Onderstaande eisen zijn een selectie van de eisen in ETSI TS 119 461 v1.1.1. De eisen zijn integraal overgenomen uit de norm en derhalve in de Engelse taal. De niet genoemde hoofdstukken en eisen worden reeds ingevuld door bestaande eisen in het Afsprakenstelsel. Zie Eisen Identificatie op Afstand niet van toepassing.

De bovenste rij in de tabellen bevat het hoofdstuk, de paragraaf en/of subparagraaf. De eerste kolom bevat de eisen. De tweede kolom bevat een toelichting op, of voorbeeld bij de eisen in de eerste kolom.

In de eisen dienen de woorden "shall", "shall not", "should", "should not", "may", "need not", "can" en "cannot" te worden geïnterpreteerd zoals beschreven in clause 3.2 van ETSI Drafting Rules.

  • SHALL: een absolute vereiste
  • SHALL NOT: een absoluut verbod
  • SHOULD: sterke wens, tenzij er valide reden is in specifiek geval af te wijken
  • SHOULD NOT: ongewenst, tenzij er valide reden is om het in specifiek geval toe te laten
  • MAY: een vrije keuze, een optie
  • NEED NOT: niet verplicht
  • CAN: mogelijkheid
  • CANNOT: onmogelijkheid

Terms ETSI TS 119 461 v1.1.1

Definitie van de termen die gehanteerd worden in de norm. De termen zijn integraal overgenomen uit de norm en derhalve in de Engelse taal.

  • applicant: person (legal or natural) whose identity is to be proven
  • authoritative evidence: evidence that holds identifying attribute(s) that are managed by an authoritative source
  • authoritative source: any source irrespective of its form that can be relied upon to provide accurate data, information and/or evidence that can be used to prove identity
  • (identity) attribute: quality or characteristic ascribed to a person
  • baseline LoIP: Level of Identity Proofing (LoIP) reaching a high level of confidence based on the fulfilment of general good practice requirements for the identity proofing process and considered suitable for the trust services policies currently defined by ETSI standards 
  • binding to applicant: part of an identity proofing process that verifies that the applicant is the person identified by the presented evidence 
  • digital identity document: identity document that is issued in a machine-processable form, that is digitally signed by the issuer, and that is in purely digital form
  • electronic identification means (eID means): material and/or immaterial unit containing person identification data and which is used for authentication for an online service
  • eID scheme: governance model and technical specifications allowing interoperability between eID means from different eID providers
  • (identity) evidence: information or documentation provided by the applicant or obtained from other sources, trusted to prove that claimed identity attributes are correct
  • False Acceptance Rate (FAR): proportion of verification transactions with false biometric claims erroneously accepted
  • False Rejection Rate (FRR): proportion of verification transactions with true biometric claims erroneously rejected
  • identity: attribute or set of attributes that uniquely identify a person within a given context
  • identity document: physical or digital document issued by an authoritative source and attesting to the applicant's identity
  • identity proofing context: external requirements affecting the identity proofing process, given by the purpose of the identity proofing, the related regulatory requirements, and the resulting restrictions on the selection of attributes and evidence and on the identity proofing process itself
  • identity proofing (process): process by which the identity of an applicant is verified by the use of evidence attesting to the required identity attributes
  • identity proofing policy: set of rules that indicates the applicability of an identity proofing service to a particular community and/or class of application with common security requirements
  • legitimate evidence holder: person for whom the evidence is issued
  • Level of Identity Proofing (LoIP): confidence achieved in the identity proofing
  • liveness detection: measurement and analysis of anatomical characteristics or involuntary or voluntary reactions, to determine if a biometric sample is being captured from a living subject present at the point of capture
  • physical identity document: identity document issued in physical and human-readable form
  • physical presence: identity proofing where the applicant is required to be physically present at the location of the identity proofing
  • presentation attack: presentation to the biometric data capture subsystem with the goal of interfering with the operation of the biometric system
  • Presentation Attack Detection (PAD): automated determination of a presentation attack
  • proof of access: any source irrespective of its form that can be trusted for reliable data, information and/or evidence that can be used in an identity proofing process, provided that the applicant is able to demonstrate access to the source
  • pseudonym: fictitious identity that a person assumes for a particular purpose, which differs from their original or true identity
  • remote identity proofing: identity proofing process where the applicant is physically distant from the location of the identity proofing
  • subject: legal or natural person that is enrolled to a trust service
  • subscriber: legal or natural person bound by an agreement with a trust service provider to any subscriber obligations
  • supplementary evidence: evidence that is used in addition to authoritative evidence to strengthen the reliability of the identity proofing and/or as evidence for attributes that are not evidenced by the authoritative evidence
  • trusted register: public register, database, or other source that is trusted for the conveyance of identity attributes in the identity proofing context
  • trust service component: one part of the overall service of a TSP
  • validation: part of an identity proofing process that determines whether or not attributes are validated by the presented evidence and whether or not the evidence is genuine, authoritative, and valid
hoofdstuk / paragraaf / normtoelichting ETSItoelichting eTD
8 Identity proofing service requirements
8.2 Attribute and evidence collection
8.2.3 Use of physical and digital identity documents as evidence

