2. Functional View¶
2.1. Components: Standardized Definition and Scope¶
OSIA provides seamless interconnection between multiple components part of the identity ecosystem.
The components are defined as follows:
The Enrollment component.
Enrollment is defined as a system to register biographic and biometric data of individuals.
The Population Registry (PR) component.
Population registry is defined as “an individualized data system, that is, a mechanism of continuous recording, or of coordinated linkage, of selected information pertaining to each member of the resident population of a country in such a way to provide the possibility of determining up-to-date information concerning the size and characteristics of that population at selected time intervals. The population register is the product of a continuous process, in which notifications of certain events, which may have been recorded originally in different administrative systems, are automatically linked on a current basis. A. method and sources of updating should cover all changes so that the characteristics of individuals in the register remain current. Because of the nature of a population register, its organization, and also its operation, must have a legal basis.” [1]
The UIN Generator component.
UIN generator is defined as a system to generate and manage unique identifiers.
The Automated Biometric Identification System (ABIS) component.
An ABIS is defined as a system to detect the identity of an individual when it is unknown, or to verify the individual’s identity when it is provided, through biometrics.
The Civil Registry (CR) component.
Civil registration is defined as “the continuous, permanent, compulsory and universal recording of the occurrence and characteristics of vital events pertaining to the population, as provided through decree or regulation is accordance with the legal requirement in each country. Civil registration is carried out primarily for the purpose of establishing the documents provided by the law.” [2]
The Credential Management System (CMS) component.
CMS is defined as a system to manage the production and issuance of credentials such as ID Cards, passports, driving licenses, digital ID, etc.
The Third Party Services component.
TBD
ID Ecosystem Component | Data | Functions |
---|---|---|
Enrollment |
|
|
PR |
|
|
UIN Gen |
|
|
ABIS |
|
|
CR |
|
|
CMS |
|
|
Third Party Services | TBD | KYC/auth |
The components are represented on the following diagram:
2.2. Interfaces¶
This chapter describes the following interfaces:
Notification
A set of services to manage notifications for different types of events as for instance birth and death.
Data access
A set of services to access data.
The design is based on the following assumptions:
- All persons recorded in a registry have a UIN. The UIN can be used as a key to access person data for all records. Please note that the UIN is the same throughout all registries (see Chapter 3 - Security & Privacy).
- The registries (civil, population, or other) are considered as centralized systems that are connected. If one registry is architectured in a decentralized way, one of its component must be centralized, connected to the network, and in charge of the exchanges with the other registries.
- Since the registries are customized for each business needs, dictionaries must be explicitly defined to describe the attributes, the event types, and the document types. See Data Access for samples of those dictionaries.
- The relationship parent/child is not mandatory in the population registry. A population registry implementation may manage this relationship or may ignore it and rely on the civil registry to manage it.
- All persons are stored in the population registry. There is no record in the civil registry that is not also in the population registry.
UIN Management
A set of services to manage the unique identifier.
Enrollment Services
A set of services to manage biographic and biometric data upon collection.
Population Registry Services
A set of services to manage a registry of the population.
Biometrics
A set of services to manage biometric data and databases.
Credential Services
A set of services to manage credentials, physical and digital.
ID Usage
A set of services implemented on top of identity systems to favour third parties consumption of identity data.
Under discussion
A set of services under discussion and not yet linked to any specific tag.
The following table describes in detail the interfaces and associated services.
