Dispute over face recognition

We have had our new passports with a chip and face biometrics since October 2005, when Norway was one of the first countries in the world to issue biometric passports. In 2011 these passports were extended with fingerprint biometrics.

It is ICAO (International Civil Aviation Organisation) that approves the final specifications to be used in ePassports in order to ensure interoperability between countries. The specifications are drawn up by ISO/IEC SC17 and SC37.

The work in Norway is supported by the Norwegian mirror committee SN/K 188 Person-ID under Standard Norge, but it receives no financial support even though security is high on the political agenda. Companies and individuals can be members of the mirror committee and influence the international standards that are being drawn up.

The problem with face biometrics is that the current specification from ICAO is based on the 2005 version of ISO/IEC 19794-5, which is not precise enough about how such images are to be taken, and the specification supports only 2D and a smaller number of points in the face. Many facial characteristics are to be specified relative to one another with colours/grey tones, and these data are to be structured according to a Logical Data Structure so that security information and other biometrics can be added. The new 2011 version of face biometrics supports many more facial points and colour shades in both 2D and 3D format.

In a corrigendum as early as 2011, SC37 asked whether committee SC17 could incorporate the latest versions of the standards (parts 1 to 10 of ISO/IEC 19794). SC17 is the advisory committee for ICAO and carries out extensive assurance work for the implementation of corrections and new elements in the new passports. SC17 will take this up at its next meeting in Singapore for implementation in ICAO Doc 9303, which is the current standard for machine-readable travel documents, whether passports, visas, residence cards or citizen cards.

Asbjørn Hovstø, “acting” committee chair

Collaborative Cyber Situational Awareness Transition

The requirement for CCSA continues to grow and there is an expectation that this community of interest will form an organisation capable of growing and establishing CCSA, as a major contribution to international cyber security and resilience.

As a result of the MNE7 Cyber Transition Workshops held in Feb and May, this current one-off meeting is being held to complete the transition and establish an organisational structure to take over leadership for the development and implementation of CCSA, particularly the CCSA Information Sharing Framework (ISF).

A new organisation is to be created to meet the requirements, progress quickly and adapt to meet new requirements. This organisation is provisionally called the Multinational Alliance for Collaborative Cyber Situational Awareness (MACCSA).

PKI Policy, Practices and Audit

Motivation for study

  • Current Public Key Infrastructure (PKI) Standards do not adequately consider Levels of Assurance (“one size fits none”);
  • There are PKI “Oligopolies of Trust” that limit cooperation between governing bodies, thereby impeding global interoperability;
  • While there are many domain-specific PKI Authorities in place, there is need for more consistent security and auditing standards, policies and procedures that drive these entities;
  • ISO 21188:2006 “Public key infrastructure for financial services – Practices and policy framework”, apart from its domain-specific focus, no longer represents current best practices;
  • Security breaches in the Certification Authority (CA)/Browser space have occurred, causing government agencies to recommend tighter network standards;
  • There is wide variation among PKI governance bodies on the nature, purpose, timing and methodologies of a PKI Audit;
  • Overarching PKI guidance is required to create greater consistency in governance practices and greater interoperability between domain-specific authorities.

The following represents a starter set of questions/topics that are proposed to be addressed by the Study Period.

PKI Standards Governance

  • Do we need an ISO Certification Schema to help drive domain-specific needs?
  • How would one define a LoA for a PKI?
  • What standards unite disparate certificate types such as identity and SSL cert PKI systems?
  • How can ISO emerge as a global leader in this space?
  • How will PKI be affected by greater global focus and investment in cyber security?

PKI Audit

  • What constitutes an auditable requirement/practice statement?
  • Should all audits be consistent? Are there different types of PKI that need different kinds of audit? Can they be characterized down to a few types?
  • How does one change auditing culture (i.e., auditor as advocate for improvement vs. auditor as policeman)? Is it wise in all cases?
  • What should be done about audit findings and by whom?
  • How can ISO establish itself as a widely recognized global reference source for PKI audit?
  • What should be the experience and qualifications for a Lead Auditor and Staff Auditor in PKI?

