CEN/TC 224 - Machine-readable cards, related device interfaces and operations

This Technical Report provides an overview of the current deployment of biometric systems within Europe. It addresses the challenges that are being faced, in order to detect the current needs for improving the specifications for the implementation and deployment of biometric systems. This Technical Report considers all kind of deployments, from border control to ad-hoc services. As most of the deployed systems are based on the use of fingerprints or face recognition, this Technical Report will focus on these two biometric modalities, from the system integrator and interoperability points of view.
Identity documents, in terms of production, structure, interoperability, etc., are out of the scope of this TR. The TR is focused on the performance at system level.
The current European legislative initiatives around this topic (e.g., Entry/Exit System, framework for interoperability between EU information systems, etc.) need a robust framework study about the availability of standard technologies to improve interoperability in biometric products around the European Union.
By showing these needs, a set of recommendations for future standardization works is provided.
From a methodological perspective, the report gathers information of different entities with this classification:
- Capture/enrolment of biometrics including the quality assurance and the generation of feature or biometric models from the images.
- Best practices and guidelines to use biometrics in Europe.
- Data Quality environment using biometrics in European networks.

This document identifies relevant existing standards and standards work in progress around European Digital Identity Wallets. It also identifies missing work items and overlaps in standards and is supposed to work as a roadmap for future standardization projects in the area.

This document establishes a systematic description of the concepts in the field of biometrics pertaining to recognition of human beings. This document also reconciles variant terms in use in pre-existing International Standards on biometrics against the preferred terms, thereby clarifying the use of terms in this field.
This document does not cover concepts (represented by terms) from information technology, pattern recognition, biology, mathematics, etc. Biometrics uses such fields of knowledge as a basis.
In principle, mode-specific terms are outside of scope of this document.

This document consolidates information relating to successful and high quality biometric enrolment processes of facial and fingerprint systems, while indicating risk factors and providing appropriate mitigations. This information supports decisions regarding procurement, design, deployment and operation of these biometric systems.
This document provides guidance on:
—   capturing of facial images to be used as reference images in identity and secure documents;
—   capturing of fingerprint images to be used as reference images in identity and secure documents;
—   data quality maintenance for biometric reference data;
—   data authenticity maintenance for biometric reference data.
The document addresses the following aspects which are specific for biometric reference data capturing:
—   biometric data quality and interoperability ensurance;
—   data authenticity ensurance;
—   morphing and other presentation attack detection as well as other unauthorized changes;
—   accessibility and usability;
—   privacy and data protection;
—   optimal enrolment design.
The following aspects are out of scope:
—   IT security;
—   data capturing for verification purposes, e.g. in ABC gates;
—   capturing biometric data for enrolment in other systems different from data enrolment for integration in secure MRTD, like entry/exit systems.
This document consolidates the role of the enrolment process in a biometric system and differentiates the enrolment from the authentication, while mentioning key factors of the enrolment process that are feature independent.
Interests of the existing stakeholders are broken down and provide an insight on different views of the enrolment. In addition, organisational enrolment approaches are covered.
This document is not concerned with IT requirements or the capturing of biometric data for inspection, identification or verification purposes without the required step of creating an identity document using the captured data.

This document provides guidance on providing access:
— to areas with physical access control, e.g. entertainment facilities, train stations, shops, libraries, banks, or border control,
— for small groups of persons, e.g. families with small children or seniors, or other accompanied persons in need of support,
— by means of biometric authentication technologies, e.g. facial, fingerprint, or vein recognition,
— in the European regulatory context.
The document addresses the following aspects, which are specific for biometric and group access:
— accessibility and usability,
— user guidance including group guidance and interaction control,
— privacy including data set content,
— presentation attack detection,
— applicable biometric technologies,
— storage of reference data,
— biometric process integration,
— specific needs considering biometrics for groups,
— biometric performance and error rates, and
— group internal linkage.
The following aspects which reflect on generic access control issues are out of scope:
— IT security,
— application specific physical security,
— policy definition,
— processes not related to biometric authentication, and
— specific performance requirements of identification (1:N) and verification (1:1) applications.

This document covers the ergonomic layout and usability of keypads. The keypad consists of numeric, command and function keys and alphanumeric characters. On the basis that keypad layout impacts performance (keying speed, and errors), this document aims to:
-   enhance usability,
-   ensure ease of use through consistency,
-   increase customer confidence,
-   reduce customer error,
-   improve operating time,
-   ensure ergonomic data entry.
This document specifies the arrangement, the number and location of numeric, function and command keys, including placement of alphabetic characters on numeric keys. Design requirements and recommendations are also provided.
This document applies to all identification card systems with a numeric keypad for use by the public for stationary or non-stationary devices. This document also covers keypads on touch sensitive devices.

