FAQ



Common AMC

What are the rules for using the common-amc?

The important development of the Common AMC obliges us, as a structure responsible for governance and security, to be more vigilant and rigorous. This is why we remind you that any public or private organization that intervenes in the issuance of a common AMC (manufacturer), or that uses the common AMC (User Entity), whatever the use, must sign a usage agreement with ADCET and thus be referenced by our association.
Moreover, the functioning of a project around the Common AMC is only possible insofar as ADCET mobilizes the means necessary to support, develop, secure and govern the Common AMC, which represents a significant expense.

Consequently, the agreement may be granted free of charge, provided that the Relying Party and/or the manufacturer is a member of ADCET and is up to date with its dues.

If the User and/or the manufacturer does not wish to join the ADCET or is not up to date with its membership fees, a fee must be paid, by annex to the agreement to be established between the ADCET, the User and/or the manufacturer.

We would be grateful if you could communicate this information to any third party that you may meet in the context of a project around the common AMC. As a member, it is also your responsibility to contribute to ensuring that each third party partner is registered as an organization with ADCET and in particular to remind this obligation in the calls for tender and contracts that you will have to sign with third parties concerning the use and/or production of the Common AMC.

Furthermore, it is reminded that the logo of the common AMC must appear on any support integrating the common AMC. If, at first, there may have been exceptions and factual derogations to this rule, it is now necessary to regularize the situation without delay.

In this sense, we ask that each card manufacturer provide us with a visual for validation, before any new production. If the logo is not present, ADCET will have to oppose the production of these cards.

Finally, it is also reminded that the specification of the AMC standard cannot be distributed but that each entity wishing to know about it must acquire it on the AFNOR website (https://www.boutique.afnor.org/norme/nf-p99-508/services-de-vie-quotidienne-application-multiservices-citoyenne-amc/article/938347/fa199961).

We remain at your disposal.

Matthieu Theurier

President

What are the keys for the predefined Common AMC identifiers?

1/ Number of keys

9 management keys for the predefined identifiers of the common AMC have been generated and are kept by ADCET:

  • three TDES keys, for calculating the identifier values.
  • three private ECDSA keys, for generating signatures, two of which are reserve keys.
  • three public ECDSA keys (corresponding to the private keys), for verifying signatures, two of which are reserve keys.

The current public key is:

6C12AA5A8357F4EC4B5A3CA87D44C42D6EB97DD430144079EB00E2290F5B43E45E6C94ED56EF827B9EAE0A387EEA193873352816C836B88D5BB1

2/ The reference of the current signature key (ECDSA), i.e. the value of PIDSignKeyReference, is 1A01h.

3/ References of the TDES calculation keys (value of PIDXKeyRef):

  • 0101h for identifiers on AMC media,
  • 0102h for virtual identifiers

Launching of a new AMC

Can a common AMC and a specific AMC coexist in the same medium?

Yes. Like any ISO 7816-5 compliant Calypso Rev.3 application, each AMC (common and specific) has its own application name (AID), so it can coexist with one or more other AMCs in the same medium.

The recommended test keys are:

  • For keys loaded into the application: interoperable test keys France of KIF/KVC=414Fh, 474Fh and 504Fh.
  • For the management of data MACs (such as Custom IDs): interoperable test key France of KIF/KVC=2B8Bh.
  • For the (de)encryption of personal data (photo, name/first name): interoperable test key France of KIF/KVC=EC4Dh.
  • For the management of predefined identifiers, the keys of the examples of the standard (NF P99-508) are used:
    • TDES key for calculating predefined identifiers: PIDXKeyRef = 0753h (Appendix A.1 of the standard).
    • ECDSA key for authentication of predefined identifiers: PIDSignKeyReference = CB32h (Appendix A.4).

Security

What is the procedure for transmitting AMC private keys?

AMC private keys are usually only transmitted to the embedders. The procedure is to be decided on a case-by-case basis (e.g. via OpenPGP secure mechanism). In the case of the common AMC, ADCET is in charge of transmitting the keys to the encoder on request of the community in charge of the services. In the case of a specific AMC, the community transmits its keys to the encoder.

In technical terms there are 2 groups of keys:

Group 1 (in a SAM) :

- The 3 keys to be loaded in the Calypso application

- The MAC signature key

- The 3DES encryption key

Group 2 (outside SAM, transmitted securely) :

- The secret/private key pair, for signing predefined identifiers

- The 3DES key for calculating predefined identifiers

Which cryptographic algorithm (DES-X or T-DES) is used for the AMC application keys?

T-DES keys will be used to manage access to OGD files and to calculate the values of predefined identifiers. An ECDSA key will be used to calculate the signature of the predefined identifiers.

Files structure

Key identifiers/references

| Identifier | Size | Description |
| --- | --- | --- |
| AID | 5 to 16 bytes | Identifier of an application. Predefined values: Common AMC: 'A000000291 D250 0800 9301'h; Specific AMC, AID stored in the centralized registry: 'A000000291 D250 0800 93F0 DXYZ'h, where 'XYZ'h = value of ServiceScopeID for this application |
| Serial number Calypso | 8 bytes | Identification number of a Calypso application |
| ServiceScopeID | 12 bits | Service scope identifier of the application, for France: 'XYZ'h. Registered in the centralized registry for all AMCs. For the common AMC: 'E00'h |
| IssuerReference | 2 bytes | AMC issuer reference (or AMC data). Registered in the centralized registry for all issuers, regardless of the service scope (ServiceScopeID) |
| GDIssuerReference | 2 bytes | Issuer reference of the application. Value from the issuer register (IssuerReference) |
| GDScopeID | 3 bytes | International service scope identifier of the application. Predefined values: for France: '250XYZ'h, where 'XYZ'h = value of ServiceScopeID for this application; for the common AMC: '250E00'h |
| HolderIssuerReference | 2 bytes | Application issuer reference (same as GDIssuerReference) |
| PictInfoIssuerReference | 2 bytes | Reference of the issuer of the photograph |
| NameInfoIssuerReference | 2 bytes | Issuer reference of the first and last name. Value from the issuer register (IssuerReference) |
| PIDIssuerReference | 2 bytes | Issuer reference of the predefined identifiers. Value from the issuer register (IssuerReference) |
| PIDScopeID | 3 bytes | International service scope identifier of the application (same as GDScopeID) |
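The AID and scope rules in the table above, as an added Python example (not ADCET code and not taken from the standard): it classifies an AID as common or specific AMC, derives ServiceScopeID and GDScopeID, and checks that a PIDScopeID read from the card agrees with the selected application. The function names and the specific-AMC sample ending in 'D123'h are constructed for illustration.

```python
# Added example: AID layouts as given in the identifier table of this FAQ.
COMMON_AID = bytes.fromhex("A000000291D25008009301")
SPECIFIC_PREFIX = bytes.fromhex("A000000291D250080093F0")
COMMON_SCOPE = 0xE00  # ServiceScopeID of the common AMC


def parse_amc_aid(aid_hex):
    """Classify an AMC AID; return kind, ServiceScopeID and GDScopeID."""
    aid = bytes.fromhex(aid_hex.replace(" ", ""))
    if not 5 <= len(aid) <= 16:
        raise ValueError("an AID is 5 to 16 bytes long")
    if aid == COMMON_AID:
        kind, scope = "common", COMMON_SCOPE
    elif len(aid) == len(SPECIFIC_PREFIX) + 2 and aid.startswith(SPECIFIC_PREFIX):
        tail = int.from_bytes(aid[-2:], "big")       # 'DXYZ'h
        if tail >> 12 != 0xD:
            raise ValueError("specific AMC AID must end in 'DXYZ'h")
        kind, scope = "specific", tail & 0xFFF       # 12-bit ServiceScopeID
    else:
        raise ValueError("not a common or specific AMC AID")
    return {
        "kind": kind,
        "service_scope_id": scope,
        "gd_scope_id": "%06X" % (0x250000 | scope),  # '250XYZ'h for France
    }


def pid_scope_matches(aid_hex, pid_scope_id_hex):
    """PIDScopeID is the same as GDScopeID, so it must agree with the selected AID."""
    expected = parse_amc_aid(aid_hex)["gd_scope_id"]
    return pid_scope_id_hex.replace(" ", "").upper() == expected


if __name__ == "__main__":
    print(parse_amc_aid("A000000291 D250 0800 9301"))
    # Constructed specific-AMC AID with ServiceScopeID '123'h (hypothetical value).
    print(parse_amc_aid("A000000291 D250 0800 93F0 D123"))
    print(pid_scope_matches("A000000291 D250 0800 9301", "250E00"))
```

A terminal can run this check right after application selection and reject a card whose predefined-identifier structure claims a scope other than the one implied by its AID.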

Unique identifiers

How is the uniqueness of the identifiers guaranteed?

If we consider all the AMCs issued in a given service perimeter, the uniqueness of a predefined identifier is guaranteed by all the following fields:

  • PIDXSector (2 bytes) which defines the service perimeter ;
  • PIDXKeyRef (2 bytes) which defines the TDES key used to calculate the identifiers from a root value;
  • PIDXValue (4 bytes) which defines the value calculated from the above key and a root value.

This uniqueness is ensured by the respect of the rules defined for the choice of the values of PIDXSector, PIDXKeyRef, and PIDXValue.
Within a given information system, PIDXKeyRef or PIDXSector can be omitted if they are identical for all AMCs managed by this system.

So, in the case of the common AMC, to use one of the ranges defined on the ADCET site (Common AMC value ranges), it is necessary and sufficient that in the data structure of the predefined identifiers there is :

  • PIDScopeID = 250E00h (common AMC).
  • PIDXKeyRef = 0101h (TDES key referenced on the ADCET site, Keys for the predefined identifiers of the common AMC)


Of course, it is also necessary that the one who produces the predefined identifiers takes values only in the ranges which were allocated to him by the ADCET.

IMPORTANT - Rule of uniqueness and non-correlation: the issuer of the predefined identifiers (indicated by PIDIssuerReference) guarantees that each value it generates is used only once for a given sector of activity, and that the identifier must not be deducible from the sole knowledge of one or more other AMC identifiers.

The principles of value generation used for the common AMC, and recommended for the specific AMCs, are as follows:

  • the issuer of predefined identifiers has a whole range of values of 4 bytes (i.e. more than 4 billion possible values) which he can subdivide as he wishes. It is for example possible to split it into smaller ranges assignable to different subcontractors or to different projects, provided that these ranges do not overlap;
  • a triple-DES ("TDES") key managed by the governance of the service scope (ADCET for the common AMC) is used. This key must remain confidential because it can be used to predict the numbers of the AMC applications: only the entities that generate the identifiers need to know it.
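The range and uniqueness rules above lend themselves to an audit of issued identifiers. The following is an added example, not ADCET code: it checks that sub-ranges carved out of an issuer's 4-byte range do not overlap, and that no (PIDXSector, PIDXKeyRef, PIDXValue) triple is issued twice or outside its holder's range. Holder names, ranges and sector values are constructed; the TDES calculation of PIDXValue is defined in the standard and is not reproduced here.

```python
# Added example: audit predefined identifiers against allocated value ranges.
# All holders, ranges and records below are constructed sample data.

def overlapping_ranges(ranges):
    """ranges: {holder: (first, last)}, inclusive. Return pairs of holders that overlap."""
    items = sorted(ranges.items(), key=lambda kv: kv[1][0])
    clashes = []
    for i, (holder, (_, last)) in enumerate(items):
        for other, (other_first, _) in items[i + 1:]:
            if other_first > last:
                break                      # sorted by start: no later range can overlap
            clashes.append((holder, other))
    return clashes


def audit_identifiers(records, ranges):
    """records: (holder, PIDXSector, PIDXKeyRef, PIDXValue). Return (problem, record) findings."""
    findings, seen = [], set()
    for record in records:
        holder, sector, key_ref, value = record
        first, last = ranges.get(holder, (1, 0))   # unknown holder: empty range
        if not (0 <= value <= 0xFFFFFFFF and first <= value <= last):
            findings.append(("out_of_range", record))
        triple = (sector, key_ref, value)          # fields that guarantee uniqueness
        if triple in seen:
            findings.append(("duplicate", record))
        seen.add(triple)
    return findings


RANGES = {"project_a": (0x00000000, 0x0FFFFFFF), "project_b": (0x10000000, 0x1FFFFFFF)}
RECORDS = [
    ("project_a", 0x0004, 0x0101, 0x00000001),
    ("project_b", 0x0004, 0x0101, 0x10000001),
    ("project_a", 0x0007, 0x0101, 0x00000001),   # same value, other sector: allowed
    ("project_b", 0x0004, 0x0101, 0x00000001),   # reuse of a value from project_a's range
]

if __name__ == "__main__":
    print(overlapping_ranges(RANGES))
    for problem, record in audit_identifiers(RECORDS, RANGES):
        print(problem, record)
```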

What are the predefined sectors and identifiers?

In order to comply with CNIL recommendations, the card bears several identifiers (from 1 to 10: these identifiers are reserved for public services corresponding to a sector of activity defined by the CNIL):

1 Taxation Tax or fee for household waste collection. Tourist tax.

2 Labor and social services Employment exchange. Apprenticeship. Professional training. Application for internships and jobs. Management of social aid (application, allocation and follow-up) in the following areas:

  • application for housing and/or assistance;
  • grants;
  • personalized autonomy allowance;
  • aid for the disabled;
  • active solidarity income.

3 Health Maternal and child protection. Vaccination plan. Heat wave plan. Warning and protection plan for the population.

4 Transport: Registration, monitoring and online payment of school or municipal services, individual or public transport (bicycle, car, bus, etc.) Information on traffic conditions.

5 Civil status and citizenship Request for extracts or copies of civil status records, family record book. Registration for the defense and citizenship day/compulsory citizen census. Registration on electoral lists. Notification of change of address. Certificate of reception. Authorization to leave the territory. Application for identity, travel or residence permits.

6 Relations with elected officials Municipal communication. User relations with elected officials (request for an appointment, etc.).

7 School and extracurricular services, sports and socio-cultural activities Management of files (registration, follow-up and online payment) in the following areas:

  • leisure center without accommodation;
  • tourist services;
  • vacation center;
  • school;
  • day-care center;
  • school catering;
  • sports activities (municipal swimming pool, sports hall, etc.);
  • socio-cultural activities (library, media library, museum, reservation of municipal hall);
  • training for adults;
  • rental of municipal halls or equipment;
  • meals on wheels.

8 Economy and town planning Registration of the activity in the socio-economic directory. Aid to businesses. Request for business premises.

Management of files (application, allocation, follow-up and online payment) in the following areas: water and sanitation; building permits; development permits; demolition permits; town planning certificates; individual alignment orders.

Declaration: of completion of works; of opening of a building site; of intention to sell.

9 Special policies and roads; Temporary authorization of a drinks shop. Declaration of first or second category dog. Certificate of change of address. Payment, subscription or parking permit. Market/fair site. Access to pedestrian areas. Lost and found. Notification of noise, odor or visual nuisance. Request for intervention on the public domain (maintenance of green space, public lighting, graffiti, container, etc.). Cemetery (allocation of burial plot). Filming of films.

10 User relations User relations with the services (request for an appointment, etc.).

Registration for the ceremony for new residents.

Exercise of data protection rights (request for information, rectification, deletion, etc.).

11 Services for agents (agent card)

12 Student life services (student catering, access to premises and services reserved for students: libraries, student residences, computer rooms, etc.)

13 Loyalty and commerce

14 Mobility (MaaS) mobility actions grouping either public or private transport around a single account

15 to 19 Reserved for future definition PUBLIC SERVICES

20 Personal services

21 Private transport

22 Payments

23 Social networks

24 Sports, cultural and leisure activities

25 Loyalty program (outside the "city center" context)

26 to 35: RFU

© 2023 ADCET