See experience from:

  1. TC68/SC2
  2. ITU-T Q11/17 Erik Anderson
  3. ETSI Standards and EU Standardisation of Trust Service Providers – Nick Pope (ETSI)
  4. JTC 1/SC6
  5. JTC 1/SC27
  6. ISACA (E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Programme)


  • US Study Period Presentation based on the proposal SC27N12297
  • ITU-T Q11/17 Presentation – Planned PKI activities for ITU-T Study Period 2013-2016
  • ETSI Standards and EU Activities
  • Special Report SR 001 604; Rationalised Framework for Electronic Signature


  • EN 319 401: General Policy Requirements for Trust Service Providers supporting Electronic Signatures
  • EN 319 411-2: Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates
  • EN 319 411-3: Part 3: Policy Requirement for Certification Authorities issuing public key certificates
  • Guidance for Auditors and CSPs on ETSI TS 102 042 for Issuing Publicly Trusted TLS/SSL


  • Trust Service Provider Conformity Assessment General requirements and guidance
  • JTC1 SC6 (ASN.1/OID/Directories)
  • ISACA – E-commerce and Public Key Infrastructure (PKI) Audit/Assurance Programme

Make comments to this article in order to receive more info

Country report Japan


New Technologies Working Group (NTWG) 

February 19-21, 2013



Last year, about 3.92 million ordinary Japanese e-Passports were issued. This is a 0.9 % decrease compared with 2011. On the other hand, the number of Japanese nationals who travelled abroad in 2012 was 18.43 million, which is an 8.5 % increase from the previous year's level.

Japan issues both 10-year e-Passports and 5-year e-Passports. Among passports issued last year, 60% were 10-year ones and 40% were 5-year ones.

A little more than 30 million valid Japanese passports were in circulation as of the end of 2012, and about 90 percent of them were e-Passports.

New Technologies

Japan has been continuously preparing to issue a new version of e-Passports, and will start issuing them from this autumn. Basically the design of the booklet will not be changed, although several security features will be replaced or improved. The new e-Passports will also support Active Authentication.

Security Issues / Developments

The number of lost or stolen Japanese passports in 2012 amounted to approximately 42,000, and it is reported that about 80% of these losses and thefts occurred in Japan.

Among fraudulent cases detected in Japan, illicit acquisitions of e-Passports by imposters were the most numerous. In order to prevent illicit acquisition, all 700 passport offices in Japan hold a special campaign to strengthen their screening twice a year. The number of detected cases decreased: from 86 in 2010, to 43 in 2011, to 26 last year.

After the Great East Japan Earthquake in 2011, Japan enacted a special law for those who lost their passports in the disaster, including the tsunami. It enables the victims to obtain alternative special passports free of charge if they apply for the new passports by submitting disaster-victim certificates.

This legislation is aimed at encouraging victims who held passports to submit lost or stolen reports so that their passports are invalidated as soon as possible if they had lost them. More than 1800 alternative special passports had been issued by the end of December 2012. Recently the number of applications has been very small, and we will close this project at the end of this March, as the law is temporary legislation.

Best practice in national identification management

ICAO’s interest in travel security has, in the past, largely concentrated on the security of the travel document itself. However, ICAO’s interest is wider, with a goal of ensuring that a consistent level of security and integrity applies to all components of the ‘travel continuum’: the application and supporting documents, the interview (where required), and the adjudicative decision-making processes. The provision of a highly secure blank travel document allows the approval decision to be followed by secure personalization and issuance, with interoperability at international borders.
“TOWARDS BETTER PRACTICE IN NATIONAL IDENTIFICATION MANAGEMENT”, Technical Report (TR) release 3, 20 Nov 2012, highlights the need for consistent effort across all processes. However, it suggests that the decision processes, particularly the establishment of confidence in a person’s identity, are an area that can easily fall behind in the strength of its security when compared with that of the document itself.