This document provides an overview of a framework on breeder documents. It introduces the document structure of CEN/TS 17489 (all parts) that specifies how citizens retain the control of breeder document data and how they can use them to support identity proofing and verification. Moreover, the framework provides methodologies to assess and increase the level of trust in breeder documents.
This framework specifies methods for:
-   defining physical and logical/digital representations of a secure breeder document (hardware based, paper-based, server-based),
-   securing breeder document processes,
-   linking the document to its legitimate holder.
The following types of breeder documents are in the scope of the framework:
-   birth certificates,
-   marriage and partnership certificates,
-   death certificates.
The following breeder documents management processes including first-time application, later-in-life registration of an identity, and content update (e.g. name-changing) are in the scope of this framework:
-   registration,
-   issuance,
-   renewal,
-   inspection/verification,
-   revocation.
The specification of policies is out of scope.

This document specifies a protection profile for trustworthy systems supporting time stamping.

The scope of proposed 419 241 part 2 (PP TSCM) covers security requirements to reach compliance with Annex II of Regulation No 910/2014 of the remote (qualified TSP operated) parts of the system, other than those relating to Signature Activation Data (SAD) management and the operation of the Signature Activation Protocol (SAP), assuming use of a cryptographic module conforming to EN 419 221-5. EN 419 241 part 2 will be balloted simultaneously with EN 419241 Part 3 Protection profile for Signature Activation Data management and Signature Activation Protocol(PP-SAD+SAP). These two new parts of EN 419 241, used in conjunction with the protection for PP for Cryptographic Module for Trust Services (EN 419 221-5), will contain security requirements for level 2 (sole control) as specified in TS 419 241 in a formal manner aligned with common criteria. These two new parts of EN 419 241, with EN 419 221-5, will support the certification of a system for remote qualified electronic signature or seal creation devices (remote QSCD) which meet the requirements of EU Regulation No 910/2014: The electronic signature creation data can be reliably protected by the legitimate signatory (sole control) against use by others, where the generation and management of the signature creation data is carried out by a qualified trust service provider on behalf of a signatory.
The scope of proposed 419 241 part 3 (PP-SAD+SAP) covers security requirements to reach compliance with Annex II of Regulation No 910/2014 on the management of the SAD and the operation of the SAP used to provide sole control of the signatory or seal creator for the remote QSCD signing or sealing functions. The proposed parts 2 and 3 are to be independent of specific authentication mechanism and signature activation protocol to allow maximum flexibility with respect to future solutions and to allow supporting several authentication mechanisms. The proposed part 3 is to take into account: a) potential implementations that require dedicated functional components, owned by the signatory or seal creator, which are for the purposes of ensuring sole control, and b) potential implementations that do not require such dedicated functional components but still ensuring sole control of the signatory or seal creator. The proposed part 3 covers requirements up to the interface to the signatory or seal creator needed for authentication and the interface to the signature creation application for selection, checking and display of data to be signed (e. g. a signature creation application as defined in EN 419 111) while requirements on the signature creation application itself are out of scope. It is proposed that part 3 (PP-SAD+SAP) forms the prime reference for server signing that may be certified according to Regulation No 910/2014 including Annex II, and that this part requires components certified according to part 2 (PP TSCM) and EN 419221-5.

This document specifies conditions for use of an EN 419221-5 certified device in the case the signatory or seal creator has direct local control of the cryptographic module with the aim of being recognised as a qualified seal and/or signature creation device as defined in Regulation EU 910/2014 [1].
This document is aimed at use by entities other than trust service providers. Trust service providers can use EN 419221-5 directly without the need to take into account specific conditions as specified in the present document.

This document considers requirements of the eIDAS regulation and use cases for qualified electronic seal creation devices and how these requirements may be met by standards.
These use cases will take into account differences in articles 26 and 36 of eIDAS on (sole) control of the signatory and seal creator on its signature / seal creation data, whilst also recognizing the commonalities.
This may possibly lead to identifying requirements for updates to existing standards.
The proposed table of content is the following:
1 Scope
2 References
3 Terms and definitions
3.1 Terminology
3.2 Abbreviations
4 A Consideration of Relevant Regulatory Requirements
5 Use cases
6 Analysis of features of Standard and Use cases
6.1 EN 419 211-x
6.1.1 Main Features relating to use cases
6.1.2 Applicability to use cases
6.2 EN 419 221-5
6.2.1 Main Features relating to use cases
6.2.2 Applicability to use cases
6.3 EN 419 241-1 / -2
6.3.1 Main Features relating to use cases
7 Summary of Conclusions

