Presentation on theme: "Status of U.S. Smart Card Deployment Jim Dray Porvoo 7/ World eID Meeting May 2005."— Presentation transcript:
Status of U.S. Smart Card Deployment Jim Dray Porvoo 7/ World eID Meeting May 2005
History Government Smart Card Program 2000 o Interoperability Specification NISTIR 6887 o Basis for some agency deployments Department of Defense Common Access Card Transportation Worker Identification Card No strong mandate for card deployment across agencies Gradual progress up to 27 August 2004...
Homeland Security Presidential Directive 12 Signed by the President 27 August 2004 Federal agencies are directed to deploy secure and reliable forms of authentication for employees and contractors that can be rapidly authenticated electronically NIST is directed to develop the technical framework and promulgate a Federal Information Processing Standard for Personal Identity Verification
Federal Information Processing Standard 201 Published 25 February 2005 Technical framework for Personal Identity Verification (PIV) Two implementation phases: o Meet control objectives by October 2005 (I) o Deploy interoperable PIV card systems (II) o Each agency will negotiate a Phase II completion date with the Office of Mangement and Budget
Special Publication 800-73 Interfaces for Personal Identity Verification 8 April 2005 Technical specifications for PIV card interface, client API, and data model Based on evolution of GSC concepts: o Unified card interface o Technology neutral (VM card, file system card) o Standards compliant (ISO)
Other PIV Special Publications SP800-76: Biometric Data Specification for Personal Identity Verification (Draft) SP800-78: Cryptographic Algorithms and Key Sizes for Personal Identity Verification SP800-79: Issuer Organization Accreditation Guidance (comment draft 17 June)
Non-government Standards ISO 24727: Smart card interoperability framework Considering a national standard (ANSI) to fill the gap between GSC and ISO 24727
ISO 24727 ISO JTC1/SC17 WG4/TF9 o Teresa Schwarzhoff(NIST), Convener o http://www.iso.org/jtc1/sc17/wg4/tf9 Standardize a set of programming interfaces for Identification, Authentication, Signature The primary focus is interoperability between applications, middleware, cards
ISO 24727 Document Status Part 1 o Overarching framework o Status: First Committee Draft ballot completed, CD resolution of comments: May 31, 2005 Part 2 o Describes common card interface o Status: In CD ballot stage, closes August 2005 Part 3 o New territory for smart card standards: Client API, middleware o Set of services: connection, discovery, retrieval, identity, cryptography o Status: Possible CD candidate by Oct 2005
U.S. Smart Card Landscape GSC Interoperability Specification is a legacy card framework ISO 24727 is the future framework PIV (SP800-73) is a card application specification looking for a framework A U.S. National Standard may provide an intermediate path between GSC and ISO 24727?
U.S. GSC Planned Work Formal Standards, international coordination PIV Reference Implementation (25 June) PIV Conformance Test Program (25 August) Procurement Guidance: General Services Administration Deployment Guidance: Office of Management and Budget And so on...
Major Challenges PIV Infrastructure Business model changes for Federal agencies Positioning the PIV application specification with respect to ISO 24727 Conformance testing Commercial product availability does NOT appear to be a problem in the SP800-73 domain o 3 cards already claim PIV compliance (beta)!
Conclusion Our PIV work in the U.S. has only begun, but the timing is good. After all, I retire in eight years so I may live to see full deployment of PIV cards.