Current ICAO guidance does not set standards for how confidence in a person’s identity should be established, as the best way of achieving this will vary from country to country, depending on local laws, customs, and the uses to which ‘foundation’ documents are put. Rather it sets out a framework of outcomes which should be achieved in order to be confident in a person’s identity prior to issuing a travel document.

Biometrics Labo Annual Workshop 22 Feb 2012

We take this opportunity to invite you to the Norwegian (NBLAW) 2013. The workshop will take place on Friday 22nd February 2013 at Gjøvik University College (GUC), Norway.

This event is facing all who are interested in technologies, policies, applications, and wider acceptability of biometrics. The event in 2013 focuses on the topic “off-the-shelf technologies“ to realize user-centered biometrics with a better acceptability, higher efficiency, and lower deployment cost.


– European Association of Biometrics (

– Research Council of Norway ( via VERDIKT

Agenda (10.00 – 15.15):

– Welcome

(Nils Kalstad Svendsen -Section leader NISlab – GUC)

– Introduction and vision of the Norwegian Biometrics Laboratory

(Christoph Busch – Head of NBL – GUC)

– The theme of the workshop 2013 and topics in brief

(Bian Yang – GUC)

– Biometrics in a networked world

(Kevin C. Mangold – NIST – USA)

– Challenges and opportunities of cloud biometrics

(Ho Chang – BioID – Germany)

– Human dynamics for identification – research in Machine Vision

(Guoying Zhao – Univ. of Oulu – Finland)

– Preliminary analysis and vision of fingerprints collection using smartphone cameras

(Bian Yang – GUC)

– Face recognition using light field camera

(Raghavendra Ramachandra – GUC)

– Usage of face biometrics in airports – passenger timing, watch-listing and more

(Bendik Mjaaland – Accenture)

– On the fly head shape parameter estimation for Automatic Border Control applications

(Catherine Herold – Morpho – France)

– Panel discussion: Key factors for deployment of Mobile and User-Centered Biometrics

The event will take place in room K102 on campus of the Gjøvik University College. More details on NBLAW 2013 including talks / speakers and logistic information can be found via:

The registration (

as well as the attendance is free of any charge.

Best regards,

Bian Yang and Christoph Busch

(Norwegian Biometrics Laboratory)


Prof. Dr. Christoph Busch

Norwegian Information Security Laboratory (NISlab) Gjøvik University College Teknologiveien 22

2815 Gjøvik, Norway

Phone: +47-611-35-194



Identity proofing and verification processes

Best practices and guidance on required processes for initial establishment and subsequent confirmation of an entity’s identity, for parties that are expected to use ITU-T X.1254, ISO/IEC IS 29115 or other similar standards. The material is used to establish and/or confirm identity and thus should give greater confidence in an entity’s identity prior to delivery of a service to that entity, by or for that entity.
In scope:

  • The development of identity proofing and verification (IPV) processes to be used as a national body standard in support of enrolment of entities. Definitions are provided for IPV principles, risk assessment, and controls sufficient to meet the requirements of ISO identity management standards for entities, notably ITU-T X.1254 | ISO/IEC IS 29115. These controls shall take account of threats, counter-fraud requirements and best practice guidance described by national policy specifications from government organisations.
  • Entities that require to be authenticated in accordance with ISO standards, for which they need to be enrolled:
      o Persons, particularly citizens, consumers, government employees and industry employees.
      o Devices or Security Modules, particularly (but not limited to) for computer and telecommunication use cases, including e.g. Trusted Platform Module (TPM), Mobile Trusted Module (MTM) and similar approved standards.
      o Software applications.
      o Organisations. For the purposes of trust, all persons, devices and software have a relationship with one or more organisations for reasons of ownership, issuance and management. Each organisation must be trustworthy to the same Level of Assurance as any credentials being issued or asserted, or higher.
  • A resulting International Standard that is sufficient for:
      o Nations and industry to have confidence in using them.
      o Nations and industry to have confidence in the results of each other's national IPV systems and the credentials.
      o Certification bodies to develop assessment and audit criteria against which certified auditors can successfully conduct Trusted Third Party (TTP) audit and assurance of IPV service providers.

