Interoperable European Electronic Identities

European Electronic Identity Practices

Country Update of Sweden
Dag Osterman, SAMSET project, Swedish
National Tax Agency, Head Office
Date: May 26, 2005

Goal

[Diagram labels: 24/7 Government e-services; Private companies; "One-Stop-Service"; Internet]

• eID (standardized)
• yellow pages

CA organisation

• Responsible CA organisation: Swedish banks and
  TeliaSonera

• The background of the organisation (private/public):
  The government has signed frame agreements with
  the banks and TeliaSonera regarding ID-services
  (checking of certificates, support to end users ...)

• Description of the existing CA infrastructure (e.g.
  registration authority, card factory etc):
  [Diagram sequence, steps 0 to 4. Labels: Bank, Internet, eID, bank revocation list. Bank customers: citizens, companies]

  0. The customer connects to the web services of his bank. The bank offers him an eID free of charge.
  1. The customer downloads the eID from the bank.
  2. The customer connects to an e-service of:
     • a government agency
     • a private company
  3. The service provider asks: valid/not valid?
  4. The bank responds: valid (not valid)
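
A minimal model of steps 2 to 4 above, added here as an illustration and not code from the SAMSET project or the banks: the service provider asks the issuing bank whether an eID is valid and denies access unless the answer is "valid". All class and function names, the issuer name and the sample eID are constructed, and the model carries no real cryptography; the per-check counter reflects the deck's statement that the service provider pays for checking.

```python
from dataclasses import dataclass, field
from datetime import date

@dataclass(frozen=True)
class EID:
    """Constructed stand-in for an eID certificate (no real cryptography)."""
    serial: int
    issuer: str
    holder: str
    not_before: date
    not_after: date

@dataclass
class BankIDService:
    """Hypothetical model of the issuing bank's ID-service."""
    issued: dict = field(default_factory=dict)   # serial -> EID as issued
    revoked: set = field(default_factory=set)    # the bank's revocation list
    billed: dict = field(default_factory=dict)   # provider -> number of checks

    def issue(self, eid):
        self.issued[eid.serial] = eid

    def check(self, provider, eid, today):
        """Steps 3 and 4: answer the provider's question, valid / not valid."""
        self.billed[provider] = self.billed.get(provider, 0) + 1
        known = self.issued.get(eid.serial) == eid   # unknown or altered -> False
        in_period = eid.not_before <= today <= eid.not_after
        ok = known and in_period and eid.serial not in self.revoked
        return "valid" if ok else "not valid"

def authenticate(provider, eid, issuers, today):
    """Relying party: fail closed unless the issuer answers 'valid'."""
    service = issuers.get(eid.issuer)
    if service is None:          # no agreement with this issuer
        return False
    return service.check(provider, eid, today) == "valid"

def demo():
    bank = BankIDService()
    eid = EID(1001, "ExampleBank", "Example Holder",
              date(2005, 1, 1), date(2006, 12, 31))   # constructed sample
    bank.issue(eid)
    issuers = {"ExampleBank": bank}
    before = authenticate("tax-agency", eid, issuers, date(2005, 5, 26))
    bank.revoked.add(eid.serial)                      # holder reports it lost
    after = authenticate("tax-agency", eid, issuers, date(2005, 5, 27))
    return before, after, bank.billed["tax-agency"]

if __name__ == "__main__":
    print(demo())
```

The same eID is accepted before revocation and refused after it, and both questions are counted against the service provider.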

Status of National legislation on eID

• Are eID specific regulations enacted and in
  place? Yes
• Name and date of the regulation(s):
  The law on qualified electronic signatures
  (2000:832).
  But there are no CAs registered to issue
  qualified electronic signatures. Today there
  is no business demand for them.

Status of National deployment of eID

• Name of the project: SAMSET-project, the Government
  Interoperability Board (e-nämnden) and the 24/7 Delegation.

• Plans, piloting or implementation?
   – legal Guidelines are implemented
   – test and "standardization" of user interface - ongoing
   – use of an eID for government agencies' information exchange:
     a project is ongoing to produce a Guideline
   – use of XML for government e-services ...

• Is the card obligatory? No
• Starting date of issuance: 2002 (2001 for companies)
• Envisioned total number of holders of eID:
  700 000 (about 100 000 on card)
• Number of inhabitants: 7.1 million "taxpayers".
• 2 134 000 used one electronic channel (of 6.5
  million who could use prefilled tax forms) for income
  tax return.
   –   428 000 used eID (they could make changes in the tax form)
   –   902 000 used Internet + security code (accept the tax form)
   –   567 000 used telephone + security code (accept the tax form)
   –   237 000 used SMS (accept the tax form)
   –   The Tax board saved $2 for one electronic tax return form
• Expected number of cards/eID certs by
  end of 2007: 3 – 4 million

[Chart: Number of eIDs used for income tax return, by year (2003, 2004, 2005); vertical axis from 0 to 450 000]

• Basic functionalities of the eID:
  - official ID document: No – but there will be
  a national eID card issued by the police (October 2005)
  - European travel document: No – but the national eID
  card will be a Schengen passport
  - support of on-line access to e-Services: Yes – but
  whether the national card will contain the eID is currently
  being discussed with the banks

• Validity period of the card/certificates: soft 1-2 years, card
  3-5 years
• Price in Euros of the eID:
  - for the citizen:
  Free of charge
  - price for the national eID-card: Euro 45.
  - any additional costs for the relying party:
  For the user no. The e-service provider pays
  for the ID-service (checking of certificates and so on)
• From whom and how may the citizen obtain the
  end/user packages: From the banks and
  TeliaSonera over the Internet. For the national
  eID-card not yet decided.

Basic ID function

• What data is electronically stored in the eID:
  - national identifier
       - personal number – used by all government
       agencies and many private companies -
       includes:
           – date of birth
           – sex
           – a four digit number
  - family name, given name
• Are these data elements in a dedicated
  data file? Yes
  - How is the file protected? PIN
  - Does the data file comply with the ICAO LDS?
  No – but the national eID-card will.
• Is the personal data (also) held in a
  certificate? Yes

Basic Authentication function

• What Verification mechanism is used:
  - PIN? Yes
  - Biometrics? No
  - If No, is introduction of biometrics envisioned? No

• Is there a PKI supported authentication
  mechanism? Yes but weak

Basic Signing function

• Is a PKI supported signing mechanism
  (certificate and keypair) present for
  e-transaction services (non-repudiation)?
  Yes - but we don't use the word "non-repudiation"
  because our courts have "free handling of proof"

eID based services

• Swedish Tax Agency services are accessible
  to holders based on acceptance of the eID
  Certificates:
  –   income tax return
  –   monthly corporate tax return
  –   tax account
  –   preliminary income tax return
  –   population registration certificate
  –   registration of a business
  –   report qualified person
• Example of other e-services which are accessible to
  holders based on acceptance of the eID Certificates:
   – applications for temporary parental benefits (National Social
     Insurance board)
   – calculation of a person's retirement pension (co-operation
     between National Social Insurance board, Premium Pension
     authority and different private insurance companies)
   – selection of school for your children
   – registration of a new address
   – permission to start a lorry/taxi/other vehicle corporation
   – the Swedish Farmers Supply and Crop Marketing Association
     (52 000 farmers) will use the eID for contracts between the
     farmers and the Association
   – identification for on-line shopping (some web shops)
   – renewal of bank loans
   – a large number of local government e-services

eAuthentication Business models

• What are the Charging/Revenue mechanisms?
  The service provider pays for checking of the eID
• What charges are levied for use of the eID? None
• Is there a charge for checking certificates and if so
  who pays for this? The service provider
• Has a cost benefit analysis been compiled for the
  eID scheme? If yes what are the main
  conclusions? No – but for some e-services
• Is there a study report available? N/A

eAuthentication Business models; public/private partnership

• Are non government bodies allowed to use
  the eID in support of their services? Yes
• Is the card a multi-application smart card?
  Yes, some of the eID-cards issued by banks
  are. In one or two years the banks will
  support EMV and include our eID on the
  card, too. The national eID-card will
  probably (?) support our eID.
• What is the approach to and experience with
  card branding? The Swedish banks will
  support the EMV card, but they will also
  include our eID on the card. Whether the banks
  will also include our eID on the national eID-card
  is under discussion

eAuthentication Business models; cross border usage

• Are there agreements with other national eID
  issuers for mutual recognition of eIDs?
  (Status of Memorandum of Understanding
  (MOU) with other CAs)
  No

Other Interoperability issues

• What is the level of Current Compliance with each of the
  following international standards or group activities
  (Planned): the answers are for the national eID-card
   – CWA eAuthentication (under development): Yes
   – CWA 14890 Secure Signature creation device: Yes if/when we will
     see a demand for qualified signatures arising
   – CEN 224 –15 European Citizen Card (under development): Yes
   – ISO/IEC JTC1 SC 37 biometric standards: N/A
   – ISO/IEC JTC1 SC 17 IS 24727 (under development): Yes
   – ICAO recommendations: Yes

Current use and plans in Biometrics (the national eID-card)

• Technical solution(s):
   – The national eID card will use face recognition, in 2006 it will
     probably also support fingerprint recognition (a law must be
     changed)
• Type of project(s):
   – Pilot on its way and deployment to the public October 2005.
• Application areas:
   –   Border Control, immigration
   –   National ID
   –   Computer log on
   –   Central, regional and local government services (if our eID is
       supported)

Next plans

• The necessary support now exists:
  – the eID standard
  – 700 000 end users
  – the infrastructure and the business model
  – roadmaps
  – most laws
• Now it is up to the agencies!

Lessons learned so far

• The costs for the citizen must be zero till the "market"
  can offer more e-services
• The market (esp. government) will not develop e-services
  if the citizens do not have eIDs
• This is the reason why the Swedish government has
  started with:
   – the customer base of the Internet Banks (5 million
     customers)
   – "soft eID" (and "hard" eID at the same time)
  but we will migrate with the Banks towards "hard
  eIDs"

Porvoo Group cooperation issues

• List of issues to be overcome and recommended
  Porvoo Group member actions that would support
  accelerated deployments:

• Joint co-op letter to encourage PC manufacturers to
  include card readers as a standard component in
  PCs.
• Cooperation with Microsoft and other software
  vendors to get an acceptable "user interface" for the
  PKI-related functions. The PKI "language" must be
  hidden from the users.

More information

• Web-pages for the project/eID issues:
  www.e-namnden.se (here you can find some of the
  SAMSET project Guidelines) and www.24sju.se

The SAMSET project:
• email: dag.osterman@skatteverket.se
• email legal questions: johan.balman@skatteverket.se

Thank You!