Authentication protocol standards finalized
- By Joab Jackson
- Oct 28, 2008
The International Organization for Standardization standards committee has published key parts of a set of standards around authentication protocols.
Such standards may pave the way for greater interoperability of authentication systems. Not only could agencies use the standard to specify the authentication protocols to be used for their identification systems and end-user applications, but such standards could even be used to promote sharing of credentials across different organizations, according to Graeme Freedman, consultant with the Sydney, Australia-based DotInDots and co-author of some of the standards.
Freedman sketched out the six-part standard ISO/IEC 24727, "Authentication Protocols and Interoperability," at the Smart Card in Government conference last week in Washington.
This set of standards was developed to simplify the process of setting up an authentication protocol, such as one that would let the bearer of some form of authentication, such as a smart card, log on to a particular client application. Formerly, the organization would have to specify how the authenticating data is transferred between the different applications, usually at the field level.
The standard is broken into six parts. The parts concerning architecture and how to work with the tokens have already been published; parts on testing and the registration procedure are still being formulated. But the two sections that are the heart of the standard, one detailing the authentication protocol's application programming interface and the other on the API administration, were recently published.
The new publications offer a "high-level programming API [application programming interface] that gives you access to an authentication credential," said Bill MacGregor, a computer scientist at the National Institute of Standards and Technology who introduced Freedman. "It is a software-driven token reader," he said, where the tokens can come from any source, such as bar codes or smart cards.
In addition to the specifications, the standard will also set up a registry for both end users and vendors. Registering will cost vendors $5,000; for end users, registration will cost only $200. The registration could be useful for organizations that wish to have their cards used by other organizations. Freedman noted that Australia, for instance, wants to use the medical health cards being developed in the European Union. Australian facilities could simply use the EU profile for their use of 24727 and incorporate the appropriate APIs in their card readers.
Joab Jackson is the senior technology editor for Government Computer News.