Agenda (PDF file, 2016-05-26)


  • Agenda

    10.45-11.00 Arriving at RIA (Pärnu mnt 139A, 7th floor)
    11.00-12.00 First slot: Norway presentation about their e-solutions
    12.00-12.30 Lunch (Pärnu Cafe Amps, cafe and bistro, 1st floor)
    12.30-14.00 Second slot:
      12.30-13.15 eID, Vallo Veinthal / Mark Erlich, 40 min presentation + 20 min discussion
      13.15-14.00 RIHA, Priit Parmakson, 30 min presentation + 15 min discussion
    14.00-14.15 Coffee break
    14.15-15.30 Third slot: X-Road, Heiko Vainsalu, 30 min presentation + 15 min discussion

  • History in short 1

    1994 – First ideas about eID
    1998 – SEIS final eID standard
    1999 – FINEID card launch
    2000 – Directive 1999/93/EC: legal framework

  • History in short 2

    2001 – Estonian CA (SK)
    2002 – Estonian ID-Card (eID) – copy of FINEID
    2007, 2010, 2014

  • Facts About Estonia

    ● eID is a part of the national identity document
    ● Population ca. 1.34 M
    ● Valid eID tokens ca. 1.27 M
    ● Since 2002:
      – Online authentications: 443 M
      – Digital signatures given: 290 M (today around 6 M per month)

  • Critical factors for high usage of eID

    ● Mandatory to have (but not to use)
    ● Win-win concept, where the state takes the hardest part: responsibility

  • Identity in Estonia

    ● Document is mandatory from the age of 15
    ● Personal Identification Code (PIC): xYYMMDDyyyz
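The PIC layout on this slide, worked through as an added example (not code from the presentation): a Python validator that decodes the century/gender digit, birth date and serial from xYYMMDDyyyz and verifies the check digit z. The mod-11 check digit algorithm and the century mapping are assumed from the published PIC scheme, since the slide only shows the layout; the test codes are constructed. A service that keys on the PIC (for example, read from an eID certificate subject or a web form) should reject malformed codes like this before any registry lookup.

```python
from datetime import date

# Weights for the Estonian PIC mod-11 check digit. Assumed from the published
# PIC scheme; the slide itself only gives the xYYMMDDyyyz layout.
WEIGHTS_1 = (1, 2, 3, 4, 5, 6, 7, 8, 9, 1)
WEIGHTS_2 = (3, 4, 5, 6, 7, 8, 9, 1, 2, 3)
# First digit x: century of birth (odd = male, even = female).
CENTURY = {1: 1800, 2: 1800, 3: 1900, 4: 1900, 5: 2000, 6: 2000}


def pic_check_digit(first_ten):
    """Compute the check digit z for the first 10 digits of a PIC."""
    digits = [int(c) for c in first_ten]
    total = sum(d * w for d, w in zip(digits, WEIGHTS_1)) % 11
    if total == 10:  # fall back to the second weight set
        total = sum(d * w for d, w in zip(digits, WEIGHTS_2)) % 11
        if total == 10:
            total = 0
    return total


def parse_pic(pic):
    """Validate an untrusted PIC string and decode it, or raise ValueError.

    Checks length, ASCII digits, century code, check digit and that the
    encoded birth date really exists, so a malformed code never reaches a lookup.
    """
    if not isinstance(pic, str) or len(pic) != 11 or not (pic.isascii() and pic.isdigit()):
        raise ValueError("PIC must be exactly 11 ASCII digits")
    x = int(pic[0])
    if x not in CENTURY:
        raise ValueError("invalid century/gender digit")
    if pic_check_digit(pic[:10]) != int(pic[10]):
        raise ValueError("check digit mismatch")
    try:
        born = date(CENTURY[x] + int(pic[1:3]), int(pic[3:5]), int(pic[5:7]))
    except ValueError as exc:
        raise ValueError("encoded birth date does not exist") from exc
    return {"gender": "male" if x % 2 else "female",
            "birth_date": born, "serial": int(pic[7:10])}


def is_valid_pic(pic):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_pic(pic)
        return True
    except ValueError:
        return False
```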

  • Use cases

    ● State issued eID is accepted by all public services and most private services
    ● Authentication (and not authorization) – identifying the natural person only
      – Roles and rights are stored in registries
    ● Legally binding signature of a natural person – Qualified e-Signature: equal to a handwritten signature
    ● Legally binding stamp (seal) of a legal entity – same as for a natural person but with a legal entity certificate
      – Replaces the rubber stamp from the paper world
    ● File encryption – decryption for secure delivery

  • Certificates

    ● Separate CA service for state issued eID – Qualified Certificates

  • eID Cards

    ● Issued by the Estonian Police
    ● Technically the same for ID-Card, Residence Permit Card, Digi-ID and eResidence Card
    ● 2 pairs of keys with corresponding X.509 certificates:
      – Authentication: SSL is used
      – Signing: middleware software with end user application and web browser plugins
    ● Validity:
      – 5 years: ID-Card and Residence Permit Card
      – 3 years: Digi-ID and eResidence Card

  • ● 2 pairs of keys with corresponding X.509 certificates
      – Certificate stored in a public repository only
    ● Central Security Service
    ● Validity: 3 years

  • Mobile-ID: system

  • Mobile-ID: issuing process

  • Pricing

    ● State fee:
      – Covers production, issuing and maintenance
      – https://www.politsei.ee/en/teenused/riigiloivud/riigiloivu-maarad/isikut-toendavad-dokumendid/index.dot
    ● Signing:
      – Local computer: each individual can give 10 signatures per month for free
      – Web service: the service provider pays
      – https://sk.ee/en/services/pricelist/certificate-validation-services

  • ...more generic view

    eID (document & hardware)
    Digital use (implementation)

  • Digital signatures / Qualified e-Signatures

    ● To sign and seal any data in digital format
    ● Container based signature file using PKI for signing
      – XAdES and ASiC
      – eSignatures and eStamps (e-seal)
    ● PDF? – Limited use only
      – User interface – problem with trust

  • Impact on e-Society (i-Voting)

  • Impact on e-Society (Company registration)

  • Legal Basis

    ● eIDAS regulation
      – National law for eIDAS implementation
      – Qualified e-Signature definition = Estonian Digital Signature
      – State issued eID schemes have the same level: High
    ● Private sector:
      – May apply eIDAS regulation
      – Already accepts Digital Signatures
      – Already accepts state issued eID

  • Risks and Cases of misuse

    ● Technical issues (trojans, phishing) only with private sector solutions (bank eID solution – password based)
    ● State issued eID has had only a few issues, where a close person shares their credential together with the PIN codes – it is the user's responsibility not to allow this.
    ● Since state issued eID is issued only through the Police, a very thorough identification procedure is applied – all attempts have been discovered before the eID was issued

  • Future solutions

    ● Smartcard in mobile devices: mid-2017
    ● eSIM
      – Investigation is going on
      – Unclear which eIDAS classification will apply
    ● Keyless Signatures
      – Existing solution from GuardTime
      – As a signature it survives quantum computers
      – State keeps its eyes open and cooperates
      – Still an issue with authentication: today the most reliable solution is PKI based eID

  • – http://www.id.ee/public/The_Estonian_ID_Card_and_Digital_Signature_Concept.pdf
    ● General information and documentation
      – http://id.ee/?lang=en
      – https://sk.ee/en/useful/digitalsigning/
      – http://eid.eesti.ee/index.php/EID_application_guide
      – http://open-eid.github.io/
