Integration between PSBio and SPIDX
This document describes the integrated operation of the PSBio and SPIDX solutions.
Overview
PSBios are entities capable of performing biometric identification to ensure the authenticity and uniqueness of individuals for issuing digital certificates. PSBios form a distributed biometric database. Digital certificate issuers are Certification Authorities (CAs). Each CA can have several service endpoints called Registration Authorities (RAs), where individuals perform biometric collection and obtain certificates.
The PSBio architecture ensures the preservation of the identity of verified individuals. Identification data such as name and CPF are restricted to the CA where the certificate is being issued (CA-RA messages), and the uniqueness check on the PSBios network (CA-PSBio messages) is performed through an encrypted identifier (IDN) that cannot be used to obtain the individual's biographical data.
The PSBio interfaces, requirements and APIs are defined by ITI (National Institute of Information Technology), allowing different vendors to implement PSBio solutions capable of forming a distributed biometric database.
SPIDX is a solution for biometric collection and registration on mobile devices. It is composed of:
SPIDX App, an application/component running on the Android and iOS devices of individuals requesting certificates (RA clients).
SPIDX Server, an online service hosted by SPIDX.
Operation of PSBio with SPIDX
The diagram below describes the operation of an integrated SPIDX and PSBio solution:

The Client, who wishes to obtain a digital certificate, must have the SPIDX App installed on their mobile device (smartphone/tablet).
When requesting the issuance of the digital certificate, the RA starts the flow by creating a remote biometric collection request to the CA. This call is made by the RA's SPID Client to its CA's SPID Server.
In operation with SPIDX, the SPID Server (RA) makes a biometric collection request to the SPIDX Server, an online service of SPIDX.
The SPIDX Server sends a biometric collection request to the SPIDX App on the mobile device (Client). The app performs the biometric collection using the device's sensors, and sends the biometric data to the SPIDX Server.
The SPIDX Server notifies the SPID Server (CA) that the biometric collection has been completed.
The SPID Server (CA) requests the biometric data from the SPIDX Server (SPIDX), and receives it.
The SPID Server (CA) asks the PSBio to perform the biometric verification of the collected data. The PSBio responds to the SPID Server (CA), indicating whether there is a duplicate or not.
Throughout the entire procedure above, the SPID Client (RA) waits for the biometric collection and verification, periodically polling the status of the transaction on the SPID Server (CA). When there is a definitive response (Authorization or Refusal for certificate issuance), the SPID Client (RA) can finalize the operation.
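The polling step described above, as an added sketch that is not part of the original documentation or of the SPID/SPIDX APIs: the RA side waits for a definitive response and treats a timeout or an unrecognized status as a refusal, so issuance proceeds only on explicit Authorization. The status strings, `FakeSpidServer` and `wait_for_decision` are hypothetical names chosen for illustration.

```python
import time
from enum import Enum


class Status(Enum):
    # Hypothetical status values; the page only names Authorization and Refusal.
    PENDING_COLLECTION = "pending_collection"      # waiting for the SPIDX App
    PENDING_VERIFICATION = "pending_verification"  # waiting for the PSBio
    AUTHORIZED = "authorized"
    REFUSED = "refused"


class FakeSpidServer:
    """Constructed stand-in for the CA's SPID Server: replays scripted statuses."""

    def __init__(self, script):
        self._script = list(script)
        self.polls = 0

    def get_status(self, transaction_id):
        self.polls += 1
        # Once the script is exhausted, keep returning its last value.
        return self._script[min(self.polls, len(self._script)) - 1]


def wait_for_decision(server, transaction_id, max_polls=10, interval=0.0):
    """Poll until a definitive response; return (issue_allowed, reason).

    Fails closed: only an explicit AUTHORIZED status allows issuance.
    """
    for _ in range(max_polls):
        raw = server.get_status(transaction_id)
        try:
            status = Status(raw)
        except ValueError:
            return False, f"unknown status {raw!r}"  # never guess at meaning
        if status is Status.AUTHORIZED:
            return True, "authorized"
        if status is Status.REFUSED:
            return False, "refused"
        time.sleep(interval)  # still pending: wait before the next poll
    return False, "timeout"  # bounded wait; no decision means no certificate


if __name__ == "__main__":
    ok = FakeSpidServer(["pending_collection", "pending_verification", "authorized"])
    print(wait_for_decision(ok, "tx-constructed-1"))
```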

