STQC Publishes RD Certification Guidance Document V2.0


Sanjith Sundaram
Apr 9, 2017, 1:22:26 PM
to Aadhaar Registered Devices Discussion Group
Dear All,

Please be informed that STQC has published the latest version of the RD Certification Guidance document, "Guidance to Applicant for Registered Devices for UID Application V 2.0".

The document mainly covers the Provisional Certification Process, Traceability Matrix, Declarations to be provided, Functional and Security Test Cases, L1 Compliance Details, Logistics Pre-Requisites for Provisional Certification, Application fee details and Forms.


This mailer is for your information and appropriate preparations. 

Regards,
Sanjith Sundaram

Amit Aggarwal
Apr 10, 2017, 2:43:47 AM
to aadha...@googlegroups.com
Dear Sanjith,

Some feedback on STQC fees and process for RD.

The device certification process is already quite comprehensive and expensive. We paid the fees some time back for public device certification.

RD timelines and changes added another layer.

Now there are additional fees for RD certification. Summing up, all this is very difficult.

Request you to consider the following feedback:

1. RD cert to be free for those who have already paid certification fees for public devices.

2. Process should be paperless, online and easy.

3. Testing should be automated with a focus on functionality.

We are moving mountains inside our organisation to support the timelines asked for by UIDAI.

We as partners need support from UIDAI to make the whole process very simple, fast, paperless and easy.

Best Regards
Amit

--
You received this message because you are subscribed to the Google Groups "Aadhaar Registered Devices Discussion Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to aadhaar_rd+unsubscribe@googlegroups.com.
To post to this group, send email to aadha...@googlegroups.com.
Visit this group at https://groups.google.com/group/aadhaar_rd.
To view this discussion on the web visit https://groups.google.com/d/msgid/aadhaar_rd/68783e03-d132-46e5-948a-7142c42094ff%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Arun Kumar
Apr 10, 2017, 8:40:47 AM
to aadha...@googlegroups.com

Dear UIDAI Team,

1. Based on the below paragraph of the document:

"All authentication end user devices (for e.g. POS terminals) must possess RD Service provisional certification.

Under this scheme, biometric sensor vendor could apply for RD service and supply provisionally certified sensor and service to the ecosystem. End User device vendors who use an RD service certified by sensor vendor, need not apply for RD service provisional certification along with the sensor certified by STQC. In all other cases, end user device vendors need to apply for RD Service certification."

We have the following queries:

   a. Should the biometric sensor vendor only provide the RDService implementation for the standard platforms mentioned in the Registered Device specification, i.e. Windows, Linux and Android?

   b. In case the module of a biometric sensor provider is integrated on "n" different POS terminals with "n" different non-standard platforms (other than Windows, Linux and Android), should the biometric sensor vendor apply for certification for each of the "n" POS terminals and provide RDServices for "n" different platforms?

   c. What is so special about POS terminals technically that makes you mention that the biometric sensor vendor could apply for certification, and on what basis do you differentiate them from other end user devices, especially phones and tablets with a fingerprint module?

   d. How many applications should a biometric sensor provider submit if its module is integrated with "n" different POS terminals running different non-standard platforms?

   e. What is the DUT for POS terminals? Is it the biometric sensor module or the POS terminal?

2. "It is certified there is no debug or backdoor mechanism to extract the private key from the RD service and no known bugs/exploits/vulnerabilities/configurations in the OS or any other components that the RD services uses from where an attacker could extract the private key at the time of certification, especially for L0 devices."

Query >> How does a biometric sensor vendor control the non-standard OS of the POS terminal provider? If the biometric sensor vendor doesn't own the OS, then how can it be made liable for bugs/exploits/vulnerabilities/configurations in the OS?

3. "It is certified that the Device provider will actively watch for any known attacks or exploits or vulnerabilities that could help an attacker extract the keys and work towards patching the same."

Query >> How can a biometric sensor vendor watch for known attacks or exploits or vulnerabilities in the POS terminal of a manufacturer without any control over the OS, applications and firmware of the POS device?

4. "I understand that at any point of time, if my device-application is found non-conforming to any of the points declared and above, my certification may be revoked without any justification and I shall be abiding by all applicable legal consequences as per Govt. rules and regulations."

Query >> How does a biometric sensor vendor control the device-application of the customers in the field? Any security mechanism at the OS level is always vulnerable to attacks, and if STQC is certifying something to be immune to security breaches at the OS level, then it alone should own the responsibility for any compromise. STQC/UIDAI should clearly mention what they are certifying and on what test criteria. Anything which doesn't fall under the ambit of the certification test criteria should not invite any legal consequence on the device provider.

5. Is "compliance check and Poor Quality Biometric Capture Check" applicable for devices which are already STQC certified after undergoing FRR and image quality tests?

6. Why is STQC charging a fee for certification when everyone in the ecosystem is required to make unforeseen investments?


Best Regards,

Arun Kumar


shashi
Apr 11, 2017, 1:37:12 AM
to Aadhaar Registered Devices Discussion Group
Dear UIDAI team,

Please find below some queries on the released STQC guidance document.

1) 3 b) To verify that the DUT meets all environmental, safety and accuracy requirements as per STQC specification.

Query: Why does STQC have to perform environmental testing for L0 and L1?


2) 4 d) Integrated FP devices (in near future)

Query: We hope that all POS devices which will have an FPS module integrated fall under "Integrated device"? "Near future" is an open-ended statement; can you please be specific about when it will start? As we all know, we do not have any time left.


3) 4. Scope of Work:

* Execution of test cases with tools & scripts provided by UIDAI

* Test case execution by vendors in presence of UIDAI & STQC engineers. Vendor to provide test points & tools / jig as required.

Query: If STQC uses our jigs and UIDAI's scripts and tools, what do they use from their own lab?


4) * External test laboratory/ client's test facility may be used to conduct the testing (where test facilities are not available with STQC).

Query: Better to be clearer here; as STQC knows what tests are to be done, they can be more specific.


5) * Arrangement to witness the testing at client's facility, in case the in-house facility for the same is not available with STQC

Query: Open-ended statement; let us be specific. I think we cannot explore all these versions at the end when we are nearing the deadline.


6) * Additional Certificate Charges Rs.10,000/- for each additional copy of certificate

Query: Is this for a different platform for the same device?


7) Declarations (L0 and L1 both):

I understand that at any point of time, if my device-application is found non-conforming to any of the points declared and above, my certification may be revoked without any justification and I shall be abiding by all applicable legal consequences as per Govt. rules and regulations

Query: The declarations required from the device vendor do not seem fair. Making the Indian device manufacturer liable for all the issues is not at all good. The point is that when STQC tests all required security needs and threats, why should we make declarations about issues that may arise in the field from hackers? This also indicates that the test labs are not sure their test cases identify the security level of the device. If that is true, why do we need to go for certification? We can proceed with just a declaration and take all responsibility ourselves.


8) Declarations for L1 devices only:

Query: Almost all the points mentioned under this section can be tested by the lab and approved, except a few of them. In that case, why is a declaration again expected from device vendors?


Best Regards

Shashi kumar
