Strid om ansiktsgjenkjenning

AnsiktsbiometriForanVi har hatt våre nye pass med chip og ansiktsbiometri siden oktober 2005 da Norge var et av de første landene i verden som utstedte biometriske pass. I 2011 ble disse passene utvidet med fingerbiometri.

Det er ICAO (International Civil Aviation Organisation) som godkjenner de endelige spesifikasjonene som skal brukes i ePass for å sikre interoperabilitet mellom landene. Spesifikasjonene utarbeides av ISO/IEC SC17 og SC37.

Arbeidet i Norge understøttes av den norske speilkomiteen SN/K 188 Person-ID under Standard Norge, men får ikke økonomisk støtte på tross av at sikkerhet er høyt på den politiske dagsorden. Bedrifter og enkeltpersoner kan være medlem i speilkomiteen og påvirke de internasjonale standardene som blir utarbeidet.

Problemet med ansiktsbiometri i gjeldende spesifikasjonen fra ICAO baseres (2005-versjonen av ISO/IEC 19794-5) som ikke er nøyaktig nok på hvordan slike bilder skal tas og spesifikasjonen støtter bare 2D og et færre antall punkter i ansiktet. Mange karakteristikker fra ansikt skal spesifiseres i forhold til hverandre med farger/gråtoner og disse data skal struktureres i henhold til en Logical Data Structure, slik at sikkerhetsinformasjon og annen biometri kan legges til. Den nye 2011-versjonen av ansiktsbiometri understøtter mange flere ansiktspunkter og fargenyanser i både 2D og 3D-format.

SC37 ba i et korigendum allerede i 2011 om komiteen SC17 kunne innarbeide de nyeste versjoner av standardene (del 1 til 10 av ISO/IEC 19794). SC17 er den rådgivende komite for ICAO og gjennomfører en omfattende sikringsarbeid for implementasjon av rettelser og nye elementer i de nye passene. SC17 vil ta dette opp i sitt neste møte i SIngapore for implementasjon i ICAO Doc 9303 som er den gjeldende standard for maskinlesbare reisedokumenter det være seg pass, visa, oppholdskort og borgerkort.

Asbjørn Hovstø, “acting” komiteleder

Collaborative Cyber Situational Awareness Transition

enisaThe requirement for CCSA continues to grow and there is an expectation that this community of interest will form an organisation capable of growing and establishing CCSA, as a major contribution to international cyber security and resilience.

As a result of the MNE7 Cyber Transition Workshops held in Feb and May, this current one-off meeting is being held to complete the transition and establish an organisational structure to take over leadership for the development and implementation of CCSA, particularly the CCSA Information Sharing Framework (ISF).

A new organisation is to be created to meet the requirements, progress quickly and  adapt to meet new requirements.  This organisation is provisionally called the Multinational Alliance for Collaborative Cyber Situational Awareness (MACCSA).

PKI Policy, Practices and Audit

howmanyMotivation for study

  • Current Public Key Infrastructure (PKI) Standards do not adequately consider Levels of’ Assurance'(“one size fits none”);
  • There are PKI “Oligopolies’of’Trust”’ that limit cooperation between governing bodies, thereby impeding global interoperability;
  • While there are many domain-specific PKI Authorities in place, there is need for more consistent security and auditing standards, policies and procedures that drive these entities;
  • ISO 21188:2006 “Public key infrastructure for financial services – Practices and  policy framework”, apart from its domain-specific focus, no longer represents current best practices;
  • Security breaches in the Certification Authority (CA)/Browser space have occurred, causing ‘government agencies to recommend tighter network standards;
  • There is wide variation among PKI governance bodies on the nature, purpose, timing and methodologies of a PKI Audit;
  • Overarching PKI guidance is required to create greater consistency in governance practices and greater interoperability between domain-specific authorities.

The following represents a starter set of questions/topics that are proposed to be addressed by the Study Period.
PKI StandardsGovernance

  • Do we need an ISO Certification Schema to help drive domain-specific needs?
  • How would one define a LoA for a PKI?
  • What standards unite disparate certificate types such as identity and SSL cert PKI systems?
  • How can ISO emerge as a global leader in this space?
  • How will PKI be affected by greater global focus and investment in cyber security?”

