ISO/IEC 18013-3:2017/PRF Amd 2
(Amendment)Information technology — Personal identification — ISO-compliant driving licence — Part 3: Access control, authentication and integrity validation — Amendment 2: Updates for passive authentication
Information technology — Personal identification — ISO-compliant driving licence — Part 3: Access control, authentication and integrity validation — Amendment 2: Updates for passive authentication
Technologies de l'information — Identification des personnes — Permis de conduire conforme à l'ISO — Partie 3: Contrôle d'accès, authentification et validation d'intégrité — Amendement 2: Titre manque
General Information
Relations
Buy Standard
Standards Content (Sample)
INTERNATIONAL ISO/IEC
STANDARD 18013-3
Second edition
2017-04
AMENDMENT 2
Information technology — Personal
identification — ISO-compliant driving
licence —
Part 3:
Access control, authentication and
integrity validation
AMENDMENT 2: Updates for passive
authentication
PROOF/ÉPREUVE
Reference number
ISO/IEC 18013-3/Amd. 2:2023(E)
© ISO/IEC 2023
---------------------- Page: 1 ----------------------
ISO/IEC 18013-3/Amd. 2:2023(E)
COPYRIGHT PROTECTED DOCUMENT
© ISO/IEC 2023
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
PROOF/ÉPREUVE © ISO/IEC 2023 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 18013-3/Amd. 2:2023(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical
activity. ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.The procedures used to develop this document and those intended for its further maintenance
are described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria
needed for the different types of document should be noted. This document was drafted in
accordance with the editorial rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives or
www.iec.ch/members_experts/refdocs).Attention is drawn to the possibility that some of the elements of this document may be the subject
of patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent
rights. Details of any patent rights identified during the development of the document will be in the
Introduction and/or on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC
list of patent declarations received (see https://patents.iec.ch).Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to
the World Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, SC 17,
Cards and security devices for personal identification.A list of all parts in the ISO/IEC 18013 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards
body. A complete listing of these bodies can be found at www.iso.org/members.html and
www.iec.ch/national-committees.iii
© ISO/IEC 2023 – All rights reserved PROOF/ÉPREUVE
---------------------- Page: 3 ----------------------
ISO/IEC 18013-3/Amd. 2:2023(E)
Information technology — Personal identification — ISO-
compliant driving licence —
Part 3:
Access control, authentication and integrity validation
AMENDMENT 2: Updates for passive authentication
Page 1, Clause 2 Normative references
Replace ISO/IEC 7816-4:2013 with ISO/IEC 7816-4.
Replace ISO/IEC 7816-4:2013 with ISO/IEC 7816 in Clause 4 and subclauses 8.2.4.1, 8.5.4, B.6.1,
Table B.3 and Table B.5.Page 1, Clause 2 Normative references
Replace
ISO/IEC 10118-3:2004, Information technology — Security techniques — Hash-functions — Part 3:
Dedicated hash-functionswith
ISO/IEC 10118-3, IT Security techniques — Hash-functions — Part 3: Dedicated hash-functions
Replace ISO/IEC 10118-3:2018 with ISO/IEC 10118-3 in B.8.Page 2, Clause 2 Normative references, Footnote 2)
Replace
ISO/IEC 11770-2:1996 is withdrawn and replaced by the 2008 version.
with
ISO/IEC 11770-2:1996 is withdrawn and replaced by the 2018 version.
Page 2, Clause 2 Normative references
Replace
"FIPS 186-2 (including Change Notice), Digital Signature Standard (DSS), Federal Information
Processing Standards Publication, National Institute of Standards and Technology, 27 January 2000"
with"FIPS 186-4 (including Change Notice), Digital Signature Standard (DSS), Federal Information
Processing Standards Publication, National Institute of Standards and Technology, July 2013"
© ISO/IEC 2023 – All rights reserved PROOF/ÉPREUVE---------------------- Page: 4 ----------------------
ISO/IEC 18013-3/Amd. 2:2023(E)
Page 4, subclause 3.11
Replace
Note 1 to entry See 8.1.
