Technology standards relate to the hardware, software, and platforms involved in most technical aspects of the identity lifecycle, including creating and proofing identities, issuing credentials, authenticating identities, and interoperating with other databases.
Major standards that facilitate the technical quality and interoperability of the ID system relate to: (1) biometrics, (2) cards, (3) 2D barcodes, (4) digital signatures, and (5) federation protocols. In some cases, standards represent a clear consensus and are used by a majority of ID systems globally. In other cases, there are competing standards that countries must adjudicate between. Different standards will also apply depending on the general design and goals of the ID system (e.g., whether the ID card will be used for international travel).
In order to assist practitioners with this process, ID4D has developed a catalog of technical standards that enumerates existing standards in these five areas and includes a decision tree to clarify where choices need to be made (see Figure 36 below). Readers should consult the full publication for more guidance on adjudicating between applicable standards.
Importantly, standards are not static and will evolve over time as new technologies emerge. Therefore, it is important to stay informed regarding emerging technologies and standards relevant for ID systems. For example, some work-in-progress standards include:
ISO 29794-part 5: The new expanded standard on facial biometrics, which could go live by 2020.
ISO/IEC JTC/1 SC/17 SG/2: A special group on standards for virtual identity.
Digital Travel Credential (DTC): Looks at both policy and technology and is coordinated between ICAO and ISO.
In general, looking toward the future will also help countries avoid investing in a system that may quickly become outdated as better solutions emerge.
Box 45. Examples of standards use
India’s Aadhaar ID system relies on a competitive, standards-based (“plug and play”) procurement model. Its standard-setting programs rely on standards that promote transparency, accountability, scalability, and technical compliance. These, and real-time quality monitoring, allow flexibility in procurement and competition among vendors, thereby limiting costs (for more details, see Gelb & Clark 2013b).
Estonia issues a smart “ID-Kaart” that has advanced electronic functions that facilitate secure authentication and legally binding digital signatures that may be used for nationwide online services. The e-ID infrastructure is scalable, flexible, interoperable, and standards-based. All certificates issued in association with the ID card scheme conform with European Directive 1999/93/EC on the use of electronic signatures in electronic contracts within the European Union (EU). The card complies with the ICAO Doc 9303 travel document standard, and its two one-dimensional bar codes, based on the ISO 15417 standard, are used to encode the personal ID number and the document identification number.
The ID-Kaart is a secure credential for accessing public services. To sign a document digitally, a communication model using standardized workflows in the form of a common document format (DigiDoc) has been employed. DigiDoc is based on the XML Advanced Electronic Signatures standard (XAdES) and is a profile of that standard. XAdES defines a format for the structured storage of data signatures and the security attributes associated with digital signatures, and hence provides for common understanding and interoperability.
Malawi has recently issued a biometric national ID card that includes an ICAO Identity Applet that will allow card holders to use it for all national travel at airports. In addition, an e-Health Applet that is compliant with European standard CW15974 will allow health offices to use the card to verify identity information and authorize the user for services.
Pakistan’s National Database and Registration Authority (NADRA) issues a smart National ID Card for Overseas Pakistanis (NICOP) that complies with ICAO standard 9303 (Part 3) and is also ISO 7816-4 compliant. This means that the card can be accepted as a form of digital ID in all international airports and at points of entry and departure.
Peru’s National Electronic ID Card (DNIe) provides citizens with a digital identity that can be authenticated physically and virtually. The DNIe includes two digital certificates that allow the cardholder to sign electronic documents with the same probative value as a handwritten signature. The card complies with the ISO/IEC-7816 standard and its biometrics system followed ISO/IEC 19794. The card is also compliant with ICAO Doc 9303 and can therefore also be used as a machine-readable travel document.
Figure 36. Technical standards decision tree