A Painful Birth for an ID Card Standard

Initiative moves forward, attempting to create standards where none exist

It was a simple enough goal: create a standard ID card that U.S. government employees and private contractors could use to enter government buildings and for logging on to computer networks.

And, by the way, make sure it supports digital certificates for signing electronic documents and biometrics to verify that the person presenting the card is the legitimate cardholder. And it would be a big help if it were compatible with existing smart card programs, especially that of the Department of Defense, which has issued Common Access Cards to 3.1 million of the 3.5 million military and civilian personnel who will need the smart card IDs.

OK, maybe it wasn't such a simple goal.

It certainly has turned out to be a painful process, but one that may prove useful to others as they seek to introduce identification credentials that can be shared by many entities.

As Card Technology went to press in late February, government officials were increasingly optimistic they could arrive at a reasonable compromise. Some officials, as well as industry vendors were less optimistic after the National Institute of Standards and Technology, the U.S. government's technology arm, released its latest proposal Jan. 31. But sources say negotiations were productive.

The aim is to create a protocol that ensures that a card issued by agency A can be read by agency B, without tying those agencies to specific vendors or smart card formats. The ID card will be used by some 7 million U.S. government employees and private contractors.

It's an aim others are pursuing, as well.

European Initiatives
In Europe, there is similar work underway to create a framework that would allow different agencies within government to accept each other's credentials, says John Elliott of UK-based Consult Hyperion. And he says his firm was recently engaged by the European Commission to study both private and public identification systems in each of the European Union's 25 member states with a view toward encouraging interoperability.

U.S. officials also are spearheading an effort within the International Organization for Standardization to create an ISO standard, known as ISO/IEC 24727, for use with ID cards. Work on the overall architecture has reached the draft stage, and votes on that proposal are due by April, says Teresa Schwarzhoff, the NIST official chairing the ISO task force.

Normally, it takes a year to get a proposal to the ballot stage, and she says the first part of the 24727 proposal managed it in six months. Two more sections are likely to reach the ballot stage this year, she says. Nonetheless, final approval is likely still years away.

Other governments might choose to wait, but Washington is moving forward.

President George Bush signed an executive order in August mandating that the U.S. Commerce Department, the parent agency of NIST, come up with a standard for an ID card that can be used for physical and computer network access by government workers and contractors. The deadline was set for late February. Implementation of that new standard is supposed to begin by October.

Facing that aggressive timetable, NIST set to work last fall on a new standard. There already was a protocol in place and being implemented, the Government Smart Card Interoperability Specification, or GSC-IS, which was largely based on the Defense Department's ID card.

Other agencies also are moving forward. The Department of Homeland Security recently received a $6 million appropriation for the coming fiscal year to issue a smart card ID to its 180,000 employees. The agency will be required to conform to the new ID card spec.

This content continues onto the next page...