Transcript of slide deck: CMS Interfaces - ActivIdentity (Secure Technology Alliance)

Page 1:

CMS Interfaces - ActivIdentity

Dom Fedronic - CTO Office - v1.0 - 04-15-06

Page 2:

DHS PIV System Architecture

(Architecture diagram; the text below lists what can be recovered from its labels.)

Systems and components: Physical Access Control System (PACS) behind a PACS Interface; Enrollment Workstation; Card Issuance Workstation; Meta Directory; Identity Management System (IDMS) with an Open Interface / API; Certificate Authority; CA Repository Active Directory; DHS HQ Active Directory; Card Management System (CMS) exposing a Life Cycle Mgmt API, a Notification API and a Badging API; Hot List Subsystem; Revocation Browser; PIV Card; PIV Enclave covering Logical Access and Physical Access; PIV Pre-Enroll.

Flow and data labels: Issuance Request, Notifications, Issuance, Revocation, HR, Security, Clearance, User, Provisioning, Authorization; PIV & Network Admin via Browser. Every link between systems is drawn as HTTPS.

Roles: Applicant, Sponsor, Registrar, Issuance Op.

Page 3:

Interfaces of the CMS

Interface with the IDMS: Card Issuance Request; Card Status Notification

Interface with Credential Providers: CAs; Digital signatories

Interface with the Card Production Facilities (Service Bureaus)

Based on an extension/update of PIR 4.2

Page 4:

PIV general architecture

(Flow diagram; the numbered messages and the components between which they pass, as far as the labels allow. Synchronous and asynchronous exchanges are distinguished on the diagram.)

Actors: Applicant, Sponsor, Registrar, Issuer. Systems: Enrollment Station (Registration Front-End; Obtain ID Proofing Package), Vetting System, IDMS, CMS, CA / Digital signatory, Card Production System, Issuance Station (Activation & Help Desk Front-end: Verify Bio, Obtain PKI, Set PIN, Unlock), PIV Card (Applets), Access Control System, Backend Services.

1. PIV Request

2. Registration Request

3. NACI Request (to the Vetting System)

4. NACI Result

5. PIV Card Issuance request (IDMS to CMS)

6. BIO, CHUID Signature Request (CMS to CA / Digital signatory)

7. Batch Production Request (CMS to Card Production System; improvement of the CAC Pre-Issuance Requirements)

8. Production Notification (Card Production System to CMS)

9. Fulfillment (produced card delivered for issuance)

10. ID Status or Verification Request (optional) to IDMS, OCSP, ..

11. PIV Card Activation Request (at the Issuance Station)

12. PKI Certificate Request (to the CA)

13. PIV Issuance Notification (CMS to IDMS)

14. Access Request (PIV Card to Access Control System / Backend Services)

Life cycles shown: ID Proofing Life Cycle, PIV Card Content Life Cycle, PIV Card Production Cycle.

Page 5:

Interfaces with the IDMS

The Card Issuance Request: XML; implemented at DHS with the LMCO IDMS; supports PIV; extensible; secure (XML-DSIG, XML-ENC, W3C); transaction oriented; transport ensured by the Card Life Cycle Mgt API (card/credential management API).

The Card Status Notification: leverages CIR transaction data; returns issuance status; plugins; implemented at DHS.

Published 2005 (Life Cycle Management, Badging).

Page 6:

Interfaces with Credential Providers

SPI

Full abstract credential life cycle management

Supports CAs

Supports digital signatory services

Supports biometric subsystems (identification and verification).

Page 7:

Interfaces with Card Production Facilities

Requirements:

Open

XML based

Extensible

Covers the requirements for PIV card production

Secured (proof of origin and integrity, and confidentiality)

Should leverage an existing standard in a backward-compatible manner: should be backward compatible with PIR.

Page 8:

Batch production exchange between the ActivIdentity CMS and a partner production facility (OCS)

(Diagram; recovered labels.)

Parties: ActivIdentity AI CMS with a Batch Production Gateway; partner OCS production facility with a Card Production System and a Batch Mgmt System (Internal Format); other CMSes using the same SBOD/SBDD exchange with the facility.

Data exchange: synchronous or asynchronous; signed, encrypted XML.

1. Card Issuance Request (into the CMS)

2. Batch Production Request (SBOD): card profile ID, issuer info, CIN, IIN, signed PIV Data Model objects (incl. CBEFF face), surface printing layout ID and data (incl. JPEG face)

6. Production Notification (SBDD): CIN, key config ID, card product ID, physical description ID, logical description ID, requirements ID

Page 9:

Leverage Pre-Issuance Requirements specifications

PIR fulfills need for interoperable format between Issuers and Shared Production Service Providers

Each production facility can support simultaneously multiple issuers (service provider model).

Each Issuer can support simultaneously multiple production facilities (Current PIR 4.2 / DoD CAC production model)

New Issuers can be supported with limited impact on the production system

New Production facilities can be supported with limited impact on the Issuer

Needs: personalization data in the SBOD; alignment with the FIPS 201 data model

Page 10:

PIR, a Proven Data Interchange Specification

PIR has been used to produce several millions of CACs:

Multiple manufacturing sites

1000s of issuance sites

Multiple card types

Multiple card profiles (CACv1, CACv2)

Centralized issuance or face-to-face

Now version 4.2

Production contract between Card Issuer and Card Production Facility.

Self Contained.

Batch Oriented.

Defines two XML message formats for transmission of data specific to a batch.

Page 11:

Standard – Secure - Open

Standard: XML schema, xml-dsig, xml-enc (W3C); backward-compatible with the Pre-Issuance Requirements; designed to support the 800-73 data model encoding and the FIPS 201 layout.

Security: proof of origin, confidentiality and integrity, to transport sensitive data in various contexts, possibly offline and asynchronous.

Open: 800-73 data model extensions; new applications.
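The signed, encrypted XML exchange described on this slide, and earlier for the Card Issuance Request (page 5), as an added example that is not code from the deck, from ActivIdentity or from the PIR specification. It stands in for the W3C structures with Go standard-library primitives: an RSA-PSS signature over the serialized SBOD plays the role of the XML-DSIG element, and an AES-256-GCM envelope whose content key is wrapped with RSA-OAEP to the production facility's public key plays the role of XML-ENC (no canonicalization, no KeyInfo). The element and field names, the BatchID attribute and the sample values are assumptions.

```go
package main

import (
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/xml"
	"fmt"
)

// BatchProductionRequest is a simplified SBOD carrying fields the slides name;
// the XML element names are assumptions made for this example.
type BatchProductionRequest struct {
	BatchID       string `xml:"BatchID,attr"`
	CardProfileID string `xml:"CardProfileID"`
	Cards         []Card `xml:"Card"`
}

type Card struct {
	CIN         string `xml:"CIN"`
	SignedCHUID string `xml:"SignedCHUID"` // base64 of the signed PIV data model object
}

// Envelope stands in for XML-ENC: a fresh AES-256 key encrypts (signature || SBOD)
// and is wrapped with RSA-OAEP to the facility's public key. The RSA-PSS
// signature stands in for XML-DSIG; canonicalization and KeyInfo are omitted.
type Envelope struct {
	BatchID      string `xml:"BatchID,attr"` // clear-text routing id, bound as GCM associated data
	EncryptedKey string `xml:"EncryptedKey"` // base64(RSA-OAEP(content key))
	Nonce        string `xml:"Nonce"`        // base64(96-bit GCM nonce)
	CipherData   string `xml:"CipherData"`   // base64(AES-256-GCM(signature || SBOD XML))
}

// NewKeyPair generates a 2048-bit RSA key for the issuer or the facility.
func NewKeyPair() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// Seal is the issuer (CMS) side: sign first, then encrypt, so the signature
// travels inside the ciphertext and the facility can verify both offline.
func Seal(req BatchProductionRequest, issuer *rsa.PrivateKey, facility *rsa.PublicKey) ([]byte, error) {
	payload, _ := xml.Marshal(req) // plain struct of strings: cannot fail
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, issuer, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	keyAndNonce := make([]byte, 32+12) // fresh content key and nonce per message
	if _, err := rand.Read(keyAndNonce); err != nil {
		return nil, err
	}
	cek, nonce := keyAndNonce[:32], keyAndNonce[32:]
	block, _ := aes.NewCipher(cek) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	ct := gcm.Seal(nil, nonce, append(sig, payload...), []byte(req.BatchID))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, facility, cek, nil)
	if err != nil {
		return nil, err
	}
	b64 := base64.StdEncoding.EncodeToString
	return xml.Marshal(Envelope{BatchID: req.BatchID, EncryptedKey: b64(wrapped), Nonce: b64(nonce), CipherData: b64(ct)})
}

// Open is the facility side: unwrap the key, decrypt (GCM rejects any change to
// the ciphertext or to BatchID), verify the issuer's signature, then parse.
func Open(env []byte, facility *rsa.PrivateKey, issuer *rsa.PublicKey) (*BatchProductionRequest, error) {
	var e Envelope
	if err := xml.Unmarshal(env, &e); err != nil {
		return nil, fmt.Errorf("malformed envelope: %w", err)
	}
	wrapped, err1 := base64.StdEncoding.DecodeString(e.EncryptedKey)
	nonce, err2 := base64.StdEncoding.DecodeString(e.Nonce)
	ct, err3 := base64.StdEncoding.DecodeString(e.CipherData)
	if err1 != nil || err2 != nil || err3 != nil || len(nonce) != 12 {
		return nil, fmt.Errorf("malformed envelope fields")
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), nil, facility, wrapped, nil)
	if err != nil || len(cek) != 32 {
		return nil, fmt.Errorf("content key unwrap failed: not encrypted to this facility")
	}
	block, _ := aes.NewCipher(cek)
	gcm, _ := cipher.NewGCM(block)
	plain, err := gcm.Open(nil, nonce, ct, []byte(e.BatchID))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: ciphertext or BatchID altered")
	}
	sigLen := issuer.Size() // an RSA-PSS signature is exactly modulus-size bytes
	if len(plain) < sigLen {
		return nil, fmt.Errorf("plaintext too short to carry a signature")
	}
	sig, payload := plain[:sigLen], plain[sigLen:]
	digest := sha256.Sum256(payload)
	if err := rsa.VerifyPSS(issuer, crypto.SHA256, digest[:], sig, nil); err != nil {
		return nil, fmt.Errorf("proof of origin failed: not signed by the expected issuer")
	}
	var req BatchProductionRequest
	if err := xml.Unmarshal(payload, &req); err != nil {
		return nil, fmt.Errorf("malformed SBOD: %w", err)
	}
	return &req, nil
}

func main() {
	issuer, facility := NewKeyPair(), NewKeyPair()
	req := BatchProductionRequest{BatchID: "B-1", CardProfileID: "PIV", Cards: []Card{{CIN: "CIN-0001", SignedCHUID: "AAECAw=="}}}
	env, _ := Seal(req, issuer, &facility.PublicKey)
	got, err := Open(env, facility, &issuer.PublicKey)
	fmt.Println(err, got != nil && got.Cards[0].CIN == "CIN-0001")
}
```

Signing before encrypting keeps the issuer's identity and the signature inside the ciphertext, which is what lets the message sit in an asynchronous queue or be carried offline without exposing who ordered which cards; binding the clear-text BatchID as associated data means a relabelled envelope fails decryption rather than being routed to the wrong batch.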

Page 12:

SBOD/SBDD: Service Bureau Order Descriptor / Delivery Descriptor

Purpose: complete card production protocol

Encompasses all card production directives in a single message

Support bulk card production of personalized PIV cards (SBOD)

Provides product configuration, personalization data, delivery site and contact to production facility or Service Bureau.

Support notification of card production for further activation and post-issuance (SBDD)

Returns status and identifiers of produced card/credentials
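What the CMS should do with an SBDD once it arrives (the Production Notification that feeds activation, steps 8 to 11 of the flow on page 4), as an added example that is not code from the deck or from ActivIdentity. The per-card identifiers are the ones the slide lists; the element names, the FacilityID attribute, the Status values "produced" and "failed", and the sample order and message are assumptions constructed for this example.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"sort"
)

// ProductionNotification is a simplified SBDD (Service Bureau Delivery
// Descriptor). The per-card identifiers are the ones the slide lists; the
// element names, the FacilityID attribute and the Status values are
// assumptions made for this example.
type ProductionNotification struct {
	BatchID    string         `xml:"BatchID,attr"`
	FacilityID string         `xml:"FacilityID,attr"`
	Cards      []ProducedCard `xml:"Card"`
}

type ProducedCard struct {
	CIN                   string `xml:"CIN"`
	CardProductID         string `xml:"CardProductID"`
	KeyConfigID           string `xml:"KeyConfigID"`
	PhysicalDescriptionID string `xml:"PhysicalDescriptionID"`
	LogicalDescriptionID  string `xml:"LogicalDescriptionID"`
	Status                string `xml:"Status"` // "produced" or "failed" (assumed values)
}

// Order is the CMS-side record of an SBOD it already sent: which facility it
// went to and, per CIN, whether a production report has been accepted.
type Order struct {
	BatchID    string
	FacilityID string
	Reported   map[string]bool
}

// Reconciliation separates CINs the CMS may move on to activation (step 11
// of the flow) from those it must reject or chase.
type Reconciliation struct {
	Activatable []string // ordered, produced, reported for the first time
	Failed      []string // ordered, but the facility reports a failure
	Unknown     []string // never ordered in this batch: reject, create no card record
	Duplicate   []string // already reported, or repeated inside this message
	Missing     []string // ordered, but absent from this notification
}

// Reconcile parses an SBDD and checks it against the outstanding order. The
// message is assumed to have passed signature verification already; the order
// is updated only after the whole message has been checked.
func Reconcile(order *Order, sbdd []byte) (Reconciliation, error) {
	var rec Reconciliation
	var n ProductionNotification
	if err := xml.Unmarshal(sbdd, &n); err != nil {
		return rec, fmt.Errorf("malformed SBDD: %w", err)
	}
	if n.BatchID != order.BatchID {
		return rec, errors.New("SBDD batch id does not match an outstanding order")
	}
	if n.FacilityID != order.FacilityID {
		return rec, errors.New("SBDD facility id is not the facility the order went to")
	}
	seen := map[string]bool{}
	for _, c := range n.Cards {
		reported, ordered := order.Reported[c.CIN]
		switch {
		case seen[c.CIN] || reported:
			rec.Duplicate = append(rec.Duplicate, c.CIN)
		case !ordered:
			rec.Unknown = append(rec.Unknown, c.CIN)
		case c.Status == "produced":
			rec.Activatable = append(rec.Activatable, c.CIN)
		default:
			rec.Failed = append(rec.Failed, c.CIN)
		}
		seen[c.CIN] = true
	}
	for cin, reported := range order.Reported {
		if !reported && !seen[cin] {
			rec.Missing = append(rec.Missing, cin)
		}
	}
	sort.Strings(rec.Missing) // map iteration order is random
	for _, done := range [][]string{rec.Activatable, rec.Failed} {
		for _, cin := range done {
			order.Reported[cin] = true // commit: a second report of this CIN is a duplicate
		}
	}
	return rec, nil
}

// SampleOrder and SampleSBDD are constructed inputs for this example.
func SampleOrder() *Order {
	return &Order{BatchID: "B-2006-0415-01", FacilityID: "SB-1",
		Reported: map[string]bool{"CIN-0001": false, "CIN-0002": false, "CIN-0003": true, "CIN-0004": false}}
}

const SampleSBDD = `<ProductionNotification BatchID="B-2006-0415-01" FacilityID="SB-1">
  <Card><CIN>CIN-0001</CIN><CardProductID>PIV-A</CardProductID><KeyConfigID>K1</KeyConfigID>
    <PhysicalDescriptionID>P1</PhysicalDescriptionID><LogicalDescriptionID>L1</LogicalDescriptionID>
    <Status>produced</Status></Card>
  <Card><CIN>CIN-0002</CIN><CardProductID>PIV-A</CardProductID><Status>failed</Status></Card>
  <Card><CIN>CIN-0003</CIN><CardProductID>PIV-A</CardProductID><Status>produced</Status></Card>
  <Card><CIN>CIN-0099</CIN><CardProductID>PIV-A</CardProductID><Status>produced</Status></Card>
</ProductionNotification>`

func main() {
	order := SampleOrder()
	rec, err := Reconcile(order, []byte(SampleSBDD))
	fmt.Printf("%+v %v\n", rec, err)
}
```

The point of the batch and facility checks is that a notification can only change state for cards the CMS itself ordered from that facility: a CIN the CMS never ordered must not become an activatable card record, and a CIN reported twice (a replayed SBDD, or a double report) must not reopen activation.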

Page 13:

Call for Action

Already started to engage with the PIR editing community.

Already engaged with Global Platform

Engage with Security Industry Association

Early draft.

Page 14:

For Additional Information

Contact:

Dom Fedronic, CTO

[email protected]