Joint workshop of Porvoo and GCF hosted by the Porvoo 7 meeting

May 26 2005, Reykjavik, Iceland

moderated by Jan van Arkel, co–chair Porvoo

acting chair GCF

Shaking hands ……..

Porvoo Group

Established in Porvoo in April 2002

A co-operative network of parties in charge of public certificates for citizens

Information exchange on eID experiences and nationaleID-projects in Europe

Develops the general usage of public certificates in The European Electronic Communication

Promotes the use of certificates and aims at making communication more convenient and offer where possible, a uniform solution for the European Citizen

•

Global Collaboration Forum on world-wide interoperable IAS

Established in 2001 (as follow up of earlier EU-Japan contacts)

Participants: eESC, NICSS, NIST, Global Platform, Maosco, ISO

Regular bi-annual meetings ( Iceland is GCF 8)

Rotating chair (presently held by EU)

Products so far: - Mapping document of GIF/GSC-IS and NICSS Framework

- Common Glossary of terms (in line with CWA 15264) - Draft for Common Requirements for eID in eGovernment domain (in line with CWA 15264) - common position on ISO 7816-13 - Individual contributions to ISO 24727

eESC - GlF CWA 15264 eAut CEN 224_15 ECC

NICSS-Framework V1.0(NICSS)

GSC-Framework V2.1(NIST) & FIPS 201

The 3 regional frameworksThe 3 regional frameworks

Short-term activities:

GCF

Long-term and Short-term Scopes of GCFLong-term and Short-term Scopes of GCF

To share the information about participants’ activities and overall short-term activities and to discuss common issues of interest

To hold 2 Plenary Meetings annually Activities related to long-term scopes are taken for two years as a start.

Afterwards it is decided if these need to be continued.

Long-termActivities

Short-termActivities

Each participant takes leadership in an area of his interest.

WG are established as required. The proposing participant is the leader.

E-Authentication

MRTD

DL Scheme for Multi-AP SC

Participants (organizations):- Global Platform- Eurosmart- MAOSCO- ISO

EU update ( J. van Arkel)

US eID development status update, Jim Dray, NIST, USA) - Homeland Security Presidential Directive HSPD No. 12 - status of FIPS 210 standard - status of ISO 24727, - status and plans for deployment

Japan status update - Japanese developments on eID, Hiroshi Shimada, Fujitsu/NICSS

- Status of Asian Smart Card Forum, Shoji Miyamoto (Hitachi)

Discussion on a World eID Steering Committee ( by all ) rationale for the joint workshop

Agenda for the joint workshop

Legal issue

Standardisation

Deployment

EU update

Procedure when issuing an eID

Content of eID Cardholder verification procedures

Data Protection

Liability

Revocation of eID

What needs to be regulated?

Privacy Directive + implementation in national legislation

E-sign Directive + implementation in national legislation

IAS: Discussion on Thomas Myhr report

EU council regulation on ePassports 15152/04 ; 2252/04 dd 13 Dec. 2004; Decision of the EC 28 Feb. 2005 (technical specification in relation to standards on security and biometrics for Passports and travel documents) Pending: technical specification on fingerprint in passport

What is already in place in the EU?

Legal Standardisation

Deployment

Status in eID

CEN/ISSS WS eAuthentication (Government requirements, Architectural model,

Business models, Legal Framework, Card issuer guidelines, Multi-application environment, Human interface aspects, eID policy vision)

CEN 224 WG 15 European Citizen Card (Policy and rules for CMS, Physical and logical card characteristics, data elements and structures, IAS procedures, Durability aspects)

Europe

CWA 15264- part 1: Architecture for a European interoperable eID system within a smart card infrastructure 

CWA 15264- part 2: Best Practice Manual for card scheme operators exploiting a multi-application card scheme incorporating interoperable IAS services

CWA 15264- part 3: User Requirements for a European interoperable eID system within a smart card infrastructure eID Strategic Vision Report

Download area: http://www.cenorm.be/cenorm/businessdomains/businessdomains/isss/activity/wseaut.asp

