National Police Directorate Norway The IDeALL programme Project Passport and ID Question and Answers Published June 19, 2014

National Police Directorate Norway The IDeALL programme Project Passport and ID Question and Answers Published June 19, 2014 Technical Market Dialogue 2014101839 Technical Market Dialogue Q&A Last updated: 19.06.2014

1 QUESTIONS AND ANSWERS No Received Answered Question Answer 1 June 3, 2014 June 10, 2014 PoID 2016 omfatter bla. sertifikattjenester for elektronisk ID på nasjonalt ID-kort. Vi ber Direktoratet komme inn på sammenhengen mellom dette og den pågående anskaffelse av PKI. Den pågående anskaffelsen for PKI (CSCA-PKI, EAC-PKI, SPOC, PKD etc) inneholder ikke-eksklusive opsjoner for programvare til rot CA og utstedende CA (subca) for eid på nasjonalt ID-kort. Vi har ikke avgjort om vi skal benytte denne opsjonen. Det vil også være behov for andre komponenter for e-id og dialogen i august /september vil bidra til vår beslutning om hvilke kontrakter som vil benyttes til kjøp av rot CA og utstedende CA. Beslutningen om hvor denne skal driftes vil også være med i denne totalvurderingen. The ongoing procurement for PKI (CSCA-PKI, EAC-PKI, SPOC, PKD etc) contains non-exclusive options for Root CA and Issuing CA (sub CA) software for eid on national ID-cards. We have not decided whether to use this option or not. Other components will also be necessary to establish an eid solution, and the dialogue in August/September will contribute to our decision on which contract to use; the ongoing procurement or the new one. The decision on where to locate the operational facility for eid will also be part of this decision process. 2 June 3, 2014 June 10, 2014 Vil Direktoratet kunne gi en nærmere orientering om G3kko? G3kko inngikk som en del av presentasjonen 10. juni. Se presentasjonen for nærmere detaljer. G3kko was part of the presentation on June 10th. See the presentation for more details. Technical Market Dialogue Q&A Side 2 av 8

3 June 4, 2014 June 10, 2014 I dagens endringsmelding skriver dere «Del to vil sannsynligvis bli avholdt i august eller september og være rettet mot leveransene i Pass og ID prosjektet. Nærmere informasjon om dette vil bli sendt ut til de leverandørene som ønsker dette.». Er det noe vi skal/bør gjøre nå for å melde ønske om å motta informasjonen, eller blir det en ny kunngjøring av noen slags? 4 June 5, 2014 June 10, 2014 Procurement Is the POD open to staging capabilities? E.g. start w/the ID card and then integrate Passports at a later date? 5 June 5, 2014 June 10, 2014 Procurement What is the desired lifespan of the National eid credential? 6 June 5, 2014 June 10, 2014 Procurement Is the national eid proposed to be an opt-in credential or will it be required that all citizens receive the credential? 7 June 5, 2014 June 10, 2014 Procurement Is the deployment of any high speed network infrastructure included as a part of this project or is it inferred that it will exist where required? 8 June 5, 2014 June 10, 2014 Procurement What is the anticipated "funding model" (e.g. all paid for by government, all paid for by citizens/recipients of the credentials or a blend)? Prosjektet PoID vil sende ut invitasjon til kontaktpersonene på dette møtet og legge invitasjonen på Doffin om hvordan del 2 vil håndteres. Vennligst avvent denne informasjonen. The Poid project will send invitations to contacts at the information meeting and put the invitation on Doffin about how Part 2 will be handled. Please wait for this information. Not decided, however we anticipate that personalisation of national ID cards and passports starts approx. at the same time, and that residence permit card may start earlier. Not decided. The card itself will probably be valid for 5 years. The lifespan of the national eid credential can be up to same lifespan and 5 years, depending on the cryptographic strength of the chosen algorithms and choice of key lengths. The Norwegian National Security Authority will assist in choosing algorithms and key lengths. No national proprietary algorithms will however be used. National ID-cards will be an opt-in credential, so it will not be required that all citizens receive the card nor the eid. Everyone who obtains a national ID-card can use the eid. However, it is planned to be voluntary to activate and use the e-id. We have currently not planned a deployment of any high speed network infrastructure as part of this project. We anticipate a model where the citizen pays a fee for the credentials, i.e. the same model as used for Norwegian passports. Technical Market Dialogue Q&A Side 3 av 8

