Philip Hoyer, Director of Strategic Innovation, HIDGlobal and Chair of GlobalPlatform’s Identity Task Force
In our latest industry interview, Philip Hoyer explains the reasons behind the decision to establish an Identity Task Force (ITF), the role that it will play in communicating GlobalPlatform’s place in the ecosystem and why he thinks new players in the internet of things (IoT) need to adopt GlobalPlatform.
1. What is the role of GlobalPlatform’s recently formed Identity Task Force (ITF)?
The ITF has taken on and broadened the role of the former GlobalPlatform Government Task Force.
Governments tend to drive the more stringent requirements around identity and security. GlobalPlatform has good relationships, particularly in the US with the Department of Defense and other agencies post 9/11 around the FIPS 201 PIV (Personal Identity Verification) program. Many of these schemes are deployed on chip card technology based on GlobalPlatform specifications; they want to have a secure lifecycle, for example to securely update certificates in the field. And that is what GlobalPlatform is very good at. In addition, governments do not want to be locked into specific vendors. Their demand was to find a way to standardize the interaction between them and chip card issuers and that is what GlobalPlatform is all about.
Recently, however, GlobalPlatform members acknowledged that many government requirements and use cases were also applicable to identity programs outside of the government realm, specifically identity programs in the enterprise and consumer space. As a consequence, the charter of the Government Task Force was expanded to embrace identity across all sectors.
2. Why has GlobalPlatform specifically decided to create this group now?
We realized that there are a number of trends happening right now in the identity market. The first is that consumers are putting more and more personal information on mobile devices – not just keys but also identities such as drivers licenses. The second is the move of things we value and their related services into the cloud. As a result access to these resources and services requires an identity proportionally as strong as the value of the resources. The third is that these identities can be used in the internet-of-things (IoT). Looking at these trends, GlobalPlatform realized that by expanding the charter of the group we would essentially create the right place to discuss how we can best support this market. This activity had a lot of parallels with the existing Government Task Force, therefore we decided to create a new group that could tackle a wider scope of topics.
3. How can GlobalPlatform’s Specifications for the secure element (SE) and trusted execution environment (TEE) be leveraged for the identity market?
Different industries require different levels of assurance. Looking at the level of breaches that have happened recently on a global scale, it’s clear that no-one should rely on a weak form of identity these days. What GlobalPlatform provides with its specifications is the ability to manage and provision a dedicated identity application that is scheme agnostic and highly secure. Stakeholders can then rely on all the building blocks that have been created over the years by GlobalPlatform for the banking and telecoms industries to store identities or keys in a format that has desirable security characteristics.
There are many aspects to this, however, therefore I recommend interested parties read our Mobile ID White Paper, which will be released later this year. The paper focuses on mobile, however, it also provides broader information about how GlobalPlatform technologies can be used in the identity space.
4. The ITF charter has grown since its original focus on the Government sector to now include identity use cases in the enterprise and consumer space as well. Under the new charter, has the focus on the Government sector expanded and, if so, how?
Yes it has. This reflects current changes in technology. As consumers increasingly use mobile devices to make their daily lives easier, governments too are interested in offering more choices in the way they manage and deliver services on those devices. Governments want to offer these services without sacrificing security and hence need strong identities to secure them.
Also, GlobalPlatform is working with government agencies to determine how we can leverage GlobalPlatform secure components interacting with the mobile device. At present, we are focusing on Bluetooth Smart (also known as Bluetooth Low Energy), as an ubiquitous proximity technology for mobile devices to communicate with each other. We are therefore working to see if there is a way to satisfy the stringent security requirements of governments, maybe with a dedicated Bluetooth identity device or by leveraging GlobalPlatform technologies over this new protocol.
5. The ITF has evolved from the Government Task Force (GTF), will the new group continue to develop work items such as the Privacy Framework that were driven by the GTF and why?
The privacy framework continues to be an area that we will work on to advance and evolve to support the changing industry requirements.
Privacy is of upmost importance, especially in a hyper connected world full of smart devices with multiple sensors. GlobalPlatform is uniquely positioned in that it has a set of components, technologies and specifications that allow a secure and privacy-enabled world to happen. More and more parties are understanding the strength of what GlobalPlatform has to offer and are even in some instances setting the use of Secure Component (Secure Element and / or Trusted Execution Environment) as a requirement for privacy-sensitive smart infrastructure such as Smart Meters in Germany.
Hence GlobalPlatform believes that there is still a lot of work to be done to educate people about its specifications and define how they can be leveraged for a more secure privacy enabled smart world.
6. What are the next steps for the group?
Firstly we are continuing our strong engagement with governments to ensure we understand their ever evolving requirements and agree on the areas that GlobalPlatform should focus its activity.
We are also exploring the theme of mobile ID. One of the first deliverables in this area is the soon to be released white paper. The ITF will also be engaging with industry groups to develop an understanding of identity use cases in the IoT. We will also focus on investigating the concept of derived credentials, which allows identities derived from an existing breeder credential (e.g. an existing electronic driver’s license or identity card) to be securely used and trusted on mobile platforms.
7. How can members get involved?
All GlobalPlatform Members, regardless of their membership level, may sign up to participate in the organization’s many task forces, including the Identity Task Force. They can do this by simply joining the group via the member only website. They will then be automatically notified of all upcoming conference calls and face-to-face meetings being planned by the participants of that group.
To participate in GlobalPlatform's identity discussions please visit