Presentation is loading. Please wait.

Presentation is loading. Please wait.

E-SENS WP5.2 eID Pilot INTRODUCTION 1. CardInfo eID configuration CardInfo artifacts specify and configure specific eID carrier for use with e-SENS eID.

Published byLillian Nash Modified over 9 years ago

Similar presentations

Presentation on theme: "E-SENS WP5.2 eID Pilot INTRODUCTION 1. CardInfo eID configuration CardInfo artifacts specify and configure specific eID carrier for use with e-SENS eID."— Presentation transcript:

1 e-SENS WP5.2 eID Pilot INTRODUCTION 1

2 CardInfo eID configuration CardInfo artifacts specify and configure specific eID carrier for use with e-SENS eID building blocks support auto-detection of plugged eID carrier constrain the attribute realm to be available (SMP?) PT – basic profile, extended profile IT – basic profile, extended profile LX – basic profile, limited functionality (cert.-based) GR – basic profile, limited functionality (cert.-based) AT – extended profile ES – missing  DE – extended profile, no piloting planned 2

3 e-SENS LARMS Local Attribute Mapping and Retrieval: extract, transform, and process attributes from an eID processing local to the PoC in country-B independent of locally available middleware/country-A NI also referred to as passive AuthN provides two baseline profiles: 1.BASIC – identity traits can be freely extracted (Identification) 2.EXTENDED – identity traits can be extracted after controlled AuthN access to further information depending on eID carrier Status: INTEGRATED & DEPLOYED IF INTERESTED: Double Demo with DE & PT (5’+10’ Discussion) 3

4 advanced/distributed e-SENS eID SAT distributed attribute retrieval and cross eID mapping: usefulness limited but interesting for STORK enrichment pre-authorization by PIN-controlled attribute release: required for advanced functions, prerequisite for many MW providence of authenticated attributes from eID: very useful for mobile eID and STORK-based integrations digital signature for cross-border documents: patient consent as manifest of patient authorization no other document/AuthZ currently envisioned PAC out of scope due to missing x-border properties 4

5 E-SENS LAM Fully local card-based AuthN and implicit AuthZ based on locally available smart card service functions mandates a full patient authentication cycle by card unlocks higher level card functions: based on Authentication and Signature plan configuration and national constraints issues patient-signed epSOS assertions with NCP-B and NCP-A enforcement options may link to external signature creation and validation schemes requires country-A anchor in SecMan NCP-A reopens ancient issue on introduction of Security Context Status: INTEGRATED & NCP-INTEGRATED & DEPLOYED 5

6 DCA STORK 2.0 Junction selecting most appropriate eID means available: 1.STORK 2.0 (discussion: STORKv1 DSI component?) 2.advanced e-SENS eID profile (AuthN/AuthZ), FutureID 3.e-SENS LARMS, 4.„typing“ (epSOS), local extraction, proprietary tool chain required is available and dry tested early demonstrator components available need access to STORK 2.0 infrastructure for real tests priority component for regulatory robustness Status: EARLY DEMONSTRATOR w/ GR & IT 6

7 eID Integration integration development artifacts and progress: e-SENS LARMS: jnlp.fokus.fraunhofer.de e-SENS ready OpenNCP demonstrator e-SENS eID Attribute Mapping Policy documents: not included in current work assignments / budget consideration e-SENS Digital Signature code base re-integrated (harmonizing LARMS and DSig code for joint use) prototype integration into OpenNCP (not RC2 yet) auto-detection of plugged/available eID token carrier auto-filling of search masks with extracted attributes 7

8 eID physical Integration all integration is unofficial based on OpenNCP staged, complimentary deployment missing architectural cornerstones: security context handler (XACML-style on NCP level) NCP-level services but facades for pan-European selective providence to unburden local HIT (AIS, STORK) metadata / middleware locator and retrieval services re-issuing, compilation, enrichment of attributes from different sources, final LoA/AAL assignments local HIT integration by PAM/JS LARMS component 8

9 e-SENS WP5.2 eID Pilot REAL-WORLD INTEGRATION AND DEPLOYMENT (e-SENS SCOPE) 9

10 eID Integration // OpenNCP LARMS is decoupled, „passive“ data provisioning LAM is an active component: needs to be fed with NCP-internal data needs to be granted processing time blocking scheduling, use case MUST be suspended @LAM needs to return data to internal NCP components DCA is an active, externalized component: substitutes/enriches an NCP-internal artefact is coordinated from the PoC, not NCP or NI needs to be granted blocking processing time @DCA 10