9 June 5, 2014 June 10, 2014 ENROLMENT SYSTEM FOR PASSPORT AND NATIONAL ID CARD Will POD provide the desired applicant flow or is it a collaboration between the vendor and POD. Will this collaboration occur prior to or after the award? We anticipate to discuss use cases and applicant flow that must be supported by the enrolment system, either before the procurement as part of the dialogue in August/September or as part of the procurement. We also anticipate detailing some of the applicant flow after the award of a contract. ICAOs Guide for Assessing Security of Handling and Issuance of Travel Documents will be used as a baseline for security. 10 June 5, 2014 June 10, 2014 BIOMETRIC EQUIPMENT Do you anticipate fingerprint capture for later in-field identity validation purposes, or initial applicant validation? 11 June 5, 2014 June 10, 2014 BIOMETRIC EQUIPMENT Does POD envision capturing single prints or multiple prints? 12 June 5, 2014 June 10, 2014 BIOMETRIC EQUIPMENT Would facial images be captured for visual identity or biometric facial recognition systems? We anticipate that fingerprint capture can and should be used for applicant validation depending on legal possibilities (today this is not possible). We do not anticipate fingerprint capture for lager in-field identity validation purposes. We will also investigate the viability of facial recognition as part of initial identity validation. We may want input from vendors on technical pros and cons on this topic in August/September. For national ID-cards and passports two fingerprints are captured, from the right and left index finger. The equipment will also be used for other purposes, for UDI (Norwegian Directorate of Immigration) and for immigration tasks such as visa applications and emergency visas. In that respect up to ten fingers may be captured. Yes, the captured photos stored in emrtds such as passport and national ID card photos, and which are stored in the passport and ID-card register (database) will be used for visual identity purposes. Norwegian legislation also opens up for the possibility to do facial recognition against passport photos for certain police tasks. This capability has not yet been enabled, and is something that we need to look into. Technical Market Dialogue Q&A Side 4 av 8

13 June 5, 2014 June 10, 2014 DELIVERY BOXES We are uncertain about the meaning of Delivery Boxes ; please clarify. We see opportunities to ensure identity validation via either: In-person issuance with biometric validation Remote activation via a secure channel (i.e. webpage with secure login established at enrollment) 14 June 5, 2014 June 10, 2014 PASSPORT AND ID CARD DATABASE What is the technology that drives your current passport system? 15 June 5, 2014 June 10, 2014 PASSPORT AND ID CARD DATABASE What types of databases does that system currently use? 16 June 5, 2014 June 10, 2014 PASSPORT AND ID CARD DATABASE Are you able to provide any architectural diagrams of the current system architecture? 17 June 5, 2014 June 10, 2014 eid Is PKI a required component of this solution? Is POD open to a backup option to PKI as a secondary, more resilient authentication mechanism? With delivery boxes we were thinking of physical machinery/boxes that can be placed in governmental offices, with functionality to deliver passports and ID-cards to holders after identity validation, preferably after a biometric validation. An example is shown in the presentation. Identity validation for other purposes, e.g. ID and eid lifecycle management, is something we want to discuss in the dialogue in August/September. The enrolment system is developed in-house. The passport database is an Oracle database. The personalisation for passports is contracted to Gemalto until 2016. The personalisation of residence permit cards is contracted to Oberthur until 2016. As previous answer, the passport database is an Oracle database. Yes, as part of the dialogue in August/September. Currently PKI is a required component for the solution, at least for electronic signatures, and it has been planned to use a PKI based solution for authentication and encryption. However, this can be investigated once more, and we have looked into other technology choices for authentication, such as the one used with the German ID card (where authentication method is strictly not PKI-based in the traditional sense; it uses other mechanisms for establishing a secure channel to chip, authenticating to server and then onwards to the service). Alternatives for authentication and encryption may be a topic for discussion as part of the dialogue in August/September. Both e-id (authentication) and electronic signatures must however be compliant with the EU regulation, and we will therefore not take a high risk in choosing technology that may not be compliant with the secondary legislation for electronic identification which is currently being drafted by EU member states. Technical Market Dialogue Q&A Side 5 av 8

