Fedict Eid Roadmap 2010


Transcript of Fedict Eid Roadmap 2010

Page 1: Fedict Eid Roadmap 2010

© Fedict 2010. All rights reserved

FedICT eID Roadmap 2010
Frank Cornelis

03/03/2010

Page 2: Fedict Eid Roadmap 2010

eID in Belgium

eID cards issued (16/01/2010):
– 8.220.456 citizen eID cards (full deployment)
– 511.774 foreigner eID cards
– 186.011 kids eID cards

Technology: RSA 1024 smart card, qualified certificates (QC) with 5 year validity

Involved major governmental organizations:
FedICT: Federal ICT
– PKI, client software, SOA solutions
National Registry
– user database, card issuing

Page 3: Fedict Eid Roadmap 2010

eID Card: Current Usability Status

Main eID feature: secure, remote authentication

Main usage of eID: client-server environments

Primary client-server environment: web browser

Middleware (MW) targets “eID on the desktop”

MW SDK comes with “sample” eID Applet

Mutual SSL has some usability issues

We want more eID enablers

Developers, developers, developers

Page 4: Fedict Eid Roadmap 2010

eID Roadmap Strategy

Position eID as a Service

Focus less on the basic infrastructure (PKI)

Move towards solutions to improve usability

Explicitly target the web browser environment

Deliverables:
– Software building blocks: products
– SOA building blocks: web services

Target audience:
– Developers: easy to use software building blocks
– Architects: SOA integration via web services
– Other Federal Departments: SLA contracts

Page 5: Fedict Eid Roadmap 2010

eID Project Lifecycle and eID Team

Lifecycle stages (diagram): Artifact, Product (OSS), Supported product, Service, Supported Service

eID Team:
– PM: Bert Beyl
– Architect: Frank Cornelis
– Service Manager: Sam Van Den Eynde
– Sponsor: Peter Strickx

Page 6: Fedict Eid Roadmap 2010

Operational eID Projects

eID PKI infrastructure
– CRL: signed list with revoked certificates
– OCSP: online certificate status service
– TSP: time-stamping service

eID Middleware
– eID Content Viewer
– Crypto modules:
  – PKCS#11: Windows, Mac OS X, Linux
  – CSP: Windows
  – tokend: Mac OS X
– SDK: identification + MW Applet
– OSS: http://code.google.com/p/eid-mw/

Page 7: Fedict Eid Roadmap 2010

Operational eID Projects (cont'd)

eID Applet: aka browser eID Middleware
– Java 6 web browser eID component
– Identification, authentication, signatures via eID
– OSS: http://code.google.com/p/eid-applet/

eID Test Environment
– Uses a software PC/SC proxy
– Emulates different eID profiles via the proxy
– Online test PKI: https://env.dev.eid.belgium.be/

eID Minidriver
– Targets Windows 7

Page 8: Fedict Eid Roadmap 2010

New eID Applet Features

Exposes all eID functionality:
– eID Identification (who are you?)
– eID Authentication (is it really you?)
– eID Signatures (did you once claim this?)
– eID Administration (PIN change, PIN unblock)

Platforms: Windows, Mac OS X, Linux

Browsers: Firefox, MS IE, Safari, Chrome

Secure (CCID) & interactive eID card handling

Browser client-runtime management:
– Auto-installation of required JRE
– No need for installed eID Middleware

Page 9: Fedict Eid Roadmap 2010

Demo

eID Middleware
eID Applet Identification
eID Applet Authentication

Page 10: Fedict Eid Roadmap 2010

eID Architecture Overview

(Architecture diagram; only the component labels survive extraction. They are listed here, loosely grouped for readability.)
– Card and reader: eID, CCID reader, pinpad, PC/SC, PKCS#15, PKCS#1
– Crypto modules: PKCS#11, CSP, tokend, minidriver
– Client: eID Applet, SSL, identification, authentication, signatures
– PKI and trust: CA, CRL, OCSP, TSP, TSA, NTP, TSL, XKMS, trust
– Identity: eID IdP, OpenID IdP, SAML, InfoCard, WS-Trust, IAM, ID, NR
– Signatures: DSS, XMLDSig, XAdES, PKCS#7, ODF, OOXML, PDF

Page 11: Fedict Eid Roadmap 2010

eID Projects in execution

Trust List
– List of all QC issuing CA's per EU Member State
– Cross-border signature validation by applications
– http://tsl.belgium.be
– OSS: http://code.google.com/p/eid-tsl/

eID Trust Service
– Certificate validation via XKMS2 SOAP web service
– Improves the QoS related to PKI validation
– Ready for Trust List integration & XAdES
– OSS: http://code.google.com/p/eid-trust-service/
– Initially available as an OSS product
– eID Trust Service as a real service during phase 2
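The PKI building blocks listed under the operational projects (CRL, OCSP, TSP) and the certificate validation the eID Trust Service performs for relying parties reduce to two checks that every application otherwise re-implements: chain the certificate to a trusted root, then consult a revocation source that is itself signed by the right CA and is not stale. The Go program below is an added example, not Fedict's code and not the eID Trust Service implementation. It generates a throw-away root CA / issuing CA / citizen certificate hierarchy in memory (the names "Test Root CA", "Test Citizen CA" and the 5-year leaf lifetime are assumptions that only mirror the figures on page 2), issues CRLs from it, and validates the leaf the way a relying party should: it rejects a CRL signed by a different CA, a CRL past its NextUpdate, and a chain that does not end in a trusted root.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ErrRevoked is returned when the certificate's serial appears on the CRL.
var ErrRevoked = errors.New("certificate is revoked")

// MiniPKI is an in-memory root CA -> issuing CA -> citizen certificate chain
// generated for this example; names and lifetimes are assumptions, not eID data.
type MiniPKI struct {
	Root, Issuing, Leaf *x509.Certificate
	RootKey, IssKey     *rsa.PrivateKey
}

func signCert(tpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewMiniPKI builds the hierarchy. CAs get certSign+cRLSign; the leaf gets a
// 5-year lifetime and the clientAuth EKU, like an eID authentication certificate.
func NewMiniPKI(now time.Time) (*MiniPKI, error) {
	keys := make([]*rsa.PrivateKey, 3)
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return nil, err
		}
		keys[i] = k
	}
	ca := func(serial int64, cn string) *x509.Certificate {
		return &x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			NotBefore: now.Add(-time.Hour), NotAfter: now.Add(10 * 365 * 24 * time.Hour),
			IsCA: true, BasicConstraintsValid: true,
			KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		}
	}
	rootTpl := ca(1, "Test Root CA")
	root, err := signCert(rootTpl, rootTpl, &keys[0].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	issuing, err := signCert(ca(2, "Test Citizen CA"), root, &keys[1].PublicKey, keys[0])
	if err != nil {
		return nil, err
	}
	leaf, err := signCert(&x509.Certificate{
		SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "Test Citizen (Authentication)"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(5 * 365 * 24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}, issuing, &keys[2].PublicKey, keys[1])
	if err != nil {
		return nil, err
	}
	return &MiniPKI{Root: root, Issuing: issuing, Leaf: leaf, RootKey: keys[0], IssKey: keys[1]}, nil
}

// IssueCRL signs a CRL from issuer listing the revoked serials, valid for 24h.
// Passing the wrong CA lets a caller exercise the signer check in Validate.
func IssueCRL(issuer *x509.Certificate, key *rsa.PrivateKey, now time.Time, revoked ...*big.Int) (*x509.RevocationList, error) {
	tpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour)}
	for _, s := range revoked {
		tpl.RevokedCertificates = append(tpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: now})
	}
	der, err := x509.CreateRevocationList(rand.Reader, tpl, issuer, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseRevocationList(der)
}

// Validate is the relying-party (or Trust Service) check: build a chain to a
// trusted root, then require a fresh CRL signed by the leaf's own issuer that
// does not list the leaf. Accepting any CRL that merely parses would let an
// attacker substitute an empty one.
func Validate(leaf *x509.Certificate, roots, intermediates []*x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	rootPool, interPool := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots {
		rootPool.AddCert(c)
	}
	for _, c := range intermediates {
		interPool.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots: rootPool, Intermediates: interPool, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("chain building failed: %w", err)
	}
	issuer := chains[0][1] // chains[0][0] is the leaf itself
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL not signed by the leaf's issuer: %w", err)
	}
	if now.After(crl.NextUpdate) {
		return errors.New("CRL is stale (past NextUpdate)")
	}
	for _, e := range crl.RevokedCertificates {
		if e.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return ErrRevoked
		}
	}
	return nil
}
```

Typical use is `pki, _ := NewMiniPKI(now)`, `crl, _ := IssueCRL(pki.Issuing, pki.IssKey, now)` and `Validate(pki.Leaf, []*x509.Certificate{pki.Root}, []*x509.Certificate{pki.Issuing}, crl, now)`. A production validator adds the OCSP path as an alternative to the CRL, a time-stamp so that the check can be repeated later for long-term (XAdES-X-L) validation, and the Trust List to decide which CAs count as QC issuers in the first place; these are the pieces the Trust Service is meant to centralise.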

Page 12: Fedict Eid Roadmap 2010

Demo

eID Trust Service

Page 13: Fedict Eid Roadmap 2010

eID Projects in execution (cont'd)

eID Quick-Key Toolset
– Behaves like a production eID smart card
– Scope is “pure technology delivery”
– Not to be positioned against the federal token:
  – Application specific trust model (out of scope)
  – Application specific distribution model (out of scope)
– Deliverables:
  – eID Quick-Key Manager (Java 6 Desktop)
  – Manual targeting different blank smart cards
– Can be used as:
  – Temporary solution in case the eID is unavailable
  – R&D platform for development of future eID

Page 14: Fedict Eid Roadmap 2010

Visible eID Projects in the pipeline

eID Identity Provider
– eID is the only token supported
– Uses the eID Applet, eID Trust Service
– Tunneled entity-authentication
– SAML2 based IdP protocol
– Generic IdP protocol layer with OpenSSO integration
– Is not a complete IAM solution!
  – Attributes and other tokens are out of scope!
– Could be used by IAM for eID token support

eID Digital Signature Service
– Integration with web applications is primary goal
– Uses the eID Applet, eID Trust Service, TSL
– XAdES-X-L according to the Service Directive

Page 15: Fedict Eid Roadmap 2010

New Approach on Signatures

Pragmatic: based on eID Applet technology
– XML Signatures
– ODF 1.2 Signatures (OpenOffice.org)
– Office OpenXML Signatures (Office 2007)

Signature extension framework
– XAdES v1.3.2 X-L
– eID citizen information:
  – Full name, date of birth
  – Address
  – Photo

Signature Service based on OASIS DSS

Page 16: Fedict Eid Roadmap 2010


PDF versus XML Signatures

Human-readable signature argumentation

Open standard

Adobe specific signature extensions

PAdES versus XAdES

Domain specific document format

Processability

Service Directive shifts towards XAdES

Service versus Desktop Sign Verification

Page 17: Fedict Eid Roadmap 2010

eID Applet Signature Architecture

(Architecture diagram; only the component labels survive extraction.)
– Client side: Browser, eID Applet, eID card (PKCS1-RSA)
– Server side: eID Applet Service, Signature SPI, with XML Signature Service (XAdES), ODF Signature Service (OpenOffice) and OOXML Signature Service (Office 2007)
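The split in this diagram is the security-relevant point: the card (PKCS1-RSA, behind the PIN) only ever signs a digest, while the server-side signature services build the SignedInfo, the XML, ODF or OOXML wrapper and the XAdES extensions. The Go program below is an added example, not the eID Applet's or the signature services' code. It models the card with a freshly generated RSA key, uses a minimal XMLDSig-style SignedInfo (no canonicalization, one Reference, written out by hand for illustration) and a made-up invoice document. It shows the three checks a practitioner wants at this boundary: the service verifies the returned PKCS#1 v1.5 signature against the signer's public key and the exact digest it sent before embedding it, a signature the card produced over some other digest is refused, and any later change to the document breaks verification.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
)

// Card models the eID card's signing key. Like the real card it never exposes
// the private key and only signs a digest handed to it (PIN entry is omitted).
type Card struct{ key *rsa.PrivateKey }

// NewCard generates a throw-away 2048-bit RSA key; the real card uses its own
// non-repudiation key pair, which this example does not have.
func NewCard() (*Card, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Card{key: key}, nil
}

// PublicKey is what a relying party would take from the signing certificate.
func (c *Card) PublicKey() *rsa.PublicKey { return &c.key.PublicKey }

// SignDigest is the PKCS1-RSA step from the diagram: PKCS#1 v1.5 over a
// SHA-256 digest, the only thing the applet hands to the card.
func (c *Card) SignDigest(digest [32]byte) ([]byte, error) {
	return rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, digest[:])
}

// SignatureService is the server half: it holds the document, builds the
// SignedInfo and the final Signature element, and never sees a private key.
type SignatureService struct{ Doc []byte }

// signedInfo is the byte string the signature actually covers: an XMLDSig
// style SignedInfo carrying the document digest. A real service canonicalizes
// (C14N) and adds the XAdES SignedProperties reference; this one does not.
func (s *SignatureService) signedInfo() []byte {
	d := sha256.Sum256(s.Doc)
	return []byte(`<SignedInfo>` +
		`<SignatureMethod Algorithm="http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"/>` +
		`<Reference URI=""><DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>` +
		`<DigestValue>` + base64.StdEncoding.EncodeToString(d[:]) + `</DigestValue>` +
		`</Reference></SignedInfo>`)
}

// DigestToSign is the only value that crosses from the service to the applet.
func (s *SignatureService) DigestToSign() [32]byte { return sha256.Sum256(s.signedInfo()) }

// Finish checks the signature the applet returned against the signer's public
// key and the digest this service sent, then embeds it. Without this check a
// malicious client could return arbitrary bytes and have them stored as a signature.
func (s *SignatureService) Finish(sig []byte, pub *rsa.PublicKey) ([]byte, error) {
	d := s.DigestToSign()
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], sig); err != nil {
		return nil, fmt.Errorf("signature does not match SignedInfo: %w", err)
	}
	return []byte(`<Signature>` + string(s.signedInfo()) +
		`<SignatureValue>` + base64.StdEncoding.EncodeToString(sig) + `</SignatureValue></Signature>`), nil
}

// SignDocument runs the whole exchange: service -> digest -> card -> signature -> service.
func SignDocument(doc []byte, card *Card) (signedXML, rawSig []byte, err error) {
	svc := &SignatureService{Doc: doc}
	rawSig, err = card.SignDigest(svc.DigestToSign())
	if err != nil {
		return nil, nil, err
	}
	signedXML, err = svc.Finish(rawSig, card.PublicKey())
	return signedXML, rawSig, err
}

// VerifyDetached is the relying-party side: rebuild SignedInfo from the
// document actually received and verify the raw signature against it, so any
// change to the document after signing fails.
func VerifyDetached(doc, rawSig []byte, pub *rsa.PublicKey) error {
	svc := &SignatureService{Doc: doc}
	d := svc.DigestToSign()
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, d[:], rawSig)
}

func main() {
	card, err := NewCard()
	if err != nil {
		panic(err)
	}
	doc := []byte(`<invoice id="42"><amount>100.00</amount></invoice>`) // constructed sample
	signedXML, rawSig, err := SignDocument(doc, card)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(signedXML))
	fmt.Println("original verifies:", VerifyDetached(doc, rawSig, card.PublicKey()) == nil)
	tampered := []byte(`<invoice id="42"><amount>1000.00</amount></invoice>`)
	fmt.Println("tampered verifies:", VerifyDetached(tampered, rawSig, card.PublicKey()) == nil)
}
```

Because the card sees only a hash, the user's assurance about what is being signed rests entirely on the service that produced the digest; the XAdES extensions carrying citizen information, and the Trust Service check on the signing certificate, both sit on the server side of this same boundary. The authentication flow on page 8 uses the same card primitive over a server challenge instead of a SignedInfo digest.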

Page 18: Fedict Eid Roadmap 2010

Demo

eID Applet ODF Signature
eID Applet OOXML Signature
eID DSS (XMLDSig & XAdES-BES)

Page 19: Fedict Eid Roadmap 2010

Thank you

Fedict
Maria-Theresiastraat 1/3 Rue Marie-Thérèse
Brussel 1000 Bruxelles
TEL. +32 2 212 96 00 | FAX +32 2 212 96 [email protected] | www.fedict.belgium.be