ISOIEC24727forsecuremobile.PDFVIP

ISO/IEC 24727 for secure mobile web applications Jan Eichholz1 Detlef Houdeau2 Detlef Hühnlein3 Manuel Bach4 1Giesecke Devrient GmbH, jan.eichholz@ 2Infineon Technologies AG, detlef.houdeau@ 3secunet Security Networks AG, detlef.huehnlein@ 4Bundesamt für Sicherheit in der Informationstechnik, manuel.bach@bsi.bund.de Abstract: While the ISO/IEC 24727 series of standards [ISO24727] initially were meant to define architectures and application programming interfaces for electronic identity cards (eID) only, it has become clear in the mean time that the web service based architecture is powerful enough to serve arbitrary web applications and security tokens. As there are already many initiatives around the globe (e.g. in the USA, Australia and Europe) which are about to use this standard in major eID-projects, it may be expected, that this standard will provide a major contribution for global eID interoperability and will become widely adopted in near future. On the other hand there is an ever increasing trend for mobility and the ubiquitous use of portable devices as well as first national eID-projects, which support mobile devices such as PDAs, Netbooks and mobile phones. Therefore it is natural to investigate how ISO/IEC 24727 may be used with mobile devices. The present contribution provides a brief overview of this standard and discusses different options for using this standard to develop secure mobile web applications. Furthermore it emphasizes the interrelationships between secure tokens, mobile devices and internet-based e-government services. 1 Introduction Against the background of the US Government Smart Card Interoperability Specification [NIST-GSCIS] and the activities around the Personal Identity Verification (PIV) program [NIST-PIV] the National Institute of Standards and Technology (NIST) initiated the development of the ISO/IEC 24727 series of standards (cf. [ISO24727], [NIST-SMP]) which defines architectures and appl