European Electronic Identity Practices Country Update of Spain Date: 26 May 2005


CA organisation I

• Responsible CA organisation: National Spanish Police Department (Ministry of Interior).

• The background of the organisation (private/public): Public


CA organisation II

• Double CAs Infrastructure. Root CA technology A, and two SubCAs Technology A and B.

• We have 380 police stations where all Spanish people can get their eID card.

• The Card Factory is FNMT (Spanish Royal Mint).


Status of National legislation on eID I

• Are eID specific regulations enacted and in place? Yes
  – Directive 1999/93/CE.
  – Law 59/2003 of Electronic signature.
  – Directive 1995/46/CE, Directive 97/66/EC, Directive 2002/58/CE. Regulation (EC) 45/2001. About processing of personal data.
  – Organic Law 15/1999, of protection of data of personal character.
  – Organic Law 1/1992, of protection of city life.
  – The Decree 196/1976 regulates the DNI (National Identity Card).
  – It has been partially modified by Royal Decree 1189/1978, 2002/1979, 2091/1982, 1245/1985.
  – Minister of Interior orders of July 12, 1990 and April 26, 1996.
  – Royal Decree 896/2003 regulates the Passports.


Status of National deployment of eID

• Name of the project: DNI electrónico

• Plans, piloting or implementation? We should be starting at the end of 1Q of 2006

• The eID card is mandatory for all >= 14 years

• Starting date of issuance: End of 1Q of 2006


Status of National deployment of eID

• Envisioned total number of cardholders: 35.000.000

• Number of inhabitants: 42.000.000

• Expected number of cards/eID certs by end of 2007:
  – 5.000.000 eID-Cards.
  – 10.000.000 Certificates.


Status of national deployment of eID

• Basic functionalities of the eID card:
  - official ID document: Yes
  - European travel document: Yes, but not ePassport
  - support of on-line access to e-Services: Yes

• Validity period of the card/certificates:
  – eID-card: 5 or 10 years depending on the age of the cardholder.
  – Certificates: 30 months.


Status of national deployment of eID

• Price in Euros of the cards:
  - for the citizen: Tbd.
  - for the card issuer: Tbd
  - price for the card reader and software: Out of Scope
  - any additional costs for the user/relying party: None

• From whom and how may the citizen obtain the end/user packages: From Project and partners Website.


Basic ID function I

• Inside the eID-card we only store:
  - Two Certificates (Authentication & Non-repudiation).
  - Personal National Identifier.
  - first & second family name, given name
  - date of birth
  - nationality
  - Fingerprint for MoC.
  - Application for MoC.
  - Hash personal data.

• Personal data is held only in the certificates, and printed in the Polycarbonate (PC).


Basic ID function II

• We have two Certificates:
  – Authentication is free.
  – Signature (N R), is protected by PIN.

• Our project is out of the ICAO LDS scope. There is another project that we will undertake in the near future.


Basic Authentication function

• What Cardholder Verification mechanism is used:
  - PIN? Yes
  - Biometrics? Yes, MoC, for Certificate update.

• Is there a PKI supported cardholder authentication mechanism? Yes.

• Is there a mutual device authentication mechanism? Yes for issue & update. No for USE


Basic Signing function

• Is a PKI supported signing mechanism (certificate and keypair) present for e-transaction services (non-repudiation)? Yes. And our eID CARD is:
  - CC EAL 4+.
  - CWA 14169. SSCD type 3.
  - CWA 14890-1. Application Interface for smart cards used as Secure Signature Creation Devices. Part 1: Basic requirements.


eID based services

• What kind of services (include examples) are accessible to cardholders based on acceptance of the cards / eID Certificates:

Law 59/2003 of Electronic signature, art. 16: “All public administration should use, if it is possible, the signing mechanism of Spanish eID”

- The “Agencia Estatal de Administración Tributaria” (for tax declaration)

- The “Seguridad Social” (Social Security).


eAuthentication Business models; financial

• What are the Charging/Revenue mechanisms?
  – There are only charges for card issuance or update. The issuance and update of the certificates are free of charge.

• What charges are levied for use of the card? None.

• Is there a charge for checking certificates and if so who pays for this? NO

• Has a cost benefit analysis been compiled for the eID scheme? If yes what are the main conclusions? Out of scope


eAuthentication Business models; public/private partnership

• Are non government bodies allowed to use the IAS or other card functions in support of their services? YES, Only IAS. The CARD will never be used as health insurance card or bank card. Only as Id CARD & travel document.

• Is the card a multi-application smart card? Yes, Only Cryptographic & Match on Card


eAuthentication Business models; public/private partnership

• What is the level of usage of supported services (number of transactions per card per year)? Without limits


eAuthentication Business models; cross border usage

• Are there agreements with other national smart card issuers for mutual recognition of cards? (Status of Memorandum of Understanding (MOU) with other CAs) Not at present, but we are open to all types of understanding.


Other Interoperability issues

• What is the level of Current Compliance with each of the following international standards or group activities (Full/Planned/None):
  – CWA eAuthentication (under development): Tbd
  – CWA 14169 Secure Signature creation device: FULL.
  – CWA 14890-1: FULL
  – CEN 224-15 European Citizen Card (under development): Tbd
  – ISO/IEC JTC1 SC 37 biometric standards: FULL.
  – ISO/IEC JTC1 SC 17 IS 24727 (under development): Tbd
  – ICAO recommendations: Planned, for 2007


Current use and plans in Biometrics (if applicable)

• Technical solution(s): We are working with Sagem and Siemens in the field of Match On Card.

We store an algorithm & template inside the chip.

We use ISO/IEC 7816-4, ISO/IEC 7816-11, ISO/IEC 19785, ISO/IEC FDIS 19794-2.


Next plans

• We will aim to transform our eID into an eID with ePassport functionality.

• We will use Dual or Hybrid smart Card for this task.


Porvoo Group cooperation issues

• List of issues to be overcome and recommended Porvoo Group members' actions that would support accelerated deployments: We want to talk with Microsoft/SUN/Linux Community to include our CSP/PKCS#11 and Root CA Public Key in their OS.


Environment

[Diagram: software environment of the DNIe. Labels shown: Client Application; RTF, HTML, PDF; XML; Signature plugin / applet (PKCS#7 / XML); E-Mail (S/MIME); Web (SSL); Logon (Kerberos); PC/SC Drivers; Microsoft Resource Manager; DNIe PKCS#11; Netscape Internal PKCS#11; Netscape Internal Services; RSA Base CSP; DNIe CSP; CryptoAPI; Authenticode.]


More information

• Web-pages for the project/eID issues:

www.dnielectronico.policia.es (under construction)

• email: [email protected]

Thank You!