7.2 Electrical personalization
Electrical personalization of PIV cards is performed in a manner that is compliant with SP800-73-1, SP800-76 and SP800-78-2. The following sections indicate which of the optional components are implemented and which of the valid forms of each data type are available through MyID. The tables are based on those in SP800-73-4.
Data objects written to containers carry the appropriate tag and length for every element in the object. The following table identifies the content currently supported by MyID, where the card itself supports it. (EP.3, EP.4, EP.6, EP.7, EP.9) Note that FIPS 201-2 and SP800-73-4 make the X.509 Certificate for Card Authentication and the Card Holder Facial Image mandatory; the M/O column below keeps the earlier optional classification for those two objects, so check the revision your issuer is being assessed against.
| Buffer Description | BER-TLV Tag | M/O | Supported by MyID |
|---|---|---|---|
| Card Capabilities Container | '5FC107' | M | Yes |
| Card Holder Unique Identifier | '5FC102' | M | Yes |
| X.509 Certificate for PIV Authentication (9A) | '5FC105' | M | Yes |
| Card Holder Fingerprints | '5FC103' | M | Yes |
| Printed Information | '5FC109' | O | Yes |
| Card Holder Facial Image | '5FC108' | O | Yes (EP.7) |
| X.509 Certificate for Digital Signature (9C) | '5FC10A' | O | Yes |
| X.509 Certificate for Key Management (9D) | '5FC10B' | O | Yes |
| X.509 Certificate for Card Authentication (9E) | '5FC101' | O | Yes |
| Security Object | '5FC106' | M | Yes |
| Discovery Object | '7E' | O | Yes |
| Key History Object | '5FC10C' | O | Yes |
| Retired X.509 Certificate for Key Management 1 (Key reference '82') | '5FC10D' | O | Yes |
| Retired X.509 Certificate for Key Management 2 (Key reference '83') | '5FC10E' | O | Yes |
| Retired X.509 Certificate for Key Management 3 (Key reference '84') | '5FC10F' | O | Yes |
| Retired X.509 Certificate for Key Management 4 (Key reference '85') | '5FC110' | O | Yes |
| Retired X.509 Certificate for Key Management 5 (Key reference '86') | '5FC111' | O | Yes |
| Retired X.509 Certificate for Key Management 6 (Key reference '87') | '5FC112' | O | Yes |
| Retired X.509 Certificate for Key Management 7 (Key reference '88') | '5FC113' | O | Yes |
| Retired X.509 Certificate for Key Management 8 (Key reference '89') | '5FC114' | O | Yes |
| Retired X.509 Certificate for Key Management 9 (Key reference '8A') | '5FC115' | O | Yes |
| Retired X.509 Certificate for Key Management 10 (Key reference '8B') | '5FC116' | O | Yes |
| Retired X.509 Certificate for Key Management 11 (Key reference '8C') | '5FC117' | O | Yes |
| Retired X.509 Certificate for Key Management 12 (Key reference '8D') | '5FC118' | O | Yes |
| Retired X.509 Certificate for Key Management 13 (Key reference '8E') | '5FC119' | O | Yes |
| Retired X.509 Certificate for Key Management 14 (Key reference '8F') | '5FC11A' | O | Yes |
| Retired X.509 Certificate for Key Management 15 (Key reference '90') | '5FC11B' | O | Yes |
| Retired X.509 Certificate for Key Management 16 (Key reference '91') | '5FC11C' | O | Yes |
| Retired X.509 Certificate for Key Management 17 (Key reference '92') | '5FC11D' | O | Yes |
| Retired X.509 Certificate for Key Management 18 (Key reference '93') | '5FC11E' | O | Yes |
| Retired X.509 Certificate for Key Management 19 (Key reference '94') | '5FC11F' | O | Yes |
| Retired X.509 Certificate for Key Management 20 (Key reference '95') | '5FC120' | O | Yes |
| Cardholder Iris Images | '5FC121' | O | Yes |
| Secure Messaging Certificate Signer | '5FC122' | O | Yes |
| Pairing Code Reference Data | '5FC123' | O | Yes |
7.2.1 CHUID
Card Holder Unique Identifier EP.12
The CHUID is written to the card in the TLV format defined in SP800-73, as follows:

| Data Element (TLV) | Tag | Type | Max. Bytes | Supported by MyID | Notes |
|---|---|---|---|---|---|
| Buffer Length (Optional) | 0xEE | Fixed | 2 | Yes | |
| FASC-N | 0x30 | Fixed Text | 25 | Yes | |
| Organization Identifier (Optional) | 0x32 | Fixed Text | 4 | Yes | |
| DUNS (Optional) | 0x33 | Fixed Numeric | 9 | Yes | |
| GUID | 0x34 | Fixed Numeric | 16 | Yes | |
| Expiration Date $ | 0x35 | Date (YYYYMMDD) EP.5 | 8 | Yes | EP.4 |
| Issuer Asymmetric Signature § | 0x3E | Variable | 2816 | Yes | |
| Error Detection Code | 0xFE | LRC | 0 | Yes | |

Notes:
$ The expiration date matches that of the card.
§ The signature is the issuer's CMS signature over the CHUID content that precedes it, created as defined in FIPS 201. A relying party that reads the CHUID must verify this signature against a trusted issuer certificate; the TLV structure itself carries no integrity protection beyond the empty Error Detection Code element.
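The table above describes the element layout; the following is an added example (not MyID code, and not a real credential) of how a relying party would decode that layout and apply the basic structural checks before attempting signature verification. It assumes the card returns the container wrapped in a 0x53 data object, as SP800-73 specifies for GET DATA, and builds a constructed CHUID with an all-zero FASC-N, an all-zero GUID and a 256-byte placeholder where a real card carries the CMS signature. The same BER-TLV walker applies to every other container in this section; only the tag-to-name table changes.

```python
"""Decode SP 800-73 BER-TLV containers and sanity-check a CHUID (added example)."""
from datetime import date


def ber_tlv_iter(buf):
    """Yield (tag, value) pairs from a BER-TLV byte string.

    Tags are one byte (0x30) or multi-byte (0x5FC102: a first byte with its low
    five bits set, then continuation bytes while bit 7 is set). Lengths use the
    definite form: 0x00-0x7F directly, otherwise 0x8n followed by n length bytes.
    """
    i, n = 0, len(buf)
    while i < n:
        tag = buf[i]
        i += 1
        if tag & 0x1F == 0x1F:
            while True:
                b = buf[i]
                i += 1
                tag = (tag << 8) | b
                if not b & 0x80:
                    break
        length = buf[i]
        i += 1
        if length & 0x80:
            nbytes = length & 0x7F
            if not 1 <= nbytes <= 4:
                raise ValueError(f"unsupported length encoding 0x{length:02X}")
            length = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        if i + length > n:
            raise ValueError("TLV length runs past the end of the buffer")
        yield tag, buf[i:i + length]
        i += length


# CHUID element tags, as listed in the table above
CHUID_TAGS = {
    0xEE: "buffer_length", 0x30: "fasc_n", 0x32: "org_id", 0x33: "duns",
    0x34: "guid", 0x35: "expiration", 0x3E: "issuer_signature", 0xFE: "edc",
}


def parse_chuid(get_data_response):
    """Unwrap the 0x53 data object returned by GET DATA and split the CHUID elements."""
    outer = list(ber_tlv_iter(get_data_response))
    if len(outer) != 1 or outer[0][0] != 0x53:
        raise ValueError("expected exactly one 0x53 data object")
    fields = {}
    for tag, value in ber_tlv_iter(outer[0][1]):
        fields[CHUID_TAGS.get(tag, f"unknown_{tag:02X}")] = value
    return fields


def check_chuid(fields, today):
    """Return a list of structural problems. today is 'YYYYMMDD', so it compares
    directly with the expiration element; signature verification is out of scope."""
    problems = []
    if len(fields.get("fasc_n", b"")) != 25:
        problems.append("FASC-N missing or not 25 bytes")
    if len(fields.get("guid", b"")) != 16:
        problems.append("GUID missing or not 16 bytes")
    exp = fields.get("expiration", b"")
    try:
        if len(exp) != 8 or not exp.isdigit():
            raise ValueError
        date(int(exp[:4]), int(exp[4:6]), int(exp[6:]))  # rejects e.g. month 13
    except ValueError:
        problems.append("expiration missing or not a valid YYYYMMDD date")
    else:
        if exp.decode() < today:
            problems.append(f"CHUID expired on {exp.decode()}")
    if "issuer_signature" not in fields:
        problems.append("issuer asymmetric signature missing")
    if "edc" not in fields:
        problems.append("error detection code missing")
    return problems


def tlv(tag, value):
    """Encode a single-byte tag with a definite-form BER length (for the sample)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82]) + n.to_bytes(2, "big")
    return bytes([tag]) + length + value


def build_sample_chuid():
    """Constructed sample, not a real credential: zero FASC-N and GUID, and a
    256-byte placeholder where a real card carries the issuer's CMS signature."""
    body = (tlv(0x30, bytes(25)) + tlv(0x34, bytes(16)) + tlv(0x35, b"20281231")
            + tlv(0x3E, bytes(256)) + tlv(0xFE, b""))
    return tlv(0x53, body)


if __name__ == "__main__":
    chuid = parse_chuid(build_sample_chuid())
    print({k: len(v) for k, v in chuid.items()})
    print(check_chuid(chuid, "20260101") or "no structural problems")
```

The 256-byte placeholder signature forces the 0x82 two-byte length form, which is the case a hand-written reader most often gets wrong; a real CHUID signature is larger still (up to 2816 bytes per the table), so the walker must not assume single-byte lengths anywhere.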
7.2.2 CBEFF
Card Holder Fingerprints EP.6, EP.7, EP.14
Biometric data is written to the card in CBEFF format, comprising a CBEFF_HEADER, a STD_BIOMETRIC_RECORD and a CBEFF_SIGNATURE_BLOCK. Primary and secondary fingerprint template data are written in the form in which they are presented to MyID; it is therefore the responsibility of the enrollment system to ensure that they are in a compliant INCITS 378 format, since MyID does not validate the template contents. MyID performs the CBEFF wrapping needed to carry the two fingerprints as a single minutiae record on the PIV card.

| Data Element (TLV) | Tag | Type | Max. Bytes | Supported by MyID |
|---|---|---|---|---|
| Fingerprint 1 | 0xBC | Variable | 2000 | Yes |
| Fingerprint 2 | 0xBD | Variable | 2000 | Not used |
| Error Detection Code | 0xFE | LRC | 0 | Yes |

Note: Up to two fingerprint minutiae templates are combined into the Fingerprint 1 element, in accordance with SP800-73-1 (EP.6). The Fingerprint 2 element is not used.
7.2.3 CCC
Card Capabilities Container
| Data Element (TLV) | Tag | Type | Max. Bytes | Supported by MyID |
|---|---|---|---|---|
| Card Identifier | 0xF0 | Fixed | 21 | Yes |
| Capability Container version number | 0xF1 | Fixed | 1 | Yes |
| Capability Grammar version number | 0xF2 | Fixed | 1 | Yes |
| Applications CardURL | 0xF3 | Variable | 128 | Yes |
| PKCS#15 | 0xF4 | Fixed | 1 | Yes |
| Registered Data Model number | 0xF5 | Fixed | 1 | Yes |
| Access Control Rule Table | 0xF6 | Fixed | 17 | Yes |
| CARD APDUs | 0xF7 | Fixed | 0 | Yes |
| Redirection Tag | 0xFA | Fixed | 0 | Yes |
| Capability Tuples (CTs) | 0xFB | Fixed | 0 | Yes |
| Status Tuples (STs) | 0xFC | Fixed | 0 | Yes |
| Next CCC | 0xFD | Fixed | 0 | Yes |
| Extended Application CardURL (optional) | 0xE3 | Fixed | 48 | No |
| Security Object Buffer (optional) | 0xB4 | Fixed | 48 | No |
| Error Detection Code | 0xFE | LRC | 0 | Yes |
7.2.4 Certificate Containers
This layout applies to the following containers:
X.509 Certificate for PIV Authentication EP.13
X.509 Certificate for Digital Signature EP.19
X.509 Certificate for Key Management EP.20
X.509 Certificate for Card Authentication EP.21
For PIV-III compliant cards only: X.509 Certificate for Retired Key Management 1 to 20

| Data Element (TLV) | Tag | Type | Max. Bytes | Supported in MyID |
|---|---|---|---|---|
| Certificate | 0x70 | Variable | 2005 | Yes |
| CertInfo | 0x71 | Fixed | 1 | Yes |
| MSCUID (Optional) | 0x72 | Variable | 38 | No |
| Error Detection Code | 0xFE | LRC | 0 | Yes |

The CertInfo byte records whether the Certificate element is gzip-compressed, so a reader must consult it before attempting to parse the certificate as DER.
7.2.5 Printed Information
Printed Information EP.18
| Data Element (TLV) | Tag | Type | Max. Bytes | Supported in MyID |
|---|---|---|---|---|
| Name | 0x01 | Fixed Text | 32 | Yes |
| Employee Affiliation | 0x02 | Fixed Text | 20 | Yes |
| Expiration date | 0x04 | Fixed Text | 9 | Yes |
| Agency Card Serial Number | 0x05 | Fixed Text | 10 | Yes |
| Issuer Identification | 0x06 | Fixed Text | 15 | Yes |
| Error Detection Code | 0xFE | LRC | 0 | Yes |

The Employee Affiliation line 2 element was deprecated in SP800-73-3 and has therefore been removed from recent card formats.
7.2.6 Card Holder Facial Image
Capturing a facial biometric (an INCITS 385 face record) within MyID is supported. (EP.7, EP.17, EP.63)
Card Holder Facial Image
The card holder facial image is generated by a third-party image capture and processing library. This creates the image in JPEG2000 format with single region of interest (ROI) compression, compliant with SP800-76-1.
Only one such image may be written to each card.

| Data Element (TLV) | Tag | Type | Max. Bytes | Supported in MyID |
|---|---|---|---|---|
| Image for Visual Verification | 0xBC | Variable | 12704 | Yes |
| Error Detection Code | 0xFE | LRC | 0 | Yes |

Notes:
1. Only one image is stored in this container. (EP.7)
2. The internal format of the facial biometric depends on the IDMS sending the data to the CMS. When MyID itself captures facial images, this will usually be JPEG2000 with ROI compression. (EP.63)
7.2.7 Security Object
Security Object EP.15
| Data Element (TLV) | Tag | Type | Max. Bytes | Supported in MyID |
|---|---|---|---|---|
| Mapping of DG to ContainerID | 0xBA | Variable | 100 | Yes |
| Security Object | 0xBB | Variable | 900 | Yes |
| Error Detection Code | 0xFE | LRC | 0 | Yes |

The Security Object carries message digests of the containers listed in the DG-to-ContainerID mapping, so it must be regenerated and re-signed whenever any mapped container is rewritten; otherwise a relying party that checks it will reject the card.
7.2.8 Key History
The Key History object is only present on PIV-III compliant cards. EP.178

| Data Element (TLV) | Tag | Type | Max. Bytes | Supported in MyID |
|---|---|---|---|---|
| Key with On Card Certificates | 0xC1 | Fixed | 1 | Yes |
| Key with Off Card Certificates | 0xC2 | Fixed | 1 | No |
| Off Card Cert URL | 0xF3 | Variable | 128 | No |
| Error Detection Code | 0xFE | LRC | 0 | Yes |

MyID only supports on-card certificates: the Key with Off Card Certificates count is always set to zero, and the Off Card Cert URL is therefore never present.
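Added example (not MyID code): a consistency check a card auditor can run once the Key History counts have been decoded, tying them back to the retired Key Management containers listed in the table at the start of 7.2. The key-reference-to-container mapping ('82' to '5FC10D', '83' to '5FC10E', and so on up to '95' to '5FC120') is taken from that table. The assumption that on-card certificates occupy the lowest retired key references first is labelled as such; the set of populated containers is constructed for the example rather than read from a card.

```python
"""Cross-check a decoded Key History object against the retired key containers."""

FIRST_RETIRED_KEY_REF = 0x82        # retired key references '82'..'95'
FIRST_RETIRED_CONTAINER = 0x5FC10D  # matching certificate containers '5FC10D'..'5FC120'
MAX_RETIRED_KEYS = 20


def retired_container_tag(key_ref):
    """Map retired key reference '82'+i to container tag '5FC10D'+i."""
    if not FIRST_RETIRED_KEY_REF <= key_ref < FIRST_RETIRED_KEY_REF + MAX_RETIRED_KEYS:
        raise ValueError(f"0x{key_ref:02X} is not a retired key management reference")
    return FIRST_RETIRED_CONTAINER + (key_ref - FIRST_RETIRED_KEY_REF)


def check_key_history(on_card, off_card, off_card_url, populated):
    """Return a list of inconsistencies.

    on_card, off_card: the decoded 0xC1 and 0xC2 counts.
    off_card_url: the decoded 0xF3 value, or None when the element is absent.
    populated: set of container tags that actually hold a certificate.
    """
    problems = []
    if on_card + off_card > MAX_RETIRED_KEYS:
        problems.append(f"{on_card}+{off_card} retired keys exceeds {MAX_RETIRED_KEYS}")
    if off_card == 0 and off_card_url is not None:
        problems.append("Off Card Cert URL present although the off-card count is 0")
    if off_card > 0 and off_card_url is None:
        problems.append("off-card count is non-zero but no Off Card Cert URL is present")

    # Assumption: on-card certificates occupy the lowest retired key references first,
    # so on_card == N means containers '5FC10D' .. '5FC10D'+N-1 must hold certificates.
    expected = {retired_container_tag(FIRST_RETIRED_KEY_REF + i)
                for i in range(min(on_card, MAX_RETIRED_KEYS))}
    all_retired = {retired_container_tag(FIRST_RETIRED_KEY_REF + i)
                   for i in range(MAX_RETIRED_KEYS)}
    for tag in sorted(expected - populated):
        problems.append(f"container {tag:X} should hold a retired certificate but is empty")
    for tag in sorted((populated & all_retired) - expected):
        problems.append(f"container {tag:X} holds a certificate not counted in Key History")
    return problems


if __name__ == "__main__":
    # Constructed card dump: PIV Authentication cert plus two retired certificates.
    dump = {0x5FC105, 0x5FC10D, 0x5FC10E}
    print(check_key_history(on_card=2, off_card=0, off_card_url=None, populated=dump)
          or "Key History agrees with the populated containers")
```

Because MyID always writes an off-card count of zero, the URL checks above should never fire on a MyID-issued card; if they do, the Key History object was produced or modified by something else.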
7.2.9 Discovery Object
The optional Discovery Object can only be present on PIV-III compliant cards. It is not supported by MyID.
7.2.10 Cardholder Iris Images
The Cardholder Iris Images object is only present on PIV-III compliant cards.

| Data Element (TLV) | Tag | Type | Max. Bytes | Supported in MyID |
|---|---|---|---|---|
| Images for Iris | 0xBC | Variable | 7100* | Yes |
| Error Detection Code | 0xFE | LRC | 0 | Yes |

The certificate that signed the iris images is carried in the CHUID rather than in the iris object itself, in accordance with the footnote on page 28 of SP800-73-3 Part 1.