[CONDITONAL] If physical and/or digital identity documents are used as evidence, the requirements in the present clause apply.
Met een fysiek document wordt hier bedoeld het uitlezen van de ‘Visual Inspection Zone’ (VIZ). Dat is te beschouwen als het voor mensen gemakkelijk leesbare gedeelte van het identiteitsbewijs. Met digitaal wordt hier bedoeld het uitlezen van de chip en/of de ‘Machine Readable Zone’ (MRZ).
COL-8.2.3-01: An identity document used as evidence may be in physical or digital form.

NOTE 1: A physical or digital identity document as defined in the present document will usually represent a natural person only. Identity documents that evidence that a natural person represents a legal person can be envisaged but cannot be assumed to be generally available.

De term 'legal person' is in deze context niet relevant voor de Nederlandse situatie.

De term 'present document' dient gelezen te worden als het bron document, oftewel de ETSI TS 119 461 standaard v1.1.1.

COL-8.2.3-02: The document used as authoritative evidence shall contain a face photo and/or other information that can be compared with the applicant's physical appearance.

NOTE 2: Required for verification against the applicant's physical appearance for binding to applicant. The binding is by biometric technology or by manual verification, or a combination of the two, see clause 8.4 of the present document.

NOTE 3: This does not exclude the use of supplementary documents without a face photo or similar information.

NOTE 4: The present document only specifies requirements for binding to applicant using face biometrics and/or manual face verification. Requirement COL-8.2.3-02 does not exclude the possibility of using other biometrics, e.g. fingerprint or iris, but the present document does not specify requirements for such use cases. 

Sommige identiteitsdocumenten bevatten alleen een foto en verder geen andere details m.b.t. de fysieke kenmerken van de houder. Overige informatie over de uiterlijke kenmerken op het identiteitsdocument is voor ETD/eHerkenning geen vereiste.
COL-8.2.3-03: For each identity proofing context supported, a list of the identity documents that are accepted shall be documented and published.EXAMPLE: The list can consist of document types, e.g. all passports, or named documents, e.g. passports and national identity cards from specific countries.

Voor ETD/eHerkenning is de eis alleen van toepassing op identificatie op afstand en worden alleen paspoorten en nationale identiteitskaarten, zoals vermeld bij PRADO, geaccepteerd.

PRADO is beschikbaar op de volgende locatie: https://www.consilium.europa.eu/prado/nl

[CONDITIONAL] COL-8.2.3-04: If physical identity documents are used as evidence, only passports, national identity cards and other official identity documents that according to the identity proofing context offer comparable reliability of the identity shall be accepted; where the judgement on comparable reliability shall be based on an assessment of the security features and issuance process of the other identity document towards the security features and issuance process of passport and/or identity card.

NOTE 5: The comparable reliability of other identity documents can be based on a comparison of protection against known threats.

NOTE 6: Some countries issue national identity cards or have valid national identity cards that are below current practice in the security of national identity documents. Identity proofing context requirements can be to not accept such national identity cards.

Voor ETD/eHerkenning is de eis alleen van toepassing op identificatie op afstand en worden alleen paspoorten en nationale identiteitskaarten, zoals vermeld bij PRADO, geaccepteerd.
[CONDITIONAL] COL-8.2.3-05: If physical identity documents are used as evidence, the documents shall be presented in their original form.NOTE 7: Meaning the applicant is required to present the original in the identity proofing process to evidence proof of possession of the identity document; the identity proofing process can subsequently capture another representation of the document, e.g. by a video sequence, photo, or scan.
[CONDITIONAL] COL-8.2.3-06: If digital identity documents are used as evidence, only eMRTD digital identity documents according to ICAO 9303 part 10 [2] and other digital documents that according to the identity proofing context offer comparable reliability of the identity shall be accepted; where the judgement on comparable reliability shall be based on an assessment of the security features and issuance process of the other identity document towards the security features and issuance process required by ICAO 9303 part 10.NOTE 8: The comparable reliability of other identity documents can be based on a comparison of protection against known threats.

