
1 MINISTRSTVO ZA JAVNO UPRAVO 19.9.2015 Aleš Pelan, M.Sc. Directorate for e-Government and...

Date post: 28-Dec-2015

MINISTRSTVO ZA JAVNO UPRAVO

Aleš Pelan, M.Sc.
Directorate for e-Government and Administrative Processes
Ministry of Public Administration

SI-TSA

Certification service and electronic identification – PKI in Slovenian government

Ministry of Public Administration

www.mju.gov.si, e: [email protected] Tržaška cesta 21, 1000 Ljubljana t: 01 478 83 30, f: 01 478 83 31

Republic of Slovenia

Digital Certificate

Digital Certificate = Presents a modern alternative to old fashioned forms of identification

Content:

• Name and surname of the holder
• Unique number
• Public key
• E-mail address
• ...

Certified by the certificate authority

DN: cn=Ales Pelan, ou=certificates, o=state-institutions, c=si
Serial #: 8391037
Start: 15/7/2008 14:20
End: 15/7/2013 14:50
E-mail: [email protected]
CA DN: ou=SIGOV-CA, c=SI

Legal Bases for Digital Certificates

• Electronic Commerce and Electronic Signature Act (2001, amended in 2004)

• Decree on Conditions for Electronic Commerce and Electronic Signing

• Personal Data Protection Act

• Secret Data Protection Act

• CA Policy (public and internal part of rules)

Register of CSPs (Certificate Service Providers)

• Regulated in ECESA (electronic, digitally signed form)

• Managed by Ministry of Higher Education, Science and Technology

• Basis for Certificate-based e-services in Slovenia (instead of cross-certification)

• 5 CSPs issuing qualified certificates:
  • SI*CA (CA at MPA)
  • HALCOM CA
  • AC NLB
  • POŠTA CA
  • SI-MoD-CA

SI*CA

Slovenian Governmental Certification Authority

Slovenian General Certification Authority

SI*CA

SI-TSA: Slovenian Time Stamping Authority

Country Signing Certification Authority Slovenia

Types of digital certificates

Enterprise certificates

Usage:
• Encryption/decryption
• Digital signature
• Authentication
• Secure delete
• Web communication
• e-mail

Characteristics:
• Validity of keys:
  • 3 years en./de., signature
  • 5 years authentication
• Automatic extension of validity
• Keeping of decryption keys

Web certificates

Usage:
• Web communication (SSL, TLS)
• e-mail (S/MIME)
• Digital signature
• Authentication

Characteristics:
• Valid for 5 years
• No automatic extension of validity

(Diagram labels: private / public keys)

Types of digital certificates

Public administration

Enterprise certificates:
• employees
• organizational units
• servers
• TSA systems

Web certificates:
• employees
• organizational units
• servers
• code signers
• OCSP responders

Natural and legal persons

Enterprise certificates:
• employees
• organizational units
• servers

Web certificates:
• employees
• organizational units
• servers
• code signers
• citizens

SIGEN-CA public directory (digital certificates & CRL)

X500.gov.si (LDAP, HTTP access)

Directory tree nodes (from diagram):
• c=si
• o=state-institutions
• ou=sigen-ca
• ou=companies (firma1, firma2, firma3, …)
• ou=individuals
• ou=companies-web (firma1, firma2, firma3, …)

Connectional table

Levels of access:
- data acquisition
- data validation

Access for services:
- legal basis
- agreement

Data of certificate holders and legal persons:

serial number of       holder's        holder's     ID number of   tax number of
digital certificate    ID number       tax number   legal person   legal person
2345680712012          1103986715158   95962158     5874483000     28232801
2345680812017          1903969500853   32542186     5874483000     28232801
2345680912011          0104971500476   89159659     1358561000     33714789
2345681012014          0504953500645   16186575     1358561000     33714789
2345681112019          5119645002051   98783653     1358561000     33714789
2345681212013          2307976500283   11745889     5874424000     40016803
2345681312018          1403966500019   25978977     5874424000     40016803
…

Registration authority SI*CA

(Diagram: Applicant, Application, Policy, Registration authority, SIGOV-CA, SIGEN-CA, Reference number, Authorization code, DC holder)

Registration authority SI*CA

(Diagram: Citizens, Legal persons, Public Administration; Administrative units (68), Tax offices (24), MPA, Embassies & Consulates (45))

SI*CA certificates in e-services

• e-Government (e-SPA, OSS, e-taxes, Intrastat, e-notary, e-reporting, e-geodetic data, e-farm …)

• e-banking (Abanet, e-Banka Celje, DBS NET, Bank@Net, Dh-Plus, E-LON, KaD.Net …)

• e-businesses (SiOL, Elektro Ljubljana, Mobitel, miniMAX, EBA …)

• other (e-student, M servis …)

SI-TSA (Slovenian Time-Stamp Authority)

Trusted time stamp is an electronically signed certificate from a certifying authority that confirms data content at the stated time.

SI-TSA
• Issuing trusted time stamps for applications;
• Intended for public administration institutions and businesses (agreement);
• Interface: Web service (SOAP) and RFC 3161 ASN.1 service.
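
Added example (not part of the original slides, and not SI-TSA's own code): a standard-library Python sketch of the RFC 3161 TimeStampReq that a client of such an ASN.1 interface sends, showing that only a hash of the data reaches the time-stamp authority. The sample document, the nonce handling and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

# DER encoding of the SHA-256 OID 2.16.840.1.101.3.4.2.1
SHA256_OID = bytes.fromhex("0609608648016503040201")
SAMPLE_DOCUMENT = b"Constructed sample contract text, not real data"

def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def der_uint(value):
    """Encode a non-negative INTEGER, sized so the top bit stays clear."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))

def build_timestamp_request(document, nonce=None):
    """Build a DER TimeStampReq (RFC 3161, section 2.4.1) for a document."""
    digest = hashlib.sha256(document).digest()
    alg_id = der(0x30, SHA256_OID + der(0x05, b""))   # AlgorithmIdentifier
    imprint = der(0x30, alg_id + der(0x04, digest))   # MessageImprint
    if nonce is None:
        nonce = secrets.randbits(64)                  # ties the reply to this request
    cert_req = der(0x01, b"\xff")                     # certReq = TRUE
    return der(0x30, der_uint(1) + imprint + der_uint(nonce) + cert_req)

def read_tlv(buf, pos=0):
    """Decode one DER TLV at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def hashed_message(request):
    """Return MessageImprint.hashedMessage, the only document-derived field."""
    _, body, _ = read_tlv(request)
    _, _, pos = read_tlv(body)             # skip version
    _, imprint, _ = read_tlv(body, pos)    # MessageImprint
    _, _, pos = read_tlv(imprint)          # skip AlgorithmIdentifier
    tag, digest, _ = read_tlv(imprint, pos)
    if tag != 0x04:
        raise ValueError("hashedMessage must be an OCTET STRING")
    return digest
```

Over HTTP, RFC 3161 carries these bytes in a POST with Content-Type application/timestamp-query; the signed token in the reply should be checked against the same digest and nonce before it is stored.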

CSCA-SI (Country Signing Certification Authority - Slovenia)

• EU Member States must issue passports with Biometric identifiers (facial image) after 28 August 2006 - Council Regulation No 2252/2004 of 13 December 2004;

• Countries in the Visa Waiver Permanent Program had to fulfil the same requirement by 26 October 2006;

• Biometric data stored on a contactless radio chip and digitally signed;

• CSCA-SI issues digital certificates for Document Signers in Slovenia;

• Operational since June 2006.

Business issues

• PKI – one of infrastructural services at MPA

• availability of services:
  • free services for government and citizens
  • payable services for legal persons (16.000 contracts, 300.000 EUR of yearly income)

• maintenance costs:
  • usually as a percentage of purchase price
  • monthly cost per CA approx. 5.000 EUR (covering HW and SW for core CA and RA services; no costs for business premises, common infrastructure and employees included)

Critical success factors

• suitable internal organization
  • compulsory policy documents (CP, CPS…)
  • pre-defined standard procedures
  • strict division of responsibilities/roles
  • min two employees per role
  • trained staff (min 9 persons for 8 roles to be correctly covered)

• integration of certificates in e-services:
  • test PKI environment
  • tool for creating dig. signatures (XML/PDF)
  • CA certificates in web browsers (IE, FF…)

And the future?

• web RA
  • autoregistration
  • identification by Post

• m-PKI
  • certificates on mobile phones

• CVCA-SI
  • e-passports with fingerprints
  • CVCA -> DV -> IS

• e-ID
  • e-gov functionality (digital certificates)
  • project currently on-hold

Any further questions:

[email protected]

Additional information: http://www.gov.si/ca/eng/index.htm

[email protected]

