European Electronic Identity Practices
Country Update of Austria
Peter F Brown
Office of the CIO, Austrian Federal Chancellery
Chair, CEN eGov Focus Group

CA organisation
- Responsible CA organisation: A1, A-Trust, SV (no unique CA)
- The background of the organisation (private/public): Private (A1, A-Trust) and public (SV)
- Description of the existing CA infrastructure (e.g. registration authority, card factory etc): Different “representations” of citizen card

Status of National legislation on eID
eID specific regulations enacted and in place:
- 2004 eGovernment Act
- 2004 Administrative Signature Order
- 2005 Electronic Document Act

Status of National deployment of eID
- Name of the project: Bürgerkarte (“Citizen Card”)
- Plans, piloting or implementation? Operational
- Is the card obligatory? (Yes/No): No
- Starting date of issuance: 2004

Status of National deployment of eID
- Envisioned total number of cardholders: 8M
- Number of cards/certificates issued by : (some 25K QCs)
- Number of inhabitants: 8M
- Yearly growth rate (percentage): SV cards per week at moment
- Expected number of cards/eID certs by end of 2007: 13M

Status of national deployment of eID
Bürgerkarte:
- Not an official ID document or European travel document
- Supports on-line access to e-Services and electronic signatures
- Valid for 3 years

Status of national deployment of eID
- Price of the cards:
  - to the citizen: depends on issuer (€0 up to 15)
  - to the card issuer: 0 (no special fee)
  - for the card reader and software: €10 (Government subsidy to offset retail price)
- Various suppliers of end-user package: mobile phone, banks, civil service, social insurance

Basic ID function
What cardholder data is electronically stored in the card:
- national identifier: Yes
- family name, given name: Yes
- sex: No
- date of birth: Yes
- nationality: No
- others: No

Basic ID function
- Are these data elements in a dedicated data file? Yes
  - Is the file ‘openly accessible’? Depends on card
  - If not, how is the file protected? Querying national id requires an eGov certificate. Name and date of birth may be freely accessible
  - Does the data file comply with the ICAO LDS? No
- Is the personal data (also) held in a certificate? No, only name

Basic Authentication function
- What Cardholder Verification mechanism is used:
  - PIN
  - Biometrics not envisioned
- Is there a PKI supported cardholder authentication mechanism? Yes
- Is there a mutual device authentication mechanism? Varies according to implementation

Basic Signing function
- PKI-supported signing mechanism (certificate and keypair) present for e-transaction services (non-repudiation)

eID based services
- What kind of services (include examples) are accessible to cardholders based on acceptance of the cards / eID Certificates: Various eGov services (e.g. tax declaration, municipality services), but open to eCommerce offers
- Total number of eID based services accessible by cardholders by : 100
- Goal (in numbers/percentage) of eID based services to be accessible to cardholders by the end of 2007: 80%

eAuthentication Business models; financial
- What are the Charging/Revenue mechanisms? Private CAs charge for certificates
- What charges are levied for use of the card? None (compared with paid non-eService charges)
- Is there a charge for checking certificates and if so who pays for this? None, prohibited by law
- Has a cost benefit analysis been compiled for the eID scheme? Yes, by private sector suppliers
- Is there a study report available? No

eAuthentication Business models; public/private partnership
- Are non government bodies allowed to use the IAS or other card functions in support of their services? Yes, in line with data-protection laws
- Is the card a multi-application smart card? Yes, but depends on implementer/implementation
  - 80-100% of the deployed card base is multi-application smart card enabled
  - Additional services (other than core IAS) loaded pre-issue

eAuthentication Business models; cross border usage
- Are there agreements with other national smart card issuers for mutual recognition of cards? (Status of Memorandum of Understanding (MOU) with other CAs)
  - No bilateral agreements; QCs are recognised under 1999/93/EC; prototype integration of IT and FI eIDs

Other Interoperability issues
- Level of Current Compliance:
  - CWA Secure Signature creation device: depends on issuer

Next plans
- Continued pilots on integration of foreign eIDs into national model
- Development of further server-side service modules
- Acting by proxy (“power of attorney”, for individuals and companies)

Lessons learned so far
- Need greater pan-European cooperation (especially on recognition of digitally signed and authenticated Austrian documents abroad)
- Possible limitations and liability questions arising from use of Bridge CAs

Porvoo Group cooperation issues
- Issue: need for an Interoperability Framework
- Action:
  - Survey of eID requirements
  - Map between different requirements and solutions
  - Development of a “Common Solutions and Services Centre” (see also Austrian proposal for an EU eGov “Virtual Competence Centre”)

More information
- Web-pages for the project/eID issues: