ID card – vision in action Tarvi Martens SK, Estonia


ID card – vision in action

Tarvi Martens, SK, Estonia


The Vision: 1997

Let’s assign electronic identity to every Estonian and give them means for electronic signing!


Surrounding World

• 10-year passports issued from 1992 will expire in 2002: perfect timing for introducing a new type of document
• SEIS specifications: 1998
• FINEID: launched 2000
• Digital Signature Act: 2000


The ID-Card

• Roll-out started 2002
• “Compulsory” for all residents from age 15+
• October 2006: 1 000 000th card issued (population: 1.35M)
• eID part allows for e-authentication and digital signing


Card issuance

[Diagram. Labels: Citizenship and Migration Board (Ministry of Internal Affairs), CMB Regional Offices (15 sites), TRÜB Baltic AS, Certification Centre Ltd, CA, RA, RA (bank office), Public Directory, Afterservice]

1. Application
2. Request for Personalisation
3. Request for Certificates
4. Certificates
5. ID Card with Private Keys and Certificates
6. PIN codes sent by courier
7. Personalised ID Card with Certificates and PIN envelope handed over


eID applications

• E-ticketing (non-PKI)
• Secure e-mail
• Authentication
  - All internet banks
  - E-government
  - Any other major e-service
• Digital signing
  - Universal replacement of handwritten signature

• Internet voting


ID-card as a ticket for public transportation

Person must possess and show an ID-card when buying or verifying a ticket

[Diagram. Labels: e-Tickets, Population Registry, Mobile, Internet, Cash, Fixed-line]


ID-card for secure e-mail

• The authentication certificate contains an e-mail address Surname.Lastname[.X]@eesti.ee

• All S/MIME mailers are usable
• The eesti.ee server runs a forwarding service
• Usable for secure C2C, B2C and G2C communication


ID-card authentication


Universal Digital Signature

• Public sector is obliged to accept digitally signed documents

• Digital signature is universal
  - Open user group
  - Any relation – government, business, private
• Focus on document concept
  - Equivalent to what we are doing on paper

• Innumerable quantity of “applications”


DigiDoc architecture

[Diagram. Labels: ID card, Mobile-ID, MSSP, CSP, PKCS#11, OCSP, XML, DigiDoc-library (Win/Unix/C/Java), COM-library, WebService, Win32 Client, DigiDoc portal, Application]


DigiDoc for end-user

• DigiDoc Client
  - Desktop application
  - Lets users sign, verify signatures etc
  - ID Card not needed for document verification
  - Comes with ID-card base software
• DigiDoc portal
  - https://digidoc.sk.ee
  - Signing, verification, co-signing by multiple persons


Internet voting

• Happened first in October 2005
• First pan-national binding occasion in the World
• Used 5 times in total
• ID-card as an enabling tool

• Normal application vs. Rocket Science?


I-voting: Main Principles

• All major principles of paper-voting are followed
• I-voting is allowed during period before Voting Day
• The user uses ID-card or Mobile-ID
  - System authenticates the user
  - Voter confirms his choice with digital signature
• Repeated e-voting is allowed
  - Only last e-ballot is counted
• Manual re-voting is allowed
  - If vote is cast on paper during absentee voting days, e-vote(s) will be revoked
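
The counting rules on this slide, worked through as an added example (not code from the presentation or from the Estonian i-voting system). The function name, record layout, dates and sample ballots are assumptions constructed for illustration; authentication and signature verification are assumed to have happened upstream and arrive as a boolean.

```python
from datetime import datetime

def resolve_e_ballots(e_ballots, paper_voters, period_open, period_close):
    """Apply the slide's counting rules to internet ballots.

    e_ballots: iterable of (voter_id, cast_at, signature_ok, choice)
    paper_voters: voter ids marked as having voted on paper (assumed input)
    Returns (counted, revoked): counted maps voter_id -> choice,
    revoked is the set of voters whose e-votes were cancelled by a paper vote.
    """
    latest = {}
    for voter_id, cast_at, signature_ok, choice in e_ballots:
        if not signature_ok:
            continue  # choice was not confirmed with a valid digital signature
        if not (period_open <= cast_at <= period_close):
            continue  # outside the i-voting period before Voting Day
        prev = latest.get(voter_id)
        if prev is None or cast_at > prev[0]:
            latest[voter_id] = (cast_at, choice)  # only the last e-ballot is kept
    # A paper vote revokes every e-vote of that voter
    revoked = set(latest) & set(paper_voters)
    counted = {v: c for v, (_, c) in latest.items() if v not in revoked}
    return counted, revoked

# Constructed sample input (not real election data)
OPEN, CLOSE = datetime(2030, 1, 10, 9, 0), datetime(2030, 1, 16, 20, 0)
SAMPLE = [
    ("voter-A", datetime(2030, 1, 11, 10, 0), True, "X"),
    ("voter-A", datetime(2030, 1, 14, 18, 30), True, "Y"),   # re-vote replaces X
    ("voter-A", datetime(2030, 1, 15, 8, 0), False, "Z"),    # bad signature, ignored
    ("voter-B", datetime(2030, 1, 12, 12, 0), True, "X"),    # later votes on paper
    ("voter-C", datetime(2030, 1, 17, 9, 0), True, "Y"),     # after the period closed
]
PAPER = {"voter-B", "voter-D"}  # voter-D never cast an e-vote

if __name__ == "__main__":
    counted, revoked = resolve_e_ballots(SAMPLE, PAPER, OPEN, CLOSE)
    print("counted:", counted)
    print("revoked:", sorted(revoked))
```

An invalid later ballot must not displace an earlier valid one, which is why the signature and period checks run before the "last ballot wins" comparison.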


The spread of Internet voting

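[Chart: overall turnout (scale 0 to 80) and number of Internet voters (scale 0 to 160000) per election]

• 2005 local: overall turnout 47, Internet voters 9 317
• 2007 national: overall turnout 62, Internet voters 30 275
• 2009 EP: overall turnout 44, Internet voters 58 669
• 2009 local: overall turnout 61, Internet voters 104 413
• 2011 national: overall turnout 63, Internet voters 140 846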


Flip side of the coin

• 1,000,000 ID-cards

• 30,000 electronic users (2006)


Why won’t they go e?

• Habits
  - Strong tradition of bank-provided authentication service
• Barriers
  - Need for smart-card reader and software
• No awareness promotion
  - ID-cards are perceived as merely physical documents
  - Unawareness about security benefits


Who is driving?

• Tax declarations: public sector service, once in a year
• Online banking: private sector service, once in a week


“Computer Security 2009”

• Co-operation program between private and public sector

• Aims for safe information society in general

• Special target: ten-fold increase of eID users (300,000 by the end of 2009)

• Achieved: February 2010


Measures for CS09

• Pressure by banks
  - Termination of authentication service to 3rd parties
  - Reduction of transaction limits with passwords
• Availability
  - Alternative PKI-based tokens/methods
  - Redundant service network
• Wide support and usability
  - Support for alternative platforms (Mac, Linux, ..)

• Awareness and training


Reader distribution

- card reader
- https://installer.id.ee
- Price ca 6 EUR

• Available at retail stores
• Sold by banks
• Giveaways in campaigns


ID card software: 2nd generation

• Multi-platform
  - Card drivers (CSP/PKCS#11)
  - Card maintenance tool
  - Digital signing
    • Libraries
    • Webservice
    • Desktop client
• Launched 2011 under LGPL terms.


Alternative eID - MobileID

• PKI-capable SIM cards
  - Requires replacement of SIM
• Instantly ready to use
  - No specific software required
• Equal legal power and security with ID-card
• Launched: May 2007
• Available from all major GSM operators


User view: entry


User view: mID authentication


User’s view: mobile PIN-entry

[Phone screens, in sequence]

1. Swedbank / Control code 0342 / Enter?
2. Enter PIN1 / ****
3. Sending message...


User view: I’m in!


Digi-ID

• Another PKI token for redundancy
• Delivered over-the-counter
• Same electronic content as ID-card
• Not a travel document
• Validity: 3 years
• Launched: 10.2010


id.ee


CS2009: impact

[Chart: vertical axis 0 to 500000; horizontal axis quarterly from 2005 VII to 2011 IV]


Morale (1)

• PKI stands for Public Key Infrastructure

• There are no services nor applications before The Infrastructure is built
  - Roads generate no benefit, transportation does
  - People do not buy cars unless there are roads

• Infrastructure first


Morale (2)

• Roads were ready in 2006
• Since then we have been teaching people about the wonders of transportation
  - Car manufacturing (services)
  - Driving schools (promotion & awareness)


The Result

• 560 000 ID-card users
  - ~50% of cardholders
• 360 000 “frequent users”
  - have used it within past 6 months
• Around 3 Mio signatures created per month
• Around 5 Mio e-authentications per month
• 1/4 of votes are cast electronically (2011)

• Enormous savings in time and environment


Additional Information

• PKI & CA: www.sk.ee
• ID-card practices: www.id.ee
• Digital signature software: www.openxades.org
• I-voting: www.vvk.ee

Contact point: [email protected]