices can be used to provide portable digital identity and authentication for a variety of online transactions. For example, providers can issue SIM cards with digital certificates or use other mobile network assets that can enable secure and convenient identity and authentication of users for eGovernment (eGov) services and other public or private platforms.

• Identity (credential) in a central store/Cloud: Unlike portable credentials such as smart cards and SIM cards, some systems store certificates and biometrics on a server only. In this case, a physical credential storage device may not be issued. Identity number may be issued in non-electronic form (e.g., India’s Aadhaar program issues only a paper receipt). A tamper-resistant environment of crypto-graphic key generation and management to secure the ID credential in the central store against theft will increase the security and assurance level of the identity system.

4.3 authentication

Once a person has been registered and credentialed, they can use their digital identity to access the associated benefits and services. For example, citizens may use their eID number to pay taxes through an eGov portal, while bank customers can use smart debit cards or mobile financial services to make purchases. In order to


access services, the user must be authenticated using one or more factors that generally fall into one of three categories—something you know, something you have, something you are. Authentication using these attributes can occur through various pathways, including

• Smart cards: People with smart cards can authenticate their identity using multiple authentication factors for varying levels of assurance. For example, a simple PIN for low risk use cases or a digital signature based on public key infrastructure (PKI) technology for high risk use cases. Fingerprints can be used to establish a non-ambiguous link with the user. Because they store data locally on a chip, smart cards can also be used for offline digital authentication or remote locations where connectivity is limited.

• Mobile identity: Using smartphone applications, USSD or SMS-based authenticators, or SIM cards, mobile identity can incorporate multiple authentication factors for varying levels of assurance. For example, a simple PIN for low risk use cases, multiple-factor authentication solutions (including with the use of biometrics) or a mobile signature based on public key infrastructure (PKI) technology with a secure element (SE) for high-risk use cases. Authentication can be strengthened by using third and fourth factors such as the individual’s location or behaviour.

• ID in the central store/Cloud: Instead of issuing an identity document or mobile credential, a digital identity system can rely on biometrics for remote authentication. In this case, an identity is asserted and verified via a computer or other device with a biometric reader that connects to the Cloud. A Cloud-based system eliminates the need and cost of physical credentials, but requires robust ICT infrastructure for connectivity and security of the central storage.

4.4 LifecycLe ManageMent

Throughout the lifecycle, digital identity providers manage and organize the identity system, including facilities and staff, record keeping, compliance and auditing, and updating the status and content of digital identities. For example, users may need to update various identity attributes, such as address, marital status, profession, etc. In addition, identity providers may need to revoke an identity, which involves invalidating the digital identity for either fraud or security reasons, or terminate an identity in the case of the individual’s death.

4.5 fedeRation

Federation is the ability of one organization to accept another organization’s identity. Federation is based on inter-organizational trust. The trusting organization must be comfortable that the trusted organization has similar policies, and that those policies are being followed. Federation protocols and assurance framework facilitate fed-eration of digital identity intra and inter organizations/countries. Federation protocols like SAML (Security Asser-tion Mark-up Language) are used to convey the authentication result by the credential provider to the trusting organization. The trusting organization sends captures and sends the credential to the issuing organization for verification. After verification of the credential the issuing organizations sends a set of claims giving information about the user, result of authentication and the strength of the credentials used to authenticate the user. For fed-eration to be effectively used globally, agreement and mapping with the ISO defined assurance framework and adoption of federation protocols as standards are critical.

Federation can occur at multiple levels

• An organization can accept credentials issued by another organization, but still authenticate and authorize the individual locally:

• A passport issued by the U.S. Department of State is accepted as a valid credential by a foreign country, but that country’s immigration office still authenticates the holder and requires a visa (authorization).


• An organization can accept specific characteristics (attributes) describing an individual from another organization:

• Your bank will request your credit score from one of the credit bureaus, rather than maintaining that information itself.

• An organization can accept an authorization decision from another organization:

• A driver’s license authorizing you to drive in one state is accepted by another.

The identity lifecycle requires technical standards at each stage and sub-stage, as discussed further in Section 6. Importantly, the type of attributes (biometrics, biographic, and others) captured during enrollment and the meth-odologies used to record them have important implications for the assurance and trust in the identity system as well as its utility and interoperability with other domestic and international identity systems.

5. DIGITAL ID RELATED TECHNICAL STANDARDS5.1 Why aRe standaRds iMpoRtant?

In general, technical standards contain a set of specifications and procedures with respect to the operation, maintenance, and reliability of materials, products, methods, and services used by individuals or organizations. Standards ensure the implementation of universally understood protocols necessary for operation, compatibility, and interoperability, which are in turn necessary for product development and adoption. While the adoption of standards has a positive impact in market penetration and international trade, a lack of standards creates issues for the effectiveness and robustness of an identity system, including problems with interoperability, interconnec-tivity and vendor lock-in.

As electronic IDs have begun to replace paper-based systems, the technologies, inter-device communication and security requirements underpinning identity systems have become more complex—increasing the impor-tance of standards for identity management. However, choosing between standards is challenging due to rapid technological innovation and disruption, product diversification, changing interoperability and interconnectivity requirements, and the need to continuously improve the implementation of standards.

5.2 standaRds-setting Bodies

Standards are rigorously defined by organizations that are created and tasked specifically for this purpose. In the case of ICT-related standards, these organizations—with the help of experts—set up, monitor, and continuously update technical standards to address a range of issues, including but not limited to various protocols that help ensure product functionality and compatibility, as well as facilitate interoperability. These standards and related updates are regularly published for the general benefit of the public.5

According to the International Telecommunication Union’s (ITU) Technology Watch, several organizations are actively developing technical standards for digital identification systems, including international organizations such as the United Nations’ specialized agencies, industry consortia, and country-specific (national) organiza-tions. Each are described briefly below.

• International Organizations. The following prominent international organizations are actively involved in setting relevant technical standards: the International Organization for Standardization (ISO); the International Electrotechnical Commission (IEC); ITU’s Telecommunication Standardization Sector (ITU-T); the International Civil Aviation Organization (ICAO); International Labor Organization (ILO); and the European Committee for Standards (CEN), World Wide Web Consortium (W3C), Inter-net Engineering Task Force (IETF)/Internet Society.


• National Organizations. In addition to international organizations, country-specific organizations also develop technical standards based on their needs and systems of measurement. Some impor-tant organizations include the American National Standard Institute (ANSI); the U.S. National Institute of Standards and Technology (NIST); the U.S.-based International Committee for Information Tech-nology Standards (INCITS), the U.S. Department of Homeland Security (DHS); the U.S. Department of Defense (DoD); Standards Australia (SA); the Swedish Standards Institute (SIS); the Swedish National Biometrics Association (SNBA); the German Institute of Standardization (DIN); Organiza-tion of the French Standardization System (AFNOR); the Dutch Standards Organization (NEN); the Unique Identification Authority of India (UIDAI); the Bureau of Indian Standards (BIS); and the Paki-stan Standards Authority (PSA).

• Industry Consortia. Finally, industry consortia and some nonprofit organizations are also involved in either developing standards or promoting best practices to meet the needs of their members. Promi-nent examples include: the U.S. government-sponsored consortium known as the Biometric Con-sortium; Secure Identity Alliance (SIA), Center for Identification Technology Research (CITeR); IEEE Biometrics Council; Biometrics Institute, Australia; Smart Card Alliance; International Biometrics and Identification Association (IBIA); Kantara Initiative; Open Identity Exchange; Open Security Exchange; Asian Pacific Smart Card Association (APSCA); Organization for the Advancement of Structural Infor-mation of Standards (OASIS); Fast IDentity Online (FIDO) Alliance; and Open ID Foundation.

Among the major-standard setting bodies, this review has found that most prominent countries and industry consortia are connected to and collaborate with ISO (for example, through subcommittees and working groups (WG)) to modify or confirm standards for their requirements. In addition, ISO standards have been followed by most large-scale ID programs and are widely supported and used by industry consortia. As the nucleus of major industry standard contributions, this study therefore focuses on the work of the ISO.

ISO Technical Committees and Working Groups

ISO has established technical committees, subcommittees, and working groups that are in continuous commu-nication with other international and national organizations, as well as industry consortia involved in reviewing or establishing standards. A Joint Technical Committee, ISO/IEC JTC 1, has been formed by ISO and IEC to ensure a comprehensive and worldwide approach for the development and approval of international biometric standards. Within JTC1, subcommittees 37, 27, and 17 are relevant for any country that is planning to undertake a digital identity system. Various working groups within these subcommittees focus on the development and updating of specific standards relevant to the digital identity lifecycle, including:

1. ISO/IEC JTC 1/SC 37: Biometrics

2. ISO/IEC JTC 1/SC 27: IT Security Techniques

3. ISO/IEC JTC 1/SC 17: Cards and Personal Identification

4. ISO/IEC JTC 1/SC 6: Telecommunications and information exchange between systems (standards on digital signature/PKI)

These subcommittees work with other subcommittees within the ISO (liaison committees) as well as external organizations (organizations in liaison), some of whom are also involved in preparation of related standards. Figure 1 identifies the role, scope, and mandate of the technical subcommittees and their subsequent working groups. For detailed description of these subcommittees, see Appendix A.


FIGURE 1 ISO/IEC Joint Technical Committee 1: Subcommittees and Working Groups for ID Management

Joint Technical CommitteeISO/IEC JTC 1

SubcommitteeISO/IEC JTC 1/SC 37

Biometrics

ISO/IEC JTC 1/SC 37/WG 1Harmonized Biometric

Vocabulary

ISO/IEC JTC 1/SC 37/WG 2Biometric Technical

Interfaces

ISO/IEC JTC 1/SC 37/WG 3Biometric Data

Interchange Formats

ISO/IEC JTC 1/SC 37/WG 4Technical Implementation

of Biometric Systems

ISO/IEC JTC 1/SC 37/WG 5Biometric Testing

and Reporting

ISO/IEC JTC 1/SC 37/WG 6Cross Jurisdictional &

Societal Aspectsof Biometrics

SubcommitteeISO/IEC JTC 1/SC 27Security Techniques

ISO/IEC JTC 1/SC 27/SWG-MManagement

ISO/IEC JTC 1/SC 27/SWG-TTransversal Items

ISO/IEC JTC 1/SC 27/WG 1Information Security

Management Systems

ISO/IEC JTC 1/SC 27/WG 2Cryptography and Security

Mechanisms

ISO/IEC JTC 1/SC 27/WG 3Security Evaluation,

Testing and Specification

ISO/IEC JTC 1/SC 27/WG 4Security Controls

and Services

ISO/IEC JTC 1/SC 27/WG 5Identity Management and

Privacy Technologies

SubcommitteeISO/IEC JTC 1/SC 17Cards and Personal

Identification

ISO/IEC JTC 1/SC 17/WG 1Physical Characteristics & Test Method for ID Cards

ISO/IEC JTC 1/SC 17/WG 3ID Cards—Machine

Readable Travel Documents

SubcommitteeISO/IEC JTC 1/SC 6

ISO/IEC JTC 1/SC 6/WG 1Physical and Data Link

Layers

ISO/IEC JTC 1/SC 6/WG 7Network, Transport and

Future Network

ISO/IEC JTC 1/SC 17/WG 4Integrated Circuit Cards

ISO/IEC JTC 1/SC 6/WG 10Directory, ASN.1 and

Registration

ISO/IEC JTC 1/SC 17/WG 5Registration Management

Group

ISO/IEC JTC 1/SC 17/WG 8Integrated Circuit Cards

without Contacts

ISO/IEC JTC 1/SC 17/WG 9Optical Memory Cards

and Devices

ISO/IEC JTC 1/SC 17/WG 10Motor Vehicle Driver

Licence and Related Documents

ISO/IEC JTC 1/SC 17/WG 11Application of Biometricsto Cards and Personal ID

Source: Author’s Analysis


5.3 technicaL standaRds

This section contains a compilation of technical standards identified for identity systems. Most of them relate to the credential to be used for authenticating the user. Technical standards which are applicable to identity applica-tions that are common with any software application (web application/desktop/portal) are not listed/discussed in this report. The Technical Standards are grouped in two tables. The first table lists standards which are required for interoperability of systems and the second table of standards lists standards for robustness of identification systems which address the requirements like security, quality. The standards are continuously revised by the standards organizations. The standards in the table have hyperlinks to the website providing information about the standard. The ISO standards page provides information and link to the newer version of the standard if avail-able. For addition of any missing information/standard or correction required to the table of standards/report, please send your feedback to [email protected]

Technical Standards for Interoperability

The major categories of standards listed below fall into the following areas.

1. Biometrics—Image standard—Multiple competing standards are in use for capturing face image (PNG, JPEG, JPEG2000 in most of the systems while GIF/TIFF (proprietary standards) may be in use in a few). For fingerprint image (JPEG, JPEG2000 and WSQ) standard are in use. Comments provide guidelines on selection of image standard for images like face, fingerprint.

2. Biometrics—Data interchange format—ISO standards for different types of biometrics like fingerprint, iris, face are listed. The type(s) of biometrics selected for implementation of identity systems would dic-tate the standards to be complied with

3. Card/Smart Card—Different standards exist for the different types of card—card with chip and without chip and within chip category we have contact and contactless cards. Each identity system would select a card based on various criteria like cost, features. The standard to be selected depends on the category of card used for the identity system.

4. Digital Signatures—Multiple non-competing standards are listed which are applicable based on the use of digital signature for the identity systems.

5. 2D bar code—The standards commonly used PDF417 and QR code are listed. Comments provide guidelines on selection of standard for 2D bar code.

6. Federation protocols—Open ID connect and OAuth combination are being increasingly used for federa-tion while SAML has been used extensively earlier.


