This section focuses on the Public Key Infrastructures (PKIs) that act as the identity providers in the PKI-based authentication systems described above. On the PKI side the focus is on certificate policies, which have to be commonly agreed among the participating countries, and on the revocation method used in each surveyed country. A pan-European gateway has to be trusted, and that trust can only be established when the trust chains are known and full knowledge of the current trust status of the certificates in them (including their revocation status) is available.
Specifically, the overview reports:
• The name of the country.
• The Description column gives the name or nature of the system.
• The Certificate/PKI details column describes which types of certificates are provided.
• The Directory/validation column describes how the certificate life cycle is managed (revocation and publication of revocation information).
Columns: Country; Description; Certificate/PKI details; Directory/validation details.

Austria
Description: The Main Association of Social Insurance Organisations (public-sector CA for citizen cards).
Certificate/PKI details: Two key pairs: one for the qualified signature, used for authentication, and a second key pair for electronic signatures or encryption (192-bit elliptic curve cryptography, ECDSA, for both key pairs). The current insurance PKI platform is gradually being replaced; a new health insurance card supporting 256-bit ECDSA will be rolled out from the beginning of 2010 (A-Trust).
Directory/validation: Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP).

Austria
Description: The A-Trust PKI system (qualified private-sector CA for citizen cards).
Certificate/PKI details: Two key pairs: one for the qualified signature, used for authentication, and a second key pair for electronic signatures or encryption (192-bit ECDSA for the qualified signature and 1536-bit RSA for the second key pair). Additionally, issuance of the next generation of bank cards supporting 256-bit ECDSA starts in 2009.
Directory/validation: Certificate Revocation Lists (CRL) and the Online Certificate Status Protocol (OCSP).

Belgium
Description: National ID card.
Certificate/PKI details: Two certificates: one for authentication and one for electronic signatures, with only the latter being considered as [...]

Bulgaria
Description: Private certification authorities.
Certificate/PKI details: The list of CSPs issuing certificates for electronic signatures applicable to eGovernment applications is available on the Communications Regulation Commission website [88].
Directory/validation: Certificate Revocation Lists (CRLs) are used.
Footnote 88: See http://crc.bg/section.php?id=182&lang=bg

Bulgaria
Description: Public; Integrated Environment for Exchange of Electronic Documents (IEEED).
Certificate/PKI details: IEEED will be PKI based and will use a single-CA model. The CA will be part of a hierarchy. The PKI will not be linked to other PKI infrastructures through a Bridge-CA network. IEEED users will use UES for signing the exchanged statements and documents.
Directory/validation: Not specified.

Croatia
Description: Private; the FINA E-CARD. FINA offers the service of certifying and issuing digital certificates to both retail and corporate clients.
Certificate/PKI details: FINA presently provides three types of digital certificates: signature certificates, authentication certificates and encryption certificates.

Czech Republic
Description: Private certification authorities.
Certificate/PKI details: Not specified.

Denmark
Description: OCES certificates.
Certificate/PKI details: In the OCES framework there is only one level in the hierarchy, because the root key of the OCES-CA signs all certificates. The OCES CA has passed a WebTrust audit and its root certificate has therefore been included in both Microsoft's and Mozilla's stores of trusted authorities. OCES certificates comply with ETSI TS 101 862, X.509v3 and RFC 3280 (Internet X.509 Public Key Infrastructure Certificate and CRL Profile, April 2002). OCES digital signatures are software-based digital signatures; they can also be obtained on hardware (such as an eToken or a smart card). Whatever the medium, the certificate refers to the same certificate policy.

Estonia
Description: National ID card.
Certificate/PKI details: The Estonian ID card uses a single-CA model. However, the CA certificates used for ID-card certification change over time, so there are currently two CA certificates (ESTEID-SK and ESTEID-SK 2007) in use.
Footnote 89: The Personal Identification Code (PIC) is a unique number assigned to every Estonian citizen and resident.

Finland (country name missing from the extracted table; inferred from the VRK references)
Certificate/PKI details: Two CA certificates (the VRK Root CA and the VRK CA certificate) and two user certificates (authentication and non-repudiation); the certificates are protected by different PIN codes. A statement has been made that the certificate carrier will be changed from smart cards to another, more flexible medium (e.g. USB tokens).

France (country name missing from the extracted table; inferred from the COFRAC and PRIS references)
Certificate/PKI details: [...] set up a CA hierarchy with a general accreditation body (COFRAC, Comité français d'accréditation). This body accredits the certification authorities that qualify trust service providers according to the requirements stated in the PRIS. Usually sector-specific settings. Three levels of trust are in use: Middle, Strong and Strengthened.
Directory/validation: Sector specific.

Germany
Description: Public; Electronic Health Card (eGK), Electronic ID card (ePA).
Certificate/PKI details: No available specifications.

Greece
Description: Public/private; the Syzefxis PKI system, which is managed by the contractors, i.e. the ADACOM and OTENET/OTE consortium.

Greece
Description: Public; the PKI of the HERMES project, which is under development.
Certificate/PKI details: The security infrastructure uses the VeriSign VSP 3.9 PKI platform together with the Intercede MyID CMS and nCipher time-stamping devices. The issued digital certificates will be either software certificates or certificates generated and stored in Secure Signature Creation Devices (smart cards and USB tokens).
Directory/validation: No available specifications.

Iceland
Description: eIDs on bank cards.
Certificate/PKI details: The Islandsrot PKI architecture is a single-CA, hierarchical model. Islandsrot is currently not linked to other PKI infrastructures through an existing Bridge-CA network. There are two standard X.509 client certificates on the bank cards: one for authentication (standard SSL/TLS client authentication) and one for non-repudiation signatures (qualified signature certificate). The certificates and the corresponding private keys are stored on smart cards (ISO 7816, PKCS#15).

Italy (country name missing from the extracted table; inferred from the CIE and CNS references)
Description: National Service card.
Certificate/PKI details: The common name of the authentication certificate does not directly contain (at least in the CIE and CNS cases) the name of the holder; instead it contains the SHA-1 hash of the "Dati Personali" (personal data) file.
Directory/validation: No available specifications.

Latvia
Description: The trusted certification service provider VAS Latvijas Pasts [90].
Certificate/PKI details: The smart card holds a certificate for qualified signatures, used for creating electronic signatures, and an unqualified authentication certificate, used for authentication and for time-stamping electronic documents.
Directory/validation: All methods are used: CRL, Delta CRL and OCSP.
Footnote 90: A similar type of specification will be used with the national eID card.

Liechtenstein
Description: The e-ID card.
Certificate/PKI details: The e-ID card is based on PKI technology and incorporates two certificates: one for encryption and one for electronic signatures, with only the latter being considered as qualified.
Directory/validation: No information. Currently not used, under development.

Lithuania
Description: UAB "Skaitmeninio sertifikavimo centras" ("SSC") [91] and "Bite Lietuva".
Certificate/PKI details: Usually the digital certificate contains the following data: the public key of the holder, the name of the holder, the term of validity of the public key, the name of the certification services provider, the serial number of the certificate and the digital signature of the organisation issuing the certificate.
Directory/validation: Real-time verification of the status of [...]
Footnote 91: www.ssc.lt

Luxembourg
Description: The LuxTrust CA.
Certificate/PKI details: Smart card holding two certificates together with their respective private keys; one is used exclusively for authentication and the second exclusively for signature. Other LuxTrust functions include: signing-server certificates, SSL and object-signing certificates, trusted time-stamping and tailor-made LuxTrust solutions.
Directory/validation: Not specified.

Malta
Description: The Government CA.
Certificate/PKI details: Certificates are intended solely for client authentication to electronic services offered through the portal of the Government of Malta. While these certificates are technically capable of use for other Advanced Electronic Signature (or "digital" signature) purposes, such use is entirely at the subscriber's risk.
Directory/validation: The Government CA publishes CRLs at regular intervals.

Norway (country name missing from the extracted table; inferred from the Buypass and BankID references)
Description: Buypass AS; BankID.
Certificate/PKI details: Buypass is the Certification Authority (CA) for Buypass Class 3 certificates. Buypass Class 3 certificates may be used to verify the identity of a person, for encryption of data and for electronic signatures; they must not be used to sign software, certificates or revocation lists. All BankID certificates shall contain a unique object identifier (OID) that points to a specific certificate policy. Certificates under this policy can be used between private persons and service providers for authentication and digital signature, and can only be used towards BankID service providers. Authentication CA: only issues authentication certificates.
Directory/validation: There is a procedure for on-line revocation checking (OCSP) where [...]

Portugal (row reconstructed from footnote 92)
Certificate/PKI details: The Portuguese State has set up a CA hierarchy with the Portuguese Root CA (ECEE) at the top. The ECEE certifies the CAs in the government domain, including the e-ID Citizen CA.

Slovakia
Description: eGovernment PKI system (planned).
Certificate/PKI details: The authentication mechanism will be based on PKI, and the private key will be held on the smart card.
Directory/validation: Not specified.

Slovenia
Description: Halcom CA and Posta CA.
Certificate/PKI details: Halcom CA: a standard certificate has a single key pair and is mostly used in web browsers; it can be used for creating digital signatures and for encrypting data. An advanced certificate consists of two key pairs, one for digital signing and the other for encrypting data. A mobile certificate consists of two key pairs, one for digital signing and the other for [...] Posta CA (attribution inferred from the row heading): two types of certificates: a web certificate, which has a single key pair and is mostly used in web browsers, and an advanced certificate, which consists of two key pairs, one for digital signing and the other for encrypting data.

Slovenia
Description: SIGOV-CA and SIGEN-CA.
Certificate/PKI details: SIGOV-CA issues digital certificates to public servants, whereas SIGEN-CA issues certificates to natural and legal [...]

Slovenia
Description: AC NLB.
Certificate/PKI details: This CSP issues only one type of certificate: web certificates. They have a single key pair and are mostly used in web browsers. The intended usage of these certificates is to enable e-banking for the users.

Spain (country name missing from the extracted table; inferred from the "AC Raiz" and "AC Subordinada" references)
Description: Hierarchy of certification authorities: the "AC Raiz" (root CA) only issues certificates for itself and its subordinate CAs; the "AC Subordinada", the certification authority subordinate to the root CA, issues the certificates for end-entity holders.
Certificate/PKI details: Two types of certificates (digital signature and authentication certificates), issued by the CAs subordinate to the root CA. Footnote 93: details of the PKI of the eID card run by the National Police Department. Other accredited CAs are free to create their own non-hierarchical systems; there is no national root CA that signs all the existing PKIs in the country.
Directory/validation: The standard for publishing certificate status is the Online Certificate Status Protocol (OCSP); Certificate Revocation Lists (CRL) are used as the revocation method.

Sweden
Description: Swedish eID.
Certificate/PKI details: Swedish eIDs exist both as smart cards and as files stored on the hard disk; some issuers offer both options. As mentioned earlier, the latest public procurement process, in 2008, led to the following suppliers of eID services: Nordea Bank, BankID (several banks) and TeliaSonera. The framework agreements are valid until June 2011.
Directory/validation: The Online [...]

Turkey
Description: Electronic certificate service providers.
Certificate/PKI details: Qualified certificate service providers need to comply with the following standards: ETSI TS 101 456, CWA 14167-1, ETSI TS 101 862, ITU-T Rec. X.509 v3, ETSI TS 102 176-1, IETF RFC 3647 and ISO/IEC 17799. Devices and device verification need to comply with CWA 14169, or be assured to EAL4+ in accordance with ISO/IEC 15408 (-1, -2, -3), and with CWA 14171 (verification device).
Directory/validation: Each certificate service provider has its own policies.
Based on the PKI information table, the following global conclusions can be drawn:
• Out of 32 countries, 26 have reported some details of their PKI systems (19 in the previous study).
o 12 of these countries use both the CRL and the OCSP method (the same number as in the previous study).
o 5 of these countries rely on CRLs only (2 in the previous study).
o 9 of these countries have not specified the method used, usually because the PKI is privately operated and the choice is made by the commercial operator (7 in the previous study).
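The table distinguishes three ways of learning whether a certificate is still trustworthy: a base CRL, a delta CRL applied on top of it (Latvia reports all of these), and an OCSP response. How a relying party such as a pan-European gateway combines them, and why stale data must never be read as "good", is shown in the following Python example. It was added for this report and is not code from any of the national PKIs surveyed: the issuer name, serial numbers, CRL numbers and dates are constructed for illustration, and the one-hour tolerance for OCSP responses that carry no nextUpdate field is an assumption.

```python
"""Revocation-status decision over a base CRL, a delta CRL and an OCSP
response, following the delta-CRL rules of RFC 5280.  All data below is
constructed for the example; nothing is fetched from the network."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple


class Reason(Enum):
    """Subset of the RFC 5280 CRLReason values."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CERTIFICATE_HOLD = 6
    REMOVE_FROM_CRL = 8   # only valid in a delta CRL: lifts a hold


@dataclass(frozen=True)
class Entry:
    serial: int
    revocation_date: datetime
    reason: Reason = Reason.UNSPECIFIED


@dataclass
class CRL:
    issuer: str
    crl_number: int
    this_update: datetime
    next_update: datetime
    entries: Dict[int, Entry]
    base_crl_number: Optional[int] = None   # set only on a delta CRL


@dataclass
class OCSPResponse:
    serial: int
    status: str                    # "good", "revoked" or "unknown"
    this_update: datetime
    next_update: Optional[datetime] = None
    reason: Reason = Reason.UNSPECIFIED


# Assumption: how long an OCSP response without nextUpdate stays usable.
OCSP_MAX_AGE = timedelta(hours=1)


def is_fresh(this_update: datetime, next_update: Optional[datetime],
             now: datetime) -> bool:
    """Reject information from the future and information past its validity."""
    if now < this_update:
        return False
    limit = next_update if next_update is not None else this_update + OCSP_MAX_AGE
    return now <= limit


def delta_applies(base: CRL, delta: CRL) -> bool:
    """RFC 5280 5.2.4: a delta may be combined with a base whose CRL number is
    equal to or greater than the delta's BaseCRLNumber; the delta must be newer."""
    return (delta.issuer == base.issuer
            and delta.base_crl_number is not None
            and delta.base_crl_number <= base.crl_number
            and delta.crl_number > base.crl_number)


def merge_delta(base: CRL, delta: CRL) -> CRL:
    """Build the complete CRL implied by base + delta."""
    if not delta_applies(base, delta):
        raise ValueError("delta CRL does not apply to this base CRL")
    merged = dict(base.entries)
    for serial, entry in delta.entries.items():
        if entry.reason is Reason.REMOVE_FROM_CRL:
            merged.pop(serial, None)        # certificate released from hold
        else:
            merged[serial] = entry          # newly revoked, or reason updated
    return CRL(base.issuer, delta.crl_number, delta.this_update,
               delta.next_update, merged)


def revocation_status(serial: int, now: datetime, base: Optional[CRL] = None,
                      delta: Optional[CRL] = None,
                      ocsp: Optional[OCSPResponse] = None) -> Tuple[str, str]:
    """Return ("good" | "revoked" | "undetermined", explanation).

    A fresh, definite OCSP answer wins; otherwise fall back to the CRL (with
    the delta applied when one is given).  Stale or mismatched data never
    yields "good": the function fails closed with "undetermined"."""
    if (ocsp is not None and ocsp.serial == serial and ocsp.status != "unknown"
            and is_fresh(ocsp.this_update, ocsp.next_update, now)):
        if ocsp.status == "revoked":
            return "revoked", "OCSP: " + ocsp.reason.name
        return "good", "OCSP"
    if base is None:
        return "undetermined", "no revocation information available"
    if delta is not None:
        if not delta_applies(base, delta):
            return "undetermined", "delta CRL does not match base CRL"
        crl = merge_delta(base, delta)
    else:
        crl = base
    if not is_fresh(crl.this_update, crl.next_update, now):
        return "undetermined", "CRL %d is outside its validity window" % crl.crl_number
    entry = crl.entries.get(serial)
    if entry is None:
        return "good", "not listed on CRL %d" % crl.crl_number
    # certificateHold is still a revoked state from the relying party's view
    return "revoked", "CRL %d: %s" % (crl.crl_number, entry.reason.name)


# ---- constructed sample data ---------------------------------------------
UTC = timezone.utc
NOW = datetime(2010, 1, 15, 12, 0, tzinfo=UTC)
ISSUER = "CN=Example Citizen CA"                 # constructed name

BASE = CRL(ISSUER, 41, NOW - timedelta(days=3), NOW + timedelta(days=4), {
    0x1001: Entry(0x1001, NOW - timedelta(days=10), Reason.KEY_COMPROMISE),
    0x1002: Entry(0x1002, NOW - timedelta(days=5), Reason.CERTIFICATE_HOLD),
})
DELTA = CRL(ISSUER, 43, NOW - timedelta(hours=2), NOW + timedelta(hours=22), {
    0x1002: Entry(0x1002, NOW - timedelta(hours=3), Reason.REMOVE_FROM_CRL),
    0x1003: Entry(0x1003, NOW - timedelta(hours=1)),
}, base_crl_number=41)
STALE_BASE = CRL(ISSUER, 30, NOW - timedelta(days=30), NOW - timedelta(days=23), {})
STALE_OCSP = OCSPResponse(0x1003, "good", NOW - timedelta(days=2), NOW - timedelta(days=1))
FRESH_OCSP = OCSPResponse(0x1004, "revoked", NOW - timedelta(minutes=5),
                          reason=Reason.KEY_COMPROMISE)

if __name__ == "__main__":
    for s in (0x1001, 0x1002, 0x1003, 0x1004):
        print(hex(s), revocation_status(s, NOW, BASE, DELTA, STALE_OCSP))
```

Two design choices matter for a gateway that consumes revocation data from many national CAs: a delta CRL is only combined with a base whose CRL number it actually references (a delta for one base silently applied to another would resurrect or hide revocations), and any CRL or OCSP response outside its validity window produces "undetermined" rather than "good", so an outage of a revocation service cannot be turned into an acceptance of revoked certificates.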
4.7.2.3 Username / Password systems
This section focuses on password-based authentication systems. These are either private or public by nature.
Specifically, the overview reports:
• The name of the country.
• The Description column gives information about who provides these services and what type of services they are.
• The User group column gives details about whom these services are for.
• The Details/Authentication column gives more information about the solution and the authentication itself.
Columns: Country; Description; User group; Details/Authentication usage.

Croatia [94]
Description: eGovernment, eHealth, eJustice and eEducation services; each system maintains its own identity management.
Details/Authentication: The user accesses his or her personal data electronically by presenting a password and a PIN number.
Footnote 94: All eGovernment applications and systems are also accessible to holders of qualified certificates, who are thereby identified to the public administration bodies. But because there is no method to issue eID certificates to citizens, these systems are listed in this table.

Cyprus
Description: Theseas Customs and Excise system.
User group: Registered users of the system (usually traders).
Details/Authentication: Designed for traders to connect to the system via the Internet; electronic payment of customs duties is made through the banks.

Czech Republic
Description: Social security number; communication with the Czech Social Security Administration.
User group: The Ministry of Justice (only it has access to the social security number database).
Details/Authentication: Compares the personal IDs and social security numbers in the data that the user sends to the system.

Czech Republic
Description: Personal identity number (or other data sufficient to uniquely identify a person).
Details/Authentication: Identification is made only by linking the data from a qualified certificate with the personal identity number in the signed form.

Estonia
Description: Bank ID [95].
User group: Several commercial applications where users can log on using their Bank ID logon.
Details/Authentication: Authentication is performed through the specified bank's authentication, mostly using a password list or a password device.
Footnote 95: Banks will cease providing authentication services to third parties; this will lead to expanded usage of the ID card.

Germany
Description: The Hamburg Gateway, a one-stop access point.
Details/Authentication: Online registration with user name and password. Security level two requires registration in person at any of the decentralised customer centres, based on presentation of the personal identity card.

Hungary
Description: The Client Gate.
User group: Users of the specified eGovernment applications.
Details/Authentication: The user provides his or her user name and password in the login process, and the Client Gate sends the application the name, the e-mail address and a registration [...] register of the System of Central Electronic Services.

Ireland
Description: The Public Service Broker.
User group: All users of public services.
Details/Authentication: Uses two distinct parts [...] government agencies. Authentication is done using a password, and information is shared using standardised XML envelopes.

Lithuania
Description: Application-specific usage of usernames and passwords (in eBanking also code generators).
User group: Users of specific applications.
Details/Authentication: Some applications assign a user name by e-mail upon conclusion of an agreement on data supply via electronic means with the eGovernment service provider (a state institution). In some applications users can choose their own username and password.

Luxembourg
Description: Many applications, e.g. eTVA [96].
Details/Authentication: The eTVA application allows a user to submit VAT returns after prior authorisation, which is granted once a (handwritten) application form has been submitted by the user.
Footnote 96: eTVA is changing to be used only with a LuxTrust certificate.

Malta
Description: Several different e-services offered by the Government, application based and offered by various departments and authorities.
Details/Authentication: [...] system for electronic authentication.

Netherlands
Description: DigiD-supported eGovernment services.
User group: Several different services (e.g. Tax services, student [...]).
Details/Authentication: Registered DigiD users get a username and [...] Passwords are stored in a DGITA database using a "one way password" scheme. Communications use the SSL protocol.

Portugal
Description: Customs: the NCTS network (New Computerised Transit System).
Details/Authentication: The system through which all declarations are sent electronically; [...] identification and a password. Technically similar to the Tax system.

Portugal
Description: Direct Social Security (Segurança Social [...]).
Details/Authentication: [...] containing a password (the user must change this password when accessing the programme for the first time). The site uses 128-bit SSL secure transactions, with a web server [...]

Portugal
Description: Citizen's Portal (Portal do Cidadão), a web platform developed by UMIC that mainly centralises the information provided to citizens about all matters of Public Administration.
Details/Authentication: After registering and entering the respective data, the system sends the user an e-mail containing a link that the user must follow to complete the registration. Logging on to the system thereafter uses a username/password system.

Slovakia
Description: The Central Portal of Public Administration.
User group: Access to public services (e.g. the eTendering application).
Details/Authentication: Authentication through username and password.

Spain
Description: eGovernment services that can be accessed by username and password, e.g. the National Cadastre and Land Records Service or the Virtual Office of the Tax Agency, among others.
Details/Authentication: The user can choose to authenticate with a username and password or with a certificate.
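The "one way password" storage scheme reported for DigiD above is what separates a password database that merely leaks from one that hands the attacker every account. The following Python example, added for this report and not code from any of the systems surveyed, shows a salted, iterated one-way scheme next to the unsalted hash it replaces; the iteration count, the record format and the sample passwords are choices made for the example and should be tuned to the deployment.

```python
"""Salted, iterated one-way password storage with constant-time
verification, using only the Python standard library.  Parameters and the
record layout are choices made for this example."""
import base64
import hashlib
import hmac
import os

ITERATIONS = 200_000          # assumption: raise it as far as your login latency allows
ALGORITHM = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: bytes = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh random salt per user makes equal passwords produce different
    records, so one cracked record does not expose other users."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=32)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, _b64(salt), _b64(digest))


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and parameters and compare
    it in constant time, so response timing does not reveal a prefix match.
    Malformed records are treated as a failed login, never as an error."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        iterations = int(iterations)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when the stored record was produced with weaker parameters than
    the current policy; call it after a successful login and store a fresh
    hash_password() result, which upgrades old records transparently."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


def unsalted_sha256(password: str) -> str:
    """The weak scheme, for contrast: one deterministic hash per password,
    so identical passwords are identical in the database and a single
    precomputed table cracks all of them at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("wrong password", record))
```

The record carries its own algorithm name, iteration count and salt, which is what allows the stored parameters to be strengthened over time without a forced password reset: a login that verifies against an old record is simply followed by re-hashing with the current policy.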