18 June 5, 2014 June 10, 2014 eid It will be important to vendors to determine if POD desires a Managed Service for certificates (outsourced) or they want a Hosted Solution that is managed in-house. If the POD would like its own CA infrastructure, significant costs would be expected. As described in today s presentation, we require a separate CA infrastructure where the private keys and certificate policy is owned by the government. It has not been decided whether the operation of the infrastructure will be performed by the government. 19 June 5, 2014 June 10, 2014 IMPLEMENTATION, TIME AND PLACE We look forward to clarification on timing of the tender process, program development and delivery. Please see the preliminary plan in the presentation. 20 June 5, 2014 June 10, 2014 IMPLEMENTATION, TIME AND PLACE What is the envisioned rollout strategy? A phased series of pilots would be suggested. 21 June 6, 2014 June 10, 2014 Tillater meg å spørre om det vil være mulig å få prosjektet il å vurdere følgende: Be om 1:1 dialog med leverandørene som kan levere "hele" løsningen, for å få deres erfaringer, referanser samt ikke minst tanker om framtidig utvikling - trender og anbefalinger? Dette i etterkant av Markedsdialogmøtet og før neste fase. Dette vil være på Programnivå. 22 June 10, 2014 June 10, 2014 In the time schedule presented this morning it is mentioned that the design contest for the new Norwegian passport and ID card is ongoing and that the winner will be announced in September. My question: is it still possible for companies to participate in this design contest? 23 June 10, 2014 June 10, 2014 The 50K cards per year mentioned in the scope is this the residence permit card? It has not yet been decided at a rollout strategy. This is something we want to include in a dialogue in August / September. For å sikre likebehandling vil det ikke bli gjennomført leverandørmøter med enkeltleverandører på programnivå. Vi vil i august komme tilbake til hvordan vi gjennomfører del 2 av teknisk markedsdialog ut fra anskaffelsesbehovene til prosjektet Pass og ID. To ensure equal treatment there will not be held provider meetings with individual providers at the program level. We will coming back in August to how we conduct part 2 of the technical market dialogue based on procurement needs of the project Pass and ID. No The number 50.000 cards in the scope foil were incorrect. We have updated the presentation. The correct number of cards is: 120.000 to 150.000 cards / year. Divided into Residential Permit Cards, Diplomacy Cards and Local Boarder Traffic Permits. Technical Market Dialogue Q&A Side 6 av 8

24 June 10, 2014 June 10, 2014 Do you have a desired roll out for the National ID card to get most of the country involved? And do you have a means for enticing the populations to pay for a voluntary credential? As to the first question, we want the card to be rolled out to everyone who is entitled to it. A high roll out is important in order to achieve the overall goal of reducing ID-related crime. We believe that the main driver will be the citizen s desire to have a pocket-size identity card which also can be used to travel within Schengen. Banking cards and driving licenses are not secure enough, and when an alternative in the form of a national ID-card is available, we also anticipate that most governmental services will require a biometric passport or national ID-card. We will work for this to happen, which can make the roll-out volumes high. 25 June 10, 2014 June 16, 2014 Are the certificate services managed by the procurement relating to secure infrastructure of biometric chips, or is related to the national ID card/eid? 26 June 10, 2014 June 16, 2014 How quickly do you plan to have all citizens enrolled in the eid system? 27 June 11, 2014 June 16, 2014 June 19, 2014 One more question: yesterday reference was made to a "demo video" that could be made available. Is that something you could direct to me? In addition, it will also be very important to make the card and eid attractive for the end users when it comes to functionality/content and price. This is an area where input from the vendors will be important during the dialogue in August/September. See answer to question number 1. We hope that most holders of a national ID-card will take the eid into use. See answer 10 for roll out of national IDcard (and answer to question 6). Yes, we are currently looking into how to make the video available. Update: https://www.dropbox.com/s/dndk1d36oypp1wp/lese- ICAO-reisedokumenter-NFC.mp4 The video demonstrates the feasibility of using low-cost offthe-shelf technology to read (travel) documents over NFC. Technical Market Dialogue Q&A Side 7 av 8

28 June 12, 2014 June 16, 2014 Annar Bohlin-Hansen nevnt under presentasjonen sin på tirsdag at «Handlingsplan for ID-området» kunne oversendes ved forespørsel. See document uploaded on Doffin. Please be advised that this document is in Norwegian and will not be translated. 29 June 12, 2014 June 16, 2014 Vi har et spørsmål til omfanget av programmet. På tirsdag ble det fokusert på områdene Utstedelse og Kontroll. Kriminalitet ble ikke presentert. Vil Kriminalitet kjøre som et separat prosjekt senere? Noen indikasjoner på når dette kan skje tidmessig 2015? 2016? Ser også at det er en stiplet linje til dette prosjektet. Hvordan skal vi tolke dette?. Kan det eventuelt bli slått sammen med noe annet/eventuelt eid av andre i POD? Arbeidet på kriminalitet basert på misbruk av ID er ett løp som er under utvikling i IDeALT-programmet. Det er i en planleggings- og analysefase, og det er ennå for tidlig å identifisere hva som vil komme ut av arbeidet som anskaffelser. The work on ID-related crime is an area within the IDeALL programme which is under development. This is currently in a planning- and analysis phase and it is still too early to identity how this will result in potential procurements. Technical Market Dialogue Q&A Side 8 av 8