eESC OSCIE Management Summary
Smart Card Infrastructure for Europe” (OSCIE) provides the
basic information and common specifications considered necessary
to accelerate mass deployment and secure implementation of smart
cards in e-services across Europe. It represents the results of
one year preparation and two years intensive collaboration by the
eEurope Smart Card (eESC) Charter community, an industry and government
driven initiative following the European Commission announcement
in December 1999 of the eEurope 2002 Action Plan where smartcards
is an explicit action line. This management summary describes the
context, main goals, achievements and recommendations of eESC OSCIE.
Current activities and plans to continue and extend OSCIE, implement
wide scale deployments, and achieve international integration in
e-authentication and other applications of secure electronic identity
via concerted European standardization and continued joint harmonization
with Japan and USA are also outlined.
The eEurope Smart Card (eESC) Charter (Smart Cards
for Secure Electronic Access, April 2000) is the statement of expectations
and commitment agreed by the Smart Card Community to help bring
the benefits of the information society to all Europeans by means
of mass deployment of smart cards across Europe. The Charter was
developed through an open process facilitated by the European Commission
DG Information Society and subsequently its realization entrusted
to a novel temporary structure comprised of a central steering group
and groups of voluntary experts (Trailblazers and Working Groups)
each focused on specific goals. The eESC Action Plan for removing
barriers to mass deployment was established in December 2000 as
the eEurope Smart Cards Common Requirements and the results of the
collaboration published two years later as the Open Smart Card Infrastructure
for Europe (OSCIE). The entire process was a model of progressive
change management. Important ongoing activities remain to be completed
especially in the areas of implementation, standardization, dissemination
and international harmonization.
Clear collaborative targets and principles
framed according to the best-in-class project management practice
governed the development of OSCIE and other actions:
|The charter emphasized key areas
in which smart cards can add value - building trust, enhancing
usability, improving access - when deployed over a diverse range
of applications and services
|Goals and specific deliverables were clearly
defined and documented in advance. In particular mass deployment
of smart cards was translated into specific actions addressing
citizen centric requirements, pan-European technology infrastructures,
business and legal issues, and international cooperation and
|Active and observer participation was open to
all and purposefully sought from public and private stakeholders.
Formality was kept to a minimum. With the participation and
support of CEN/ISSS and ETSI information on interim and final
deliverables was freely available via mail reflectors, ftp and
a public website.
|Advances in smart card technology, certificates
management, authentication mechanisms and use of different form
factors were constantly reviewed and taken into account in establishing
the technology foundations, infrastructure guidelines, specifications
|Ultimate goal of mass deployment is being addressed
by OSCIE proof of implementations coupled to formal standardization
of specific documents, and proposed inputs into further change
management strategies and research such as the eEurope2005 action
program and the IST/FP6 call for proposals.
eESC Constituency and Communications
An active group of over 250 participants supported by an additional
1000 observers participated in the eESC Work. The active participants
were from diverse business and professional backgrounds including
Smart Card Issuers (both government and private sector), Smart Card
Industry partners, Smart Card Industry Associations, Smart Card
Manufacturers, PKI authorities, Consumer Associations, Universities,
and consultancy companies. Communication was conducted in face-to-face
meetings and electronically via mail reflectors provided by CEN/ISSS,
via the general www.eeurope-smartcards.org
website provided by ETSI, and via websites established by specific
Trailblazers eg Public identity (TB1), MultiApplication (TB7). Additionally
information on Contactless Cards (TB6), Protection profiles and
Security Certification (TB3) was made available via the Eurosmart
This was supported by a quarterly electronic newsletter and press-releases
at important mile-stones. The 6-monthly Open Steering Committee
Meetings and the bi-monthly management meetings were organized by
EUROSMART. The close collaboration with the European Standardization
organizations and premier Smart Card Associations is an important
feature of this work and has enabled strong links to critical areas
of expertise and existing constituencies. For example it has enabled
effective dependence on and integration with the valuable related
work in the CEN/ISSS Workshops: FINREAD and Embedded FINREAD (TB4),
FASTEST (TB9), eURI (TB7 and TB8), and E-Sign Area K (TB2, TB12
and Global Interoperability Framework Group).
Information exchange/integration with specific IST
and eTEN projects brought important advantages and quality information
to the OSCIE. This included information from closely related projects
on contactless cards (SINCE, Smart Meiji), ePayment (Smart@pay),
Advanced Electronic Signature (SmartIS) and public electronic identity
(Euclid). A full day of the two-day Madrid Open Steering Meeting
in June 2002 was dedicated to mutual sharing of results with representative
IST smart card research projects then nearing completion. The clustering
report and recommendations are included as an Annex in the OSCIE.
