Update on WS eAuthentication status Jan van Arkel Co-Chairman eEurope Smart Card Charter Ambassador CEN/ISSS WS eAuthentication.


Objectives of the Workshop eAuthentication/eID
 consolidate OSCIE eAuthentication GIF content and search for maintenance
 offer a European Forum on eAuthentication
 seek wider involvement and consensus
 harmonise eAut with Japan and US
 harmonise eAut with WS e-sign, i.e. Area K
 harmonise with eEpoch development
 relate with Porvoo group eGov/eID requirements
 prepare a harmonised Glossary of Terms

Deliverables of WSeAut
 CWA eAut Part 1: Architecture for a European interoperable eID system within a smart card infrastructure
 CWA eAut Part 2: Best Practice Manual for card scheme operators exploiting a multi-application card scheme incorporating interoperable IAS services
 CWA eAut Part 3: User Requirements for a European interoperable eID system within a smart card infrastructure
 WP 4: eID Strategic Vision Report

Status WS eAut
 The WS started September 16, 2003
 Draft CWA documents were approved (with some comments) on September 20, 2004
 Revised drafts distributed for a 60-day public comment period on October 18, 2004
 Disposition of comments ready by December 31
 Final documents distributed by January 15, 2005
 Workshop closing meeting on February 11, 2005
 Official publication of CWA eAuthentication by CEN

Deliverables of WSeAut
 CWA eAut Part 1: Architecture for a European interoperable eID system within a smart card infrastructure
Table of Contents:
 Introduction
 Contextual Model for IAS interoperability
 Conceptual model for IAS interoperability
 The IAS functional model
 IAS system architecture
 The functional model in the IAS system architecture
 High level description of the primary processes - formal description
 IAS interoperability
 Securing interoperability
 Common requirements for IAS interoperability
 Annex A: Mandatory fields in certificates

Closed eID scheme (diagram: two layer stacks, "on us" and "not on us", each consisting of content, e-Service access, card access, IAS / eID card application and certificate)

eService interoperability (diagram: the same "on us" / "not on us" layer stacks of content, e-Service access, card access, IAS / eID card application and certificate, with interoperability points IOP #2 and IOP #3 marked between them)

IAS Smart card information system architecture (diagram)

Deliverables of WSeAut
 CWA eAut Part 2: Best Practice Manual for card scheme operators exploiting a multi-application card scheme incorporating interoperable IAS services
Table of Contents:
 Multi-application smart card schemes (including Government issued eID driven MA Schemes)
 Risk analysis and Policy management
 Service implementation and legal/administrative guidelines
 Business case analysis
 Peer support mechanisms and recommendations

Deliverables of WSeAut
 CWA eAut Part 3: User Requirements for a European interoperable eID system within a smart card infrastructure
Table of Contents:
 General User requirements for smart card based systems
  - common elements in support of user requirements
  - doing things with a smart card
  - doing things to a smart card
 User requirements for Authentication within an eID system
  - identification
  - authentication
  - signature services
  - eID processes

Deliverables of WSeAut
 Strategic eID Vision report
Table of Contents:
 The Vision
  - Rationale for a common eID approach
  - Drivers and inhibitors for a common approach
 How can the vision be realised
 Conditions for mass deployment
  - minimum requirements
  - Architectural model
  - The legal issue
  - Standardisation
 Deployment of eID in Europe and beyond
 Recommendations

Deployment of eID
 Group 1: the "no, not for us" group
 Group 2: Early adopters
 Group 3: Middle of the road group

Deployment of eID
 Group 1: the "no, not for us" group: Anglo-Saxon countries
  - US
  - Canada
  - Australia
  - New Zealand
  - UK ???

 Group 2: Early adopters
  - Malaysia
  - South East Asia
  - Middle East
  - Japan

Deployment of eID
 Group 3: Middle of the road group
  - Europe
  - China, India
  - South America
  - Africa

Europe’s leading examples
 Estonia 650K
 Italy 400K
 Belgium 85K
 Finland 55K
 Spain
 Austria

eID deployment worldwide
 Overall conclusions:
  - strong regional differences
  - a number of European countries are on the move
  - smart cards prevail
  - PIN is omnipresent; biometrics are emerging as the preferred CHV (cardholder verification)
  - PKI is taking off
  - patchy solutions

Recommendations
 Approach eID as an infrastructure which needs to come into place at least in the European domain
 Provide a legal basis for a common European eID
 Organise a stronger participation in Standardisation
 Organise a pan-European demonstrator
 European Coordination on eID development is needed

Common Requirements (WS-eAut, CEN 224-WG 15, Porvoo group)

Basic Functionalities
 electronic identification & authentication of the cardholder to public and private services
 electronic signature for legal proof of non-repudiation
Optional functions:
 confidentiality services, enabling encryption of data transmitted over a network ( , documents transfer)
 official travel document

Overall system requirements
 The system shall support different security profiles/classes
 The system shall be trustworthy for the cardholder; the system as such shall be reliable and shall protect the cardholder's data present in the card
 The IAS functionality shall be executed in a secure and controllable way
 The execution of the eID and eAuthentication function shall be convenient and fast
 The system shall be future proof:
  - based on international standards (ISO/IEC 7810, 7816, ISO/IEC 14443, JavaCard/GP, ISO/IEC (ICAO))
  - post-issuance secure updating of data as well as application downloading supported as an option
  - multi-vendor support

Cardholder identification requirements
 The system shall support a secure and reliable cardholder identification function
 Personal data of the cardholder shall be held in an electronic form
 The Personal data set shall contain as a minimum for interoperability:
  - (optional) national identification number
  - family name(s), given name
  - sex
  - date of birth
  - (optional) place of birth
  - (optional) nationality
  This file is (optionally) PIN/Biometric protected
 The Card related data set shall contain as a minimum for interoperability:
  - card issuer name/reference
  - card number
  - country name
  - date of issuance
  - expiration date

Cardholder authentication requirements
 The system shall support a secure and reliable cardholder authentication function
 A PIN is mandatory and shall be compliant with ISO/IEC
 Biometrics are optional. If biometrics are included the following applies:
  - 1:1 verification compliant to ISO/IEC
  - a Biometric OID in support of multiple biometric technologies must be present, compliant to ISO/IEC (under development)
  - Fingerprint minutia data is recommended. Implementation shall be compliant to ISO/IEC (under development)
  - Biometric template storage shall be on the card
  - Biometric matching on the card is recommended
 A Signature key for authentication purposes
  - shall be present
  - shall occur only once and shall be protected so it cannot be derived
  - shall be protected against unauthorized usage by PIN and optionally by biometrics

Electronic signature requirements
 The system shall support a secure and reliable cardholder electronic signature function for the purpose of legal validity of the signature
 For Europe the PKI system elements of the system shall be in compliance with the qualified digital signature as per article 5.1 of the EU directive 1999/93/EC on a Community framework for electronic signatures
 The PKI system elements shall be in compliance with ETSI QCP (under revision)
 The PKI system elements shall be in compliance with CWA parts 1 and 2

Electronic signature requirements (2)
 The PKI system elements shall be in compliance with ETSI QCP. The main issues being:
  - registration procedures
  - information content of a certificate
  - liability of the certificate authority
  - responsibility for protecting the eID card and its content
  - loading of other applications on the card
  - renewal of an eID card
  - prevention of use of eID card and its certificates
  - cancellation of an eID card
  - requirements for the supporting PKI (i.e. CWA 14171)
  - obtaining and protecting the CA certificate
  - obtaining certificate status information

Electronic signature requirements (3)
 Compliance with CWA (area K) part 1 and 2:
  - key pair generation on board card
  - storage of keys on board card
  - compliance with ISO/IEC 7816-15 (PKCS #15) and Crypto Objects
  - signing function will be PIN and/or Bio protected
  - data to be signed cannot be altered
  - the format for electronic signatures and their certificates shall be interoperable
  - secure messaging shall be supported (symmetric crypto)
  - algorithms as in EU WS eSign algo document shall be supported
  - publicly available certificate status verifying function for relying parties
 PKI shall be implemented in the following way:
  - minimum of 2 certificates (1 for signing; 1 for other functions)
  - compliant with X.509 v3 minimum profile: name of CA, name of Cert holder, unique identifier of Card Holder/Cert holder, period of validity of certificate, serial number of certificate, pointer to info on CA certificate policy
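The X.509 v3 minimum profile above (name of CA, name of certificate holder, unique identifier of the holder, validity period, serial number, pointer to the CA certificate policy) is the kind of requirement a card scheme operator can check mechanically before accepting certificates from a CA. The script below is an added example, not part of the workshop deliverables or any CEN code. It uses only the Python standard library, reading the fields straight out of the DER encoding with a small ITU-T X.690 walker, and it constructs its own sample certificate (placeholder key, all-zero signature, placeholder policy OID 1.2.3.4.5.6) so it runs offline. Because the slide names the fields but not their encodings, the example assumes the usual mapping: the holder's unique identifier is carried in the X.520 serialNumber subject attribute (OID 2.5.4.5) and the policy pointer in the certificatePolicies extension (OID 2.5.29.32).

```python
"""Check an X.509 v3 certificate against the slide's minimum profile: CA name,
holder name, unique holder identifier, validity period, serial number and a
pointer to the CA certificate policy.  Added example; standard library only."""
import datetime

# Real OIDs from X.520 / RFC 5280, plus one placeholder for the sample policy.
OID_CN = "2.5.4.3"                 # commonName
OID_SERIAL_NUMBER = "2.5.4.5"      # X.520 serialNumber (assumed holder unique id)
OID_ORG = "2.5.4.10"               # organizationName
OID_CERT_POLICIES = "2.5.29.32"    # certificatePolicies extension
OID_SHA256_RSA = "1.2.840.113549.1.1.11"
POLICY_OID = "1.2.3.4.5.6"         # placeholder policy OID for the constructed sample


# ---- DER reading ---------------------------------------------------------
def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV at pos; short and long lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(value):
    """Split a constructed value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, body, pos = read_tlv(value, pos)
        out.append((tag, body))
    return out


def decode_oid(body):
    arcs, acc = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:                      # base-128 arcs, high bit = continuation
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_name(body):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value } -> {oid: text}."""
    attrs = {}
    for _, rdn in children(body):
        for _, atv in children(rdn):
            (_, oid_body), (_, val) = children(atv)
            attrs[decode_oid(oid_body)] = val.decode("utf-8")
    return attrs


def check_minimum_profile(cert_der):
    """Extract the profile fields; 'missing' lists what the certificate lacks."""
    _, cert, _ = read_tlv(cert_der)
    (_, tbs), _alg, _sig = children(cert)   # no signature check: structure only
    f = children(tbs)
    off = 1 if f[0][0] == 0xA0 else 0       # v1 certificates have no [0] version
    version = f[0][1][2] + 1 if off else 1  # [0] EXPLICIT INTEGER, v3 encoded as 2
    serial = int.from_bytes(f[off][1], "big")
    issuer, subject = decode_name(f[off + 2][1]), decode_name(f[off + 4][1])
    not_before, not_after = (datetime.datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
                             for _, v in children(f[off + 3][1]))
    policies = []
    for tag, body in f[off + 6:]:
        if tag != 0xA3:                     # only the [3] extensions wrapper
            continue
        for _, ext in children(children(body)[0][1]):
            parts = children(ext)           # OID, [critical BOOLEAN], OCTET STRING
            if decode_oid(parts[0][1]) == OID_CERT_POLICIES:
                for _, info in children(children(parts[-1][1])[0][1]):
                    policies.append(decode_oid(children(info)[0][1]))
    required = {"ca_name": issuer.get(OID_CN), "holder_name": subject.get(OID_CN),
                "holder_unique_id": subject.get(OID_SERIAL_NUMBER), "policy_oids": policies}
    missing = [k for k, v in required.items() if not v]
    if version != 3:
        missing.append("version_3")
    return {"version": version, "serial_number": serial, "not_before": not_before,
            "not_after": not_after, **required, "missing": missing}


# ---- DER writing, just enough to build the constructed sample ------------
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nb]) + n.to_bytes(nb, "big") + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        body += chunk
    return tlv(0x06, bytes(body))


def encode_name(attrs):
    return tlv(0x30, b"".join(tlv(0x31, tlv(0x30, encode_oid(o) + tlv(0x0C, v.encode("utf-8"))))
                              for o, v in attrs))


def utctime(dt):
    return tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode("ascii"))


def build_sample_cert(with_policy=True, with_unique_id=True):
    """Constructed sample: real structure, placeholder key, all-zero signature."""
    alg = tlv(0x30, encode_oid(OID_SHA256_RSA) + tlv(0x05, b""))
    subject = [(OID_CN, "Anna Example")] + ([(OID_SERIAL_NUMBER, "ID-000123")] if with_unique_id else [])
    tbs = (tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x2a") + alg          # v3, serial 42
           + encode_name([(OID_CN, "Example Member State CA"), (OID_ORG, "Example CSP")])
           + tlv(0x30, utctime(datetime.datetime(2005, 1, 1)) + utctime(datetime.datetime(2010, 1, 1)))
           + encode_name(subject) + tlv(0x30, alg + tlv(0x03, b"\x00\x00")))  # placeholder SPKI
    if with_policy:
        ext = tlv(0x30, encode_oid(OID_CERT_POLICIES)
                  + tlv(0x04, tlv(0x30, tlv(0x30, encode_oid(POLICY_OID)))))
        tbs += tlv(0xA3, tlv(0x30, ext))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00\x00"))


if __name__ == "__main__":
    print(check_minimum_profile(build_sample_cert()))
    print(check_minimum_profile(build_sample_cert(with_policy=False, with_unique_id=False))["missing"])
```

Pass the DER bytes of a real certificate to check_minimum_profile; an empty missing list means every profile field is present, and the second sample call shows a certificate rejected for lacking the holder identifier and the policy pointer. The check is structural only: it does not verify the signature, the chain or the certificate status, which the slide lists as separate requirements on the supporting PKI.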