Electronic ID Card and Identification Service Development in Georgia

Mikheil Kapanadze

What is Georgian eID Card?

Dual-Interface Chip

contact

contactless

Contact Interface

• 2 Certificates, issued by PSDA• Online Authentication• Digital Signature (Qualified)

• Secured with 2 distinct PIN codes

PKI Applet

• Compliant with ICAO 9303• Personal Data Storage• Secured with BAC

ICAO LDS Applet

Contactless Interface

• MIFARE Application Directory• Citizen’s Social Status data (if

applicable)• Any 3rd party data can be deployed• Custom-built secure reader-writer

devices are available

MIFARE 1k Classic (Emulated)

• Compliant with ICAO 9303• Personal Data Storage• Secured with BAC

ICAO LDS

PKI Applet in Details

• Two 2048-bit RSA Keys, secured by Different PIN codes• 4 digits for Online Authentication, 6 digits for Signature

• Authentication PIN, E-Signature Transport PIN and PUK are delivered in secured envelope

• E-Signature PIN Code is set by the citizen

Secure Key Storage

• Two Certificates, issued by PSDA and two CA certificates• Certificate renew is possible

Certificate Storage

Certification and Trust Services

• Certificates are issued instantly during personalization• Certificate Validity – 2.5 Years• CRL and OCSP services, with DR and load-balancing

PSDA Certification Authority

• GEO Root CA• GEO Authentication CA (For Authentication Certificates)• GEO Signing CA (For qualified e-Signature Certificates)

CA Hierarchy

• RFC 3161 Time-stamping, mainly used for digital signatures• DR and load-balancing

PSDA Time Stamping Authority

ID Card as SSCD

• Signature key (RSA 2048) is generated on the card• The private key never leaves the card• The key material cannot be extracted from the card

Private Key Security

• 6-digit signature PIN is never delivered to the citizen• Instead, we supply 5-digit transport PIN in secured envelope• Signature PIN can activated ONLY ONCE• Signature PIN change is possible. Reset is NOT• … and it makes some problems with people who lost their envelopes

immediately

PIN code Security

Current Figures

700 000 cards are already issued

The Number is Growing

Rapidly

Current ID Card Team

• 5 People• Head of the Team• Chief Architect• Business Consultant• 2 Junior Developers

Small Team

• 2 highly skilled professionals for technical aspects• 3 highly skilled professionals for business-related aspects• Juniors are developing their skills rapidly

Skilled People

• Highly-skilled professionals from IT, Research and Development and other departments of PSDA are involved on demand

• Inter-agency cooperation on key subjects

External Support

Current Projects

Digital Signature Portal• Free Web-based signing with ID card, with possible commercial extensions• Document sharing with multiple signers• Signature Verification (ongoing)

Identity Verification Service• Based on OpenID 2.0, AX 1.0 and PAPE• Free service with possible commercial extensions

Digital Signature for Legal Entities (Ongoing)• Signing as company’s authorized representative• Signing as a notary representative• Electronic Apostille

Current Projects

Student Card• In cooperation with the Ministry of Education, on 2012• Based on the concept of Citizen’s Social Status• Students have discounts for many product (including ID card

itself)

Citizen’s Social Status• 5 statuses can be written simultaneously on the card• 255 statuses can be defined• Statuses can be viewed using special application• Uses card’s MIFARE emulator

DIGITAL SIGNATURE SERVICES

Personal Signatures

Current Status• It’s possible to upload PDF document on the portal and sign• You can share the document for signing to anothers• Signature Format: PAdES• Verification report will be added soon

Access conditions• FREE for all eID holders, with limited space and document

lifetime• It’s possible to have broader limits (or no limits at all) for extran

payment

Signatures for Legal Entities

• The project is ongoing• One of the TOP PRIORITIES of Year 2013 for PSDA

Current Status

• Signing contracts on behalf of organization• Notary services to eliminate paper documents as much as

possible• Issuing electronically signed birth certificates, property

ownership etc.• Electronic Apostille

Possible fields of application

Challenges for Legal Entity Signatures

• Signature seems to be always performed by some natural person and then sealed

• Do we really need to identify signer on the birth certificate?• This is generated from the electronic system anyway!• Workflow actions must be securely logged in the system. And

possibly go to Archive then

Who is signing?

• Sometimes, it’s a person (CEO of the company, etc)• Sometimes the key is under control of the organization’s electronic

system

By whom the key is controlled?

Possible solution: Attribute Certificates

• We don’t need to establish additional issuing facilities and manage additional secure tokens

• Attribute certificate can be issued online to eID user• National Agency of Public Registry, Notary chamber, etc. can

act as attribute authorities

Advantages

• Attribute authorities must have required software in place• Content of AC must be standardized• Short-lived AC or OCSP calls?

Challenges

And how about birth certificates, etc.?

• We can mandate using HSM for secure key storage• There will be a special, standard procedure of issuing and

enrolling certificate in HSM• Thus we may say we have an SSCD and the signature is qualified

Possible solutions

• Do we really need such a complexity?• Especially, if we may need e-Apostille for such documents?• Do we need to establish sector-based CA’s? (For banks,

insurance, government, etc.)

Open Questions

E-Signature and E-Document Law

• Mainly based on European Directive 1999/93/EC

Adopted in 2008

• We are establishing an inter-agency working group to propose new changes in law

Changes are Planned

• Regulations about certificate authority accreditation are in place• Other regulations may be introduced

Technical regulations

Signature and Document Formats

• The current law considers only textual information as an electronic document

• We use PDF (based on ISO/IEC 32000-1) format

Document Format

• Signatures of *AdES family of ETSI standards were found to be permitted under the Georgian signature law

• PAdES (ETSI TS 102 778) signatures are used• PAdES-LTV is highly recommended as citizen’s certificates

expire in 2.5 years

Signature Format

Next Plans for Signatures

Minimize scanned documents and save timeIf your diploma is electronic, there is no need to look for a scanner to upload it in online job

application system

Promote digitally-born documentsDo all graduates need paper-based university diploma?

Make E-Signatures usable in everyday lifeBy further simplification of eID usage, other signature schemas, etc.

AUTHENTICATION SERVICES

eID Login Applet

• Written as Java Applet• Distributed freely• Can be embedded in any website

Key Features

• You still need to write server-side logic• You still need to fight with broken Java installations on

clients’ machines

Challenges for Integrators

Centralized Authentication System

• Based on OpenID 2.0• Uses Attribute Exchange 1.0 to deliver person’s

information to Relying Party

Key Features

• Easy to integrate• Well-documented• Avoids problems with broken Java installation

Additional Features

Citizen’s consent on attribute exchange

Integration with Civil Registry WS

• SOAP web service which gives personal data• Right now sharing with 3rd parties is possible only after

written consent of the data subject• It’s a commercial service

What is Civil Registry WS?

• Implement web-based consent using digital signature• Thus, it’s possible to cover additional segment of clients

Integration Possibilities

ACTIVITY IN OTHER FIELDS

Agency Profile

• LEPL Public Service Development Agency is an entity under umbrella of the Ministry of Justice of Georgia

• Established in 2012, based on Civil Registry Agency

Who is PSDA?

• Supporting development of innovative public services• Supporting reforms in Georgia• Establishment of Civil Registry• Other activities for supporting innovation

Goals of the Agency

Key Project: Seafarer’s Identity Documents

• Seafarers identity document is a special document under regulations of International Labor Organization

• It’s mainly based on ICAO 9303 with some important modifications• Apart from SID, seafarers must also have documents which prove their

qualification and competency

What is SID?

• We implement this project In cooperation with Maritime Transport Agency of Georgia

• Full cycle of document issuing: from application collection to printing and delivery

• First phase of the project is already done• Georgian seafarers can now get new-generation documents

PSDA Role

QUESTIONS?

Thank You!

Mikheil KapanadzeHead of Identification Service Development Unit

Public Service Development AgencyMinistry of Justice of Georgiamkapanadze@sda.gov.ge