Several CD compilations of the earlier drafts of
OSCIE (March 2002, November 2002) were prepared and distributed
at various conferences and open Steering Committee Meetings. The
feedback received from all quarters including substantive insightful
inputs from NICSS Japan has been taken into account and resulted
in the final version of OSCIE issued in February 2003.
The structure and approach enabled the eESC
participants to effectively research the current status, diagnose
the barriers, and develop the requirements, specifications, and
approaches to practical solutions contained in the OSCIE.
OSCIE is intended to promote the establishment
of an open end-to-end Smart Card Infrastructure which enables interoperability
between different smart card communities at the level of smart cards,
information systems and data.
’Open’ because OSCIE is multi-application, multi-platform
and multi-vendor and applicable in each and every present and future
member state. The objective is to build user’s trust and confidence
by encouraging Smart Card and smart card systems interoperability,
supporting innovative applications and services for secure multi-application
cards technology. OSCIE comprises over 50 individual parts and is
organised into 11 distinct volumes all in all covering more than
2000 pages in print.
||application white papers and background
data on deployment of services for e-government, epayments,
public transport and healthcare.
||user requirements best practice
||global framework for identification,
authentication and electronic signature (IAS) interoperability
||Public Electronic Identity, Electronic Signature
||Practical multi-party multi-application
business models and criteria, social and legal pre-requisites,
and technology implementation guidelines
||Contactless Technology overview, status and
||Generalised Card Reader applicable to multiple
||Security certification and protection profiles
||Referenced standards, regional specifications
and industry agreements
||Glossary of terms
||Implementation and deployment boosters i.e.
description of existing eESC demonstrators in cooperative introduction
of national public identity and city based e-services cards
(IST project eEpoch) and pan European Social Services entitlement
Annexes provide additional information on OSCIE development,
deployment statistics, related R&D work and general tutorial
documentation. A management summary of the GIF contents and underlying
concepts (Smart card community, e-services community, 3-layer architecture,
functional components and interoperability adaptors, mode of operation)
is provided in the OSCIE preface.
OSCIE and updates are available from www.eeurope-smartcards.org
and from www.eurosmart.com.
Standardization of OSCIE
With the completion of OSCIE, a CEN/ISSS standardisation
of selected parts of the specification has been triggered together
with a concerted Global Standards Collaboration Forum with Japan
and USA on a formal ISO/IEC standardization of common eAuthentication
elements. The OSCIE parts being submitted to a CEN/ISSS WS for a
CWA qualification process are principally the GIF Framework, Public
identity (TB 1) whitebook, multi-application (TB 7) architecture
and the user requirements (TB 8) Best Practice Manual design guidelines
relating to IAS. It is envisioned that during a second phase the
resulting CWA will be converted into a recognised European Standard.
Discussions with CEN/TC224 as the relevant body are ongoing.
Because a number of other OSCIE related documents
already have a CWA status or are expecting one, the maintenance
of OSCIE for the near future is in this way reasonably assured.
Proof of Concept for OSCIE
To prove the validity of the OSCIE produced documentation
including the scaling capabilities for mass deployment two demonstrators
(eEpoch and Netc@rds) have been initiated. The eEpoch project, co-funded
by the European Commission DG INFSO IST programme, went live in
November 2002. It focuses on a detailed elaboration of the OSCIE
interoperability specifications and an intensive information exchange
on the results of implementation under construction at 7 sites for
applications incorporating use of identification, authentication
and digital signature (IAS) as well as from its university led Action
Research Program. eEpoch will not only demonstrate but also be the
nucleus for the national roll-outs of eGovernment cards in a number
of Member States. By doing so eEpoch sites will be carrying the
torch for OSCIE.
The Netc@rds project aims to replace the European
health insurance entitlement paper-form (E111, E128) by electronic
forms stored in a health insurance smart card or downloaded from
a server. Netc@rds is co-funded by the European Commission DG INFSO
e-TEN programme. Phase A on “Preparation of the Business Plan
and Market Validation” will be completed in 2003. Initial
deployment will be conducted in Phase B during 2004-5.
OSCIE as endorsed by the final eESC Open Steering
Committee Meeting (Brussels, December 2002) identified some specific
issues and in certain cases proposed detailed recommendations some
of which are highlighted in this brief summary. Not all of these
have received unanimous support and if so this is clearly indicated.
Key OSCIE Outputs
||unanimous set of integrated specifications
describing the eESC recommendations for pan-European interoperable
implementations of identification, authentication and electronic
signature functionalities and technologies.
||unanimous set of clear international
agreements (recognized by Common Criteria Board) for security
certifications and mutual recognition of smart card protection
profiles and system evaluations
||current context and recommended
business model and technology provisions required for multi-party
multi-application smart cards (contact and contactless)
||a Best Practices Manual containing a wide ranging
set of recommendations on User requirements for system interfaces,
responses, transaction timing, icons, animations, secure access
to card data / final content and card information roll-back
facilities according to card personalization rules to ensure
privacy and trust.