Services | Description |
Notification | |
Subscribe | Subscribe a URL to receive notifications sent to one topic |
List Subscription | Get the list of all the subscriptions registered in the server |
Unsubscribe | Unsubscribe a URL from the list of receiver for one topic |
Confirm | Confirm that the URL used during the subscription is valid |
Create Topic | Create a new topic |
List Topics | List all the existing topics |
Delete Topic | Delete a topic |
Publish | Notify of a new event all systems that subscribed to this topic |
Data Access | |
Read Person Attributes | Read person attributes |
Match Person Attributes | Check the value of attributes without exposing private data |
Verify Person Attributes | Evaluate simple expressions on person’s attributes without exposing private data |
Query Person UIN | Query the persons by a set of attributes, used when the UIN is unknown |
Query Person List | Query the persons by a list of attributes and their values |
Read document | Read in a selected format (PDF, image, etc.) a document such as a marriage certificate |
UIN Management | |
Generate UIN | Generate a new UIN |
Enrollment Services | |
Create Enrollment | Insert a new enrollment |
Read Enrollment | Retrieve an enrollment |
Update Enrollment | Update an enrollment |
Partial Update Enrollment | Update part of an enrollment |
Finalize Enrollment | Finalize an enrollment (mark it as completed) |
Delete Enrollment | Delete an enrollment |
Find Enrollments | Retrieve a list of enrollments which match passed in search criteria |
Send Buffer | Send a buffer (image, etc.) |
Get Buffer | Get a buffer |
Population Registry Services | |
Create Person | Create a new person |
Read Person | Read the attributes of a person |
Update Person | Update a person |
Delete Person | Delete a person and all its identities |
Merge Persons | Merge two persons |
Create Identity | Create a new identity in a person |
Read Identity | Read one or all the identities of one person |
Update Identity | Update an identity. An identity can be updated only in the status claimed |
Partial Update Identity | Update part of an identity. Not all attributes are mandatory. |
Delete Identity | Delete an identity |
Set Identity Status | Set an identity status |
Define Reference | Define the reference identity of one person |
Read Reference | Read the reference identity of one person |
Read Galleries | Read the ID of all the galleries |
Read Gallery Content | Read the content of one gallery, i.e. the IDs of all the records linked to this gallery |
Biometrics | |
Create Encounter | Create a new encounter. No identify is performed |
Read Encounter | Read the data of an encounter |
Update Encounter | Update an encounter |
Delete Encounter | Delete an encounter |
Merge Encounter | Merge two sets of encounters |
Set Encounter Status | Set an encounter status |
Read Template | Read the generated template |
Read Galleries | Read the ID of all the galleries |
Read Gallery content | Read the content of one gallery, i.e. the IDs of all the records linked to this gallery |
Identify | Identify a person using biometrics data and filters on biographic or contextual data |
Verify | Verify an identity using biometrics data |
Credential Services | |
Create Credential Request | Request issuance of a secure credential |
Read Credential Request | Retrieve the data/status of a credential request |
Update Credential Request | Update the requested issuance of a secure credential |
Delete Credential Request | Delete/cancel the requested issuance of a secure document / credential |
Find Credentials | Retrieve a list of credentials that match the passed in search criteria |
Read Credential | Retrieve the attributes/status of an issued credential (smart card, mobile, passport, etc.) |
Suspend Credential | Suspend an issued credential. For electronic credentials this will suspend any PKI certificates that are present |
Unsuspend Credential | Unsuspend an issued credential. For electronic credentials this will unsuspend any PKI certificates that are present |
Revoke Credential | Revoke an issued credential. For electronic credentials this will revoke any PKI certificates that are present |
Find Credential Profiles | Retrieve a list of credential profils that match the passed in search criteria |
ID Usage | |
Verify ID | Verify Identity based on UIN and set of attributes (biometric data, demographics, credential) |
Identify | Identify a person based on a set of attributes (biometric data, demographics, credential) |
Read Attributes | Read person attributes |
Read Attributes set | Read person attributes corresponding to a predefined set name |
Under discussion | |
Update Document Val Status | Updates the status of a document validation |
Read Document Val Status | Retrieve the status of a document validation |
Update Biometric Val Status | Updates the status of a biometric validation |
Read Biometric Val Status | Retrieve the status of a biometric validation |
Update Biographic Val Status | Updates the status of a biographic validation |
Read Biographic Val Status | Retrieve the status of a biographic validation |
2.3. Components vs Interfaces Mapping¶
The interfaces described in the following chapter can be mapped against ID ecosystem components as per the table below:
Components | ||||||||
