The TC on personal identification, electronic signature and cards was established in 1989. Its activities were initially focused on standards for cards in sectors such as telecomunications, health, transport and banking/payment. They targeted both functionality and security aspects.
Over time, the CEN/TC 224 work has broadened and included personal identification related aspects in a multi-sectorial environment.
Digital economy, dematerialised services and associated secure technologies is considered to be a growth area for Europe. This impacts the scope of the TC which is currently undergoing a review. Future activities of the committee will further concentrate on interoperability issues
226See European Commission, European Qualifications Framework for lifelong learning, no date.
227See EURALARM, Section Members Meeting Services, no date.
228See chapter 3.3.1
as well as on security of personal identification and related personal devices, systems and operations such as:
operations such as applications and services like electronic identification, electronic signature, payment and charging, access and border control;
personal devices with secure elements, independently of their form factor, such as cards, mobile devices, and their related interfaces;
security services including authentication, confidentiality, integrity, biometrics, pro-tection of personal and sensitive data;
system components such as accepting devices, servers and cryptographic modules.
Sectors such as public transport, road tolling, passports, and e-payments are now widely using contactless technology. Other sectors such as financial services are implementing this technology in their cards. Moreover, thanks to contactless technology and NFC229 technologies mobile devices may now be used for face-to-face transactions. This is also an area of further work for the committee.
CEN/TC 224 will also further explore a multi-sectorial dimension with special emphasis for sectors such as Government/Citizen, Transport, Banking and e-Health. It will also include the views of consumers and providers from the supply side such as card manufacturers, security technology, conformity assessment bodies and software manufacturers. The grouping of companies and alliances between the operators of different sectors may also occur in liaison with the development of multi-application solutions.
TC 224 currently encompasses the following working groups:
WG6: User interface and accessibility
WG11: Surface Transport Applications
WG15: European Citizen Card (ECC)
WG16: Electronic Signature: SSCD based on ISO 7816
WG17: Electronic Signature: Protection profiles for products and applications
WG18: Interoperability of biometrics recorded data
The following international and European TCs are relevant for CEN/TC 224:
ISO/IEC JTC 1/SC 17 “Cards and personal identification”
ISO/IEC JTC 1/SC 27 “IT Security techniques”
ISO/IEC JTC1/SC37 “Biometrics”
ISO/TC 68/SC 7 “Core Banking”
CEN/TC 251 “Health informatics”, for healthcare applications
CEN/TC 278 “Road transport and traffic telematics”, for surface transport applications
ETSI Electronic Signature Infrastructure Committee.
All parties involved in the development, production of systems and infrastructures are represented. These include:
229Near Field Communication
industry of cards and related smart secure devices (including components and cards manufacturers, personalisators as well as security service providers);
experts in security and cryptography, and providers of cryptographic modules;
operators of the various application sectors;
public authorities;
conformity assessment bodies;
software manufacturers and
consumers.
CEN/TC 224 has also established liaisons with several European and international organisations. Most recent security-related trends in the committee have covered electronic ID based services, e-Government and e-business, privacy by design aspects and electronic pay-ments. These trends are also expected to shape the activities of the committee in the months to come.
Most recent security related projects covered the European Citizen Card, electronic signature and other trust services and biometrics for border control. Some of these projects have been driven by manufacturers and others by EU regulations (see further below). Other projects are coherent with the scope of ISO international standardisation activities where the European Commission is encouraging European actors to play a much more proactive role.
Specific information on the interrelation between the TC’s standards and the European certification landscape is given in the following table.
Most important security-related standards of the TC
TS 15480, ECC, in 5 parts
EN 419212, Application interface for SSCD, in 5 parts EN 419111, Protection profiles for signature creation and verification application (5 parts)
EN 419211, Protection profiles for SSCD (6 parts)
EN 419221, Protection profiles for TSP cryptographic modules (5 parts)
EN 419231, Protection profiles for systems supporting time stamping
EN 419241, Protection profiles for systems supporting server signing (2 parts)
EN 419251, Protection profiles for devices for authentication (3 parts)
EN 419261, Security requirements for trustworthy systems managing certificates for electronic signatures
EN 419103 Conformity assessment for signature creation and validation
EN 419203 Conformity assessment for secure devices and trustworthy systems
(figure continues)
Security-related standards of the TC which form the basis of testing and certification processes
Not relevant. In general, the ISO common criteria form the basis for IT security certification. CEN/TC 224 does not duplicate the work of ISO but, either transposes some of the related international standards or uses them as the basis for specific European works. In a number of cases the ultimate objective of the work of the TC is to contribute to international standardisation. The TC deals with the development of a considerable number of protection profiles for each component of the electronic signature process.
