interoperability of eID
for eGovernment services in the EU
John Stienen
EUROPEAN COMMISSION
DIRECTORATE-GENERAL FOR INFORMATICS
European eGovernment Services (IDABC)
09/04/2008
Outline
The policy context
ICT Policy Support Programme Pilots
IDABC study on eSignatures
IDABC study on eID
Manchester Ministerial
Declaration, 24 November 2005
No citizen left behind: inclusion by design
By 2010 all citizens become major beneficiaries
By 2010 innovative ICT, trust, awareness, skills for inclusion
eGovernment Objectives
ICTPSP Call 2007 Overview
Pilots Type B
Towards pan-European recognition of e-IDs
Mutual recognition & interoperability of electronic documents
Accessible & inclusive eGovernment services
Combined delivery of social services
Promoting local and regional eParticipation
Thematic Networks
Stimulating measurement of impact and user satisfaction
Brokering pan-European eGovernment solutions and services online
Budget allocation: 24 M
Pilots Type A
Enabling EU-wide public eProcurement
Implementation of an integrated EU wide electronic public procurement
solution enabling companies, in particular SMEs, from one state to respond
to public procurements in any other state.
Pan-European recognition of eIDs
Implementation of an EU wide interoperable system for recognition of
eID and authentication enabling businesses, citizens to use their
national electronic identities in any Member State
IDABC Programme
Objectives
Target groups
History
Duration
5 years (2005-2009)
Global budget
Managed by
IDABC Programme
Key elements of IDABC Work Programme:
Projects of Common Interest (PCI): support (budget and
guidance) within the Commission services to sectoral
projects that have legal base from an existing Community
legislation (e.g. PLOTEUS, IMI, LISFLOOD, SANREF,
TRACES)
Horizontal Measures (HM): designed to support sectoral
projects and eGovernment services generally by providing
basic infrastructure (network, CIRCABC, PKI), security
measures (eID, eSignatures), interoperability measures
(European Interoperability Framework, XML Clearing
house), spread of good practice (OSS repository, eGov
observatory)
eSignatures:
Analysis, identified issues (1)
127 eGovernment applications processed:
90 using eSignatures
37 using electronic certificates as authentication means
Main sectors referenced:
eTaxes: 29 applications, One-stop shop portal: 12 applications
eProcurement: 11 applications
eHealth: 4, eJustice: 3, Social Security: 3,
Regulations tend to remain technology neutral
Administrations have large autonomy in choosing the right solution
for their applications
Cross border interoperability is not considered to be a priority
Mutual recognition: application owners presently have no way of
determining which signature solution providers meet the security and
reliability requirements of their applications.
eSignatures:
Analysis, identified issues (2)
Qualified signature: Austria, Belgium, Ireland, Italy, Latvia, Portugal, Slovakia, Spain, Sweden, Germany, Estonia
Qualified certificate: Bulgaria, Croatia, Czech Republic, Slovenia, Finland, France, Turkey, Greece, Hungary, Malta, The Netherlands, Romania
Advanced signature: Denmark, Hungary, Luxembourg, Malta, Poland, Portugal, Slovakia
Simple signature / Authentication: Ireland, Cyprus, United Kingdom, Finland, Ireland, Lithuania, Luxembourg, Malta, The Netherlands, Portugal, United Kingdom
eSignatures:
Conclusions
Dissemination of available information on national
practices should be improved
There is a link and sometimes confusion between the
concepts and implementation of authentication and
electronic signatures
The trend is toward PKI solutions, hence this is where
initiatives should focus
A federated validation solution is needed to permit the
validation and the establishment of trust for foreign
signatures. Member States' opinions on EU involvement
and the role of the private sector should be sought
eSignatures:
List of supervised CSPs
eSignatures:
Federated Validation
IDABC
eID Interoperability for PEGS
Based on existing actions at the EU level (e.g. Modinis Study on ID
Management in eGovernment (DG INFSO), IST projects GUIDE,
FIDIS and PRIME (DG INFSO), work by the Porvoo Group, etc),
a strategy for eID Interoperability shall be elaborated that includes
as a minimum :
a survey and comparison of the national eID legal instruments for the
27 MS + 2 CC + 3 EEA;
a survey and description of the national technical solutions
implemented in each of the 27 + 2 + 3 Countries for the national eID.