---|---|---|---|---|---|---|---|---|
Interfaces | Enroll Clt | Enroll Srv | PR | UIN Gen | ABIS | CR | CMS | 3rd PS |
Notification | ||||||||
Subscribe | U | U | U | U | ||||
List Subscription | U | U | U | U | ||||
Unsubscribe | U | U | U | U | ||||
Confirm | U | U | U | U | ||||
Create Topic | U | U | U | U | ||||
List Topics | U | U | U | U | ||||
Delete Topic | U | U | U | U | ||||
Publish | U | U | U | U | ||||
Data Access | ||||||||
Read Person Attributes | U | IU | U | IU | U | |||
Match Person Attributes | U | IU | IU | U | ||||
Verify Person Attributes | U | IU | IU | U | ||||
Query Person UIN | U | IU | IU | |||||
Query Person List | U | |||||||
Read Document | U | IU | IU | |||||
UIN Management | ||||||||
Generate UIN | U | I | U | |||||
Enrollment Services | ||||||||
Create Enrollment | U | I | ||||||
Read Enrollment | U | I | ||||||
Update Enrollment | U | I | ||||||
Partial Update Enrollment | U | I | ||||||
Finalize Enrollment | U | I | ||||||
Delete Enrollment | U | I | ||||||
Find Enrollments | U | I | ||||||
Send Buffer | U | I | ||||||
Get Buffer | U | I | ||||||
Population Registry Services | ||||||||
Create Person | I | U | U | |||||
Read Person | I | U | U | U | ||||
Update Person | I | U | U | |||||
Delete Person | I | U | U | |||||
Merge Person | I | U | ||||||
Create Identity | I | |||||||
Read Identity | I | |||||||
Update Identity | I | |||||||
Partial Update Identity | I | |||||||
Delete Identity | I | |||||||
Set Identity Status | I | |||||||
Define Reference | I | |||||||
Read Reference | I | |||||||
Read Galleries | I | |||||||
Read Gallery Content | I | |||||||
Biometrics | ||||||||
Create Encounter | U | U | I | |||||
Read Encounter | U | U | I | U | ||||
Update Encounter | U | U | I | |||||
Delete Encounter | U | U | I | |||||
Merge Encounter | U | I | ||||||
Set Encounter Status | U | U | I | |||||
Read Template | U | U | I | |||||
Read Galleries | ||||||||
Read Gallery Content | U | U | I | |||||
Identify | U | I | U | |||||
Verify | U | I | U | |||||
Credential Services | ||||||||
Create Credential Request | I | |||||||
Read Credential Request | I | |||||||
Update Credential Request | I | |||||||
Delete Credential Request | I | |||||||
Find Credentials | I | |||||||
Read Credential | I | |||||||
Suspend Credential | I | |||||||
Unsuspend Credential | I | |||||||
Revoke Credential | I | |||||||
Find Credential Profiles | I | |||||||
ID Usage | ||||||||
Verify ID | I | |||||||
Identify ID | I | |||||||
Read Attributes | I | |||||||
Read Attributes set | I | |||||||
Under discussion | ||||||||
Update Document Val Status | ||||||||
Read Document Val Status | ||||||||
Update Biometric Val Status | ||||||||
Read Biometric Val Status | ||||||||
Update Biographic Val Status | ||||||||
Read Biographic Val Status |
where:
I
is used when a service is implemented (provided) by a componentU
is used when a service is used (consumed) by a component
2.4. Use Cases - How to Use OSIA¶
Below are a set of examples of how OSIA interfaces could be implemented in various use cases.
2.4.1. Birth Use Case¶
Checks
When a request is submitted, the CR may run checks against the data available in the PR using:
matchPersonAttributes
: to check the exactitude of the parents’ attributes as known in the PRreadPersonAttributes
: to get missing data about the parents’s identityqureyPersonUIN
: to check if the new born is already known to PR or not
How the CR will process the request in case of data discrepancy is specific to each CR implementation and not in the scope of this document.
Creation
The first step after the checks is to generate a new UIN. To do so, the CR requests a new UIN to the PR using generateUIN service. At this point the birth registration takes place. How the CR will process the birth registration is specific to each CR implementation and not in the scope of this document.
Notification
As part of the birth registration, it is the responsibility of the CR to notify other systems, including the PR, of this event using:
publish
: to send a birth along with the newUIN
.
The PR, upon reception of the birth event, will update the identity registry with this new identity using:
readPersonAttributes
: to get the attributes of interest to the PR for the parents if relevant and the new child.
2.4.2. Death Use Case¶
To be completed
2.4.3. Marriage Use Case¶
To be completed
2.4.4. Deduplication Use Case¶
During the lifetime of a registry, it is possible that duplicates are detected. This can happen for instance after the addition of biometrics in the system. When a registry considers that two records are actually the same and decides to merge them, a notification must be sent.
How the target of the notification should react is specific to each subsystem.
2.4.5. ID Card Request Use Case¶
To be completed
2.4.6. Bank account opening Use Case¶
2.4.7. Police identity control Use Case¶
Footnotes
[1] | Handbook on Civil Registration and Vital Statistics Systems: Management, Operation and Maintenance, Revision 1, United Nations, New York, 2018, available at: https://unstats.un.org/unsd/demographic-social/Standards-and-Methods/files/Handbooks/crvs/crvs-mgt-E.pdf , para 65. |
[2] | Principles and Recommendations for a Vital Statistics System, United Nations publication Sales Number E.13.XVII.10, New York, 2014, paragraph 279 |