Other Identified Issues and areas of required additional
||Legal (Vol.1 Part 2-1a): there is
no legal framework in Europe to govern the 'coming together'
of multiple functions in one multi-party multi-application card.
Legal limitation of liability in this situation could be the
way to improve the business cases.
||eGovernment (Vol.1 Part 1-2): A
large programme to encourage enterprises in all members states
to use smart cards to authenticate and e-sign over internet
B2A applications is strongly recommended to facilitate management
of the enterprises and secure the relationships between them
and the administrations.
||Standards: differences between EMV
and ISO/IEC 7816 although not great, means that card and product
certification will be blocked when the item to be certified
conforms to one spec or standard, and the scheme mandates conformance
with the other spec or standard.
||e-€uro (Vol. 1 Part 2-1b): business model
investigation and genuine impact assessment is required and
is planned to be conducted by TB5 to ensure the eEuro concept
is not hampered by the knee-jerk “no-business case”
reasoning in particular now that the first ePurse schemes are
beginning to demonstrate profitability.
||Transport 1 (Vol.1 Part 3-1): The EU must support
strongly the deployment of multi-party multi-application smart
cards for eGovernmental e-applications combined with the T(Transport)-Smart
Card for passenger transport systems in all European urban areas.
||Transport 2 (Vol.1 Part 3-1) The Global Interoperability
Framework (GIF) for pan- European interoperability has been
focused on the functionality of end user identification, authentication
and digital signature. These results are not applicable in general
for transport - interoperability in transport covers more issues.
Relevance to eEurope2005 and FP6
Other possible activities envisioned by the eESC
participants in the context of FP6 and eEurope2005 include encouraging
spin off from and assessment of influence on competitiveness, e-services
implementation, socio-economic impact, and emerging pervasive networked
|| identify, establish, monitor and
apply citizen centric and business metrics for the smart cards
value add in the implementation of the user friendly information
society and industry competitiveness
||improve the socio-economic impact
of smart card based technology on citizen’s life
||apply knowledge management and business
models approaches to business case development
||build on results of proposals such as RESET
(Smart card technology roadmaps) and RAPID (Privacy and electronic
identity) to focus on the future generation of technologies
in which computers and networks will be integrated into the
everyday environment, rendering accessible a multitude of services
and applications through easy-to-use human interfaces.
||build on the extensive range of practical e-services
and realistic combinations of multi-applications which can be
mounted on transport cards and/or city cards to deliver applications
that provide benefit to citizens and demonstratively improve
their quality of life.
The eEurope2005 collaboration in smart cards
will be determined at the final eESC Public Seminar in Athens, 5-6
June 2003. Discussions are currently underway in each of the Trailblazers
and in the other forums (IST eEpoch. eTEN Netc@rds, Porvoo Group
of Member State Government bodies active in national electronic
The main future focus emerging from the December 2002 Open Steering
Committee Meeting is to step from removing the barriers to actual
support and R&D for mass deployment and practical usage. In
a certain sense it is agreed that paper work is the easy part …
the challenges of implementation and deployment must be met or else
the work has not been successful. eEpoch and Netc@ards are there
but more implementation programs are needed especially in the domain
of future coordination mechanisms similar to the Smart Card Charter.
A Draft Mission for a continuation program eESC2
has been proposed.
“Stimulate mass deployment of smart cards
in Europe and promote the use of smart cards by European Citizens
and organizations by contributing to the realization of a pan-European
Open Smart Card interoperable infrastructure which demonstratively
meets the requirements for trust, convenience and security and
where practicable conforms to international standardization”.
The eESC achievements and proposed new goals/mission
as described above are directly in line with key objectives identified
in the eEurope 2005 program and FP6 documentation e.g.
|extend the scope and efficiency
of IST-based solutions addressing major society and economic
challenges posed by the “all-digital” world and
by the need to secure the rights of individuals and communities
(ref. 1.1.2i Information Society Technology: Applied IST research
addressing major societal and economic challenges)
| improve usability of IST applications and services
and access to the knowledge they embody in order to encourage
their wider adoption and faster deployment (ref. 1.1.2iv Information
Society Technology: Knowledge and interface technologies)
|provide comparative perspectives across Europe
and thus provide an improved basis for the formulation and implementation
of transition strategies towards a knowledge society at the
national and regional levels (ref 1.1.7i Citizens and Governance
in a Knowledge-based Society: knowledge-based society and social
It is a permanent and challenging task for
the whole of the Smart Card Charter community and interested parties
to keep the network alive and in function to address in a cooperative
and coordinated way the challenges of both R&D and deployment
in the smart card domain. The common theme and objective is to secure
benefits and access to the information society for all European