Results of WS eAut

Workgroup was launched in Feb 2004

Chair: L. Gaston, Axalto, Secretariat: AFNOR

Constituency: 20+ organisations

2 Subgroups are active: SG 1: Physical aspects; SG 2: Logical data aspects

Final meetings on May 11-12, 2005 in Vienna

2 part Technical Standard will be out for voting after CEN 224 approval (additional parts on ECC management & business models and SC durability

classes is pending)

Status of CEN 224 –WG 15 ECC

The eID systems shall support a secure and reliable cardholder electronic signature funtion for the purpose of legal validaty of the signature

For Europe the PKI system elements of the system shall be in complicance with the qualified digital signature as per article 5.1 of the EU directive 1999/93/EC on a Community framework for electronic signatures

The PKI system elements shall be in compliance with ETSI QCP 101456

The PKI system elements shall be in compliance with CWA 14890 parts 1 –2

Electronic signature status

ISO/IEC 19784-1 BioAPI, BioAPI specification

ISO/IEC 19785-1 Common Biometric Exchange formats (CBEFF) Part 1: Data Element Specification

ISO/IEC 19794-2 Biometric Data Interchange Format Part 2: Finger Minutiae Data Part 8: Finger Pattern Skeletal Data (Porvoo position?) Part 4: Finger Image Data (Porvoo position?) SC 17 : ISO/IEC 7816-11 : Personal verification through biometric methods in ID’s

Biometrics, SC 37

ISO SC 17

SC standard ISO/IEC 24727 part 1: architecture

part 2: card interface (card edge)part 3: high level application API (BSI)

(will be addressed by Jim Dray)

Deployment will be addressed by US, Japan and EU country updates.

ISO SC 17

Discussion on a World-wideeID Steering committee

Discussion on the concept of a World eID Steering Committee

Excerpt from the agenda:

The idea was launched at the Smart Card Charter conference in December 2004 in Prague. A first version of a vision paper is downloadable from the Porvoo 7 website. The basic idea being a mandated group of Government representatives on eID, setting World wide common requirements and stimulating the realisation of interoperability (adaptors).

World eID forum document draft version 1.1. February 14 2005

Table of Content

1. Rationale 2. Vision 3. Scope 4. Objective5. Participants6. Organisation7. Related organisations8. Activities and Deliverables9. Support and funding mechanism

global support of eServices (building block for trust, security, and convenience, without e-ID there is no real national and global eGovernment)

global combating of ID Fraud (causes more and more of a problem)

global anti-terrorism measure

Building a more global (European) society (making persons aware to be a –relevant- part of society as well as offering them a seamless experience)

Vision: Why global eID?

Some inhibitors so far

No strong leadership, no formal cooperation

State of the art of the technology and standardisation (dripping wet)

Costs and benefits, business cases

Not invented here (Scandinavia, GIXEL, DIF, other countries)

EU 2004 Report: Rethinking the European ICT agenda (10 ICT-Breakthroughs for reaching Lisbon Goals)

The breakthrough that is needed is an increased ICT utilisation by establishing:

- Authentication: Pan-European interoperability (minimum) or standardization (preferred) of authentication systems/platforms - Security: Pan-European emphasis on security standards in relation to access, identity theft and secure transactions

Policy support of IAS (1)

Resolution of the future Information Society policyof the Union adopted on 10 December 2004 bythe Council of the European Union (one of the 6 priorities):

To create a favourable environment for industry and the public sector to develop, both in Europe and globally, effective and interoperable solutions, in particular for electronic payments, authentication, identity management as well as security.

