for e-Government
|
Open Interfaces for e-Government |
|
|
Designation |
Standardised key and info boxes for the Austrian Citizen Card |
|
Brief designation |
Standardised key and info boxes |
|
Version |
1.2.1 |
|
Date |
2005-03-01 |
|
Document class |
Convention |
|
Document status |
Recommendation |
|
Short Name |
This document specifies the standardised key boxes and info boxes of the Austrian Citizen Card that are always available. |
|
Authors |
Arno Hollosi |
|
Work group |
Federal Chancellery, Federal Staff Unit for ICT Strategy, Technology and Standards |
|
© |
This specification is supplied by A-SIT and the Federal Chancellery. It may be used without modification provided that reference is made to this copyright notice. The specification may be expanded, however any additional material must be clearly identified and the expanded specification must be made freely available. |
For better readability, this document dispenses with non-gender-specific formulations. However, the formulations expressly relate to both sexes.
The following name space prefixes are used in this specification to identify the name spaces of XML elements:
|
Prefix
|
Name space
|
Explanation
|
sl |
http://www.buergerkarte.at/namespaces/securitylayer/1.2# |
Elements of the interface specification |
pr |
http://reference.e-government.gv.at/namespace/persondata/20020228# |
Elements from [PersonData] |
This section specifies the key boxes which the Citizen Card Environment must provide by means of the Security Layer application interface. In addition to these obligatory key boxes, a Citizen Card Environment may provide any number of additional key boxes for signing and/or encryption.2.1 Key box for electronic signatur
The Citizen Card Environment
must provide a key box named SecureSignatureKeypair.
This key box must be suitable for creating signatures and may be suitable for decryption. An application must be able to determine the actual suitability of the Citizen Card Environment using the GetProperties command.
If a Citizen Card Environment
offers a secure signature according to the Austrian Signature Act [SigG]
or an administrative signature according to the Austrian E-Government
Act [E-GovG]
of equal status for a limited period, then this specially qualified
signature must be made available
by means of the SecureSignatureKeypair key box.
The Citizen Card Environment
must provide a key box named CertifiedKeypair.
This key box must be suitable for creating signatures and for executing decryption.
This section specifies the info boxes that must be implemented by the Citizen Card Environment on a mandatory basis. These are info boxes for storing certificates, the person identity link and authorisations issued by the citizen.
This info box contains certificates that are linked to the citizen's signature keys. The certificates for the two signature keys contained on the Citizen Card as standard must always be included (provided that the Citizen Card has been initialised correctly).
The key terms to be used to call these two certificates from the
info box correspond to the key box identifiers from section
2 (SecureSignatureKeypair and CertifiedKeypair).
In addition, this info box can also be used to store other certificates (for example certificates for other signature keys or certificates of the certification path for a signature key).
The identifier for this info box is Certificates. This
identifier is used by the application to select the info box for read
and update accesses.
This info box is an associative array type. For the associated read and update access options see Security Layer application interface, section 7.
There are no box-specific read parameters defined for this info box.
There are no box-specific update parameters defined for this info box.
This info box contains the citizen's person identity link. This is the data record, signed electronically by the SourcePIN Register Authority, that links the citizen's sourcePIN (source identification number) to the certificates of the citizen's signature key.
Note: For the specification of the person identity link see [PersBin].
The identifier for this info box is IdentityLink. This
identifier is used by the application to select the info box for read
and update accesses.
This info box is a binary file type. For the associated read and update access options see Security Layer application interface, section 7.
According to the provisions of par. 14 of the Austrian E-Government Act [E-GovG], clients in the private sector can use a private-sector-specific personal identifier (pssPIN) derived from the sourcePIN to identify the citizen. According to the provisions of par. 12 (1), lit. 4 of the Austrian E-Government Act [E-GovG], however, this derived identifier may not be calculated by the private-sector client himself.