PKI Audit

  • What constitutes an auditable requirement/practice statement?
  • Should all audits be consistent? Are there different types of PKI that need different kinds of’audit? Can they be characterized down to a few types?
  • How does one change auditing culture (i.e., auditor as advocate for improvement vs. auditor as policeman)? Is it wise in all cases?
  • What should be done about audit findings and by whom?
  • How can ISO establish itself as a widely recognized global reference source for PKI audit?
  • What should be the experience, qualifications for a Lead Auditor and Staff Audito in PKI?’

See experience from:

  1. TC68/SC2
  2. ITUHT’Q11/17 Erik Anderson
  3. ETSI Standards and EU Standardisation of Trust Service Providers –Nick Pope (ETSI)
  4. JTC’1/SC6
  5. JTC’1/SC27
  6. ISACA (E-commerce and Public Key Infrastructure (PKI) Audit /Assurance Programme


  • US Study Period Presentation based on the proposal SC27N12297
  • ITU-T ‘Q11/17 Presentation-Planned PKI activities for ITU-T ‘Study Period 201342016
  • ETSI Standards and EU Activities
  • Special Report SR 001 604; Rationalised Framework for Electronic Signature


  • EN 319 401: General Policy Requirements for Trust Service Providers supporting Electronic  Signatures
  • EN 319 411-2: Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates
  • EN 319 411-3: Part 3: Policy Requirement for Certification Authorities issuing public key certificates
  • Guidance for Auditors and CSPs on ETSI TS 102 042 for Issuing Publicly Trusted TLS/SSL


  • Trust Service Provider Conformity Assessment General requirements and guidance
  • JTC1 SC6 (ANS1/OID/Directories)
  • ISACA – E-commerce and Public Key Infrastructur'(PKI) Audit/Assurance Programme

Make comments to this article in order to receive more info

Country report Japan


New Technologies Working Group (NTWG) 

February 19-21, 2013



Last year, about 3.92 million ordinary Japanese e-Passports were issued. This is a 0.9 % decrease compared with that in 2011. On the other hand, the number of Japanese nationals travelled abroad in 2012 was 18.43million, which is an 8.5 % increase from the previous year level.

Japan issues both 10-year e-Passports and 5-year e-Passports. Among passports issued last year, 60% of them are 10-year ones and 40% are 5-year ones.

A little more than 30 million Japanese valid passports are in circulation as of the end of 2012, and about 90 percent of them were e-Passport.

New Technologies

Japan has been continuously preparing for issuing new version of e-Passports, and will start issuing them from this autumn. Basically the design of the booklet will not be changed, although several security features will be replaced or improved. The new e-Passports will also be supported by Active Authentication.

Security Issues / Developments

The number of lost or stolen Japanese passports in 2012 amounts to approximately 42,000, and it is reported that about 80% of them were occuered in Japan.

Among fraudulent cases detected in Japan, illicit acquisitions of e-Passports by imposters were the most in number. In order to prevent from the illicit acquisition all, 700 passport offices in Japan the hold special campaign for strengthening their screening twice a year. The number of detected cases decreased; from 86 in 2010, to 43 in 2011, to 26 last year.

After the Great East Japan Earthquake in 2011, Japan enacted a special law to enable those who lost their passports by the disaster including tsunami. It enables the victims to obtain alternative special passports free of charge if they apply for the new passports by submitting disaster-victim certificates.

This legislation is aimed to encourage the victims who had the passports to submit lost or stolen reports to invalidate their passports as soon as possible if they had lost them. More than 1800 alternative special passports have been issued until the end of December 2012. Recently the number of application is very small, and we will close this project at the end of this March, as the law is temporary legislation.

Best practice in national identification management

_47802671_009246370-1ICAO’s interest in travel security has, in the past, largely concentrated on the security of the travel document itself. However, ICAO’s interest is wider with a goal to ensuring that a consistent level of security and integrity applies to all components of the ‘travel continuum’: the application and supporting documents, the interview (where required), and the the adjudicative decision-making processes. The provision of a highly secure blank travel document allows the approval decision to be followed by secure personalization and issuance, with interoperability at international borders.
“TOWARDS BETTER PRACTICE IN NATIONAL IDENTIFICATION MANAGEMENT”, Technical Report (TR) release 3, 20 Nov 2012 highlights the need for consistent effort across all processes. However, it suggests that in the decision processes, particularly the establishment of confidence in a person’s identity, is an area that can easily fall behind in the strength of its security when compared with that of the document itself.