Policy support of IAS (2)

Policy support of IAS (3)

G8 2004 Summit endorsed the statement

“Accelerate development of international standards for the interoperability of government-issued smart chip passports and other government-issued identity documents. We will work for implementation by the 2005 Summit“

http: //www/g8usa.gov/d 060904f.htm

There are relevant use cases for

IAS (TC224/WG15)

1. E-Mail encryption and digital signature2. The National Tax Board and administration3. The National Social Insurance Board4. Employee ID (physical & logical access)5. Medical services access6. Industrial security 7. National archive access 8. Public registries access

European ID Management Projects

Modinis Study (operational) • Support progress towards a coherent approach in electronic identity

management• Provide information on eID technologies, related market developments and

technical requirements • Provide a prospective analysis of possible initiatives and solutions at

European level

The GUIDE Project (FP6, operational)Research and develop an open identity management architecture as core technology for e-Government solutions

• To create a world-class and innovative European e-Government market. • To demonstrate and evaluate solutions in the three major areas of e-

Government services: A2A, A2B & A2C

CEN/ISSS WS MMUSST (operational)

TIFI project (under evaluation) Porvoo signed declaration of cooperation)

E-Sign KCWA 14890

eEpoch WP3BIKE

WSeAutCWA 15264

E-Sign GIF

CEN/ISSS eEurope SC Charter

TC224 WG15

TS ECC

SC17 WG4ISO/IEC 24727

Overview of relevant actors

Policy makers on eID in EU and other regions

Standardisation bodies CEN CEN 224/WG 15 ECC CEN/ISSS CWA 15264, CWA 14890 ISO ISO/IEC 24727 Regional standardisation US FIPS 201, Japanese ICSS, Asian Card Forum

EU Industry consortia: Germany: DIF France: GIXEL

Porvoo Common Requirements Eepoch BIKE GCF Cooperative Framework

EU projects Guide, Modinis, Impact, Regional & national deployment

Report CEN/ISSS Focus group on eHealth (March 1, 2005)

Establishing an Interoperability PlatformThe Member States, with the Commission, should establish a permanent platform with a mandate, and the necessary resources to promote eHealth interoperability based on standards and to facilitate co-operation between Member States.

This eHealth interoperability platform should:• establish a Europe-wide view on the requirements for standardisation and its

implementation in specific domains, in collaboration with standards organisations, based on input from relevant stakeholders communities;

• encourage and promote an environment for detailed specifications testing, evaluation or certification, to achieve interoperability of systems based on standards;

• establish a means for tracking and promoting good practice, and foster pilot implementations in compliance with the aforementioned environment;

• encourage agreements across national borders and between professional groups;• encourage the further development of an appropriate European legal and

regulatory framework;• promote the establishment of infrastructure services such as for the creation and

maintenance of terminology systems and knowledge repositories.

World eID Forum

Participants• Vision (everyone who shares the vision) • Interoperability charter (and signs the IOP charter)• Relevant stakeholders (eGovernment representatives) • Mandate (is this realistic?)

Organisation• New organisation? (preferable not, but how to organise?)• No legal entity• Chair and secretariat• No permanent staff

Activity plan

World eID Forum

Activity plan• Contributing to the legal issue of World wide interoperable eID

• Setting joint requirements for interoperable World wide eID

• Information exchange between participants on eID deployment

• Set-up, maintenance and exploitation of an eID-body of knowledge

• Exploiting an interoperability demonstrating and test environment, including Open Source solutions

• Issuance of eID interoperability compliance certificates

• Development of a eID Implementation and Guidance document offering- best practice information- choices in standards and preferred options in standards (PKCS #11 interface, PKCS #15 profile, harmonised Human Interface etc) - exploitation models- study into basic eID versus role based ID - study in International validation services etc ……….

World eID Forum

Support and funding mechanisms

Option 1: Virtual, non funded organisation, embedded/part of other organisation, like Porvoo, GCF, Modinis project, Guide project

Option 2: Separate body with participation fee from participants

Option 3: CEN/ISSS Workshop for 2 year period(meaning small participation fee)

Option 4: EU funded IST/IP project

Other options?

Questions for discussion ….

1. Is there a common understanding of the need?

2. Do we support the idea of a joint approach?

3. If yes, how to organise such an activity, in what context, and do we need more mandate?

4. What activities would we like to carry out?

5. ………….