National Smartcard Project Work Package 8 – Security Issues Report

Corporate Structures Report Format of report: Executive summary Introduction and Scope of report Electronic Signatures Certification-Service-Providers ISO Authentication Smartcard Issues Memorandum of agreement

The Executive Summary outlines: What is covered in the introduction to this report The scope of this report The key points covered in each section of this report and any conclusions reached Executive Summary

Introduction The Introduction explains: Purposes of report Parameters of report Context in which to be read Summary of key legislation and regulation reviewed Please note that the report should be read in conjunction with the Introductory Report

Electronic Signatures EU Directive on a community framework for electronic signatures (1999) Basic and advanced electronic signatures Technologically neutral Electronic Communications Act 2000 Definition of “Electronic Signature” Section 7 UNCITRAL Model Law on Electronic Signatures Functional Equivalent Approach Article 6 – “Compliance with a requirement for a signature” Electronic Signatures Regulations 2002

Electronic Signatures (continued) Law Commission Advice “Electronic Commerce: Formal requirements in Electronic Transactions” Reviewed legal status of: Electronic documents Electronic signatures Adopted “functional equivalent approach”

Electronic Signatures (continued) What is a signature? Means of identification Indication of personal involvement Indication of intention to be bound Law Commission advised: Look at function not form Courts can determine evidential weight Various types of signature already accepted printed, scanned, typed, faxed Considered 4 types of electronic signatures Digital, scanned, typed and click Do not confuse reliability with validity

Certification-Service-Providers Public key Infrastructure “digital certificates” and “digital signatures” Certification–Service-Providers EU Directive Electronic Communications Act 2000 tScheme Electronic Signatures Regulations 2000 Imposes liability on Certification–Service-Providers for “qualified certificates”

Liability of Certification-Service- Providers Where a CSP issues or guarantees a qualified certificate to the public and a person reasonably relies on that certificate for: accuracy of information in the certificate inclusion of Schedule 1 Information holding by signatory of relevant signature-creation-data ability of signature-creation-data and signature-verification- data to work together and that person suffers loss, then CSP liable unless can show that not acted negligently

Schedule 1 - Qualified Certificates Statement that a ‘Qualified Certificate’ Name and country of establishment of CSP Name or pseudonym of the signatory Signature-verification data Period of validity of the certificate Identity code of the certificate Advanced electronic signature of issuing CSP Limitations: on the scope of use of the certificate on the value of transactions for which it can be used

Schedule 2 - CSP Qualities Operational reliability Technical ability and security Financial stability and security Manner in which certificates: issued stored revoked Identification of signatories Conflict of interests

Information Security: ISO PIU Report “Privacy and data-sharing: The way forward for public services” 2002 Recommendation 13 Information Security: Confidentiality Integrity Availability

Information Security: ISO (continued) Detailed security standard 10 sections Key elements: Top down approach Identify assets Evaluate risks Develop Security policy Implement policy by way of Information Security Management System Review regularly Third party suppliers: are they compliant?

Verification and Authentication Verification Verifying the identity of a Card User Authentication Authenticating that Card User is Card User by Something that Card User knows Something that Card User possesses Something that the Card User is

Verification and Authentication HMG’s minimum requirements for the verification of the identity of individuals (2003) Four levels of identity verification: Level 0 - none necessary Level 1 – balance of probabilities Level 2 – substantial likelihood Level 3 – beyond reasonable doubt Different types of evidence associated with each level

Verification and Authentication Biometrics Behavioural/physiological traits of an individual “something that a person is” Fingerprints, iris and retinal scans etc Stored on a card or central database? Some concerns: Access to biometric data (by whom and for what purpose?) Updating of data Speed Not infallible (how are errors corrected?)

Verification and Authentication Article 29 Data Protection Working Party: Working document on Biometrics Biometrics = personal data and can be sensitive personal data Need to address: Purpose and proportionality of using biometric data Fair collection of biometric data Legitimate grounds for processing personal data

Smartcard Issues Electronic Signatures: Identify machine or card rather than person unless use biometric data Certification-Service-Providers Qualified Certificates include limits on use for which certificate may be relied and on liability ISO Card, reader, telecommunications network & database Verification and Authentication Identity fraud Lies about attribute (e.g. age) Adopts false identity (e.g. third party’s or bogus identity)

Smartcard Issues Certification-Service-Providers contractual issues Services, Purposes, Certificate Terms, tScheme Approval, Security, Revocation Procedures and Data Processor Card User contractual issues Identity, Data Protection, Purpose, Card Security, Password Security, Biometrics, Dispute resolution, Limitation of Liability, Signatures and Card Issuer Security Obligations

Memorandum of Agreement Agreement to be entered into with Certification Authority Provides framework for: Verification Services Authentication Services Revocation Services Allows new Local Authorities to join in the agreement at later date