1.1   General
This document specifies security requirements and recommendations for Trustworthy Systems Supporting Server Signing (TW4S) that generate digital signatures.
The TW4S is composed at least of one Server Signing Application (SSA) and one Signature Creation Device (SCDev) or one remote Signature Creation Device.
A remote SCDev is a SCDev extended with remote control provided by a Signature Activation Module (SAM) executed in a tamper protected environment. This module uses the Signature Activation Data (SAD), collected through a Signature Activation Protocol (SAP), in order to guarantee with a high level of confidence that the signing keys are used under sole control of the signer.
The SSA uses a SCDev or a remote SCDev in order to generate, maintain and use the signing keys under the sole control of their authorized signer. Signing key import from CAs is out of scope.
So when the SSA uses a remote SCDev, the authorized signer remotely controls the signing key with a high level of confidence.
A TW4S is intended to deliver to the signer or to some other application, a digital signature created based on the data to be signed.
This standard:
-   provides commonly recognized functional models of TW4S;
-   specifies overall requirements that apply across all of the services identified in the functional model;
-   specifies security requirements for each of the services identified in the TW4S;
-   specifies security requirements for sensitive system components which may be used by the TW4S.
This standard is technology and protocol neutral and focuses on security requirements.
1.2   Outside of the scope
The following aspects are considered outside of the scope of this document:
-   other trusted services that may be used alongside this service such as certificate issuance, signature validation service, time-stamping service and information preservation service;
-   any application or system outside of the TW4S (in particular the signature creation application including the creation of advanced signature formats);
-   signing key and signing certificate import from CAs;
-   the legal interpretation of the form of signature (e.g. electronic signature, electronic seal, qualified or otherwise).
1.3   Audience
This standard specifies security requirements that are intended to be followed by:
-   providers of TW4S systems;
-   Trust Service Providers (TSP) offering a signature creation service.

This document addresses biometric recognition systems that are used as part of an automated access control system to provide a second and independent authentication factor of the individual using the AACS to access secured areas of critical infrastructure.
This document:
-   specifies requirements for biometric recognition systems to be used as part of an AACS for critical infrastructure,
-   describes a methodology for the evaluation of biometric authentication for AACSs against the specified requirements.
The requirements and test methods address biometric authentication for AACS that: (i) operate in an internal environment constituting part of a larger site, access to which is restricted and controlled by a separate access control system; and (ii) use biometrics as a second authentication factor to a token or proximity card.
This document does not consider access by the general public, e.g. passengers in an airport, or visitors to a hospital.
Products that meet the requirements of this document will comprise (i) a biometric sensor(s) external to the secured area, which reads the biometric characteristics of the user at the point of access; and (ii) a biometric server system performing biometric enrolment, signal processing, storage of biometric references and biometric comparison within a secured area.
This document does not address AACS or AACS portals (turnstiles) but is only concerned with the biometric components which integrate with the AACS. Other standards address requirements and testing of the non-biometric parts of the AACS.

This document is an application profile for the International Standard ISO/IEC 30107. It provides requirements and recommendations for the implementation of Automated Border Control (ABC) systems in Europe with Presentation Attack Detection (PAD) capability.
This document covers the evaluation of countermeasures from the Biometrics perspective as well as privacy, data protection and usability aspects. Technical descriptions of countermeasures are out of scope. Enrolment, issuance and verification applications of electronic Machine Readable Travel Documents (eMRTD) other than border control are not in scope. In particular, presentation attacks at enrolment are out of scope.
The biometric reference data can be stored in an eMRTD and/or in a database of registered travellers.
This document covers:
- biometric impostor attacks and
- biometric concealer attacks in a watchlist scenario.
This document addresses PAD for facial and fingerprint biometrics only.

This part of EN 419221 specifies a Protection Profile for cryptographic modules suitable for use by trust service providers supporting electronic signature and electronic sealing operations, certificate issuance and revocation, time stamp operations, and authentication services, as identified by the (EU) No 910/2014 regulation of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (eIDAS) in [Regulation]. The Protection Profile also includes optional support for protected backup of keys.
The document follows the rules and conventions laid out in Common Criteria part 1 [CC1], Annex B "Specification of Protection Profiles".

This part of this series contains Identification, Authentication and Digital Signature (IAS) services in addition to the QSCD mechanisms already described in Part 1 to enable interoperability and usage for IAS services on a national or European level.
It also specifies additional mechanisms like key decipherment, Client Server authentication, identity management and privacy related services.

This part specifies mechanisms for SEs to be used as privacy-enabled devices in the context of IAS, and fulfil the requirements of Article 5 of the so-called eIDAS Regulation about data processing and protection.
It covers:
- Age verification
- Document validation
- Restricted identification
- eServices with trusted third party based on ERA protocol

This part specifies mechanisms for SEs to be used as qualified signature creation devices covering:
•   Signature creation and mobile signature creation
•   User verification
•   Password based authentication
The specified mechanisms are suitable for other purposes like services in the context of EU Regulation 910/2014 of the European Parliament and the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
The particular case of seal is also covered by the specification. The differences between seal and signature are exposed in Annex B. Annex B also explains how the mechanisms for SEs as qualified signature creation devices can be used for SEs as qualified seal creation devices.
Mobile signature is an alternative to the classical signature case which is performed by a secure element. Mobile signature is encouraged by the large widespread of mobile devices and the qualification authorized by the eIDAS Regulation. The particular case of remote signature (or server signing) is covered by this specification in Annex C.
In the rest of this document, except Annex B, there will be no particular notion of a seal since it technically compares to the signature.

This Technical Report aims to help citizens to understand the relevance of using electronic signature within their day-to-day lives. It also explains the legal and the technical backgrounds of electronic signatures.
This document gives guidance on the use of electronic signatures and addresses typical practical questions the citizen may have on how to proceed to electronically sign, where to find the suitable applications and material.

This Technical Report aims to be the entry point in relation to electronic signatures for any SME that is considering to dematerialize paper-based workflow(s) and seeks a sound legal and technical basis in order to integrate electronic signatures or electronic seals in this process. It is not intended to be a guide for SMEs active in the development of electronic signatures products and services - they should rather rely on the series ETSI EN 319 for building their offer - but it is a guide for SMEs CONSUMING e-Signature products and services.
This document builds on CEN/TR 419040, "Guidelines for citizens", explaining the concept and use of electronic signatures, to further help SMEs to understand the relevance of using e-Signatures within their business processes. It guides SMEs in discovering the level of electronic Signatures which is appropriate for their needs, extends the work to specific use-case scenarios, paying special attention to technologies and solutions, and addresses other typical concrete questions that SMEs need to answer before any making any decisions (such as the question of recognition of their e-Signature by third parties, within their sector, country or even internationally).
Once the decision is taken to deploy electronic signatures or electronic seals in support of their business, SMEs will then typically collaborate with their chosen providers of e electronic signatures or electronic seals products or services, which can be done on the basis of ETSI TR 119 100 "Guidance on the use of standards for signature creation and validation", that helps enterprises fulfil their business requirements. The present document presents the concepts and use of the standards relevant for SMEs developed under the Rationalised Framework to SMEs.

This part is an informative introduction into the following parts. It gives guidance to the following parts in order to allow an efficient usage of the provided information. Therefore Part 1 provides history, application context, market perspective and a tutorial about the basic understanding of electronic signatures.
-   Clause 3 provides "Terms and definitions" covering all parts of this standards. The specific parts will contain a similar section which refers to the clause of this Part 1.
-   Clause 4 provides "Symbols and abbreviations" covering all parts of this standards. The specific parts will contain a similar section which refers to the clause of this Part 1.
-   Clause 5 provides a Management Summary that describes the market context in which electronic signatures are typically
-   Annex A provides the algorithm identifies for all parts of the standard.
-   Annex B provides the algorithm identifies for all parts of the standard.
-   Annex C provides the build scheme for object identifiers for all parts of the standard.
-   Annex D "Tutorial on Signature Technology" provides a tutorial which helps the first reader to get familiar with signature technology and its relation to the society that it serves.
-   Annex E "Guide to the EN 419212" explains the historical and technical evolution of the ESIGN activities which did finally lead to this version of the signature standard.

This part specifies device authentication to be used for QSCDs in various context including
   Device authentication protocols
   Establishment of a secure channel Data structures
CV-certificates Key management
The device authentication protocols shall apply to sole-control signature mandated by the EU-regulation eIDAS.

The regulation on electronic identification and trusted eServices (eIDAS regulation) clearly extends the current Electronic Signature Directive from electronic signature towards electronic identification and electronic authentication. These two topics are closely linked to electronic signature and are considered in this context in this document. There are many documents, standards, industrial initiatives and European projects on identification and authentication, but the scope here is limited to electronic signature context, and wider to electronic transactions in the internal market.
The present Technical Report is twofold.
It firstly does a brief analysis of the implementing acts on electronic identities CIR 2015/1501 [29] and CIR 2015/1502 [30] and how this is addressed by the eID interoperability framework [31]. It secondly establishes what areas of existing standards are impacted by the eID framework and what further areas of standardization could assist nations in providing eID services.