Existing and emerging ISO standards for identity management focus primarily on the policy and technical standards for the operation of identity management and access management systems. They describe the use of credentials and make reference to processes for the issuance of identity credentials. These issuance processes are dependent upon entity Identity Proofing and Verification (IPV) processes for which no reference standards exist. An ISO standard for IPV is required to which other identity management standards can refer, based on the four Levels of Assurance described in ISO/IEC 29115.

ETSI security

ETSI is pleased to invite you to the 8th ETSI Security Workshop
taking place on 16-17 January 2013
in ETSI’s Headquarters, in Sophia Antipolis (France)

The Annual ETSI Security Workshop has built a reputation of being a premier event on Security. It brings together the latest from those developing International Standards and security experts to discuss recent developments, share knowledge, identify gaps and co-ordinate on future actions and work areas.

The workshop aims at creating stimulating discussions arising from interesting contributions from those working within the following areas:

  • International standardization
  • CEN/CENELEC Standardization
  • Machine to Machine and Smart Grid Security
  • Mobile and network security
  • Intelligent Transport System Security
  • Privacy and Cloud
  • Security Testing

The event is free of charge and open to all upon registration.

The full programme together with registration are available from the event site.

ETSI is looking forward to welcoming you to this event!

The ETSI Event team



Security 2013 call for proposals


by Magnar Aukrust

  • Call identifier: FP7-SEC-2013-1
  • Date of publication: 10/July/2012[1]
  • Deadline: 22/November/2012 at 17.00.00, Brussels local time[2]
  • Indicative budget: EUR 298.73 million[3]

