ANSI/INCITS 504-1
Information Technology - Generic Identity Command Set - Part 1: Card Application Command Set
Organization: ANSI
Publication Date: 24 April 2013
Status: active
Page Count: 118
Scope:
This part of the multi-part GICS standard defines a command set for base functionality addressing:
• Identity credential storage (Namespace standardization)
• Authentication protocols
• Biometric verification [1]
• Confidential protocols
• Digital signatures
In the context of the GICS, this part is based on ISO/IEC 24727-2 and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-73-3. Any additional commands are drawn from ISO/IEC 7816-4, -8, and -9.
The GICS standard defines a command set and a base functionality that make it possible to create, personalize, and use a compliant PIV and PIV-I card application according to NIST SP 800-73-3.
The standard defines a set of extensions to SP 800-73-3 so that card-application issuers have added flexibility in extending their data model while relying parties can still interoperably use cards from different issuers. These extensions are intended to favor adoption of the GICS standard at three levels: manufacturers will be able to minimize design and implementation costs; card issuers will manage a simple platform based on a successful and widely adopted schema; and middleware and operating system providers will be able to adapt to different identity applications that are based on a single GICS standard. The following set of extensions to SP 800-73-3 is addressed in this document:
• Data model extension - The GICS standard allows formulation of different data elements and objects. Various data types are defined allowing card applications to store data according to their needs. The data size, data identifiers, and data access control rules are flexible to meet client-application needs.
• Authentication protocols - The PIV application currently supports Personal Identification Number (PIN) authentication (card authenticating card holder), Internal Authentication (reader authenticating card), External Authentication (card authenticating issuer), Signing, and Encryption. This standard adds Mutual Authentication, Key Agreement, and Secure Messaging protocols.
• GICS and ISO/IEC 24727 - The GICS standard allows interoperation with middleware compliant with ISO/IEC 24727. At a minimum, the discoverability mechanism (bootstrap) based on the Card Capability Description (CCD) and/or Application Capability Description (ACD), as defined in ISO/IEC 24727, is supported by this standard.
• FIPS 140-2 certification - The GICS standard is designed so that card applications built on it minimize the impact on FIPS 140-2 certification.
[1] Note that this document does not completely specify biometric verification; it only includes tags for biometric data for future use.