Spain s strategy on eID - Ministry of Presidency
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
MINISTERIO DE LA
PRESIDENCIA
Spain´s strategy on eID
Ministry of Presidency
Some facts about Spain.... Population: 44 million 17 Regional Governments 8000 Municipalities Per capita personal income: 23000€ (105% of 27 EU MS average)
Current national scenario on eID PKI digital certificates are the most common solution for eID, as well as for digital signatures Lively market for CAs: 12 recognised CSPs by the Ministry of Industry as QC issuers Important uptake in the usage of QC in recent years: more than 7 million QC already issued Since 2006: Issuing of a National eID smart card Killer application since 2000 is the Tax declaration. Early return of payments if submitted over the internet (10 days)
An insight to the acreditted CSP
Well-developed market for CSP: 12 existing CAs
accredited by the Ministry of Industry as QC issuers (more
than 70 types of certificates)
A mature and complex scenario for PKIs:
Mixture of public and private CAs
QC on soft or smart-card technologies (producing advanced
or qualified signature)
Some of them aimed at professional bodies
Types of QC: issued to people (citizens), legal people (to the
legal representative of a company or business), server
certificate (for SSL, TSL sessions), TSA certificate
An insight to acreditted CSP in the country
Public CAs
Royal Mint: More than 2M certificates issued
Police Directorate: National eID card: More than 4M cards
issued and expected to reach the whole population by the next
few years
Regional PKIs: Set-up by the Governments of Catalonia, the
Basque Country and Valencia
QC are mostly free for the holder
Private CAs
Mainly focused on Professional Bodies: Lawyers, Chambers
of Commerce, Public Notaries, Enterprise Certificates, Civil
Servant Bodies…
Mostly the cost of QC is supported by the holder of the
certificate or by the Professional BodyThe national eID card. . National eID (DNIe) is the way forward from the traditional paper- based National Identity Card. Universal and mandatory Spanish identification card since 1937 and Schengen Territory Travel Document. There is no social rejection to its use 97% of the Spanish electronic records with personal data include the number of the DNI as the primary citizen identifier. Two digital certificates inside the chip: One for authentication One for electronic signature (qualified signature)
Front Side of the Card
Security UV / IR inks
background • Only UV /IR visible
• Fluorescent ink
• Guilloches that can include logotypes
OVI inks • iridescent printing
Surface structure
•Change in color depending on
the angle at which it is viewed. • Polycarbonate
• Guilloches and micro-printing
• Easy visual and tactile identification
Cryptographic
chip Picture
• Identification through biometric • Stamped with laser technology
data inside the card
• Cryptographic data • Fraud protection
• Digital certificates • Picture integrated with the card
background.
• Security frame and security
background
Changeable Laser Image (CLI)
• Different and specific information items, integrated into
the transparent overlay as a live screen. Hologram/Kinegram
• MLI picture • Holographic structure designed artistically
• Protected by a 100nm overlay.
7/46Chip Data
All the information contained in the eID is confirmed by the Certification
Authority (CA) in order to guarantee its integrity and authentication.
Private Area:
• Personal access code (private password)
• Authentication certificate
• Signature Certificate
Public Area:
• Public access code (public password)
• Certification of Certification Authority
Security Area (accesed by the Police
Deparment ):
• Biometric identifiers (fingerprint)
• Identity data (same data as ID card, picture
included)
• Series number
Fuente: Dirección General de la Policía
8/46The national eID card. A SSCD The card has been evaluated following CC standards and accredited as CWA 14169 compliant by the National Certification Authority. “DNIe exceeds CWA 14169, EAL4+, as required by EU for SSCD” The Certification Authority is the Police Directorate, dependant on the Ministry of Interior Affairs The Registration Authorities and issuing points are the Police Stations around the country. Real-time issuing service: Less than 15 minutes to generate the certificates and the printing of the card at the RA (decentralised model) The roll-out phase has recently finished and has reached more than 240 Police offices to date. In fact, 24.000 eID cards issued every day To date more that 14 million cards issued. By 2012 the eID card will have reached the population over 14 years old
User Environment
Hardware components
Personal Computer
ISO-7816-compliant smart card reader, connected by USB or by a
PCMCIA interface).
