Standards
DRAFT
15 June 2011
Contents
Introduction ... 1
Issues for discussion by e-MOBIDIG ... 1
Overview: the system of standards ... 3
INTERNATIONAL standards organisations ... 5
  ISO: International Standards Organisation ... 5
  IEC: International Electrotechnical Commission ... 5
  ISO / IEC Joint Technical Committee 1 ... 5
  ITU: International Telecommunications Union ... 5
  WSC: World Standards Cooperation ... 6
  ICAO: International Civil Aviation Organisation ... 6
  De facto international standards ... 6
EUROPEAN standards organisations (Europe-wide) ... 7
  European standards generally ... 7
  CEN: European Committee for Standardisation ... 7
  CENELEC: European Committee for Electrotechnical Standardisation ... 7
  ETSI: European Telecoms Standardisation Institute ... 7
  Other EU standards-related bodies and organisations ... 8
    CE Mark ... 8
    EU Joint Research Centre ... 8
    Conformity testing ... 8
European NATIONAL standards organisations ... 9
  Czech Office for Standards, Metrology and Testing (UNMZ) ... 9
  French Standards Association (AFNOR) ... 9
  German Institute for Standardisation (DIN) and Federal Office for Information Security (BSI) ... 9
  United Kingdom: British Standards Institution (BSI Group) ... 9
  List of European Standards Organisations ... 10
US NATIONAL standards organisations ... 11
  ANSI: American National Standards Institute ... 11
  IEEE: Institute of Electrical and Electronics Engineers ... 11
  FIPS: Federal Information Processing Standards ... 11
  NIST: National Institute of Standards and Technology ... 12
  FBI: Federal Bureau of Investigation ... 12
Standards etc. relevant to mobile ID devices ... 13
  Mobile ID devices ... 13
  Mobile communications ... 13
  Biometrics ... 14
  Security ... 15
  MRTDs: Machine Readable Travel Documents ... 16
  Driving licenses ... 17
  Tachograph systems and documents ... 17
  Vehicle registration documents ... 17
Introduction
This guide (which is a working draft) explains the main standards organisations and
how they work together to produce international standards; describes some main
standards applicable to mobile ID devices; and suggests where e-MOBIDIG might
best engage for the interests it needs to pursue.
The guide contains:
An overview of the structure of the organisations engaged in standards activity and how responsibility for standards is allocated.
International standards organisations, in particular ISO, IEC, ITU and ICAO (these organisation names are explained later).
Europe-wide standards organisations co-operating on the European system of standards: CEN, CENELEC and ETSI.
National-level standards organisations, in Europe and in the US.
A description of some important standards applicable to mobile ID devices, by category.
The proposal could be that e-MOBIDIG should develop an ST and SFRs, and consider how a PP could be developed that would set a common standard for mobile ID devices, so that this would become a common benchmark in this area.
Reasons for suggesting this issue in particular include:
Security is a critical issue in the use of mobile ID devices for police and immigration.
What "security" means can vary enormously from the assumption of one person or organisation to another if it is not defined.
Without a clear benchmark standard there may be a commercial pressure to cut corners in the implementation: why go to the extra cost and effort of a particular security feature that goes unrecognised, if that disadvantages a good supplier competing against another who saves that expense to reduce price?
ISO/IEC 15408 (Common Criteria) is a well-established framework for this kind of initiative, and the concept of a Protection Profile is well understood.
It may be possible to have an efficient distribution of effort: e-MOBIDIG could develop the high-level description (ST and SFRs) and have a skilled testing organisation develop the PP, subject to agreement and potentially funding.
e-MOBIDIG should be in a good position to broker a wide consensus by virtue of the representation from Member States and industry, but the availability of resource (experts and/or funding) will have to be considered further.
However, it is also important that we understand the likely timescale and effort
required, and can confirm that we have resources available to complete the work.
We are also keen to discuss and consider other possible ways of engaging usefully on
standards and look forward to discussing this at the 8th e-MOBIDIG meeting, 8 and 9
September, in Stockholm.
Please send comments on this paper to the Chair of e-MOBIDIG:
frank.smith@homeoffice.gsi.gov.uk
Thank you.
[Figure: the system of standards organisations. International: ISO, IEC (electrotechnical) and ITU (comms); sector-specific: ICAO (aviation). Europe-wide: CEN, CENELEC and ETSI (EN standards), plus the European national standards organisations. US national standards: ANSI, IEEE, and the FBI (biometrics).]