S.N

O

INTE

R-

OP

ER

AB

ILIT

Y A

RE

AS

UB

AR

EA

STA

ND

AR

D

SP

EC

IFIC

ATIO

N/

(CO

MM

ON

NA

ME

)S

TAN

DA

RD

D

ES

CR

IPTI

ON

S

TAN

DA

RD

S

BO

DY

OTH

ER

CO

MP

ETI

NG

S

TAN

DA

RD

S

(IF A

NY

)C

OM

ME

NTS

A.1

Bio

met

rics

Imag

e S

tand

ard

ISO

/IEC

154

44-1

(J

PE

G20

00)

Imag

e C

odin

g S

tand

ard

(bot

h lo

ssy

and

loss

less

co

mpr

essi

on)

ISO

and

IEC

JPE

G (O

pen

with

so

me

parts

hav

ing

pate

nt is

sues

)

PN

G (O

pen)

GIF

(Pro

prie

tary

))

TIFF

(Pro

prie

tary

)

Use

d fo

r fac

e im

age,

fing

er-

prin

t, Iri

s im

age.

Exc

hang

e Fo

rmat

for R

estri

cted

M

emor

y D

evic

e ca

ses

like

Sm

art C

ards

.

A.2

Bio

met

rics

Imag

e S

tand

ard

ISO

/IEC

159

48,

(PN

G)

Tech

nolo

gy—

Com

-pu

ter g

raph

ics

and

imag

e pr

oces

sing

—

Por

tabl

e N

etw

ork

Gra

phic

s—lo

ssle

ss

com

pres

sion

W3C

JPE

G

JPE

G20

00

GIF

, TIF

F

Ext

ensi

ble

file

form

at fo

r lo

ssle

ss, p

orta

ble,

wel

l-co

mpr

esse

d st

orag

e of

rast

er

imag

es. P

NG

pro

vide

s a

pate

nt-fr

ee re

plac

emen

t for

G

IF a

nd c

an a

lso

repl

ace

man

y co

mm

on u

ses

of T

IFF.

A.3

Bio

met

rics

Imag

e S

tand

ard

ISO

/IEC

10

918:

1994

JP

EG

Imag

e C

odin

g S

tand

ard—

loss

y co

mpr

essi

on

ISO

and

IEC

JPE

G20

00

GIF

, TIF

F

Gra

phic

s—R

aste

r (Lo

ssy

Com

pres

sion

)—E

xcha

nge

Form

at fo

r Web

, Des

ktop

A

pplic

atio

ns

A.4

Bio

met

rics

Imag

e S

tand

ard

WS

QC

ompr

essi

on

algo

rithm

use

d fo

r gr

ay-s

cale

fing

erpr

int

imag

es

NIS

TJP

EG

2000

, JP

EG

WS

Q fo

r effi

cien

t sto

rage

of

com

pres

sed

finge

rprin

t im

ages

at 5

00 p

ixel

s pe

r in

ch (p

pi).

For f

inge

rprin

ts

reco

rded

at 1

000

ppi,

law

en

forc

emen

t (in

clud

ing

the

FBI)

uses

JP

EG

200

0 in

stea

d of

WS

Q.

(con

tinue

d)


S.N

O

INTE

R-

OP

ER

AB

ILIT

Y A

RE

AS

UB

AR

EA

STA

ND

AR

D

SP

EC

IFIC

ATIO

N/

(CO

MM

ON

NA

ME

)S

TAN

DA

RD

D

ES

CR

IPTI

ON

S

TAN

DA

RD

S

BO

DY

OTH

ER

CO

MP

ETI

NG

S

TAN

DA

RD

S

(IF A

NY

)C

OM

ME

NTS

B.1

Bio

met

rics

Dat

a in

ter-

chan

ge—

Face

ISO

/IEC

197

94-

5:20

11 (F

ace

Imag

e)

Bio

met

ric d

ata

inte

r-ch

ange

form

ats

for

Face

imag

e sp

ecifi

es

data

sce

ne, p

hoto

-gr

aphi

c, d

igiti

zatio

n an

d fo

rmat

requ

ire-

men

ts fo

r im

ages

of

face

s to

be

used

in

the

cont

ext o

f bot

h hu

man

ver

ifica

tion

and

com

pute

r aut

o-m

ated

reco

gniti

on

ISO

and

IEC

The

imag

e co

mpr

essi

on

algo

rithm

can

be

in a

ny o

f the

fo

llow

ing:

JP

EG

2000

, PN

G,

JPE

G e

tc.

JPE

G20

00 o

r PN

G o

pen

stan

dard

s ar

e re

com

men

ded

B.2

Bio

met

rics

Dat

a In

ter-

chan

ge—

Fing

erpr

int

ISO

/IEC

197

94-

4:20

11 (F

inge

r pr

int)

Dat

a re

cord

inte

r-ch

ange

form

at fo

r st

orin

g, re

cord

ing,

an

d tra

nsm

ittin

g th

e in

form

atio

n fro

m o

ne

or m

ore

finge

r or

palm

imag

e ar

eas

for e

xcha

nge

or

com

paris

on

ISO

and

IEC

JPE

G20

00, P

NG

, JP

EG

, W

SQ

etc

. for

mat

s al

low

ed

JPE

G20

00 re

com

men

ded

as

it is

ope

n st

anda

rd a

nd a

llow

s fo

r bot

h lo

ssy

and

loss

less

co

mpr

essi

on

B.3

Bio

met

rics

Dat

a In

ter-

chan

ge—

Iris

ISO

/IEC

197

94-

6:20

11 (I

ris)

Iris

imag

e in

ter-

chan

ge fo

rmat

s fo

r bi

omet

ric e

nrol

lmen

t, ve

rific

atio

n an

d id

en-

tific

atio

n sy

stem

ISO

and

IEC

(con

tinue

d)

Con

tinu

ed


(con

tinue

d)

S.N

O

INTE

R-

OP

ER

AB

ILIT

Y A

RE

AS

UB

AR

EA

STA

ND

AR

D

SP

EC

IFIC

ATIO

N/

(CO

MM

ON

NA

ME

)S

TAN

DA

RD

D

ES

CR

IPTI

ON

S

TAN

DA

RD

S

BO

DY

OTH

ER

CO

MP

ETI

NG

S

TAN

DA

RD

S

(IF A

NY

)C

OM

ME

NTS

B.4

Bio

met

rics

Dat

a In

ter-

chan

ge—

Min

utia

e

ISO

/IEC

197

94-

2:20

11 (M

inut

iae)

3 da

ta fo

rmat

s fo

r re

pres

enta

tion

of

finge

rprin

ts u

sing

th

e fu

ndam

enta

l no

tion

of m

inut

iae

for

inte

rcha

nge

and

stor

-ag

e of

this

dat

a: a

) re

cord

-bas

ed fo

rmat

, an

d b)

nor

mal

and

c)

com

pact

form

ats

for u

se o

n a

smar

t ca

rd in

a m

atch

-on-

card

app

licat

ion

ISO

and

IEC

B.5

Bio

met

rics

Dat

a in

ter-

chan

ge—

Sig

natu

re

ISO

/IEC

197

94-

7:20

14 (S

igna

ture

)D

ata

inte

rcha

nge

form

ats

for s

igna

ture

/si

gn b

ehav

iora

l dat

a ca

ptur

ed in

the

form

of

a m

ulti-

dim

en-

sion

al ti

me

serie

s us

ing

devi

ces

such

as

dig

itizi

ng ta

blet

s or

adv

ance

d pe

n sy

stem

s

ISO

and

IEC

C.1

Car

dIS

O/IE

C 7

810

Iden

tific

atio

n C

ards

—P

hysi

cal

Cha

ract

eris

tics

ISO

and

IEC

Pla

stic

car

d w

ithou

t chi

p

C.2

Sm

art C

ard

ISO

/IEC

781

6e-

IDs/

Sm

art C

ards

—C

onta

ct C

ard

Sta

ndar

ds

ISO

and

IEC

C.3

Sm

art C

ard

ISO

/IEC

144

43e-

IDs/

Sm

art C

ards

—

Con

tact

less

Car

d S

tand

ards

ISO

and

IEC

Con

tinu

ed


S.N

O

INTE

R-

OP

ER

AB

ILIT

Y A

RE

AS

UB

AR

EA

STA

ND

AR

D

SP

EC

IFIC

ATIO

N/

(CO

MM

ON

NA

ME

)S

TAN

DA

RD

D

ES

CR

IPTI

ON

S

TAN

DA

RD

S

BO

DY

OTH

ER

CO

MP

ETI

NG

S

TAN

DA

RD

S

(IF A

NY

)C

OM

ME

NTS

C.4

Sm

art C

ard

ICA

O 9

303

adop

ted

as IS

O/IE

C 7

501

Sta

ndar

d fo

r M

achi

ne R

eada

ble

Trav

el D

ocum

ents

ICA

O

ISO

and

IEC

C.5

Sm

art C

ard

ISO

/IEC

247

27S

et o

f pro

gram

min

g in

terfa

ces

for i

nter

ac-

tions

bet

wee

n in

te-

grat

ed c

ircui

t car

ds

(ICC

s) a

nd e

xter

nal

appl

icat

ions

ISO

and

IEC

D.1

Bar

Cod

e2

DIS

O/IE

C

1800

4:20

15—

Qui

ck

Res

pons

e (Q

R)

code

QR

Cod

e sy

mbo

logy

ch

arac

teris

tics,

dat

a ch

arac

ter e

ncod

ing

met

hods

, sym

bol

form

ats,

dim

ensi

onal

ch

arac

teris

tics,

err

or

corr

ectio

n ru

les,

re

fere

nce

deco

ding

al

gorit

hm, p

rodu

ctio

n qu

ality

requ

irem

ents

, an

d us

er-s

elec

t-ab

le a

pplic

atio

n pa

ram

eter

s

ISO

and

IEC

Dat

a M

atrix

, PD

F417

A ba

rcod

e is

a m

achi

ne-r

ead-

able

opt

ical

labe

l tha

t con

-ta

ins

info

rmat

ion

abou

t the

ite

m to

whi

ch it

is a

ttach

ed

D.2

Bar

Cod

e2

DIS

O/IE

C 1

5438

: 20

15—

PD

F417

Req

uire

men

ts fo

r the

ba

r cod

e sy

mbo

logy

ch

arac

teris

tics,

dat

a ch

arac

ter e

ncod

a-tio

n, s

ymbo

l for

mat

s,

dim

ensi

ons,

err

or

corr

ectio

n ru

les,

re

fere

nce

deco

d-in

g al

gorit

hm, a

nd

man

y ap

plic

atio

n pa

ram

eter

s.

ISO

and

IEC

Dat

a M

atrix

QR

cod

e

PD

F417

is a

sta

cked

bar

code

th

at c

an b

e re

ad w

ith a

sim

-pl

e lin

ear s

can

bein

g sw

ept

over

the

sym

bol.

4 tim

es le

ss

capa

city

than

QR

cod

e.

Con

tinu

ed

(con

tinue

d)


(con

tinue

d)

S.N

O

INTE

R-

OP

ER

AB

ILIT

Y A

RE

AS

UB

AR

EA

STA

ND

AR

D

SP

EC

IFIC

ATIO

N/

(CO

MM

ON

NA

ME

)S

TAN

DA

RD

D

ES

CR

IPTI

ON

S

TAN

DA

RD

S

BO

DY

OTH

ER

CO

MP

ETI

NG

S

TAN

DA

RD

S

(IF A

NY

)C

OM

ME

NTS

E.1

Dig

ital S

ig-

natu

res/

cryp

togr

aphy

Dig

ital

Sig

natu

re

Sta

ndar

d

FIP

S 1

86-4

DS

S

This

Sta

ndar

d de

fines

met

hods

fo

r dig

ital s

igna

ture

ge

nera

tion

that

can

be

use

d fo

r the

pro

-te

ctio

n of

bin

ary

data

(c

omm

only

cal

led

a m

essa

ge),

and

for

the

verif

icat

ion

and

valid

atio

n of

thos

e di

gita

l sig

natu

res

NIS

T

E.2

Dig

ital S

ig-

natu

res/

cryp

togr

aphy

Dig

ital

Sig

natu

re

Alg

orith

m

RFC

344

7 R

SA

(PK

CS

#1)

The

use

of th

e R

SA

algo

rithm

for d

igita

l si

gnat

ure

gene

ratio

n an

d ve

rific

atio

n

IETF

Inte

rnet

S

ocie

tyP

KC

S #

1 pu

blis

hed

by R

SA

labo

rato

ries—

repu

blis

hed

as

RFC

for i

nter

net c

omm

unity

E.3

Dig

ital S

ig-

natu

res/

cryp

togr

aphy

Sec

ure

Has

h S

tand

ard

SH

S (F

IPS

PU

B

180-

4)Th

is S

tand

ard

spec

i-fie

s se

cure

has

h al

gorit

hms—

SH

A-1

, S

HA

-224

, SH

A-2

56,

SH

A-3

84, S

HA

-512

, S

HA

-512

/224

and

S

HA

-512

/256

NIS

T

E.4

Dig

ital S

ig-

natu

res/

cryp

togr

aphy

Sec

urity

FIP

S 1

40-2

Sec

urity

Req

uire

-m

ents

for C

rypt

o-gr

aphi

c M

odul

es

NIS

T

Con

tinu

ed


S.N

O

INTE

R-

OP

ER

AB

ILIT

Y A

RE

AS

UB

AR

EA

STA

ND

AR

D

SP

EC

IFIC

ATIO

N/

(CO

MM

ON

NA

ME

)S

TAN

DA

RD

D

ES

CR

IPTI

ON

S

TAN

DA

RD

S

BO

DY

OTH

ER

CO

MP

ETI

NG

S

TAN

DA

RD

S

(IF A

NY

)C

OM

ME

NTS

E.5

Dig

ital S

ig-

natu

res/

cryp

togr

aphy

Pub

lic K

ey

Infra

stru

c-tu

re

ITU

-T X

.509

| IS

O/

IEC

959

4-8

The

publ

ic-k

ey

certi

ficat

e fra

mew

ork

defin

ed in

this

Rec

-om

men

datio

n | I

nter

-na

tiona

l Sta

ndar

d sp

ecifi

es th

e in

form

a-tio

n ob

ject

s an

d da

ta

type

s fo

r a p

ublic

-key

in

frast

ruct

ure

(PK

I),

incl

udin

g pu

blic

-key

ce

rtific

ates

, cer

tifi-

cate

revo

catio

n lis

ts

(CR

Ls),

trust

bro

ker

and

auth

oriz

atio

n an

d va

lidat

ion

lists

(A

VLs

)

