PKI: The Key to Electronic Identity Initiatives?Overview of models and examples

Stijn Bijnens, SVP Identity Management, Cybertrust

©2005 Cybertrust. All rights reserved. www.cybertrust.com

PKI?

Already around for a long time… Celebrating 30 years of PKI - October 26 2006

A lot of hype in 1999 – 2000 during the dot.com boomAfter the dot.com crash perceived to be :

Highly complex Not integrated in applications Issues with smartcard readers Expensive Not needed PKI == Please Kill It

But, it’s getting a second chance

©2005 Cybertrust. All rights reserved. www.cybertrust.com

Governments are in the Driver’s Seat

National Initiatives: Citizen ID cards Health Cards Employee Cards of Federal and Local Governments (HSPD 12) Military Card Electronic Driver Licenses (urgent need for standard)

International Initiatives: E-passports (ICAO 9303-1) Digital Tachograph (Europe)

©2005 Cybertrust. All rights reserved. www.cybertrust.com

Drivers in Government ID projects

E-government projects: Egov portals require strong authentication

• Tax on web, VAT, etc … Government employees internally

Physical Access Control Buildings, Borders, … First responders

New Applications E-ticketing in public transport

Online Age Verification Chat groups for children

©2005 Cybertrust. All rights reserved. www.cybertrust.com

Models of deployments

OutsourceFull management of the solution 24X7 Monitoring &

Management Full hosting of

required hardware Outsources

performs registration

Co-sourceShared management of the solution Government performs

some of the tasks (i.e. registration procedures)

Outsourcer provides part of the processes and IT infrastructure

Inhouse inhouse deployment of the solution enterprise software

is used Inhouse processes

and procedures

©2005 Cybertrust. All rights reserved. www.cybertrust.com

Examples of National ID solutions

The different models are used today by Governments. The registration process is key.

Outsource

BankID used by governmental portals in Norway

Co-source Inhouse

©2005 Cybertrust. All rights reserved. www.cybertrust.com

BBS – Bankenes BetalingsSentral AS

The Norwegian Banks’ Payments and Clearing Center Norway’s primary clearing house for financial payments Jointly owned by Norwegian banking community

Bank ID Project: Bank-common Trust for web-based Transactions

Business Requirement: Extend proven ‘transaction management’ expertise within a Web-driven

environment Provide centralized trust service for the Norwegian banking community Manage disparate range of financial and merchant organizations Facilitate broadest range of e-business transactions for multiple user

groups Initially focused on 1.6 million ‘Netbank’ users (for online payments)

©2005 Cybertrust. All rights reserved. www.cybertrust.com

©2005 Cybertrust. All rights reserved. www.cybertrust.com

Examples

The different models are used today by Governments. The registration process is key.

Outsource

BankID used by governmental portals in Norway

Co-source Inhouse

Estonia has a public/private operational structure

©2005 Cybertrust. All rights reserved. www.cybertrust.com

Examples

The different models are used today by Governments. The registration process is key.

Outsource

BankID used by governmental portals in Norway

Co-source

Belgian Government provides registration processes

Inhouse

Estonia has a public/private operational structure

©2005 Cybertrust. All rights reserved. www.cybertrust.com

Example 1 : EID in BelgiumCumulative EID Certificates (After Correction)

0

1,000,000

2,000,000

3,000,000

4,000,000

5,000,000

6,000,000

Mar-03

Jun-03

Sep-03

Dec-03

Mar-04

Jun-04

Sep-04

Dec-04

Mar-05

Jun-05

Sep-05

Dec-05

Mar-06

Jun-06

Date

# of

Cer

tific

ates

©2005 Cybertrust. All rights reserved. www.cybertrust.com

Examples

The different models are used today by Governments. The registration process is key.

Outsource

BankID used by governmental portals in Norway

Co-source

Belgian Government provides registration processes

Inhouse

Estonia has a public/private operational structure

©2005 Cybertrust. All rights reserved. www.cybertrust.com

Inhouse solutions at Governments?

Examples : Intelligence & Defense Law enforcement

Trend we see : When it is citizen related --i.e. governments interacting with the

public– governments tend to go for a co-sourced solution :• Estonia• Belgium• Finland• SSP platform for the US Federal Government• …

©2005 Cybertrust. All rights reserved. www.cybertrust.com

Decision Criteria

Costs Leverage a shared infrastructure :

• physical, logical• policies and procedures• accreditation

Time To Market Risk Mitigation

Project Risk Technology Risk (i.e. RSA vs. Elliptic curve) Liability of the Registrar

Use Case (general vs. specific) The more specific use the easier to outsource

©2005 Cybertrust. All rights reserved. www.cybertrust.com

Highly complex Managed services approachOn-demand certificate model

Not integrated in applications Microsoft, Adobe, …

Issues with smartcard readers More standards and off the shelf support

Expensive Economies of scale Outsourcing

Not needed Legal framework, confidentiality, non repudiation -> driven by legislation

Addressing the concerns

©2005 Cybertrust. All rights reserved. www.cybertrust.com

PKI is getting a second chance

Government are the innovators today

Large deployments are reducing the cost

Businesses are picking up the government schemes

The software industry is endorsing it...finally.

New legislation will drive the adoption