Joint workshop of Porvoo and GCF hosted by the Porvoo 7 meeting May , Reykjavik, Iceland moderated by Jan van Arkel, co–chair Porvoo acting chair GCF
Shaking hands ……..
Porvoo Group Established in Porvoo in April 2002 A co-operative network of parties in charge of public certificates for citizens Information exchange on eID experiences and national eID-projects in Europe Develops the general usage of public certificates in The European Electronic Communication Promotes the use of certificates and aims at making communication more convenient and offer where possible, a uniform solution for the European Citizen
Global Collaboration Forum on world-wide interoperable IAS Established in 2001 (as follow up of earlier EU-Japan contacts) Participants: eESC, NICSS, NIST, Global Platform, Maosco, ISO Regular bi-annual meetings ( Iceland is GCF 8) Rotating chair (presently held by EU) Products so far: - Mapping document of GIF/GSC-IS and NICSS Framework - Common Glossary of terms (in line with CWA 15264) - Draft for Common Requirements for eID in eGovernment domain (in line with CWA 15264) - common position on ISO Individual contributions to ISO 24727
eESC - GlF CWA eAut CEN 224_15 ECC NICSS-Framework V1.0 (NICSS) GSC-Framework V2.1 (NIST) & FIPS 201 The 3 regional frameworks
Short-term activities: GCF Long-term and Short-term Scopes of GCF To share the information about participants’ activities and overall short- term activities and to discuss common issues of interest To hold 2 Plenary Meetings annually Activities related to long-term scopes are taken for two years as a start. Afterwards it is decided if these need to be continued. Long-term Activities Short-term Activities Each participant takes leadership in an area of his interest. WG are established as required. The proposing participant is the leader. E-Authentication MRTD DL Scheme for Multi-AP SC Participants ( organizations ): - Global Platform - Eurosmart - MAOSCO - ISO
EU update ( J. van Arkel) US eID development status update, Jim Dray, NIST, USA) - Homeland Security Presidential Directive HSPD No status of FIPS 210 standard - status of ISO 24727, - status and plans for deployment Japan status update - Japanese developments on eID, Hiroshi Shimada, Fujitsu/NICSS - Status of Asian Smart Card Forum, Shoji Miyamoto (Hitachi) Discussion on a World eID Steering Committee ( by all ) rationale for the joint workshop Agenda for the joint workshop
Legal issue Standardisation Deployment EU update
Procedure when issuing an eID Content of eID Cardholder verification procedures Data Protection Liability Revocation of eID What needs to be regulated?
Privacy Directive + implementation in national legislation E-sign Directive + implementation in national legislation IAS: Discussion on Thomas Myhr report EU council regulation on ePassports 15152/04 ; 2252/04 dd 13 Dec. 2004; Decision of the EC 28 Feb (technical specification in relation to standards on security and biometrics for Passports and travel documents) Pending: technical specification on fingerprint in passport What is already in place in the EU?
Legal Standardisation Deployment Status in eID
CEN/ISSS WS eAuthentication (Government requirements, Architectural model, Business models, Legal Framework, Card issuer guidelines, Multi-application environment, Human interface aspects, eID policy vision) CEN 224 WG 15 European Citizen Card (Policy and rules for CMS, Physical and logical card characteristics, data elements and structures, IAS procedures, Durability aspects) Europe
CWA part 1: Architecture for a European interoperable eID system within a smart card infrastructure CWA part 2: Best Practice Manual for card scheme operators exploiting a multi-application card scheme incorporating interoperable IAS services CWA part 3: User Requirements for a European interoperable eID system within a smart card infrastructure eID Strategic Vision Report Download area: /isss/activity/wseaut.asp Results of WS eAut
Workgroup was launched in Feb 2004 Chair: L. Gaston, Axalto, Secretariat: AFNOR Constituency: 20+ organisations 2 Subgroups are active: SG 1: Physical aspects; SG 2: Logical data aspects Final meetings on May 11-12, 2005 in Vienna 2 part Technical Standard will be out for voting after CEN 224 approval (additional parts on ECC management & business models and SC durability classes is pending) Status of CEN 224 –WG 15 ECC
The eID systems shall support a secure and reliable cardholder electronic signature funtion for the purpose of legal validaty of the signature For Europe the PKI system elements of the system shall be in complicance with the qualified digital signature as per article 5.1 of the EU directive 1999/93/EC on a Community framework for electronic signatures The PKI system elements shall be in compliance with ETSI QCP The PKI system elements shall be in compliance with CWA parts 1 –2 Electronic signature status
ISO/IEC BioAPI, BioAPI specification ISO/IEC Common Biometric Exchange formats (CBEFF) Part 1: Data Element Specification ISO/IEC Biometric Data Interchange Format Part 2: Finger Minutiae Data Part 8: Finger Pattern Skeletal Data (Porvoo position?) Part 4: Finger Image Data (Porvoo position?) SC 17 : ISO/IEC : Personal verification through biometric methods in ID’s Biometrics, SC 37 ISO SC 17
SC standard ISO/IEC part 1: architecture part 2: card interface (card edge) part 3: high level application API (BSI) (will be addressed by Jim Dray) Deployment will be addressed by US, Japan and EU country updates. ISO SC 17
Discussion on a World-wide eID Steering committee
Discussion on the concept of a World eID Steering Committee Excerpt from the agenda: The idea was launched at the Smart Card Charter conference in December 2004 in Prague. A first version of a vision paper is downloadable from the Porvoo 7 website. The basic idea being a mandated group of Government representatives on eID, setting World wide common requirements and stimulating the realisation of interoperability (adaptors).
