Evolution in cross-border
interoperability
of eSignatures and eID
Tarvi Martens
SK, Estonia
Let’s read the title again!
• “Evolution in cross-border interoperability of eSignatures
and eID”
• Prerequisites:
• eID
• eSignature
• Evolution
• Cross-border interoperability
European
eID
landscape
eSignature landscape
Summary of current situation
• eID deployment:
• Some countries are leading
• Some countries have “odd” solutions and/or are
stalled
• Number of countries have plans
• Number of countries do not even have a plan
• Deployment: 5-10 years
• eSignature practice:
• Used mostly in closed systems
• No common understanding of “free-flowing
digitally signed file”
Use of eID & eSignature in Estonia
• ID-card launched 6 years ago
• Rollout “completed”, 1M+ cards out
• Common system for eSignatures, widely accepted and deployed for 5+
years
• All major e-services support ID-card
• Internet voting deployed
.
.
.
• ~80 000 users
Cross-border interoperability
• eID uptake low
• Even worse with eSignatures
• <1% of transactions cross-border
Cross-border interoperability ???
Manchester declaration
• By 2010 European citizens and businesses shall be able to benefit
from secure means of electronic identification that maximise user
convenience while respecting data protection regulations.
• By 2010 Member States will have agreed a framework for reference to
and where appropriate the use of authenticated electronic documents
across the EU, as appropriate in terms of necessity and applicable law
The road to Nirvana i2010
Drivers behind interop
• Political
• eProcurement
• Service Directive
• Business
• eBanking etc.
• General
• Common understanding of digital signature
• Standardization in industry (cards, tools etc.)
Evolution: yes!
• Technically repeatedly piloted
• IDABC Bridge/Gateway v.1.
• European Bridge-CA (TeleTrust, Germany)
• Euro-PKI, GUIDE, ...
• openvalidation.org
• Initatives to be observed today
• De Norske Veritas e-notary service
• Spanish eGov Validation Gateway
• eApostille
• Upcoming IDABC Bridge/Gateway v.2.
• Upcoming eID Large Scale Project
Organizational issues
• Paper-ID interoperability works!
• Miracles happen in border points
• Organizational set-up of Paper-ID interop:
• ICAO sets standards
• Continuous information exhange by network of MoIA-s
to the borderguards etc.
• Organizational set-up of eID interop ???
• Standards are not strict and not imposed
• Continuous information exhange is missing completely
Need for (foreign) eID info
• Collecting and managing eID/service info is a daily
job, not project-based
• What info is needed ?
• Certificate validity (reference)
• Certificate semantics
• Certificate quality (!!!)
• Hardware token vs. software certificate
• Quality of service provider & certificate
• Context of certificate issuance
• ......
Handling foreign eID
Service
Provider
“What certificate
is that?”
Certificate quality /
semantics / validity
“Identity hub”
Certification & validation
service providers
foreign user
eSignature handling
“What document
is that?”
“E-notary”
“translation” and
assessment
“What certificate
is that?”
Certificate quality /
semantics / validity
“Identity hub”
Digital signing
software providers
Certification & validation
service providers
Who will run the Indentity Hub ?
• EC does not have mandate (yet)
• Single MS cannot afford it (to cover all Europe/World)
• No actual demand (read: need covered with money)
• Low volume of international transactions
• Uptake of national eID-s is still underway
• We need clear political agreement to create such a service in EU
level
• In future we can envisage situation where every MS runs its own
“e-borderguard”
The Other Direction - Harmonization
• Standardization
• European Citizen Card (ECC)
• Common middleware
• OpenSC
• Windows Vista plug-and-play for smartcards
• Various approaches and initiatives to solve differences in
middleware layer
Legal problems
• There is no eAuthentication Directive
• National legislations hardly touch the subject
• SP: “Who to sue if I will make wrong assessment on
certificate inheritance/validity ?”
Bottom Line
• We need to create and distribute eID-s first
• Preferably PKI-based qualified certificates
• Then teach holders of eID-s to use them
• Estonian case: penetration ≠ usage
• But interop shall be addressed NOW
• Withouht vision, political will and hard work there
would never been such thing as EU
Thank You!
tarvi@sk.ee