ITU

-T, I

SO

an

d IE

C

E.6

Dig

ital S

ig-

natu

res/

cryp

togr

aphy

XM

L A

dvan

ced

Ele

ctro

nic

Sig

natu

res

XA

dES

W3C

Whi

le X

ML-

DS

ig is

a

gene

ral f

ram

ewor

k fo

r dig

itally

sig

ning

do

cum

ents

, XA

dES

sp

ecifi

es p

reci

se

prof

iles

of X

ML-

DS

ig

mak

ing

it co

mpl

iant

w

ith th

e E

urop

ean

eID

AS

regu

latio

n

W3C

Est

onia

Dig

ital I

D fo

llow

s th

is

stan

dard

Con

tinu

ed

(con

tinue

d)


(con

tinue

d)

S.N

O

INTE

R-

OP

ER

AB

ILIT

Y A

RE

AS

UB

AR

EA

STA

ND

AR

D

SP

EC

IFIC

ATIO

N/

(CO

MM

ON

NA

ME

)S

TAN

DA

RD

D

ES

CR

IPTI

ON

S

TAN

DA

RD

S

BO

DY

OTH

ER

CO

MP

ETI

NG

S

TAN

DA

RD

S

(IF A

NY

)C

OM

ME

NTS

F.1

Fede

ratio

n P

roto

col

SA

ML

v2—

2005

Sec

urity

Ass

ertio

n M

arku

p La

ngua

ge

(SA

ML)

def

ines

an

XM

L ba

sed

fram

e-w

ork

for c

omm

u-ni

catin

g se

curit

y an

d id

entit

y (e

.g.,

auth

entic

atio

n,

entit

lem

ents

, and

at

tribu

te) i

nfor

mat

ion

betw

een

com

putin

g en

titie

s. S

AM

L pr

o-m

otes

inte

rope

rabi

lity

betw

een

disp

arat

e se

curit

y sy

stem

s,

prov

idin

g th

e fra

me-

wor

k fo

r sec

ure

e-bu

sine

ss tr

ansa

c-tio

ns a

cros

s co

m-

pany

bou

ndar

ies.

OA

SIS

Ope

n ID

con

nect

and

O

Aut

h

F.2

Fede

ratio

n P

roto

col

RFC

674

9/

OA

UTH

2O

Aut

h 2.

0 is

the

indu

stry

-sta

ndar

d pr

otoc

ol fo

r aut

ho-

rizat

ion

prov

idin

g sp

ecifi

c au

thor

iza-

tion

flow

s fo

r web

ap

plic

atio

ns, d

eskt

op

appl

icat

ions

, mob

ile

phon

es, a

nd li

ving

ro

om d

evic

es

IETF

SA

ML

Mob

ile C

onne

ct s

olut

ion

prov

idin

g pa

ssw

ord

less

au

then

ticat

ion

tied

to th

e m

obile

pho

ne o

f the

use

r is

base

d on

the

Ope

nID

Con

-ne

ct &

OA

uth2

Con

tinu

ed


S.N

O

INTE

R-

OP

ER

AB

ILIT

Y A

RE

AS

UB

AR

EA

STA

ND

AR

D

SP

EC

IFIC

ATIO

N/

(CO

MM

ON

NA

ME

)S

TAN

DA

RD

D

ES

CR

IPTI

ON

S

TAN

DA

RD

S

BO

DY

OTH

ER

CO

MP

ETI

NG

S

TAN

DA

RD

S

(IF A

NY

)C

OM

ME

NTS

F.3

Fede

ratio

n P

roto

col

Ope

n ID

con

nect

Ope

nID

Con

nect

1.0

is

a s

impl

e id

entit

y la

yer o

n to

p of

the

OA

uth

2.0

prot

ocol

. It

allo

ws

Clie

nts

to

verif

y th

e id

entit

y of

th

e E

nd-U

ser b

ased

on

the

auth

entic

a-tio

n pe

rform

ed b

y an

Aut

horiz

atio

n S

erve

r, as

wel

l as

to

obta

in b

asic

pro

file

info

rmat

ion

abou

t th

e E

nd-U

ser i

n an

in

tero

pera

ble

and

Web

Ser

vice

s-lik

e m

anne

r.

The

Ope

nID

Fo

unda

tion

SA

ML

Mob

ile C

onne

ct s

olut

ion

prov

idin

g pa

ssw

ord

less

au

then

ticat

ion

tied

to th

e m

obile

pho

ne o

f the

use

r is

base

d on

the

Ope

nID

Con

-ne

ct &

OA

uth2

Con

tinu

ed


Tech

nica

l Sta

ndar

ds fo

r Rob

ust I

dent

ity S

yste

ms

S. N

O

STA

ND

AR

D

SP

EC

IFIC

ATIO

N/

(CO

MM

ON

NA

ME

)S

TAN

DA

RD

DE

SC

RIP

TIO

N

STA

ND

AR

DS

BO

DY

CO

MM

EN

TS1

ISO

/IEC

297

94 S

erie

sB

iom

etric

Sam

ple

Qua

lity—

M

atch

ing

Per

form

ance

ISO

and

IEC

Qua

lity

2IS

O/IE

C 2

9100

Priv

acy

fram

ewor

kIS

O a

nd IE

CIS

O/IE

C 2

9100

pro

vide

s a

priv

acy

fram

ewor

k w

hich

:

• sp

ecifi

es a

com

mon

priv

acy

term

inol

ogy;

• de

fines

the

acto

rs a

nd th

eir r

oles

in p

roce

ssin

g pe

r-so

nally

iden

tifia

ble

info

rmat

ion

(PII)

;

• de

scrib

es p

rivac

y sa

fegu

ardi

ng c

onsi

dera

tions

; and

• pr

ovid

es re

fere

nces

to k

now

n pr

ivac

y pr

inci

ples

fo

r IT

3IS

O/IE

C 2

7018

Cod

e of

pra

ctic

e fo

r PII

prot

ec-

tion

in p

ublic

clo

uds

actin

g as

P

II pr

oces

sors

ISO

and

IEC

ISO

/IEC

270

18 e

stab

lishe

s co

mm

only

acc

epte

d co

ntro

l ob

ject

ives

, con

trols

and

gui

delin

es fo

r im

plem

entin

g m

easu

res

to p

rote

ct P

erso

nally

Iden

tifia

ble

Info

rmat

ion

(PII)

in a

ccor

danc

e w

ith th

e pr

ivac

y pr

inci

ples

in IS

O/IE

C

2910

0 fo

r the

pub

lic c

loud

com

putin

g en

viro

nmen

t4

ISO

/IEC

291

90P

rivac

y ca

pabi

lity

asse

ssm

ent

mod

elIS

O a

nd IE

CIS

O/IE

C 2

9190

:201

5 pr

ovid

es o

rgan

izat

ions

with

hig

h-le

vel g

uida

nce

abou

t how

to a

sses

s th

eir c

apab

ility

to

man

age

priv

acy-

rela

ted

proc

esse

s5

ISO

/IEC

291

46A

fram

ewor

k fo

r acc

ess

man

agem

ent

ISO

and

IEC

ISO

/IEC

291

46 d

efin

es a

nd e

stab

lishe

s a

fram

ewor

k fo

r ac

cess

man

agem

ent (

AM

) and

the

secu

re m

anag

emen

t of

the

proc

ess

to a

cces

s in

form

atio

n an

d In

form

atio

n an

d C

omm

unic

atio

ns T

echn

olog

ies

(ICT)

reso

urce

s, a

ssoc

i-at

ed w

ith th

e ac

coun

tabi

lity

of a

sub

ject

with

in s

ome

cont

ext

6IS

O/IE

C 2

9134

Priv

acy

impa

ct

asse

ssm

ent—

Gui

delin

esIS

O a

nd IE

CIS

O/IE

C 2

9134

:201

7 gi

ves

guid

elin

es fo

r a p

roce

ss o

n pr

ivac

y im

pact

ass

essm

ents

, and

a s

truct

ure

and

cont

ent

of a

PIA

repo

rt7

ISO

/IEC

291

84G

uide

lines

for o

nlin

e pr

ivac

y no

tice

and

cons

ent

ISO

and

IEC

Und

er d

evel

opm

ent

(con

tinue

d)


S. N

O

STA

ND

AR

D

SP

EC

IFIC

ATIO

N/

(CO

MM

ON

NA

ME

)S

TAN

DA

RD

DE

SC

RIP

TIO

N

STA

ND

AR

DS

BO

DY

CO

MM

EN

TS8

ISO

/IEC

247

61A

uthe

ntic

atio

n

Con

text

for B

iom

etric

sIS

O a

nd IE

CR

emot

e si

te b

iom

etric

s au

then

ticat

ion

9IS

O/IE

C 2

4760

Ser

ies

Fram

ewor

k fo

r Man

agem

ent o

f Id

entit

y In

form

atio

nIS

O a

nd IE

CP

rote

ctin

g P

rivac

y &

Sec

urity

—fu

rther

dis

cuss

ion

need

ed

on u

se o

f thi

s st

anda

rd

10IS

O/IE

C 2

9109

Ser

ies

Test

ing

Met

hodo

logy

for B

iom

et-

ric D

ata

Inte

rcha

nge

ISO

and

IEC

11IS

O/IE

C 2

4745

Sec

urity

Tec

hniq

ues—

B

iom

etric

Info

rmat

ion

Pro

tect

ion

ISO

and

IEC

Con

tinu

ed

Sour

ce: h

ttps

://rm

coe

int/

wor

k-an

d-pr

ojec

ts-i

n-is

o-ie

c-jt

c-1-

sc-2

7-w

g-5-

iden

tity

-man

agem

ent-

priv

/16

80

73ff

03

WG

5 Id

enti

ty M

anag

emen

t & P

rivac

y Te

chno

logi

es P

rivac

y/PI

I sta

ndar

ds in

SC

27/W

G 5

and

els

ewhe

re


5.4 fRaMeWoRks

ISO/IEC 29115 and eIDAS provide assurance levels framework for identity systems. Ideally the National Identity system should conform to the highest level. Further discussion on this would facilitate preparation of guidelines on options for implementation of Identity systems of the highest assurance levels. Also, guidelines on the dif-ferent options with their strengths and weaknesses with some example scenarios would help in selecting the appropriate identity system and relevant technical standards.

STANDARD NAME

STANDARD DESCRIPTION

STANDARD BODY COMMENTS

ISO/IEC 29115 Entity Authentica-tion Assurance Framework

ISO and IEC Sets out four levels of assurances for scalable iden-tity management and authentication services

FIDO UAF Universal Authentication framework

FIDO alliance Password less authentication experience

eIDAS Electronic identi-fication and trust services

European Union regulation

Regulation for Identification and trust services for the European union—framework for interoperability of EU identity systems

5.4.1 Levels of Assurance

When a person identifies or authenticates herself using one or multiple identity attributes, the degree of confi-dence that she is who she claims to be depends on the degree of security assurance provided and the context in which the information is captured, referred to as the level of assurance (LOA). Assurance levels depend on the strength of the identification and authentication processes, and are critical to access control and reducing identity theft. The higher the LOA, the lower is the risk that service providers will rely on a compromised credential during a transaction. For “identity proofing,” the LOA is dependent on the method of identification, including the scope of personal information and attributes collected about an individual during enrollment, and the degree of certainty with which these attributes are ascertained (i.e., have been validated). For example, if personal data are collected during enrollment but not de-duplicated or checked against existing databases for veracity, this would constitute a low LOA because there is no validation of the identity information.

ISO/IEC 29115 provides a framework for entity authentication assurance. Assurance within this Recommenda-tion | International Standard refers to the confidence placed in all the processes, management activities, and technologies used to establish and manage the identity of an entity for use in authentication transactions. This framework also identifies three phases enrollment, credentialing and authentication phases mapping to the three key activities listed in Identity Lifecycle. It also lists the organizational and management activities which map with Governance phase of Identity and addresses requirements of federation and role of assurance framework in the same without listing it as a separate process.


ISO 29115 sets out four levels of assurances for scalable identity management and authentication services. These levels are shown in Figure 2, along with corresponding definitions from the European Union’s eIDAS framework, and range from weak authentication protocols with extremely high security risk levels, to strong authentication protocols with minimal risk levels. The level of risk is based not only on the credentials and pro-cesses used for authentication, but also on the robustness of identity proofing during the registration phase. Depending on the type of application, countries may implement a variety of authentication protocols to meet the standards necessary for the use case.

