
FedICT eID Roadmap 2010

Frank Cornelis 03/03/2010

© Fedict 2010. All rights reserved

Slide 2: eID in Belgium

- eID cards issued (16/01/2010):
  – 8.774.456 citizen eID cards (full deployment)
  – 511.186 foreigner eID cards
  – 220.011 kids eID cards
- Technology:
  – RSA 1024 smart card
  – QC with 5 year validity
  – client software
- Involved major governmental organizations:
  – FedICT: Federal ICT – PKI, SOA solutions
  – National Registry – user database, card issuing

Slide 3: eID Card Current Usability Status

- Main eID feature: secure, remote authentication
- Main usage of eID: client-server environments
- Primary client-server environment: web browser
- Middleware (MW) targets “eID on the desktop”
- MW SDK comes with “sample” eID Applet
- Mutual SSL has some usability issues
- We want more eID enablers: developers, developers, developers

Slide 4: eID Roadmap Strategy

- Position eID as a Service
- Focus less on the basic infrastructure (PKI)
- Move towards solutions to improve usability
- Explicitly target the web browser environment
- Deliverables:
  – Software building blocks: products
  – SOA building blocks: web services
- Target audience:
  – Developers: easy to use software building blocks
  – Architects: SOA integration via web services
  – Other Federal Departments: SLA contracts

Slide 5: eID Project Lifecycle and eID Team

- Lifecycle stages (from the diagram): Artifact, Supported product, Product, OSS, Service, Supported Service
- eID Team:
  – Sponsor: Peter Strickx
  – PM: Bert Beyl
  – Architect: Frank Cornelis
  – Service Manager: Sam Van Den Eynde

Slide 6: Operational eID Projects

- eID PKI infrastructure:
  – CRL: signed list with revoked certificates
  – OCSP: online certificate status service
  – TSP: time-stamping service
- eID Content Viewer
- eID Middleware:
  – Crypto modules: PKCS#11 (Windows, Mac OS X, Linux), CSP (Windows), tokend (Mac OS X)
  – SDK: identification + MW Applet
  – OSS: http://code.google.com/p/eid-mw/
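The slide names the CRL as the signed list a relying party consults before trusting a card certificate. The following is an added example, not Fedict code and not taken from the eID Middleware, showing the checks such a relying party has to perform on a CRL: that it is signed by the issuing CA, that it is current, that it was issued by the certificate's issuer, and only then whether the serial number is listed. It is written in Go against the standard library rather than in the Java 6 of the eID Applet; the CA, the two citizen certificates and the CRL are constructed inside the program (the names and serial numbers are made up), and the 2048-bit keys stand in for the RSA 1024 keys the slide mentions for the card.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// DemoPKI is a constructed stand-in for the eID PKI: one CA, one good and
// one revoked end-entity certificate, and a CRL signed by the CA.
type DemoPKI struct {
	CACert, GoodCert, RevokedCert *x509.Certificate
	CRLDER                        []byte
}

// must panics on error; acceptable for building a demo fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl under parent with signer and parses the result back.
func issue(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildDemoPKI creates the constructed hierarchy (all values are made up).
func BuildDemoPKI() *DemoPKI {
	now := time.Now()
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Demo Citizen CA (constructed)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign, // CRLSign needed to issue CRLs
	}
	caCert := must(issue(caTmpl, caTmpl, &caKey.PublicKey, caKey))
	var ee [2]*x509.Certificate
	for i, cn := range []string{"Demo Citizen A (good)", "Demo Citizen B (revoked)"} {
		key := must(rsa.GenerateKey(rand.Reader, 2048))
		ee[i] = must(issue(&x509.Certificate{
			SerialNumber: big.NewInt(int64(1001 + i)),
			Subject:      pkix.Name{CommonName: cn},
			NotBefore:    now.Add(-time.Hour),
			NotAfter:     now.AddDate(5, 0, 0), // five-year validity, as the slide states for the QC
			KeyUsage:     x509.KeyUsageDigitalSignature,
		}, caCert, &key.PublicKey, caKey))
	}
	// The CRL lists only the second certificate's serial number.
	crlTmpl := &x509.RevocationList{
		Number:              big.NewInt(1),
		ThisUpdate:          now.Add(-time.Minute),
		NextUpdate:          now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: ee[1].SerialNumber, RevocationTime: now.Add(-time.Minute)}},
	}
	crlDER := must(x509.CreateRevocationList(rand.Reader, crlTmpl, caCert, caKey))
	return &DemoPKI{CACert: caCert, GoodCert: ee[0], RevokedCert: ee[1], CRLDER: crlDER}
}

// ValidateCertificate performs the relying-party checks in order: chain to the
// trusted CA, CRL signature, CRL freshness, issuer match, serial lookup.
// It returns "good" or "revoked"; a failed check is an error, never "good".
func ValidateCertificate(cert, caCert *x509.Certificate, crlDER []byte, at time.Time) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return "", fmt.Errorf("CRL parse failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(caCert); err != nil { // an unsigned or tampered list proves nothing
		return "", fmt.Errorf("CRL signature check failed: %w", err)
	}
	if at.Before(crl.ThisUpdate) || at.After(crl.NextUpdate) { // a stale list may miss recent revocations
		return "", fmt.Errorf("CRL not current at %s (valid %s to %s)", at, crl.ThisUpdate, crl.NextUpdate)
	}
	if crl.Issuer.String() != cert.Issuer.String() { // a CRL from another CA says nothing about this serial
		return "", fmt.Errorf("CRL issuer %q does not match certificate issuer %q", crl.Issuer, cert.Issuer)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return "revoked", nil
		}
	}
	return "good", nil
}
```

The serial lookup is deliberately the last step: a CRL whose signature, validity window or issuer does not check out is rejected outright instead of being read as "not listed, therefore good". OCSP, the second item on the slide, answers the same question per certificate online and is checked the same way (response signature, validity window, matching issuer) before its status is believed.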

Slide 7: Operational eID Projects (cont'd)

- eID Applet: aka browser eID Middleware
  – Java 6 Web Browser eID component
  – Identification, authentication, signatures via eID
  – OSS: http://code.google.com/p/eid-applet/
- eID Test Environment:
  – Uses a software PC/SC proxy
  – Emulates different eID profiles via the proxy
  – Online test PKI: https://env.eid… (rest of the URL lost in the extraction)
- eID Minidriver: targets Windows 7

Slide 8: New eID Applet Features

- Exposes all eID functionality:
  – eID Identification (who are you?)
  – eID Authentication (is it really you?)
  – eID Signatures (did you once claim this?)
  – eID Administration (PIN change, PIN unblock)
- Platforms: Windows, Mac OS X, Linux
- Browsers: Firefox, MS IE, Safari, Chrome
- Secure (CCID) & interactive eID card handling
- Browser client-runtime management:
  – Auto-installation of required JRE
  – No need for installed eID Middleware

Slide 9: Demo

- eID Middleware
- eID Applet Identification
- eID Applet Authentication

Slide 10: eID Architecture Overview

Layered diagram (only its labels survive; the layout is lost). Pillars: authentication, signatures, identification, trust. Components named: IdP, SAML, IAM, WS-Trust, InfoCard, OpenID, eID IdP, XKMS, DSS, PKI, SSL, eID Applet, tokend, pinpad, PC/SC, CCID reader, eID, PKCS#15, PKCS#1, ID, CSP, minidriver, PKCS#11, OCSP, CRL, CA, PDF, ODF, NR, OOXML, PKCS#7, XMLDSig, XAdES, TSL, TSP, TSA, NTP.

Slide 11: eID Projects in execution

- Trust List:
  – List of all QC issuing CA's per EU Member State
  – Cross-border signature validation by applications
  – http://tsl.belgium.be
  – OSS: http://code.google.com/p/eid-tsl/
- eID Trust Service:
  – Certificate validation via XKMS2 SOAP web service
  – Improves the QoS related to PKI validation
  – Ready for Trust List integration & XAdES
  – OSS: http://code.google.com/p/eid-trust-service/
  – Initially available as an OSS product
  – eID Trust Service as a real service during phase 2

Slide 12: Demo

- eID Trust Service

Slide 13: eID Projects in execution (cont'd)

- eID Quick-Key Toolset:
  – Behaves like a production eID smart card
  – Scope is “pure technology delivery”
  – Not to be positioned against the federal token:
    – Application specific trust model (out of scope)
    – Application specific distribution model (out of scope)
  – Deliverables:
    – eID Quick-Key Manager (Java 6 Desktop)
    – Manual targeting different blank smart cards
  – Can be used as:
    – Temporary solution in case of eID unavailability
    – R&D platform for development of future eID

Slide 14: Visible eID Projects in the pipeline

- eID Identity Provider:
  – eID is the only token supported
  – Uses the eID Applet, eID Trust Service
  – Tunneled entity-authentication
  – SAML2 based IdP protocol
  – Generic IdP protocol layer with OpenSSO integration
  – Is not a complete IAM solution!
    – Attributes and other tokens are out of scope!
  – Could be used by IAM for eID token support
  – Integration with web applications is primary goal
- eID Digital Signature Service:
  – Uses the eID Applet, eID Trust Service, TSL
  – XAdES-X-L according to the Service Directive

Slide 15: New Approach on Signatures

- Pragmatic: based on eID Applet technology
- XML Signatures:
  – ODF 1.2 Signatures (OpenOffice.org)
  – Office OpenXML Signatures (Office 2007)
  – XAdES v1.3.2 X-L
- Signature extension framework:
  – eID citizen information – Full name, date of birth
  – Address
  – Photo
- Signature Service based on OASIS DSS

Slide 16: PDF versus XML Signatures

- Human-readable signature argumentation
- Open standard
- Adobe specific signature extensions
- PAdES versus XAdES
- Domain specific document format
- Processability
- Service Directive shifts towards XAdES
- Service versus Desktop Sign Verification

Slide 17: eID Applet Signature Architecture

Diagram (labels only):
- Client: Browser, eID Applet, eID (PKCS1-RSA)
- Server: eID Applet Service, Signature SPI, XML Signature Service, ODF Signature Service (OpenOffice), OOXML Signature Service (Office 2007), XAdES

Slide 18: Demo

- eID Applet ODF Signature
- eID Applet OOXML Signature
- eID DSS (XMLDSig & XAdES-BES)

Slide 19: Thank you

Fedict
Maria-Theresiastraat 1/3 Rue Marie-Thérèse
Brussel 1000 Bruxelles
TEL. +32 2 212 96 00 | FAX +32 2 212 96 99
info@fedict.belgium.be | www.fedict.belgium.be