Digital signatures in DenmarkOCES 2.0
Boosting trust in the digital single market: The role of e-signature9-10 November 2011, Poland
Charlotte JacobySenior adviser, Master of lawCentre for Digital SignatureDanish Agency for Digitisation
Agency for DigitisationMinistry of Finance
Due to the inauguration of the new Danish government and changes in political areas, OCES and e-signature now resides in the Ministry of Finance
By 3. October 2011 The National IT and Telecom Agency was closed, tasks moved to The Danish Agency for Governmental Management
By 31. October 2011 The Danish Agency for Governmental Management was closed and two new Agencies formed. Tasks now in Danish Agency for Digitisation
Agenda
Background, ICT policy and principles National esignature standard OCES 1.0 National esignature standard OCES 2.0 –
NemID How does it work? Status today
Government globalisation strategy
At the latest in 2012 it should be possible to perform all relevant written communication between companies, citizens and the public sector digitally. Fremgang, fornyelse og tryghed, april 2006
Goals for reforming the public sector
Productivity and efficiency
Coherent infrastructure
Digital communication
The Danish esignature history
2000
OCES I – Digital Signature
2003 2004 2010
NemID
Qualified Certificate Pilots
OCES legal framework OCES Agreement with governmental agency State owned OCES Certificate Policies
requirements for the public key infrastructure level of security applied for the digital signature
CP’s part of agreement Agency for Digitasation supervisory authority Audit - annual report to the supervisory authority
including external system audit of the CA CA liable for the content of the certificate unless the CA
can prove that the CA has not acted negligently or intentionally
Goal and foundation of the OCES project OCES = Public Certificates for Electronic Services Goal:
A general open, scalable and transparent security infrastructure based on PKI
Controlled by the state and operated by private Certificate authorities (CA)
Foundation: Defining state-owned Certificate Policies (CP) An open architecture based on international standards –
OCES CP’s EU-Tender with a public private partnership in mind Establishing a non-discrimination approval process for
potential OCES CA’s
OCES CertificatesIssued as: Personal certificates – PID (a unique number related to civil
registration number) Employee certificates – RID/CVR (Employee number/Central
company number) Business certificates – CVR (Central company number) Device certificates – CVR (Central company number +
deviceID)Used for: Access control - Logon Secrecy - Encryption of e-mails Signature for e-mails, documents and web-sites (non-
repudiation)
Roles of interested parties
DanIDDanIDAgency forDigitisation
Citizens Public sector
Privatecompanies
OCES agreement
Commercial agreement
PKI services Guidance, monitoring, marketing etc.
Coordinating and recommendations
Develop. infrastructure
•OCES CPs•Supervision
Danish Standard Association
Vendors
Dialogue
OCES CA
OCES 1.0 – a good start
March 2003 – July 2010:
More than 1.88 million OCES 1.0 digital signatures were issued
Of these around 354.000 employee certificates among 132.000 companies/public authorities
Many public and some private services
Examples of electronic services using digital signatures (OCES 1.0 and 2.0)
Sundhed.dk – the public sector’s health portal The National Tax Authority The State Education Fund The City of Copenhagen Borger.dk – A portal for citizens used by all local authorities “danmark” – the private Danish health insurance company “Virk.dk” – the common public sector portal for companies
(potential 250.000 companies) ATP - the Danish supplementary labour market pension fund The Ministry of Education: Central Education Admission Portal Digital post – public electronic mailbox “Eboks” - private electronic mailbox
OCES 2.0 Tender demands Economy of the solution Security User friendliness and mobility Public as clear sender/owner Further penetration Functionality at least as today Continuity for services and easy migration for
users
New agreement (august 2008)
All citizens can still order and use digital signatures and get competent support free of charge
Companies and public authorities can order and use up to three employee certificates free of charge
Public authorities can receive certificates for a five year period
OCES 2.0 - NemID
NemID is the new national digital signature
NemID used for log-on, signing and secure e-mail
Access to online banking in all Danish
Access to a large number of public services
NemID use from any computer
NemID based on 2-factor security
Private service providers use NemID
Mobility
Security
Penetration
User-Friendly
FrequentUse
OCES 2.0 - NemID Centrally securely stored private keys
Access with 2-factor authentification independant of pc Something you know (password) Something you have (one time password)
CA certificates 2048 – 4096 bits RSA SHA256
End user certificates 2048 bits RSA SHA256
CRL’s and OCSP
Common use of infrastructure
DanID
OCESSignatures
NetbankSignatures
OTPServer
Netbank
Applet
TaxLarger penetration
Larger effiency potential
Frequent use
Remember password
End user registration – based on requirementsfrom law on money laundry and terror funding
CA/DanID
Netbank
Citizen service centresTax centres
NemID.nu
Identity known -Code card sentto registeredCPR-address
Physical presence –On site issuancehandover of Activationpassword and code card
Identity unknown -Activation password andcode card sent toregistered CPR-address
Tax authorities
Signature server
Internet
Publiclyfinanced
Helpdesk
Citizen
HSM
OTP-server
NemID PenetrationPenetration status today 3,000,000+ active users
Supported by all major government sites Supported by all banks for ebanking
Around 1.500 new users per day
Around 140 private service provider agreements
1,000,000 transactions per day average
More than 450 transactions since 1st July 2010
References and links
The official Danish NemID website: http://www.nemid.nu (some in English)
The official Danish site for publishing the OCES certificate policies (now available in English):
https://www.oces.dk
OIO - Public Information Online - http://www.oio.dk/english
The official site of the Danish eGovernment programme: http://www.e.gov.dk/english
