
Sector Specific eID Solutions or User Centric Universal eID?




  1. Sector Specific eID Solutions or User Centric Universal eID?
     Libor Neumann, ANECT a.s., Czech Republic
     Libor.Neumann@anect.com

  2. Currently No Multisector Solution Available
     • Service provider centric strategy -> sector specific solutions
     • SSEDIC defined 33 stakeholders' sectors
     • Third party based solutions (sometimes using specific eID tokens)
       • e-citizen cards
       • e-health insurance cards, e-health professional cards
       • e-driver licence
     • No large scale multi-sector or global strong authentication system is used
     • Low acceptance level of large scale PKI based eID (3-20%)
     • Login/password is still the most frequently used eID
       • >90% - GARTNER 2011
       • It is about 40 year old technology with well known weaknesses

  3. Issues - I
     • Gradual increase of complexity
       Adding a single negligible triviality would seem to pose no problem, but the long-term large-scale effects lead to unacceptable threats
       • Password
       • PKI maintenance (by end user)
       • Attributes in certificates
     • Ownership of third parties
     • Third party eID attributes management (Timing & Privacy)
       Large scale trends - increasing number of attributes (sectors, relying parties):
       • increases complexity and acceptability of identity proofing process
       • increases privacy protection risks
       • decreases validity time of eID record (certificate)

  4. Issues - II
     • Access right management
       Some sectors need specific access right management:
       • Short time change (in a few seconds - critical situation management)
       • Backward access verification (life protection situation in health care)
       • End user controlled access rights (social networks, health care)
     • Authentication and authorisation are the limiting factor of security
       Third party does eID decisions and security decisions - relying party ICT system security is dependent on third party
       • Should many sectors' security rely on one third party?
       • Who is responsible for what?
       • Ideal target for attackers
       • The shared third party cannot be controlled by many relying parties from many sectors
     • Security control paradox
       • Relying parties need many third parties.
       • End user needs minimal number of third parties.

  5. User Centric eID requirements
     • User centric environment examples
       • Car user experience
       • Telephone user experience
       • Internet user experience
     • History of success stories
       • History of telecommunication
       • Predecessors of internet, DARPA project
     • Lessons learned
       • NO centralised hubs
       • Service oriented layered architecture
       • Open widely and voluntarily accepted high quality interface standard

  6. Theoretical essentials
     Cyber Identity is an abstract artificial identity used in cyber space.
     • It can work with digital information only, and there is no way to distinguish original information from copied information in cyber space.
     • Cyber Identity is based on provable ignorance of dynamic and easily faked information where identity verification should operate remotely.
     Human Identity is the standard identity used by people in social communication.
     • Based on knowledge of a face, a name, behaviour, etc. and the ability to compare this knowledge with reality.
     • Human Identity is based on known, stable and hard-to-fake real-world features where identity can be verified only locally.
     We must not confuse them!!!
     Cyber access management needs access right attributes, NOT a Human Identity !!!

  7. New generation distributed global eID ecosystem
     • Required features:
       • Cyber identity service oriented (no products, no data structures)
       • Fully distributed (no central system/service is required)
       • Seamlessly interoperable (voluntary use of open interface standards)
       • Layered design (use of multiple simple abstractions)
       • Highly automated (supporting high productivity)
       • User centric (can be voluntarily, globally and easily used by end user)
       • Secure - balanced in all security areas (confidentiality, data integrity, service accessibility and non-repudiation)
       • Manageable in large scale (supporting ICT system security and access right management with needed identity management)
       • Supporting long term sustainable development (e.g. new currently unknown cryptography).
