Evolution in cross-border interoperability of eSignatures and eID
Tarvi Martens, SK, Estonia

Let’s read the title again!
• “Evolution in cross-border interoperability of eSignatures and eID”
• Prerequisites:
• eID
• eSignature
• Evolution
• Cross-border interoperability

Summary of current situation
• eID deployment:
• Some countries are leading
• Some countries have “odd” solutions and/or are stalled
• A number of countries have plans
• A number of countries do not even have a plan
• Deployment: 5-10 years
• eSignature practice:
• Used mostly in closed systems
• No common understanding of “free-flowing digitally signed file”

Use of eID & eSignature in Estonia
• ID-card launched 6 years ago
• Rollout “completed”, 1M+ cards out
• Common system for eSignatures, widely accepted and deployed for 5+ years
• All major e-services support ID-card
• Internet voting deployed . . .
• ~80 000 users

Cross-border interoperability
• eID uptake low
• Even worse with eSignatures
• <1% of transactions cross-border
Cross-border interoperability ???

Manchester declaration
• By 2010 European citizens and businesses shall be able to benefit from secure means of electronic identification that maximise user convenience while respecting data protection regulations.
• By 2010 Member States will have agreed a framework for reference to and where appropriate the use of authenticated electronic documents across the EU, as appropriate in terms of necessity and applicable law

Drivers behind interop
• Political
• eProcurement
• Service Directive
• Business
• eBanking etc.
• General
• Common understanding of digital signature
• Standardization in industry (cards, tools etc.)

Evolution: yes!
• Technically repeatedly piloted
• IDABC Bridge/Gateway v.1.
• European Bridge-CA (TeleTrust, Germany)
• Euro-PKI, GUIDE, ...
• openvalidation.org
• Initiatives to be observed today
• Det Norske Veritas e-notary service
• Spanish eGov Validation Gateway
• eApostille
• Upcoming IDABC Bridge/Gateway v.2.
• Upcoming eID Large Scale Project

Organizational issues
• Paper-ID interoperability works!
• Miracles happen at border points
• Organizational set-up of Paper-ID interop:
• ICAO sets standards
• Continuous information exchange by network of MoIA-s to the borderguards etc.
• Organizational set-up of eID interop ???
• Standards are not strict and not imposed
• Continuous information exchange is missing completely

Need for (foreign) eID info
• Collecting and managing eID/service info is a daily job, not project-based
• What info is needed?
• Certificate validity (reference)
• Certificate semantics
• Certificate quality (!!!)
• Hardware token vs. software certificate
• Quality of service provider & certificate
• Context of certificate issuance
• ......

Handling foreign eID
[Diagram labels: Service Provider; “What certificate is that?”; Certificate quality / semantics / validity; “Identity hub”; Certification & validation service providers; foreign user]

eSignature handling
[Diagram labels: “What document is that?”; “E-notary”; “What certificate is that?”; “translation” and assessment; Certificate quality / semantics / validity; “Identity hub”; Digital signing software providers; Certification & validation service providers]

Who will run the Identity Hub?
• EC does not have a mandate (yet)
• A single MS cannot afford it (to cover all Europe/World)
• No actual demand (read: need covered with money)
• Low volume of international transactions
• Uptake of national eID-s is still underway
• We need clear political agreement to create such a service at EU level
• In future we can envisage a situation where every MS runs its own “e-borderguard”

The Other Direction - Harmonization
• Standardization
• European Citizen Card (ECC)
• Common middleware
• OpenSC
• Windows Vista plug-and-play for smartcards
• Various approaches and initiatives to solve differences in middleware layer

Legal problems
• There is no eAuthentication Directive
• National legislations hardly touch the subject
• SP: “Who to sue if I make a wrong assessment on certificate inheritance/validity?”

Bottom Line
• We need to create and distribute eID-s first
• Preferably PKI-based qualified certificates
• Then teach holders of eID-s to use them
• Estonian case: penetration ≠ usage
• But interop shall be addressed NOW
• Without vision, political will and hard work there would never have been such a thing as the EU

firstname.lastname@example.org Thank You!