with
Note 1 to entry See 8.1. and Annex G (informative)
Page 12, subclause 8.1
Replace
8.1 Passive authentication
with
8.1 Passive authentication (ver 02)
Page 12, subclause 8.1.1
Add the following paragraph at the end of the subclause:
This version 02 of passive authentication supersedes the deprecated version 01 included in Annex G
(informative) for the information of manufacturers of readers that must be able to read IDL cards
issued in accordance with this version that have not yet expired.Page 13, subclause 8.1.3
In the third to last paragraph, second sentence, replace
“…it may be possible to further narrow down the cause of the non-verification.”
with
“…it can be possible to further narrow down the cause of the non-verification.”
Page 13, subclause 8.1.4.1
In the first paragraph, delete “SHA-1, SHA-224,”..
In the second paragraph, delete "SHA-1 remains for compatibility with ICAO Doc 9303-1."
Page 16, subclause 8.1.5.1In NOTE 2 replace
“Data Groups 15 and 16 may be defined in future.”
with
“Data Groups 15 and 16 can be defined in future.”
PROOF/ÉPREUVE © ISO/IEC 2023 – All rights reserved
---------------------- Page: 5 ----------------------
ISO/IEC 18013-3/Amd. 2:2023(E)
Page 16, subclause 8.1.5.2
In the first NOTE replace "DG11" with "DG.SOD.1 and DG.SOD.H".
In the second paragraph, replace "FIPS 186-2, Appendix 6” with "Table 3".
In the third paragraph, delete “and one Type 1 data group”.
In the lettered list, replace b) with:
“b) DG.SOD.H: SHA-256 hash of IA public key certificate that contains the public key for the
verification of the DG.SOD.1 signature; the hash value shall be calculated over the entire DER-
encoded certificate (including the signature);”In the lettered list, delete c).
Under "DG.SOD shall be added after DG12, as follows:", replace with:
“[header] × [Data Group 1] × [Data Group 2] × [Data Group 3] × [Data Group 4] × [Data Group 7] ×
[Data Group 11] × [Data Group 12] × [DG.SOD.1 length] [digital signature] × [DG.SOD.H length]
[hash value]”Under the content of DG.SOD, replace “The inclusion of DG.SOD.2 and DG.SOD.3 (as a pair) is optional.”
with "DG.SOD.1 and DG.SOD.H shall be included."In the second NOTE replace “specifically the ISO issuer ID number and document discriminator in
DG3 and the licence number and date of issue in DG1” with “specifically the ISO issuer ID number from
ISO/IEC 7812-1, and document discriminator in DG3 and the licence number and date of issue in DG1”.
Replace Table 3 with:Curve name in FIPS 186-4 Curve name in RFC 5639
P-224 brainpoolP224r1
P-256 brainpoolP224t1
P-384 brainpoolP256r1
P-521 brainpoolP256t1
brainpoolP320r1
brainpoolP320t1
brainpoolP384r1
brainpoolP384t1
brainpoolP512r1
brainpoolP512t1
Replace the EXAMPLE with:
EXAMPLE Suppose that a compact encoded data string contains the following data groups: DG1, DG2,
DG7, DG.SOD.1 and DG.SOD.H. A digital signature and public key certificate hash is included.
The sequence of data groups and data group delimiters will be as follows:[header] × [DG1] × [DG2] × × × [DG7] × × × [DG.SOD.1] × [DG.SOD.H] ¶
Page 46, A.5.1, second list b) second paragraph
© ISO/IEC 2023 – All rights reserved PROOF/ÉPREUVE
---------------------- Page: 6 ----------------------
ISO/IEC 18013-3/Amd. 2:2023(E)
Replace
"For compact encoding, the appropriate public document key is identified by comparing the issue date
of the IDL with the “valid for signing from” and “valid for signing until” dates of the available public
document keys of the IA."with
"For compact encoding, the appropriate public document key can be identified using the hash value of
the signer certificate."After Annex F
Add new Annex G.