The present Technical Report provides guidance on the selection of standards and options for the signature/seal creation and other related devices (area 2) as identified in the framework for standardization of signatures: overview ETSI/TR 119 000 [16].
The present Technical Report describes the Business Scoping Parameters relevant to this area (see Clause 5) and how the relevant standards and options for this area can be identified given the Business Scoping Parameters (Clause 6).
The target audience of this document includes:
-   business managers who potentially require support from electronic signatures/seals in their business and will find here an explanation of how electronic signatures/seals standards can be used to meet their business needs;
-   application architects who will find here material that will guide them throughout the process of designing a system that fully and properly satisfies all the business and legal/regulatory requirements specific to electronic signatures/seals, and will gain a better understanding on how to select the appropriate standards to be implemented and/or used;
-   developers of the systems who will find in this document an understanding of the reasons that lead the systems to be designed as they were, as well as a proper knowledge of the standards that exist in the field and that they need to know in detail for a proper development.

This Technical Specification is intended to provide a Full Body Image Format for pattern recognition services and applications requiring the exchange of full body image data. Its typical applications include:
a)   human examination of high resolution full body images;
b)   human verification of identity based on full body images;
c)   computer automated full body identification;
d)   computer automated full body verification.
To enable applications on a wide variety of devices, including devices that have limited data storage, and to improve image recognition accuracy, ISO/IEC 19794 standards are followed regarding not only data format, but also scene constraints (lighting, pose, expression, etc.), photographic properties (positioning, camera focus, etc.), and digital image attributes (image resolution, image size, etc.).
A specific biometric profile for cross-border interoperability is required for full body photographs. Full body photography standardization is required to get good quality database images for identification and verification using video surveillance and other similar system generated images. At the moment, border guards take full body photographs using local practices for enrolment, verification, identification and watch list identification.
ISO 22311:2012 [10] specifies a common output file format that can be extracted from the video-surveillance contents collection systems to perform necessary processing. ISO/IEC 30137 [8] specifies data formats for storing, recording and transmitting biometric information acquired via a video surveillance system. The EN 62676 series [11] defines video surveillance systems for use in security applications.
The purpose of this Technical Specification is to provide expert guidance (i.e. best practices) for the photography of full body, especially when the resulting images are to be used for purposes of identification and verification, either by automated recognition systems or by human viewers.

This Technical Specification provides an overview of the protection profiles specified in other parts of CEN/TS 419221.

This Technical Standard specifies a protection profile for cryptographic module for CSP key generation services.

This Technical Specification specifies a protection profile for cryptographic modules used by certification service providers (as specified in Directive 1999/93) for signing operations, with key backup. Target applications include root certification authorities (certification authorities who issue certificates to other CAs and who are at the top of a CA hierarchy) and other certification service providers where there is a high risk of direct physical attacks against the module.

This Technical Specification specifies a protection profile for cryptographic modules used by certification service providers (as specified in Directive 1999/93) for signing operations, without key backup. Target applications include root certification authorities (certification authorities which issue certificates to other CAs and is at the top of a CA hierarchy) and other certification service providers where there is a high risk of direct physical attacks against the module.

The purpose of this document is to specify the ISO/IEC 29197 testing methodology for European ABC systems. This specification will cover the following aspects:
-   environmental conditions which influence biometric modalities used for European ABC systems, i.e. temperature, humidity, illumination and noise;
-   different tests that can be defined regarding European ABC systems and the procedures for defining of the evaluation conditions to analyse per each test;
-   particular characteristics of European ABC systems in accordance to best practice recommendations and privacy and data protection regulations for this kind of systems in case of European deployments.
As a consequence, the proposed document will include the following aspects:
-   specific requirements for planning and executing environmental testing evaluations for European ABC systems based on ISO/IEC 29197 project and the best practices recommendations provided by CEN/TS 16634 Personal identification — Recommendations for using biometrics in European Automated Border Control document;
-   recommendations for the selection of the possible tests according to the specific system that is going to be evaluated;
-   specific requirements to establish and measure such evaluation conditions as well as to establish the baseline performance;
-   a specification of the biometric performance evaluation including requirements for test population, test protocols, data to record and test results consistent with operational deployments of European ABC systems.

This Technical Specification primarily focuses on biometric aspects of portable verification and identification systems for law enforcement and border control authorities. The recommendations given here will balance the needs of security, ease of access and data protection.
ISO/IEC has published a series of standards dealing with biometric data coding, interfaces, performance tests as well as compliance tests. It is essential for interoperability that all these standards are applied in European deployments. However, ISO/IEC standards do not consider national or regional characteristics; in particular, they do not consider European Union privacy and data protection regulation as well as accessibility and usability requirements.
This Technical Specification extends the ISO standards by emphasizing specific European needs (for example EU data Protection Directive 95/46/EC and European databases access). The Technical Specification systematically discusses issues to be considered when planning, deploying and using portable identity verification systems and gives recommendations for those types of systems that are or will be in use in Europe.
Communication, infrastructure scalability, and security aspects other than those related to biometrics are not considered. This document also does not consider hardware and security requirements of biometric equipment and does not recommend general identification procedures.