Voor ETD/eHerkenning wordt eMRTD alleen geaccepteerd als de data uit de chip gevalideerd kan worden door een controle van de digitale handtekening van het betreffende land. Een gevolg hiervan is, onder meer, dat een rijbewijs niet kan worden geaccepteerd voor identificatie op afstand.

Zie ook eis 8.3.2-02 NOTE 2.

ICAO 9303 is beschikbaar op de volgende locatie: https://www.icao.int/publications/pages/publication.aspx?docnum=9303

ICAO 9303 definities:

MRTD = Machine Readable Travel Document
Official document, conforming with the specifications contained in Doc 9303, issued by a State or organization which is used by the holder for international travel (e.g. MRP, MRV, MROTD) and which contains mandatory visual (eye readable) data and a separate mandatory data summary in a format which is capable of being read by machine.

eMRTD = Electronic Machine Readable Travel Document

An MRTD (passport, visa or card) that has a contactless integrated circuit embedded in it and the capability of being used for biometric identification of the MRTD holder in accordance with the standards specified in the relevant Part of Doc 9303 — Machine Readable Travel Documents.

8.3 Attribute and evidence validation
8.3.1 General requirements

VAL-8.3.1-08: The identity proofing process shall verify that the evidence is genuine and presented in its original form.NOTE 1: An evidence of a type that actually exists, and that is not counterfeit, has not been tampered with and, where applicable, is not a copy of the original.
VAL-8.3.1-09: The authenticity and integrity of the evidence shall be verified.

[CONDITIONAL] VAL-8.3.1-10: If the evidence has explicit security features/elements, these elements shall be verified.NOTE 2: This need not be all security elements of, e.g. a physical identity document. A selection of elements sufficient for assessing that the evidence is genuine can be applied.Deze eis geldt zowel voor fysieke identificatie, als identificatie op afstand. Het uitgangspunt is dat, onafhankelijk van de gebruikte identificatiemethode, alle veiligheidskenmerken van het identiteitsdocument de gecontroleerd zouden moeten worden. De Toetreder dient dit middels een analyse van de risico's, gecombineerd met de mogelijkheden die de identificatiemethode biedt, toe te lichten.
8.3.2 Validation of digital identity document
[CONDITONAL] If digital identity documents are used as evidence, the requirements in the present clause apply.
Met digitaal wordt hier bedoeld het uitlezen van de chip en/of de ‘Machine Readable Zone’ (MRZ).
[CONDITIONAL] VAL-8.3.2-01: If the digital identity document is used in a remote identity proofing process, the data from the identity document shall be transferred to an environment controlled by the actor responsible for the identity proofing process in a manner that ensures authenticity, integrity, and confidentiality of the document content.

VAL-8.3.2-02: The digital identity document shall only be accepted if the issuer's digital signature on the document is successfully validated

NOTE 1: Usually this means that the validation result is TOTAL-PASSED as defined by ETSI EN 319 102-1 [i.5].

NOTE 2: For an eMRTD document following ICAO 9303 part 10 [2], country signing certificates, e.g. downloaded from the ICAO PKD (Public Key Database), are needed for validation.

Bij NOTE 1: ETSI EN 319 102-1 is beschikbaar op de volgende locatie: https://www.etsi.org/deliver/etsi_en/319100_319199/31910201/01.01.01_60/en_31910201v010101p.pdf

[CONDITIONAL] VAL-8.3.2-03: If an online status service to confirm the document's validity exists and is practically available, the process shall use this service to verify that the document is currently valid.

NOTE 3: Meaning not revoked, suspended, or reported as lost/stolen. Not all document issuers have available lookup services to check validity, and in some cases access to lookup services is restricted. Regarding current validity, note that there can be a delay in the order of days between the events of revoking a document and updating a status service.

NOTE 4: If digital identity documents from many different sources are accepted, online access (interactive or by API) to all the different status services can be impractical for documents that occur infrequently.

Voor ETD/eHerkenning wordt deze eis ingevuld middels een gestolen/vermist-controle vanaf betrouwbaarheidsniveau LoA3.