PROOF/ÉPREUVE © ISO/IEC 2023 – All rights reserved
---------------------- Page: 7 ----------------------
ISO/IEC 18013-3/Amd. 2:2023(E)
Annex G
(informative)
Passive authentication (version 01)
G.1 General
This annex defines the deprecated passive authentication (ver 01) for the information of manufacturers
of readers that must be able to read IDL cards issued in accordance with this version that have not yet
expired.G.2 Purpose
The purpose of passive authentication is to confirm that machine-readable data has not been changed
since the IDL was issued.G.3 Applicability
Passive authentication is applicable to all machine-readable technologies.
G.4 Description
Passive authentication is implemented by way of a digital signature over specified machine-readable
data on the IDL, using a public-private (asymmetric) key pair.In the case of standard encoding, a separate message digest is calculated for each data group and
included in the machine-readable data. The collection of message digests is then digitally signed (using
a private key that is kept secret by the IA) and the digital signature is added to the machine-readable
data.In the case of compact encoding, no message digests are calculated separately. The contents of the
data groups present is directly signed (using a private key that is kept secret by the IA) and the digital
signature is added to the machine-readable data.NOTE A message digest has the following properties:
a) It is very small
...
Deleted: Date: 2022-12-13¶
ISO/IEC 18013-3:2017/PRF Amd 2
Deleted: AM
ISO/IEC JTC 1/SC 17
Deleted: :2022(E)
Deleted: /WG 10
Secretariat: BSI
Date: 2023-01-27
Information technology — Personal identification — ISO-
Deleted: —
compliant driving licence —
Part 3:
Access control, authentication and integrity validation
Deleted: Certificate hash
AMENDMENT 2: Updates for passive authentication
Deleted: compact encoding
Deleted: Technologies de l'information — Identification
des personnes — Permis de conduire conforme à l'ISO —
Partie 3: Contrôle d'accès authentification et validation
FDIS stage
d'intégrité Amendement 2¶
Copyright notice¶
This
---------------------- Page: 1 ----------------------
ISO/IEC 18013-3:2017/PRF Amd 2(E)
Deleted: DAM
Deleted: :2022
© ISO/IEC 2017
Deleted: document is a working draft
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this
publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, Deleted: committee draft and is copyright-protected
by ISO. While …including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can
be requested from either ISO at the address below or ISO’s member body in the country of the requester.
Deleted: reproductionDeleted: working drafts or committee drafts in any
ISO copyright office
form for use by participants in the ISO standards
CP 401 • Ch. de Blandonnet 8
development process is permitted without prior
CH-1214 Vernier, Geneva
permission from ISO, neither
Phone: + 41 22 749 01 11
Deleted: document nor any extract from it
E-mail: copyright@iso.org
Deleted: , stored
Website: www.iso.org
Deleted: transmitted in any form for any other
Published in Switzerland
purpose…
Deleted: from ISO
Deleted: Requests for permission to reproduce this
document for the purpose of selling it should be
addressed as shown below or to ISO's member body in
the country of the requester:¶
Deleted: Case postale 56 •
Deleted: 1211
Deleted: 20
Deleted: Tel.
Deleted: Fax + 41 22 749 09 47¶
Deleted: Web
Deleted: Reproduction for sales purposes may be
subject to royalty payments or a licensing agreement.¶
Violators may be prosecuted.¶
© ISO/IEC 2017 – All rights reserved
---------------------- Page: 2 ----------------------
ISO/IEC 18013-3:2017/PRF Amd 2(E)
Foreword
ISO (the International Organization for Standardization) and IEC (the International Electrotechnical
Commission) form the specialized system for worldwide standardization. National bodies that are
members of ISO or IEC participate in the development of International Standards through technical
committees established by the respective organization to deal with particular fields of technical activity.