FIGURE 2 ISO and eIDAS Authentication Levels

elDASdefinition

HIGH/SUBSTANTIAL+

SUBSTANTIAL/LOW+

LEVEL 4

LEVEL 3 LEVEL 3

In-personregistration with

verification

Presentation ofIdentity

Information

No IdentityProofing

MinimalMinimalLowMitigatedExtremely high

Verification of Identity Information

Very StrongAuthentication

StrongAuthentication • SIM Applet

with PKI• Smartphone

App in TEEwith PKI

• PKI eID (PIN)• PKI ID (PIN +

SE) (SIM/eSE)• Biometrics

• USSD• SIM Applet• Smartphone

App• Token OTP +

pw• Biometrics

LEVEL 2

LOW

LEVEL 1

Out ofScope

SecureAuthentication

• Seamless• SMS + URL• USSD• SIM Applet• Smartphone

App• Token or OTP

WeakAuthentication

Legacy password

StrongAuthentication

• SIM Applet• Smartphone

App in TEE• Token OTP

(PIN + certifiedTEE or SE)

• Biometrics

ISO 29115 levels

Authentication/electronic ID

Identity proofingduring registration

Risk level

Source: World Bank, 2016


6. COUNTRY USE CASES Depending on the country-specific environment, which standards should be adopted and which should be ignored? The answer depends on the objectives, scope, and proposed use for the identity system. Examples of India, Pakistan, Peru, and Estonia are briefly discussed in Boxes 6.1, 6.2, 6.3 and 6.4 to illustrate the choice of relevant standards by respective national governments to meet their requirements. When designing an identi-fication system, however, a priority always to ensure that the choice of technologies and related standards are following existing regulatory frameworks within a country.

Three standards are vital for any legal identification system that involves biometrics: the ISO 19794, 29794 and 29109 series. The ISO 19794 series defines biometric interchange format for various types of biometric data (face image, fingerprint, iris), the ISO/IEC 29794 series refers to biometric quality, and the ISO 29109 series concerns conformance testing that could cover inter alia, testing, surveillance, inspection, audit, certification and accreditation.

ISO 19794 is crucial for cryptographic protection in interchange environments as biometric data are sensi-tive to cyber-attack or identity-theft. Since ID systems are tested rigorously before and after deployment, the use of the ISO 19794 series coupled with ISO/IEC the 29109 series becomes important because the latter describes and specifies conformance-testing methodology for biometric data interchange formats defined in ISO/IEC 19794. It also specifies elements of test assertions and test procedures as applicable to the biometric data interchange format standard.

Box 6.1: aadhaaR identity systeM of india—BioMetRic Based

The Unique Identification Authority of India (UIDAI) has issued a unique ID number, known as Aadhaar, to more than 1 billion residents. Photograph, fingerprints and irises of each resident are captured before issuing an Aadhaar. It is the world’s largest multimodal biometric database, and more than 93 percent of Indians now have a digital identity as a result of this system. UIDAI set up a Biometric Standards Commit-tee in 2009 to provide direction on biometric standards, suggest best practices, and recommend biometric procedures for the system. The committee recommended ISO/IEC 19794 Series (parts 1, 2, 4, 5, 6) and ISO/IEC 19785 for biometric data interchange formats and a common biometric exchange framework to ensure interoperability. ISO/IEC 15444 (all parts) was selected as a coding system (JPEG 2000 image) for both photo, fingerprint and iris image. Additionally, UIDAI uses open source software as a principle, which have also been used successfully in the United States and Europe. An important security standard, ISO 24745, which provides guidance for the protection of biometric information for confidentiality and integrity during storage or managing identities, was not implemented due to the complexity of applicable compliance procedures. UIDAI had also come up with standards (demographic standards committee) for the data standards for the identity attributes captured during registration and subsequently used for demographic authentication. Aadhaar system also makes extensive use of PKI/HSM for encryption of data during transmission and storage and for protecting access to API.

Aadhaar Authentication can be performed in one or more of the following modes with yes/no responses:

• Demographic authentication.

• Biometric authentication

• One-time PIN mobile based authentication

• Multifactor authentication is a combination of two or three factors listed above

Source: UIDAI Website & Biometrics Standard Committee Recommendations 2009.


Any system that uses biometric enrollment and/or authentication is advised to consider these biometric stan-dards. However, for countries that issue biometric-based unique identity numbers without ID cards (e.g., India, see Box 6.1), the standards for creating and managing biometric-based identities are of primary concern.

Smart Cards Related Standards

For countries that issue a tangible credential such as a physical eID card, standards such as ISO-7810 to ISO-7813 also become relevant to ensure interoperability and interconnectivity. For contact cards, where the chip is embossed on the card, the ISO/IEC 7816 standard is followed globally; for contactless cards, where the chip is embedded inside the card, the ISO/IEC 14443 standard is followed.

For cards that can also be used as electronic travel documents—including eID cards, passports, drivers’ licenses, or any other machine-readable travel documents (MRTDs) used for crossing borders—then compliance with ICAO 9303 should be followed. In addition, ICAO is developing an international framework of standards for MRTDs as part of their strategy, known as the Travelers Identification Program (TRIP) Strategy, which includes interoperable application standards. For travel ID cards used by seafarers, the guidelines issued by the Interna-tional Labor Organization (ILO) become relevant.

Box 6.2: sMaRt eid in pakistan—BioMetRics and sMaRt caRd

Pakistan’s National Database and Registration Authority (NADRA) has issued over 121 million ID cards and hence registered 98 percent of its adult citizens over the age of 18. Over the years, Pakistan’s ID card has evolved into a smart eID that contains multi-biometric features to meet the challenges of a digitally connected world. NADRA is now one of the world’s leading suppliers of eID services. It also designed its cards to meet the needs of its citizens living outside the country. As a result, its smart eID, known as the National Identity Card for Overseas Pakistanis (NICOP), complies with ICAO standard 9303 part 3 vol. 1 and is also ISO 7816-4 compliant. An ICAO compliant smart NICOP can be accepted as a form of digital ID in all international airports and at points of entry and departure. NADRA also uses open source as a guideline/principle for application development. Demographic data is used along with biometric data to improve the deduplication process. NADRA Quality Management and ID Card Production departments are also ISO 9001:2000 certified.

Source: Author’s Analysis.

Box 6.3: eid With digitaL ceRtificate in peRu

Peru’s National Electronic ID Card (DNIe), issued by the National Registry of Identification and Civil Status (RENIEC), was considered to be the best ID card in Latin America during the 2015 High Security Printing Latin American Conference in Lima. RENIEC, an autonomous entity with functions including civil registra-tion, identification, and digital signatures, has issued 30 million eIDs covering almost the entire population of the country. The DNIe provides Peruvian citizens with a digital identity, which can be authenticated physi-cally and virtually. The DNIe includes two digital certificates, which allows the cardholder to sign electronic documents with the same probative value as a handwritten signature. Peru’s eID complies with the ISO/IEC-7816 standard and its biometrics system follows ISO/IEC 19794. Because the card is also used as a machine-readable travel document (MRTD), it also complies with ICAO 9303.

Source: Interview with RENIEC official.


If a Smart card such as an eID is intended to be used as a bank card, then EMV standards6 also become appli-cable. ISO 8583 defines the physical characteristics such as magnetic strip on the card if it is intended to be used as payment card. In countries where drivers’ licenses are the primary identity document used to confirm identity, the drivers’ license standard known as ISO 18103 is followed. As more functionality is added to an eID card, conforming with all relevant standards may become a complex or difficult task. For example, if an ID-card that is used as payment card and an ICAO compliant travel document as well, it may be cumbersome to fit a magnetic strip and ICAO machine readable zone on the card, in addition to a financial institution logo and details necessary for recognition as a valid payment instrument.

Box 6.4: id-kaaRt in estonia—sMaRt caRd and MoBiLe id

Estonia has the most highly developed national ID card system in the world (Williams-Grut 2016). It has issued 1.3 million of its smart ID-Kaarts, each with a unique identifier that allows citizens to access over 1,000 public services, such as health care, online tax filing, and online voting. Estonia is now one of the most digitally advanced nations in the world with regard to public services. It wants to become a “country as a service,” where secure digital identity plays a central role. Key identifying data such as signatures are stored in the system alongside a unique number, used by citizens as a unique identifier to sign documents online and verify online identity. The ID-Kaart has advanced electronic functions that facilitate secure authentication and legally binding digital signatures that may be used for nationwide online services. The e-ID infrastructure is scalable, flexible, interoperable, and standards-based. All certificates issued in asso-ciation with the ID card scheme are qualified certificates conforming with European Directive 1999/93/EC on the use of electronic signatures in electronic contracts within the European Union (EU). The card complies with the ICAO 9303 travel document standard.

The ID-Kaart is a secure credential for accessing public services. To sign a document digitally, a communi-cation model using standardized workflows in the form of a common document format (DigiDoc) has been employed. DigiDoc is based on XML Advanced Electronic Signatures Standard (XAdes), which is a profile of that standard. XAdes defines a format that enables structurally storing data signatures and security attri-butes associated with digital signatures and hence caters for common understanding and interoperability.

Source: e-Estonia.com and the paper titled ‘The Estonian ID Card and Digital Signature Concept’ Ver 20030307.


7. CONSIDERATIONS WHILE ADOPTING STANDARDS FOR IDENTITY SYSTEMSThe preceding sections highlight relevant standards that have been used for leading digital identification systems in a number of countries. These pioneering countries have spent considerable effort in studying and adopting standards to benchmark and test technology before deploying it, which underscores the value of adopting and implementing specific standards. There are also some lessons to be learnt from other countries which missed adopting standards leading to issues relating to interoperability, robustness and vendor lock-in. As various coun-tries embark on implementation of the digital identification systems for sustainable it would be prudent to identify and advocate a set of minimum technical standards for common good and enable development of robust interop-erable identity systems which are not plagued by vendor lock in

In addition, it underscores the need to review new solutions developed by industry consortia, such as Mobile Con-nect,7 and new regulations such as eIDAS,8 which are in the developmental stage and may become standards in near future as more countries adopt them. It is important to benchmark new standards before large-scale imple-mentation to see if these may compromise or hinder scalability, connectivity, interoperability, and compatibility.

Any forthcoming strategy on developing minimum standards for digital identity systems should address the fol-lowing issues and challenges:

a. Protecting Biometrics from Security Breaches

Digital biometric identification is fast becoming a standard tool to uniquely enroll a population, particularly given the diminishing costs of the technology. Heavy reliance on biometrics poses a challenge in protecting the per-sonal data of citizens, particularly where security infrastructure, technological capacity, and legal protections are weak. Unlike other forms of credentials (passwords and PINs, which can be replaced), breach of biometric data is costly and the consequences may be severe in the case of a hostile attack or hacking. This requires adoption and implementation of relevant security standards and a strong legal framework for privacy and data protection.

b. Single or Multimodal Systems

The choice between using a single or multiple biometric identifiers (fingerprints, iris, face, etc.) may require dif-ferent standards, and depends on many factors (for example, IT infrastructure cost, and cultural considerations). Multimodal systems have become increasingly popular because they produce more accurate results, as multiple unique attributes are authenticated instead of reliance on a single attribute. They also enable help in deduplica-tion of identities with greater accuracy. This is advantageous in terms of ensuring inclusiveness,9 which is an important consideration for the development agenda. In low- and middle-income countries, for example, the fingerprints of people involved in manual labor can become worn out and unreadable. The face is the most com-monly captured biometric, and is widely used in manual visual verification.

The biggest driver in selecting between a single or multimodal system is accuracy, driven by population size as well as demographic characteristics. In addition, the complexity of various operating systems and technologies in multimodal systems could pose operational challenges. If it becomes cost prohibitive to implement a multimodal system and a country is inclined to implement only part of a complete biometrics system, the risk of biometric failure must be identified and backup procedures for identity authentication (such as validation checks, built-in registration software, or manual examination of authenticity of breeder documents) should be defined.

c. Lack of Biometric Device Standards

The identity lifecycle can only work seamlessly when all IT systems and devices are integrated. Vendor lock-in risks must be mitigated by thoroughly examining previous records of similar implementations. As relevant ISO standards are mainly focused on interchange standards, quality standards and testing methodology standards


(see Section 5.3), there is a lack of standards or certifications regarding devices that read or authenticate biomet-ric information and countries should rely on best practices offered by industry consortia.

d. Modernizing Legacy Identification Systems

Prior to the widespread use of digital biometric technology and databases, some countries had well-established paper-based civil registration systems and national ID systems that relied on collecting limited biometrics (com-monly a single fingerprint), that may or may not have been digital. Many countries enhanced these systems by switching to digital capture of biometrics and adding additional attributes (e.g., iris, digital photo). This transition requires standardizing biographic and identity resolution on both biographic and biometric data. Modernizing these systems by incorporating digital biometric technology may also necessitate changes to legal frameworks to modify registration procedures, and upgrading technology and technical skills of staff. These efforts would require adoption and implementation of standards that take into consideration multiple modalities, methodologies and sources for biometrics as well as the management of biographic data.

e. Cost Effectiveness

Digital identification systems are technology based, and new technologies are evolving at an exponential rate. The development of new technologies and equipment may render old technologies obsolete, requiring frequent upgrades that may be costly. For low-income countries, compliance with all proprietary standards may be chal-lenging from a cost perspective, hence the use of open standards is generally recommended. Meeting minimum ISO standards regarding the identity lifecycle for specific applications may be considered in terms of cost effec-tiveness, as these standards prevent countries from costly corrective actions or revamping identification system. For example, if a country rolls out an ID card which is not ICAO compliant and in future the same is used as travel card, it has to incur unnecessary additional costs to reissue ICAO-compliant cards hence.

f. Interoperability and Interconnectivity

As specified in the European interoperability framework for pan-European eGovernment services document (http://ec.europa.eu/idabc/servlets/Docd552.pdf?id=19529), three aspects of interoperability need to be considered:

• Organisational Interoperability

This aspect of interoperability is concerned with defining business goals, modelling business pro-cesses and bringing about the collaboration of administrations that wish to exchange information and may have different internal structures and processes. Moreover, organizational interoperability aims at addressing the requirements of the user community by making services available, easily identifiable, accessible and user-oriented. Example of an activity with reference to digital ID interoperability across organizations/countries would be to map the identity lifecycle processes of that organization with the ISO Authentication assurance framework levels.

