Mobile-ID as enabler for Government services

Jürgen Niinre

R&D manager

EMT / TeliaSonera Estonia

[email protected]

Table of contents

• Main reasons and Governmental use cases for Mobile-ID
  – Tax declaration
  – Voting

• Mobile-ID endorsement by Government
  – Mobile-ID issuing
  – Mobile-ID auditing

22 May 2014

Main reasons for Mobile-ID

Standard security tokens are uncomfortable and hard to use with Smartphones and tablets


The spread of internet voting

Source http://www.vvk.ee/voting-methods-in-estonia/engindex/statistics/

Declaring tax

[Chart: Natural person's income tax declarations 1999-2013, physical declarations vs. e-declarations per year; percentage labels on the chart run from 3% to 95%. Source: http://www.emta.ee/pressimaterjalid]

In case of Mobile-ID...

• Insert PIN 1

• Enter phone number

• Verify verification code

Enter your telephone number

I-voting control code 7030

Enter?

Enter PIN1 ****

The message is sent, please wait. To use the Mobil-ID in your telephone please enter your Mobile-ID PIN1 code after you have received a SMS with the same verification code, which you can see here:

You are identified

Welcome

You are voting in the 2011 parliamentary elections. This is the official elections, where the electronic votes are equal to votes on paper. Following are the choices for candidates in your residence electoral district.

Ballot completion

• Choose a candidate

Whom do you choose for the parliament?

Click the desired candidate's name

My choice is:

Your district is:

Candidate nr. 821 HELMI LOOPMANN

Eesti Pensionäride Erakond

Confirmation (mobile-ID)

• Confirm your choice by signing digitally

• Insert PIN 2

• Verify verification code

I-voting control code 3654

Sign?

Enter PIN2 *****

The message has been sent, please wait. Confirm your Mobile-ID in your mobile phone by entering the Mobil-ID PIN2 code after you have received a SMS with the same verification code, which you can see here:

Vote received

Your vote has been received

You can change your vote while the electronic voting is open (24 Feb to 2 March) or by voting in paper on pre-voting days at a polling station (28 Feb to 2 March). On election-day (6 March) you can’t change your vote!

If you have casted several electronic votes only the last vote will be taken into account. If you have voted on paper at a polling station your electronic vote is withdrawn.

If you wish to verify whether your vote arrived as casted, please use your Android app and take a picture of the QR code on the right.

Please close the application. For enhanced security please remove the ID card from the reader!

Government endorsement for Mobile-ID

• Law change needed (Identity Documents Act, Election Acts, numerous regulations)

• Changes in Mobile-ID issuance process (Government authority makes the final decision on issuance)

• Auditing the whole Mobile-ID service is necessary (systems, documentation, contracts, processes)

• Government body needs new process to monitor and reevaluate changes (new SIM chips, new profiles, etc)


Mobile-ID issuance


Mobile-ID auditing by Government

• Government has usually no pre-existing requirements for Mobile-ID (no clue)

• Government IT security organizations have little experience with security of mobile devices, SIM cards, applets

• The mobile operator usually shifts responsibility for security incidents to the mobile (device) vendor and the user

• Mobile device vendors are usually slow to act on fixing (no STK support, etc)

• End result = Government wants to know/see everything about Mobile-ID ☺


Mobile-ID auditing by Government II

Typical list of documentation & requirements needed from Mobile-Operator:

• un-personalized SIM card requirements

• un-personalized SIM card storage

• un-personalized SIM card labelling

• personalization

• key generation and loading

• personalized SIM card storage

• SIM card API description (STK, NFC)

• Mobile-ID SIM card (SSCD) testing and validation on most of the mobile devices on market

• User manuals

• User PIN codes management

• Authentication use-case documentation

• Digital signature use-case documentation

• personalized SIM card activation in mobile network

• personalized SIM card certificate issuing

• SIM card software upgrades

• SIM card key management

• SIM card key deletion

• API documentation to Mobile-ID service

• Mobile-ID applet full documentation

• 3rd party evaluation on Mobile-ID SIM application


• Possibility to remote wipe

• Monitoring access

• Service recovery

• Security incident handling

Quite a lot of info and not easily available!

Mobile-ID auditing by Government III

• Current idea of working is: give us all the info, documentation and data that you have, and we will sort it out

• Manageable for bigger and more focused operators, however not feasible for smaller operators and MVNOs

• Preferred way – to have a list of concrete requirements the Mobile operator needs to fulfill

• Plea for ETSI: Harmonize the requirements for (Mobile)eID for Mobile Operators for easier qualification by Government!