World eID forum document draft version 1.1. February Table of Content 1. Rationale 2. Vision 3. Scope 4. Objective 5. Participants 6. Organisation 7. Related organisations 8. Activities and Deliverables 9. Support and funding mechanism
global support of eServices (building block for trust, security, and convenience, without e-ID there is no real national and global eGovernment) global combating of ID Fraud (causes more and more of a problem) global anti-terrorism measure Building a more global (European) society (making persons aware to be a –relevant- part of society as well as offering them a seamless experience) Vision: Why global eID?
Some inhibitors so far No strong leadership, no formal cooperation State of the art of the technology and standardisation (dripping wet) Costs and benefits, business cases Not invented here (Scandinavia, GIXEL, DIF, other countries)
EU 2004 Report: Rethinking the European ICT agenda (10 ICT-Breakthroughs for reaching Lisbon Goals) The breakthrough that is needed is an increased ICT utilisation by establishing: - Authentication: Pan-European interoperability (minimum) or standardization (preferred) of authentication systems/platforms - Security: Pan-European emphasis on security standards in relation to access, identity theft and secure transactions Policy support of IAS (1)
Resolution of the future Information Society policy of the Union adopted on 10 December 2004 by the Council of the European Union (one of the 6 priorities): To create a favourable environment for industry and the public sector to develop, both in Europe and globally, effective and interoperable solutions, in particular for electronic payments, authentication, identity management as well as security. Policy support of IAS (2)
Policy support of IAS (3) G Summit endorsed the statement “Accelerate development of international standards for the interoperability of government-issued smart chip passports and other government-issued identity documents. We will work for implementation by the 2005 Summit“ http: //www/g8usa.gov/d f.htm
There are relevant use cases for IAS (TC224/WG15) 1. encryption and digital signature 2.The National Tax Board and administration 3.The National Social Insurance Board 4.Employee ID (physical & logical access) 5.Medical services access 6.Industrial security 7.National archive access 8.Public registries access
European ID Management Projects Modinis Study (operational) Support progress towards a coherent approach in electronic identity management Provide information on eID technologies, related market developments and technical requirements Provide a prospective analysis of possible initiatives and solutions at European level The GUIDE Project (FP6, operational) Research and develop an open identity management architecture as core technology for e-Government solutions To create a world-class and innovative European e-Government market. To demonstrate and evaluate solutions in the three major areas of e- Government services: A2A, A2B & A2C CEN/ISSS WS MMUSST (operational) TIFI project (under evaluation) Porvoo signed declaration of cooperation)
E-Sign K CWA eEpoch WP3 BIKE WSeAut CWA E-SignGIF CEN/ISSS eEurope SC Charter TC224 WG15 TS ECC SC17 WG4 ISO/IEC 24727
Overview of relevant actors Policy makers on eID in EU and other regions Standardisation bodies CEN CEN 224/WG 15 ECC CEN/ISSS CWA 15264, CWA ISO ISO/IEC Regional standardisation US FIPS 201, Japanese ICSS, Asian Card Forum EU Industry consortia: Germany:DIF France: GIXEL Porvoo Common Requirements Eepoch BIKE GCF Cooperative Framework EU projects Guide, Modinis, Impact, Regional & national deployment
Report CEN/ISSS Focus group on eHealth (March 1, 2005) Establishing an Interoperability Platform The Member States, with the Commission, should establish a permanent platform with a mandate, and the necessary resources to promote eHealth interoperability based on standards and to facilitate co-operation between Member States. This eHealth interoperability platform should: establish a Europe-wide view on the requirements for standardisation and its implementation in specific domains, in collaboration with standards organisations, based on input from relevant stakeholders communities; encourage and promote an environment for detailed specifications testing, evaluation or certification, to achieve interoperability of systems based on standards; establish a means for tracking and promoting good practice, and foster pilot implementations in compliance with the aforementioned environment; encourage agreements across national borders and between professional groups; encourage the further development of an appropriate European legal and regulatory framework; promote the establishment of infrastructure services such as for the creation and maintenance of terminology systems and knowledge repositories.
World eID Forum Participants Vision (everyone who shares the vision) Interoperability charter (and signs the IOP charter) Relevant stakeholders (eGovernment representatives) Mandate (is this realistic?) Organisation New organisation? (preferable not, but how to organise?) No legal entity Chair and secretariat No permanent staff Activity plan
World eID Forum Activity plan Contributing to the legal issue of World wide interoperable eID Setting joint requirements for interoperable World wide eID Information exchange between participants on eID deployment Set-up, maintenance and exploitation of an eID-body of knowledge Exploiting an interoperability demonstrating and test environment, including Open Source solutions Issuance of eID interoperability compliance certificates Development of a eID Implementation and Guidance document offering - best practice information - choices in standards and preferred options in standards (PKCS #11 interface, PKCS #15 profile, harmonised Human Interface etc) - exploitation models - study into basic eID versus role based ID - study in International validation services etc ……….
World eID Forum Support and funding mechanisms Option 1: Virtual, non funded organisation, embedded/part of other organisation, like Porvoo, GCF, Modinis project, Guide project Option 2: Separate body with participation fee from participants Option 3: CEN/ISSS Workshop for 2 year period (meaning small participation fee) Option 4: EU funded IST/IP project Other options?
Questions for discussion …. 1.Is there a common understanding of the need? 2.Do we support the idea of a joint approach? 3.If yes, how to organise such an activity, in what context, and do we need more mandate? 4.What activities would we like to carry out? 5.………….