Joint workshop of Porvoo and GCF hosted by the Porvoo 7 meeting
May 26 2005, Reykjavik, Iceland
moderated by Jan van Arkel, co–chair Porvoo
acting chair GCF
Shaking hands ……..
Porvoo Group
Established in Porvoo in April 2002
A co-operative network of parties in charge of public certificates for citizens
Information exchange on eID experiences and national eID-projects in Europe
Develops the general usage of public certificates in The European Electronic Communication
Promotes the use of certificates and aims at making communication more convenient and offering, where possible, a uniform solution for the European Citizen
Global Collaboration Forum on world-wide interoperable IAS
Established in 2001 (as follow up of earlier EU-Japan contacts)
Participants: eESC, NICSS, NIST, Global Platform, Maosco, ISO
Regular bi-annual meetings (Iceland is GCF 8)
Rotating chair (presently held by EU)
Products so far:
- Mapping document of GIF/GSC-IS and NICSS Framework
- Common Glossary of terms (in line with CWA 15264)
- Draft for Common Requirements for eID in eGovernment domain (in line with CWA 15264)
- Common position on ISO 7816-13
- Individual contributions to ISO 24727
eESC - GIF CWA 15264 eAut CEN 224_15 ECC
NICSS-Framework V1.0(NICSS)
GSC-Framework V2.1(NIST) & FIPS 201
The 3 regional frameworks
Short-term activities:
GCF
Long-term and Short-term Scopes of GCF
To share the information about participants’ activities and overall short-term activities and to discuss common issues of interest
To hold 2 Plenary Meetings annually
Activities related to long-term scopes are taken for two years as a start.
Afterwards it is decided if these need to be continued.
Long-term Activities
Short-term Activities
Each participant takes leadership in an area of his interest.
WG are established as required. The proposing participant is the leader.
E-Authentication
MRTD
DL Scheme for Multi-AP SC
Participants (organizations):
- Global Platform
- Eurosmart
- MAOSCO
- ISO
EU update (J. van Arkel)
US eID development status update (Jim Dray, NIST, USA)
- Homeland Security Presidential Directive HSPD No. 12
- status of FIPS 210 standard
- status of ISO 24727
- status and plans for deployment
Japan status update
- Japanese developments on eID, Hiroshi Shimada, Fujitsu/NICSS
- Status of Asian Smart Card Forum, Shoji Miyamoto (Hitachi)
Discussion on a World eID Steering Committee (by all) rationale for the joint workshop
Agenda for the joint workshop
Legal issue
Standardisation
Deployment
EU update
Procedure when issuing an eID
Content of eID
Cardholder verification procedures
Data Protection
Liability
Revocation of eID
What needs to be regulated?
Privacy Directive + implementation in national legislation
E-sign Directive + implementation in national legislation
IAS: Discussion on Thomas Myhr report
EU council regulation on ePassports 15152/04; 2252/04 dd 13 Dec. 2004; Decision of the EC 28 Feb. 2005 (technical specification in relation to standards on security and biometrics for Passports and travel documents)
Pending: technical specification on fingerprint in passport
What is already in place in the EU?