[CONDITIONAL] VAL-8.3.2-04: If the digital identity document is required to be read from a chip embedded in a physical identity document, the identity proofing process shall ensure that neither the applicant nor an external attacker can inject into the process a copy of a digital identity document that has previously been obtained and stored by the attacker.

NOTE 5: Fulfilment of this requirement can depend on the protocol supported by the chip; reliable fulfilment can be difficult if the chip does not support a protocol that supports cloning detection.

NOTE 6: Fulfilment of this requirement can rely on the applicant's use of software that is approved for the identity proofing process, e.g. mobile app functionality.


VAL-8.3.2-05: Information obtained from the digital identity document shall be recorded as needed for binding to applicant and to evidence the identity proofing process.NOTE 7: In addition to identity attributes, required information to be recorded is typically at least issuer, validity period, and the document's unique identification number.Bij NOTE 7: voor ETD/eHerkenning wordt 'issuer' geïnterpreteerd als het land van uitgifte van het WID. De ICAO-standaard haalt voor de landcodes de standaard ISO 3166-1 aan.
VAL-8.3.2-06: The face photo contained in the digital identity document shall be extracted to enable binding to applicant.

8.3.3 Validation of physical identity document
[CONDITONAL] If a physical identity document is used as evidence, the requirements in the present clause apply.NOTE 1: A physical identity document can be used with the applicant's physical presence and remotely by the applicant presenting the document in front of a camera.
VAL-8.3.3-01: The process shall verify that the physical identity document presented is visually equal to the expected visual appearance of the document type.

[CONDITONAL] VAL-8.3.3-02: If a physical identity document is used as evidence in a remote validation process, the process shall ensure that the applicant has the document in hand and presents the document in real-time in front of a camera.

NOTE 2: It is required that this happens at the time of the identity proofing; submission of a pre-recorded photo or video stream of an identity document is considered not to meet the requirements for identity proofing to Baseline LoIP.

NOTE 3: This can rely on the applicant's use of software approved for the identity proofing process, e.g. mobile app functionality.

Remote validation is in deze context het op afstand beoordelen van de echtheid van het fysieke identiteitsdocument. Zie ook de definitie van validation.
VAL-8.3.3-03: The process shall ensure that the document presented by the applicant is a genuine, physical identity document that is not counterfeited or falsified/modified.

[CONDITIONAL] VAL-8.3.3-04: If the physical identity document is used in a remote identity proofing process, the applicant's presentation of the identity document in front of a camera shall include recording of a video sequence to visualize the physical characteristics of the identity document and its security features. The recording shall cover each relevant side of the identity document presented by the applicant.

EXAMPLE 1: The applicant can be given instructions for the movement of the identity document, where the specific actions and/or their sequence are unpredictable to the applicant.

NOTE 4: With the current state of technology, the use of a still photo of the identity document is not considered sufficient for Baseline LoIP. This can change in the future with the development of image analysis technology.

EXAMPLE 2: Both the front and back sides of a national identity card will usually need to be presented.


[CONDITIONAL] VAL-8.3.3-05: If the physical identity document is used in a remote identity proofing process, the process shall ensure that the video stream is transmitted to an environment controlled by the actor responsible for the identity proofing process in a manner that ensures authenticity, integrity, and confidentiality of the video stream.NOTE 5: In particular, to protect against replay attack with the injection of another video stream in the process.
[CONDITONAL] VAL-8.3.3-06: If the process is performed with manual validation of the physical identity document, the registration officer shall have access to authoritative sources of information on document appearance and document validation.EXAMPLE 3: PRADO (Public Register of Authentic Travel and Identity Documents Online) for the EU and the EEA countries.

Bij EXAMPLE 3: PRADO is beschikbaar op de volgende locatie: https://www.consilium.europa.eu/prado/nl

VAL-8.3.3-07: Security elements of physical identity documents shall be verified to the extent needed to obtain sufficient reliability in the genuineness of the document; the verification process shall be documented.EXAMPLE 4: Security elements can be watermarks, holograms, printing techniques, visual and infrared light patterns, and see-through elements.
[CONDITONAL] VAL-8.3.3-08: If the process is performed with the physical presentation of physical identity documents, the registration officer shall verify optical and haptic/tactile security features if any.

[CONDITIONAL] VAL-8.3.3-09: If an online status service to confirm the physical identity document's validity exists and is practically available, the process shall use this service to verify that the document is currently valid.