• Semantic Interoperability

This aspect of interoperability is concerned with ensuring that the precise meaning of exchanged information is understandable by any other application that was not initially developed for this pur-pose. Semantic interoperability enables systems to combine received information with other infor-mation resources and to process it in a meaningful manner. Semantic interoperability is therefore a prerequisite for the front-end multilingual delivery of services to the user.

Example for digital identity system: Defining the data formats and metadata for identity attributes like name and date of birth would be important to achieve this objective. The format of capturing name and the data type and maximum length of this field is important to ensure correct interpretation and prevent loss of information (length of name, order of specifying the first name, middle name,) format of date—date of birth (mm/dd/yyyy) or dd/mm/yy etc. needs to be agreed upon to ensure correct and complete information/data exchange. For the Aadhaar project in India these standards were defined


in the demographic standard document to enable interoperability of identity data with other systems. This system is being extensively used to provide the Know your Customer (KYC) service based on these standards ensuring data field definition compatibility across various IT systems/applications.

• Technical Interoperability

This aspect of interoperability covers the technical issues of linking computer systems and services. It includes key aspects such as open interfaces, interconnection services, data integration and middle-ware, data presentation and exchange, accessibility and security. Example for digital identity system: Identification of standards for biometrics (fingerprints, face image and iris), digital signature standards, federation protocols

Developing a set of minimum relevant standards for these three layers will therefore help to ensure that identification systems are sufficiently robust and interoperable

g. Foundational Legal Identification Systems

Identity systems developed with the general purpose of identifying individuals and providing proof of ID—may require linking with other functional systems for the provision of services. IT devices from different vendors with varying architectures and operating systems pose interoperability challenges. The development of new technolo-gies also poses challenges regarding interconnectivity. A question arises: should a system be integrated with a central data warehouse, or should a distributed model be implemented? In addition, there is a concern that dif-ferent biometric devices have their own inherent standards that may result in interconnectivity issues. In addition, multimodal systems create complexity as well, since different vendors offer different biometric solutions. ISO standards should be adopted to ensure interoperability and avoid vendor lock-in.

h. Privacy and Security

It is important to build privacy and security into the architecture of a digital ID system. Privacy challenges arise because the various authorities, agencies, and governmental departments requiring and authenticating identities for service provision and administration may have access to citizens’ personal information. Similarly, the systems need to be guarded so that citizens’ information is secure and protected. In consequence, privacy- and security-related standards are of central importance.

i. New Standards Compliance

Compliance with new standards may be challenging for the countries who have already registered large popula-tions. With so many competing requirements for identification systems, choosing which standard to implement and which one to relax (for example, to take cultural considerations into account10) becomes challenging. For countries that have already collected biometric attributes of large populations, it would be challenging to go back and update their data to implement a new standard without recalling all the individuals for re-enrollment. In India, for example, the ISO 24745 security standard—which provides guidance for the protection of biometric informa-tion for confidentiality and integrity during storage or managing identities—was not implemented in the rollout of the Aadhaar project due to the complexity of applicable compliance procedures. Although a security standard to ensure the privacy of individuals became available in 2011, when millions had already registered, it would be dif-ficult to implement retroactively in such a large-scale implementation. Hence, compliance with standards should follow a functional or outcome-based approach.


j. Role of Development Partners

Many countries need technical and financial support to implement standards, including support for infrastructure and training. This includes countries that are upgrading legacy identification systems, as well as those building entirely new systems. In addition, development partners can play a role in thought leadership and advocacy for adopting a standards approach to identification systems. This will require a communications strategy to appraise stakeholders on how market driven standards can encourage (a) business growth, (b) public private partner-ships, and (c) the inclusiveness of individuals to achieve development benefits at a local level.

An international effort to promote standards will require global coordination and partnership between a variety of actors. Such partnerships should also reach beyond the digital identity sector to include agencies such as the United Nations that work on CRVS, as the standards used for these documents have important implications for identity proofing in digital identity systems.

8. THE WAY FORWARDStandards are key to unlocking the value of digital identity for development and supporting an interoperable, scal-able, secure, and efficient digital identity platform for service delivery. Without standards, cross-functional sys-tems inter-operability will be difficult to achieve. With so many standards on the horizon, choosing which to adopt is a key issue. It has been observed that because most of the standard bodies involved in developing biometric enrollment, authentication, issuance and management of identity contribute to the Technical Committees and Working Groups of ISO, its standards are widely accepted. However, the precise choice of relevant standards depends on the purpose, scope, and function of the national identification system.

A strategic approach to developing a set of global minimum standards should translate into an actionable frame-work for country governments and their partners. To achieve this, the following next steps are recommended as a potential way forward:

1. Conduct an in-depth analysis of the standards identified in this document to see if a minimum universal set can be recommended.

2. Provide guidelines and options for implementing a high assurance identity system and applicable stan-dards for the option.

3. Identify standards to advocate for on a continuous basis. Provide thought leadership on promoting a common terminology and framework for standards.

4. Support standards development efforts at the international, regional, national, and country levels, in cooperation with a variety of stakeholders, including key international organizations and public-sector partners.

5. Support technical human resource development efforts at the country level to adopt or implement rel-evant standards.

6. Develop Data Standards and Process standards for semantic and organizational interoperability to achieve a truly interoperable system as described in the Government interoperability framework of vari-ous countries.


BIBLIOGRAPHYAshiq, J. A. The eIDAS Agenda: Innovation, Interoperability and Transparency. Cryptomathic, Retrieved 18

March 2016.

ENISA. Mobile ID Management. European Network and Information Security Agency, Accessed on April 11, 2016.

Europa.eu. Regulations, Directives and Other Acts. The European Union, Retrieved 18 March 2016.

Fumy, Walter, and Manfred Paeschke. Handbook of eID Security: Concepts, Practical Experiences, Technolo-gies. John Wiley & Sons, Dec. 13, 2010.

Gelb, Alan, and Julia Clark. Identification for Development: The Biometrics Revolution. Working Paper, Washing-ton, DC: Center for Global Development, 2013.

Gomes de Andrade, Norberto Nuno, Shara Monteleone, and Aaron Martin. Electronic Identity in Europe: Legal Challenges and Future Perspectives (eID 2020). Joint Research Centre, European Commission, 2013.

GSMA and SIA. Mobile Identity—Unlocking the Potential of the Digital Economy. Groupe Spéciale Mobile Asso-ciation (GSMA) and Secure Identity Alliance, Oct. 2014.

IEEE. What Are Standards? Why Are They Important? IEEE, 2011. http://standardsinsight.com/ieee_company_detail/what-are-standards-why-are-they-important.

ITU. Biometrics and Standards. Telecommunication Standardization Sector, International Telecommunication Union, Accessed on April 11, 2016.

ITU. Biometric Standards: ITU-T Technology Watch Report. International Telecommunications Union, Dec. 2009.

PIRA. The Future of Personal ID to 2019. Smithers PIRA International, 06 June 2014.

“Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive.” 1999/93/EC.

Turner, Dawn M. eIDAS from Directive to Regulation—Legal Aspects. Cryptomathic, Retrieved 18 March 2016.

Turner, Dawn M. Understanding Major Terms Around Digital Signatures. Cryptomathic, Retrieved 18 March 2016.

van Zijp, Jacques. Is the EU Ready for eIDAS? Secure Identity Alliance, Retrieved 18 March 2016.

Williams-Grut, Oscar. “Estonia wants to become a ‘country as a service’.” Business Insider, 2016.

World Bank. Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation. Washington, DC: World Bank Group, 2016.


APP

ENDI

X A

ISO

/IEC

JTC

SUBC

OM

MIT

TEE,

WO

RK

ING

GRO

UPS

AN

D TH

EIR

MA

NDA

TE

SU

BC

OM

MIT

TEE

S/

WO

RK

ING

GR

OU

PS

CO

PE

DE

SC

RIP

TIO

N

ISO

/IEC

JTC

1/S

C 3

7 B

iom

etric

sS

tand

ardi

zatio

n of

gen

eric

bio

met

ric te

chno

logi

es p

erta

inin

g to

hum

an

bein

gs to

sup

port

inte

rope

rabi

lity

and

data

inte

rcha

nge

amon

g ap

plic

a-tio

ns a

nd s

yste

ms

Com

mon

file

fram

ewor

ks, B

iom

etric

ap

plic

atio

n pr

ogra

mm

ing

inte

rface

s (B

AP

I), B

iom

etric

dat

a in

terc

hang

e fo

r-m

ats,

Rel

ated

bio

met

ric p

rofil

es, A

ppli-

catio

n of

eva

luat

ion

crite

ria to

bio

met

ric

tech

nolo

gies

, Met

hodo

logi

es fo

r per

for-

man

ce te

stin

g an

d re

porti

ng a

nd c

ross

ju

risdi

ctio

nal a

nd s

ocie

tal a

spec

ts

ISO

/IEC

JTC

1/S

C 3

7/W

G 1

Har

mon

ized

Bio

met

ric V

ocab

ular

y

ISO

/IEC

JTC

1/S

C 3

7/W

G 2

Bio

met

ric T

echn

ical

Inte

rface

s

ISO

/IEC

JTC

1/S

C 3

7/W

G 3

Bio

met

ric D

ata

Inte

rcha

nge

Form

ats

ISO

/IEC

JTC

1/S

C 3

7/W

G 4

Tech

nica

l Im

plem

enta

tion

of B

iom

etric

Sys

tem

s

ISO

/IEC

JTC

1/S

C 3

7/W

G 5

ISO

/IEC

JTC

1/S

C 3

7/W

G 6

Bio

met

ric T

estin

g an

d R

epor

ting

Cro

ss J

uris

dict

iona

l and

Soc

ieta

l Asp

ects

of B

iom

etric

s

ISO

/IEC

JTC

1/S

C 2

7 IT

Sec

urity

te

chni

ques

The

deve

lopm

ent o

f sta

ndar

ds fo

r the

pro

tect

ion

of in

form

atio

n an

d IC

T.

This

incl

udes

gen

eric

met

hods

, tec

hniq

ues

and

guid

elin

es to

add

ress

bot

h se

curit

y an

d pr

ivac

y as

pect

s. 1

) Sec

urity

requ

irem

ents

cap

ture

met

h-od

olog

y; 2

) Man

agem

ent o

f inf

orm

atio

n an

d IC

T se

curit

y, in

par

ticul

ar

info

rmat

ion

secu

rity

man

agem

ent s

yste

ms,

sec

urity

pro

cess

es, s

ecur

ity

cont

rols

and

ser

vice

s; 3

) Cry

ptog

raph

ic a

nd o

ther

sec

urity

mec

hani

sms,

in

clud

ing

but n

ot li

mite

d to

mec

hani

sms

for p

rote

ctin

g th

e ac

coun

tabi

lity,

av

aila

bilit

y, in

tegr

ity a

nd c

onfid

entia

lity

of in

form

atio

n; 4

) Sec

urity

man

-ag

emen

t sup

port

docu

men

tatio

n in

clud

ing

term

inol

ogy,

gui

delin

es a

s w

ell

as p

roce

dure

s fo

r the

regi

stra

tion

of s

ecur

ity c

ompo

nent

s; 5

) Sec

urity

as

pect

s of

iden

tity

man

agem

ent,

biom

etric

s an

d pr

ivac

y; 6

) Con

form

ance

as

sess

men

t, ac

cred

itatio

n an

d au

ditin

g re

quire

men

ts in

the

area

of i

nfor

-m

atio

n se

curit

y m

anag

emen

t sys

tem

s; 7

) Sec

urity

eva

luat

ion

crite

ria a

nd

met

hodo

logy

.

Dev

elop

s In

tern

atio

nal S

tand

ards

, Tec

h-ni

cal R

epor

ts, a

nd T

echn

ical

Spe

cific

a-tio

ns w

ithin

the

field

of i

nfor

mat

ion

and

IT

secu

rity.

Sta

ndar

diza

tion

activ

ity b

y th

is

subc

omm

ittee

incl

udes

gen

eral

met

hods

, m

anag

emen

t sys

tem

requ

irem

ents

, tec

h-ni

ques

and

gui

delin

es to

add

ress

bot

h in

form

atio

n se

curit

y an

d pr

ivac

y.