ISO and IEC technical committees collaborate in fields of mutual interest. Other international
organizations, governmental and non-governmental, in liaison with ISO and IEC, also take part in the
work.The procedures used to develop this document and those intended for its further maintenance are
described in the ISO/IEC Directives, Part 1. In particular, the different approval criteria needed for the
different types of document should be noted. This document was drafted in accordance with the editorial
rules of the ISO/IEC Directives, Part 2 (see www.iso.org/directives orwww.iec.ch/members_experts/refdocs).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. ISO and IEC shall not be held responsible for identifying any or all such patent rights. Details
of any patent rights identified during the development of the document will be in the Introduction and/or
on the ISO list of patent declarations received (see www.iso.org/patents) or the IEC list of patent
declarations received (see https://patents.iec.ch). Deleted: ).Any trade name used in this document is information given for the convenience of users and does not
constitute an endorsement.For an explanation of the voluntary nature of standards, the meaning of ISO specific terms and
expressions related to conformity assessment, as well as information about ISO's adherence to the World
Trade Organization (WTO) principles in the Technical Barriers to Trade (TBT) see Deleted: ),
www.iso.org/iso/foreword.html. In the IEC, see www.iec.ch/understanding-standards.
This document was prepared by Joint Technical Committee ISO/IEC JTC 1, Information technology, SC 17,
Cards and security devices for personal identification.A list of all parts in the ISO/IEC 18013 series can be found on the ISO website.
Any feedback or questions on this document should be directed to the user’s national standards body. A
complete listing of these bodies can be found at www.iso.org/members.html and www.iec.ch/national-
committees.© ISO/IEC 2017 – All rights reserved iii
---------------------- Page: 3 ----------------------
Deleted: ISO/IEC 18013-3:2017/DAM 2:2022(E)
Information technology — Personal identification — ISO-
Deleted: —
compliant driving licence —
Part 3:
Access control, authentication and integrity validation
Deleted: standard and compact encoding
AMENDMENT 2: Updates for passive authentication
Page 1, Clause 2 Normative references
Deleted: 2
Replace ISO/IEC 7816-4:2013 with ISO/IEC 7816-4.
Replace ISO/IEC 7816-4:2013 with ISO/IEC 7816 in Clause 4 and subclauses 8.2.4.1, 8.5.4, B.6.1, Table
B.3 and Table B.5.Page 1, Clause 2 Normative references
Replace
ISO/IEC 10118-3:2004, Information technology — Security techniques — Hash-functions — Part 3:
Dedicated hash-functionswith
ISO/IEC 10118-3, IT Security techniques — Hash-functions — Part 3: Dedicated hash-functions
Replace ISO/IEC 10118-3:2018 with ISO/IEC 10118-3 in B.8.Page 2, Clause 2 Normative references, Footnote 2)
Replace
ISO/IEC 11770-2:1996 is withdrawn and replaced by the 2008 version.
with
ISO/IEC 11770-2:1996 is withdrawn and replaced by the 2018 version.
Page 2, Clause 2 Normative references
Replace
"FIPS 186-2 (including Change Notice), Digital Signature Standard (DSS), Federal Information Processing
Standards Publication, National Institute of Standards and Technology, 27 January 2000"
with"FIPS 186-4 (including Change Notice), Digital Signature Standard (DSS), Federal Information Processing
Standards Publication, National Institute of Standards and Technology, July 2013"
Page 4, subclause 3.11 Deleted: ClauseReplace
Note 1 to entry See 8.1.
Deleted: :
with
Note 1 to entry See 8.1. and Annex G (informative)
Deleted: :
Deleted: © ISO/IEC 2022 – All rights reserved
...
---------------------- Page: 4 ----------------------
ISO/IEC 18013-3:2017/PRF Amd 2(E)
Page 12, subclause 8.1 Deleted: Clause
Replace
8.1 Passive authentication
with
8.1 Passive authentication (ver 02)
Page 12, subclause 8.1.1
Deleted: Clause
Add the following paragraph at the end of the subclause:
Deleted: clause
This version 02 of passive authentication supersedes the deprecated version 01 included in Annex G
(informative) for the information of manufacturers of readers that must be able to read IDL cards
issued in accordance with this version that have not yet expired.Page 13, subclause 8.1.3 Deleted: Clause
In the third to last paragraph, second sentence, replace
“…it may be possible to further narrow down the cause of the non-verification.”
with
“…it can be possible to further narrow down the cause of the non-verification.” Deleted: .”.