11 eID Integration // OpenNCP II NCP workflow coordination / orchestration: specified Workflow Manager not implemented XACML Security Context Handler not commonly available Liferay Message Bus absorbs orchestration needs: session is the common umbrella for meta data assertions, endpoints, etc. are held in session context Liferay orchestrates time sequence of service invocation Liferay invocation of external NCP services and data flow Liferay implements and triggers epSOS workflows Problem: LAM/DCA have no portal interactions not every PN uses Liferay  no message bus 11

12 eID Integration // OpenNCP III Problem session-centricity: HP epSOS IdA should not relate with a portal session: def epSOS IdA no portal session = no IdA  no epSOS use case runs matching IdA (+ TRC) are persisted in the session context unknown what IdA relates to which TRC and vice versa Problem Certificates & Management: certificates still rather incompliant to spec’s. huge problem in combination with x-signatures of eID massive changes in cert validation services on country-A 12

13 eID Integration // OpenNCP III Problem merging of security zones: portal merges all security zones into classic MitM vector: holds all endpoints, IdA, TRC, and signature material epSOS after security relaxations: 13 Portal B Acts on CLAIMS from Portal-B

14 eID Integration // OpenNCP IV epSOS as specified (Animation): 14 PoC-B NI-B + NCA-B + legal domain B NI-A + NCA-A + legal domain A

15 eID Integration // OpenNCP III Problem merging of security zones (con’t.): portal merges all security zones into classic MitM vector: holds all endpoints, IdA, TRC, and signature material no portal session = no IdA  no epSOS use case runs matching IdA (+ TRC) are persisted in the session context unknown what IdA relates to which TRC and vice versa Problem NCP w/f Sequencing/Orchestration: as specified, portal is not a component of the NCP orchestration/sequence hard-coded or portal controlled STS’s and Facades cannot re-flow/divert information (con’t. on next slides) 15

16 Security Architecture: injection of new sequencings LAM time & succession = orchestrating time: LAM/DCA cannot determine *when* to trigger DSig succession: LAM/DCA do not know *if* to engage completion: NCP/STS/LAM cannot control chronology Options: TRC-STS triggers LAM w/ piggybacked TRC-A prototype STS needs to localise LAM, LAM blindly trusts TRC, IdA opaque LAM substitutes TRC-STS and is triggered with IdA NCP needs to localize LAM, LAM trusts NCP, IdA inaccessible portal mediates exchange between TRC-STS and LAM portal merges domains, may withhold tokens, no „local“ display NCP may disengage all advanced functions in all options 16

17 Security Architecture II: injection of new sequencings OpenNCP v3 Proposal (compatibility & innovation): Option #1 – TRC-STS triggers LAM provides adequate security degree & AAL/LoI: separation/decoupling of concerns clear responsibilities of SOP’s (card, terminal, environment, etc.) much easier integration regarding workflow, IdA available @NCP harder localization of local LAM module by TRC-STS LAM as a local deployment needs to listen for requests preserves NCP-level orchestration & fat-client support acknowledges patient control regarding eID token encapsulates patient-centric DSig strictly to trusted zone enables trusted viewer for exercising patient control 17

18 Security Architecture II: injection of new sequencings OpenNCP v3 Proposal (compatibility & innovation): Option #2 – LAM requests unsigned TRC-A from TRC-STS provides adequate security degree & AAL/LoI: clear responsibilities of SOP’s (card, terminal, environment, etc.) harder workflow synchronization: w/f NCP and PoC decoupled correct IdA must be made available to TRC-STS prior to request easier local handling and no external connectivity (but portal) preserves NCP-level orchestration & fat-client support acknowledges patient control regarding eID token encapsulates patient-centric DSig strictly to trusted zone enables trusted viewer for exercising patient control DECISION required to avoid Blocker 18

19 Security Architecture III: injection of new sequencings 19

20 e-SENS WP5.2 eID Pilot Housekeeping INTEGRATION 20

21 Housekeeping // Integration Current To-Do‘s: SP certificate exchange IT, PT, AT, GR for STORK 2.0 Test provision of test-PS/eP bound to the test cards PT to provide context for eID Architecture Document PT to clarify documentation need for x-project work AT to formalize joining the pilot, provisioning of S/W 21

Download ppt "E-SENS WP5.2 eID Pilot INTRODUCTION 1. CardInfo eID configuration CardInfo artifacts specify and configure specific eID carrier for use with e-SENS eID."

