NIST revises conformance-testing guidelines for PIV data models
Special Publication 800-85B draft is open for comments
- By William Jackson
- Sep 15, 2009
Implementing interoperable Personal Identity Verification cards across government requires standardized infrastructure, interfaces and data used by the cards, along with a means for verifying conformance to these standards. The National Institute of Standards and Technology is revising conformance-testing guidelines for data models used in the cards.
NIST has released a draft revision of Special Publication 800-85B, “PIV Data Model Conformance Test Guidelines," that includes additional tests necessary for optional features added to the PIV Data Model in other specifications. It also updates tests to conform to the timeline for migrating to a cryptographic scheme.
The PIV card was developed under Homeland Security Presidential Directive 12, which required a standardized scheme for common identity credentials that could be used for both logical and physical access across government. NIST established the standards for the card and supporting infrastructure in the Federal Information Processing Standard 201. Specifications for the standards are spelled out in a series of special publications, including SP 800-73, which specifies card-interface requirements, and SP 800-78, which specifies acceptable cryptographic algorithms and key sizes for PIV systems.
FIPS 201 also describes several data model components that are included in PIV logical credentials. These include biometric elements in the form of fingerprint information and facial imagery, and security elements such as electronic keys, certificates and signatures.
“A robust testing framework and guidelines to provide assurance that a particular component or system is compliant with FIPS 201 and supporting standards should exist to build the necessary PIV,” NIST said in the revised guidelines.
The test guidelines were developed in two parts. SP 800-85A addresses requirements for the interface to the PIV card. The second part, SP 800-85B, provides test requirements for the PIV data model. It specifies test requirements, and the detailed test assertions and conformance tests for the PIV data model.
Testing requirements in this first revision of SP 800-85B reflect changes to specifications that have been made in SP 800-73-2 Part 1 and cryptographic digital signature requirements specified in SP 800-78-1. These changes include:
- Added conformance tests for Basic Encoding Rules Tag-Length Value (BER-TLV) for optional discovery objects.
- Removed conformance tests for the maximum container size for PIV data objects.
- Updated signatures-conformance tests on PIV data objects to base the signer’s key size, digest algorithm and signature algorithm on the date of signature generation.
- Updated PIV certificate profile conformance tests to base the certification authority’s signing key size, digest algorithm and signature algorithm on the date of signature generation.
Comments on the draft revision should be sent through Sept. 25 to firstname.lastname@example.org with “Comments on Public Draft SP 800-85B-1” in the subject line. Comments should be submitted using the Excel Spreadsheet template available.
William Jackson is freelance writer and the author of the CyberEye blog.