Electronic ID Card and Identification Service Development in Georgia Mikheil Kapanadze.
-
Upload
gyles-dean -
Category
Documents
-
view
241 -
download
2
Transcript of Electronic ID Card and Identification Service Development in Georgia Mikheil Kapanadze.
Contact Interface
• 2 Certificates, issued by PSDA• Online Authentication• Digital Signature (Qualified)
• Secured with 2 distinct PIN codes
PKI Applet
• Compliant with ICAO 9303• Personal Data Storage• Secured with BAC
ICAO LDS Applet
Contactless Interface
• MIFARE Application Directory• Citizen’s Social Status data (if
applicable)• Any 3rd party data can be deployed• Custom-built secure reader-writer
devices are available
MIFARE 1k Classic (Emulated)
• Compliant with ICAO 9303• Personal Data Storage• Secured with BAC
ICAO LDS
PKI Applet in Details
• Two 2048-bit RSA Keys, secured by Different PIN codes• 4 digits for Online Authentication, 6 digits for Signature
• Authentication PIN, E-Signature Transport PIN and PUK are delivered in secured envelope
• E-Signature PIN Code is set by the citizen
Secure Key Storage
• Two Certificates, issued by PSDA and two CA certificates• Certificate renew is possible
Certificate Storage
Certification and Trust Services
• Certificates are issued instantly during personalization• Certificate Validity – 2.5 Years• CRL and OCSP services, with DR and load-balancing
PSDA Certification Authority
• GEO Root CA• GEO Authentication CA (For Authentication Certificates)• GEO Signing CA (For qualified e-Signature Certificates)
CA Hierarchy
• RFC 3161 Time-stamping, mainly used for digital signatures• DR and load-balancing
PSDA Time Stamping Authority
ID Card as SSCD
• Signature key (RSA 2048) is generated on the card• The private key never leaves the card• The key material cannot be extracted from the card
Private Key Security
• 6-digit signature PIN is never delivered to the citizen• Instead, we supply 5-digit transport PIN in secured envelope• Signature PIN can activated ONLY ONCE• Signature PIN change is possible. Reset is NOT• … and it makes some problems with people who lost their envelopes
immediately
PIN code Security
Current ID Card Team
• 5 People• Head of the Team• Chief Architect• Business Consultant• 2 Junior Developers
Small Team
• 2 highly skilled professionals for technical aspects• 3 highly skilled professionals for business-related aspects• Juniors are developing their skills rapidly
Skilled People
• Highly-skilled professionals from IT, Research and Development and other departments of PSDA are involved on demand
• Inter-agency cooperation on key subjects
External Support
Current Projects
Digital Signature Portal• Free Web-based signing with ID card, with possible commercial extensions• Document sharing with multiple signers• Signature Verification (ongoing)
Identity Verification Service• Based on OpenID 2.0, AX 1.0 and PAPE• Free service with possible commercial extensions
Digital Signature for Legal Entities (Ongoing)• Signing as company’s authorized representative• Signing as a notary representative• Electronic Apostille
Current Projects
Student Card• In cooperation with the Ministry of Education, on 2012• Based on the concept of Citizen’s Social Status• Students have discounts for many product (including ID card
itself)
Citizen’s Social Status• 5 statuses can be written simultaneously on the card• 255 statuses can be defined• Statuses can be viewed using special application• Uses card’s MIFARE emulator
Personal Signatures
Current Status• It’s possible to upload PDF document on the portal and sign• You can share the document for signing to anothers• Signature Format: PAdES• Verification report will be added soon
Access conditions• FREE for all eID holders, with limited space and document
lifetime• It’s possible to have broader limits (or no limits at all) for extran
payment
Signatures for Legal Entities
• The project is ongoing• One of the TOP PRIORITIES of Year 2013 for PSDA
Current Status
• Signing contracts on behalf of organization• Notary services to eliminate paper documents as much as
possible• Issuing electronically signed birth certificates, property
ownership etc.• Electronic Apostille
Possible fields of application
Challenges for Legal Entity Signatures
• Signature seems to be always performed by some natural person and then sealed
• Do we really need to identify signer on the birth certificate?• This is generated from the electronic system anyway!• Workflow actions must be securely logged in the system. And
possibly go to Archive then
Who is signing?
