Fedict Eid Roadmap 2010
© Fedict 2010. All rights reserved
FedICT eID Roadmap 2010
Frank Cornelis
03/03/2010

eID in Belgium
eID cards issued (16/01/2010):
– 8.220.456 citizen eID cards (full deployment)
– 511.774 foreigner eID cards
– 186.011 kids eID cards
Technology: RSA 1024 smart card, QC with 5 year validity
Involved major governmental organizations:
– FedICT: Federal ICT – PKI, client software, SOA solutions
– National Registry – user database, card issuing

eID Card: Current Usability Status
– Main eID feature: secure, remote authentication
– Main usage of eID: client-server environments
– Primary client-server environment: web browser
– Middleware (MW) targets “eID on the desktop”
– MW SDK comes with “sample” eID Applet
– Mutual SSL has some usability issues
– We want more eID enablers
– Developers, developers, developers

eID Roadmap Strategy
– Position eID as a Service
– Focus less on the basic infrastructure (PKI)
– Move towards solutions to improve usability
– Explicitly target the web browser environment
– Deliverables:
  – Software building blocks: products
  – SOA building blocks: web services
– Target audience:
  – Developers: easy to use software building blocks
  – Architects: SOA integration via web services
  – Other Federal Departments: SLA contracts

eID Project Lifecycle and eID Team
[Lifecycle diagram; recoverable labels: Artifact, Product (OSS), Supported product, Service, Supported Service]
eID Team:
– PM: Bert Beyl
– Architect: Frank Cornelis
– Service Manager: Sam Van Den Eynde
– Sponsor: Peter Strickx

Operational eID Projects
eID PKI infrastructure:
– CRL: signed list with revoked certificates
– OCSP: online certificate status service
– TSP: time-stamping service
eID Middleware:
– eID Content Viewer
– Crypto modules:
  – PKCS#11: Windows, Mac OS X, Linux
  – CSP: Windows
  – tokend: Mac OS X
– SDK: identification + MW Applet
– OSS: http://code.google.com/p/eid-mw/

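As an added example (not Fedict's code and not part of the eid-mw project), the following Java program shows what a relying application has to do with the PKI components listed above: it builds the certificate path from the citizen's authentication certificate to the Citizen CA, anchors it at a trusted root certificate, and lets the JDK's PKIX validator check the CRLs (the signed revocation lists the slide mentions) before the certificate is accepted. The file names are placeholders, the certificates and CRLs are assumed to be available as DER or PEM files, and the code needs Java 7 or later.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertStore;
import java.security.cert.CertificateFactory;
import java.security.cert.CollectionCertStoreParameters;
import java.security.cert.PKIXCertPathValidatorResult;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;

/** Added example (not Fedict code): PKIX validation of an eID certificate with CRL checking. */
public class EidCertPathCheck {

    /**
     * Validates the path citizenCert -> citizenCaCert up to the trusted root.
     * With revocation enabled, PKIX needs a CRL for every certificate in the path:
     * the Citizen CA CRL (covers citizenCert) and the Root CA CRL (covers
     * citizenCaCert). A missing CRL makes validation fail closed.
     */
    public static PKIXCertPathValidatorResult validate(X509Certificate citizenCert,
                                                      X509Certificate citizenCaCert,
                                                      X509Certificate rootCert,
                                                      Collection<X509CRL> crls,
                                                      Date validationTime)
            throws GeneralSecurityException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // End-entity certificate first; the trust anchor itself is not part of the path.
        CertPath path = cf.generateCertPath(Arrays.asList(citizenCert, citizenCaCert));

        TrustAnchor anchor = new TrustAnchor(rootCert, null);
        PKIXParameters params = new PKIXParameters(Collections.singleton(anchor));
        params.setRevocationEnabled(true);   // unknown revocation status is a failure
        params.setDate(validationTime);      // e.g. the time-stamp of a signature being verified
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        return (PKIXCertPathValidatorResult) validator.validate(path, params);
    }

    static X509Certificate loadCert(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static X509CRL loadCrl(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509CRL) CertificateFactory.getInstance("X.509").generateCRL(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Placeholder file names (assumption): certificates read from the card and
        // the CRLs published by the eID PKI.
        X509Certificate citizen = loadCert("citizen-auth.crt");
        X509Certificate citizenCa = loadCert("citizen-ca.crt");
        X509Certificate root = loadCert("belgium-root-ca.crt");
        Collection<X509CRL> crls = Arrays.asList(loadCrl("citizen-ca.crl"), loadCrl("root-ca.crl"));
        try {
            PKIXCertPathValidatorResult r = validate(citizen, citizenCa, root, crls, new Date());
            System.out.println("VALID, anchored at "
                    + r.getTrustAnchor().getTrustedCert().getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getIndex() identifies the certificate in the path that failed (-1 if unknown);
            // a revoked certificate ends up here, never in a successful result.
            System.out.println("REJECTED: " + e.getMessage() + " (path index " + e.getIndex() + ")");
        }
    }
}
```

The point of the example is the failure mode: with `setRevocationEnabled(true)` and no OCSP responder configured, the validator refuses any certificate for which no current CRL is in the `CertStore`, so an application that forgets to fetch the Root CA CRL rejects every card rather than silently skipping the revocation check. That fail-closed behaviour, plus the operational burden of keeping the large citizen CRLs fresh, is exactly what an XKMS-style validation service (the eID Trust Service further on in the deck) takes off the application's hands.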
Operational eID Projects (cont'd)
eID Applet: aka browser eID Middleware
– Java 6 Web Browser eID component
– Identification, authentication, signatures via eID
– OSS: http://code.google.com/p/eid-applet/
eID Test Environment:
– Uses a software PC/SC proxy
– Emulates different eID profiles via the proxy
– Online test PKI: https://env.dev.eid.belgium.be/
eID Minidriver:
– Targets Windows 7

New eID Applet Features
Exposes all eID functionality:
– eID Identification (who are you?)
– eID Authentication (is it really you?)
– eID Signatures (did you once claim this?)
– eID Administration (PIN change, PIN unblock)
Platforms: Windows, Mac OS X, Linux
Browsers: Firefox, MS IE, Safari, Chrome
Secure (CCID) & interactive eID card handling
Browser client-runtime management:
– Auto-installation of required JRE
– No need for installed eID Middleware

Demo
– eID Middleware
– eID Applet Identification
– eID Applet Authentication

eID Architecture Overview
[Architecture diagram; recoverable labels: eID reader, CCID, pinpad, PC/SC, PKCS#15, PKCS#1, PKCS#11, CSP, tokend, minidriver, eID Applet, SSL, identification, authentication, signatures, PKI, CA, CRL, OCSP, TSP, TSA, NTP, TSL, ID, NR, eID IdP, IdP, SAML, OpenID, InfoCard, WS-Trust, IAM, XKMS, trust, DSS, XMLDSig, XAdES, PKCS#7, ODF, OOXML]

eID Projects in execution
Trust List:
– List of all QC issuing CAs per EU Member State
– Cross-border signature validation by applications
– http://tsl.belgium.be
– OSS: http://code.google.com/p/eid-tsl/
eID Trust Service:
– Certificate validation via XKMS2 SOAP web service
– Improves the QoS related to PKI validation
– Ready for Trust List integration & XAdES
– OSS: http://code.google.com/p/eid-trust-service/
– Initially available as an OSS product
– eID Trust Service as a real service during phase 2

Demo
– eID Trust Service

eID Projects in execution (cont'd)
eID Quick-Key Toolset:
– Behaves like a production eID smart card
– Scope is “pure technology delivery”
– Not to be positioned against the federal token:
  – Application specific trust model (out of scope)
  – Application specific distribution model (out of scope)
– Deliverables:
  – eID Quick-Key Manager (Java 6 Desktop)
  – Manual targeting different blank smart cards
– Can be used as:
  – Temporary solution in case of unavailability of the eID
  – R&D platform for development of the future eID

Visible eID Projects in the pipeline
eID Identity Provider:
– eID is the only token supported
– Uses the eID Applet, eID Trust Service
– Tunneled entity-authentication
– SAML2 based IdP protocol
– Generic IdP protocol layer with OpenSSO integration
– Is not a complete IAM solution!
  – Attributes and other tokens are out of scope!
– Could be used by IAM for eID token support
eID Digital Signature Service:
– Integration with web applications is primary goal
– Uses the eID Applet, eID Trust Service, TSL
– XAdES-X-L according to the Service Directive

New Approach on Signatures
– Pragmatic: based on eID Applet technology
– XML Signatures
– ODF 1.2 Signatures (OpenOffice.org)
– Office OpenXML Signatures (Office 2007)
– Signature extension framework: XAdES v1.3.2 X-L
– eID citizen information:
  – Full name, date of birth
  – Address
  – Photo
– Signature Service based on OASIS DSS

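The XML Signatures, ODF and OOXML signatures and the XAdES extensions listed above all rest on a plain XMLDSig core. As an added example (not Fedict's code and not from the eID DSS project), the following Java program verifies that core with the JDK's own `javax.xml.crypto.dsig` API: it parses a signed document with DTDs disabled, turns on the JDK's secure-validation policy, checks the signature against the RSA certificate carried in `ds:KeyInfo`, and on failure reports whether the `SignatureValue` or one of the `Reference` digests is wrong. The input file name is a placeholder; the `Outcome` class and the `X509KeySelector` are this example's own names. JDK 8 or later is assumed for the secure-validation property.

```java
import java.io.File;
import java.security.Key;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import javax.xml.crypto.AlgorithmMethod;
import javax.xml.crypto.KeySelector;
import javax.xml.crypto.KeySelectorException;
import javax.xml.crypto.KeySelectorResult;
import javax.xml.crypto.XMLCryptoContext;
import javax.xml.crypto.dsig.Reference;
import javax.xml.crypto.dsig.XMLSignature;
import javax.xml.crypto.dsig.XMLSignatureFactory;
import javax.xml.crypto.dsig.dom.DOMValidateContext;
import javax.xml.crypto.dsig.keyinfo.KeyInfo;
import javax.xml.crypto.dsig.keyinfo.X509Data;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.NodeList;

/** Added example (not Fedict code): XMLDSig core validation with the JDK API. */
public class XmlDsigCheck {

    /** Result: core validity plus the certificate the signature was checked against. */
    public static final class Outcome {
        public final boolean valid;
        public final X509Certificate signerCert;
        Outcome(boolean valid, X509Certificate signerCert) {
            this.valid = valid;
            this.signerCert = signerCert;
        }
    }

    public static Outcome verify(File signedXml) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setNamespaceAware(true);   // required: ds:Signature is a namespaced element
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        Document doc = dbf.newDocumentBuilder().parse(signedXml);

        NodeList sigs = doc.getElementsByTagNameNS(XMLSignature.XMLNS, "Signature");
        if (sigs.getLength() != 1) {
            throw new IllegalArgumentException("expected exactly one ds:Signature, found " + sigs.getLength());
        }
        X509KeySelector selector = new X509KeySelector();
        DOMValidateContext ctx = new DOMValidateContext(selector, sigs.item(0));
        // JDK policy: rejects e.g. XSLT transforms, excessive references, weak keys
        ctx.setProperty("org.jcp.xml.dsig.secureValidation", Boolean.TRUE);

        XMLSignatureFactory fac = XMLSignatureFactory.getInstance("DOM");
        XMLSignature sig = fac.unmarshalXMLSignature(ctx);
        boolean coreValid = sig.validate(ctx);
        if (!coreValid) {
            // Separate the two causes: a bad SignatureValue (wrong key or tampered
            // SignedInfo) versus a Reference whose digest no longer matches the content.
            System.out.println("SignatureValue ok: " + sig.getSignatureValue().validate(ctx));
            for (Object o : sig.getSignedInfo().getReferences()) {
                Reference ref = (Reference) o;
                System.out.println("Reference '" + ref.getURI() + "' ok: " + ref.validate(ctx));
            }
        }
        return new Outcome(coreValid, selector.selected);
    }

    /** Picks the RSA public key of the first X509Certificate found in ds:KeyInfo. */
    static final class X509KeySelector extends KeySelector {
        X509Certificate selected;

        @Override
        public KeySelectorResult select(KeyInfo keyInfo, KeySelector.Purpose purpose,
                                        AlgorithmMethod method, XMLCryptoContext context)
                throws KeySelectorException {
            if (keyInfo == null) throw new KeySelectorException("no ds:KeyInfo");
            for (Object o : keyInfo.getContent()) {
                if (!(o instanceof X509Data)) continue;
                for (Object c : ((X509Data) o).getContent()) {
                    if (!(c instanceof X509Certificate)) continue;
                    X509Certificate cert = (X509Certificate) c;
                    final PublicKey key = cert.getPublicKey();
                    if ("RSA".equalsIgnoreCase(key.getAlgorithm())
                            && method.getAlgorithm().toLowerCase().contains("rsa")) {
                        selected = cert;
                        return new KeySelectorResult() { public Key getKey() { return key; } };
                    }
                }
            }
            throw new KeySelectorException("no usable X509Certificate in ds:KeyInfo");
        }
    }

    public static void main(String[] args) throws Exception {
        Outcome out = verify(new File(args.length > 0 ? args[0] : "signed.xml")); // placeholder path
        System.out.println("core validation: " + out.valid);
        System.out.println("signer: " + out.signerCert.getSubjectX500Principal());
    }
}
```

Core validation only proves that the document was signed by whoever holds the private key of the certificate embedded in `ds:KeyInfo`; that certificate is self-asserted by the signer. Before the signature means anything, `Outcome.signerCert` still has to be chained to the eID PKI with revocation checked at the signing time, which is what the Trust Service and the XAdES-X-L validation data in the other slides provide. Two practical caveats: the `disallow-doctype-decl` feature is an Apache Xerces feature and is honoured by the JDK's built-in parser, and since JDK 17 the secure-validation policy also rejects SHA-1 based signature algorithms, so signatures made with the RSA-SHA1 algorithms of the 2010-era cards need an explicitly adjusted policy to be accepted at all.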
PDF versus XML Signatures
– Human-readable signature argumentation
– Open standard
– Adobe specific signature extensions
– PAdES versus XAdES
– Domain specific document format
– Processability
– Service Directive shifts towards XAdES
– Service versus Desktop Sign Verification

eID Applet Signature Architecture
[Architecture diagram; recoverable labels: Browser, eID Applet, eID Applet Service, eID, SignatureSPI, XML SignatureService, ODF SignatureService, OOXML SignatureService, client, server, XAdES, OpenOffice, Office 2007, PKCS1-RSA]

Demo
– eID Applet ODF Signature
– eID Applet OOXML Signature
– eID DSS (XMLDSig & XAdES-BES)

Thank you
Fedict
Maria-Theresiastraat 1/3 Rue Marie-Thérèse
Brussel 1000 Bruxelles
TEL. +32 2 212 96 00 | FAX +32 2 212 96 [email protected] | www.fedict.belgium.be