Logo BKA Open Interfaces
for e-Government
Logo A-SIT

The Austrian Citizen Card

Standardised Key and Info Boxes


Document information

Designation

Standardised key and info boxes for the Austrian Citizen Card

Brief designation

Standardised key and info boxes

Version

1.2.1

Date

2005-03-01

Document class

Convention

Document status

Recommendation

Short Name

This document specifies the standardised key boxes and info boxes of the Austrian Citizen Card that are always available.

Authors

Arno Hollosi
Gregor Karlinger

Work group

Federal Chancellery, Federal Staff Unit for ICT Strategy, Technology and Standards

©

This specification is supplied by A-SIT and the Federal Chancellery. It may be used without modification provided that reference is made to this copyright notice. The specification may be expanded, however any additional material must be clearly identified and the expanded specification must be made freely available.


Table of contents

  1. General information
    1. Naming conventions
  2. Key boxes
    1. Key box for electronic signatures
    2. Key box for electronic signature and encryption
  3. Info boxes
    1. Info box for certificates
    2. Info box for the person identity link
    3. Info box for authorisations

1 General information

1.1 Naming conventions

For better readability, this document dispenses with non-gender-specific formulations. However, the formulations expressly relate to both sexes.

The following name space prefixes are used in this specification to identify the name spaces of XML elements:

Prefix
Name space
Explanation
sl http://www.buergerkarte.at/namespaces/securitylayer/1.2# Elements of the interface specification
pr http://reference.e-government.gv.at/namespace/persondata/20020228# Elements from [PersonData]

2 Key boxes

This section specifies the key boxes which the Citizen Card Environment must provide by means of the Security Layer application interface. In addition to these obligatory key boxes, a Citizen Card Environment may provide any number of additional key boxes for signing and/or encryption.

2.1 Key box for electronic signatures

The Citizen Card Environment must provide a key box named SecureSignatureKeypair.

This key box must be suitable for creating signatures and may be suitable for decryption. An application must be able to determine the actual suitability of the Citizen Card Environment using the GetProperties command.

If a Citizen Card Environment offers a secure signature according to the Austrian Signature Act [SigG] or an administrative signature according to the Austrian E-Government Act [E-GovG] of equal status for a limited period, then this specially qualified signature must be made available by means of the SecureSignatureKeypair key box.

2.2 Key box for electronic signature and encryption

The Citizen Card Environment must provide a key box named CertifiedKeypair.

This key box must be suitable for creating signatures and for executing decryption.

3 Info boxes

This section specifies the info boxes that must be implemented by the Citizen Card Environment on a mandatory basis. These are info boxes for storing certificates, the person identity link and authorisations issued by the citizen.

3.1 Info box for certificates

This info box contains certificates that are linked to the citizen's signature keys. The certificates for the two signature keys contained on the Citizen Card as standard must always be included (provided that the Citizen Card has been initialised correctly).

The key terms to be used to call these two certificates from the info box correspond to the key box identifiers from section 2 (SecureSignatureKeypair and CertifiedKeypair).

In addition, this info box can also be used to store other certificates (for example certificates for other signature keys or certificates of the certification path for a signature key).

3.1.1 Identifier for the info box

The identifier for this info box is Certificates. This identifier is used by the application to select the info box for read and update accesses.

3.1.2 Info box type

This info box is an associative array type. For the associated read and update access options see Security Layer application interface, section 7.

3.1.3 Box-specific parameters

3.1.3.1 Read parameters

There are no box-specific read parameters defined for this info box.

3.1.3.2 Update parameters

There are no box-specific update parameters defined for this info box.

3.2 Info box for the person identity link

This info box contains the citizen's person identity link. This is the data record, signed electronically by the SourcePIN Register Authority, that links the citizen's sourcePIN (source identification number) to the certificates of the citizen's signature key.

Note: For the specification of the person identity link see [PersBin].

3.2.1 Identifier for the info box

The identifier for this info box is IdentityLink. This identifier is used by the application to select the info box for read and update accesses.

3.2.2 Info box type

This info box is a binary file type. For the associated read and update access options see Security Layer application interface, section 7.

3.2.3 Box-specific parameters

3.2.3.1 Read parameters

According to the provisions of par. 14 of the Austrian E-Government Act [E-GovG], clients in the private sector can use a private-sector-specific personal identifier (pssPIN) derived from the sourcePIN to identify the citizen. According to the provisions of par. 12 (1), lit. 4 of the Austrian E-Government Act [E-GovG], however, this derived identifier may not be calculated by the private-sector client himself.

For this reason, the Citizen Card Environment implicitly provides this calculation by means of a parameterised read access to the info box for the person identity link: If the sector code required to derive the pssPIN is transmitted as a box-specific parameter in the request to read out the person identity link, the Citizen Card Environment returns a modified person identity link: The sourcePIN originally encoded there is replaced by the private-sector-specific personal identifier derived from the sector code and the sourcePIN. If a box-specific parameter is not specified, the Citizen Card Environment returns the original person identity link.

