You are here: Resources > FIDIS Deliverables > HighTechID > D3.6: Study on ID Documents > 

D3.6: Study on ID Documents

Biometrics  Title:
 Databases for Biometric Reference Data


Back-Office Systems

In addition to the infrastructure that is obvious for the user such as the ID document, reader technology, software to use the ID document or biometric sensors in many cases a remote infrastructure is used. This infrastructure provides reference data of different type depending on the technical method that is used and / or allows for logging of transaction data or the use of ID documents in general. These remote infrastructures are also called back-office systems. In this chapter we are introducing back-office systems that are highly relevant for ID documents. 



Public key infrastructure (PKI) in general has been introduced in the FIDIS Deliverable 3.2 (Gasson, Meints, Warwick 2005). In this documents we will focus on current developments to reach interoperability on a technical level in Europe with respect to ID document, as this was not covered in the FIDIS Deliverable 3.2.  

Especially relevant for ID documents are differences that can be observed among European countries in the way the PKI is operated. While the registration and certification for example in Austria and Belgium is done by the public administration (supported by enterprises), registration and certification is done by private enterprises for example in Germany and Sweden. In addition to the differences there is no European Root-CA. As a result electronic signatures today are on a technical level not interoperable in Europe.  

Currently we observe two approaches to address the technical aspects of interoperability of authentication procedures including the use of electronic signatures: The GUIDE project and bridge-CAs.

GUIDE uses a federated network identity management approach (Guide 2005). General scenarios taken into account in the GUIDE project are principals logging onto a pan-European Governmental Service (PEGS) in a foreign country. In these cases the PEGS has no possibility to authenticate the foreign user (principal). To do this an Identity Provider (IP) in the home country of the principal is needed. This IP provides in general two basic services: 


  • Authentication Service (AS) and 

  • Attribute Provider Service (APS) 


In cases where principal, PEGS and IP use standardised interfaces such as the GUIDE Interface communication would be quite simple as shown in the following figure:


Figure : International authentication and athorisation using GUIDE interfaces and services


Such an interface is not introduced so far; existing interfaces normally support national IPs only. In addition different communicational standards such as Liberty, SAML, Shibboleth and WS-* are supported and different document formats are used.  

To overcome this situation GUIDE proposes the introduction of Gateways equipped with the GUIDE Software Agent (GSA). This agent transforms data formats and standards used by PEGS and IPs (in this example a remote procedure call (RPC) able web service application programming interface (WS API)) into an intermediary GUIDE profile as shown in the following figure:


Figure : Gateways transforming nationally used data formats and standards for authentication


An alternate concept compared to the GUIDE-approach is the use of a so-called bridge-CA. Mainly driven by German and Austrian Certificate Authorities (CAs) the European Bridge CA (EB-CA) offers interoperability of PKI and electronic signatures to her members (private and public organisations) in Europe, the US and Asia.



Biometrics  fidis-wp3-del3.6.study_on_id_documents_03.sxw  Databases for Biometric Reference Data
Denis Royer 11 / 56