STANDARDS
Standardisation in R&I projects like IMPULSE offers big opportunities. In a first step an overview of the standardisation landscape connected with the projects topic is given. This is intended to raise awareness on what is already on the market and to support the tool developments. Here, we provide the standards, which are the most relevant ones for the IMPULSE project.
We categorised the following standards into FORMAL and INFORMAL STANDARDS:
Formal standards are developed in the framework of international, European or national standardisation organisations like ISO (International Organisation for Standardisation), CEN (European Committee for Standardisation) or DIN (German Institute for Standardisation).
Informal standards, or sometimes called consortia standards, are usually developed in a closed body of experts where not all interested stakeholders are involved, such as W3C.
FORMAL STANDARDS
DIN SPEC 4997
Privacy by Blockchain Design: A standardised model for processing personal data using blockchain technology
“This DIN SPEC establishes general principles for and methods of handling personal data in BC/DLT systems. It specifies technical and organizational measures for data protection while taking into account the principles of privacy by design as well as specifications that are inspired by legal frameworks, such as the GDPR…”
Relevance in the IMPULSE context: This specification provides a standardised model for processing personal data using blockchain technology, which is a must-read standard in order to design a new decentralised eID model compliant with the current standards.
UNE 71307-1
Digital Enabling Technologies – Decentralized Identities Management Model on Blockchain and other Distributed Ledger Technologies. Part 1: Reference Framework
“This standard defines a reference framework for the management of decentralized identities oriented to people, physical and legal, which includes the description of an approach based on life cycles and the relationship of the main actors that participate in them, as well as the interrelationships among them.”
Relevance in the IMPULSE context: The purpose of the IMPULSE project is not to design a new identity model, but to use an existing one. The UNE 71307-1 standard directly tackles the management of digital identities in a decentralised manner. Therefore, this standard is used in IMPULSE to follow the best practices for decentralised identity management.
CEN/TS 16921
Personal identification – Borders and law enforcement application profiles for mobile biometric identification systems
“This Technical Specification primarily focuses on biometric aspects of portable verification and identification systems for law enforcement and border control authorities. The recommendations given here will balance the needs of security, ease of access and data protection….”
Relevance in the IMPULSE context: This specification is focused on the personal identification using mobile biometric identification systems. It is probably the most relevant standard for facial recognition and document verification services. These services are used within the IMPULSE project to identify citizens who request an enrolment process that leads to the issuance of a credential that proves the citizen’s identity.
ETSI TS 119 182-1
Electronic Signatures and Infrastructures (ESI); JAdES digital signatures; Part 1: Building blocks and JAdES baseline signatures
“The present document is intended to cover digital signatures supported by PKI and public key certificates, and aims to meet the general requirements of the international community to provide trust and confidence in electronic transactions, including, amongst other, applicable requirements from Regulation (EU) No 910/2014 [i.1].”
Relevance in the IMPULSE context: This document specifies a JSON format for AdES signatures (JAdES signatures) built on JSON Web Signatures (JWS) as specified in IETF RFC 7515. It is used in Impulse to build a profile for the Verificable Credential signature.
ISO/IEC 20889
Privacy enhancing data de-identification terminology and classification of techniques
“This document provides a description of privacy-enhancing data de-identification techniques, to be used to describe and design de-identification measures in accordance with the privacy principles in ISO/IEC 29100.”
Relevance in the IMPULSE context: This is a fundamental standard for IMPULSE due to its relevance to the technical specifications of the project. In fact, the standard deals with Cryptographic and other security mechanisms, including but not limited to mechanisms for protecting the accountability, availability, integrity and confidentiality of information and Security aspects of identity management, biometrics and privacy.
ISO/IEC 27001
Information technology – Security techniques – Information security management systems – Requirements
“ISO/IEC 27001:2013 specifies the requirements for establishing, implementing, maintaining and continually improving an information security management system within the context of the organization. It also includes requirements for the assessment and treatment of information security risks tailored to the needs of the organization…”
Relevance in the IMPULSE context: This standard is already implemented in most of the companies working on the technical side of the IMPULSE project. It provides security requirements to be considered for Information security management in IMPULSE.
ISO/IEC 30107 series
Information technology — Biometric presentation attack detection
“The purpose of ISO/IEC 30107-1 is to provide a foundation for PAD through defining terms and establishing a framework through which presentation attack events can be specified and detected so that they can be categorized, detailed and communicated for subsequent decision making and performance assessment activities.”
“ISO/IEC 30107-2:2017 defines data formats for conveying the mechanism used in biometric presentation attack detection and for conveying the results of presentation attack detection methods. The attacks considered in the ISO/IEC 30107 series take place at the sensor during the presentation and collection of the biometric characteristics. Any other attacks are outside the scope of this document”
“ISO/IEC 30107-3:2017 establishes:
– principles and methods for performance assessment of presentation attack detection mechanisms;
– reporting of testing results from evaluations of presentation attack detection mechanisms;
– a classification of known attack types (in an informative annex).”
Part 4: Profile for testing of mobile devices
“This document is a profile that provides requirements for testing biometric presentation attack detection (PAD) mechanisms on mobile devices with local biometric recognition.”