Current ICAO guidance does not set standards for how confidence in a person’s identity should be established, as the best way of achieving this will vary from country to country, depending on local laws, customs, and the uses to which ‘foundation’ documents are put. Rather it sets out a framework of outcomes which should be achieved in order to be confident in a person’s identity prior to issuing a travel document.

Biometrics Labo Annual Workshop 22 Feb 2012

turbineWe take this opportunity to invite you to the Norwegian  (NBLAW) 2013. The workshop will take place on Friday 22nd February 2013 at Gjøvik University College (GUC), Norway.

This event is facing all who are interested in technologies, policies, applications, and wider acceptability of biometrics. The event in 2013 focuses on the topic “off-the-shelf technologies“ to realize user-centered biometrics with a better acceptability, higher efficiency, and lower deployment cost.


– European Association of Biometrics (

– Research Council of Norway ( via VERDIKT

Agenda (10.00 – 15.15):

– Welcome

(Nils Kalstad Svendsen -Section leader NISlab – GUC)

– Introduction and vision of the Norwegian Biometrics Laboratory

(Christoph Busch – Head of NBL – GUC)

– The theme of the workshop 2013 and topics in brief

(Bian Yang – GUC)

– Biometrics in a networked world

(Kevin C. Mangold – NIST – USA)

– Challenges and opportunities of cloud biometrics

(Ho Chang – BioID – Germany)

– Human dynamics for identification – research in Machine Vision

(Guoying Zhao – Univ. of Oulu – Finland)

– Preliminary analysis and vision of fingerprints collection

using smartphone cameras

(Bian Yang – GUC)

– Face recognition using light field camera

(Raghavendra Ramachandra – GUC)

– Usage of face biometrics in airports –

passenger timing, watch-listing and more

(Bendik Mjaaland – Accenture)

– On the fly head shape parameter estimation for

Automatic Border Control applications

(Catherine Herold – Morpho – France)

– Panel discussion: Key factors for deployment of Mobile and

User-Centered Biometrics

The event will take place in room K102 on campus of the Gjøvik University College. More details on NBLAW 2013 including talks / speakers and logistic information can be found via:

The registration (

as well as the attendance is free of any charge.

Best regards,

Bian Yang and Christoph Busch

(Norwegian Biometrics Laboratory)


Prof. Dr. Christoph Busch

Norwegian Information Security Laboratory (NISlab) Gjøvik University College Teknologiveien 22

2815 Gjøvik, Norway

Phone: +47-611-35-194



Identity proofing and verification processes

ImageBest practices and guidance on required processes for initial establishment and subsequent confirmation of an entity’s identity for parties are  expected to use ITU-T X.1254, ISO/IEC IS 29115 or other similar standards. The material is used to establish and/or confirm identity and thus should give greater confidence in an entity’s identity prior to delivery of a service to that entity, by or for that entity.
In scope:
• The development of identity proofing and verification (IPV) processes to be used as a national body standard in support of enrolment of entities. Definitions are provided for IPV principles, risk assessment, and controls sufficient to meet the requirements of ISO identity management standards for entities, notably ITU-T X.1254 l ISO/IEC IS 29115. These controls shall take account of threats, counter-fraud requirements and best practice guidance described by national policy specifications from government organisations.
• Entities that require to be authenticated in accordance with ISO standards, for which they need to be enroled: o Persons, particularly citizens, consumers, government employees and industry employees.
o Devices or Security Modules, particularly (but not limited to) for computer and telecommunication use cases, including e.g. Trusted Platform Module (TPM), Mobile Trusted Module (MTM) and similar approved standards
o Software applications.
o Organisations. For the purposes of trust, all persons, devices and software have a relationship with one or more organisations for reasons of ownership, issuance and management. Each organisation must be trustworthy to the same Level of Assurance as any credentials being issued or asserted, or higher.
A resulting International Standard that is sufficient for:
o Nations and industry to have confidence in using them
o Nations and industry to have confidence in the results of each others’ national IPV systems and the credentials
o Certification bodies to develop assessment and audit criteria against which certified auditors can successfully conduct Trusted Third Party (TTP) audit and assurance of IPV service providers.

Existing and emerging ISO standards for identity management focus primarily on the policy and technical standards for the operation of identity management and access management systems. They describe the use of credentials and make reference to processes for the issuance of identity credentials. These issuance processes are dependent upon entity Identity Proofing and Verification (IPV) processes for which no reference standards exist. An ISO standard for IPV is required to which other identity management standards can refer, based on the four Levels of Assurance described in ISO/IEC 29115.