ISO IEC 24727-3-2008 PDF

St ISO IEC 24727-3-2008

Name in English:
St ISO IEC 24727-3-2008

Name in Russian:
St ISO IEC 24727-3-2008

Description in English:

Original standard ISO IEC 24727-3-2008 in PDF, full version. Additional info and preview on request.

Description in Russian:

Original standard ISO IEC 24727-3-2008 in PDF, full version. Additional info and preview on request.

Document status:
Active

Format:
Electronic (PDF)

Delivery time (for English version):
1 business day

Delivery time (for Russian version):
365 business days

SKU:
stiso25787


Full title and description

ISO/IEC 24727-3:2008 — Identification cards — Integrated circuit card programming interfaces — Part 3: Application interface. Defines a high-level, programming-language‑independent set of service representations for client applications to request and receive actions from card-resident applications, enabling interoperable access to card storage and processing while remaining implementation‑neutral.

Abstract

Part 3 of ISO/IEC 24727 specifies the application‑layer interface between client applications and integrated circuit card (ICC) applications. It describes services (requests and responses) in a programming‑language independent way, positions the interface within the OSI application layer, and targets interoperability across diverse ICC application domains while remaining neutral about internal implementation choices.

General information

  • Status: Published (confirmed current at last ISO systematic review).
  • Publication date: December 2008 (Edition 1, 2008-12).
  • Publisher: International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC), developed by ISO/IEC JTC 1/SC 17.
  • ICS / categories: 35.240.15 (Identification cards; smart cards).
  • Edition / version: Edition 1 (2008).
  • Number of pages: 194.

Note: this part has an associated corrigendum and an amendment; the standard was reviewed and the 2008 edition was confirmed in a later systematic review.

Scope

Specifies the client-application service interface for ICC applications: it defines the set of services (action requests and responses) that a client may use to access card-based information and operations (authentication, key usage, signature, secure storage, etc.) as seen via the generic card interface. The scope is limited to defining the abstract service interface and data representations; it does not mandate specific implementation methods or internal card architectures and is aligned with ISO/IEC 7816-4 and the OSI application-layer model.

Key topics and requirements

  • Abstract service definitions for client-to-card interactions (requests/responses) described independent of programming language.
  • High‑level application interface mapped to the OSI application layer.
  • Support for common ICC functions: authentication, digital signing, key and credential management, protected data access.
  • Data and service representations designed for multi‑domain interoperability across card OS and middleware vendors.
  • Conformance to ISO/IEC 7816‑4 organization and command models where applicable; no mandate of specific implementation technology.
  • Provision for administrative and registration considerations addressed in other parts of the 24727 series (API administration, testing, registration procedures).

Typical use and users

Used by smart‑card operating system vendors, card‑application developers, middleware and API implementers, system integrators, security architects and solution teams building interoperable eID, government PIV, national identity, e‑passport, transport ticketing, access control and multi‑application payment systems. NIST and other agencies have referenced ISO/IEC 24727 as a framework for interoperable identity APIs.

Related standards

Part of the ISO/IEC 24727 series (parts 1–6 covering architecture, generic card interface, application interface, API administration, testing and registration). Closely related to ISO/IEC 7816 (ICC commands and organization) and ISO/IEC 7498‑1 (OSI reference model). Guidance and national implementation notes (for example NIST IRs) reference 24727 for practical integration of PIV and other identity credentials.

Keywords

ISO/IEC 24727-3, integrated circuit card, ICC, application interface, client-service API, smart card interoperability, authentication, digital signature, key management, ASN.1, ISO/IEC 7816-4, OSI application layer.

FAQ

Q: What is this standard?

A: ISO/IEC 24727-3:2008 defines the abstract application‑layer interface (service requests and responses) that client applications use to interact with card‑resident applications on integrated circuit cards, enabling vendor‑neutral interoperability.

Q: What does it cover?

A: It covers the definition and representation of services at the client‑application service interface (e.g., authentication, signing, credential and key usage, protected data access), described in a programming‑language‑independent way and situated at the OSI application layer; it intentionally avoids prescribing internal implementations.

Q: Who typically uses it?

A: Smart card OS and application developers, middleware/API implementers, integrators of eID/PIV/national ID systems, security architects and testing bodies that require a common application interface for ICCs. Agencies and labs (for example NIST) have used the standard as a basis for interoperability testing and guidance.

Q: Is it current or superseded?

A: The published edition is ISO/IEC 24727‑3:2008 (Edition 1). The 2008 edition remains the formal published version; it has associated corrigenda and at least one amendment and was reviewed in ISO’s periodic review process. Users should check with their standards repository or national body for the most recent confirmation, corrigenda or amendments before implementation.

Q: Is it part of a series?

A: Yes — it is Part 3 of the ISO/IEC 24727 series (Identification cards — Integrated circuit card programming interfaces). Companion parts cover architecture (Part 1), generic card interface (Part 2), API administration (Part 4), testing (Part 5) and registration procedures for authentication protocols (Part 6).

Q: What are the key keywords?

A: Application interface, integrated circuit card (ICC), smart card API, interoperability, authentication, digital signature, key management, ISO/IEC 7816, ASN.1.