e- Estonia - 10 years of experience

Transcription

1 e- Estonia - 10 years of experience Lessons learned Jüri Voore, Estonian Cer;fica;on Centre

2 PROJECT MILESTONES o First ideas in 1997 o Law on personal iden;fica;on documents: Feb, 1999 o Digital Signature Act: March, 2000 o Government accepted plan for launching ID- card: May, 2000 o 2001 : Tender for ID card produc;on & personalisa;on service won by Swiss TRÜB AG o Sept 2001 : Cer;fica;on service contract tendered to AS Ser;fitseerimiskeskus o First card issued: Jan 28, 2002 o October 2006: th card issued

3 MILESTONES VOL 2 o 2004 ID card as e- ;cket in public transport o 2005 world first Internet vo;ng o 2007 first mobile ID issued o 2011 new DigiDoc so\ware o 2011 mobile ID as na;onal electronic ID document o 2011 mobile ID used in Internet vo;ng o March 2012: users for e- services

4 WHAT IS ESTONIAN eid card o o eid card is Police and Borderguard Board issued ID + travel document. Max. validity 5 years It is mandatory document for all EST residents star;ng of age 15 o Contains: ü Visual personal informa;on ü Personal data file ü Cer;ficate for authen;ca;on (along with e- mail address Forename.Surname@ees;.ee) ü Cer;ficate for digital signature

5 110 DB X-road 5 ~ ~ April users users 550 org. 200 DB 1,100,000

6 SINGLE SOURCE FOR USERS ESTONIAN ID CARD, PKI AND DIGITAL SIGNATURES Jüri Voore Estonian Certification Center

7 o Common plajorm in Estonia - DigiDoc Full- scale architecture for digital signatures and documents ü Document format ü Program libraries (C, Java, COM) ü End- user client DigiDoc Client ü End- user portal DigiDoc Portal ü Webservice Application Win32 Client COM-library DigiDoc architect DigiDoc portal WebService Application Application o o o Based on interna;onal technical standards XML- DSIG, contains subset of ETSI TS extensions XAdES Includes real- ;me validity confirma;on of a cer;ficate (OCSP) Long- term validity of a documents is ensured MSSP Mobile-ID DigiDoc-library (Win/Unix/C/Java) OCSP XML CSP PKCS#11 ID card

8 ID-card versus Mobile ID Internetipank Internetipank ID card (PIN 1,2) ID card reader PC with ID card reader and ID card Mobile-ID SIM card (PIN 1,2) Mobile phone Any PC connected to public Internet

9 Description of the solution " SK has been offering mobile ID (MID) solution since 2007 " SK was driving development and implementation of requirements in " SK is offering the CA and TSP service for 4 different mobile operators " Unique toolset to combine WPKI and PKI possibilities

10 General architecture E-Services SK TSP Mobile Operators Time Stamp Service SK and other Certification Authorities

11 General technical architecture

12 Digital signature cost-benefit calculator There are 80 million digitally signed documents! All in all people/companies have saved The study carried out with University of Tartu, Eesti Loto and Eltel Networks showed that if the customer service time spent per customer is 10 minutes If the document consist of 4 pages If there are 2 copies If there are 500 documents in a month If 20% of the documents are sent by mail Company saves 9100 / a year Calculate how much money You could save

13 Focus on digital signature! o Public sector is obliged to accept digitally signed documents o Digital signature is universal ü Open user group ü Any rela;on government, business, private o Focus on document concept ü Equivalent to what we are doing on paper But how about cross- border digital signature?

14 LESSONS LEARNED project start o Important ques;ons in genng started: ü Is ID card mandatory or voluntary? Lessons ü Infrastructure Learned How or services to start first? o PKI enabled ID card is just a tool for accessing services. o Mo;va;on both service providers and users must have the necessity to use ID card for authen;ca;on and digital signing o Public- private partnership is vital ü It is reasonable to set up ONE COMMON Root- CA /trust chain ü Public investments are minimized by service contracts with private vendors ü Technology risks to be handled by private vendors o Time is the most valuable resource ü Public procurement disputes can mess up ;me- table ü Poli;cal and legal issues will take a lot of ;me

15 LESSONS LEARNED VOL. 2 o Posi;ve enforcement of electronic services o Use solu;ons based on proven interna;onal standards (if exist) o Share common infrastructure with private sector o Provide open source s/w tools and drivers o Distribute in mass ID card readers at affordable price o Main usage volume comes from private services not from e- government services o There is never too much promo;on and training for end users o Users privacy and security stands on a top o Learning by doing leads to mistakes admit, correct and learn from it o Avoid home- blindness and project fa;gue o Future is in mobile ID and

16 LESSONS LEARNED vol.3 Government: let the private sector take initiative promote all aspects of information society create and maintain the legislative framework view IT developments together with public administrative reform promote a project based development (more chance for selfcorrection, if something doesn t work) Count new channels as mobile and social media And finally, as government: take care of your culture and language (nobody else will do it for you)

17 Useful links: Thank you! Jüri Voore, Estonian Cer;fica;on Centre