PKI: The Key to Electronic Identity Initiatives? Overview of models and examples Stijn Bijnens, SVP Identity Management, Cybertrust

1
PKI The Key to Electronic Identity
Initiatives?Overview of models and
examplesStijn Bijnens, SVP Identity Management,
Cybertrust
2
PKI?

• Already around for a long time
• Celebrating 30 years of PKI - October 26 2006
• A lot of hype in 1999 2000 during the dot.com
  boom
• After the dot.com crash perceived to be
• Highly complex
• Not integrated in applications
• Issues with smartcard readers
• Expensive
• Not needed
• PKI Please Kill It
• But, its getting a second chance

3
Governments are in the Drivers Seat

• National Initiatives
• Citizen ID cards
• Health Cards
• Employee Cards of Federal and Local Governments
  (HSPD 12)
• Military Card
• Electronic Driver Licenses (urgent need for
  standard)
• International Initiatives
• E-passports (ICAO 9303-1)
• Digital Tachograph (Europe)

4
Drivers in Government ID projects

• E-government projects
• Egov portals require strong authentication
• Tax on web, VAT, etc
• Government employees internally
• Physical Access Control
• Buildings, Borders,
• First responders
• New Applications
• E-ticketing in public transport
• Online Age Verification
• Chat groups for children

5
Models of deployments

• Co-source
• Shared management
• of the solution
• Government performs some of the tasks (i.e.
  registration procedures)
• Outsourcer provides part of the processes and IT
  infrastructure

• Outsource
• Full management of
• the solution
• 24X7 Monitoring Management
• Full hosting of required hardware
• Outsources performs registration

• Inhouse
• inhouse deployment
• of the solution
• enterprise software is used
• Inhouse processes and procedures

6
Examples of National ID solutions

• The different models are used today by
  Governments. The registration process is key.

Co-source

• Outsource
• BankID used by governmental portals in Norway

Inhouse
7
BBS Bankenes BetalingsSentral AS

• The Norwegian Banks Payments and Clearing Center
• Norways primary clearing house for financial
  payments
• Jointly owned by Norwegian banking community
• Bank ID Project Bank-common Trust for web-based
  Transactions
• Business Requirement
• Extend proven transaction management expertise
  within a Web-driven environment
• Provide centralized trust service for the
  Norwegian banking community
• Manage disparate range of financial and merchant
  organizations
• Facilitate broadest range of e-business
  transactions for multiple user groups
• Initially focused on 1.6 million Netbank users
  (for online payments)

8
(No Transcript)
9
Examples

• The different models are used today by
  Governments. The registration process is key.

• Estonia has a public/private operational
  structure

Co-source

• Outsource
• BankID used by governmental portals in Norway

Inhouse
10
Examples

• The different models are used today by
  Governments. The registration process is key.

• Estonia has a public/private operational
  structure

• Co-source
• Belgian Government provides registration
  processes

• Outsource
• BankID used by governmental portals in Norway

Inhouse
11
Example 1 EID in Belgium

12
Examples

• The different models are used today by
  Governments. The registration process is key.

• Estonia has a public/private operational structure

• Co-source
• Belgian Government provides registration
  processes

• Outsource
• BankID used by governmental portals in Norway

Inhouse
13
Inhouse solutions at Governments?

• Examples
• Intelligence Defense
• Law enforcement
• Trend we see
• When it is citizen related --i.e. governments
  interacting with the public governments tend to
  go for a co-sourced solution
• Estonia
• Belgium
• Finland
• SSP platform for the US Federal Government

14
Decision Criteria

• Costs
• Leverage a shared infrastructure
• physical, logical
• policies and procedures
• accreditation
• Time To Market
• Risk Mitigation
• Project Risk
• Technology Risk (i.e. RSA vs. Elliptic curve)
• Liability of the Registrar
• Use Case (general vs. specific)
• The more specific use the easier to outsource

15
Addressing the concerns
Highly complex Managed services approachOn-demand certificate model
Not integrated in applications Microsoft, Adobe,
Issues with smartcard readers More standards and off the shelf support
Expensive Economies of scale Outsourcing
Not needed Legal framework, confidentiality, non repudiation -gt driven by legislation
16
PKI is getting a second chance

• Government are the innovators today
• Large deployments are reducing the cost
• Businesses are picking up the government schemes
• The software industry is endorsing it...finally.
• New legislation will drive the adoption