This European Standard specifies data formats, data elements and data elements with associated code lists for use within Surface Transport Applications on ICs. This European Standard defines those data elements and code lists related to transport and travel payment and the specific data elements needed for low memory capacity ICs.
The mechanism for how to establish the application context, including the decision of which encoding rules to use, is outside the scope of this European Standard.

This European Standard specifies data formats, data elements, data types and data elements with associated codelists for general use within surface transport applications (STAs) on ICs.
The mechanism for how to establish the application context, including the decision of which encoding rules to use, is outside the scope of this European Standard.

This European Standard specifies a protection profile for a secure signature creation device that may import signing keys and communicate with the signature creation application in protected manner: secure signature creation device with key import and trusted communication with signature creation application (SSCD KI TCSCA).

This European Standard:
-   specifies terms used in specifying protection profiles for secure signature creation devices,
-   specifies functional and operational requirements for secure signature creation devices,
-   describes the targets of evaluation for these protection profiles.

1.1   General
This Technical Specification establishes security requirements for TWSs that can be used by a TSP in order to issue QCs and Non-Qualified Certificates (NQCs) as well as electronic time-stamps in accordance with Dir.1999/93/EC and with [Reg.910/2014/EU].
Security requirements for the Subject Device Provision Service, which includes SCDev/QSCD provision to subjects, are defined in this TS. However, requirements specific to SCDev/QSCD devices, as used by subjects of the TSP, are outside the scope of this TS. These requirements are defined as Common Criteria [CC] Protection Profiles (PP) in the EN 419211 series.
Recommendations for the cryptographic algorithms to be supported by TWSs are provided in ETSI/TS 119 312.
Although this TS is based on the use of public key cryptography, it does not require or define any particular communication protocol or format for electronic signatures, certificates, certificate revocation lists, certificate status information and time-stamp tokens. It only assumes certain types of information to be present in the certificates in accordance with Annex I of Dir.1999/93/EC and of [Reg.910/2014/EU]. Interoperability between TSP systems and subject systems is outside the scope of this document.
The use of TWSs that are already compliant to relevant security requirements of this TS should support TSPs in reducing their burden to establish conformance of their policy to ETSI TS 119 411-1, 119 411-2, and 119 421 (or equivalent ENs to be subsequently published) and in meeting the Annex I and Annex II requirements of Dir.1999/93/EC as well as the requirements from Annex I and Article 24.2 (e) of [Reg.910/2014/EU].
1.2   European Regulation-specific
The main focus of this document is on the requirements in Article 24.2 (e) of [Reg.910/2014/EU] whilst still facilitating the meeting of requirements in Dir.1999/93/EC, Annex II (f). In considering [Reg.910/2014/EU] it is important to take into account the following requirements of particular relevance to TSP trustworthy systems:
a)   Article 24.2 (f) – “use trustworthy systems to store data provided to it, in a verifiable form so that:
(i)   they are publicly available for retrieval only where the consent of the person to whom the data relates has been obtained,
(ii)   only authorised persons can make entries and changes to the stored data,
(iii)   the data can be checked for authenticity”;
b)   Article 24.2 (g) – “take appropriate measures against forgery and theft of data”;
c)   Article 24.2 (h) – “record and keep accessible for an appropriate period of time, including after the activities of the qualified trust service provider have ceased, all relevant information concerning data issued and received by the qualified trust service provider, in particular, for the purpose of providing evidence in legal proceedings and for the purpose of ensuring continuity of the service. Such recording may be done electronically”;
d)   Article 24.2 (j) – “ensure lawful processing of personal data in accordance with Directive 95/46/EC”;
e)   Article 24.2 (k) – “in case of qualified trust service providers issuing qualified certificates, establish and keep updated a certificate database”;
f)   Article 24.3 – “If a qualified trust service provider issuing qualified certificates decides to revoke a certificate, it shall register such revocation in its certificate database and publish the revocation status of the certificate in a timely manner, and in any event within 24 hours after the receipt of the request. The revocation shall become effective immediately upon its publication”;
g)   Article 24.4 – "With regard to paragraph 3, qualified trust service providers issuing qualified certificates shall provide to any relying party information on the validity or revocation status of qualified certificates issued by them.

This European Standard specifies a protection profile for a secure signature creation device that may generate signing keys internally and communicate with the signature creation application in protected manner: secure signature creation device with key generation and trusted communication with signature creation application (SSCD KG TCSCA).

