Title: PKI: The Key to Electronic Identity Initiatives? Overview of models and examples Stijn Bijnens, SVP Identity Management, Cybertrust
1. PKI: The Key to Electronic Identity Initiatives? Overview of models and examples
Stijn Bijnens, SVP Identity Management, Cybertrust
2. PKI?
- Already around for a long time
  - Celebrating 30 years of PKI - October 26 2006
- A lot of hype in 1999-2000 during the dot.com boom
- After the dot.com crash perceived to be
  - Highly complex
  - Not integrated in applications
  - Issues with smartcard readers
  - Expensive
  - Not needed
- PKI: Please Kill It
- But, it's getting a second chance
3. Governments are in the Driver's Seat
- National Initiatives
  - Citizen ID cards
  - Health Cards
  - Employee Cards of Federal and Local Governments (HSPD 12)
  - Military Card
  - Electronic Driver Licenses (urgent need for standard)
- International Initiatives
  - E-passports (ICAO 9303-1)
  - Digital Tachograph (Europe)
4. Drivers in Government ID projects
- E-government projects
  - Egov portals require strong authentication
  - Tax on web, VAT, etc.
  - Government employees internally
- Physical Access Control
  - Buildings, Borders,
  - First responders
- New Applications
  - E-ticketing in public transport
  - Online Age Verification
  - Chat groups for children
5. Models of deployments
- Co-source
  - Shared management of the solution
  - Government performs some of the tasks (i.e. registration procedures)
  - Outsourcer provides part of the processes and IT infrastructure
- Outsource
  - Full management of the solution
  - 24x7 Monitoring and Management
  - Full hosting of required hardware
  - Outsourcer performs registration
- Inhouse
  - Inhouse deployment of the solution
  - Enterprise software is used
  - Inhouse processes and procedures
6. Examples of National ID solutions
- The different models are used today by Governments. The registration process is key.
- Co-source
- Outsource
  - BankID used by governmental portals in Norway
- Inhouse
7. BBS Bankenes BetalingsSentral AS
- The Norwegian Banks Payments and Clearing Center
  - Norway's primary clearing house for financial payments
  - Jointly owned by Norwegian banking community
- Bank ID Project: Bank-common Trust for web-based Transactions
- Business Requirement
  - Extend proven transaction management expertise within a Web-driven environment
  - Provide centralized trust service for the Norwegian banking community
  - Manage disparate range of financial and merchant organizations
  - Facilitate broadest range of e-business transactions for multiple user groups
  - Initially focused on 1.6 million Netbank users (for online payments)
9. Examples
- The different models are used today by Governments. The registration process is key.
- Estonia has a public/private operational structure
- Co-source
- Outsource
  - BankID used by governmental portals in Norway
- Inhouse
10. Examples
- The different models are used today by Governments. The registration process is key.
- Estonia has a public/private operational structure
- Co-source
  - Belgian Government provides registration processes
- Outsource
  - BankID used by governmental portals in Norway
- Inhouse
11. Example 1: EID in Belgium
13. Inhouse solutions at Governments?
- Examples
  - Intelligence and Defense
  - Law enforcement
- Trend we see
  - When it is citizen related, i.e. governments interacting with the public, governments tend to go for a co-sourced solution
    - Estonia
    - Belgium
    - Finland
    - SSP platform for the US Federal Government
14. Decision Criteria
- Costs
  - Leverage a shared infrastructure
    - physical, logical
    - policies and procedures
    - accreditation
- Time To Market
- Risk Mitigation
  - Project Risk
  - Technology Risk (i.e. RSA vs. Elliptic curve)
  - Liability of the Registrar
- Use Case (general vs. specific)
  - The more specific the use, the easier to outsource
15. Addressing the concerns
- Highly complex: Managed services approach, on-demand certificate model
- Not integrated in applications: Microsoft, Adobe,
- Issues with smartcard readers: More standards and off-the-shelf support
- Expensive: Economies of scale, outsourcing
- Not needed: Legal framework, confidentiality, non-repudiation -> driven by legislation
16. PKI is getting a second chance
- Governments are the innovators today
- Large deployments are reducing the cost
- Businesses are picking up the government schemes
- The software industry is endorsing it... finally.
- New legislation will drive the adoption