Relevance in the IMPULSE context: These standards provide information on how to evaluate the security regarding biometrics. In the IMPULSE project the metrics described in this document are used.
ETSI GR SAI 001
Securing Artificial Intelligence (SAI) – AI Threat Ontology
“The document defines what an Artificial Intelligence (AI) threat is and defines how it can be distinguished from any non-AI threat. The model of an AI threat is presented in the form of an ontology to give a view of the relationships between actors representing threats, threat agents, assets and so forth. The ontology described in the present document applies to AI both as a threat agent and as an attack target.”
Relevance in the IMPULSE context: This standard is used to discover security vulnerabilities and attacks to IMPULSE AI systems based on threat modelling. In this context and as an example, a forgery simulator (AI threat/attack agent) has been developed in order to train/test the ID document verification module (system design). Specific metrics are obtained to assess the model and provide feedback.
ETSI GR SAI 002
Securing Artificial Intelligence (SAI) – Data Supply Chain Security
“The document summarises the methods currently used to source data for training AI, along with a review of existing initiatives for developing data sharing protocols. It then provides a gap analysis on these methods and initiatives to scope possible requirements for standards for ensuring integrity and confidentiality of the shared data, information, and feedback.”
Relevance in the IMPULSE context: In the context of ID documents’ verification module, there is a need to collect photos of ID documents (provided by volunteers from different countries) in order to train an AI-based forgery detection model. In this sense, TREE provided a multi-language form to obtain labelled dataset (photos of front/back sides of ID cards and the biodata page of passports). During this process, TREE team followed this standard’s recommendations in terms of data sources, data curation, training/testing and deployment of the forgery detection solution. Mechanisms to preserve integrity through cybersecurity hygiene and supply chain security has been followed. It is important to note, that a legal framework has been deployed during data collection/processing (privacy notice to participants) and in total respect of GDPR regulations.
INFORMAL STANDARDS
Decentralized Identifiers (DIDs) v1.0
Information technology – Security techniques – Information security management systems – Requirements
“Decentralized identifiers (DIDs) are a new type of identifier for verifiable, “self-sovereign” digital identity. DIDs are fully under the control of the DID subject, independent from any centralized registry, identity provider, or certificate authority. DIDs resolve to DID Documents — simple documents that describe how to use that specific DID. This document specifies the algorithms and guidelines for resolving DIDs and dereferencing DID URLs.”
Relevance in the IMPULSE context: This informal standard could become the first new identifier the W3C would approve since the URL. This document specifies the algorithms and guidelines for resolving DIDs and dereferencing DID URLs. It is the basis of the technology stacks on which Impulse will implement its services.
Verifiable Credentials Data Model v1.1
“Credentials are a part of our daily lives; driver’s licenses are used to assert that we are capable of operating a motor vehicle, university degrees can be used to assert our level of education, and government-issued passports enable us to travel between countries. This specification provides a mechanism to express these sorts of credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable.”
Relevance in the IMPULSE context: This informal standard provides a mechanism to express the credentials used on the decentralised eID management approach in a way that is cryptographically secure, privacy respecting, and machine-verifiable. In IMPULSE project this is essential for the user identification.
Verifiable Credentials JSON Schema Specification
“The [VC_DATA_MODEL] specifies the models used for Verifiable Credentials and Verifiable Presentations, and explains the relationships between three parties: issuer, holder, and verifier. A critical piece of infrastructure out of the scope of those specifications is the Credential Schema. This specification provides a mechanism to express a Credential Schema and the protocols for evolving the schema.”
Relevance in the IMPULSE context: The Identity Verifiable Credentials used in IMPULSE will need to be compliant with this specification.
JSON-LD 1.1
“JSON is a useful data serialization and messaging format. This specification defines JSON-LD 1.1, a JSON-based format to serialize Linked Data. The syntax is designed to easily integrate into deployed systems that already use JSON, and provides a smooth upgrade path from JSON to JSON-LD…”
Relevance in the IMPULSE context: This informal standard is used within IMPULSE for the REST APIs.
OpenId Specifications for Verifiable Credential Issuance
“This specification defines an Application Programming Interface (API) designated as Credential Endpoint that is used to issue verifiable credentials and corresponding OAuth 2.0 based authorisation mechanisms that the Wallet uses to obtain authorisation to receive verifiable credentials.”
Relevance in the IMPULSE context: This informal standard is used by ESSIF to provide guidelines for the process of issuing Verifiable Credentials. In the IMPULSE project we follow these guidelines for the issuance of EBSI Verifiable Authorisations and EBSI Verifiable Identities.
OpenId Specifications for Verifiable Presentations
“This specification defines a mechanism on top of OAuth 2.0 [RFC6749] for presentation of claims via verifiable credentials, supporting W3C formats as well as other credential formats. This allows existing OpenID Connect RPs to extend their reach towards claim sources asserting claims in this format. It also allows new applications built using verifiable credentials to utilise OAuth 2.0 or OpenID Connect as integration and interoperability layer towards credential holders.”
Relevance in the IMPULSE context: This informal standard is used by ESSIF to provide guidelines for the process of creating Verifiable Presentations. In the IMPULSE project we follow these guidelines for the verifiable presentations of EBSI Verifiable Authorisations and EBSI Verifiable Identities.