The sector code may also be specified as a box-specific read parameter as follows: A single element, sl:IdentityLinkDomainIdentifier is transmitted in the container for box-specific read parameters (sl:BoxSpecificParameters). This element contains the sector code for forming the pssPIN derived from the sourcePIN as the URI. For a precise specification of the sector code see [SourcePIN], "Determining the pssPIN". The formal definition of the sl:IdentityLinkDomainIdentifier element is contained in the XML schema for the interface specification.

If necessary, the person identity link is to be modified by the Citizen Card Environment as follows: Instead of the sourcePIN, the pssPIN derived from the sourcePIN and sector code is inserted in the personal data of the person identity link (cf. [PersBin], section 2.2.1.1): The pr:Type element receives the contents of the transmitted box-specific read parameter sl:IdentityLinkDomainIdentifier as its new value, while the pr:Value element receives the private-sector-specific personal identifier (pssPIN) formed according to [SourcePIN], "Determining the pssPIN" in base64-encoded form as its new value.

3.2.3.2 Update parameters

There are no box-specific update parameters defined for this info box.

3.3 Info box for authorisations

This info box contains the citizen's authorisations. An authorisation is the delegation of rights pertaining to the authorising party to the authorised party. To put in simplified terms: the authorisation contains information signed by the authorising party about the authorising party, the authorised party and the purpose of authorisation.

3.3.1 Identifier for the info box

The identifier for this info box is Mandates. This identifier is used by the application to select the info box for read and update accesses.

3.3.2 Info box type

This info box is an associative array type. For the associated read and update access options see Security Layer application interface, section 7.

3.3.3 Box-specific parameters

3.3.3.1 Read parameters

For the reasons already outlined in section 3.2.3.1, the calculation of the private-sector-specific personal identifier (pssPIN) is also implicitly provided within the framework of a read access to values in the Mandates associative array (in other words to authorisations): If the sector code required to derive the private-sector-specific personal identifier is transmitted as a box-specific parameter in the request to read keys and values or to read the value for a key (cf. Interface specification, section 7.1.2), the Citizen Card Environment returns the authorisation(s) in modified form: The sourcePINs from the authorising party and authorised party originally encoded there are replaced by the pssPIN derived from the sector code and sourcePIN. If a box-specific parameter is not specified, the Citizen Card Environment returns the authorisation(s) unchanged.

The sector code may also be specified as a box-specific read parameter as follows: A single element, sl:IdentityLinkDomainIdentifier is transmitted in the container for box-specific read parameters (sl:BoxSpecificParameters). This element contains the sector code for forming the pssPIN derived from the sourcePIN as the URI. For a precise specification of the sector code see [SourcePIN], "Determining the pssPIN". The formal definition of the sl:IdentityLinkDomainIdentifier element is contained in the XML schema for the interface specification.

[TBD]: Precise details of the exact modification of the authorisation, reference to the specification paper for the authorisations.

3.3.3.2 Update parameters

There are no box-specific update parameters defined for this info box.

4 References

E-GovG
BGBl. I No. 10/2004.
PersBin
Hollosi, Arno and Karlinger, Gregor: XML-Definition der Personenbindung. Konvention zum E-Government Austria erarbeitet von der Stabsstelle IKT-Strategie des Bundes, Technik und Standards. Öffentlicher Entwurf. (XML definition of the person identity link. Convention for E-Government in Austria drafted by the Federal Staff Unit for ICT Strategy, Technology and Standards. Public Draft.) Version 1.2.2, 14 February 2005. Downloaded from the World Wide Web on 1 March 2005 under http://www.buergerkarte.at/konzept/personenbindung/spezifikation/20050214/.
PersonData

Naber, Larissa: PersonData Struktur - XML Spezifikation. Konvention zum E-Government Austria erarbeitet von der Arbeitsgruppe Kommunikationsarchitekturen. Öffentlicher Entwurf. (PersonData XML Specification. Convention for E-Government in Austria drafted by the Communications Architectures working group. Public Draft.) Version 2.0.0, 14 October 2004. Downloaded from the World Wide Web on 1 March 2005 under http://reference.e-government.gv.at/XML-Strukturen_fuer_Personenda.614.0.html.

SigG
BGBl I No. 190/1999 idF BGBl I No. 152/2001.
SourcePIN
Hollosi, Arno and Hörbe, Rainer: Bildung von Stammzahl und bereichsspezifischem Personenkennzeichen (bPK). Konvention zum E-Government Austria erarbeitet von der Stabsstelle IKT-Strategie des Bundes, Technik und Standards sowie vom Bundesminsterium für Inneres. Öffentlicher Entwurf. (Formation of a sourcePIN and a private-sector-specific personal identifier (pssPIN). Convention for E-Government in Austria drafted by the Federal Staff Unit for ICT Strategy, Technology and Standards and by the Federal Ministry for the Interior. Public Draft.) Version 1.0, 2 February 2004. Downloaded from the World Wide Web on 14 May 2004 under http://www.cio.gv.at/it-infrastructure/sz-bpk/Stammzahl-bPK-Algorithmen-20040202.pdf.

5 History

Date Version Changes
2005-03-01 1.2.1
  • Erratum 25 eliminated.
2004-05-14 1.2.0
  • Explanations relating to the key boxes revised.
  • Specification of the box-specific parameters for the standardised info boxes inserted.
2002-08-31 1.1.0
  • Various editorial improvements