NOTE 6: Meaning not revoked, suspended, or reported as lost/stolen. Not all document issuers have available lookup services to check validity, and in some cases access to lookup services is restricted. Regarding current validity, note that there can be a delay in the order of days between the events of revoking a document and updating a status service.

NOTE 7: If physical identity documents from many different sources are accepted, online access (interactive or by API) to all the different status services can be impractical for documents that occur infrequently.


VAL-8.3.3-10: Information printed on physical identity documents shall be recorded as needed for binding to applicant and to evidence the identity proofing process.

NOTE 8: Information can be extracted by manual transcription, automatically for example by optical scanning and OCR techniques, and in some cases by photo/photocopy of the document.

NOTE 9: In addition to identity attributes, required information to be recorded is typically at least issuer, validity period, and the document's unique identification number.


[CONDITONAL] VAL-8.3.3-11: If face biometrics is applied to bind the physical identity identity document to the applicant, the face photo printed on the identity document shall be extracted.

[CONDITONAL] VAL-8.3.3-12: If the physical identity document is used in a remote identity proofing process, and the identity document has an MRZ (machine readable zone), the information from the MRZ should be extracted and validated.

[CONDITONAL] VAL-8.3.3-13: If the physical identity document is validated by manual procedures, the validation task should be assigned randomly among available registration officers.  

[CONDITONAL] VAL-8.3.3-14: If validation of physical identity documents is done manually, the validation shall be carried out by a registration officer that has received appropriate training covering at least the following:
a) Fraud prevention and detection of forgery.
b) Data protection.
c) Communication training (when the registration officer is required to communicate with the applicant).
d) Training on software and equipment used.
e) Training on verification of documents and their security elements.


[CONDITONAL] VAL-8.3.3-15: If validation of physical identity documents is done manually, the training of the registration officers shall be repeated or refreshed at least annually.

[CONDITONAL] VAL-8.3.3-16: If validation of physical identity documents is done manually, and the process is performed with the physical presentation of the document, the registration officer should have available tools to enhance the reliability of the validation.EXAMPLE 5: Magnifying glass and an ultraviolet lamp.
[CONDITONAL] VAL-8.3.3-17: If validation of physical identity documents is done manually, and the document is used in a remote identity proofing process, the registration officer shall have available tools to enhance the reliability of the validation.  EXAMPLE 6: Computerized tool to zoom in on details of the document.
VAL-8.3.3-18: Automated means and machine-learning technology should be used to analyse the characteristics of physical identity documents against their expected appearance, including analysis of security elements of documents and potential manipulation of documents.

NOTE 10: This requirement implies that a purely manual process for validating a physical identity document is allowed both for physical presence and for remote identity proofing. However, the use of (additional) automated means is recommended.

NOTE 11: The document type, e.g. a passport of a specific country, can be an input parameter to the analysis, or the analysis can determine the type by automated means.

NOTE 12: Automated and manual analysis can be used in combination, e.g. with fall-back to manual analysis if the automated process yields an uncertain result, or by using automated analysis as a tool for a human registration officer.


[CONDITONAL] VAL-8.3.3-19: If automated means and machine-learning technology are used to analyse physical identity documents, the video stream recorded according to requirement VAL-8.3.3.-04 shall be of sufficient quality for the analysis.

[CONDITONAL] VAL-8.3.3-20: If automated means and machine-learning technology are used to analyse physical identity documents, the algorithms and technology shall be systematically tested against reference datasets and be kept updated to cope with changes in the threats and risk situation.

8.4 Binding to applicant
8.4.1 General requirements

BIN-8.4.1-01: The identity proofing process shall verify that the applicant is the legitimate evidence holder.

BIN-8.4.1-02: The identity proofing process shall verify that the evidence is in the possession of the applicant.

NOTE 1: For the evidence types existing eID means and existing digital signature means, no specific binding requirements are needed since the validation of the evidence also verifies the binding. This is under the assumption that only the applicant can use the eID means or digital signature means.

NOTE 2: For the supplementary evidence types trusted register, proof of access, and documents and attestations, no specific binding requirements are needed. If the binding of the authoritative evidence (identity document, eID means, or digital signature means) to the applicant is successful, and the supplementary evidence is validated and identifies the same person, the supplementary evidence is considered bound to the applicant.

Bij NOTE 1: 'existing eID means' is voor ETD/eHerkenning niet van toepassing in relatie tot identificatie op afstand.
8.4.2 Capture of face image of the applicant
[CONDITONAL] If the applicant is a natural person, and an identity document is used as evidence, and the identity proofing process is carried out remotely, the following requirements apply.