• Sometimes, it’s a person (CEO of the company, etc)• Sometimes the key is under control of the organization’s electronic
system
By whom the key is controlled?
Possible solution: Attribute Certificates
• We don’t need to establish additional issuing facilities and manage additional secure tokens
• Attribute certificate can be issued online to eID user• National Agency of Public Registry, Notary chamber, etc. can
act as attribute authorities
Advantages
• Attribute authorities must have required software in place• Content of AC must be standardized• Short-lived AC or OCSP calls?
Challenges
And how about birth certificates, etc.?
• We can mandate using HSM for secure key storage• There will be a special, standard procedure of issuing and
enrolling certificate in HSM• Thus we may say we have an SSCD and the signature is qualified
Possible solutions
• Do we really need such a complexity?• Especially, if we may need e-Apostille for such documents?• Do we need to establish sector-based CA’s? (For banks,
insurance, government, etc.)
Open Questions
E-Signature and E-Document Law
• Mainly based on European Directive 1999/93/EC
Adopted in 2008
• We are establishing an inter-agency working group to propose new changes in law
Changes are Planned
• Regulations about certificate authority accreditation are in place• Other regulations may be introduced
Technical regulations
Signature and Document Formats
• The current law considers only textual information as an electronic document
• We use PDF (based on ISO/IEC 32000-1) format
Document Format
• Signatures of *AdES family of ETSI standards were found to be permitted under the Georgian signature law
• PAdES (ETSI TS 102 778) signatures are used• PAdES-LTV is highly recommended as citizen’s certificates
expire in 2.5 years
Signature Format
Next Plans for Signatures
Minimize scanned documents and save timeIf your diploma is electronic, there is no need to look for a scanner to upload it in online job
application system
Promote digitally-born documentsDo all graduates need paper-based university diploma?
Make E-Signatures usable in everyday lifeBy further simplification of eID usage, other signature schemas, etc.
eID Login Applet
• Written as Java Applet• Distributed freely• Can be embedded in any website
Key Features
• You still need to write server-side logic• You still need to fight with broken Java installations on
clients’ machines
Challenges for Integrators
Centralized Authentication System
• Based on OpenID 2.0• Uses Attribute Exchange 1.0 to deliver person’s
information to Relying Party
Key Features
• Easy to integrate• Well-documented• Avoids problems with broken Java installation
Additional Features
Integration with Civil Registry WS
• SOAP web service which gives personal data• Right now sharing with 3rd parties is possible only after
written consent of the data subject• It’s a commercial service
What is Civil Registry WS?
• Implement web-based consent using digital signature• Thus, it’s possible to cover additional segment of clients
Integration Possibilities
Agency Profile
• LEPL Public Service Development Agency is an entity under umbrella of the Ministry of Justice of Georgia
• Established in 2012, based on Civil Registry Agency
Who is PSDA?
• Supporting development of innovative public services• Supporting reforms in Georgia• Establishment of Civil Registry• Other activities for supporting innovation
Goals of the Agency
Key Project: Seafarer’s Identity Documents
• Seafarers identity document is a special document under regulations of International Labor Organization
• It’s mainly based on ICAO 9303 with some important modifications• Apart from SID, seafarers must also have documents which prove their
qualification and competency
What is SID?
• We implement this project In cooperation with Maritime Transport Agency of Georgia
• Full cycle of document issuing: from application collection to printing and delivery
• First phase of the project is already done• Georgian seafarers can now get new-generation documents
PSDA Role
Thank You!
Mikheil KapanadzeHead of Identification Service Development Unit
Public Service Development AgencyMinistry of Justice of [email protected]