Agenda10.45-11.00 Arriving to RIA (Pärnu mnt 139A, 7th floor)

11.00-12.00 First slot: Norway presentation about their e-solutions

12.00-12.30 Lunch (Pärnu Cafe Amps, cafe and bistro, 1st floor)

12.30-14.00 Second slot:

12.30-13.15 eID, Vallo Veinthal/Mark Erlich 40min presentation + 20min discussion

13.15-14.00 RIHA, Priit Parmakson 30min presentation + 15min discussion

14.00-14.15 Coffee break

14.15-15.30 Third slot: X-Road, Heiko Vainsalu - 30min presentation + 15min discussion

History in short 1

19941994

First ideas about eID

19981998

SEIS final eID standard

19991999

FINEID card launch

20002000

Directive 1999/93/ECLegal framework

History in short 2

20012001

Estonian CA (SK)

20022002

Estonian ID-Card (eID) – copy of FINEID

20072007 20102010 20142014

Facts About Estonia

● eID is a part of national identity document

● Population ca. 1.34 M

● Valid eID tokens ca. 1.27 M

● Since 2002– Online authentication: 443 M– Given digital signatures: 290 M

(today around 6M per Month)

● Mandatory to have (but not to use)●

●

●

– Win-win concept, where state takes hardest part: responsibility

Critical factors for high usage of eID

● Document is mandatory from age of 15● Personal Identification Code (PIC)

xYYMMDDyyyz

●

Identity in Estonia

● State issued eID are accepted by all public services and most private services

● Authentication (and not authorization)– Identifying the natural person only.

– Roles and rights are stored in registries

● Legally binding signature of a natural person– Qualified e-Signature: equal with handwritten signature

● Legally binding stamp (seal) of a legal entity– Same as for natural person but with legal entity certificate

– Replaces rubber stamp from paper world

● File encryption – decryption for secure delivery

Use cases

● Separate CA service for state issued eID– Qualified Certificates

Certificates

● Issued by Estonian Police ● Technically same for ID-Card, Residence Permit Card,

Digi-ID and eResidence Card ● 2 pairs of keys with corresponding X.509 certificate:

– Authentication: SSL is used– Signing: Middleware software with end user application and

web browser plugins

● Validity: – 5 years: ID-card and Residence Permit Card– 3 years: Digi-Id and eResidentce Card

eID Cards

● 2 pair of keys w corresponding X.509 certificate– Certificate stored in public repository only

● Central Security Service ● Validity: 3 years

Mobile-ID: system

Mobile-ID: issuing process

● State fee:– Covers production, issuing and maintenace– https://www.politsei.ee/en/teenused/riigiloivud/riigiloivu-

maarad/isikut-toendavad-dokumendid/index.dot

● Signing– Local computer: each individual can give 10 signatures per

month for free– Webservice: service provider pays

https://sk.ee/en/services/pricelist/certificate-validation-services

Pricing

...more generic view

eID (document & hardware)eID (document & hardware) Digital use (implementation)Digital use (implementation)

● To sign and seal any data in digital format● Container based signature file using PKI for

signing– XAdES and ASiC– eSignatures and eStamps (e-seal)

● PDF?– Limited use only– User interface – problem with trust

Digital signatures / Qualified e-Signatures

Impact on e-Society (i-Voting)

Impact on e-Society (Company registrartion)

● eIDAS regulation– National law for eIDAS implementation– Qualified e-Signature definition = Estonian Digital Signature– State issued eID schemes has same level - High

● Private sector:– May apply eIDAS regulation– Already accepts Digital Signatures– Already accepts state issued eID

Legal Basis

● Technical issues (trojans, phishing) only with private sector solutions (Bank eID solution – password based)

● State issued eID had only few issues where a close person shares his credential with PIN codes – This is users responsibility to not allow this.

● Since State issued eID is issued only through Police, the very high identification procedure is applied – all attempts has been discovered before issuing eID

Risks and Cases of misuse

● Smartcard in mobile devices: mid of 2017● eSIM

– Investigation is going on– Unclear which eIDAS classification will apply

● Keyless Signatures– Existing solution from GuardTime– As signature it survives Quantum computers– State keeps eyes open and cooperates– Still issue with authentication: today is the most reliable

solution PKI based eID

Future solutions

– http://www.id.ee/public/The_Estonian_ID_Card_and_Digital_Signature_Concept.pdf

● General information and documentation– http://id.ee/?lang=en

– https://sk.ee/en/useful/digitalsigning/

– http://eid.eesti.ee/index.php/EID_application_guide

– http://open-eid.github.io/