| Activity / Area | Topics called | Funding Schemes | Notes |
|---|---|---|---|
| Activity: 10.1 Security of citizens | | | |
| Area: 10.1.1 Organised crime | Topic SEC-2013.1.1-1 Serious organised economic crime | CP-IP | |
| | Topic SEC-2013.1.1-2 “Stronger Identity for EU citizens” | CP-FP | Coordinate proposal (NO) with (SL) and (TR) |
| Area: 10.1.2 Intelligence against terrorism | none | none | |
| Area: 10.1.3 Explosives | Topic SEC-2013.1.3-1 Inhibiting the use of explosives precursors | CP-FP | |
| Area: 10.1.4 Ordinary crime and forensics | Topic SEC-2013.1.4-1 Smart and protective clothing for law enforcement and first responders | CP-FP | |
| | Topic SEC-2013.1.4-2 Development of a Common European Framework for the application of new technologies in the collection and use of evidence | CSA | |
| Area: 10.1.5 CBRN protection | Topic SEC-2013.1.5-1 European toolbox, focusing on procedures, practices and guidelines for CBRN forensic aspects | CP-FP | |
| Area: 10.1.6 Information gathering | Topic SEC-2013.1.6-1 Framework and tools for (semi-) automated exploitation of massive amounts of digital data for forensic purposes | CP-IP | |
| | Topic SEC-2013.1.6-2 Novel technologies and management solutions for protection of crowds | CP-IP | Might interest smartphone sensor tech. and elaborate from ICT Call 9 on Crowd |
| | Topic SEC-2013-1.6-3 Surveillance of wide zones: from detection to alert | CP-IP | |
| | Topic SEC-2013-1.6-4 Information Exploitation | CP-IP | |
| Activity: 10.2 Security of infrastructures and utilities | | | |
| Area: 10.2.1 Design, planning of buildings and urban areas | Topic SEC-2013.2.1-1 Evidence based and integral security concepts for government asset protection | CP-FP | |
| | Topic SEC-2013.2.1-2 Impact of extreme weather on critical infrastructure | CP-FP | |
| Area: 10.2.2 Energy, transport, communication grids | Topic SEC-2013.2.2-1 A research agenda for security issues on land transport | Coordination and Support Action (Coordinating Action) | ITS/Ertico proposal |
| | Topic SEC-2013.2.2-2 Toolbox for pandemics or highly dangerous pathogens in transport hubs – Capability Project | CP-FP | |
| | Topic SEC-2013.2.2-3 Protection of smart energy grids against cyber attacks | CP-FP | GUC Protergy proposal updates |
| | Topic SEC-2013.2.2-4 Cost effectiveness of security measures applied to renewable/distributed energy production and distribution | CP-FP | |
| | Topic SEC-2013.2.2-5 Security of ground based infrastructure and assets operating space systems | CP-FP | |
| Area: 10.2.3 Surveillance | none | none | |
| Area: 10.2.4 Supply chain | Topic SEC-2013.2.4-1 Phase II demonstration programme on logistics and supply chain security | CP-IP | |
| | Topic SEC-2013.2.4-2 Non-military protection measures for merchant shipping against piracy | CP-FP or Coordination and Support Action | |
| Area: 10.2.5 Cyber crime | Topic SEC-2013.2.5-1 Developing a Cyber crime and cyber terrorism research agenda | CSA | |
| | Topic SEC-2013.2.5-2 Understanding the economic impacts of Cyber crime in non-ICT sectors across jurisdictions | CP-FP | |
| | Topic SEC-2013.2.5-3 Cross border Real-time detection and management of cyber incidents/attacks/espionage on critical infrastructures in sectors other than the ICT sector and government networks (i.e. energy, transport, finance, health, etc) | CP-IP | |
| | Topic SEC-2013.2.5-4 Protection systems for utility networks | CP-FP | |
| Activity: 10.3 Intelligent surveillance and border security | | | |
| Area: 10.3.1 Sea borders | none | none | |
| Area: 10.3.2 Land borders | Topic SEC-2013.3.2-1 Pre-Operational Validation (POV) on land borders | CP-CSA | ITS/Ertico proposal |
| | Topic SEC-2013.3.2-2 Sensor technology for under foliage detection | CP-IP | |
| | Topic SEC-2013.3.2-3 Mobile equipment at the land border crossing points | CP-FP | |
| Area: 10.3.3 Air borders | none | none | |
| Area: 10.3.4 Border checks | Topic SEC-2013.3.4-1 Border checkpoints – hidden human detection | CP-FP | |
| | Topic SEC-2013.3.4-2 Extended border security – passport breeder document security | CSA | GUC proposal based on BCP of the Future (Sule) |
| | Topic SEC-2013.3.4-3 Security checks versus risk at borders | CP-FP | |
| Area: 10.3.5 Intelligent border surveillance | none | none | |
| Activity: 10.4 Restoring security and safety in case of crisis | | | |
| Area: 10.4.1 Preparedness, prevention, mitigation and planning | Topic SEC-2013.4.1-1 Phase II demonstration programme on aftermath crisis management | CP-IP | |
| | Topic SEC-2013.4.1-2 Better understanding of the cascading effect in crisis situations in order to improve future response and preparedness and contribute to lower damages and other unfortunate consequences | CP-FP | |
| | Topic SEC-2013.4.1-3 Development of simulation models and tools for optimising the pre-deployment and deployment of resources and the supply chain in external emergency situations | CP-FP | |
