You are on page 1of 29

Achieving mutual recognition and

interoperability of eID
for eGovernment services in the EU

John Stienen
EUROPEAN COMMISSION
DIRECTORATE-GENERAL FOR INFORMATICS
European eGovernment Services (IDABC)

09/04/2008

Outline
The policy context
ICT Policy Support Programme Pilots
IDABC study on eSignatures
IDABC study on eID
2

09/04/2008

Outline
The policy context
ICT Policy Support Programme Pilots
IDABC study on eSignatures
IDABC study on eID
3

09/04/2008

The policy context


Manchester Ministerial Declaration Electronic
Identity Management
eIDM: By 2010: Secure means of electronic
identification recognised across the EU
eDoc: By 2010: Framework for the use of authenticated
electronic documents across the EU
Single Market Review Action Plan
i2010 eGovernment Action Plan
4

09/04/2008

Manchester Ministerial
Declaration, 24 November 2005
No citizen left behind inclusion by design
By 2010 all citizens become major beneficiaries
By 2010 innovative ICT, trust, awareness, skills for inclusion

ICT for efficient and effective government


By 2010 high user satisfaction
By 2010 adm. burden reduction, efficiency, transparency,
accountability

Delivering high impact services


By 2010 100% e-procurement available, 50% take-up
By 2010 deliver other high impact services for growth and jobs

Trusted access by means of eIDM across the EU


By 2010 interoperable eIDM for public services across the EU
By 2010 electronic document recognition framework

09/04/2008

i2010 eGovernment Action Plan :


interoperable eIDM as key enabler
2006: Roadmap setting measurable objectives and
milestones for a European eIDM framework by 2010 based
on interoperability and mutual recognition of national eIDM
(adopted on 25 April 2006).
2007: Agree common specifications for interoperable eIDM in
the EU.
2008: Large scale pilots of interoperable eIDMs in crossborder services and implementing commonly agreed
specifications.
2009: eSignatures in eGovernment: Undertake review of
take-up in public services.
2010: Review the uptake by the Member States of the
European eIDM framework for interoperable eIDMs.

09/04/2008

Single Market Review


COM(2007) 724 final
ICT is essential for the good functioning of the "e-Internal Market",
creating interoperable services such as e-invoicing, e-procurement and
e-customs. With the rapid development of these technologies, there is
the risk that Member States opt for different or incompatible solutions,
and that new "e-barriers" would emerge for the end users. The
Member States and the Commission, working together, need to
redouble their efforts to avoid market fragmentation and promote
commonly agreed ICT solutions.
Building on on-going work in the field of e-government, the
Commission will present in 2008 a specific Action Plan to further
promote the implementation of mutually recognised and interoperable
electronic signatures and e-authentication (electronic identity) between
the Member States, thereby facilitating the provision of cross-border
public services.

A road map for a pan-European


eIDM framework by 2010

09/04/2008

Outline
The policy context
ICT Policy Support Programme Pilots
IDABC study on eSignatures
IDABC study on eID
9

09/04/2008

eGovernment Objectives
ICTPSP Call 2007 Overview

Pilots
Pilots
Type
Type BB

Towards
Towardspan-European
pan-Europeanrecognition
recognitionof
ofe-IDs
e-IDs
Mutual
Mutualrecognition
recognition&&interoperability
interoperabilityof
of
electronic
documents
electronic documents
Accessible
Accessible&&inclusive
inclusiveeGovernment
eGovernmentservices
services
Combined
Combineddelivery
deliveryof
ofsocial
socialservices
services
Promoting
Promotinglocal
localand
andregional
regionaleParticipation
eParticipation

Themati
Themati
cc
Network
Network
ss

10

Stimulating
Stimulatingmeasurement
measurementof
ofimpact
impactand
anduser
user
satisfaction
satisfaction
Brokering
Brokeringpan-European
pan-EuropeaneGovernment
eGovernmentsolutions
solutions
and
services
online
and services online

09/04/2008

Budget allocation: 24 M

Pilots
Pilots
Type
Type AA

Enabling
EnablingEU-wide
EU-widepublic
publiceProcurement
eProcurement

ICTPSP Pilots type A


Pilots areas defined by Member States in the context of agreed political
declarations (e.g Manchester declaration)
eGovernment call 2007 two (2) Large Scale Pilots focused on
Interoperability, with direct involvement and leadership of Member States:
EU-wide
EU-widepublic
public

eProcurement
eProcurement

Pan-European
Pan-European
recognition
recognitionof
ofeIDs
eIDs

Implementation
Implementation of
of an
an integrated
integrated EUEUwide
electronic
public
procurement
wide electronic public procurement
solution
solution