BIN-8.4.2-01: A video stream of the applicant's face shall be captured.NOTE 1: The video stream and images extracted from the stream can be used for binding to applicant by both face biometrics and manual means.
BIN-8.4.2-02: The video capture process shall apply liveness detection measures to ensure that the video stream is of a live person present in front of the camera at the time of the identity proofing.NOTE 2: It is required that this happens at the time of the identity proofing; submission of a pre-recorded video stream is considered not to meet the requirements for identity proofing to Baseline LoIP. A part of liveness detection can be instructing the applicant to perform certain actions, where the specific actions or their sequence are unpredictable to the applicant.
BIN-8.4.2-03: The video stream capture should apply measures to detect artificially generated or manipulated face appearance.NOTE 3: Such attacks are sometimes termed "deep fake" attacks.
[CONDITIONAL] BIN-8.4.2-04: If the video stream is captured on the applicant's device, the identity proofing process shall ensure that the video stream is transmitted to an environment controlled by the actor responsible for the identity proofing process in a manner that ensures authenticity, integrity, and confidentiality of the video stream.

NOTE 4: In particular to protect against replay attack with an injection of another video stream in the process.

NOTE 5: This can rely on the applicant's use of software approved for the identity proofing process, e.g. mobile app functionality.


[CONDITIONAL] BIN-8.4.2-05: If face biometrics is used for binding to applicant, at least one image of sufficient quality for binding to applicant shall be extracted from the video stream.

BIN-8.4.2-06: The video stream capture shall apply PAD measures in compliance with ISO/IEC 30107-3 [3].

BIN-8.4.2-07: The PAD should be evaluated according to ISO/IEC 19989-3 [i.18].NOTE 6: ISO/IEC 19989-3 [i.18] specifies security evaluation of PAD applying Common Criteria (ISO/IEC 15408 [i.24]).

Presentation Attack Detection (PAD): automated determination of a presentation attack

BIN-8.4.2-08: Test results for the PAD shall achieve an APCER (attack presentation classification error rate) as defined by ISO/IEC 30107-3 [3] at the level of industry best practice.NOTE 7: No specific number is specified for the APCER. Rapid technology improvement can lead to significant progress in industry best practice APCER performance even in the short term.

APCER = attack presentation classification error rate
proportion of attack presentations using the same PAI species incorrectly classified as bona fide presentations in a specific scenario

Bron: ISO30107-3: Information technology — Biometric presentation attack detection — Part 3: Testing and reporting, paragraaf 3.2.1

BIN-8.4.2-09: Test results for the PAD should achieve BPCER (bona fide presentation classification error rate) as defined by ISO/IEC 30107-3 [3] at the level of industry best practice.NOTE 8: The BPCER has no impact on security but on user-friendliness.

BPCER = bona fide presentation classification error rate
proportion of bona fide presentations incorrectly classified as presentation attacks in a specific scenario

Bron: ISO30107-3: Information technology — Biometric presentation attack detection — Part 3: Testing and reporting, paragraaf 3.2.2

Dit is een kwaliteitsnorm voor gebruikersvriendelijkheid. De toetreder dient via een risicoanalyse aan te tonen dat hierop zicht wordt gehouden.

BIN-8.4.2-10: The PAD measures and APCER and BPCER rates shall be kept up to date concerning advances in the threat landscape and available technology.

8.4.3 Binding to applicant by automated face biometrics
[CONDITONAL] If binding to applicant is by automated face biometrics, the following requirements apply:NOTE 1: Use of other biometric means than face biometrics is currently out of scope but can be a future possibility.
BIN-8.4.3-01 The process shall provide a reliable, automated comparison between the face image extracted from the identity document presented by the applicant and a face image captured according to the requirements of clause 8.4.2 of the present document.

BIN-8.4.3-02: Only data capture and preliminary data quality assessment shall be done in equipment controlled by the applicant.

BIN-8.4.3-03: Biometric signal processing, comparison, data storage, and decision SHALL be carried out in secure processing equipment. EXAMPLE 1: To protect against threats to the biometric system as described in clause 5.1 in ISO/IEC 30107-1 [i.16].
[CONDITONAL] BIN-8.4.3-04: If biometric face recognition is used with the physical presence of the applicant, properly secured equipment shall be used to read the identity document presented by the applicant and obtain a face image of the applicant.

