Infrastructure Standards for Smart ID Card Deployment

Ramaswamy Chandramouli (National Institute of Standards & Technology)
Philip Lee (Identity Alliance)

Smart card deployment is increasing thanks to the addition of security features and to improvements in computing power that let smart card chips support cryptographic algorithms with larger footprints (for digital signing and encryption), developments of the past five or six years. Typical applications are Subscriber Identification Module (SIM) cards (in telecommunications), micropayments (in financial transactions), commuter cards (in urban transportation systems) and identification (ID) cards. Although the market share of smart cards used for identification applications (which we shall call Smart ID cards) is relatively small within the overall smart card market, it is one of the fastest growing segments. Smart ID cards control physical access to secure facilities and logical access to IT systems (web servers, database servers, workstations) and applications. Authentication of the card and of the holder takes place using a set of credentials. An organization deploying such cards must have an infrastructure for generating, collecting, storing, provisioning and maintaining those credentials. The components involved in these credential lifecycle management activities constitute what we will call the Smart ID card system infrastructure, which supports Smart ID card deployment. Not all components of this infrastructure have standardized interfaces. Moreover, no robust messaging standards exist for information exchange among the components. Some efforts are nevertheless underway to partially address this standards gap.
Smart ID Card System Infrastructure

At the heart of the Smart ID card system infrastructure is the Identity Management System (IDMS), which comprises both a data repository and a software system, and which is increasingly used in many organizations to support all forms of identity-based applications such as single sign-on (SSO) and authorization management. Broadly, the two most common areas of identity-based applications are physical access control systems (PACS) and logical access control systems (LACS). Despite the IDMS's versatility, no agreed-upon definition exists for its functional scope. Its canonical function as the manager of all forms of enterprise-wide credentials (identity information) is recognized, but individual product offerings vary widely in their functionality. The points of variation include the types of corporate (meta) directories to which the IDMS can interface (LDAP, for example), native DBMS support (relational or object-oriented), the expressive power of the data schemas (some IDMS products support capture of authorization information such as roles, groups, userIDs and target IT system definitions) and the mechanisms used to connect to the systems to which credentials must be provisioned (connectors, agents, etc.). We thus have a situation in which a core component of the infrastructure supporting identity-based applications in general, and Smart ID cards in particular, consists of product offerings with varying functionality and interfaces. Therefore, our search for identification of areas for standardization in the Smart ID card system infrastructure