Token Factory API - a way to issue tokens for ID-based travelling
Background
The Sydlänen/Lynx project is launching a solution for ID-based travelling and therefore needed a secure way to issue tokens to travel documents, in this case travel cards supplied by Areff.
Kirei was responsible for producing a solution for this project; the result is the Token Factory API, which is one possible way of doing this.
Purpose
To highlight one way of issuing tokens to travel documents to enable ID-based travelling.
Related documentation
MTS 7 - Travel card application
Token API - ID-based travelling
Definitions
Concept | Definition |
---|---|
Personalization | Personalization is the operation that transforms a generic smart card (or other type of bearer) into an individually specific card that can be used for one or more applications. |
Provisioning | Is the operation that feeds the chip of a Travel Document with a service of some kind. |
PICC | Abbreviation for "Proximity Integrated Circuit Card": a "contactless" smart card which can be read without inserting it into a reader device. Although "card" is part of the definition of PICC, the travel document can take a form other than a card, such as a watch, dongle or other. |
Travel document | Definition from BoB Token API: An object (plastic card, wearable, app in mobile phone etc.) that carries a physical or emulated PICC (Proximity Integrated Circuit Card) in which a Travel Card Application is run, which consists of a so-called Travel Document, also referred to as MTB (Mobile Ticket Bundle), and is in its total the physical bearer for which the validity to travel is formed. When the concept Travel Document is used, it is the above distinction that is referred to. |
Sequence diagram
Sequence steps
- A Travel Document with an empty PICC (proximity integrated circuit card) is exposed to the personalization/provisioning device.
- A POST /token request towards the Token Factory API is made by the token issuer to create a new token container with a unique serial number.
- The token container with its serial number is sent to the personalization/provisioning device.
- The personalization/provisioning device creates the BoB application ("Travel Card Application" according to MTS7) on the exposed Travel Document.
- The personalization/provisioning device requests the Travel Card Application (on the Travel Document) to generate a token (a public/private key pair).
- The personalization/provisioning device requests the Travel Card Application (on the Travel Document) to return the token public key.
- The token public key is sent to the personalization/provisioning device.
- The personalization/provisioning device sends a PUT /token/{serial}/public key request to register the generated token public key on the token issuer side.
- The registration response from the token issuer is sent back to the personalization/provisioning device.
- The personalization/provisioning device sends a GET /token/{serial}/mtb request to fetch a signed MTB for the generated token from the token issuer.
- A signed MTB is sent back to the personalization/provisioning device.
- The signed MTB is written on the exposed Travel Document.
The Travel Document is now prepared with the MTB and the BoB application, so that tickets for travel can be tied to it; see the sequence for the Token API.
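As an added, runnable illustration of the sequence above (example code, not code from Kirei, the Token Factory API or the BoB specification), the following Go program models the three calls the steps name, POST /token, PUT /token/{serial}/public key and GET /token/{serial}/mtb, as in-memory functions on a mock token issuer, simulates the Travel Card Application's key pair on the device side, and has the issuer sign a minimal MTB that binds the serial to the registered public key. The MTB layout, the serial format, the ECDSA P-256 key type, the one-registration-per-serial rule and the verify-before-write step are assumptions of this example, not details given on the page.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// MTB is a hypothetical minimal Mobile Ticket Bundle: serial and token public
// key (PKIX DER, base64) bound together by the issuer's ECDSA signature.
type MTB struct{ Serial, PublicKey, Signature string }

// digest covers the two bound fields in fixed order, never the signature.
func digest(m *MTB) []byte {
	d := sha256.Sum256([]byte(m.Serial + "|" + m.PublicKey))
	return d[:]
}

// TokenFactory mocks the token issuer in memory (no HTTP listener).
// tokens maps serial -> registered public key (PKIX DER); nil until PUT succeeds.
type TokenFactory struct {
	signKey *ecdsa.PrivateKey
	tokens  map[string][]byte
}

func NewTokenFactory() (*TokenFactory, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &TokenFactory{signKey: k, tokens: map[string][]byte{}}, err
}

func (tf *TokenFactory) IssuerPublicKey() *ecdsa.PublicKey { return &tf.signKey.PublicKey }

// CreateToken models POST /token: a new, empty container with a unique serial.
func (tf *TokenFactory) CreateToken() string {
	serial := fmt.Sprintf("%010d", len(tf.tokens)+1) // constructed serial format
	tf.tokens[serial] = nil
	return serial
}

// RegisterPublicKey models PUT /token/{serial}/public key. The key must parse as
// ECDSA P-256, and a serial accepts exactly one registration (an assumption of
// this mock), so the key cannot be swapped after an MTB has been issued for it.
func (tf *TokenFactory) RegisterPublicKey(serial string, pubDER []byte) error {
	parsed, err := x509.ParsePKIXPublicKey(pubDER)
	if err != nil {
		return fmt.Errorf("invalid public key: %w", err)
	}
	if pub, ok := parsed.(*ecdsa.PublicKey); !ok || pub.Curve != elliptic.P256() {
		return errors.New("public key must be ECDSA P-256")
	}
	if cur, known := tf.tokens[serial]; !known || cur != nil {
		return errors.New("unknown serial or public key already registered")
	}
	tf.tokens[serial] = pubDER
	return nil
}

// IssueMTB models GET /token/{serial}/mtb; it refuses until a key is registered.
func (tf *TokenFactory) IssueMTB(serial string) (*MTB, error) {
	pubDER := tf.tokens[serial]
	if pubDER == nil {
		return nil, errors.New("no public key registered for this serial")
	}
	m := &MTB{Serial: serial, PublicKey: base64.StdEncoding.EncodeToString(pubDER)}
	sig, err := ecdsa.SignASN1(rand.Reader, tf.signKey, digest(m))
	if err != nil {
		return nil, err
	}
	m.Signature = base64.StdEncoding.EncodeToString(sig)
	return m, nil
}

// VerifyMTB is the check a validator or the provisioning device runs before
// trusting an MTB: issuer signature valid and embedded key equal to the card's.
func VerifyMTB(issuerPub *ecdsa.PublicKey, m *MTB, cardPubDER []byte) bool {
	if m.PublicKey != base64.StdEncoding.EncodeToString(cardPubDER) {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(m.Signature)
	return err == nil && ecdsa.VerifyASN1(issuerPub, digest(m), sig)
}

// Provision runs the page's sequence from the provisioning device's viewpoint.
// The Travel Card Application is simulated by a local key pair whose private
// half is never sent anywhere; the returned MTB is what gets written to the card.
func Provision(tf *TokenFactory) (*MTB, error) {
	serial := tf.CreateToken() // POST /token
	cardKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	pubDER, err := x509.MarshalPKIXPublicKey(&cardKey.PublicKey) // get token public key
	if err != nil {
		return nil, err
	}
	if err = tf.RegisterPublicKey(serial, pubDER); err != nil { // PUT .../public key
		return nil, err
	}
	m, err := tf.IssueMTB(serial) // GET /token/{serial}/mtb
	if err != nil {
		return nil, err
	}
	if !VerifyMTB(tf.IssuerPublicKey(), m, pubDER) { // verify before writing the card
		return nil, errors.New("MTB failed verification; not written to card")
	}
	return m, nil
}
```

The issuer-side checks are the ones worth having before trusting this flow in production: a public key is accepted only for a known serial, only once, and only if it parses as the expected key type, and no MTB is issued until a key has been registered. On the device side the MTB is verified against the issuer's public key and the card's own token key before it is written, so a tampered or mis-bound MTB never reaches the Travel Document.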