
eID in EMEA & QuEST


eID in EMEA & QuEST. Ronny Bjones, Security Program Manager, Microsoft EMEA. Agenda: What is happening in Europe; Our technology support; QuEST; Conclusions. What is driving national smart card projects in Europe? eGovernment - eID: Identification of citizens on the portals & counters



Ronny Bjones

Security Program Manager

Microsoft EMEA

Agenda

  • What is happening in Europe

  • Our technology support

  • QuEST

  • Conclusions

What is driving national smart card projects in Europe?

  • eGovernment - eID

    • Identification of citizens on the portals & counters

      • Austria

        • 60k cards issued to students

        • Scholarships, Tuition fees

      • Italy

        • 1.5M cards produced, 600k distributed, another 2M in production

        • Registration & tax services, e-signing of documents, etc.

      • Estonia

        • 500K cards distributed (50% penetration)

        • Tax services, e-ticketing, etc.

What is driving national smart card projects in Europe?

  • Social security

    • Use of smart cards to protect privacy sensitive data

      • Belgium

        • SIS card issued to all citizens

        • Doctors, pharmacies

      • Norway

        • National office for social assurance

        • All doctors, hospitals

        • PKI-based card, set of projects to simplify social security reporting

Norway

[Diagram labels: Regional health care institutions; National databases & services (National db on use of drugs, My health, National health); Root CA; Population database (Personal ID number); Municipality: Health care in institutions and private homes; Payment; Time stamp; Citrix farm; Citrix ticket; Root CA; Public Health cards containing certificates; Professional Health cards containing certificates]

Slide courtesy of ERGO

Impact of the EC Directives

  • EC Directive on Electronic Signatures (1999)

    • Legal framework for electronic signatures

    • Adopted in all EU member states (25) + EEA (3) + Candidates (2) + MEA (2+)

  • EC Directive on e-Invoicing (2001)

    • Acceptance of electronic invoices

    • Security based on AES or Secure EDI

    • Important for the development of the supporting national PKI infrastructures

  • EC Directive on e-Procurement (in development)

More numbers

Source: EC DG Information Society 2003

Typical Scenarios

  • Secure eGovernment, eBanking, eBusiness requires security services

    • Authentication

    • Data Confidentiality

    • Data Integrity

    • Non-repudiation

  • How are these services facilitated by eID?

Authentication

  • Verify the identity of citizens by means of eID

    • TCOS of Identity management is high

    • Organisations can rely on the work done by the governments and enrol users over the Internet

Confidentiality

  • Basic algorithms to encrypt information are foreseen in most eID projects

    • Belgian eID does not foresee a certificate for encryption

Integrity & Non-repudiation

  • How can we be sure that the data was not altered?

  • How can we have proof in a case of law that a certain individual did this transaction?

  • Typically done by Electronic Signatures which are supported by most eID projects

  • Signing of forms, electronic documents

Agenda

  • What is happening in Europe

  • Our technology support

  • QuEST

  • Conclusions

Microsoft Smart Card Support

  • Windows Logon

    • Standard support for smart cards

    • GINA Custom models

    • Full integration with AD

    • Terminal Server (W2K3)

  • Applications can interface smart cards through

    • CryptoAPI/CAPICOM

    • .Net Framework

Microsoft Smart Card Support

  • For vendors

    • PC/SC

    • Plug into CryptoAPI (custom CSP)

    • New smart card base CSP

Smart card enabled technologies

  • SSL – Internet Explorer

  • Secure email (S/MIME) – Outlook (Express)

  • VPN – W2K, XP, W2K3

  • Secure form – InfoPath

  • Document signing (Word, Excel, PowerPoint)

  • Windows Rights Management – W2K3

  • Any third party CryptoAPI-enabled application

Agenda

  • What is happening in Europe

  • Our technology support

  • QuEST

  • Conclusions

QuEST

  • Qualified Electronic Signatures Tutorial

  • Demystify Qualified Electronic signatures

  • Best practice/guidance for designing a Qualified Electronic signature solution

Why did we develop QuEST?