a market assessment of the ID Management technical solutions; in
particular a high-level description of the concept of federated identities
and its applicability for interoperability of eIDs shall be produced;
a proposal and an impact assessment of a multi-level authentication
mechanism;
Common specifications for interoperable eID solutions shall be drafted
based on the results of the elaborated strategy for eID interoperability
eID:
Identity resources
27 issue identity cards (84%); 7 are currently deploying eID
cards to the public; 14 more are in the process of designing
eID cards for future roll-out
Apart from smart cards, in 12 countries out of 32 (37.5%) the
use of non-card tokens was reported; predominantly soft PKI
certificates
All countries use general identifiers in some form; specific
legal protection of such identifiers was reported in 20 of the
32 surveyed countries (62.5%)
Formal acceptance of an authentic source principle was
uncommon, being reported in only 5 countries out of 32
(16%). A further 9 countries (28%) had informally adopted
the principle, with another 3 (10%) planning to do so
eID:
Authentication
A total of 14 countries out of 32 (44%) reported using
public sector controlled PKI systems, with a total of 16
systems being reported. Of these 16 systems, 10 were
open to private sector use (62.5%). 16 countries out of 32
(50%) reported using public/private sector controlled PKI
systems.
75% of countries use PKI as a key authentication strategy
Username/password systems also remain very popular. In
total, 20 countries out of 32 (62.5%) have reported using
login systems as a key component of their eIDM strategy,
with 27 systems in total being reported. Of the reported
login systems, 17 were simple username/password
systems; 8 required a challenge/response system; and 2
required password calculators.
eID:
Mandates/roles
27 countries out of 32 (84%) have no form of mandate
management, apart from the static allocation of certificates
or credentials to the representatives of a specific legal entity
4 countries out of 32 (12.5%) have implemented an ad hoc
form of mandate management covering specific
applications or service types, most typically by allowing the
designation of an authorised representative in an
administration specific database
Only Austria has created a generic system of mandate
management, relying on the central source PIN Register
Authority
eID:
Multilevel authentication
15 out of 32 countries (47%) allow some form of multilevel
authentication structure to be derived; but only in 4 of these
countries can a formal authentication policy be identified
From a practical perspective, in most of these countries the
acceptance (formal or informal) of an authentication policy
has had a limited impact on the use of the applications
The practical impact of authentication policies has been
very limited thus far
eID:
Legal/policy analysis
The received responses confirmed the expectation that no
specific legal framework with regard to entity authentication
exists in any of the 32 surveyed countries
While a legal framework has often been created with regard
to electronic identity cards (specifically which information
they contain and what form they should take), the question
of which elements legally constitute an entity's identity has
not been explicitly regulated in any of the countries; nor has
any of the countries implemented a generic legal
framework detailing what authentication is, and at which
point authentication requirements have been met
eID:
Technical/infrastructure analysis
No common specification exists for tokens and application
middleware. Hardware tokens were not specified in 19
countries out of 32 (59.5%) and middleware applications
were not specified in 20 countries out of 32 (62.5%)
28 countries out of 32 (87.5%) are either using or planning to
use some sort of certificate based identities
22 countries out of 32 (68%) have implemented some level
of certificate based authentications to their eGovernment
services; 7 of the surveyed countries did not have any
specific eGovernment applications to present
23 countries out of 32 (72%) did not report a systematic
preference for industrial standards; with only SAML being
reported with any regularity (7 out of the 32 (22%))
More information
The IDABC Programme: http://ec.europa.eu/idabc
e-mail: idabc@ec.europa.eu
CIP Programme: http://ec.europa.eu/cip
ICT Policy Support Programme: http://europa.eu/ict_psp