Similar presentations

Improving Learning Object Description Mechanisms to Support an Integrated Framework for Ubiquitous Learning Scenarios María Felisa Verdejo Carlos Celorrio.

Improving Learning Object Description Mechanisms to Support an Integrated Framework for Ubiquitous Learning Scenarios María Felisa Verdejo Carlos Celorrio.
Practical Digital Signature Issues. Paving the way and new opportunities. www.oasis-open.org Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.

Practical Digital Signature Issues. Paving the way and new opportunities. Juan Carlos Cruellas – DSS-X co-chair Stefan Drees - DSS-X.
Functional requirements for non- repudiation in eHealth domain For potential eHealth dispute resolution we need the following (among possible other data):

Functional requirements for non- repudiation in eHealth domain For potential eHealth dispute resolution we need the following (among possible other data):
OOI-CI–Ragouzis–2007.10.15 Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop 17-19 October 2007.

OOI-CI–Ragouzis– Ocean Observatories Initiative Cyberinfrastructure Component CI Design Workshop October 2007.
Stork 2.0 is an EU co-funded project INFSO-ICT-PSP-297263 Robert Scharinger & Gottfried Heider (Ministry of Health, AT) WP 5.4 eHealth pilot - epSOS OpenNCP.

Stork 2.0 is an EU co-funded project INFSO-ICT-PSP Robert Scharinger & Gottfried Heider (Ministry of Health, AT) WP 5.4 eHealth pilot - epSOS OpenNCP.
ITIL: Service Transition

ITIL: Service Transition
Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.

Identity Management Based on P3P Authors: Oliver Berthold and Marit Kohntopp P3P = Platform for Privacy Preferences Project.
David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.

David L. Wasley Information Resources & Communications Office of the President University of California Directories and PKI Basic Components of Middleware.
TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-

TF-EMC2 February 2006, Zagreb Deploying Authorization Mechanisms for Federated Services in the EDUROAM Architecture (DAME) -Technical Project Proposal-
E-SENS Electronic Simple European Networked Services e-SENS CC5.2 F2F Porto, May 12/13, 2015 SMP & SML Massimiliano Masi.

E-SENS Electronic Simple European Networked Services e-SENS CC5.2 F2F Porto, May 12/13, 2015 SMP & SML Massimiliano Masi.
PAWN: A Novel Ingestion Workflow Technology for Digital Preservation

PAWN: A Novel Ingestion Workflow Technology for Digital Preservation
Tools and Services for the Long Term Preservation and Access of Digital Archives Joseph JaJa, Mike Smorul, and Sangchul Song Institute for Advanced Computer.

Tools and Services for the Long Term Preservation and Access of Digital Archives Joseph JaJa, Mike Smorul, and Sangchul Song Institute for Advanced Computer.
Configuration Management

Configuration Management
GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.

GFIPM Web Services Concept and Normative Standards GFIPM Delivery Team Meeting November 2011.
May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.

May 30 th – 31 st, 2006 Sheraton Ottawa. Microsoft Certificate Lifecycle Manager Saleem Kanji Technology Solutions Professional - Windows Server Microsoft.
Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.

Module 10: Designing an AD RMS Infrastructure in Windows Server 2008.
Methodology and Tools for End-to-End SOA Configurations By: Fumiko satoh, Yuichi nakamura, Nirmal K. Mukhi, Michiaki Tatsubori, Kouichi ono.

Methodology and Tools for End-to-End SOA Configurations By: Fumiko satoh, Yuichi nakamura, Nirmal K. Mukhi, Michiaki Tatsubori, Kouichi ono.
Web Development Process Description

Web Development Process Description
E-SENS eHealth Use Cases. eHealth Use Cases (Overview) eConfirmation How is a health care provider in MS B able to get an insurance confirmation for a.

E-SENS eHealth Use Cases. eHealth Use Cases (Overview) eConfirmation How is a health care provider in MS B able to get an insurance confirmation for a.
Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Cardea Requirements, Authorization Model, Standards and Approach Globus World Security Workshop January 23, 2004 Rebekah Lepro Metz

Similar presentations

Ads by Google