This European Standard specifies a protection profile for a secure signature creation device that may generate signing keys internally and export the public key in protected manner: secure signature creation device with key generation and trusted communication with certificate generation application (SSCD KG TCCGA).

This European Standard specifies a protection profile for a secure signature creation device with signing keys import possibility: SSCD with key import (SSCD KI).

This Technical Specification primarily focuses on biometric aspects of Automated Border Control (ABC) systems. Drawing on the first European and international ABC deployments, it aims to disseminate best practice experiences with a view to ensure consistent security levels in European ABC deployments. Furthermore, the best practice recommendations given here shall help make border control authorities' processes more efficient, speeding up border clearance, and delivering an improved experience to travellers.
ISO/IEC JTC1/SC 37 has published a series of standards dealing with biometric data coding, interfaces, performance tests as well as compliance tests. In order to promote global interoperability it is essential that all these standards are applied in European deployments. However, these standards do not consider national or regional characteristics; in particular, they do not consider European Union privacy and data protection regulation as well as European accessibility and usability requirements [22]. Thus, this Technical Specification amends the ISO standards with respect to special European conditions and constraints.
The Technical Specification systematically discusses issues to be considered when planning and deploying biometric systems for ABC and gives best practice recommendations for those types of systems that are or will be in use in Europe. The document deals with personal identification including ergonomic aspects that have an impact on the acquisition of biometric data.
Communication, infrastructure scalability and security aspects other than those related to biometrics are not considered. This document also does not consider hardware and security requirements of biometric equipment and does not recommend general border crossing procedures.
The enrolment process, e. g. for electronic passports, is out of scope of this document.

This Technical Specification provides an Interoperability Model, which will enable an eService compliant with technical requirements, to interoperate with different implementations of the European Citizen Card.
This Interoperability model will be developed as follows:
-   starting from the ECC Part 2, Part 3 of the ECC series provides additional technical specifications for a middleware architecture based on ISO/IEC 24727 (all parts); this middleware will provide an API to an eService as per ISO/IEC 24727 3.
-   a set of additional API provides the middleware stack with means to facilitate ECC services.
-   a standard mechanism for the validation of the e-ID credential is stored in the ECC and retrieved by the eService.
In order to support the ECC services over an ISO/IEC 24727 middelware configuration, this part of the standard specifies the following:
-   a set of mandatory requests to be supported by the middleware implementation based on ISO/IEC 24727 (all parts).
-   data set content for interoperability to be personalised in the ECC.
-   three middleware architecture solutions: one based on a stack of combined ISO/IEC 24727 configurations and the other based on Web Service configuration whereas the third one is relying on a SAL Lite component.
-   an Application DiscoveryProfile featuring the guidelines for card-applications to fit in ISO/IEC 24727 framework.

This European Standard specifies a protection profile for a secure signature creation device that may generate signing keys internally: secure signature creation device with key generation (SSCD KG).

This European Standard is a Protection Profile that defines the security requirements for an authentication device.

This European Standard is a Protection Profile that defines the security requirements for an authentication device.

This European Standard contains packages that define security requirements for an authentication device. This document is Part 3. Part 1 and Part 2 are Protections Profiles - PP - based on the packages defined in this document. Packages contained in this document can be added in a Security Target - ST- claiming PP of Part 1 or Part 2.

1.1   Scope of CEN/TS 15480-5:2013
The scope of this Technical Specification is to provide a general description of the standard together with an introduction to each part of the ECC standard.
Informative Annex A maps the relationship between the various parts of the ECC standard and other ISO/IEC standards relating to the card platform.
1.2   Scope of the ECC standard
The European Citizen Card (ECC) standard addresses the difficulties presented to citizens when attempting to access various public services using a smart card as an access token. The scope of the ECC standard covers card capabilities and structures specified under the following headings:
- Specific definition of minimum features (for example, card surface print structure).
- Definition of optional features that may be required to provide the desired electronic services.
- Specification of discovery mechanisms to allow supported and in-use card capabilities and features to be identified.
- Besides covering the hardware and software of the card, the ECC standard also addresses interfaces to readers and servers through middleware components.
This simple concept can enable ECC cards to adopt a widely different set of personas, even though a common application may be housed on cards used in different environments and in different ways. Generically, we can consider ECC cards as being classed as one of the following groups, even though the same application may be loaded (alongside others) in each environment. These groupings are:
- eID Verification token;
- Inter-European Union travel document;
- Provider of logical access to e-Government or local administration services or to private sector services by housing personal credentials.
In order to support the above, it is noted that there will be certain minimum requirements upon any card conforming to the ECC, specifically, the European Citizen Card will be at a minimum a smart card with Identification, Authentication and electronic Signature (IAS) service capabilities. The ECC may act as a bridge between different application requirements of an integrated circuit card and in so doing act to reduce the number of different European specifications and standards required.
The ECC will be issued under the responsibility of a European National Public Administration in order to provide a token supporting one of the above usage groupings by housing one or more relevant applications. In addition, there is nothing to stop the ECC being used to support private applications and environments which would therefore allow the ECC to be used in a shared public-private application scenario.
It is apparent that the ECC is intended to offer the card issuer/ service provider with a great deal of flexibility in the services that the ECC provides, the authentication mechanisms supported and the local national specific public policy with an special concern to protect the citizen privacy according to the applicable European legislation.

