
FedICT eID Roadmap 2010

Frank Cornelis 03/03/2010

Fedict 2010. All rights reserved

eID in Belgium

eID cards issued (16/01/2010):
- 8.220.456 citizen eID cards (full deployment)
- 511.774 foreigner eID cards
- 186.011 kids eID cards

Technology:
- RSA 1024 smart card
- Qualified Certificates (QC) with 5 year validity

Involved major governmental organizations:
- FedICT (Federal ICT): PKI, client software, SOA solutions
- National Registry: user database, card issuing

eID Card Current Usability Status

- Main eID feature: secure, remote authentication
- Main usage of eID: client-server environments
- Primary client-server environment: the web browser
- The Middleware (MW) targets eID on the desktop
- The MW SDK comes with a sample eID Applet
- Mutual SSL (TLS client-certificate authentication) has some usability issues
- We want more eID enablers: developers, developers, developers

eID Roadmap Strategy

- Position eID as a Service
- Focus less on the basic infrastructure (PKI)
- Move towards solutions that improve usability
- Explicitly target the web browser environment

Deliverables:
- Software building blocks: products
- SOA building blocks: web services

Target audience:
- Developers: easy-to-use software building blocks
- Architects: SOA integration via web services
- Other Federal Departments: SLA contracts

eID Project Lifecycle and eID Team

Lifecycle stages (diagram): Product (OSS), Supported product, Service, Supported Service

Team:
- Sponsor: Peter Strickx
- Artifact PM: Bert Beyl
- Architect: Frank Cornelis
- Service Manager: Sam Van Den Eynde

Operational eID Projects

eID PKI infrastructure:
- CRL: signed list of revoked certificates
- OCSP: online certificate status service
- TSP: time-stamping service

eID Middleware:
- eID Content Viewer
- Crypto modules:
  - PKCS#11: Windows, Mac OS X, Linux
  - CSP: Windows
  - tokend: Mac OS X
- SDK: identification + MW Applet
- OSS: http://code.google.com/p/eid-mw/

Operational eID Projects (cont'd)

eID Applet, aka browser eID Middleware:
- Java 6 web browser eID component
- Identification, authentication, signatures via eID
- OSS: http://code.google.com/p/eid-applet/

eID Test Environment:
- Uses a software PC/SC proxy
- Emulates different eID profiles via the proxy
- Online test PKI: https://env.dev.eid.belgium.be/

eID Minidriver:
- Targets Windows 7

New eID Applet Features

Exposes all eID functionality:
- eID Identification (who are you?)
- eID Authentication (is it really you?)
- eID Signatures (did you once claim this?)
- eID Administration (PIN change, PIN unblock)

- Platforms: Windows, Mac OS X, Linux
- Browsers: Firefox, MS IE, Safari, Chrome
- Secure (CCID) & interactive eID card handling
- Browser client-runtime management:
  - Auto-installation of the required JRE
  - No need for installed eID Middleware

Demo

- eID Middleware
- eID Applet Identification
- eID Applet Authentication

eID Architecture Overview

(Architecture diagram; the components shown, from card to services:)
- Card and reader: eID (PKCS#15, PKCS#1, ID), CCID reader, pinpad, PC/SC
- Crypto modules: PKCS#11, CSP, minidriver, tokend
- Browser: eID Applet, SSL
- PKI: CA, CRL, OCSP, TSA, TSP, NTP, TSL
- Identification / authentication / signatures: IdP (SAML, WS-Trust, InfoCard, OpenID), IAM, XKMS trust, DSS
- Signature and document formats: PDF, ODF, OOXML, PKCS#7, XMLDSig, XAdES
- NR

eID Projects in execution

Trust List:
- List of all QC issuing CAs per EU Member State
- Cross-border signature validation by applications
- http://tsl.belgium.be
- OSS: http://code.google.com/p/eid-tsl/

eID Trust Service:
- Certificate validation via XKMS2 SOAP web service
- Improves the QoS related to PKI validation
- Ready for Trust List integration & XAdES
- OSS: http://code.google.com/p/eid-trust-service/
- Initially available as an OSS product
- eID Trust Service as a real service during phase 2

Demo: eID Trust Service

eID Projects in execution (cont'd)

eID Quick-Key Toolset:
- Behaves like a production eID smart card
- Scope is pure technology delivery
- Not to be positioned against the federal token:
  - Application-specific trust model (out of scope)
  - Application-specific distribution model (out of scope)
- Deliverables:
  - eID Quick-Key Manager (Java 6 desktop)
  - Manual targeting different blank smart cards
- Can be used as:
  - Temporary solution in case of unavailability
  - eID R&D platform for development of future eID

Visible eID Projects in the pipeline

eID Identity Provider:
- eID is the only token supported
- Uses the eID Applet, eID Trust Service
- Tunneled entity-authentication
- SAML2 based IdP protocol
- Generic IdP protocol layer with OpenSSO integration
- Is not a complete IAM solution! Attributes and other tokens are out of scope!
- Could be used by IAM for eID token support

eID Digital Signature Service:
- Integration with web applications is the primary goal
- Uses the eID Applet, eID Trust Service, TSL
- XAdES-X-L according to the Service Directive


New Approach on Signatures

- Pragmatic: based on eID Applet technology
- XML Signatures:
  - ODF 1.2 Signatures (OpenOffice.org)
  - Office OpenXML Signatures (Office 2007)
  - XAdES v1.3.2 X-L
- eID citizen information: full name, date of birth, address, photo
- Signature extension framework
- Signature Service based on OASIS DSS

PDF versus XML Signatures

Points of comparison:
- Human-readable signature argumentation
- Open standard
- Adobe-specific signature extensions
- PAdES versus XAdES
- Domain-specific document format
- Processability
- Service Directive shifts towards XAdES
- Service versus desktop: sign, verification

eID Applet Signature Architecture

(Diagram) Client side: Browser -> eID Applet -> eID card, which returns a PKCS1-RSA signature.
Server side: eID Applet Service -> Signature SPI -> one of:
- XML Signature Service (XAdES)
- ODF Signature Service (OpenOffice)
- OOXML Signature Service (Office 2007)
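The client/server split this architecture describes (and the "eID Signatures" feature of the new applet), as an added Python example that is not code from the eID Applet, eID DSS or eID Middleware projects: the server-side signature service computes the digest to be signed, the applet hands only that digest to the card, the card returns a raw PKCS#1 v1.5 RSA signature, and the server verifies it against the card's public key before embedding it. The RSA key pair is a freshly generated toy key standing in for the card's signature key (eID private keys never leave the card), card_sign() is an assumed stand-in for the PC/SC + PKCS#15 path, and the sample document is constructed for the example; for XMLDSig the digested data would be the canonicalized SignedInfo rather than the raw document bytes.

```python
"""Toy model of the eID Applet signature split (added example, not project code)."""
import base64
import hashlib
import random

# DER DigestInfo prefix for SHA-256 (RFC 8017, section 9.2, note 1).
_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin with a small-prime sieve; adequate for a demo key."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_toy_key(bits: int = 1024, seed: int = 2010):
    """Deterministic toy RSA key (e = 65537), sized like the card's RSA-1024.
    Returns (n, e, d). Assumption: stands in for the eID signature key."""
    rng = random.Random(seed)
    e = 65537
    primes = []
    while len(primes) < 2:
        cand = rng.getrandbits(bits // 2) | (1 << (bits // 2 - 1)) | 1
        if cand not in primes and (cand - 1) % e and _is_probable_prime(cand, rng):
            primes.append(cand)
    p, q = primes
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))


def _emsa_pkcs1_v15(digest: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of a SHA-256 digest for a k-byte modulus."""
    t = _SHA256_DIGESTINFO + digest
    if k < len(t) + 11:
        raise ValueError("modulus too small for PKCS#1 v1.5 padding")
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def server_prepare(document: bytes) -> bytes:
    """Step 1 (server, Signature SPI): compute the digest the card must sign."""
    return hashlib.sha256(document).digest()


def card_sign(digest: bytes, priv) -> bytes:
    """Step 2 (applet -> card, stand-in for PC/SC + PKCS#15): raw PKCS#1 v1.5
    signature over the digest. The card sees the 32-byte digest, never the document."""
    n, _e, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(_emsa_pkcs1_v15(digest, k), d, n).to_bytes(k, "big")


def verify_pkcs1_v15(digest: bytes, signature: bytes, pub) -> bool:
    """RSASSA-PKCS1-v1_5 verification with the card's public key."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    return pow(s, e, n) == _emsa_pkcs1_v15(digest, k)


def server_finish(document: bytes, signature: bytes, pub) -> str:
    """Step 3 (server, XML/ODF/OOXML Signature Service): re-derive the digest
    from the document the server holds and verify before embedding, so a
    signature over anything but the server's own digest is rejected.
    Returns the base64 SignatureValue to embed."""
    if not verify_pkcs1_v15(server_prepare(document), signature, pub):
        raise ValueError("signature does not match the document; not embedded")
    return base64.b64encode(signature).decode("ascii")


if __name__ == "__main__":
    n, e, d = generate_toy_key()
    doc = b"<Invoice><Total>42.00</Total></Invoice>"  # constructed sample document
    sig = card_sign(server_prepare(doc), (n, e, d))
    print("SignatureValue:", server_finish(doc, sig, (n, e))[:32], "...")
```

The point of the three-step split is that the server, not the client, decides what gets signed: server_finish() recomputes the digest from its own copy of the document, so a browser that returns a signature over some other digest gets no SignatureValue embedded.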

Demo

- eID Applet ODF Signature
- eID Applet OOXML Signature
- eID DSS (XMLDSig & XAdES-BES)

Thank you

Fedict
Maria-Theresiastraat 1/3 Rue Marie-Thérèse
Brussel 1000 Bruxelles
TEL. +32 2 212 96 00 | FAX +32 2 212 96 99
info@fedict.belgium.be | www.fedict.belgium.be