[CONDITONAL] BIN-8.4.3-05: If biometric face recognition is used with the physical presence of the applicant, locally installed and properly secured equipment may be used for the biometric face recognition processing.EXAMPLE 2: For fulfilment of the two requirements above, a biometric kiosk as commonly used at passport offices, or equipment similar to that used for automated border control, can be used.
BIN-8.4.3-06: The biometric algorithms and technologies applied shall be systematically tested against reference datasets and kept updated to cope with changes in the threats and risk situation.  NOTE 2: See for example, clauses for face biometrics in ISO/IEC 19795-1 [i.17].
BIN-8.4.3-07: Test results for the biometric face recognition shall show a FAR (false acceptance rate) at the level of industry best practice.

NOTE 3: No specific number is specified for FAR. Rapid technology improvement can lead to significant progress in industry best practice FAR performance even in the short term.

NOTE 4: An example of industry best practice reference can be the one-to-one face matching results reported from the NIST Face Recognition Vendor Test.

ETSI 119 461 definities:

False Acceptance Rate (FAR)
proportion of verification transactions with false biometric claims erroneously accepted

NOTE: Source ISO/IEC 19795-1 [i.17].

BIN-8.4.3-08: Test results for the biometric face recognition should show a FRR (false rejection rate) at the level of industry best practice.NOTE 5: False rejection rate has no impact on security but on user-friendliness.

ETSI 119 461 definities:

False Rejection Rate (FRR)
proportion of verification transactions with true biometric claims erroneously rejected

NOTE: Source ISO/IEC 19795-1 [i.17].

De Toetreder dient via een risicoanalyse aan te tonen dat hierop zicht wordt gehouden.

BIN-8.4.3-09: The biometric face recognition may apply measures to detect morphed photos in identity documents.

NOTE 6: A morphed photo is created by merging the face photos of two or more different persons into one photo. Since some countries allow persons to bring their own photo for issuing a passport or national identity card, there is a risk that documents are issued with morphed photos. With a morphed photo, there is a risk that both/all the persons can be recognized both by a human registration officer and by face biometrics with a reliability above the applied threshold, meaning more than one person can use the identity document containing the morphed photo.

NOTE 7: Morphing detection means are best applied in the binding to applicant step of an identity proofing process when a new photo, known not to be morphed, of the applicant can be compared to the potentially morphed reference photo.

Het voorkomen van morphed foto's op het WID is een primaire taak van de uitgever van het WID.
8.4.4 Binding to applicant by manual face verification
[CONDITONAL] If manual binding of the applicant to an identity document is used, the following requirements apply:

BIN-8.4.4-01: The registration officer shall compare the face photo obtained from the applicant's identity document with the applicant's physical appearance, either from the applicant's the physical presence or from a video sequence.

BIN-8.4.4-02: The registration officer performing the binding to applicant shall receive training before being allowed to make any comparison, with training repeated or refreshed at least yearly.EXAMPLE 1: See the FISWG Minimum Training Criteria for Assessors Using Facial Recognition Systems [i.22] or for more extensive description the ENFSI Best Practice Manual for Facial Image Comparison [i.23], Appendix A.

Bij EXAMPLE 1:

BIN-8.4.4-03: The registration officer shall perform a morphological analysis according to a defined feature list. EXAMPLE 2: As recommended by the FISWG Facial Comparison Overview and Methodology Guidelines [i.20] and the corresponding checklist in [i.21].Bij EXAMPLE 2: De documenten waaraan gerefereerd wordt zijn beschikbaar op de volgende locatie: https://fiswg.org/documents.html
BIN-8.4.4-04: The registration officer shall be allowed to spend sufficient time for the face comparison. NOTE 1: In general, an assessment according to the FISWG Facial Comparison Overview and Methodology Guidelines [i.20] can be sufficient, while a review according to the same document can be required at least for remote identity proofing.
BIN-8.4.4-05: The registration officer shall have tools available to magnify images to view details. NOTE 2: With physical presence and physical identity document, this can be a magnifying glass for the face image printed on the document. If face images are used, computerized tools are assumed.
[CONDITIONAL] BIN-8.4.4-06: If binding to applicant is done by comparing face images or video sequences, the registration officer should use computerized tools in the face comparison.EXAMPLE 3: Tool for superimposition of images described by the FISWG Facial Comparison Overview and Methodology Guidelines [i.20].Bij EXAMPLE 3: De documenten waaraan gerefereerd wordt zijn beschikbaar op de volgende locatie: https://fiswg.org/documents.html
8.5 Issuing of proof
8.5.1 Result of the identity proofing

ISS-8.5.1-01: The result of the identity proofing shall be delivered securely to the trust service provider, regarding the authenticity, integrity, and confidentiality of the result. 

