By Peter Tomlinson, Independent Consultant, Iosis Associates
May's article was an overview of a week spent in Washington DC at the end of April, attending the CardTech/SecurTech convention, and also joining the small European presence at the USA/Europe/Japan informal group known as the Global Collaboration Forum.
June’s topic is the dominant USA Smart Card project - the military Common Access Card (CAC) - and its civil offspring the GSC-IS V2.1 specification. Readers should note that the material presented here has been gathered from several people attending CTST.
The CAC is an ID card for US military personnel, capable of holding a short-form personnel file of core data about the cardholder. The scheme development process was a classic of US methodology: potential suppliers were invited to join a working group defining an interoperable technology, and the US government supplied in-house technical resources to write the resulting specification.
The result was a contact card technology, compliant with ISO/IEC 7816, adopting Global Platform's card management methodology, and supporting Javacard, Multos, and potentially Microsoft's WfSC offering. On the systems side, a network of card issuing bureaus has been established, but to a great extent it was left to the various military units to procure their own operational systems. Several million CAC cards have already been deployed or ordered, with a small but growing proportion using a biometric for authentication.
Deployment already extends to several overseas theatres. In practice most of the cards use Javacard methods, and in using them it is believed that there have been a considerable number of interoperability problems and some difficulty handling the ever-growing list of revoked cards. The project started well before the 9/11 events, and those events have caused a major re-appraisal of assumptions about identifying individuals. Information assurance is now a key component of good practice, and a structured approach to personal identity protection has been developed:
q Strong authentication of the individual (face to face interaction between the individual and a trusted agent; and a business process that provides sufficient evidence of identity - public records checks, background investigations, examination of primary documents).
q Binding the identity to a management system (a credential is the best linkage to the personal identity protection system).
q Binding the credential to the individual (biometric and PINs bind the credential to an individual; the credential then becomes a proxy for digital/physical access where technology is used).
q Authentication of the credential at all access points (logical and physical).
q Safeguarding identity information from unwarranted disclosure.
Behind that, the USA Dept of Defense (DoD) has strengthened its internal processes for vetting both recruits to the military and also employees who operate the above approach to registration and information assurance. Much of the CAC spec has been incorporated into the current round of USA civil developments, and the material is now going forward to the new ISO/IEC SC17 WG4 Task Force 9 mentioned last month.
It must be noted that the civil deployment of personal Smart Cards in the USA will be for US Government employees and related personnel - it is not an ID card for the population at large. It is interesting to see here the clash between USA and European policies on ID cards and attitudes to protection of personal data. In Europe we wish to see as little personal information as possible held in the Identity data on the civil ID card, whereas the civil USA deployment of cards will allow a large file of data - just as with the CAC.
Not a problem if you work for the government, you might think, but now a similar attitude is moving into the travel document arena in the USA: if you travel to the USA, its government wants all the data on you, and expects to read your biometric data (in image form, not templates) out of your travel visa or passport