This Technical Specification specifies Electronic Citizen Card (ECC) requirements.
The requirements described in this Technical Specification are used to:
1)   define a plastic body card with associated physical and logical securities;
2)   specify the electrical interface and data transport protocols for the ECC;
3)   support the basic set of identification and authentication elements visible at the card surface;
4)   provide guidance for the specification of the ECC Durability.
In addition to the above requirements, Informative Annex A in this document recommends different Physical Layouts for the ECC for two scenarios:
-   when the ECC is issued to act as a travelling document;
-   when the ECC is not issued to act as a travelling document.

The main goal of this Technical Specification is to give guidelines to follow during the acquisition process of slap tenprints in order to obtain fingerprints with the best quality possible in acceptable time constraints.
NOTE   Non-cooperative users are out of the scope of this Technical Specification.
When using ten-fingerprint sensors, it is fundamental to know how to use them and how to proceed during the acquisition. This Technical Specification describes how to capture fingerprints correctly by specifying best practices for slap ten-print captures.
This Technical Specification gives guidance on the following topics:
1)   Recommendations on the hardware of the fingerprint sensor and its deployment,
2)   Recommendations on user guidance,
3)   Recommendations on the enrolment process including a sample workflow,
4)   Recommendations for developers and system integrators on application software,
5)   Recommendations on processing, compression and coding of the acquired fingerprint images,
6)   Recommendations on operational issues and data logging,
7)   Recommendations on the evaluation of a solution and its components.
Although this Technical Specification primarily focuses on reaching optimal data quality for enrolment purposes, the recommendations given here are applicable for other purposes. All processes which rely on good quality tenprint slaps can take advantage of the best practices reported here.

This Technical Specification specifies the logical characteristics and security features at the card/system interface for the European Citizen Card.
The European Citizen Card is a smart card with Identification, Authentication and electronic Signature (IAS) services. Therefore:
-   the supported services are specified;
-   the supported data structures as well as the access to these structures are specified;
-   the command set is defined.
This Technical Specification aims to ensure the interoperability at card/system interface in the usage phase.
In order to reach the interoperability objective, IAS services are compliant with EN 14890 Part 1 and Part 2. As the EN documents offer options, this specification fully defines a complete profile.
This Technical Specification also considers ICAO Doc 9303.
This Technical Specification does not mandate the use of a particular technology, and is intended to allow both native and Java card technologies.
This specification encompasses mandatory and optional features. Optional features make up a toolbox of modular options from which issuers can pick up the necessary protocols to fulfil the requirements for use. Mandatory features shall be implemented for a smart card to be compliant with this Technical Specification. Mandatory features required for compliancy to ECC specification are given in Annex C, the optional features are given in Annex D. Two IAS-enabled smart cards issued by two different issuers, and compliant with this Technical Specification but implementing different application profiles out of this Technical Specification, can interoperate with a terminal provided that such a terminal supports both application profiles. Therefore, interoperability requires a specific agreement between issuers/governments in order to determine which cross-border services are to be shared, and consequently, which protocols are to be supported by the terminals in each country.
All the APDU commands described in this Technical Specification are in accordance with ISO/IEC 7816 Part 4 or Part 8. They are fully described here in order to provide the settings adopted by this specification and to prevent any ambiguity in case of several possible interpretations of the standards.
For physical, electrical and transport protocol characteristics, refer to CEN/TS 15480-1.

CEN/TS 15480-4 recommends card issuance and operational procedures including citizens' registration.
CEN/TS 15480-4 gives recommendations with regard to the end-user e.g. with respect to privacy and accessibility aspects.
CEN/TS 15480-4 also identifies a set of standard ECC card profiles (e.g. National ID Card, Health Card, Card issued by a Municipality), that can be used as basis for the specification of new ECC projects.
For each profile, this Technical Specification uses a specified template which
-  selects a subset of technical requirements from CEN/TS 15480-1, FprCEN/TS 15480-2:2011 and CEN/TS 15480-3:2010.
-  considers the operation of the ECC in its particular environment.
The target audience of CEN/TS 15480-4 is the card issuer.