Products: secure signature creation device, device for online authentication, cryptographic modules for Trust Service Providers, Time stamping systems, server signing.
Applications: signature creation and verification.
Product/process: capture of biometrics data.
Security-related standards which are related to
European directives or regulations
Electronic signatures and trust services, shaped by proposal for a Regulation on eID and Trust services for electronic transaction in the internal market. This Regulation will be a powerful legal instrument for the promotion of the digital economy in the internal market.
Various national or European regulations exist in relation with the work of CEN/TC 224 such as on electronic identification, data protection, identity card, electronic ticketing, Schengen Visa and passport, electronic signature, payment. These are:
Directive 1999/93/EC on electronic signatures and Regulation proposal on electronic identification and trust services for electronic transactions in the internal market:
all standards related to electronic signatures.
Directive 1995/46/EC on data protection and Regulation proposal on general data protection: potentially all standards.
Directive 2007/64/EC on payment services as well as the proposal of revision. The Green Paper of the European Commission "Towards an integrated European market for card, internet and mobile payments" and the Euro Retail Payment Board launches by the European Central Bank is a framework for CEN/TC 224 for further standardisation activities.
Potential activities for TC 224 might draw inspiration from the White Paper of the European Commission defining a roadmap to a Single European Transport Area – Towards a competitive and resource efficient transport system (2011):
EN 1545 (Data elements) EN 15320: Interoperable Public Transport Application Framework.
Major topics of the interoperability among components of systems such as the creation of a qualified electronic signature by a SSCD, commands/protocol between components (card/reader).
Another major topic is the protection of personal data.
A third major topic is trust: the TC involves consumer representatives as a guaranty for including consumer requirements in its work and for building trust. The TC also acts in close contact with various consumer organizations working – amongst other – on accessibility of services by people with disabilities.
However, enhancing consumer trust is not only a question of standardisation, it is also a communication issue. Trust is difficult to establish and can be quickly lost. Trust considerations are very much linked to consumer’s perceptions and the role of media. In some cases the most effective solution to create a link between a certification process and trust is through a label.
Main effects on the market and expectations
Effects: interoperability of security product/services, security of other services, cross-border recognition of security product/services. Expectations: enhancing the internal market for the above mentioned products and services.
Additional comments Any new methodology for certification developed in the framework of the CRISP project should factor in already existing practices and methodologies. It might also be useful to take into account methodologies specified outside the ESOs, such as the one developed by the European Payment Council – that provide specification of standards in the area of mobile payments and have defined a methodology for certification applicable in the field of security.
Finally, there might be the need to strike a balance between attempts to achieve a uniform methodology and the benefits of a portfolio of ad hoc methodologies.
Source: Own figure
Figure 25: Interrelation between CEN/TC 224 and the European certification landscape
The TC’s activities are aimed at providing a sound basis for the development of numerous trusted applications based on personal identification and for trust in electronic transactions.
Enhanced interoperability in security of personal identification related products and services is of utmost importance. In this respect, the increased mobility of European citizens through the EU requires cross border interoperability of these systems. There is also the ambition of strengthening the position of the supply side for non European markets. The “trust” dimension receives special emphasis in the committee’s activities. Consumers confidence (including
security, quality, ergonomical and privacy aspects) is an important key factor for successful market development and integration.
Stakeholders’ involvement is inherent to the functioning of the committee. This guarantees that demand for security standards is not exclusively driven by the supply side. An interview-ee stressed the importance of avoiding any conflict of interest in the development of security standards. Such standards should always include requirements that satisfactorily match all possible risks. Security standards should be developed by balancing profit considerations and the public interest. In this sense, the role of the European Commission in coordinating some of the most strategic security standardisation activities is crucial and active stakeholder partic-ipation is a dominant point of attention for the CEN/TC 224.