Page 13, subclause 8.1.4.1 Deleted: ClauseIn the first paragraph, delete “SHA-1, SHA-224,”..
In the second paragraph, delete "SHA-1 remains for compatibility with ICAO Doc 9303-1."
Page 16, subclause 8.1.5.1 Deleted: ClauseIn NOTE 2 replace
“Data Groups 15 and 16 may be defined in future.”
with
“Data Groups 15 and 16 can be defined in future.”
Page 16, subclause 8.1.5.2 Deleted: Clause
In the first NOTE replace "DG11" with "DG.SOD.1 and DG.SOD.H".
In the second paragraph, replace "FIPS 186-2, Appendix 6” with "Table 3".
In the third paragraph, delete “and one Type 1 data group”.
In the lettered list, replace b) with:
“b) DG.SOD.H: SHA-256 hash of IA public key certificate that contains the public key for the
verification of the DG.SOD.1 signature; the hash value shall be calculated over the entire DER-
encoded certificate (including the signature);”In the lettered list, delete c).
Under "DG.SOD shall be added after DG12, as follows:", replace with:
“[header] × [Data Group 1] × [Data Group 2] × [Data Group 3] × [Data Group 4] × [Data Group 7] ×
[Data Group 11] × [Data Group 12] × [DG.SOD.1 length] [digital signature] × [DG.SOD.H length] [hash
value]”Deleted: 22
...
© ISO/IEC 2017 – All rights reserved
---------------------- Page: 5 ----------------------
ISO/IEC 18013-3:2017/PRF Amd 2(E)
Deleted: DAM
Under the content of DG.SOD, replace “The inclusion of DG.SOD.2 and DG.SOD.3 (as a pair) is optional.”
Deleted: :2022with "DG.SOD.1 and DG.SOD.H shall be included."
In the second NOTE replace “specifically the ISO issuer ID number and document discriminator in DG3
and the licence number and date of issue in DG1” with “specifically the ISO issuer ID number from ISO/IEC Deleted: , which shall be in accordance with
7812-1, and document discriminator in DG3 and the licence number and date of issue in DG1”.
Replace Table 3 with:Curve name in FIPS 186-4 Curve name in RFC 5639
P-224 brainpoolP224r1
P-256 brainpoolP224t1
P-384 brainpoolP256r1
P-521 brainpoolP256t1
brainpoolP320r1
brainpoolP320t1
brainpoolP384r1
brainpoolP384t1
brainpoolP512r1
brainpoolP512t1
Replace the EXAMPLE with:
EXAMPLE Suppose that a compact encoded data string contains the following data groups: DG1, DG2,
DG7, DG.SOD.1 and DG.SOD.H. A digital signature and public key certificate hash is
included. The sequence of data groups and data group delimiters will be as follows:
[header] × [DG1] × [DG2] × × × [DG7] × × × [DG.SOD.1] × [DG.SOD.H] ¶Page 46, A.5.1, second list b) second paragraph Deleted: Annex
Replace
"For compact encoding, the appropriate public document key is identified by comparing the issue date of
the IDL with the “valid for signing from” and “valid for signing until” dates of the available public
document keys of the IA."with
"For compact encoding, the appropriate public document key can be identified using the hash value of
the signer certificate."After Annex F
Add new Annex G.
Deleted: © ISO/IEC 2022 – All rights reserved
...
© ISO/IEC 2017 – All rights reserved 3
---------------------- Page: 6 ----------------------
ISO/IEC 18013-3:2017/PRF Amd 2(E)
Annex G
(informative)
Passive authentication (version 01)
G.1 General
This annex defines the deprecated passive authentication (ver 01) for the information of manufacturers
of readers that must be able to read IDL cards issued in accordance with this version that have not yet
expired.G.2 Purpose
The purpose of passive authentication is to confirm that machine-readable data has not been changed
since the IDL was issued.G.3 Applicability
Passive authentication is applicable to all machine-readable technologies.
G.4 Description
Passive authentication is implemented by way of a digital signature over specified machine-readable data
on the IDL, using a public-private (asymmetric) key pair.In t
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.