  • Demystify the subject

    • General perception: Very complex subject

    • Multidisciplinary: Legal, Technology, Policy

  • A lot of customers will get QES as a requirement in the years to come

How to build a QES solution?

Approach

  • Provide guidance for customers

    • Project Managers & Architects

  • Design a knowledge base – Blueprints

    • Legal, Technology, Policy

    • Knowledge base for different audiences

  • Project Team Guide

    • Which questions should be answered by a project team to design a QES solution

    • Design process

  • Scenario – Contoso Lottery

    • Based on Norwegian Lottery

    • Show how a QES solution can be implemented on our platform

QuEST Background

EC Directive on Electronic Signatures

  • 1999

  • Mandates member states to change their laws

    • Electronic Signatures can be equivalent to handwritten signatures

    • If they are performed under certain conditions

      • European Electronic Signature Standardization Initiative (EESSI)

      • ETSI – CEN standards

      • Other standards

EESSI Standards Overview

  • Certification Service Provider

  • Trustworthy system (A II.f): CWA 14167-1, CWA 14167-2

  • Requirements for CSPs (A II): ETSI TS 101456

  • Time Stamp: ETSI TS 101861

  • Qualified certificate (A I): ETSI 101 862

  • Signature format & syntax (Advanced ES): ETSI TS 101733, ETSI TS 101903 (XAdES)

  • Signature creation process and environment (A III): CWA 14170

  • Signature validation process & environment (A IV): CWA 14171

  • Creation device (A III): CWA 14169

  • Relying party/verifier




EC Directive on Electronic Signatures

[Diagram labels: Electronic Signatures; Advanced Electronic Signatures; security technology based on PKI; all kinds of substitutes for penned signatures; Advanced Electronic Signature, Qualified Certificate, Secure Signature Creation Device]

Building a QES Solution

  • Mandatory Requirements

    • Relate to Directive on Electronic Signatures

    • Compliance

  • Additional Requirements

    • Risk management

    • Added-value elements before court

Mandatory Requirements

EC Directive on Electronic Signatures

  • Impact of Directive

    An independent arbiter (Judge/Notary) should follow harmonised criteria to decide whether a signature was valid at a certain moment of time

  • Legal requirements

    • Advanced Electronic Signature (AdES)

    • Qualified Certificate (QC)

    • Secure Signature Creation Device (SSCD)

Additional Requirements

  • Validation by an independent arbiter

    • How can we facilitate that an independent arbiter can still validate a signature in a period n years?

    • Electronic Signature Format

  • How can we reduce the risk that somebody can easily repudiate the signature?

    • Risk management

    • Standards and technology introduced to increase the overall security of a QES solution.

XAdES

  • XML Advanced Electronic Signatures

  • ETSI standard for XML Signatures

    • TS 101 903

    • Based on W3C XML Signatures

      • W3C adopted XAdES

    • Include signature qualifying properties

      • TS 101 733

      • Formats for advanced electronic signatures valid over a long period of time

  • Aimed at convincing an independent arbiter of the validity of a signature

Conclusion

  • eID is happening all over Europe and will become more and more a requirement in projects

  • We have a lot of technology available that allows you to use eID or to develop eID-based applications

  • Download our QuEST guide and get guidance on how to enable signature scenarios in your apps based on eID

Resources

  • Register for [email protected]: Register QuEST

  • EC Report: http://europa.eu.int/information_society/eeurope/2005/all_about/security/electronic_sig_report.pdf

  • Microsoft developers info: http://msdn.microsoft.com/security/

  • Microsoft Smart Card Base CSP: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/security/security/microsoft_smart_card_base_cryptographic_provider.asp


© 2003 Microsoft Corporation. All rights reserved.

This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.