Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Neumann 24727 B10.12 Update 20091029 AM R3
1. ISO/IEC 24727 and INCITS #2094: Bringing it Together Mike Neumann President Agile Set, LLC
2. ISO/IEC 24727 A Framework for Interoperable IAS Systems Something Old, Some things New, and not a moment too soon.
3. Interoperability, Yes Six Part Standard Covering End-to-end security Application Interface Testing Authentication Protocols Command and Procedural Translation Not covering On-card command sets
4. Haven’t we been here before? Not exactly. Previous standards/specifications were developed either “client-down” or “card-up” “client-down”, e.g. PKCS #11 – general, but uncoordinated across API CSP – Single function of a single application view “card-up”, e.g. All of ISO/IEC 7816 series (Nearly?) all middleware based on ISO/IEC 7816. ISO/IEC 24727 is the first series of standards to be designed with both in mind.
25. Proxy and Agent Architecture Application Application API API Marshall API Proxy APIService Layer APIService Layer Unmarshall API API Agent
26. Summary An International Standard to connect IAS systems to secure tokens Speaks semantics of IAS Client-Applications, with Means to map to constrained devices Flexible, standardized, mechanism to specify and identify new Authentication Protocols Testing; methodology and practice Multiple stack configurations to support legacy (APDU-constrained) devices and modern “connected” secure devices
33. Part 3 to include XML bindings for API and 7816-15 mapping guidance
34. Part 4 to update stack configurations to support “web services” and related security
35.
36. PIV “Answered the Mail”“We’ll do exactly that, Mr. President” Identity Verification on a Smart Card An Application – runtime, not personalization With Data – minimum required for FIPS 201 Not A Framework – remember GSC-IS ? A Flexible Data model
37. GICSGovernment and Industry in INCITS B10.12 Industry wants to be able to re-use PIV products and services for Corporate ID Local govt. Other IAS applications Cannot simply “just use PIV” Based on PIV and existing ISO/IEC standards for Data personalization Application management
38. GICSINCITS Project #2094 Multi-part U.S. National Standard Part 1: Card Application Command Set Part 2: Card Administrative Command Set Part 3: Testing Part 4: Card Application Profile Template Contributions (Pts 1 and 2) produced in June, comments resolved in July B10.12 Formal Drafts (Pts 1, 2 and 4) produced end of July, comments resolved in August B10.12 2nd Drafts produced in September, ballot closed 10-Oct, B10.12 meeting 9-10 November.
39. GICS and ISO/IEC 24727they work together, for growth ISO/IEC 24727 defines a new framework for providing card-application service access to client-applications GICS provides for PIV Interoperable and PIV Compatible card-applications to be built from a single product Including flexible data models Application data personalization Application management ISO/IEC 24727 defines the system interfaces GICS defines the card commands
40. Thank you. Questions? Mike NeumannAgile Set, LLCmike.neumann at agileset dot net twitter.com/agileset slideshare.net/agileset
Editor's Notes
HSPD-12 said,“it is the policy of the United States…establish a mandatory, Government-wide standard for secure and reliable forms of identification issued by the Federal Government to its employees and contractors (and their employees)” NIST is directed to issue “a Federal standard for secure and reliable forms of identification not later than 6 months after the date of this directive”