Software components
Operating Systems: MS Windows, Linux, UNIX, Mac
Browsers: MS Internet Explorer (>= 6.0), Firefox (>=1.5),
Netscape (>= 4.78)
Controllers or cryptographic modules
CSP forMS Windows / IExplorer
PKCS#11 for linux, UNIX, Mac and Java browsers (Firefox,
Netscape)
10/46The challenge: multiple scenario for PKI infrastructures
As a summary, important uptake of QC in Spain. This leads to a
complex scenario of more than 70 types of QC available in the country
National CAs Unmanageable and non-rational Public Administrations
model for interoperability! P R O L IA N T
8000
ESC
SD
Royal Mint
DLT
SD
Ministries
CICCP
CA for Lawyers
SD
P R O L IA N T
8000
ESC
Izenpe
ANF AC DLT
SD
Public Bodies
FirmaProfesional
eID Card P R O L IA N T
8000
ESC
SD
CATCert Public
BANESTO CA
Agencies
SD
DLT
ANCERT
CAMERFIRMA
SD
P R O L IA N T
8000
ESC
SD
Regional
EU CAs
DLT
Governments
Belgium, Estonia, Finland, P R O L IA N T
8000
ESC
SD
Portugal, Germany… DLT
SD
MunicipalitiesThe challenge: technicalities.
Technical challenges
- Accept certificates from many CAs
- Install and maintain software for
-validation of the authenticity and integrity of the certificate
-interpretation of the content of the certificate
-verification of digital signatures (crypto verification)
The technical complexity increases as the number of CAs
increases
The number of integration software components needed to
process the certificates increases accordingly4. Launch of the national Multiple-PKI Validation
Authority: main
Since eID and goalssignatures are key enablers to establish secure
digital
eGOV services, the aim was to create a Broker of CAS or Validation
Platform (VP) that allows eGovernment Applications to verify the
status of all the qualified certificates and eSignatures created in the
country
Validation Platform is the core element to facilitate among Public
Administrations the use of the same digital signature formats and
higher levels of trust for eID: INTEROPERABILITY OF DIFFERENT PKI
SOLUTIONS
The connection to the service provides immediate eID and
eSignature Features to eGovernment Portals for all the Qualified
Certificates issued in the country (Multiple-PKI Platform)The national Multiple-PKI Validation Platform: An essential element to develop
interoperability on eID and QS
Cost-efficient and rational
model for interoperability!
National CAs Public Administrations
SD
P R O L IA N T
8000
ESC
Royal Mint
DLT
SD
Ministries
CICCP
CA for Lawyers
SD
P R O L IA N T
8000
ESC
Izenpe
ANF AC DLT
SD
Public Bodies
FirmaProfesional
eID Card P R O L IA N T
8000
ESC
SD
CATCert Public
BANESTO CA
Agencies
SD
DLT
ANCERT
CAMERFIRMA
SD
P R O L IA N T
8000
ESC
Multiple-PKI SD
Regional
EU CAs validation Platform DLT
Governments
Belgium, Estonia, Finland, P R O L IA N T
8000
ESC
SD
Portugal, Germany… DLT
SD
MunicipalitiesThe national Multiple-PKI Validation Platform: interconnection scheme
Multiple 1) Identification/eSignature
signatures Transaction
A) Citizen/ B) eGovernment
Business Service Portal
3) Validation and Verification 2) Validation and
Response Verification Request
D) Certification
Service Providers
established in Spain
and abroad
C) VPMultiPKI Validation Platform @firma
Mode I: ASP - Application Service Provider
Citizens and
Enterprises
MPR publish the validation and e-signature services
through its platform. SOA - Centralized
Services accessed by SARA.
Available since December ’05 2 Service
access
5 Signature/
Authentication
Delegated administration for public bodies
I*Net
Different activity and transactional reports.
SLA enforcement
Public bodies
Availability of a help desk service for different public users
bodies and users; integration and testing.
To benefit from agreements with PSCs.
S.A.R.A.
To cut down cost sand investment : development,
support, platform, ... Validaton Service
3 4
request response
Transparency in the release updates, patches, etc. 1 Integration
OCSP PSC
HTTPS
PSC
LDAP
PSC
- 16 - ...Two patterns
@firma Validation Platfomr
Mode II: Federate / Distributed Testa
network
EUROPE
Distribution of @firma to be installed in its
own platforms.
