What is the ISO/IEC 24727 standard and what does it achieve?
Formally known as "ISO/IEC 24727 - Identification cards - Integrated circuit card programming interfaces", this is an important multi-part international standard developed to provide interoperability between identity tokens from different systems that manage identity, authentication and signatures - IAS Systems. The interoperability goals which the standard is designed to achieve include portability of middleware and tokens, independence of token platform, independence of tokens administration and independence of component certification procedures.
What issues are not already addressed by existing smart card standards?
One of the challenges of implementing identification systems is that the existing smart card standards (ISO/IEC 7816, ISO/IEC 14443, etc) are manufacturing standards, not interoperability standards. They offer a great degree of flexibility and literally many hundreds of options for implementation. This is problematic because any system targeting interoperability needs to support the particular combination of options for a particular implementation. This may suffice for a closed system, but as modern smart card implementations move outside the borders of individual cities, states or countries, or need to operate with multiple third parties, the need for open and interoperable implementations rises, as does the need for open and discoverable implementations under a higher level standard such as ISO/IEC 24727.
These existing standards describe low level communications and protocols that have so many options that they effectively guarantee disparate implementations that are neither interchangeable nor discoverable, and where each card manufacturer can implement the exact same specification just differently enough so that interoperability is not achieved. (One of the reasons why so many rounds of ePassport interoperability testing were required).
Another challenge is that the existing smart card standards (ISO/IEC 7816, ISO/IEC 14443, etc) solely address the low level interface to the card itself and provide no assistance to the average developer, who will not understand smart card communication via APDUs or cut down languages like Java Card, MEL etc - there has never before been a smart card standard which enabled a standardized set of services and a security architecture available through common high level APIs. This lack of common APIs causes difficulties for normal developers by requiring that they have knowledge of the explicit card manufacturer command sets and even the slight variances between manufacturers implementation of the same theoretically standardised command.
How does ISO/IEC 24727 solve these issues?
The ISO/IEC 24727 suite of standards sets strict limits on the allowable options and introduces a set of common services for routine actions, such as connection and cryptographic actions, that are required by typical implementations taking advantage of smart card based credentials, in particular the ability to employ cryptographic functionality. The standard defines a generic card interface such that independent implementations are interoperable and interchangeable by enabling, for example, system A to use system B's cards. ISO/IEC 24727 enables a modern, high level programming API with data structures and a service-orientated model that provides interoperability. This standardisation of architecture, generic hardware (card) interface and application programming interface has long been available in software systems for computers and networks, but has been sorely lacking in the smart card space.
What benefits does ISO/IEC 24727 offer government agencies?
As discussed above, smart card
technology has faced obstacles in the past due to a lack of interoperability
among applications and systems from different vendors. ISO/IEC 24727 offers
smart card scheme operators an internationally standardised alternative to a world of limited proprietary solutions. This opportunity to standardise smart card projects will benefit the entire
life cycle of smart card initiatives including design and specification, tender
preparation and issuance, implementation, operation and maintenance. Government
agencies and organisations implementing
identification systems based on smart card tokens will be able to reduce the
time, cost and risk of deploying critical security applications to their card
and passport holders.
ISO/IEC 24727 also offers Governments, for the very first time, a standards based methodology for defining complex, multi level access controls. Prior to ISO/IEC 24727, the only way to implement complex access control rules (especially complex privacy rules) was for each application to fully code the access controls in a proprietary on-card application. These were typically never re-used, and often were locked into proprietary authentication protocols. From this point of view, the ICC-resident-stack model of ISO/IEC 24727 can be seen as an "Identity Card Operating System" where complex access controls, with multi layered rules, and a wide range of authentication protocols can be configured with no development or coding of the on-card application at all. As manufacturers implement ISO/IEC 24727 and its most popular authentication protocols in the mask of their smartcards, this will make application functionality and interoperability much easier, since the actual application will become purely the configuration of an ISO/IEC 24727 ICC-resident-stack implemented natively on the card.
How can ISO/IEC 24747 provide interoperability?
The standard enables client-applications and middleware, that need to use data storage and processing of a smart card-application, to use a high-level interface and view a generic "virtual" card edge interface - irrespective of the card type or interface (contact or contactless) being used. This is designed to help to prevent vendor-specific schemes and hide implementation-specific differences between tokens from different manufacturers.
ISO/IEC 24727 thereby enables interoperability of different identity tokens within a system, while also enabling identity tokens from one system to be routinely used within other systems. In effect, this targets interoperability through interworking of tokens instead of the (far more complex and expensive) interconnecting of entire systems. ISO/IEC 24727 is therefore particularly relevant for smart card applications requiring interoperability among diverse application domains and the standardisation of the application-middleware-card interface is expected to provide a major contribution to the global interoperability of identity smart cards and smart card applications.
Have any governments adopted ISO/IEC 24727 to date?
The standard is sufficiently important that, while parts 5 and 6 have still to be finalised, it has already been selected for a number of major national and federal smart identity card implementations around the world including:
- European Union Citizens Card
- German Smart ID Card
- German Electronic Health Card
Several of these specific use cases will be discussed in the tutorial, including identity cards, health cards, driving licences and the application of ISO/IEC 24727 in a national government smart card framework. The standard is also currently under consideration for adoption by a number of other government agencies around the world.
How important is the ISO/IEC 24727 standard likely to become in the future?
Already widely acknowledged as an
important step for the identification market toward global interoperability of
smart card applications, ISO/IEC 24727 looks set to become as important for the
identification market as GSM 11.11 was for the development of the mobile
market, and as significant as the EMV specifications have become for the
financial payment card market. It allows client applications to be built with a
common coherent approach in the definition and use of electronic identification
documents which by technical nature, country laws or historical back ground
culture will always have differences.