For this reason, the Citizen Card Environment implicitly provides this calculation by means of a parameterised read access to the info box for the person identity link: If the sector code required to derive the pssPIN is transmitted as a box-specific parameter in the request to read out the person identity link, the Citizen Card Environment returns a modified person identity link: The sourcePIN originally encoded there is replaced by the private-sector-specific personal identifier derived from the sector code and the sourcePIN. If a box-specific parameter is not specified, the Citizen Card Environment returns the original person identity link.
The sector code may also be specified as a box-specific read
parameter as follows: A single element, sl:IdentityLinkDomainIdentifier
is transmitted in the container for box-specific read parameters (sl:BoxSpecificParameters).
This element contains the sector code for forming the pssPIN derived
from the sourcePIN as the URI. For a precise specification of the
sector code see [SourcePIN],
"Determining the pssPIN". The formal definition of the sl:IdentityLinkDomainIdentifier
element is contained in the XML
schema for the interface
specification.
If necessary, the person identity link is to be modified by the Citizen Card Environment
as follows: Instead of the sourcePIN, the pssPIN derived from the
sourcePIN and sector code is inserted in the personal data of the
person identity link (cf. [PersBin],
section 2.2.1.1): The pr:Type element receives the
contents of the transmitted box-specific read parameter sl:IdentityLinkDomainIdentifier
as its new value, while the pr:Value element receives the
private-sector-specific personal identifier (pssPIN) formed according
to [SourcePIN],
"Determining the pssPIN" in base64-encoded form as its new value.
There are no box-specific update parameters defined for this info box.
This info box contains the citizen's authorisations. An authorisation is the delegation of rights pertaining to the authorising party to the authorised party. To put in simplified terms: the authorisation contains information signed by the authorising party about the authorising party, the authorised party and the purpose of authorisation.
The identifier for this info box is Mandates. This
identifier is used by the application
to select the info box for read and update accesses.
This info box is an associative array type. For the associated read and update access options see Security Layer application interface, section 7.
For the reasons already outlined in section 3.2.3.1, the calculation
of the private-sector-specific personal identifier (pssPIN) is also
implicitly provided within the framework of a read access to values in
the Mandates associative array
(in other words to authorisations): If the sector code required to
derive the private-sector-specific personal identifier is transmitted
as a box-specific parameter in the request to read keys and values or
to read the value for a key (cf. Interface specification, section 7.1.2), the Citizen Card Environment
returns the authorisation(s) in modified form: The sourcePINs from the
authorising party and authorised party originally encoded there are
replaced by the pssPIN derived from the sector code and sourcePIN. If a
box-specific parameter is not specified, the Citizen Card Environment
returns the authorisation(s) unchanged.
The sector code may also be specified as a box-specific read
parameter as follows: A single element, sl:IdentityLinkDomainIdentifier
is transmitted in the container for box-specific read parameters (sl:BoxSpecificParameters).
This element contains the sector code for forming the pssPIN derived
from the sourcePIN as the URI. For a precise specification of the
sector code see [SourcePIN],
"Determining the pssPIN". The formal definition of the sl:IdentityLinkDomainIdentifier
element is contained in the XML
schema for the interface
specification.
[TBD]: Precise details of the exact modification of the authorisation, reference to the specification paper for the authorisations.
There are no box-specific update parameters defined for this info box.
Naber, Larissa: PersonData Struktur - XML Spezifikation. Konvention zum E-Government Austria erarbeitet von der Arbeitsgruppe Kommunikationsarchitekturen. Öffentlicher Entwurf. (PersonData XML Specification. Convention for E-Government in Austria drafted by the Communications Architectures working group. Public Draft.) Version 2.0.0, 14 October 2004. Downloaded from the World Wide Web on 1 March 2005 under http://reference.e-government.gv.at/XML-Strukturen_fuer_Personenda.614.0.html.
| Date | Version | Changes |
|---|---|---|
| 2005-03-01 | 1.2.1 |
|
| 2004-05-14 | 1.2.0 |
|
| 1.1.0 |
|