SOA - Distributed
Free distribution of new releases, patches, etc. OCSP PSC
OCSP PSC
The configuration of the Central Server is
OCSP PSC
HTTPS
PSC HTTPS
PSC
LDAP HTTPS
distributed to the delegated implementations.
LDAP PSC
PSC OCSP
PSC PSC
LDAP
... PSC
... HTTPS
PSC
...
Exchange of reliable tokens :
OCSP PSC LDAP
PSC
HTTPS
PSC ...
LDAP
PSC
TSLs compliant with ETSI TR 102 030.
...
XML structure to define signature policies,
certificates, etc ... OCSP PSC
Exchange with public bodies and providers HTTPS
Suitable to the performance and architecture
PSC
needs of each body
LDAP
S.A.R.A. PSC
Backup configuration between the different
...
platforms
I*Net
- 17 -@firma service suite:
@firma client
@firma-compliant client:
o Applet
o Desktop application
Signature formats that are supported:
o Single or multiple signature
o Massive signature
o CAdES, XAdES, PDF, ODF
Software certificates or smart cards
Operating Systems
o Windows,
o Linux,
o Mac
Browsers:
o Firefox,
o Explorer,
o Chrome
o Safari@firma service suite:
VALIDe
Online signature and certificate validation service
14 national providers and 1 abroad Ciudadanos / Empresas
Services available:
o Certification validation
o Virtual office validation
o Signature validation and document preview
o Signature
I*Net
S.A.R.A.
OCSP PSC
HTTPS
PSC
LDAP
PSC
...@firma services suite:
TS@
Time Stamp Authority for the Public Administration
Available for all the Public Administration Bodies
Accessed through the SARA network
Services available:
o Timestamping
o RFC 3161-based Interface for Server Socket
o DSS OASIS-based WebServices Interface, specifically XML profile
Timestamping Profile
o Timestap validation
o Restamping
@firma services suite:
Port@firma
It allows to integrate the eSign in the organisational workflow.
o It publishes web services for the integration with workflow applications.
o It performs the signatures and validations through the @firma platform.Suite de productos @firma:
Cifras
Average of 1.400.000 monthly validations
Over 1.000.000 time stamps
Over 300 new organism (at national, autonomic and local level)
Over 500 applications
14 national certification providers and 1 provider abroad
Awarded by the Good Practice Label 2007 and Best Practice 2008
@firmaServices offered by the VP (Sept 2009)
1.Certificate validation services for all the QC issued in Spain: Use
of OCSP and WS protocols. Integrity /quality, validity and
revocation checking of the whole CA chain and the issued QC
If required, most relevant fields of the QC are extracted in order to
compose an easily interpretable XML scheme that is sent back
along with the validation response
2. Signature verification service: Verification of PKI-based digital
signatures
Acceptance of various European standards: CMS, PKCS#7,
XADES- BES, XADES-T, CADES-BES, CADES-T, ODF, PDF
3. Client component (applet) for signature creationMain eGOV application using the VP services
The Tax Agency and Social Security Departament run their own VP
due to the large amount of monthly transactions performed (millions
of QC validations/ QS verification)
The vast majority of Public Sector eGOV services in the country are
users of the MPA VP
Ranking of main users (in terms of the highest number of
transactions performed against the VP):
On-line request service for unemployment benefits
On-line verification service of personal address and
checking of driving offence points
Announcement of movement service
On-line purchase of treasury bondsLessons learned from the VP 1) The VP is a cost-efficient and time-saving service providing eID and electronic signature features in a simple way. In fact, it prevents Public Bodies from investing in validation SW modules and other communications-related infrastructures needed to interconnect eGOV systems to every qualified CA. There is no need either in implementing technologies for eSig creation/validation-related processes 2) The uptake in the use of digital certificates in the public sector is encouraging the private sector to provide secure services based on the national eID card (i.e.: in the banking sector 12 entities already incorporating the eID card at on-lie banking services 3) Spain is also taking part in the Large Scale Pilots on eIDM within the CIP initiative (STORK Consortium) and will integrate this national infrastructure to the future interoperability framework for eID to accept other EU eIDs
More Information
• On the national eID card:
• http://www.dnielectronico.es/
• On the Multiple PKI Validation Platform
• http://www.ctt.map.es/web/offonce/proyectos/afirma
• http://www.dnielectronico.es/seccion_aapp/platform
.html
• http://www.epractice.eu/cases/1984Thank you!
You can also read