Implementation
Implementation of
of an
an EU
EU wide
wide
interoperable
system
for
recognition
interoperable system for recognition of
of
eID
and
authentication
eID and authentication

enabling
enabling companies,
companies, in
in particular
particular
SMEs,
from
one
state
to
respond
SMEs, from one state to respondto
topublic
public
procurements
in
any
other
state.
procurements in any other state.

enabling
enabling businesses,
businesses,citizens
citizens to
touse
usetheir
their
national
electronic
identities
in
national electronic identities in any
any
Member
State
Member State

11

09/04/2008

Outline
The policy context
ICT Policy Support Programme Pilots
IDABC study on eSignatures
IDABC study on eID
12

09/04/2008

IDABC Programme
Objectives

Identifying, supporting and promoting the development and


establishment of eGovernment services

Target groups

Administrations, Business and Citizens

History

Experience since 1995, IDABC is a follow-up to IDA and IDA II


Programmes

Duration

5 years (2005-2009)

Global budget

148.7 million EUR


Actions are Commission-driven and implemented via public
procurement

Managed by

13

Directorate-General for Informatics

09/04/2008

IDABC Programme
Key elements of IDABC Work Programme :
Projects of Common Interest (PCI): support (budget and
guidance) within the Commission services to sectoral
projects that have legal base from an existing Community
legislation (e.g. PLOTEUS, IMI, LISFLOOD, SANREF,
TRACES)
Horizontal Measures (HM): designed to support sectoral
projects and eGovernment services generally by providing
basic infrastructure (network, CIRCABC, PKI), security
measures (eID, eSignatures), interoperability measures
(European Interoperability Framework, XML Clearing
house), spread of good practise (OSS repository, eGov
observatory)

14

09/04/2008

IDABC Preliminary study on mutual


recognition of eSignatures
Analyses the requirements in terms of interoperability of
electronic signatures for different eGovernment
applications, and to provide recommendations on how to
improve interoperability
Provides an overview of applications per Member State
concentrating on:
the type of electronic signature legally required
the applicable technical restrictions
Makes a proposal on how to disseminate the results, e.g.
through a mutual information mechanism on electronic
signature requirements.
Studied 127 eGovernment applications described in details
in 29 country profiles (27 MS + 2 CC)
15

09/04/2008

eSignatures:
Analysis, identified issues (1)
127 eGovernment applications processed:
90 using eSignatures
37 using electronic certificates as authentication means
Main sectors referenced:
eTaxes: 29 applications, One-stop shop portal: 12 applications
eProcurement: 11 applications
eHealth: 4, eJustice: 3, Social Security: 3,
Regulations tend to remain technology neutral
Administrations have large autonomy in choosing the right solution
for their applications
Cross border interoperability is not considered to be a priority
Mutual recognition: application owners presently have no way of
determining which signature solution providers meet the security and
reliability requirements of their applications.

16

09/04/2008

eSignatures:
Analysis, identified issues (2)
Qualified
signature
Austria
Belgium
Ireland
Italy
Latvia
Portugal
Slovakia
Spain
Sweden
Germany
Estonia

17

Qualified
certificate
Bulgaria
Croatia
Czech Republic
Slovenia
Finland
France
Turkey
Greece
Hungary
Malta
The Netherlands
Romania

Advanced
signature
Denmark
Hungary
Luxembourg
Malta
Poland
Portugal
Slovakia

Simple
Authentication
signature
Ireland
Cyprus
United Kingdom
Finland
Ireland
Lithuania
Luxembourg
Malta
The Netherlands
Portugal
United Kingdom

09/04/2008

eSignatures:
Conclusions
Dissemination of available information on national
practices should be improved
There is a link and sometimes confusion between the
concepts and implementation of authentication and
electronic signatures
The trend is toward PKI solutions, hence this is where
initiatives should focus
A federated validation solution is needed to permit the
validation and the establishment of trust for foreign
signatures. Member States opinions on EU involvement
and the role of the private sector should be sought
18

09/04/2008

eSignatures:
List of supervised CSPs

19

09/04/2008

eSignatures:
Federated Validation

20

09/04/2008

Outline
The policy context
ICT Policy Support Programme Pilots
IDABC study on eSignatures
IDABC study on eID
21

