European Electronic Identity Practices
Country Update of Sweden
Dag Osterman, SAMSET project, Swedish National Tax Agency, Head Office
Date: May 26, 2005

Goal
• 24/7 government e-services and private companies offering a "One-Stop-Service" over the Internet, based on:
  – eID (standardized)
  – yellow pages

CA organisation
• Responsible CA organisation: Swedish banks and TeliaSonera
• The background of the organisation (private/public): the government has signed frame agreements with the banks and TeliaSonera regarding ID services (checking of certificates, support to end users, etc.)
• Description of the existing CA infrastructure (e.g. registration authority, card factory etc.):
  Bank customers: citizens and companies
  0. The customer connects to the web services of his bank over the Internet. The bank offers him an eID free of charge.
  1. The customer downloads the eID from the bank.
  2. The customer connects, using the eID, to an Internet e-service of a government agency or a private company.
  3. The service provider asks the bank: valid/not valid?
  4. The bank checks its revocation list and responds: valid (or not valid).

Status of National legislation on eID
• Are eID specific regulations enacted and in place? Yes
• Name and date of the regulation(s): The law on qualified electronic signatures (2000:832). But there are no CAs registered to issue qualified electronic signatures; today there is no business demand for them.

Status of National deployment of eID
• Name of the project: SAMSET project, the Government Interoperability Board (e-nämnden) and the 24/7 Delegation.
• Plans, piloting or implementation?
  – legal Guidelines are implemented
  – test and "standardization" of user interface: ongoing
  – use of an eID for government agencies' information exchange: a project is ongoing to produce a Guideline
  – use of XML for government e-services ...
• Is the card obligatory? No
• Starting date of issuance: 2002 (2001 for companies)

Status of National deployment of eID
• Envisioned total number of holders of eID: 700 000 (about 100 000 on card). Number of inhabitants: 7.1 million "taxpayers".
• 2 134 000 used one electronic channel (of 6.5 million who could use prefilled tax forms) for income tax return:
  – 428 000 used eID (they could make changes in the tax form)
  – 902 000 used Internet + security code (accept the tax form)
  – 567 000 used telephone + security code (accept the tax form)
  – 237 000 used SMS (accept the tax form)
  – the Tax board saved $2 for each electronic tax return form
• Expected number of cards/eID certs by end of 2007: 3–4 million
[Chart: Number of eIDs used for income tax return, 2003–2005]

Status of national deployment of eID
• Basic functionalities of the eID:
  – official ID document: No, but there will be a national eID card issued by the police (October 2005)
  – European travel document: No, but the national eID card will be a Schengen passport
  – support of on-line access to e-Services: Yes, but whether the national card will contain the eID is currently being discussed with the banks
• Validity period of the card/certificates: soft 1–2 years, card 3–5 years

Status of national deployment of eID
• Price in Euros of the eID:
  – for the citizen: free of charge
  – price for the national eID card: 45 Euro
  – any additional costs for the relying party: for the user, no. The e-service provider pays for the ID service (checking of certificates and so on).
• From whom and how may the citizen obtain the end-user packages: from the banks and TeliaSonera over the Internet. For the national eID card, not yet decided.
Basic ID function
• What data is electronically stored in the eID:
  – national identifier: the personal number, used by all government agencies and many private companies; it includes date of birth, sex and a four-digit number
  – family name, given name

Basic ID function
• Are these data elements in a dedicated data file? Yes
  – How is the file protected? PIN
  – Does the data file comply with the ICAO LDS? No, but the national eID card will.
• Is the personal data (also) held in a certificate? Yes

Basic Authentication function
• What verification mechanism is used:
  – PIN? Yes
  – Biometrics? No
  – If no, is introduction of biometrics envisioned? No
• Is there a PKI supported authentication mechanism? Yes, but weak

Basic Signing function
• Is a PKI supported signing mechanism (certificate and keypair) present for e-transaction services (non-repudiation)? Yes, but we don't use the word "non-repudiation" because our courts have "free handling of proof"

eID based services
• Swedish Tax Agency services are accessible to holders based on acceptance of the eID certificates:
  – income tax return
  – monthly corporate tax return
  – tax account
  – preliminary income tax return
  – population registration certificate
  – registration of a business
  – report qualified person

eID based services
• Examples of other e-services which are accessible to holders based on acceptance of the eID certificates:
  – applications for temporary parental benefits (National Social Insurance Board)
  – calculation of a person's retirement pension (co-operation between the National Social Insurance Board, the Premium Pension Authority and different private insurance companies)
  – selection of school for your children
  – registration of a new address
  – permission to start a lorry/taxi/other vehicle corporation
  – the Swedish Farmers Supply and Crop Marketing Association (52 000 farmers) will use the eID for contracts between the farmers and the Association
  – identification for on-line shopping (some web shops)
  – renewal of bank
loans
  – a large number of local government e-services

eAuthentication Business models
• What are the charging/revenue mechanisms? The service provider pays for checking of the eID
• What charges are levied for use of the eID? None
• Is there a charge for checking certificates and if so who pays for this? The service provider
• Has a cost benefit analysis been compiled for the eID scheme? If yes, what are the main conclusions? No, but for some e-services
• Is there a study report available? N/A

eAuthentication Business models; public/private partnership
• Are non-government bodies allowed to use the eID in support of their services? Yes
• Is the card a multi-application smart card? Yes, some of the eID cards issued by banks are. In one or two years the banks will support EMV and include our eID on the card, too. The national eID card will probably (?) support our eID.

eAuthentication Business models; public/private partnership
• What is the approach to and experience with card branding? The Swedish banks will support the EMV card, but they will also include our eID on the card. Whether the banks will also include our eID on the national eID card is under discussion.

eAuthentication Business models; cross border usage
• Are there agreements with other national eID issuers for mutual recognition of eIDs?
  (Status of Memorandum of Understanding (MOU) with other CAs) No

Other Interoperability issues
• What is the level of current compliance with each of the following international standards or group activities (planned)? The answers are for the national eID card:
  – CWA eAuthentication (under development): Yes
  – CWA 14890 Secure Signature creation device: Yes, if/when we see a demand for qualified signatures arising
  – CEN 224-15 European Citizen Card (under development): Yes
  – ISO/IEC JTC1 SC 37 biometric standards: N/A
  – ISO/IEC JTC1 SC 17 IS 24727 (under development): Yes
  – ICAO recommendations: Yes

Current use and plans in Biometrics (the national eID card)
• Technical solution(s):
  – The national eID card will use face recognition; in 2006 it will probably also support fingerprint recognition (a law must be changed)
• Type of project(s):
  – Pilot on its way and deployment to the public October 2005
• Application areas:
  – Border control, immigration
  – National ID
  – Computer log on
  – Central, regional and local government services (if our eID is supported)

Next plans
• The necessary support now exists:
  – the eID standard
  – 700 000 end users
  – the infrastructure and the business model
  – roadmaps
  – most laws
• Now it is up to the agencies!

Lessons learned so far
• The costs for the citizen must be zero until the "market" can offer more e-services
• The market (esp. government) will not develop e-services if the citizens do not have eIDs
• This is the reason why the Swedish government has started with:
  – the customer base of the Internet banks (5 million customers)
  – "soft eID" (and "hard" eID at the same time), but we will migrate with the banks towards "hard eIDs"

Porvoo Group cooperation issues
• List of issues to be overcome and recommended Porvoo Group members' actions that would support accelerated deployments:
• Joint co-op letter to encourage PC manufacturers to include card readers as a standard component in PCs.
• Cooperation with Microsoft and other software vendors to get an acceptable "user interface" for the PKI-related functions. The PKI "language" must be hidden from the users.

More information
• Web pages for the project/eID issues: www.e-namnden.se (here you can find some of the SAMSET project Guidelines) and www.24sju.se
• The SAMSET project:
  – email: firstname.lastname@example.org
  – email, legal questions: email@example.com

Thank You!
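The personal number format listed on the "Basic ID function" slide above (date of birth, sex and a four-digit number), as an added example that is not part of the original presentation: a Python parser that extracts those fields and also verifies the Luhn check digit that the Swedish personal number carries, which the slide does not mention. The sample numbers are constructed for a fictitious person, and the century rule for the 10-digit form is the standard one (a '+' separator marks a holder aged 100 or more).

```python
import re
from datetime import date

# YYMMDD-NNNC ('+' for holders aged 100+) or YYYYMMDDNNNC; NNN = birth number, C = Luhn check digit.
PNR_RE = re.compile(r"^(\d{2})?(\d{2})(\d{2})(\d{2})([-+]?)(\d{3})(\d)$")

# Constructed sample numbers for a fictitious person born 1981-12-18 (not real people).
SAMPLE_MALE = "811218-9876"
SAMPLE_FEMALE = "811218-9868"

def luhn_check_digit(nine_digits: str) -> int:
    # Luhn (mod 10) over YYMMDDNNN with weights 2,1,2,1,... from the left.
    total = 0
    for i, ch in enumerate(nine_digits):
        prod = int(ch) * (2 if i % 2 == 0 else 1)
        total += prod // 10 + prod % 10  # add the digits of each product
    return (10 - total % 10) % 10

def parse_personnummer(pnr: str, today=None) -> dict:
    # Returns the fields the slide lists; raises ValueError on malformed input, a wrong check digit or an impossible date.
    today = today or date.today()
    m = PNR_RE.match(pnr.strip())
    if not m:
        raise ValueError("malformed personal number")
    century, yy, mm, dd, sep, birth_no, check = m.groups()
    if luhn_check_digit(yy + mm + dd + birth_no) != int(check):
        raise ValueError("check digit mismatch")
    if century:
        year = int(century + yy)
    else:  # 10-digit form: choose the century so the holder is under 100 ('-') or 100+ ('+')
        year = (today.year // 100) * 100 + int(yy)
        if year > today.year:
            year -= 100
        if sep == "+":
            year -= 100
    born = date(year, int(mm), int(dd))  # ValueError on e.g. 30 February
    return {
        "date_of_birth": born,
        "sex": "male" if int(birth_no[2]) % 2 else "female",  # odd = male, even = female
        "four_digit_number": birth_no + check,
        "canonical": born.strftime("%Y%m%d") + birth_no + check,
    }

def is_valid_personnummer(pnr: str, today=None) -> bool:
    try:
        parse_personnummer(pnr, today)
        return True
    except ValueError:
        return False
```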