EXAMPLE 1: The result can be digitally signed and encrypted at the message level or be transmitted over a properly secured communication channel.

NOTE 1: The present document places no requirement on the format of the result of the identity proofing. Example formats can be a document (e.g. PDF), structured data (e.g. XML, JSON), or an identity assertion (e.g. OIDC, SAML).

NOTE 2: The result of the identity proofing process can convey the attributes that are verified and the LoIP, but can even be a simple 'success' or 'failure' statement meaning that identity attributes provided by the TSP at the start of the identity proofing process are verified (or not) against the applicant to the required LoIP.

NOTE 3: The present document makes no assumption on the attributes to convey, whether the applicant is a natural person, a legal person, or a natural person representing a legal person (roles or authorizations can be relevant in the latter case).

NOTE 4: The present document makes no assumptions on the information to convey for identity proofing processes that do not complete successfully.

Bij NOTE 2: voor ETD/eHerkenning kan de term TSP gelezen worden als middeluitgever (MU).

Bij NOTE 3: 'legal person' is in deze context niet relevant voor de Nederlandse situatie.

ISS-8.5.1-02: The result of the identity proofing process shall convey the LoIP achieved by the identity proofing process for the identity attributes required for the unique identification of the applicant in the identity proofing context. EXAMPLE 2: By referring to the Baseline LoIP defined by the present document.

Bij EXAMPLE 2: ETSI 119 461 definities:

baseline LoIP
Level of Identity Proofing (LoIP) reaching a high level of confidence based on the fulfilment of general good practice requirements for the identity proofing process and considered suitable for the trust services policies currently defined by ETSI standards

ISS-8.5.1-03: The result of the identity proofing process may convey LoIP separately for individual identity attributes that are not required for unique identification in the identity proofing context and where these LoIPs differ from the overall result of the identity proofing process.

8.5.2 Evidence of the identity proofing process
ISS-8.5.2-01: Evidence of the identity proofing process shall be gathered and retained in compliance with the identity proofing context.

NOTE 1: Evidence can be retained in digital or paper format.

NOTE 2: The need to retain evidence of identity proofing processes that did not complete successfully can be determined by the identity proofing context.

NOTE 3: Gathering and retention of evidence is required to comply with applicable data protection legislation, notably GDPR if the identity proofing process is carried out under the legislation of an EU Member State

De bewaartermijnen dienen conform AVG te worden vastgesteld.
ISS-8.5.2-02: The evidence of the identity proofing process shall document the identity evidence used in the identity proofing process and the issuer or source of that evidence.EXAMPLE 1: An identity document can be identified by the issuer name and document number, or by retaining a copy of the document, possibly in the form of a video sequence or image if a physical identity document is used. Retaining a copy can, depending on the identity proofing context, be required, allowed, or forbidden. 
ISS-8.5.2-03: The evidence of the identity proofing process should completely document the identity proofing process. EXAMPLE 2: Including video sequences used in a remote identity proofing process; however, retaining video sequences or images of a human applicant can, depending on the identity proofing context, be required, allowed, or forbidden.
ISS-8.5.2-04: Evidence of the identity proofing process shall be retained for the necessary retention time given by the identity proofing context.EXAMPLE 3: A typical requirement from a TSP is to retain evidence of the identity proofing process as long as the applicant remains a subject/subscriber of the TSP plus several of years after that time.

De bewaartermijnen dienen conform AVG te worden vastgesteld.

Bij EXAMPLE 3: voor ETD/eHerkenning kan de term TSP gelezen worden als middeluitgever (MU).

ISS-8.5.2-05: The evidence of the identity proofing process shall be stored in a tamper-proof way.

ISS-8.5.2-06: The evidence of the identity proofing process shall be stored in a way that guarantees the confidentiality of the information.

ISS-8.5.2-07: The evidence of the identity proofing process shall be stored in a way that ensures the possibility to search, retrieve, and re-verify the identity proofing result.NOTE 4: Offline storage or other means that will result in a prolonged response time are acceptable.
ISS-8.5.2-08: At the end of the retention time defined by ISS 8.5.2-04, the evidence of the identity proofing process and all personal data on the applicant shall be deleted.

  • No labels