eGovernment Commonalities within Europe and beyond Colin Wallis & Fulup Ar Foll European Identity Conference 2011

A 2-part presentation with conclusion and discussion: Colin: overview the landscape & highlight policy-oriented common touch points Fulup: detail technically-oriented common touch points Colin: draw conclusions and facilitate discussion

‘the Venn of eGovernment’ – a framework of frameworks? What is this? GovernancePolicy Legislation & regulation Conformance & certification Technology Management Identity Information Management Interoperability

..of ecosystems, federations and frameworks…. is it all semantics? Identity Ecosystem? Trust framework? eGovernment (interoperability) Framework? Transformational Government framework? Cloud computing framework? Trust federation?

…grouped by breadth of scope, level of detail European Interoperability Framework National Strategy for Trusted Identities in Cyberspace OASIS’s Transformational Government Framework eGIFs everywhere.. PEPOL STORK etc Semantics and taxonomy Conformance and certification etc

Question… If one framework uses asserted government issued credentials (a government IdP) and another framework uses asserted private sector credentials (a private sector IdP) does it matter?

Question… If one framework is based on regulation and legislation and another framework is based on contract and common law does it matter?

Technical Commonalities eGov Profile v2.0 The goal is to implement a certification process that allows a non-expert to select the correct product suite. Common technical issues are: Metadata exchanges Authentication assurance SSO/SLO session management Proxy and authentication attributes

Metadata exchange Most, if not every, government relies on some form of contract to handle IDP/SP relationship. Publication of Metadata in a well-known location Generation/Exportation is OPTIONAL Verification, if implemented, MUST use XML signature

Authentication Assurance Framework Most governments rely on some form of assurance framework based on some form of NIST equivalent level Implemented through OASIS Assurance Framework MUST support the acceptance/rejection of assertions based on the content of the elements It is hard to agree on a common certification, but it is a MUST have to agree on a common framework and assure interoperability

SSO/SLO Session Management Logout is the main technical issue for implementers. eGov profile enforces as a MUST for SLO HTTP transport binding SAML SOAP LogOut request SAML redirect [optional for SP] Specify user options to control SLO behaviours. TLS and other forms of authentication with SAML/SOAP are optional.

Proxy Authentication [Only for Full V2.0 Profile] Suppression or editing of RequesterID elements from outgoing AuthnRequest Support the mapping of incoming to outgoing AuthnContext elements MUST support the suppression of

Questions?

Conclusions They are all (federated) trust frameworks There are broad (eGov and TGov) trust framework deployment profiles There are narrower (cloud) trust framework deployment profiles They comprise common components They have common requirements – policy, semantics, conformance, compliance, certification etc