(con

tinue

d)


SU

BC

OM

MIT

TEE

S/

WO

RK

ING

GR

OU

PS

CO

PE

DE

SC

RIP

TIO

N

ISO

/IEC

JTC

1/S

C 2

7/S

WG

-MM

anag

emen

t

ISO

/IEC

JTC

1/S

C 2

7/S

WG

-TTr

ansv

ersa

l ite

ms

ISO

/IEC

JTC

1/S

C 2

7/W

G 1

Info

rmat

ion

secu

rity

man

agem

ent s

yste

ms

ISO

/IEC

JTC

1/S

C 2

7/W

G 2

Cry

ptog

raph

y an

d se

curit

y m

echa

nism

s

ISO

/IEC

JTC

1/S

C 2

7/W

G 3

Sec

urity

eva

luat

ion,

test

ing

and

spec

ifica

tion

ISO

/IEC

JTC

1/S

C 2

7/W

G 4

Sec

urity

con

trols

and

ser

vice

s

ISO

/IEC

JTC

1/S

C 2

7/W

G 5

Iden

tity

man

agem

ent a

nd p

rivac

y te

chno

logi

es

ISO

/IEC

JTC

1/S

C 1

7 fo

r Car

ds

and

pers

onal

iden

tific

atio

n S

tand

ardi

zatio

n in

the

area

of:

Iden

tific

atio

n an

d re

late

d do

cum

ents

, car

ds

and,

dev

ices

ass

ocia

ted

with

thei

r use

in in

ter-

indu

stry

app

licat

ions

and

in

tern

atio

nal i

nter

chan

ge

Dev

elop

s an

d fa

cilit

ates

sta

ndar

ds w

ithin

th

e fie

ld o

f ide

ntifi

catio

n ca

rds

and

per-

sona

l ide

ntifi

catio

n

ISO

/IEC

JTC

1/S

C 1

7/W

G 1

Phy

sica

l cha

ract

eris

tics

and

test

met

hods

for I

D c

ards

ISO

/IEC

JTC

1/S

C 1

7/W

G 3

Iden

tific

atio

n ca

rds—

Mac

hine

read

able

trav

el d

ocum

ents

ISO

/IEC

JTC

1/S

C 1

7/W

G 4

Inte

grat

ed c

ircui

t car

ds

ISO

/IEC

JTC

1/S

C 1

7/W

G 5

Reg

istra

tion

Man

agem

ent G

roup

(RM

G)

ISO

/IEC

JTC

1/S

C 1

7/W

G 8

Inte

grat

ed c

ircui

t car

ds w

ithou

t con

tact

s

ISO

/IEC

JTC

1/S

C 1

7/W

G 9

Opt

ical

mem

ory

card

s an

d de

vice

s

ISO

/IEC

JTC

1/S

C 1

7/W

G 1

0M

otor

veh

icle

driv

er li

cens

e an

d re

late

d do

cum

ents

ISO

/IEC

JTC

1/S

C 1

7/W

G 1

1A

pplic

atio

n of

bio

met

rics

to c

ards

and

per

sona

l ide

ntifi

catio

n

Sour

ce: I

SO

htt

p://

ww

w is

o or

g/is

o/ho

me

htm

Con

tinu

ed


APP

END

IX B

ST

AN

DAR

DS

DES

CRIP

TIO

N

STA

ND

AR

DD

ES

CR

IPTI

ON

ISO

/IEC

197

85 In

for-

mat

ion

tech

nolo

gy—

Com

mon

Bio

met

ric

Exc

hang

e Fo

rmat

s Fr

amew

ork

(CB

EFF

)

The

stan

dard

def

ines

a b

asic

stru

ctur

e fo

r sta

ndar

dize

d bi

omet

ric in

form

atio

n re

cord

s (B

IRs)

with

in th

e C

omm

on B

iom

etric

E

xcha

nge

Form

ats

Fram

ewor

k (C

BE

FF).

This

stru

ctur

e co

nsis

ts o

f thr

ee p

arts

: the

sta

ndar

d bi

omet

ric h

eade

r (S

BH

), th

e bi

omet

-ric

dat

a bl

ock

(BD

B),

and

the

secu

rity

bloc

k (S

B).

CB

EFF

als

o de

fines

sev

eral

dat

a el

emen

ts a

nd th

eir s

tand

ardi

zed

abst

ract

val

-ue

s th

at c

an b

e us

ed in

SB

Hs

and

SB

s (C

BE

FF tr

eats

the

BD

B a

s op

aque

dat

a). C

BE

FF a

lso

esta

blis

hes

mec

hani

sms

by w

hich

or

gani

zatio

ns, c

alle

d “p

atro

ns” b

y C

BE

FF, c

an s

peci

fy a

nd p

ublis

h B

IR fo

rmat

spe

cific

atio

ns, w

hich

are

in tu

rn c

alle

d “p

atro

n fo

rmat

s.” C

BE

FF e

nabl

es p

atro

ns to

dev

elop

BIR

spe

cific

atio

ns th

at a

re fu

lly s

tand

ardi

zed

and

inte

rope

rabl

e, y

et a

re s

peci

fical

ly

adap

ted

to th

e re

quire

men

ts o

f a p

artic

ular

app

licat

ion

envi

ronm

ent.

CB

EFF

def

ines

rule

s fo

r BIR

s th

at c

onta

in o

nly

one

BD

B

(sim

ple

BIR

) and

that

con

tain

at l

east

one

BD

B (c

ompl

ex B

IR).

CB

EFF

def

ines

man

dato

ry d

ata

elem

ents

that

iden

tify

the

form

at

of a

BD

B a

nd it

s se

curit

y at

tribu

tes

(enc

rypt

ion

and

inte

grity

). A

ll th

e ot

her C

BE

FF-d

efin

ed d

ata

elem

ents

and

abs

tract

val

ues

are

optio

nal.

CB

EFF

ena

bles

pat

rons

to d

efin

e ad

ditio

nal d

ata

elem

ents

and

abs

tract

val

ues

as re

quire

d by

the

appl

icat

ion

envi

ron-

men

t. Th

e st

anda

rd w

as u

pdat

ed in

201

5. P

rote

ctio

n of

the

priv

acy

of in

divi

dual

s fro

m in

appr

opria

te d

isse

min

atio

n an

d us

e of

bi

omet

ric d

ata

is n

ot in

the

scop

e of

this

par

t of I

SO

/IEC

197

85 b

ut m

ay b

e su

bjec

t to

natio

nal r

egul

atio

n.

ISO

/IEC

197

94—

(Ser

ies)

Bio

met

ric

data

inte

rcha

nge

form

s

Fram

ewor

k de

scrib

es th

e ge

nera

l asp

ects

and

requ

irem

ents

for d

efin

ing

biom

etric

dat

a in

terc

hang

e fo

rmat

s. T

he n

otat

ion

and

trans

fer f

orm

ats

prov

ide

plat

form

inde

pend

ence

and

sep

arat

ion

of tr

ansf

er s

ynta

x fro

m c

onte

nt d

efin

ition

. Dat

a fo

rmat

s fo

r rep

re-

sent

atio

n of

fing

erpr

ints

usi

ng th

e fu

ndam

enta

l not

ion

of m

inut

iae.

Rel

evan

t for

aut

omat

ed fi

nger

prin

t rec

ogni

tion.

Fac

ial r

ecog

ni-

tion

form

ats.

ISO

/IEC

154

44 (a

ll pa

rts) I

nfor

mat

ion

tech

nolo

gy—

JPE

G

2000

imag

e co

ding

sy

stem

This

sta

ndar

d de

al w

ith J

PE

G 2

000

Imag

e co

ding

sys

tem

s. It

dea

ls w

ith S

patia

l (sa

mpl

es),

trans

form

ed (c

oeffi

cien

ts) a

nd C

om-

pres

sed

imag

e da

ta. V

ario

us e

lem

ents

suc

h as

enc

oder

, dec

oder

, cod

e st

ream

, opt

iona

l file

form

ats

with

syn

tax,

reco

nstru

ctio

n of

im

age

data

, and

gui

delin

es h

ow to

impl

emen

t the

se p

roce

sses

in p

ract

ice

are

expl

aine

d.

(con

tinue

d)


STA

ND

AR

DD

ES

CR

IPTI

ON

ISO

/IEC

297

94Q

ualit

y m

etric

s ar

e us

eful

for s

ever

al a

pplic

atio

ns in

the

field

of b

iom

etric

s. IS

O/IE

C 2

9794

def

ines

and

spe

cifie

s m

etho

dolo

gies

fo

r obj

ectiv

e, q

uant

itativ

e qu

ality

sco

re e

xpre

ssio

n, in

terp

reta

tion,

and

inte

rcha

nge.

Thi

s st

anda

rd is

inte

nded

to a

dd v

alue

to a

br

oad

spec

trum

of a

pplic

atio

ns in

a m

anne

r tha

t

a) e

ncou

rage

s co

mpe

titio

n, in

nova

tion,

inte

rope

rabi

lity

and

perfo

rman

ce im

prov

emen

ts; a

nd

b) a

void

s bi

as to

war

ds a

pplic

atio

ns, m

odal

ities

, or t

echn

ique

s.

It pr

esen

ts s

ever

al b

iom

etric

sam

ple

qual

ity s

corin

g to

ols,

the

use

of w

hich

is g

ener

ally

opt

iona

l but

can

be

dete

rmin

ed to

be

man

dato

ry b

y ap

plic

atio

n pr

ofile

s or

spe

cific

impl

emen

tatio

ns. I

t con

sist

s of

the

follo

win

g pa

rts, u

nder

the

gene

ral t

itle

Info

rmat

ion

tech

nolo

gy—

Bio

met

ric s

ampl

e qu

ality

:

• P

art 1

: Fra

mew

ork

• P

art 4

: Fin

ger i

mag

e da

ta

• P

art 5

: Fac

ial i

mag

e da

ta [T

echn

ical

Rep

ort]

• P

art 6

: Iris

imag

e da

ta

ISO

/IEC

781

0IS

O/IE

C 7

810

is o

ne o

f a s

erie

s of

sta

ndar

ds d

escr

ibin

g th

e ch

arac

teris

tics

of id

entif

icat

ion

card

s. T

he p

urpo

se is

to p

rovi

de

crite

ria to

whi

ch c

ards

sha

ll pe

rform

and

to s

peci

fy th

e re

quire

men

ts fo

r suc

h ca

rds

used

for i

nter

natio

nal i

nter

chan

ge. I

t tak

es in

to

cons

ider

atio

n bo

th h

uman

and

mac

hine

asp

ects

and

sta

tes

min

imum

requ

irem

ents

. It d

efin

es v

ario

us s

izes

(4) o

f the

ID c

ards

, th

e co

nditi

ons

for c

onfo

rman

ce, t

he d

imen

sion

s an

d to

lera

nces

of t

he id

entif

icat

ion

card

s; th

e co

nstru

ctio

n an

d m

ater

ials

of t

he

iden

tific

atio

n ca

rds;

and

the

phys

ical

cha

ract

eris

tics

of th

e ca

rds

such

as

bend

ing

stiff

ness

, fla

mm

abili

ty, t

oxic

ity, r

esis

tanc

e to

ch

emic

als,

dim

ensi

onal

sta

bilit

y, a

dhes

ion

or b

lock

ing,

war

page

, res

ista

nce

to h

eat,

surfa

ce d

isto

rtion

s, a

nd c

onta

min

atio

n—al

l ar

e el

abor

ated

in th

is s

tand

ard.

ISO

/IEC

781

1 S

erie

sIS

O/IE

C 7

811

Ser

ies

stan

dard

des

crib

es c

hara

cter

istic

s of

iden

tific

atio

n ca

rds

with

mag

netic

stri

pes.

It s

peci

fies

the

embo

ssin

g,

mag

netic

stri

pe, l

ocat

ion

of R

ead

Onl

y m

agne

tic tr

acks

, loc

atio

n of

Rea

d/W

rite

Mag

netic

Tra

cks,

etc

.

ISO

781

2IS

O/IE

C 7

812

Iden

tific

atio

n ca

rds—

Iden

tific

atio

n of

issu

ers

was

firs

t pub

lishe

d by

the

Inte

rnat

iona

l Org

aniz

atio

n fo

r Sta

ndar

d-iz

atio

n (IS

O) i

n 19

89. I

t is

the

inte

rnat

iona

l sta

ndar

d th

at s

peci

fies

“a n

umbe

ring

syst

em fo

r the

iden

tific

atio

n of

issu

ers

of c

ards

th

at re

quire

an

issu

er id

entif

icat

ion

num

ber (

IIN) t

o op

erat

e in

inte

rnat

iona

l, in

ter-

indu

stry

and

/or i

ntra

-indu

stry

inte

rcha

nge,

” and

pr

oced

ures

for r

egis

terin

g IIN

s. [2

] IS

O/IE

C 7

812

have

two

parts

:

Par

t 1: N

umbe

ring

syst

em

Par

t 2: A

pplic

atio

n an

d re

gist

ratio

n pr

oced

ures

(con

tinue

d)

Con

tinu

ed


(con

tinue

d)

STA

ND

AR

DD

ES

CR

IPTI

ON

ISO

/IEC

781

3IS

O/IE

C 7

813

spec

ifies

the

stan

dard

s fo

r car

ds u

sed

for f

inan

cial

tran

sact

ions

. It s

peci

fies

the

data

stru

ctur

e an

d da

ta c

onte

nt

of m

agne

tic tr

acks

1 a

nd 2

, whi

ch a

re u

sed

to in

itiat

e fin

anci

al tr

ansa

ctio

ns. I

t tak

es in

to c

onsi

dera

tion

both

hum

an a

nd p

hysi

cal

aspe

cts

and

stat

es m

inim

um re

quire

men

ts o

f con

form

ity. I

t ref

eren

ces

layo

ut, r

ecor

ding

tech

niqu

es, n

umbe

ring

syst

ems,

regi

stra

-tio

n pr

oced

ures

, but

not

sec

urity

requ

irem

ents

.

ISO

/IEC

180

13Th

e IS

O/IE

C 1

8013

sta

ndar

d es

tabl

ishe

s gu

idel

ines

for t

he d

esig

n fo

rmat

and

dat

a co

nten

t of I

SO/IE

C-c

ompl

iant

driv

ing

licen

ses

(IDL)

with

rega

rd to

hum

an-re

adab

le fe

atur

es (I

SO/IE

C 1

8013

-1),

mac

hine

-read

able

tech

nolo

gies

(ISO

/IEC

180

13-2

), an

d ac

cess

co

ntro

l, au

then

ticat

ion

and

inte

grity

val

idat

ion

(ISO

/IEC

180

13-3

). It

crea

tes

a co

mm

on b

asis

for i

nter

natio

nal u

se a

nd m

utua

l rec

og-

nitio

n of

the

IDL

with

out i

mpe

ding

indi

vidu

al c

ount

ries/

stat

es fr

om a

pply

ing

thei

r priv

acy

rule

s an

d na

tiona

l/com

mun

ity/re

gion

al m

otor

ve

hicl

e au

thor

ities

in ta

king

car

e of

thei

r spe

cific

nee

ds.

ISO

/IEC

781

6IS

O/IE

C 7

816

is a

mul

ti-pa

rt in

tern

atio

nal s

tand

ard

brok

en in

to fo

urte

en p

arts

. IS

O/IE

C 7

816

Par

ts 1

, 2 a

nd 3

dea

ls o

nly

with

co

ntac

t sm

art c

ards

and

def

ine

the

vario

us a

spec

ts o

f the

car

d an

d its

inte

rface

s, in

clud

ing

the

card

’s p

hysi

cal d

imen

sion

s, th

e el

ectri

cal i

nter

face

and

the

com

mun

icat

ions

pro

toco

ls. I

SO

/IEC

781

6 P

arts

4, 5

, 6, 8

, 9, 1

1, 1

3 an

d 15

are

rele

vant

to a

ll ty

pes

of

smar

t car

ds (c

onta

ct a

s w

ell a

s co

ntac

tless

). Th

ey d

efin

e th

e ca

rd lo

gica

l stru

ctur

e (fi

les

and

data

ele

men

ts),

vario

us c

omm

ands

us

ed b

y th

e ap

plic

atio

n pr

ogra

mm

ing

inte

rface

for b

asic

use

, app

licat

ion

man

agem

ent,

biom

etric

ver

ifica

tion,

cry

ptog

raph

ic s

er-

vice

s an

d ap

plic

atio

n na

min

g. IS

O/IE

C 7

816

Par

t 10

is u

sed

by m

emor

y ca

rds

for a

pplic

atio

ns s

uch

as p

repa

id te

leph

one

card

s or

ve

ndin

g m

achi

nes.

ISO

/IEC

781

6 P

art 7

def

ines

a s

ecur

e re

latio

nal d

atab

ase

appr

oach

for s

mar

t car

ds b

ased

on

the

SQ

L in

ter-

face

s (S

CQ

L).

ISO

/IEC

144

43IS

O/IE

C 1

4443

is a

n in

tern

atio

nal s

tand

ard

that

def

ines

the

inte

rface

s to

a “c

lose

pro

xim

ity” c

onta

ctle

ss s

mar

t car

d, in

clud

ing

the

radi

o fre

quen

cy (R

F) in

terfa

ce, t

he e

lect

rical

inte

rface

, and

the

com

mun

icat

ions

and

ant

i-col

lisio

n pr

otoc

ols.

ISO

/IEC

144

43

com

plia

nt c

ards

ope

rate

at 1

3.56

MH

z an

d ha

ve a

n op

erat

iona

l ran

ge o

f up

to 1

0 ce

ntim

eter

s (3

.94

inch

es).

ISO

/IEC

144

43 is

the

prim

ary

cont

actle

ss s

mar

t car

d st

anda

rd b

eing

use

d fo

r tra

nsit,

fina

ncia

l, an

d ac

cess

con

trol a

pplic

atio

ns. I

t is

also

use

d in

ele

c-tro

nic

pass

ports

and

in th

e FI

PS

201

PIV

car

d.

ICA

O 9

303

Sta

ndar

d fo

r Mac

hine

Rea

dabl

e Tr

avel

Doc

umen

ts

A m

achi

ne-re

adab

le tr

avel

doc

umen

t (M

RTD

) is

in fa

ct a

trav

el d

ocum

ent w

ith th

e da

ta o

n th

e id

entit

y pa

ge e

ncod

ed in

opt

ical

ch

arac

ter r

ecog

nitio

n fo

rmat

. Man

y co

untri

es b

egan

to is

sue

mac

hine

-read

able

trav

el d

ocum

ents

in th

e 19

80s.

Mos

t tra

vel p

ass-

ports

wor

ldw

ide

are

MR

Ps. T

hey

are

stan

dard

ized

by

the

ICAO

Doc

umen

t 930

3 (e

ndor

sed

by th

e In

tern

atio

nal O

rgan

izat

ion

for

Stan

dard

izat

ion

and

the

Inte

rnat

iona

l Ele

ctro

tech

nica

l Com

mis

sion

as

ISO

/IEC

750

1-1)

and

hav

e a

spec

ial m

achi

ne- re

adab

le

zone

(MR

Z), w

hich

is u

sual

ly a

t the

bot

tom

of t

he id

entit

y pa

ge a

t the

beg

inni

ng o

f a p

assp

ort o

r tra

vel c

ard

with

bas

ic id

entit

y in

form

atio

n.

Con

tinu

ed


STA

ND

AR

DD

ES

CR

IPTI

ON

ISO

/IEC

858

3IS

O 8

583

prov

ides

a fr

amew

ork

for c

reat

ing

prot

ocol

s fo

r the

exc

hang

e of

fina

ncia

l tra

nsac

tion

mes

sage

s. T

ypic

ally,

thes

e ar

e m

es-

sage

s th

at in

volv

e tra

nsac

tions

orig

inat

ing

from

car

ds o

f som

e so

rt or

the

othe

r, be

they

cre

dit o

r deb

it ca

rds.

It is

impo

rtant

to re

aliz

e th

at 8

583

itsel

f is

not a

pro

toco

l, ju

st a

s XM

L is

not

a fi

le fo

rmat

. XM

L ca

n be

con

side

red

a de

scrip

tion

of h

ow to

spe

cify

file

form

ats

for

stru

ctur

ed d

ata

acco

rdin

g to

a s

et o

f rul

es. I

SO 8

583

is a

met

a-pr

otoc

ol p

rovi

ding

a s

et o

f rul

es fo

r the

def

initio

n of

fina

ncia

l tra

nsac

-tio

n pr

otoc

ols.

The

sta

ndar

d, o

ffici

ally

title

d “F

inan

cial

tran

sact

ion

card

orig

inat

ed m

essa

ges—

Inte

rcha

nge

mes

sage

spe

cific

atio

ns” i

s co

mpr

ised

of t

hree

par

ts:

• P

art 1

: Mes

sage

s, d

ata

elem

ents

and

cod

e va

lues

• P

art 2

: App

licat

ion

and

regi

stra

tion

proc

edur

es fo

r Ins

titut

ion

Iden

tific

atio

n C

odes

(IIC

)

• Pa

rt 3:

Mai

nten

ance

pro

cedu

res

for m

essa

ges,

dat

a el

emen

ts a

nd c

ode

valu

es

Eur

opay

, Mas

terc

ard

and

VIS

A (E

MV

) S

tand

ards

EMV

is a

tech

nica

l sta

ndar

d fo

r sm

art p

aym

ent c

ards

and

for p

aym

ent t

erm

inal

s an

d au

tom

ated

telle

r mac

hine

s th

at c

an a

ccep

t th

em. E

MV

(Eur

opay

, Mas

terC

ard

and

Visa

) car

ds a

re s

mar

t car

ds (a

lso

calle

d ch

ip c

ards

or I

C c

ards

), w

hich

sto

re th

eir d

ata

on

inte

grat

ed c

ircui

ts ra

ther

than

mag

netic

stri

pes,

alth

ough

man

y EM

V ca

rds

also

hav

e st

ripes

for b

ackw

ard

com

patib

ility.

The

y ca

n be

co

ntac

t car

ds th

at m

ust b

e ph

ysic

ally

inse

rted

(or “

dipp

ed”)

into

a re

ader

, or c

onta

ctle

ss c

ards

that

can

be

read

ove

r a s

hort

dist

ance

us

ing

radi

o-fre

quen

cy id

entif

icat

ion

(RFI

D) t

echn

olog

y. P

aym

ent c

ards

that

com

ply

with

the

EMV

stan

dard

are

ofte

n ca

lled

chip

-and

-PI

N o

r chi

p-an

d- si

gnat

ure

card

s, d

epen

ding

on

the

exac

t aut

hent

icat

ion

met

hods

requ

ired

to u

se th

em. E

MV

stan

ds fo

r Eur

opay

, M

aste

rCar

d, a

nd V

isa,

the

thre

e co

mpa

nies

that

orig

inal

ly c

reat

ed th

e st

anda

rd. T

he s

tand

ard

is n

ow m

anag

ed b

y EM

VCo,

a c

onso

r-tiu

m w

ith c

ontro

l spl

it eq

ually

am

ong

Visa

, Mas

terc

ard,

JC

B, A

mer

ican

Exp

ress

, Chi

na U

nion

Pay,

and

Dis

cove

r. Th

ere

are

stan

dard

s ba

sed

on IS

O/IE

C 7

816

for c

onta

ct c

ards

, and

sta

ndar

ds b

ased

on

ISO

/IEC

144

43 fo

r con

tact

less

car

ds (P

ayPa

ss, P

ayW

ave,

Ex

pres

sPay

). Vi

sa a

nd M

aste

rCar

d ha

ve a

lso

deve

lope

d st

anda

rds

for u

sing

EM

V ca

rds

in d

evic

es to

sup

port

card

-not

-pre

sent

tra

nsac

tions

ove

r the

tele

phon

e an

d In

tern

et. M

aste

rCar

d ha

s th

e C

hip

Auth

entic

atio

n Pr

ogra

m (C

AP) f

or s

ecur

e e-

com

mer

ce. I

ts

impl

emen

tatio

n is

kno

wn

as E

MV-

CAP

and

sup

ports

man

y m

odes

. Vis

a ha

s th

e D

ynam

ic P

assc

ode

Auth

entic

atio

n (D

PA) s

chem

e,

whi

ch is

thei

r im

plem

enta

tion

of C

AP u

sing

diff

eren

t def

ault

valu

es.

ISO

/IEC

247

61

Info

rmat

ion

te

chno

logy

—S

ecur

ity

tech

niqu

es—

A

uthe

ntic

atio

n co

ntex

t fo

r bio

met

rics

Spe

cifie

s th

e st

ruct

ure

and

the

data

ele

men

ts o

f Aut

hent

icat

ion

Con

text

for B

iom

etric

s (A

CB

io),

whi

ch is

use

d fo

r che

ckin

g th

e va

lidity

of t

he re

sult

of a

bio

met

ric v

erifi

catio

n pr

oces

s ex

ecut

ed a

t a re

mot

e si

te. I

SO

/IEC

247

61:2

009

allo

ws

any

AC

Bio

inst

ance

to

acc

ompa

ny a

ny d

ata

item

that

is in

volv

ed in

any

bio

met

ric p

roce

ss re

late

d to

ver

ifica

tion

and

enro

llmen

t. Th

e sp

ecifi

catio

n of

A

CB

io is

app

licab

le n

ot o

nly

to s

ingl

e m

odal

bio

met

ric v

erifi

catio

n bu

t als

o to

mul

timod

al fu

sion

. IS

O/IE

C 2

4761

:200

9 sp

ecifi

es th

e cr

ypto

grap

hic

synt

ax o

f an

AC

Bio

inst

ance

. The

cry

ptog

raph

ic s

ynta

x of

an

AC

Bio

inst

ance

is b

ased

on

an a

bstra

ct C

rypt

ogra

phic

M

essa

ge S

ynta

x (C

MS

) sch

ema

who

se c

oncr

ete

valu

es c

an b

e re

pres

ente

d us

ing

eith

er a

com

pact

bin

ary

enco

ding

or a

hum

an-

read

able

XM

L en

codi

ng. I

SO

/IEC

247

61:2

009

does

not

def

ine

prot

ocol

s to

be

used

bet

wee

n en

titie

s su

ch a

s bi

omet

ric p

roce

ssin

g un

its, c

laim

ant,

and

valid

ator

. Its

con

cern

is e

ntire

ly w

ith th

e co

nten

t and

enc

odin

g of

the

AC

Bio

inst

ance

s fo

r the

var

ious

pro

cess

-in

g ac

tiviti

es.

(con

tinue

d)

Con

tinu

ed


STA

ND

AR

DD

ES

CR

IPTI

ON

Mob

ile C

onne

ct—

a ne

w in

dust

ry m

echa

-ni

sm fo

r onl

ine

iden

tity

Mob

ile C

onne

ct is

boa

sted

as

a se

cure

uni

vers

al lo

g-in

sol

utio

n. It

is in

crea

sing

ly b

ecom

ing

a ne

w s

tand

ard

in d

igita

l aut

hent

ica-

tion.

Sim

ply

by m

atch

ing

the

user

to th

eir m

obile

pho

ne, M

obile

Con

nect

allo

ws

them

to lo

g in

to w

ebsi

tes

and

appl

icat

ions

qui

ckly

w

ithou

t the

nee

d to

rem

embe

r pas

swor

ds a

nd u

ser n

ames

. It i

s ge

nera

lly c

onsi

dere

d as

saf

e, s

ecur

e an

d no

per

sona

l inf

orm

atio

n is

sha

red

with

out p

erm

issi

on. T

he s

tand

ard

is b

ack

by th

e m

obile

indu

stry

con

sorti

um k

now

n as

Gro

upe

Spe

cial

e M

obile

Ass

ocia

-tio

n (G

SM

A).

Eur

opea

n U

nion

end

orse

d th

e G

SM

pro

ject

in 1

986.

Mob

ile C

onne

ct is

ava

ilabl

e to

2 b

illio

n co

nsum

ers

glob

ally.

It

is b

ecom

ing

popu

lar a

s it

offe

rs a

sol

utio

n by

pro

vidi

ng c

itize

ns w

ith a

sec

ure

and

conv

enie

nt w

ay to

pro

ve w

ho th

ey a

re, w

ith th

e de

vice

that

is a

lway

s w

ith th

em: t

heir

mob

ile p

hone

. Mob

ile C

onne

ct c

an s

uppo

rt e-

gove

rnm

ent d

igita

l ide

ntity

aut

hent

icat

ion

for

citiz

ens

givi

ng a

cces

s to

pub

lic s

ervi

ces,

sm

art c

ities

, hea

lth c

are,

edu

catio

n, c

ross

bor

der p

ublic

ser

vice

s an

d vo

ting.

