e-Estonia - 10 years of experience
Transcription
e-Estonia - 10 years of experience. Lessons learned. Jüri Voore, Estonian Certification Centre

PROJECT MILESTONES
- First ideas in 1997
- Law on personal identification documents: Feb, 1999
- Digital Signature Act: March, 2000
- Government accepted plan for launching ID-card: May, 2000
- 2001: Tender for ID card production & personalisation service won by Swiss TRÜB AG
- Sept 2001: Certification service contract tendered to AS Sertifitseerimiskeskus
- First card issued: Jan 28, 2002
- October 2006: 1 000 000th card issued

MILESTONES VOL 2
- 2004: ID card as e-ticket in public transport
- 2005: world's first Internet voting
- 2007: first mobile ID issued
- 2011: new DigiDoc software
- 2011: mobile ID as national electronic ID document
- 2011: mobile ID used in Internet voting
- March 2012: 500 000 users for e-services

WHAT IS ESTONIAN eID CARD
- eID card is a Police and Border Guard Board issued ID + travel document. Max. validity 5 years
- It is a mandatory document for all Estonian residents starting from age 15
- Contains:
  - Visual personal information
  - Personal data file
  - Certificate for authentication (along with e-mail address Forename.Surname@eesti.ee)
  - Certificate for digital signature

[Figure: X-Road infrastructure diagram, April 2010, source www.ega.ee; labels include 110 DB, 550 org., 200 DB and user counts]

SINGLE SOURCE FOR USERS – WWW.ID.EE

ESTONIAN ID CARD, PKI AND DIGITAL SIGNATURES. Jüri Voore, Estonian Certification Center

Common platform in Estonia - DigiDoc

DigiDoc architecture
- Full-scale architecture for digital signatures and documents
  - Document format
  - Program libraries (C, Java, COM)
  - End-user client – DigiDoc Client
  - End-user portal – DigiDoc Portal
  - Webservice
- Based on the international technical standard XML-DSIG; contains a subset of the ETSI TS 101 903 extensions ("XAdES")
- Includes real-time validity confirmation of a certificate (OCSP)
- Long-term validity of documents is ensured

[Figure: DigiDoc component diagram: Applications, Win32 Client, DigiDoc portal, COM-library, WebService, DigiDoc-library (Win/Unix/C/Java), CSP, PKCS#11, MSSP, XML, Mobile-ID, OCSP, ID card]

ID-card versus Mobile ID
- ID card (accessing an Internet bank):
  - ID card (PIN 1, 2)
  - ID card reader
  - PC with ID card reader and ID card
- Mobile ID (accessing an Internet bank):
  - Mobile-ID SIM card (PIN 1, 2)
  - Mobile phone
  - Any PC connected to the public Internet

Description of the solution
- SK has been offering the mobile ID (MID) solution since 2007
- SK was driving development and implementation of requirements in www.wpki.eu
- SK is offering the CA and TSP service for 4 different mobile operators
- Unique toolset to combine WPKI and PKI possibilities

[Figure: General architecture: E-Services, SK TSP, Mobile Operators, Time Stamp Service, SK and other Certification Authorities]

[Figure: General technical architecture]

Digital signature cost-benefit calculator
- There are 80 million digitally signed documents! All in all, people/companies have saved 60 000 000 €
- The study carried out with the University of Tartu, Eesti Loto and Eltel Networks showed that if the customer service time spent per customer is 10 minutes, the document consists of 4 pages, there are 2 copies, there are 500 documents in a month, and 20% of the documents are sent by mail, the company saves 9100 € a year
- Calculate how much money you could save: http://eturundus.eu/digital-signature/
www.sk.ee

Focus on digital signature!
- Public sector is obliged to accept digitally signed documents
- Digital signature is universal
  - Open user group
  - Any relation – government, business, private
- Focus on document concept
  - Equivalent to what we are doing on paper
- But how about cross-border digital signature?

LESSONS LEARNED – project start
- Important questions in getting started:
  - Is the ID card mandatory or voluntary?
  - How to start first: infrastructure or services?
- A PKI enabled ID card is just a tool for accessing services.
- Motivation – both service providers and users must have the necessity to use the ID card for authentication and digital signing
- Public-private partnership is vital
  - It is reasonable to set up ONE COMMON Root-CA / trust chain
  - Public investments are minimized by service contracts with private vendors
  - Technology risks to be handled by private vendors
- Time is the most valuable resource
  - Public procurement disputes can mess up the time-table
  - Political and legal issues will take a lot of time

LESSONS LEARNED VOL. 2
- "Positive enforcement" of electronic services
- Use solutions based on proven international standards (if they exist)
- Share common infrastructure with the private sector
- Provide open source s/w tools and drivers
- Distribute ID card readers in mass at an affordable price
- Main usage volume comes from private services, not from e-government services
- There is never too much promotion and training for end users
- Users' privacy and security stand on top
- "Learning by doing" leads to mistakes – admit, correct and learn from it
- Avoid "home-blindness" and "project fatigue"
- Future is in mobile ID and …

LESSONS LEARNED VOL. 3
Government:
- let the private sector take initiative
- promote all aspects of information society
- create and maintain the legislative framework
- view IT developments together with public administrative reform
- promote a project based development (more chance for self-correction, if something doesn't work)
- count new channels such as mobile and social media
- and finally, as government: take care of your culture and language (nobody else will do it for you)

Useful links: www.id.ee www.sk.ee

Thank you! Jüri Voore, Estonian Certification Centre [email protected]
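The DigiDoc architecture slide says the format is XML-DSIG with a subset of XAdES, that certificate validity is confirmed in real time with OCSP, and that long-term validity is ensured. The following added example (not code from the slides, from SK or from the DigiDoc libraries) shows the structural consequence of that design: a signature must reference its own SignedProperties, and the OCSP response obtained at signing time is embedded so the document can be validated years later. The XML sample is constructed, the XAdES namespace version is assumed, and no cryptographic verification is performed.

```python
# Added example (not from the slides or from SK): structural check that a
# DigiDoc-style XAdES signature carries a signed SignedProperties block and
# an embedded OCSP response. No cryptographic verification is done here.
import xml.etree.ElementTree as ET

NS = {"ds": "http://www.w3.org/2000/09/xmldsig#",
      "xades": "http://uri.etsi.org/01903/v1.3.2#"}   # assumed XAdES version
SIGNED_PROPS_TYPE = "http://uri.etsi.org/01903#SignedProperties"

# Constructed minimal sample; digests, signature and OCSP bytes are dummies.
SAMPLE = """<?xml version="1.0"?>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    xmlns:xades="http://uri.etsi.org/01903/v1.3.2#" Id="S0">
  <ds:SignedInfo>
    <ds:Reference URI="document.pdf"><ds:DigestValue>AAA=</ds:DigestValue></ds:Reference>
    <ds:Reference URI="#S0-SignedProperties"
        Type="http://uri.etsi.org/01903#SignedProperties">
      <ds:DigestValue>BBB=</ds:DigestValue></ds:Reference>
  </ds:SignedInfo>
  <ds:SignatureValue>Q0ND</ds:SignatureValue>
  <ds:KeyInfo><ds:X509Data><ds:X509Certificate>REVF</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  <ds:Object><xades:QualifyingProperties Target="#S0">
    <xades:SignedProperties Id="S0-SignedProperties"/>
    <xades:UnsignedProperties><xades:UnsignedSignatureProperties>
      <xades:RevocationValues><xades:OCSPValues>
        <xades:EncapsulatedOCSPValue>RkZG</xades:EncapsulatedOCSPValue>
      </xades:OCSPValues></xades:RevocationValues>
    </xades:UnsignedSignatureProperties></xades:UnsignedProperties>
  </xades:QualifyingProperties></ds:Object>
</ds:Signature>"""

def long_term_evidence(xml_text):
    """Report which long-term-validation ingredients the signature carries."""
    sig = ET.fromstring(xml_text)
    props = sig.find(".//xades:SignedProperties", NS)
    props_id = props.get("Id") if props is not None else None
    # XAdES requires SignedProperties to be covered by a ds:Reference of
    # this Type; otherwise the signed attributes are not actually signed.
    covered = any(r.get("Type") == SIGNED_PROPS_TYPE
                  and r.get("URI") == f"#{props_id}"
                  for r in sig.findall("./ds:SignedInfo/ds:Reference", NS))
    return {
        "signing_cert": sig.find(".//ds:X509Certificate", NS) is not None,
        "signed_properties_covered": covered,
        # OCSP answer captured at signing time, so later validation does
        # not depend on the responder still being reachable.
        "ocsp_embedded": sig.find(".//xades:EncapsulatedOCSPValue", NS) is not None,
    }

def has_long_term_evidence(xml_text):
    return all(long_term_evidence(xml_text).values())
```

A real validator would additionally verify the XML-DSIG signature value and the embedded OCSP response against the trusted CA chain.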