
Mobile ID Devices
5 Standards
DRAFT
15 June 2011

Contents
Introduction
Issues for discussion by e-MOBIDIG
Overview - the system of standards
INTERNATIONAL standards organisations
  ISO - International Standards Organisation
  IEC - International Electrotechnical Commission
  ISO / IEC Joint Technical Committee 1
  ITU - International Telecommunications Union
  WSC - World Standards Cooperation
  ICAO - International Civil Aviation Organisation
  De facto international standards
EUROPEAN standards organisations (Europe-wide)
  European standards generally
  CEN - European Committee for Standardisation
  CENLEC - European Committee for Electrotechnical Standardisation
  ETSI - European Telecoms Standardisation Institute
  Other EU standards-related bodies and organisations
    CE Mark
    EU Joint Research Centre
    Conformity testing
European NATIONAL standards organisations
  Czech Office for Standards, Metrology and Testing (UNMZ)
  French Standards Association (ANFOR)
  German Institute for Standardisation (DIN) and Federal Office for Information Security (BSI)
  United Kingdom - British Standards Institution (BSI Group)
  List of European Standards Organisations
US NATIONAL standards organisations
  ANSI - American National Standards Institute
  IEEE - Institute of Electrical and Electronic Engineers
  FIPS - Federal Information Processing Standards
  NIST - National Institute of Standards and Technology
  FBI - Federal Bureau of Investigation
Standards etc. relevant to mobile ID devices
  Mobile ID devices
  Mobile communications
  Biometrics
  Security
  MRTDs - Machine Readable Travel Documents
  Driving licenses
  Tachograph systems and documents
  Vehicle registration documents


Introduction
This guide (which is a working draft) explains the main standards organisations and
how they work together to produce international standards; describes some main
standards applicable to mobile ID devices; and suggests where e-MOBIDIG might
best engage for the interests it needs to pursue.
The guide contains:
- An overview of the structure of the organisations engaged in standards activity
  and how responsibility for standards is allocated.
- International standards organisations, in particular ISO, IEC, ITU and ICAO
  (these organisation names are explained later).
- Europe-wide standards organisations co-operating on the European system of
  standards: CEN, CENLEC and ETSI.
- National-level standards organisations, in Europe and in the US.
- A description of some important standards applicable to mobile ID devices, by
  category.

Issues for discussion by e-MOBIDIG


This paper is a working draft, not yet discussed in the e-MOBIDIG group and
therefore not representing a consensus of opinion. Key questions for consideration at
the next meeting include:
- Any comments on the paper, which are of course welcome;
- Identification by participants in the group, please, of who has experience of
  developing standards, so that we can use that to best effect;
- In many cases relevant standards already exist, but we welcome views as to
  which should be used, and in what way, for mobile ID devices for immigration
  and police. (Some are already summarised at the end of the paper.)
- Views as to which areas might most warrant the development of any further
  standards (of any kind) by e-MOBIDIG, recognising the constraints on the
  time available to members of the group.
One area that may benefit from work on standardisation by e-MOBIDIG, in the
standards applicable to security, is ISO/IEC 15408, Common Criteria. This provides
for the development of a Security Target (ST) defining the high-level properties
required of a device, expanded in Security Functional Requirements (SFRs)
detailing the individual security functions required. This can be the basis for the
development of a full Protection Profile (PP) by a testing organisation to identify
formal, testable requirements for the class of security devices (e.g. mobile ID
devices). Products can then be formally evaluated against such a PP and can
demonstrate that they comply with it. Arrangements exist for the mutual recognition
between countries of compliance at Evaluation Assurance Levels EAL 1 to 4, but not
for the highest security levels (EAL 5 to 7).

The proposal could be that e-MOBIDIG should develop an ST and SFRs, and consider
how a PP could be developed that would set a common standard for mobile ID
devices, so setting a common benchmark in this area.
Reasons for suggesting this issue in particular include:
- Security is a critical issue in the use of mobile ID devices for police and
  immigration.
- What security means can vary enormously from one person or organisation to
  another if it is not defined.
- Without a clear benchmark standard there may be commercial pressure to
  cut corners in the implementation: why go to the extra cost and effort of a
  particular security feature that goes unrecognised, if that disadvantages a good
  supplier competing against another who saves that expense to reduce price?
- ISO/IEC 15408 (Common Criteria) is a well-established framework for this
  kind of initiative, and the concept of a Protection Profile is well understood.
- It may be possible to have an efficient distribution of effort: e-MOBIDIG
  could develop the high-level description (ST and SFRs) and have a skilled
  testing organisation develop the PP, subject to agreement and potentially
  funding.
- e-MOBIDIG should be in a good position to broker a wide consensus by
  virtue of the representation from Member States and industry, but the
  availability of resource (experts and/or funding) will have to be considered
  further.
However, it is also important that we understand the likely timescale and effort
required, and can confirm that we have resources available to complete the work.
We are also keen to discuss and consider other possible ways of engaging usefully on
standards and look forward to discussing this at the 8th e-MOBIDIG meeting, 8 and 9
September, in Stockholm.
Comments on this paper should be sent, please, to the Chair of e-MOBIDIG:
frank.smith@homeoffice.gsi.gov.uk
Thank you.

Overview - the system of standards


There are many standards organisations relevant to mobile ID devices, at
international, European and national level. These may seem confusing or complex, but
there is more practical co-ordination between them than may at first be apparent.
Geographical scope
- International / global standards bodies such as ISO, IEC, ITU and ICAO
- Regional standards bodies such as those in Europe: CEN, CENLEC, ETSI
- National standards organisations such as those in the Member States of the EU,
  or the US
Subject matter
Many types of division are possible, but four of particular relevance in subdividing
standards organisations are:
- General
- Electrotechnical (electrical, electronic and information technology)
- Radio and communications
- Sector-specific bodies such as aviation or government.
Figure 1 shows how standards organisations relate by geographical scope and subject:

                     General          Electrotechnical   Comms    Sector-specific
International        ISO              IEC                ITU      ICAO (aviation)
                     ISO / IEC JTC1
Europe-wide          CEN              CENLEC             ETSI
(EN standards)
European national    National Standards Organisations (NSOs)     German BSI (IT and comms
                                                                 security for government)
US national          ANSI             IEEE                        FBI (biometrics)
                                                                 NIST / FIPS (standards
                                                                 for government)

In addition, standards produced by formal standards organisations are only one form
of specification that is offered or intended for use. The following are suggested as
being in decreasing order of influence, but correspondingly perhaps in increasing
order of flexibility and responsiveness:
1. Laws, Directives and regulations
2. International standards by recognised standards-making organisations
3. De facto standards
4. National standards
5. Informal local standards, for example within one organisation; best practice
   recommendations; professional thinking; current popular trends, etc.
This is represented in Figure 2.

[Figure 2: 1. Law, Directive, Regs.; 2. International Standard (formal);
3. International Standard (de facto); 4. National Standard; 5. Informal local
standard. Acceptance and influence increase towards 1; flexibility and
responsiveness increase towards 5.]

In addition, a standard will follow a lifecycle: starting as a draft or proposal and
becoming progressively firmer as it is refined and exposed to consultation before
being finalised; being modified for new requirements; and at some stage possibly
being withdrawn when it is no longer relevant.
The structure of standards organisations may seem complex, but this paper describes
mechanisms by which they work together to maximise co-operation and to avoid
standards conflicting. Pragmatism and common sense are alive and well.
Given the pace of development in some areas, the question arises as to whether the
structure of standards organisations is responsive enough to develop standards
quickly where needed. That is left for debate, with the observation that it is
important that substantive international standards are properly formulated and
consulted on; and that flexibility can be, and often is, provided in the short term
through de facto industry standards and groups.

INTERNATIONAL standards organisations


ISO - International Standards Organisation
www.iso.org
ISO is an international standards-setting organisation. It is a non-governmental
organisation (NGO) composed of representatives from national standards
organisations. Founded in 1947, ISO promulgates worldwide proprietary, industrial
and commercial standards. Its head office is in Geneva, Switzerland. Though an NGO,
many of its standards become incorporated into national law and so have mandatory
force. In practice ISO is a consortium with strong links to governments. It derives
from its predecessor of 1926, the International Federation of National Standardising
Associations (ISA). ISO has 163 national members.
ISO operates through a series of Technical Committees (TCs) and Sub-Committees
(SCs) and, where required, Working Groups (WGs). It has a six-stage process for the
development of standards, from proposal to publication of the completed standard.

IEC - International Electrotechnical Commission
www.iec.ch
IEC is a not-for-profit NGO. It prepares and publishes international standards for all
electrical, electronic and related technologies (together, "electrotechnical"). IEC
covers a very broad range of interests and manages three global conformity
assessment systems to certify whether systems, components and equipment conform
to its standards. Founded in 1906, it has 130 members and participating countries and
is based in Geneva. It defines standard units of measurement (SI) and a standard
international vocabulary for electrical terminology.
IEC standards are numbered 60,000 to 79,999. IEC works closely with ISO and ITU,
and with others such as IEEE (US). Standards harmonised with Europe carry the
designation IEC or EN. Some IEC standards are also harmonised with individual
national standards bodies.

ISO / IEC Joint Technical Committee 1
Joint ISO / IEC standards come from the Joint ISO / IEC Technical Committee 1
(JTC1) on information technology. JTC1 works through several important
subcommittees, including SC17, identification cards; SC25, interconnection of IT;
SC27, security; SC31, automatic identification and data capture; and SC37,
biometrics. Some further joint ISO / IEC standards carry the numbers 80,000 to
89,999.

ITU - International Telecommunications Union
www.itu.int
ITU is a specialised agency of the United Nations (UN) responsible for information
and communications technologies. ITU co-ordinates the global use of the radio
spectrum, promotes international co-operation in assigning satellite orbits, works to
improve telecoms infrastructure in the developing world, and establishes worldwide
standards in these areas. It is active in broadband, internet, latest generation wireless
technology, and fixed / mobile convergence. The ITU is also based in Geneva. It has
192 member states and 700 sector members and associates.

The mission of the ITU is to enable growth and sustained development of telecoms
and information networks and to facilitate universal access to the emerging
information society and the digital economy; bridging the digital divide by building
adequate and safe information and communications infrastructure and developing
confidence in the use of cyberspace through enhanced online security. It is also
interested in developing communications for disasters and emergencies.

WSC - World Standards Cooperation
www.worldstandardscooperation.org
World Standards Cooperation was established in 2001 by IEC, ISO and ITU to
strengthen and advance the voluntary, consensus-based international standards
systems of these organisations.

ICAO - International Civil Aviation Organisation
www.icao.int
ICAO is a specialised agency of the UN based in Montreal, Canada. It codifies the
principles and techniques of international air navigation and fosters the planning and
development of international air transport to ensure safe and orderly growth. Founded
in 1947; predecessor organisations go back to 1903. Membership is 189 (i.e. most)
members of the UN.
ICAO defines the standard for Machine Readable Travel Documents (MRTDs)
worldwide, ICAO Document 9303, including the definition of the Machine Readable
Zone (MRZ) and of the biometric chip. ICAO manages the work in this area through
the Technical Advisory Group (TAG) on MRTDs, which has further working groups
including the New Technologies Working Group (NTWG), which considers new and
future requirements and potential solutions.

De facto international standards


A good example of de facto industry standards that have major global influence is in
relation to the standards that govern the internet: the World Wide Web Consortium
(W3C, www.w3.com) and the Internet Engineering Task Force (IETF,
www.ietf.org). W3C is headed by Sir Tim Berners-Lee (credited with the invention of
the World Wide Web, in 1989) and is responsible for standards including HTML,
XML, WSDL and SOAP (web services for interconnection between distributed
applications). IETF works on the TCP/IP and Internet Protocol suite. Both
organisations co-operate closely with ISO and IEC.

EUROPEAN standards organisations (Europe-wide)


European standards generally
The purpose of European standards is to support the Europe-wide internal market.
Official European standards are known by the designation EN (European
Normalisation: normalisation is the French word for standardisation). These are
intended to promote free trade, safety of workers and consumers, interoperability,
environmental protection, etc. A list of all EN standards is available at
www.en.w3j.com.
There is an agreement between the three recognised European standards bodies
(CEN, CENLEC and ETSI) to decide who is in the lead on a particular issue and
to respect that allocation of responsibility:
- CEN - all issues not covered by CENLEC and ETSI
- CENLEC - electrotechnical
- ETSI - telecommunications
In 1991 the European Parliament noted that the three EU standards bodies co-operated
efficiently and decided that a merger was not necessary.

CEN - European Committee for Standardisation
www.cen.eu (also Comité Européen de Normalisation)
CEN is a non-profit organisation. Its mission is to foster the European economy in
global trading, the welfare of European citizens and the environment by providing an
efficient infrastructure to interested parties for the development, maintenance and
distribution of coherent sets of standards and specifications. CEN was founded in
1962. Its 30 members work together to develop European Standards (ENs) to build
the European internal market. Some standards are voluntary; some harmonised
standards are incorporated under EU law.
Under the Vienna Agreement of 1991, CEN has an agreement with ISO for the
avoidance of duplication, under which CEN will follow ISO standards where these
overlap.

CENLEC - European Committee for Electrotechnical Standardisation
www.cenlec.org
EU standardisation body for electrical engineering. CENLEC was founded in 1973
under Belgian law.

ETSI - European Telecoms Standardisation Institute
www.etsi.org
EU standards organisation for telecommunications. ETSI standards include Global
Standardisation Collaboration (GSM) cellphone standards (2G), TETRA, and
standards on low-powered short-distance communications. Formed in 1988 and based
in Sophia Antipolis (France), it covers standardisation of Information and
Communications Technology (ICT) in Europe. ETSI has over 740 members across all
sectors and types of participant. ETSI runs the Centre for Testing and
Interoperability (CTI).

Other EU standards-related bodies and organisations


CE Mark
The CE mark (Conformité Européenne) is obligatory on certain goods
offered for sale in the European Union (e.g. mobile phones and fire
extinguishers) and signifies that the product complies with the relevant
European Directive (EU law) applicable to that product.
www.ec.europa.eu/enterprise/policies/single-market-goods/cemarking

EU Joint Research Centre
The EU Joint Research Centre (JRC) is based in Brussels with offices at other
locations in the EU, including Ispra, near Milan. JRC works on a range of research
and conformity testing relevant to standardisation; it works closely with standards
organisations; and it acts as secretariat to several EU working groups, including
e-MOBIDIG. www.ec.europa.eu/dgs/jrc

Conformity testing
Conformity testing is an essential part of realising the potential value of standards: if
compliance with a standard cannot be rigorously tested and proven, the standard may
well be ineffective. Organisations such as JRC may operate as a conformity
laboratory at EU level; in addition, other national government labs or commercial
organisations may provide conformity testing and certification. In the case of
commercial test organisations, this may be subject to certification of those
organisations for that purpose by government. See also ETSI / CTI, above.

European NATIONAL standards organisations


Some examples of the many national standards organisations (NSOs) in Member
States of the EU follow.

Czech Office for Standards, Metrology and Testing (UNMZ)
ČSN is a protected designation of Czech technical standards. ČSN was also the
official name of the Czechoslovak state standards (from 1964) and, from 1991, of
Czechoslovak standards generally (now Czech Republic technical standards; the Czech
Republic was formed in 1993). Creation and issuance of ČSN is currently provided by
the Czech Office for Standards, Metrology and Testing: www.unmz.cz/office/en.

French Standards Association (ANFOR)
France's national standards organisation is ANFOR (Association française de
Normalisation). It works closely with a range of French specialist groups, e.g. sector-
or industry-specific, to develop French standards, and also with the European and
international standards bodies. www.anfor.fr

German Institute for Standardisation (DIN) and Federal Office for Information
Security (BSI)
The German national standards organisation is the Deutsches Institut für Normung
(DIN). DIN is also the prefix for standards issued by the organisation. For instance,
the DIN 476 standard of 1922 defined the A-series of paper sizes and was adopted
as ISO 216 in 1975 and later as a European EN standard. Multiple recognition by DIN
and other bodies is shown by the numbering (in full) of that standard as DIN EN ISO
216. www.din.de
The Federal Office for Information Security, or Bundesamt für Sicherheit in der
Informationstechnik (BSI), is the German government agency in charge of computer
and communication security for the German government. This includes security of
computer applications, protection of critical national infrastructure, internet security,
cryptography, protection against eavesdropping, and certification of security products
and test laboratories. www.bsi.bund.de

United Kingdom - British Standards Institution (BSI Group)
The (UK) BSI was founded in 1901 as the Engineering Standards Committee, the
first standards organisation at national level. The BSI name was adopted in 1931. It
now operates in 150 countries and concentrates on standards-related work. BSI
standards are all specifications, methods, vocabularies, codes of practice or guides.
BSI standards are designated BS. Key examples include BS 5750 on quality
management (now ISO 9000); BS 7799 for information security (now ISO/IEC
27001); and BS 25999 for business continuity. www.bsigroup.com
The British Standards Kitemark is widely recognised and trusted in the UK
as a mark showing compliance with a BS standard. www.kitemark.com

List of European Standards Organisations

Austria - ASI - Austrian Standards Institute
Belgium - NBN - Bureau voor Normalisatie / Bureau de Normalisation (formerly
  IBN/BIN); and BEC / CEB - The Belgian Electrotechnical Committee - Belgisch
  Elektrotechnisch Comité - Comité Electrotechnique Belge
Bulgaria - BDS - Bulgarian Institute for Standardization
Czech Republic - CSNI - Czech Standards Institute
Denmark - DS - Dansk Standard
Estonia - EVS - Eesti Standardikeskus
Finland - SFS - Finnish Standards Association
France - AFNOR - Association française de normalisation
Germany - DIN - Deutsches Institut für Normung
Greece - ELOT - Hellenic Organization for Standardization
Hungary - MSZT - Magyar Szabványügyi Testület
Iceland - IST - Icelandic Council for Standardization
Italy - UNI - Ente Nazionale Italiano di Unificazione
Latvia - LVS - Latvian Standard
Lithuania - LST - Lithuanian Standards Board
Luxembourg - SEE - Service de l'Energie de l'Etat, Organisme Luxembourgeois de
  Normalisation
Malta - MSA - Malta Standards Authority
Netherlands - NEN - Nederlandse Norm, maintained by the Nederlands Normalisatie
  Instituut (NNI)
Norway - SN - Standards Norway (Standard Norge)
Poland - PKN - Polish Committee for Standardization (Polski Komitet
  Normalizacyjny)
Portugal - IPQ - Instituto Português da Qualidade
Republic of Ireland - NSAI - National Standards Authority of Ireland
Romania - ASRO - Asociatia de Standardizare din România
Slovakia - SUTN - Slovak Standards Institute
Slovenia - SIST - Slovenian Institute for Standardization
Spain - AENOR - Asociación Española de Normalización y Certificación
Sweden - SIS - Swedish Standards Institute
Switzerland - SNV - Swiss Association for Standardization
United Kingdom - BSI - British Standards Institution or BSI Group

US NATIONAL standards organisations


ANSI - American National Standards Institute
www.ansi.org
ANSI is a private not-for-profit organisation overseeing the development of voluntary
consensus standards in the US. It also co-ordinates between US and international
standards. ANSI accredits standards that have been developed by other organisations,
including commercial and government bodies. For example, the standard on
photographic film speed rating developed by the American Standards Association
(ASA, a predecessor to ANSI) was later adopted by ISO, hence the dual designation
ASA / ISO on films. Standards adopted by ANSI begin with ANS (American National
Standard). ANSI or its predecessor(s) also adopted the standards for the Fortran (1966)
and C (1989) programming languages, the standard version of C also being known as
ANSI C.

IEEE - Institute of Electrical and Electronic Engineers
www.ieee.org
IEEE is a not-for-profit professional association for the advancement of technological
innovation related to electricity. It has over 400,000 members in over 160 countries,
45% outside the US. It was formed in 1963 from predecessor radio and electrical
engineering bodies dating back to 1912 and 1884.
IEEE's purpose is scientific and educational, directed toward the advancement of the
theory and practice of electrical, electronic, communication and computer
engineering. It is a leading publisher of scientific journals and organiser of
conferences, has developed over 900 industry standards across a broad range of
technologies, and runs a major educational programme. Standards are developed
through the IEEE Standards Association (IEEE-SA). IEEE standards include 802.3,
Ethernet, and 802.11, Wireless Networking.

FIPS - Federal Information Processing Standards
NIST FIPS homepage: www.itl.nist.gov/fipspubs
FIPS standards comprise publicly announced standards developed by US federal
government for use in computer systems by all non-military government agencies and
contractors. Many are modified versions of standards used in the wider community
(e.g. ANSI, IEEE, and ISO). Examples of FIPS standards include Data Encryption
Standard (DES, in 1976), Advanced Encryption Standard (FIPS 197, in 2001), and
Security Requirements for Cryptographic Modules (FIPS 140-2, in 2001).


NIST - National Institute of Standards and Technology
www.nist.gov
The US National Institute of Standards and Technology (NIST: from 1902 to 1988:
the National Bureau of Standards) is the measurement standards laboratory, an agency
of the US Department of Commerce. Its mission is to promote US innovation and
industrial competitiveness by advancing measurement science, standards and
technology in ways that enhance economic security and improve quality of life. NIST
Information Technology Laboratory (ITL) is instrumental in work on IT-related
standards.
NIST is developing US government-wide card standards for federal employees and
contractors for access to government buildings and computers, and has created
biometric measurement standards. It also produced Mobile ID Device Best Practice
Recommendation (version 1.0, August 2009, Shahram Orandi and R. Michael
McCabe, Information Access Division, Information Technology Laboratory: NIST
Special Publication 500-280).

FBI - Federal Bureau of Investigation
www.fbibiospecs.org
As a major and influential user of biometrics, the FBI itself has defined standards that
are recognised more widely for aspects of biometrics.


Standards etc. relevant to mobile ID devices


Mobile ID devices
NIST Mobile ID Device Best Practice Recommendation is an important document
on mobile ID. It is not a standard but a NIST special publication, number 500-280,
version 1.0, dated August 2009, mentioned earlier. The best practice recommendation
(BPR) concentrates on biometric ID devices. It proposes an escalating scale of
accuracy requirements and/or features based particularly on:
- Role: verification that an individual matches an existing record is least
  demanding on accuracy; then capture of biometrics for 1:many search; then
  enrolment for future use, which requires the highest standard of accuracy.
- Risk level: from mild, to moderate, to severe if the context is one in which
  lives may be put at risk if correct identification does not take place.
- The resulting assessment of the criticality of the application is expressed as a
  Subject Acquisition Profile (SAP). The higher the SAP rating (in practice
  from 10 to 60), the more stringent the sets of parameters and requirements
  relevant to that device and the way it is used. The SAP value is linked to the
  ANSI/NIST-ITL 1 standard, Data Format for the Interchange of Biometric and
  Forensic Information (2007 and 2010; new version under development).
- The consequence of a higher SAP score is that greater accuracy in
  biometrics is recommended in a device, e.g. in the resolution and number of
  biometric images collected and their overall size (from 2 cm² to 60 cm²); also
  in the number of biometric modes used: in more critical uses, facial image,
  fingerprint and iris are recommended for joint use.
- It is recognised that technology is still advancing and that the most
  demanding levels may be challenging now for cost-effective implementation
  on mobile devices, comms and support systems, but would be expected to
  become more cost-effective in the future. The BPR also addresses practical
  aspects, e.g. of device ruggedness and battery performance.
The scope of interest of e-MOBIDIG includes the biometric identity aspects of the
NIST BPR, but also some other features of mobile ID devices as set out in the
e-MOBIDIG Use Cases reference document, including reading and authentication of
documents (passports, ID cards, driving licenses, etc.), recording of geo-position, image
capture and analysis, and access to reference systems, which is also of potential use for
operational policing and immigration in relation to mobile devices.

Mobile communications
The leading standards organisations in relation to mobile communications are, not
surprisingly, ETSI and ITU, the European and international standards organisations for
telecommunications. This embraces standards for 2G and 3G (such as GPRS, EDGE,
HSPA). ETSI (through its predecessor, CEPT) founded GSM, the alliance that introduced
the first digital cellular network standards (2G), and the TETRA standard for emergency
services mobile communications. ETSI is an organisational partner of the 3G Partnership
Project (3GPP) and provides its secretariat. 3GPP has developed the Universal Mobile
Telecommunications System (UMTS) model for 3G and 4G networks and is developing the
high-speed LTE standard to access 4G networks, within a framework that is consistent with
ITU standards and approach. ITU has defined standards for WiFi (802.11) and WiMAX
(802.16). Both standards organisations have a close interest in fixed / mobile convergence.

Biometrics
ISO/IEC JTC1 / SC37 international standards on biometrics:
ISO/IEC 19784 (2006/7), Biometric Application Programming Interface (BioAPI),
Parts 1 and 2. Defines how a software application can use the services of a
biometric service provider, including enrolment, identification (search) and
verification. Compatible with ISO/IEC 19785.
ISO/IEC 19785 (2006), Common Biometric Exchange Formats Framework (CBEFF),
Parts 1 and 2. Defines a structure for biometric records comprising a standard
biometric header, a biometric data block and an optional security block.
ISO/IEC 19794 (2005/7), Biometric Data Interchange Formats, Parts 1 to 10
(further parts in preparation). Includes the framework, finger minutiae and finger
image, face image and iris image formats.
ISO/IEC 19795 (2006/7), Biometric Performance Testing and Reporting, Parts 1 and 2.
ISO/IEC 24709 (2007), BioAPI Conformance Testing, Parts 1 and 2.
ANSI/NIST Information Technology Laboratory (ITL)
ANSI/NIST-ITL standard (2007/8), Data Format for the Interchange of Fingerprint,
Facial & Other Biometric Information. Includes fingerprint minutiae and image, scars,
marks and tattoos, facial image, iris image and palmprint image. Part 1
(ANSI/NIST-ITL 1-2007) in traditional format; Part 2 (ANSI/NIST-ITL 2-2008) in
NIEM-conformant XML format. (NIEM = US National Information Exchange Model.)
[Check: link to ISO/IEC standards, above?]

Fingerprint image representation / compression
The Wavelet Scalar Quantization (WSQ) algorithm is a data compression algorithm
for grey-scale fingerprint images, published as the Criminal Justice Information
Services (CJIS) / FBI WSQ Gray-scale Fingerprint Image Compression Specification,
version 3.1, 4 October 2010. It is favoured for criminal justice and other
applications because, at the same compression ratio, it preserves the fine-scale
features of fingerprints (ridge endings and bifurcations) better than general
purpose compression algorithms such as baseline JPEG.
JPEG 2000 improves on earlier JPEG specifications and is regarded as appropriate
for compressed fingerprint images; the FBI's profile for 1000 ppi fingerprint images
is based on it.
NIST standard for fingerprint quality assessment:
NISTIR 7300, E. Tabassi, NIST Fingerprint Image Quality (NFIQ) Compliance Test,
Feb 2005.
See also NIST Best Practice Recommendations on Mobile ID Devices, above.

Security
Management of information security: ISO/IEC JTC1 / SC27; the ISO/IEC 27000 series
of standards covers information security management systems.
Cryptographic modules: FIPS 140-2, Security Requirements for Cryptographic Modules
(US NIST), sets four levels of security requirements for the hardware or software
modules that implement encryption and other cryptographic functions.
The Common Criteria for Information Technology Security Evaluation (Common
Criteria, or CC), ISO/IEC 15408, provides a framework in which users specify their
security requirements, vendors implement products claiming to meet those
requirements, and accredited testing laboratories evaluate the products to determine
whether they do. Key elements:
The Target of Evaluation (TOE) is the product or system subject to evaluation.
The Security Target (ST) states the security objectives of a specific TOE and the
Security Functional Requirements (SFRs) detailing the individual security
functions it must provide.
The Protection Profile (PP) is created by a user or user community to identify
implementation-independent security requirements for a class of products (e.g.
mobile ID devices). Products can then be evaluated against one or more PPs, with
the ST claiming conformance to them.
In addition:
The Evaluation Assurance Level (EAL), from 1 (lowest) to 7 (highest), describes the
rigour of the evaluation.
Security Assurance Requirements (SARs) describe the measures taken during
development and evaluation to give confidence that the SFRs are met.
An evaluation covers only the TOE in its evaluated configuration, so the scope
defined in the ST matters when comparing certified products.
The Common Criteria Recognition Arrangement (CCRA) provides for mutual
recognition of CC evaluations between its member countries (14 or more), up to EAL 4.
The Common Criteria Portal is at www.commoncriteriaportal.org/pps. Protection
profiles for ID cards, residence permits and passports with EAC chips can be found
under the tab "Identity cards, smart cards and related devices and systems".
See the discussion at the start of this document suggesting the potential use of this
approach for mobile ID devices by e-MOBIDIG.

MRTDs: Machine Readable Travel Documents
ICAO Doc 9303, the ICAO standard for travel documents and document readers:
ICAO, International Civil Aviation Organization: Doc 9303 Machine Readable Travel
Documents, Part 1 Vol. 2 (passports with chips) and Part 3 Vol. 2 (size 1 and 2
MRTDs, i.e. ID cards, with chips).
ID card standards: also ISO/IEC JTC1 / SC17 (Cards and Personal Identification).
EU second generation biometric MRTDs: inclusion of fingerprints, protected by
Extended Access Control (EAC).
EU regulation on the biometric characteristics to be included in the electronic
passport: Regulation (EC) No 2252/2004 of the European Parliament and of the Council
of 13 December 2004 on standards for security features and biometrics in passports
and travel documents issued by Member States.
Specification of EAC and the related protocols:
BSI, TR-03110, Advanced Security Mechanisms for Machine Readable Travel Documents:
Extended Access Control (EAC), Version 2.05, 2010.
Certification schemes for compliance of document readers with ISO and ICAO standards:
BSI, TR-03105, Conformity Tests for Official Electronic ID Documents, Part 4: Test
plan for ICAO compliant Proximity Coupling Device (PCD) on Layer 2-4.
BSI (Germany) test standard for EAC inspection systems:
BSI, TR-03105, Conformity Tests for Official Electronic ID Documents, Part 5.1: Test
plan for ICAO compliant Inspection Systems with EAC 1.11.
The Czech standard ČSN 36 9791 ed. A, Information technology - Country Verifying
Certification Authority Key Management Protocol for SPOC, has been adopted in EU
regulations for the exchange of verification certificates, so that a passport (i.e.
MRTD) issuing country can authorise another country to read fingerprints from the
documents it issues, via each country's national Single Point of Contact (SPOC).
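As an added worked example (not part of this draft or of ICAO's own material) of what a document reader implements from Doc 9303: the MRZ check-digit algorithm (weights 7, 3, 1 repeating; letters A to Z valued 10 to 35; filler '<' valued 0) and the derivation of the Basic Access Control (BAC) keys Kenc and Kmac from the machine readable zone, which a reader needs before it can read the chip at all. The sample document number, date of birth and expiry date are those of the worked example in Doc 9303, so the computed keys can be compared with the values printed there. The function names are this example's own, and only the 9-character document number field of a passport (TD3) MRZ is handled.

```python
"""Doc 9303 MRZ check digits and BAC key derivation (added example, not from the draft)."""
import hashlib

# Doc 9303 check-digit weights repeat 7, 3, 1 across the characters of a field.
WEIGHTS = (7, 3, 1)


def mrz_char_value(c: str) -> int:
    """Numeric value of an MRZ character: '0'-'9' as themselves, 'A'-'Z' as 10-35, '<' as 0."""
    if c == "<":
        return 0
    if "0" <= c <= "9":
        return ord(c) - ord("0")
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {c!r}")


def check_digit(field: str) -> int:
    """Doc 9303 check digit: weighted sum of the character values, modulo 10."""
    total = sum(mrz_char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(field))
    return total % 10


def verify_check_digit(field: str, digit: str) -> bool:
    """True if the printed check digit matches the field; a reader rejects the MRZ otherwise."""
    return digit.isdigit() and int(digit) == check_digit(field)


def adjust_parity(key: bytes) -> bytes:
    """Force each byte to odd parity in its least significant bit, as Doc 9303 requires for 3DES keys."""
    out = bytearray()
    for b in key:
        high = b & 0xFE
        ones = bin(high).count("1")
        out.append(high | (1 if ones % 2 == 0 else 0))
    return bytes(out)


def bac_keys(doc_number: str, birth_date: str, expiry_date: str) -> dict:
    """Derive the BAC keys from MRZ data as specified in Doc 9303.

    MRZ_information = document number (9 chars, '<' padded) + its check digit
                      + birth date (YYMMDD) + check digit + expiry date (YYMMDD) + check digit
    Kseed = SHA-1(MRZ_information)[0:16]
    Kenc  = parity-adjusted SHA-1(Kseed || 00000001)[0:16]
    Kmac  = parity-adjusted SHA-1(Kseed || 00000002)[0:16]
    Assumption of this example: doc_number is at most 9 characters (TD3 layout).
    """
    doc = doc_number.ljust(9, "<")  # the TD3 document number field is 9 characters
    mrz_info = (f"{doc}{check_digit(doc)}"
                f"{birth_date}{check_digit(birth_date)}"
                f"{expiry_date}{check_digit(expiry_date)}")
    kseed = hashlib.sha1(mrz_info.encode("ascii")).digest()[:16]

    def derive(counter: int) -> bytes:
        return adjust_parity(hashlib.sha1(kseed + counter.to_bytes(4, "big")).digest()[:16])

    return {"mrz_information": mrz_info, "kseed": kseed, "kenc": derive(1), "kmac": derive(2)}


if __name__ == "__main__":
    # Sample input taken from the Doc 9303 worked example:
    # document number L898902C, date of birth 690806, date of expiry 940623.
    keys = bac_keys("L898902C", "690806", "940623")
    print("MRZ_information:", keys["mrz_information"])
    for name in ("kseed", "kenc", "kmac"):
        print(f"{name}: {keys[name].hex().upper()}")
```

The check digits are the reader's first integrity test on an optically read MRZ; a misread character changes the weighted sum and the BAC handshake then fails with the wrong keys, so a reader should reject an MRZ whose check digits do not verify before attempting chip access.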

Driving licences
ISO/IEC 18013, Driving licence. The standard results from a collaboration between
the International Organisation for Standardisation and the International
Electrotechnical Commission, co-ordinated through ISO/IEC JTC1/SC17 (Cards and
Personal Identification) Working Group 10 (WG10). It provides a common framework
within which national authorities can choose to adopt different parts of the
standard. WG10 agreed a harmonised standard for the chip using Data Groups
(similar in concept to MRTDs). DG1 (mandatory) contains family name, given name,
date of birth, date of issue, date of expiry, issuing country, issuing authority,
licence number, categories of vehicles and restrictions. DG4 (optional) can contain
a face image, and further optional data groups can contain biometric templates
(face, finger, iris).
EU Directives on the minimum information on a driving licence: Directives
91/439/EEC, in force since 1 July 1996, and 2006/126/EC.

Tachograph systems and documents
EU/JRC: revision of the existing regulations (proposed).
EU Regulation on digital tachographs: Council Regulation (EEC) No 3821/85, as
amended by Regulation (EC) No 2135/98.
Digital tachographs and cards have been used in the UK since 2005. Digital
tachographs have a single PKI hierarchy with a European root key, operated by the
European Root Certification Authority (ERCA) at the JRC.

Vehicle registration documents
EU Directive on vehicle registration documents: 2003/127/EC. Annex I sets out the
smartcard format. The standard lacks read data access control. (Does it include
PKI-based authentication?)