Thr

ough

the

in-b

uilt

priv

acy

prot

ectio

n of

fere

d, it

can

sim

plify

ano

nym

ous

regi

stra

tion

whe

re c

itize

n en

title

men

t doe

s no

t nee

d to

be

chec

ked,

an

d re

duce

the

risk

of d

ata

brea

ches

as

wel

l as

cut g

over

nmen

ts’ c

osts

to s

erve

. By

deliv

erin

g th

ese

bene

fits

to c

itize

ns a

nd

empl

oyee

s, M

obile

Con

nect

has

a p

oten

tial t

o st

reng

then

trus

t and

upt

ake

of e

-gov

ernm

ent s

ervi

ces.

ISO

/IEC

247

45:2

011

Info

rmat

ion

tech

nolo

gy-s

ecur

ity

tech

niqu

es—

Bio

met

ric

info

rmat

ion

prot

ectio

n

Pro

vide

s gu

idan

ce fo

r the

pro

tect

ion

of b

iom

etric

info

rmat

ion

unde

r var

ious

requ

irem

ents

for c

onfid

entia

lity,

inte

grity

and

rene

w-

abili

ty/re

voca

bilit

y du

ring

stor

age

and

trans

fer.

Add

ition

ally,

ISO

/IEC

247

45:2

011

prov

ides

requ

irem

ents

and

gui

delin

es fo

r the

se

cure

and

priv

acy-

com

plia

nt m

anag

emen

t and

pro

cess

ing

of b

iom

etric

info

rmat

ion.

• an

alys

is o

f the

thre

ats

to a

nd c

ount

erm

easu

res

inhe

rent

in a

bio

met

ric a

nd b

iom

etric

sys

tem

app

licat

ion

mod

els;

• se

curit

y re

quire

men

ts fo

r sec

ure

bind

ing

betw

een

a bi

omet

ric re

fere

nce

and

an id

entit

y re

fere

nce;

• bi

omet

ric s

yste

m a

pplic

atio

n m

odel

s w

ith d

iffer

ent s

cena

rios

for t

he s

tora

ge o

f bio

met

ric re

fere

nces

and

com

paris

on; a

nd

• gu

idan

ce o

n th

e pr

otec

tion

of a

n in

divi

dual

’s p

rivac

y du

ring

the

proc

essi

ng o

f bio

met

ric in

form

atio

n.

How

ever

, doe

s no

t inc

lude

mea

sure

s fo

r phy

sica

l, en

viro

nmen

tal s

ecur

ity a

nd k

ey m

anag

emen

t for

cry

ptog

raph

ic te

chni

ques

.

FID

O m

echa

nism

for

secu

rity

devi

ces

and

plug

-ins

The

FID

O (F

ast I

Den

tity

Onl

ine)

Alli

ance

is a

non

prof

it or

gani

zatio

n fo

rmed

in J

uly

2012

to a

ddre

ss th

e la

ck o

f int

erop

erab

ility

am

ong

stro

ng a

uthe

ntic

atio

n de

vice

s as

wel

l as

the

prob

lem

s us

ers

face

with

cre

atin

g an

d re

mem

berin

g m

ultip

le u

ser n

ames

an

d pa

ssw

ords

. The

FID

O A

llian

ce p

lans

to c

hang

e th

e na

ture

of a

uthe

ntic

atio

n by

dev

elop

ing

spec

ifica

tions

that

def

ine

an o

pen,

sc

alab

le, i

nter

oper

able

set

of m

echa

nism

s th

at s

uppl

ant r

elia

nce

on p

assw

ords

to s

ecur

ely

auth

entic

ate

user

s of

onl

ine

serv

ices

. Th

is n

ew s

tand

ard

for s

ecur

ity d

evic

es a

nd b

row

ser p

lug-

ins

will

allo

w a

ny w

ebsi

te o

r Clo

ud a

pplic

atio

n to

inte

rface

with

a b

road

va

riety

of e

xist

ing

and

futu

re F

IDO

-ena

bled

dev

ices

that

the

user

has

for o

nlin

e se

curit

y. F

IDO

pro

toco

ls a

re b

ased

on

publ

ic k

ey

cryp

togr

aphy

and

are

stro

ngly

resi

stan

t to

phis

hing

.

Con

tinu

ed

(con

tinue

d)


STA

ND

AR

DD

ES

CR

IPTI

ON

eID

AS

Reg

ulat

ion

of

Eur

opea

n U

nion

eID

AS

sta

nds

for E

U R

egul

atio

n N

o 91

0/20

14 o

n el

ectro

nic

iden

tific

atio

n an

d tru

st s

ervi

ces

for e

lect

roni

c tra

nsac

tions

. eID

AS

w

as p

ublis

hed

by th

e E

urop

ean

Par

liam

ent a

nd th

e E

urop

ean

Cou

ncil

on J

uly

23, 2

014.

eID

AS

ove

rsee

s el

ectro

nic

iden

tific

atio

n an

d tru

st s

ervi

ces

for e

lect

roni

c tra

nsac

tions

in th

e E

urop

ean

Uni

on’s

inte

rnal

mar

ket.

It re

gula

tes

elec

troni

c si

gnat

ures

, ele

c-tro

nic

trans

actio

ns, i

nvol

ved

bodi

es a

nd th

eir e

mbe

ddin

g pr

oces

ses

to p

rovi

de a

saf

e w

ay fo

r use

rs to

con

duct

bus

ines

s on

line

like

elec

troni

c fu

nds

trans

fer o

r tra

nsac

tions

with

pub

lic s

ervi

ces.

Bot

h th

e si

gnat

ory

and

reci

pien

t hav

e ac

cess

to a

hig

her l

evel

of

con

veni

ence

and

sec

urity

. Ins

tead

of r

elyi

ng o

n tra

ditio

nal m

etho

ds, s

uch

as m

ail,

facs

imile

ser

vice

, or a

ppea

ring

in p

erso

n to

su

bmit

pape

r-ba

sed

docu

men

ts, t

hey

may

now

per

form

tran

sact

ions

acr

oss

bord

ers,

e.g

., us

ing

“1-C

lick”

tech

nolo

gy. [

1][2

] eID

AS

ha

s cr

eate

d st

anda

rds

for w

hich

ele

ctro

nic

sign

atur

es, e

lect

roni

c se

als,

tim

e st

amps

and

oth

er p

roof

for a

uthe

ntic

atio

n pu

rpos

es

prov

ide

elec

troni

c tra

nsac

tions

with

the

sam

e le

gal s

tand

ing

as tr

ansa

ctio

ns p

erfo

rmed

on

pape

r.

ISO

/IEC

247

60

Info

rmat

ion

Tech

nolo

gy-S

ecur

ity

Tech

niqu

es—

A fra

mew

ork

of Id

entit

y M

anag

emen

t

Dat

a pr

oces

sing

syst

ems

com

mon

ly ga

ther

a ra

nge

of in

form

atio

n on

thei

r use

rs, b

e it

a pe

rson

, pie

ce o

f equ

ipm

ent,

or p

iece

of s

oftw

are

conn

ecte

d to

them

, and

mak

e de

cisio

ns b

ased

on

the

gath

ered

info

rmat

ion.

Suc

h id

entit

y-ba

sed

decis

ions

may

con

cern

acc

ess

to a

pplic

a-tio

ns o

r oth

er re

sour

ces.

To

addr

ess

the

need

to e

fficie

ntly

and

effe

ctive

ly im

plem

ent s

yste

ms

that

mak

e id

entit

y-ba

sed

decis

ions

, ISO

/IEC

24

760

spec

ifies

a fra

mew

ork

for t

he is

suan

ce, a

dmin

istra

tion,

and

use

of d

ata

that

ser

ves

to c

hara

cter

ize in

divid

uals,

org

aniza

tions

, or i

nfor

-m

atio

n te

chno

logy

com

pone

nts

that

ope

rate

on

beha

lf of

indi

vidua

ls or

org

aniza

tions

. For

man

y or

gani

zatio

ns, t

he p

rope

r man

agem

ent o

f id

entit

y in

form

atio

n is

cruc

ial t

o m

aint

ain

secu

rity

of th

e or

gani

zatio

nal p

roce

sses

. For

indi

vidua

ls, c

orre

ct id

entit

y m

anag

emen

t is

impo

rtant

to

prot

ect p

rivac

y. IS

O/IE

C 2

4760

Ser

ies

spec

ifies

fund

amen

tal c

once

pts

and

oper

atio

nal s

truct

ures

of i

dent

ity m

anag

emen

t with

the

purp

ose

to re

alize

info

rmat

ion

syst

em m

anag

emen

t so

that

info

rmat

ion

syst

ems

can

mee

t bus

ines

s, c

ontra

ctua

l, re

gula

tory

and

lega

l obl

igat

ions

.

ISO

/IEC

291

09IS

O/IE

C 2

9109

def

ines

the

conc

epts

of c

onfo

rman

ce te

stin

g fo

r bio

met

ric d

ata

inte

rcha

nge

form

ats

and

defin

es a

gen

eral

con

-fo

rman

ce-te

stin

g fra

mew

ork.

It s

peci

fies

com

mon

(mod

ality

-neu

tral)

elem

ents

of t

he te

stin

g m

etho

dolo

gy, s

uch

as te

st m

etho

ds

and

proc

edur

es, i

mpl

emen

tatio

n co

nfor

man

ce c

laim

s, a

nd te

st re

sults

repo

rting

. It a

lso

prov

ides

the

asse

rtion

lang

uage

def

ini-

tion

and

sets

forth

oth

er te

stin

g an

d re

porti

ng re

quire

men

ts, a

nd o

utlin

es o

ther

asp

ects

of t

he c

onfo

rman

ce te

stin

g m

etho

dol-

ogy

that

are

gen

eral

ly a

pplic

able

and

not

mod

ality

spe

cific

. As

part

of th

e co

nfor

man

ce te

stin

g m

etho

dolo

gy, d

iffer

ent t

ypes

and

le

vels

of c

onfo

rman

ce te

stin

g ar

e de

scrib

ed, a

s w

ell a

s th

eir a

pplic

abili

ty. T

he c

onfo

rman

ce te

stin

g m

etho

dolo

gy s

peci

fied

in

ISO

/IEC

291

09-1

:200

9 is

con

cern

ed o

nly

with

dat

a in

terc

hang

e fo

rmat

reco

rds

and

syst

ems

that

pro

duce

or u

se th

ese

reco

rds.

ISO

/IEC

291

15IS

O/IE

C 2

9115

:201

3 pr

ovid

es a

fram

ewor

k fo

r man

agin

g en

tity

auth

entic

atio

n as

sura

nce

in a

giv

en c

onte

xt. I

n pa

rticu

lar,

it:

• sp

ecifi

es fo

ur le

vels

of e

ntity

aut

hent

icat

ion

assu

ranc

e;

• sp

ecifi

es c

riter

ia a

nd g

uide

lines

for a

chie

ving

eac

h of

the

four

leve

ls o

f ent

ity a

uthe

ntic

atio

n as

sura

nce

(LoA

s);

• pr

ovid

es g

uida

nce

for m

appi

ng o

ther

aut

hent

icat

ion

assu

ranc

e sc

hem

es to

the

four

LoA

s;

• pr

ovid

es g

uida

nce

for e

xcha

ngin

g th

e re

sults

of a

uthe

ntic

atio

n th

at a

re b

ased

on

the

four

LoA

s; a

nd

• pr

ovid

es g

uida

nce

conc

erni

ng c

ontro

ls th

at s

houl

d be

use

d to

miti

gate

aut

hent

icat

ion

thre

ats.

Sour

ce: I

SO

htt

p://

ww

w is

o or

g/is

o/ho

me

htm

Con

tinu

ed


endnotes

1 For more on the importance of identification for development, see (World Bank 2016, Gelb and Clark 2013).2 Estimates by the World Bank ID4D Dataset, as of February 2016. This dataset will be updated annually.3 IEEE. What are Standards? Why are they important? IEEE, 2011. 4 Digital Identity: Towards Shared Principles for Public and Private Sector Cooperation, World Bank-GSMA-SIA 2016.5 IEE FAQs https://supportcenter.ieee.org/app/answers/detail/a_id/83/~/what-are-standards%3F.6 Europay, MasterCard and Visa—Payment Smart Card Standard.7 https://mobileconnect.io.8 EU Regulation No 910/2014 on electronic identification and trust services for electronic transactions in the European internal market. See also Ashiq, J. A. 2016. “The eIDAS Agenda: Innovation, Interoperability and Transparency.” Cryptomathic. 25 January, https://www.cryptomathic.com/news-events/blog/the-eidas-agenda-innovation-interoperability-and-transparency; Turner, Dawn M. “eIDAS from Directive to Regulation—Legal Aspects.” Cryptomathic, https://www.cryptomathic.com/news-events/blog/eidas-from-directive-to-regulation-legal-aspects; van Zijp, Jacques. “Is the EU ready for eIDAS?,” Secure Identity Alliance. 9 A multimodal system does not require dependency on just one specific biometric feature.10 http://www.eiuperspectives.economist.com/technology-innovation/economic-empowerment-leaders/article/identifying-better-future.11 eID cards can be easily carried in a wallet, unlike large legal documents.12 Turner, Dawn M. “Understanding Major Terms Around Digital Signatures.” Cryptomathic.13 According to PIRA, “The global market for Personal ID credentials was valued at $5.3 billion in 2009, and is forecast to reach $9.1 billion by 2019” (PIRA, 2014).14 Excerpt from World Bank. 2016. Digital Identity: Towards Shared Principles for Public and Private Sector Coop-eration. Washington, D.C.: World Bank Group, p. 19.15 For example, see EU Cross-border Digital Authentication by Gemalto, http://www.gemalto.com/mobile/customer-cases/eu-cross-border-digital-authentication.

Technical Standards for Digital Identity (Draft for...

Documents

Transcript of Technical Standards for Digital Identity (Draft for...