| | Topic SEC-2013.4.1-4 Development of decision support tools for improving preparedness and response of Health Services involved in emergency situations | CP-FP | KITH Jakob Hygen Bjarte Aksnes |
| | Topic SEC-2013.4.1-5 Preparing societies to cope with large scale and/or cross border crisis and disasters | CSA | |
| | Topic SEC-2013.4.1-6 Preparedness for and management of large scale forest fires | CP-IP | |
| Area: 10.4.2 Response | Topic SEC-2013.4.2-1 Fast rescue of disaster surviving victims: Simulation of and situation awareness during structural collapses including detection of survivors and survival spaces | CP-IP | |
| Area: 10.4.3 Recovery | Topic SEC-2013.4.3-1 Shaping immediate relief action in line with the goals of development co-operation in post crisis / post conflict societies to maintain stability | CP-FP | |
| Area: 10.4.4 CBRN response | Topic SEC-2012.4.4-1 Tools for detection, traceability, triage and individual monitoring of victims after a mass CBRN contamination | CP-IP | |
| Activity: 10.5 Security systems integration, interconnectivity and interoperability | | | |
| Area: 10.5.1 Information management | Topic SEC-2013.5.1-1 Analysis and identification of security systems and data set used by first responders and police authorities | CP-FP | |
| | Topic SEC-2013.5.1-2 Audio and voice analysis, speaker identification for security applications | CP-IP | |
| Area: 10.5.2 Secure communications | none | none | |
| Area: 10.5.3 Interoperability | Topic SEC-2013.5.3-1 Definition of interoperability specifications for information and meta-data exchange amongst sensors and control systems | CP-FP | |
| | Topic SEC-2013.5.3-2 Testing the interoperability of maritime surveillance systems | CP-CSA | Portahead partner |
| Area: 10.5.4 Standardisation | Topic SEC-2013.5.4-1 Evaluation and certification schemes for security products | CP-FP | |
| Activity: 10.6 Security and society | | | |
| Area: 10.6.1 Citizens, media and security | Topic SEC-2013.6.1-1 The impact of social media in emergencies | CP-FP | |
| | Topic SEC-2013.6.1-2 Varying forms of terrorism | CP-FP | |
| | Topic SEC-2013.6.1-3 Trafficking in Human Beings: analysis of criminal networks for more effective counter-trafficking | CSA | |
| Area: 10.6.2 Organisational requirements for interoperability of public users | Topic SEC-2013.6.2-1 Facilitators for assistance among EU Member States in emergencies at home and abroad | CP-FP or Coordination and Support Action | |
| Area: 10.6.3 Foresight, scenarios and security as evolving concept | Topic SEC-2013.6.3-1 Horizon scanning and foresight for security research and innovation | CSA | SecurityValley and GUC may partner Austrian Institute of Technology proposal |
| | Topic SEC-2013.6.3-2 The evolving concept of security | CSA | |
| Area: 10.6.4 Security economics | none | none | |
| Area: 10.6.5 Ethics and justice | Topic SEC-2013.6.5-1 Synthesis of results and reviewing of ethics, legal and justice activities in Security research in FP7 | CSA | |
| Activity: 10.7 Security Research coordination and structuring | | | |
| Area: 10.7.1 ERA-net | none | none | |
| Area: 10.7.2 Small and Medium Enterprises | Topic SEC-2013.7.2-1 Open topic for Small and Medium Enterprises: “Solutions for frequent petty crimes that are of high impact to local communities and citizens” | CP-FP | NorSIS may partner SMEs |
| Area: 10.7.3 Studies | Topic SEC-2013.7.3-1 Increasing the engagement of civil society in security research | Coordination and Support Action (Supporting Action) | |
| Area: 10.7.4 Other coordination | Topic SEC-2013.7.4-1 Trans-national cooperation among public security research stakeholders | Coordination and Support Action (Coordinating Action) | |
| Area: 10.7.5 End-users | none | none | |
| Area: 10.7.6 Training | Topic SEC-2013.7.6-1 Open topic for Small and Medium Enterprises: “Use of serious gaming in order to improve intelligence analysis by law enforcement agents” | CP-FP | GUC may partner SMEs (Action: Simon McCallum) |

First Biometrics Games ever

Olympic Games 27 July – 12 August 2012 & Paralympic Games 29 August – 9 September 2012

This will be the first Biometric Olympic Games. Normally, citizens of countries that require a visa to enter the UK provide their biometrics overseas as part of their visa application. However the Accreditation Card for the Olympic and Paralympic Games will act as a visa waiver for Games Family Members (GFM). The GFM may apply for a special Olympic visa, provide their biometrics voluntarily overseas or provide their biometrics at the border in a process which is both simple and swift to use for both GFM and Border Force Officer. We have started to capture biometrics from a few visa national GFMs and we expect numbers to rise significantly in the next few weeks and we have developed a process to deal with actionable adverse matches.