European Electronic Identity Practices Country Update of Spain Date: 26 May 2005
CA organisation I Responsible CA organisation: National Spanish Police Department. (Ministry of Interior ). The background of the organisation (private/public): Public
CA organisation II Double CAs Infrastructure. Root CA technology A, and two SubCAs Technology A and B. We have 380 Police Station where all Spanish people can get their eID-card. The Card Factory is FNMT (Spanish Royal Mint).
Status of National legislation on eID I Are eID specific regulations enacted and in place? Yes –Directive 1999/93/CE. –Law 59/2003 of Electronic signature. –Directive 1995/46/CE, Directive 97/66/EC, Directive 2002/58/CE. Regulation (EC) 45/2001. About processing of personal data. –Organic Law 15/1999, of protection of data of personal character. –Organic Law 1/1992, of protection of city life –The Decree 196/1976 regulates the DNI (National Identity Card). –It has been partially modified by Royal Decree 1189/1978, 2002/1979, 2091/1982, 1245/1985. –Minister of Interior orders of July 12, 1990 and April 26, 1996 –Royal Decree 896/2003 regulates the Pasports.
Status of National deployment of eID Name of the project: DNI electrónico Plans, piloting or implementation? We should be starting and the end of 1Q of 2006 The eID card is mandatory for all >= 14 years Starting date of issuance: End of 1Q of 2006
Status of National deployment of eID Envisioned total number of cardholders: Number of inhabitants: Expected number of cards/eID certs by end of 2007: – eID-Cards. – Certificates.
Status of national deployment of eID Basic functionalities of the eID card: - official ID document: Yes - European travel document: Yes, but not ePasport - support of on-line access to e-Services: Yes Validity period of the card/certificates: –eID-card: 5 or 10 years depending the age of the cardholder. –Certificates: 30 months.
Status of national deployment of eID Price in Euros of the cards: - for the citizen: Tbd. - for the card issuer: Tbd - price for the card reader and software: Out of Scope - any additonal costs for the user/relying party: N one From whom and how may the citizen obtain the end/user packages: From Project and partners Website.
Basic ID function I Inside the eID-card we only stored: - Two Certificates (Autentication & No repudiation). - Personal National Identifier. - first & second family name, given name - date of birth - nationality - Fingerprint for MoC. - Application for MoC. - Hash personal data. Personal data is held only in the certificates, and printed in the Policarbonate (PC).
Basic ID function II We have two Certificates: –Autentication is free. –Signature (N R), is protected by PIN. Our project is out of the ICAO LDS scope. There is another project that we undertake in the near future.
Basic Authentication function What Cardholder Verification mechanism is used: - PIN? Yes - Biometrics? Yes, MoC, for Certificate update. Is there a PKI supported cardholder authentication mechanism? Yes. Is there a mutual device authentication mechanism? Yes for issue & update. No for USE
Basic Signing function Is a PKI supported signing mechanism (certificate and keypair) present for e- transaction services (non –repudiation)? Yes. And our eID CARD is: - CC EAL CWA – SSCD type 3. - CWA – 14890–1. Application Interface for smart cards used as Secure Signature Creation Devices. Part 1: Basic requirements.
eID based services What kind of services (include examples) are accessible to cardholders based on acceptance of the cards / eID Certificates: Law 59/2003 of Electronic signature, artº 16 “All public administration should used, if it is possible, the signing mechanism of spanish eID” - The “Agencia Estatal de Administración Tributaria” (for tax declaration) - The “Seguridad Social” (Social Security).
eAuthentication Business models; financial What are the Charging/Revenue mechanisms? –There are only charges for card expedition or update. The expedition and update of the certificates are free of charge. What charges are levied for use of the card? None. Is there a charge for checking certificates and if so who pays for this? NO Has a cost benefit analysis been compiled for the eID scheme? If yes what are the main conclusions? Out of scope
eAuthentication Business models; public/private partnership Are non government bodies allowed to use the IAS or other card functions in support of their services? YES, Only IAS. The CARD will never be used as health insurance card or bank card. Only as Id CARD & travel document. Is the card a multi-application smart card? Yes, Only Cryptographic & Match on Card
eAuthentication Business models; public/private partnership What is the level of usage of supported services (number of transactions per card per year)? Without limits
eAuthentication Business models; cross border usage Are there agreements with other national smart card issuers for mutual recognition of cards? (Status of Memorandum of Understanding (MOU) with other CAs) Not nowadays, but we are open to all type of Understanding.
Other Interoperability issues What is the level of Current Compliance with each of the following international standards or group activities (Full/Planned/None): –CWA eAuthentication (under development): Tbd –CWA Secure Signature creation device: FULL. –CWA – 1 : FULL –CEN 224 –15 European Citizen Card (under development): Tbd –ISO/IEC JTC1 SC 37 biometric standards: FULL. –ISO/IEC JTC1 SC 17 IS (under developmment): Tbd –ICAO recommendations: Planned, for 2007
Current use and plans in Biometrics (if applicable) Technical solution(s): We are working with Sagem and Siemens in the field of Match On Card. We store an Algoritm & template inside the CHIP. We use ISO/IEC , ISO/IEC , ISO/IEC 19785, ISO/IEC FDIS
Next plans We will aim to transform our eID in eID with ePasport funcionality. We will use Dual or Hybrid smart Card for this task.
Porvoo Group cooperation issues List of issues to be overcome and recommended Porvoo Group members actions that would support accelerated deployments: W e want to talk with Microsoft/SUN/Linux Comunnity to include our CSP/PKCS#11 and Root CA Public Key in their OS.
Environment... Client Application RTF, HTML, PDF XML Firma plugin / applet (PKCS#7 / XML) (S/MIME) Web (SSL) Logon (Kerberos) PC/SC Drivers Microsoft Resource Manager DNIe PKCS#11 Netscape Internal PKCS#11 Netscape Internal Services RSA Base CSP DNIe CSP CryptoAPI Authenticode
More information Web-pages for the project/eID issues: (under construction) Thank You!