In addition, standards produced by formal standards organisations are only one form of specification that is offered or intended for use. In what might be suggested as decreasing order of influence, but correspondingly perhaps increasing order of flexibility and responsiveness, the forms are:
Laws, Directives and regulations
De facto standards
National standards
Informal local standards, for example within one organisation; best practice recommendations; professional thinking; current popular trends, etc.
[Figure: hierarchy of specifications, from most to least formal: 1. Law, Directive, Regs.; 2. International Standard (formal); 3. International Standard (de facto); 4. National Standard; 5. Informal local standard.]
The mission of the ITU is to enable growth and sustained development of telecoms
and information networks and to facilitate universal access to the emerging
information society and the digital economy; bridging the digital divide by building
adequate and safe information and communications infrastructure and developing
confidence in the use of cyberspace through enhanced online security. It is also
interested in developing communications for disasters and emergencies.
Conformity testing
Conformity testing is an essential part of realising the potential value of standards: if compliance with a standard cannot be rigorously tested and proven, the standard may well be ineffective. Organisations such as the JRC may operate as a conformity laboratory at EU level; in addition, other national government labs or commercial organisations may provide conformity testing and certification. In the case of commercial test organisations, this may be subject to certification of those organisations for that purpose by government. See also ETSI/CTI, above.
Mobile communications
The leading standards organisations in relation to mobile communications are, not surprisingly, ETSI and ITU, the European and international standards organisations for telecommunications. This embraces standards for 2G and 3G (such as GPRS, EDGE and HSPA). ETSI (through its predecessor, CEPT) founded GSM, the alliance that introduced the first digital cellular network standards (2G), and the TETRA standard for emergency services mobile communications. ETSI is an organisational partner of the 3G Partnership Project (3GPP) and provides its secretariat. 3GPP has developed the Universal Mobile Telecommunications System (UMTS) model for 3G and 4G networks and is developing the high-speed LTE standard to access 4G networks, within a framework that is consistent with ITU standards and approach. ITU has defined standards for WiFi (802.11) and WiMAX (802.16). Both standards organisations have a close interest in fixed / mobile convergence.
Biometrics
ISO/IEC JTC1 / SC37 international standards on biometrics:
ISO/IEC 19784 (2006/7): Biometric Application Programming Interface (BioAPI), Parts 1 and 2. Defines how a software application can use the services of a biometric application, including enrolment, search and verification. Compatible with ISO/IEC 19785.
ISO/IEC 19785 (2006): Common Biometric Exchange Formats Framework (CBEFF), Parts 1 and 2. Defines a structure for biometric records including header, data and security blocks.
ISO/IEC 19794 (2005/7): Biometric Data Interchange Format, Parts 1 to 10 (+?). Includes framework, finger minutiae / image, face image, iris image.
ISO/IEC 19795 (2006/7): Biometric Performance Testing and Reporting, Parts 1 and 2.
ISO/IEC 24709 (2007): BioAPI Conformance Testing, Parts 1 and 2.
ANSI/NIST Information Technology Laboratory (ITL)
Security
Management of information security: ISO/IEC JTC1 / SC27; ISO/IEC 27000 series of standards: management of security.
Use of data encryption: FIPS 140-2.
The Common Criteria for Information Technology Security Evaluation (Common Criteria, or CC), ISO/IEC 15408, provides a framework in which users specify their security requirements, vendors implement solutions claiming to meet those requirements, and testing laboratories evaluate the products to determine whether they do or do not meet them. Key elements:
The Target of Evaluation (TOE) is the product or system subject to evaluation.
The Security Target (ST) defines the high-level properties required of the TOE, amplified in the Security Functional Requirements (SFRs) detailing the individual security functions required.
The Protection Profile (PP) is created by a user or user community to identify security requirements for a class of security devices (e.g. mobile ID devices). Products can then be evaluated against one or more PPs.
In addition:
The Evaluation Assurance Level (EAL), from 1 (lowest) to 7 (highest), describes the rigour of the evaluation.
Security Assurance Requirements (SARs) describe the measures taken to assure compliance.
The Common Criteria Recognition Arrangement (CCRA) provides for mutual recognition, between 14 or more countries, of evaluation against the Common Criteria up to EAL 4.
The Common Criteria Portal is at www.commoncriteriaportal.org/pps. Protection profiles for different ID / residence permits and passports with EAC chips can be found under the tab "Identity cards, smart cards and related devices and systems".
See the discussion at the start of this document suggesting the potential use of this framework for mobile ID devices by e-MOBIDIG.
Driving licenses