Legal Standardisation
Deployment
Status in eID
CEN/ISSS WS eAuthentication (Government requirements, Architectural model, Business models, Legal Framework, Card issuer guidelines, Multi-application environment, Human interface aspects, eID policy vision)
CEN 224 WG 15 European Citizen Card (Policy and rules for CMS, Physical and logical card characteristics, data elements and structures, IAS procedures, Durability aspects)
Europe
CWA 15264- part 1: Architecture for a European interoperable eID system within a smart card infrastructure
CWA 15264- part 2: Best Practice Manual for card scheme operators exploiting a multi-application card scheme incorporating interoperable IAS services
CWA 15264- part 3: User Requirements for a European interoperable eID system within a smart card infrastructure
eID Strategic Vision Report
Download area: http://www.cenorm.be/cenorm/businessdomains/businessdomains/isss/activity/wseaut.asp
Results of WS eAut
Workgroup was launched in Feb 2004
Chair: L. Gaston, Axalto, Secretariat: AFNOR
Constituency: 20+ organisations
2 Subgroups are active: SG 1: Physical aspects; SG 2: Logical data aspects
Final meetings on May 11-12, 2005 in Vienna
2 part Technical Standard will be out for voting after CEN 224 approval (additional parts on ECC management & business models and SC durability classes are pending)
Status of CEN 224 - WG 15 ECC
The eID systems shall support a secure and reliable cardholder electronic signature function for the purpose of legal validity of the signature
For Europe the PKI system elements of the system shall be in compliance with the qualified digital signature as per article 5.1 of the EU directive 1999/93/EC on a Community framework for electronic signatures
The PKI system elements shall be in compliance with ETSI QCP 101456
The PKI system elements shall be in compliance with CWA 14890 parts 1-2
Electronic signature status
ISO/IEC 19784-1 BioAPI, BioAPI specification
ISO/IEC 19785-1 Common Biometric Exchange formats (CBEFF) Part 1: Data Element Specification
ISO/IEC 19794-2 Biometric Data Interchange Format Part 2: Finger Minutiae Data
Part 8: Finger Pattern Skeletal Data (Porvoo position?)
Part 4: Finger Image Data (Porvoo position?)
SC 17: ISO/IEC 7816-11: Personal verification through biometric methods in ID’s
Biometrics, SC 37
ISO SC 17
SC standard ISO/IEC 24727
part 1: architecture
part 2: card interface (card edge)
part 3: high level application API (BSI)
(will be addressed by Jim Dray)
Deployment will be addressed by US, Japan and EU country updates.
ISO SC 17
Discussion on a World-wide eID Steering committee
Discussion on the concept of a World eID Steering Committee
Excerpt from the agenda:
The idea was launched at the Smart Card Charter conference in December 2004 in Prague. A first version of a vision paper is downloadable from the Porvoo 7 website. The basic idea being a mandated group of Government representatives on eID, setting World wide common requirements and stimulating the realisation of interoperability (adaptors).
World eID forum document draft version 1.1. February 14 2005
Table of Content
1. Rationale
2. Vision
3. Scope
4. Objective
5. Participants
6. Organisation
7. Related organisations
8. Activities and Deliverables
9. Support and funding mechanism
global support of eServices (building block for trust, security, and convenience, without e-ID there is no real national and global eGovernment)
global combating of ID Fraud (causes more and more of a problem)
global anti-terrorism measure
Building a more global (European) society (making persons aware to be a -relevant- part of society as well as offering them a seamless experience)
Vision: Why global eID?
Some inhibitors so far
No strong leadership, no formal cooperation
State of the art of the technology and standardisation (dripping wet)
Costs and benefits, business cases
Not invented here (Scandinavia, GIXEL, DIF, other countries)
EU 2004 Report: Rethinking the European ICT agenda (10 ICT-Breakthroughs for reaching Lisbon Goals)
The breakthrough that is needed is an increased ICT utilisation by establishing:
- Authentication: Pan-European interoperability (minimum) or standardization (preferred) of authentication systems/platforms
- Security: Pan-European emphasis on security standards in relation to access, identity theft and secure transactions
Policy support of IAS (1)
Resolution of the future Information Society policy of the Union adopted on 10 December 2004 by the Council of the European Union (one of the 6 priorities):
To create a favourable environment for industry and the public sector to develop, both in Europe and globally, effective and interoperable solutions, in particular for electronic payments, authentication, identity management as well as security.
