e-Estonia - 10 years of experience

Transcription

e-Estonia - 10 years of experience: lessons learned
Jüri Voore, Estonian Certification Centre

PROJECT MILESTONES
- First ideas in 1997
- Law on personal identification documents: Feb 1999
- Digital Signature Act: March 2000
- Government accepted the plan for launching the ID card: May 2000
- 2001: tender for ID card production and personalisation service won by Swiss TRÜB AG
- Sept 2001: certification service contract tendered to AS Sertifitseerimiskeskus
- First card issued: Jan 28, 2002
- October 2006: 1 000 000th card issued

MILESTONES VOL 2
- 2004: ID card as e-ticket in public transport
- 2005: world's first Internet voting
- 2007: first mobile ID issued
- 2011: new DigiDoc software
- 2011: mobile ID as national electronic ID document
- 2011: mobile ID used in Internet voting
- March 2012: 500 000 users of e-services

WHAT IS THE ESTONIAN eID CARD
- The eID card is an ID and travel document issued by the Police and Border Guard Board; maximum validity 5 years
- It is a mandatory document for all Estonian residents from age 15
- Contains:
  - visual personal information
  - personal data file
  - certificate for authentication (together with the e-mail address Forename.Surname@eesti.ee)
  - certificate for digital signature

[Figure: X-road usage statistics as of April 2010 (databases, organisations and users connected); source www.ega.ee]
SINGLE SOURCE FOR USERS: WWW.ID.EE

ESTONIAN ID CARD, PKI AND DIGITAL SIGNATURES
Jüri Voore, Estonian Certification Center
COMMON PLATFORM IN ESTONIA: DigiDoc
- Full-scale architecture for digital signatures and documents:
  - document format
  - program libraries (C, Java, COM)
  - end-user client: DigiDoc Client
  - end-user portal: DigiDoc Portal
  - web service
- Based on international technical standards: XML-DSIG, with a subset of the ETSI TS 101 903 "XAdES" extensions
- Includes real-time validity confirmation of a certificate (OCSP)
- Long-term validity of documents is ensured

[Figure: DigiDoc architecture diagram with the components Win32 client, DigiDoc portal, applications, COM library, WebService, DigiDoc library (Win/Unix, C/Java), CSP, PKCS#11, MSSP, XML, Mobile-ID, OCSP and ID card]
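As an added example (not DigiDoc's or SK's own code), the following Python checks the XAdES structure the slide above describes: that the signed properties are actually covered by the signature, that the signing certificate is bound to the one carried in KeyInfo, and that an OCSP response is embedded for long-term validity. It assumes the XAdES v1.3.2 namespace and builds a constructed, minimal signature skeleton with placeholder certificate bytes and no real signature value.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Namespaces of XML-DSIG and of XAdES (ETSI TS 101 903 v1.3.2).
NS = {"ds": "http://www.w3.org/2000/09/xmldsig#", "xades": "http://uri.etsi.org/01903/v1.3.2#"}

def check_xades(xml_text: str) -> dict:
    """Structural checks before cryptographic verification: SignedProperties must be
    covered by a ds:Reference, the SigningCertificate digest must bind the KeyInfo
    certificate, and an OCSP response must be embedded for long-term validity."""
    sig = ET.fromstring(xml_text)
    sp = sig.find(".//xades:SignedProperties", NS)
    refs = [r.get("URI") for r in sig.findall("ds:SignedInfo/ds:Reference", NS)]
    cert_b64 = sig.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    claimed = sig.findtext(".//xades:SigningCertificate/xades:Cert/xades:CertDigest/ds:DigestValue",
                           default="", namespaces=NS)
    # XAdES digests the DER-encoded certificate; the sample "certificates" are placeholders.
    actual = base64.b64encode(hashlib.sha256(base64.b64decode(cert_b64)).digest()).decode()
    ocsp = sig.findtext(".//xades:RevocationValues/xades:OCSPValues/xades:EncapsulatedOCSPValue",
                        default="", namespaces=NS)
    return {"signed_properties_referenced": sp is not None and f"#{sp.get('Id')}" in refs,
            "cert_digest_matches": bool(cert_b64) and claimed.strip() == actual,
            "ocsp_embedded": bool(ocsp.strip())}

def build_sample(cert: bytes, include_ocsp: bool = True, keyinfo_cert: bytes = None) -> str:
    """Constructed minimal XAdES skeleton, not a real DigiDoc file (no SignatureValue).
    keyinfo_cert != cert models a substituted certificate."""
    digest = base64.b64encode(hashlib.sha256(cert).digest()).decode()
    cert_b64 = base64.b64encode(keyinfo_cert or cert).decode()
    ocsp = ("<xades:UnsignedProperties><xades:UnsignedSignatureProperties><xades:RevocationValues>"
            "<xades:OCSPValues><xades:EncapsulatedOCSPValue>Q09OU1RSVUNURUQ=</xades:EncapsulatedOCSPValue>"
            "</xades:OCSPValues></xades:RevocationValues></xades:UnsignedSignatureProperties>"
            "</xades:UnsignedProperties>") if include_ocsp else ""
    return (f'<ds:Signature xmlns:ds="{NS["ds"]}" xmlns:xades="{NS["xades"]}" Id="S0">'
            '<ds:SignedInfo><ds:Reference URI="#doc.txt"/>'
            '<ds:Reference URI="#S0-SP" Type="http://uri.etsi.org/01903#SignedProperties"/></ds:SignedInfo>'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
            '<ds:Object><xades:QualifyingProperties Target="#S0"><xades:SignedProperties Id="S0-SP">'
            '<xades:SignedSignatureProperties><xades:SigningTime>2012-03-01T10:00:00Z</xades:SigningTime>'
            '<xades:SigningCertificate><xades:Cert><xades:CertDigest>'
            f'<ds:DigestValue>{digest}</ds:DigestValue></xades:CertDigest></xades:Cert></xades:SigningCertificate>'
            f'</xades:SignedSignatureProperties></xades:SignedProperties>{ocsp}'
            '</xades:QualifyingProperties></ds:Object></ds:Signature>')
```

A real verifier runs these checks in addition to, not instead of, verifying the ds:SignatureValue and the embedded OCSP response against the trust chain.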
ID-CARD VERSUS MOBILE ID
Internet bank with ID card:
- ID card (PIN 1, 2)
- ID card reader
- PC with ID card reader and ID card
Internet bank with Mobile-ID:
- Mobile-ID SIM card (PIN 1, 2)
- Mobile phone
- Any PC connected to the public Internet
Description of the solution
- SK has been offering the mobile ID (MID) solution since 2007
- SK drove the development and implementation of the requirements in www.wpki.eu
- SK offers the CA and TSP service for 4 different mobile operators
- Unique toolset to combine WPKI and PKI possibilities
General architecture
[Figure: general architecture with E-Services, SK TSP, Mobile Operators, Time Stamp Service, SK and other Certification Authorities]

General technical architecture
[Figure: general technical architecture]
Digital signature cost-benefit calculator
- There are 80 million digitally signed documents! All in all, people and companies have saved 60 000 000 €
- The study carried out with the University of Tartu, Eesti Loto and Eltel Networks showed that:
  - if the customer service time spent per customer is 10 minutes,
  - if the document consists of 4 pages,
  - if there are 2 copies,
  - if there are 500 documents in a month,
  - if 20% of the documents are sent by mail,
  - the company saves 9100 € a year
- Calculate how much money you could save: http://eturundus.eu/digital-signature/
FOCUS ON DIGITAL SIGNATURE!
- The public sector is obliged to accept digitally signed documents
- Digital signature is universal:
  - open user group
  - any relation: government, business, private
- Focus on the document concept:
  - equivalent to what we are doing on paper
But how about cross-border digital signature?

LESSONS LEARNED: PROJECT START
- Important questions in getting started:
  - Is the ID card mandatory or voluntary?
  - What to start with first: infrastructure or services?
- A PKI-enabled ID card is just a tool for accessing services
- Motivation: both service providers and users must have the necessity to use the ID card for authentication and digital signing
- Public-private partnership is vital:
  - It is reasonable to set up ONE COMMON Root CA / trust chain
  - Public investments are minimised by service contracts with private vendors
  - Technology risks are handled by private vendors
- Time is the most valuable resource:
  - Public procurement disputes can mess up the timetable
  - Political and legal issues will take a lot of time

LESSONS LEARNED VOL. 2
- "Positive enforcement" of electronic services
- Use solutions based on proven international standards (if they exist)
- Share common infrastructure with the private sector
- Provide open source software tools and drivers
- Distribute ID card readers in mass at an affordable price
- Main usage volume comes from private services, not from e-government services
- There is never too much promotion and training for end users
- Users' privacy and security stand at the top
- "Learning by doing" leads to mistakes: admit, correct and learn from them
- Avoid "home-blindness" and "project fatigue"
- The future is in mobile ID and ...

LESSONS LEARNED VOL. 3
Government:
- let the private sector take the initiative
- promote all aspects of the information society
- create and maintain the legislative framework
- view IT developments together with public administrative reform
- promote project-based development (more chance for self-correction if something doesn't work)
- count new channels such as mobile and social media
- and finally, as government: take care of your culture and language (nobody else will do it for you)

Useful links: www.id.ee, www.sk.ee

Thank you!
Jüri Voore, Estonian Certification Centre, [email protected]