European Electronic Identity Practices

Country Update of FinlandSpeaker: Päivi PösöDate: 26.5.2005

CA organisation

• Responsible CA organisation: Population Register Centre (PRC)

• The background of the organisation: PRC operates under Ministry of the Interior

• Description of the existing CA infrastructure: PRC is the CA in public sector. We have outsourced the ICT-technology.

Status of National legislation on eID

The position of PRC as the CA is based on the Population Register Act

PRC shall ensure that the parties of certified electronic transactions can be authenticated

and that messages and document can be electronically signed and enciphered

Status of National legislation on eID

• In Finland the police issues the ID cards and PRC the citizen certificates in these

• PRC may issue citizen certificates also for other cards or technical means.

• Certificates are quality certificates based on the Act of Electronic Signatures

Status of National legislation on eID

• Are eID specific regulations enacted and in place? Yes

- The Population Information Act and Decree (1993)

- The Identity Card Act (1999)- Act on Electronic Services and

Communication in the Public Sector (2003)- Directive on Electronic Signatures- Act on Electronic Signatures (2003)

Status of National deployment of eID

• Co-operation with telecommunication

operators

• Citizen certificate in Sim-card

• Easy to use, no additional equipments

Status of National deployment of eID

• Is the card obligatory? No

• Starting date of issuance: 1.12.1999

Status of National deployment of eID

• Number of citizen certificates issued by 30-04-2005 : 78.000 issued, at the moment 65.000 valid cards

• Number of inhabitants: 5.235.000 • Yearly growth rate (percentage):

35.000• Expected number of cards/eID certs

by end of 2007: 135.000

Status of national deployment of eID

• Basic functionalities of the eID card:- official ID document: Yes- European travel document: Yes- support of on-line access to e-Services: Yes- social security information on the card: Yes

• Validity period of the card/certificates: 5 years

Status of national deployment of eID

• Price in Euros of the cards:- for the citizen: 40 € - for the card issuer: 40 €

- price for the card reader and software: 20 – 40 €- any additional costs for the user/relying party:No additional costs

• From whom and how may the citizen obtain the end/user packages: PC-stores

Basic ID function

• What cardholder data is electronically stored in the card: - national identifier- family name, given name - email (optional)

Basic ID function

• Are these data elements in a dedicated data file? No - Is the file ’openly accessible’? No - If not, how is the file protected? PIN - Does the data file comply with the ICAO LDS? Yes

• Is the personal data (also) held in a certificate? Yes

Basic Authentication function

• What Cardholder Verification mechanism is used: - PIN? Yes - Biometrics?No

- Is introduction of biometrics envisioned? Under survey, not active

• Is there a PKI supported cardholder authentication mechanism? Yes

• Is there a mutual device authentication mechanism? No

Basic Signing function

• Is a PKI supported signing mechanism (certificate and key pair) present for e-transaction services (non –repudiation)? Yes

• - The card holder´s authentication certificate• - The card holder´s digital signature certificate• - PRC´s CA certificate

eID based services

• What kind of services (include examples) are accessible to cardholders based on acceptance of the cards / eID Certificates:

www.etu-klubi.fi

eID based services

Examples of Sevice provider using the Fineid Card

• Tax administration• Several Cities• Several Insurance Companies• OKO Bank• Social Insurance Institution• Electronic Forms Finland – service• The Finnish Defence Forces

eID based services

Total number of eID based services accessible by cardholders by 30.04.2005: Over 50

• Goal (in numbers/ percentage) of eID based services to be accessible to cardholders by the end of 2007: At least 200

eAuthentication Business models; financial

• What are the Charging/Revenue mechanisms? eID card costs 40 €

• What charges are levied for use of the card? Free of charge

• Is there a charge for checking certificates? No• Has a cost benefit analysis been compiled for

the eID scheme? This is the basic infrastructure in Finland

• Is there a study report available? No

eAuthentication Business models; public/private partnership

• Are non government bodies allowed to use the IAS or other card functions in support of their services? Yes

• Is the card a multi-application smart card? No– If No, are there any plans for this and in what

timeframe?– Co-operation with cities and municipalities

eAuthentication Business models; public/private partnership

• What is the level of usage of supported services (number of transactions per card per year)?

- No reliable studies of this• What is the approach to and experience

with card branding? There are information and logos of the Social Insurance Institute of Finland and cities/municipalities

eAuthentication Business models; cross border usage

• Are there agreements with other national smart card issuers for mutual recognition of cards? (Status of Memorandum of Understanding (MOU) with other CAs):

• MOU was made with Estonia in 2003.• Co-operation is under preparation in TIFI-

project with many countries.

Other Interoperability issues

• What is the level of Current Compliance with each of the following international standards or group activities (Full/Planned/None):

– CWA eAuthentication (under development):planned

– CWA 14890 Secure Signature creation device:planned

– CEN 224 –15 European Citizen Card (under development):none

– ISO/IEC JTC1 SC 37 biometric standards:none

– ICAO recommendations: all

Current use and plansin Biometrics (if applicable)

• Technical solution(s): • Type of project(s):• Application areas:

– Under survey, based on the experiences coming from the biometric passport.

Lessons learned so far

Prerequisites for success• easy to use• social and health care services• broad, cross-administrative co-operation• co-operation with the private sector• supporting and guiding service

providers

Next plans

• Biometric passport in co-operation with the Ministry of Interior, Police Department

• Co-operation with teleoperators and banks to have the citizen certificates on there platforms – already with one bank and one operator

• 64k Java chips on the first of June 2005• Co-operation with cities and municipalities

Porvoo Group cooperation issues

List of issues to be overcome:• Open Source Card reader software?

Could this be an easier way for pan European usage?

• The collision of the RSA algorithm at the moment. What will be the next step –elliptic curve cryptography? Should we try to study this more?

More information

• Web-pages eID issues: www.fineid.fi www.vaestorekisterikeskus.fi

• email: paivi.poso@vrk.intermin.fi

Thank You!