Policy support of IAS (2)
Policy support of IAS (3)
G8 2004 Summit endorsed the statement
“Accelerate development of international standards for the interoperability of government-issued smart chip passports and other government-issued identity documents. We will work for implementation by the 2005 Summit“
http://www.g8usa.gov/d_060904f.htm
There are relevant use cases for
IAS (TC224/WG15)
1. E-Mail encryption and digital signature
2. The National Tax Board and administration
3. The National Social Insurance Board
4. Employee ID (physical & logical access)
5. Medical services access
6. Industrial security
7. National archive access
8. Public registries access
European ID Management Projects
Modinis Study (operational)
• Support progress towards a coherent approach in electronic identity management
• Provide information on eID technologies, related market developments and technical requirements
• Provide a prospective analysis of possible initiatives and solutions at European level
The GUIDE Project (FP6, operational)
Research and develop an open identity management architecture as core technology for e-Government solutions
• To create a world-class and innovative European e-Government market.
• To demonstrate and evaluate solutions in the three major areas of e-Government services: A2A, A2B & A2C
CEN/ISSS WS MMUSST (operational)
TIFI project (under evaluation) (Porvoo signed declaration of cooperation)
E-Sign K CWA 14890
eEpoch WP3 BIKE
WS eAut CWA 15264
E-Sign GIF
CEN/ISSS eEurope SC Charter
TC224 WG15
TS ECC
SC17 WG4 ISO/IEC 24727
Overview of relevant actors
Policy makers on eID in EU and other regions
Standardisation bodies
CEN: CEN 224/WG 15 ECC
CEN/ISSS: CWA 15264, CWA 14890
ISO: ISO/IEC 24727
Regional standardisation: US FIPS 201, Japanese ICSS, Asian Card Forum
EU Industry consortia: Germany: DIF France: GIXEL
Porvoo Common Requirements Eepoch BIKE GCF Cooperative Framework
EU projects Guide, Modinis, Impact, Regional & national deployment
Report CEN/ISSS Focus group on eHealth (March 1, 2005)
Establishing an Interoperability Platform
The Member States, with the Commission, should establish a permanent platform with a mandate, and the necessary resources to promote eHealth interoperability based on standards and to facilitate co-operation between Member States.
This eHealth interoperability platform should:
• establish a Europe-wide view on the requirements for standardisation and its implementation in specific domains, in collaboration with standards organisations, based on input from relevant stakeholders communities;
• encourage and promote an environment for detailed specifications testing, evaluation or certification, to achieve interoperability of systems based on standards;
• establish a means for tracking and promoting good practice, and foster pilot implementations in compliance with the aforementioned environment;
• encourage agreements across national borders and between professional groups;
• encourage the further development of an appropriate European legal and regulatory framework;
• promote the establishment of infrastructure services such as for the creation and maintenance of terminology systems and knowledge repositories.
World eID Forum
Participants
• Vision (everyone who shares the vision)
• Interoperability charter (and signs the IOP charter)
• Relevant stakeholders (eGovernment representatives)
• Mandate (is this realistic?)
Organisation
• New organisation? (preferable not, but how to organise?)
• No legal entity
• Chair and secretariat
• No permanent staff
Activity plan
World eID Forum
Activity plan
• Contributing to the legal issue of World wide interoperable eID
• Setting joint requirements for interoperable World wide eID
• Information exchange between participants on eID deployment
• Set-up, maintenance and exploitation of an eID-body of knowledge
• Exploiting an interoperability demonstrating and test environment, including Open Source solutions
• Issuance of eID interoperability compliance certificates
• Development of an eID Implementation and Guidance document offering
- best practice information
- choices in standards and preferred options in standards (PKCS #11 interface, PKCS #15 profile, harmonised Human Interface etc)
- exploitation models
- study into basic eID versus role based ID
- study in International validation services etc ……….
World eID Forum
Support and funding mechanisms
Option 1: Virtual, non funded organisation, embedded/part of other organisation, like Porvoo, GCF, Modinis project, Guide project
Option 2: Separate body with participation fee from participants
Option 3: CEN/ISSS Workshop for 2 year period (meaning small participation fee)
Option 4: EU funded IST/IP project
Other options?
Questions for discussion ….
1. Is there a common understanding of the need?
2. Do we support the idea of a joint approach?
3. If yes, how to organise such an activity, in what context, and do we need more mandate?
4. What activities would we like to carry out?
5. ………….