NIST updates guide for testing PIV card applications and middleware
Draft revisions for this NIST publication include tests for optional features and new middleware features for the government’s PIV access and identity card.
The National Institute of Standards and Technology has released for comment draft revisions to its guidelines for compliance testing of Personal Identity Verification card applications and middleware, adding tests for compliance with the updated interface specifications.
Special Publication 800-85A-2, PIV Card Application and Middleware Interface Test Guidelines (SP800-73-3 compliance), contains new tests needed for some optional features added to the PIV Data Model and Card Interface, as well as middleware. The document was last updated in April 2009.
Homeland Security Presidential Directive 12 mandated the PIV card as a common, interoperable, electronic ID card for government employees and contractors to be used for both logical and physical access control. Standards for the PIV card system are defined in Federal Information Processing Standard 201, which sets minimum requirements, and technical specifications and implementation guidance are provided in a series of NIST special publications, including SP 800-73-3, “Interfaces for Personal Identity Verification.” That publication specifies interface requirements for retrieving and using the identity credentials from the PIV card and also defines a data model detailing the structure and formation of information stored on the card.
The draft publication specifies the test plan, processes, derived test requirements and the detailed test assertions and conformance tests for middleware implementing the PIV client application programming interface and card applications. The conformance tests assure that middleware and applications are interoperable.
The middleware is software that sits between a PIV client application, which needs to access the card, and the software on the card. It exposes the PIV client application programming interface to the client application and translates API calls into the appropriate commands for the card application. The card application resides on the PIV card, implements the commands of the PIV card command interface and provides access to the objects of the PIV data model. A card reader and its driver link the PIV card to the middleware.
Changes made in the revised publication include:
- Tests for retrieving newly added optional PIV data objects, such as the Key History Object, the 20 retired X.509 certificates for key management and the Iris Image Data Object.
- Tests for populating these newly added data objects on the PIV card.
- Tests for verifying the correct behavior of the Elliptic Curve Diffie-Hellman (ECDH) key establishment scheme with the key management key.
- Tests for verifying the correct behavior of the retired key management private keys when used to derive or decrypt data encryption keys.
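To make the last two items concrete, the following is an added illustration, not code from NIST or from the test guidelines, of what an ECDH key establishment against a card-held key management key looks like, including the case where the key used is a retired one. It simulates the card application as a Python object that keeps its private scalars internal and only answers with public points and shared secrets, and runs on a minimal pure-Python P-256 implementation so it needs nothing beyond the standard library. The key reference labels, the `SimulatedPivCardApp` interface and the SHA-256 step used to turn the shared secret into a data encryption key are assumptions made for this example; the real PIV command interface and key derivation are specified in SP 800-73-3 and its companion publications, not here.

```python
"""Illustrative ECDH key establishment with a simulated PIV card application.

Added example, not NIST test code. Curve arithmetic is a deliberately simple
pure-Python P-256 (textbook double-and-add, not constant time) so it runs
offline; a real card uses hardened arithmetic. Key references, the card API
and the KDF below are assumptions for illustration only.
"""
import hashlib
import secrets

# NIST P-256 domain parameters (the curve SP 800-78-3 allows for PIV ECC keys).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (GX, GY)
INF = None  # point at infinity


def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + ax + b (mod p); INF counts as valid."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition, handling doubling and the P + (-P) = INF case."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return INF
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, pt):
    """k * pt by right-to-left double-and-add."""
    result, addend = INF, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


class SimulatedPivCardApp:
    """Stand-in for the on-card application (assumption, not the PIV command set).

    Holds the current key management key and any retired ones, indexed by an
    illustrative key reference label. Private scalars never leave the object.
    """

    def __init__(self, key_refs):
        self._priv = {ref: secrets.randbelow(N - 1) + 1 for ref in key_refs}

    def public_key(self, ref):
        """Public point for a key reference (in a real PIV card this comes from the X.509 certificate)."""
        return scalar_mult(self._priv[ref], G)

    def ecdh(self, ref, peer_pub):
        """Return shared secret Z (x-coordinate) for the given key reference.

        The peer point is validated before use: P-256 has cofactor 1, so an
        on-curve check is enough to block invalid-curve inputs.
        """
        if peer_pub is INF or not on_curve(peer_pub):
            raise ValueError("peer public key is not a valid P-256 point")
        z = scalar_mult(self._priv[ref], peer_pub)
        if z is INF:
            raise ValueError("degenerate shared secret")
        return z[0]


def derive_dek(z, ref):
    """Illustrative KDF (assumption, not the PIV-specified one): SHA-256 over Z and the key reference."""
    return hashlib.sha256(z.to_bytes(32, "big") + ref.encode()).digest()


def establish_dek(card, ref):
    """Off-card party and card each derive the data encryption key; returns (card_dek, offcard_dek).

    The off-card party uses an ephemeral key pair against the card's public key for
    the chosen reference; the card recovers the same Z from the ephemeral public point.
    Using a retired reference exercises exactly the decrypt-with-retired-key path.
    """
    eph_priv = secrets.randbelow(N - 1) + 1
    eph_pub = scalar_mult(eph_priv, G)
    z_card = card.ecdh(ref, eph_pub)
    z_offcard = scalar_mult(eph_priv, card.public_key(ref))[0]
    return derive_dek(z_card, ref), derive_dek(z_offcard, ref)


if __name__ == "__main__":
    # Labels follow SP 800-73-3 naming for illustration: 9D current key management key, 82 and 83 retired.
    card = SimulatedPivCardApp(["9D", "82", "83"])
    for ref in ("9D", "82", "83"):
        card_dek, off_dek = establish_dek(card, ref)
        print(ref, "DEKs match:", card_dek == off_dek)
```

The on-curve check in `ecdh` is the detail a conformance tester would most want to see a card get right: a card that multiplies its private scalar by an attacker-supplied point that is not on P-256 can leak that scalar a few bits at a time, so rejecting such points is part of behaving correctly, not an optional extra.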
Comments on the document should be made by May 27 using the comment template available online.