09/04/2008

IDABC
eID Interoperability for PEGS
Based on existing actions at the EU level (e.g. Modinis Study on ID
Management in eGovernment (DG INFSO), IST projects GUIDE,
FIDIS and PRIME (DG INFSO), work by the Porvoo Group, etc),
a strategy for eID Interoperability shall be elaborated that includes
as a minimum :
a survey and comparison of the national eID legal instruments for the
27 MS + 2 CC + 3 EEA;
a survey and description of the national technical solutions
implemented in each of the 27 + 2 + 3 Countries for the national eID.
a market assessment of the ID Management technical solutions; in
particular a high-level description of the concept of federated identities
and its applicability for interoperability of eIDs shall be produced;
a proposal and an impact assessment of a multi-level authentication
mechanism;
Common specifications for interoperable eID solutions shall be drafted
based on the results of the elaborated strategy for eID interoperability

22

09/04/2008

eID:
Identity resources
27 issue identity cards (84%); 7 are currently deploying eID
cards to the public; 14 more are in the process of designing
eID cards for future roll-out
Apart from smart cards, in 12 countries out of 32 (37.5%) the
use of non-card tokens was reported; predominantly soft PKI
certificates
All countries use general identifiers in some form; specific
legal protection of such identifiers was reported in 20 of the
32 surveyed countries (62.5%)
Formal acceptance of an authentic source principle was
uncommon, being reported in only 5 countries out of 32
(16%). A further 9 countries (28%) had informally adopted
the principle, with another 3 (10%) planning to do so

23

09/04/2008

eID:
Authentication
A total of 14 countries out of 32 (44%) reported using
public sector controlled PKI systems, with a total of 16
systems being reported. Of these 16 systems, 10 were
open to private sector use (62.5%).16 countries out of 32
(50%) reported using public/private sector controlled PKI
systems.
75% of countries use PKI as a key authentication strategy
Username/password systems also remain very popular. In
total, 20 countries out of 32 (62.5%) have reported using
login systems as a key component of their eIDM strategy,
with 27 systems in total being reported. Of the reported
login systems, 17 were simple username/password
systems; 8 required a challenge/response system; and 2
required password calculators.
24

09/04/2008

eID:
Mandates/roles
27 countries out of 32 (84%) have no form of mandate
management, apart from the static allocation of certificates
or credentials to the representatives of a specific legal entity
4 countries out of 32 (12.5%) have implemented an ad hoc
form of mandate management covering specific
applications or service types, most typically by allowing the
designation of an authorised representative in an
administration specific database
Only Austria has created a generic system of mandate
management, relying on the central source PIN Register
Authority

25

eID:
Multilevel authentication
15 out of 32 countries (47%) allow some form of multilevel
authentication structure to be derived; but only in 4 of these
countries can a formal authentication policy be identified
From a practical perspective, in most of these countries the
acceptance (formal or informal) of an authentication policy
has had a limited impact on the use of the applications
The practical impact of authentication policies has been
very limited thus far

26

09/04/2008

eID:
Legal/policy analysis
The received responses confirmed the expectation that no
specific legal framework with regard to entity authentication
exists in any of the 32 surveyed countries
While a legal framework has often been created with regard
to electronic identity cards (specifically which information
they contain and what form they should take), the question
of which elements legally constitute an entitys identity has
not been explicitly regulated in any of the countries; nor has
any of the countries implemented a generic legal
framework detailing on what authentication is, and at which
point authentication requirements have been met

27

09/04/2008

eID:
Technical/infrastructure analysis
No common specification exists for tokens and application
middleware. Hardware tokens were not specified in 19
countries out of 32 (59.5%) and middleware applications
were not specified in 20 countries out of 32 (62.5%)
28 countries out of 32 (87.5%) are either using or planning to
use some sort of certificate based identities
22 countries out of 32 (68%) have implemented some level
of certificate based authentications to their eGovernment
services; 7 of the surveyed countries did not have any
specific eGovernment applications to present
23 countries out of 32 (72%) did not report a systematic
preference for industrial standards; with only SAML being
reported with any regularity (7 out of the 32 (22%))

28

09/04/2008

More information
The IDABC Programme: http://ec.europa.eu/idabc
e-mail: idabc@ec.europa.eu
CIP Programme: http://ec.europa.eu/cip
ICT Policy Support Programme: http://
europa.eu/ict_psp

29

09/04/2008