The Estonian ID Card Experience

ID card – vision in action
Tarvi Martens
SK, Estonia
The Vision: 1997
Let’s assign an electronic identity to every Estonian and give them the means for electronic signing!
Surrounding World
• 10-year passports issued from 1992 will expire in 2002: perfect timing for introducing a new type of document
• SEIS specifications: 1998
• FINEID: launched 2000
• Digital Signature Act: 2000
The ID-Card
• Roll-out started 2002
• “Compulsory” for all residents from age 15+
• October 2006: 1 000 000th card issued (population: 1.35M)
• eID part allows for e-authentication and digital signing
Card issuance
Steps shown in the diagram:
1. Application
2. Request for Personalisation
3. Request for Certificates
4. Certificates
5. ID Card with Private Keys and Certificates
6. PIN codes sent by courier
7. Personalised ID Card with Certificates and PIN envelope handed over
Diagram labels: Citizenship and Migration Board; Ministry of Internal Affairs; CMB Regional Offices (15 sites); TRÜB Baltic AS; Certification Centre Ltd; CA; RA; RA (bank office); ...; Public Directory; Afterservice
eID applications
• E-ticketing (non-PKI)
• Secure e-mail
• Authentication
  - All internet banks
  - E-government
  - Any other major e-service
• Digital signing
  - Universal replacement of handwritten signature
• Internet voting
ID-card as a ticket for public transportation
Diagram labels: Fixed-line; Mobile; Internet; Cash; e-Tickets; Population Registry
Person must possess and show an ID-card when buying or verifying a ticket
ID-card for secure e-mail
• The authentication certificate contains an e-mail address: Surname.Lastname[.X]@eesti.ee
• All S/MIME mailers are usable
• The eesti.ee server runs a forwarding service
• Usable for secure C2C, B2C and G2C communication
ID-card authentication
Universal Digital Signature
• Public sector is obliged to accept digitally signed documents
• Digital signature is universal
  - Open user group
  - Any relation – government, business, private
• Focus on document concept
  - Equivalent to what we are doing on paper
• Innumerable quantity of “applications”
DigiDoc architecture
Diagram labels: Application (x3); Win32 Client; DigiDoc portal; COM-library; WebService; DigiDoc-library (Win/Unix/C/Java); CSP; PKCS#11; MSSP; XML; OCSP; ID card; Mobile-ID
DigiDoc for end-user
• DigiDoc Client
  - Desktop application
  - Lets users sign, verify signatures etc
  - ID Card not needed for document verification
  - Comes with ID-card base software
• DigiDoc portal
  - https://digidoc.sk.ee
  - Signing, verification, co-signing by multiple persons
Internet voting
• First held in October 2005
• First pan-national binding occasion in the world
• Used 5 times in total
• ID-card as an enabling tool
• Normal application vs. Rocket Science?
I-voting: Main Principles
• All major principles of paper-voting are followed
• I-voting is allowed during a period before Voting Day
• The user uses ID-card or Mobile-ID
  - System authenticates the user
  - Voter confirms his choice with digital signature
• Repeated e-voting is allowed
  - Only the last e-ballot is counted
• Manual re-voting is allowed
  - If a vote is cast on paper during absentee voting days, e-vote(s) will be revoked
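The counting rules above (last e-ballot wins, a paper ballot revokes all e-votes) written out as an added example; it is not code from the Estonian i-voting system. The record layout, voter identifiers and sample ballots are constructed, and authentication and signature verification are assumed to have happened before a ballot reaches this step.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Ballot:
    voter: str          # constructed voter identifier (hypothetical format)
    channel: str        # "internet" or "paper"
    cast_at: datetime
    choice: str


def resolve(ballots):
    """Return (counted, revoked): one counted ballot per voter, plus the rest."""
    by_voter = defaultdict(list)
    for b in ballots:
        if b.channel not in ("internet", "paper"):
            raise ValueError(f"unknown channel: {b.channel!r}")
        by_voter[b.voter].append(b)

    counted, revoked = {}, []
    for voter, cast in by_voter.items():
        cast.sort(key=lambda b: b.cast_at)   # stable: ties keep input order
        paper = [b for b in cast if b.channel == "paper"]
        if len(paper) > 1:
            # Assumption of this example: at most one paper ballot per voter.
            raise ValueError(f"multiple paper ballots for {voter}")
        # A paper ballot revokes every e-ballot; otherwise the last e-ballot wins.
        winner = paper[0] if paper else cast[-1]
        counted[voter] = winner
        revoked.extend(b for b in cast if b is not winner)
    return counted, revoked


def tally(counted):
    """Count choices over the ballots that survived resolution."""
    return dict(Counter(b.choice for b in counted.values()))


# Constructed sample data, not real election records.
SAMPLE = [
    Ballot("V1", "internet", datetime(2011, 2, 24, 9, 0), "A"),
    Ballot("V1", "internet", datetime(2011, 2, 25, 18, 30), "B"),  # replaces the first
    Ballot("V2", "internet", datetime(2011, 2, 24, 12, 0), "A"),
    Ballot("V2", "paper", datetime(2011, 2, 26, 10, 0), "C"),      # revokes the e-vote
    Ballot("V3", "internet", datetime(2011, 2, 27, 8, 15), "A"),
]
```

The revoked list is returned rather than discarded so that every ballot received can be accounted for in an audit.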
The spread of Internet voting
[Chart: overall turnout and number of Internet voters for the 2005 local, 2007 national, 2009 EP, 2009 local and 2011 national elections. Internet voter counts labelled on the chart: 9 317; 30 275; 58 669; 104 413; 140 846. Turnout labels on the chart: 44, 47, 61, 62, 63.]
Flip side of the coin
• 1,000,000 ID-cards
• 30,000 electronic users (2006)
Why won’t they go e?
• Habits
  - Strong tradition of bank-provided authentication service
• Barriers
  - Need for smart-card reader and software
• No awareness promotion
  - ID-cards are perceived as merely physical documents
  - Unawareness about security benefits
Who is driving?
• Public sector service: Tax Declarations, once in a year
• Private sector service: Online banking, once in a week
“Computer Security 2009”
• Co-operation program between private and public sector
• Aims for safe information society in general
• Special target: ten-fold increase of eID users (300,000 by the end of 2009)
• Achieved: February 2010
Measures for CS09
• Pressure by banks
  - Termination of authentication service to 3rd parties
  - Reduction of transaction limits with passwords
• Availability
  - Alternative PKI-based tokens/methods
  - Redundant service network
• Wide support and usability
  - Support for alternative platforms (Mac, Linux, ...)
• Awareness and training
Reader distribution
- card reader
- https://installer.id.ee
- Price ca 6 EUR
• Available at retail stores
• Sold by banks
• Giveaways in campaigns
ID card software: 2nd generation
• Multi-platform
  - Card drivers (CSP/PKCS#11)
  - Card maintenance tool
  - Digital signing
• Libraries
• Webservice
• Desktop client
• Launched 2011 under LGPL terms.
Alternative eID - MobileID
• PKI-capable SIM cards
  - Requires replacement of SIM
• Instantly ready to use
  - No specific software required
• Equal legal power and security with ID-card
• Launched: May 2007
• Available from all major GSM operators
User view: entry
User view: mID authentication
User’s view: mobile PIN entry
Phone screens: “Swedbank, Control code 0342, Enter?”; “Enter PIN1 ****”; “Sending message...”
User view: I’m in!
Digi-ID
• Another PKI token for redundancy
• Delivered over-the-counter
• Same electronic content as ID-card
• Not a travel document
• Validity: 3 years
• Launched: 10.2010
CS2009: impact
[Chart: quarterly time series from 2005 VII to 2011 IV; vertical axis from 0 to 500000.]
Moral (1)
• PKI stands for Public Key Infrastructure
• There are no services or applications before The Infrastructure is built
  - Roads generate no benefit, transportation does
  - People do not buy cars unless there are roads
• Infrastructure first
Moral (2)
• Roads were ready in 2006
• Since then we have been teaching people about the wonders of transportation
  - Car manufacturing (services)
  - Driving schools (promotion & awareness)
The Result
• 560 000 ID-card users
  - ~50% of cardholders
• 360 000 “frequent users”
  - have used it within past 6 months
• Around 3 million signatures created per month
• Around 5 million e-authentications per month
• 1/4 of votes are cast electronically (2011)
• Enormous savings in time and environment
Additional Information
• PKI & CA: www.sk.ee
• ID-card practices: www.id.ee
• Digital signature software: www.openxades.org
• I-voting: www.vvk.ee
Contact point:
tarvi@sk.ee