Belgian e-Leaders without Borders Workshop on ICT for Open


Transcript Belgian e-Leaders without Borders Workshop on ICT for Open

eID and setup of CA
Gert Roeckx
March 2012
Warsaw
eID Card Types
Citizens: eID card
Kids: Kids-ID
Foreigners: Foreigners’ card
eID Card Content
[Diagram: card content]
PKI data: Root CA, CA, Authentication certificate, Signature certificate
Citizen identity data: ID (RRN signature), ADDRESS (RRN signature)
Image data: 140x200 pixels, 8 BPP, 3.224 bytes
RRN = National Register number
Issued certificates
[Chart: issued certificates per year, 2003 - 2011. Total 2003-2011: 34 mio. Yearly values shown on the chart: 0,1 mio, 0,3 mio, 3,5 mio, 3,9 mio, 4,1 mio, 4,3 mio, 5,2 mio, 5,8 mio and 7 mio]
Issued certificates
[Chart: issued certificates per month, 2011; y-axis 100 K to 800 K, months 01-12; annotation: holiday period: more Kids-ID]
OCSP requests 07-’11
[Chart: OCSP requests per year, 2007-2011; values shown on the chart: € 2.9 mio, € 3.8 mio, € 8.6 mio, € 12.2 mio, € 25.7 mio]
OCSP requests avg/day 2011
[Chart: average OCSP requests per day, per month of 2011; y-axis 20 K to 180 K, months 01-12; annotations: "Tax-On-Web (Citizen)", "Tax-On-Web (Business)"]
Secrets of success
• Card for every citizen
• Value added for all the actors
• Use of eID by gov as a starting multiplier effect
• Joined collaboration of public & private
GOV <-> citizen / business
• Tax-on-Web
• insurance
• eHealth / Social
Business <-> citizen
• Banking
eID Certificates Hierarchy
[Diagram: certificate hierarchy]
GlobalSign
  Belgium Root CA
    Admin CA (CRL)
      Card Admin Cert - card administration: update address, rekey, store certificates, ...
    Citizen CA (CRL)
      Auth Cert
      Signing Cert
    Foreigners’ CA (CRL)
      Auth Cert
      Signing Cert
    Government CA (CRL)
      Server Cert
      Code Sign Cert
      RRN Cert
      Certificates for government web servers, signing citizen files, public information, ...
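As an added example, not code from the talk or from Certipost, the following shell script builds a toy version of the hierarchy on this slide with the openssl command-line tool: a root CA of the kind that would be kept offline, one subordinate "Citizen CA" constrained to issuing end-entity certificates, an authentication certificate for a holder, and a CRL published by the subordinate. It validates the chain with revocation checking, revokes the authentication certificate, republishes the CRL and validates again. All subject names, key sizes, lifetimes and file names are constructed for the example; it assumes openssl 1.1.1 or later is on PATH.

```shell
#!/bin/sh
# Added example, not code from the talk or from Certipost: a toy version of
# the hierarchy on the slide, built with the openssl CLI: Root CA ->
# subordinate "Citizen CA" -> authentication certificate, CRL published by
# the subordinate. Subjects, key sizes, lifetimes and file names are
# constructed here. Assumes openssl 1.1.1 or later on PATH.

# Extension profiles and a minimal "openssl ca" database in directory $1.
write_profiles() (
    set -e; cd "$1"
    # openssl req wants a DN section in its config even with -subj.
    printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' > req.cnf
    # Root: self-signed, may only sign certificates and CRLs.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' > root_ext.cnf
    # Subordinate: pathlen:0 restricts it to issuing end-entity certificates.
    printf '%s\n' 'basicConstraints=critical,CA:TRUE,pathlen:0' \
        'keyUsage=critical,keyCertSign,cRLSign' 'subjectKeyIdentifier=hash' \
        'authorityKeyIdentifier=keyid' > sub_ext.cnf
    # Authentication certificate: client authentication only, never a CA.
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=critical,digitalSignature' 'extendedKeyUsage=clientAuth' \
        'subjectKeyIdentifier=hash' 'authorityKeyIdentifier=keyid' > leaf_ext.cnf
    # Database in which the subordinate records revocations and numbers CRLs.
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = citizen_ca
[ citizen_ca ]
database = index.txt
new_certs_dir = newcerts
serial = serial
crlnumber = crlnumber
certificate = citizen.crt
private_key = citizen.key
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
    mkdir -p newcerts; : > index.txt; echo 01 > serial; echo 01 > crlnumber
)

# Build root, subordinate and one authentication certificate in directory $1.
build_hierarchy() (
    set -e; cd "$1"; write_profiles .
    # 1. Root CA. In production the root key lives on an offline system
    #    (the talk's "off-line CA's"); here it is a file in a scratch dir.
    openssl genrsa -out root.key 2048 2>/dev/null
    openssl req -new -config req.cnf -key root.key -out root.csr \
        -subj '/C=BE/O=Example/CN=Example Root CA' 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
        -extfile root_ext.cnf -out root.crt 2>/dev/null
    # 2. Subordinate "Citizen CA", certified by the root.
    openssl genrsa -out citizen.key 2048 2>/dev/null
    openssl req -new -config req.cnf -key citizen.key -out citizen.csr \
        -subj '/C=BE/O=Example/CN=Example Citizen CA' 2>/dev/null
    openssl x509 -req -in citizen.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile sub_ext.cnf -out citizen.crt 2>/dev/null
    # 3. Authentication certificate for one holder, issued by the Citizen CA.
    openssl genrsa -out auth.key 2048 2>/dev/null
    openssl req -new -config req.cnf -key auth.key -out auth.csr \
        -subj '/C=BE/O=Example/CN=Jane Doe (Authentication)' 2>/dev/null
    openssl x509 -req -in auth.csr -CA citizen.crt -CAkey citizen.key -CAcreateserial \
        -days 365 -sha256 -extfile leaf_ext.cnf -out auth.crt 2>/dev/null
    # 4. First (empty) CRL published by the Citizen CA.
    openssl ca -config ca.cnf -gencrl -out citizen.crl 2>/dev/null
)

# Validate auth.crt up to the root with the Citizen CA's CRL applied;
# prints "valid", "revoked" or "invalid".
check_auth_cert() (
    cd "$1" || exit 1
    out=$(openssl verify -crl_check -CAfile root.crt -untrusted citizen.crt \
        -CRLfile citizen.crl auth.crt 2>&1) && { echo valid; exit 0; }
    case "$out" in *"certificate revoked"*) echo revoked ;; *) echo invalid ;; esac
)

# Revoke the authentication certificate and publish a fresh CRL.
revoke_auth_cert() (
    set -e; cd "$1"
    openssl ca -config ca.cnf -revoke auth.crt -crl_reason keyCompromise 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out citizen.crl 2>/dev/null
)

# Whole lifecycle in a scratch directory; prints the verdict before and after revocation.
run_demo() {
    before='' after=''
    dir=$(mktemp -d) || return 1
    if build_hierarchy "$dir"; then
        before=$(check_auth_cert "$dir")
        revoke_auth_cert "$dir" && after=$(check_auth_cert "$dir")
    fi
    rm -rf "$dir"
    echo "${before:-failed} ${after:-failed}"   # expected: "valid revoked"
}

run_demo
```

The split between the two CAs is what makes the offline root practical: day-to-day issuance and revocation touch only the subordinate's key and database, while the root key is needed only to certify (or replace) a subordinate. The `pathlen:0` constraint and the end-entity profile limit what a compromised subordinate or holder key could be used for, and the verify step shows why relying parties must consult the CRL (or OCSP) rather than the signature chain alone.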
Policy
• CPS (Certification Practice Statement)
  = legal document that describes how the CA manages the certificates it issued
• CP (Certificate Policy)
  = document that describes the roles, responsibilities and liability of the different actors
• These documents should be agreed (accepted, signed, ...) before the first certificate is issued!
IT services
• Change, Incident and Capacity management
  – Demand has increased during past years
    • OCSP, # certificates
    • EU demands an additional feature (biometrics)
  – Need for procedures to cope with changes in demand
  – Correct handling of changes, incidents and capacity is the cornerstone of a successful IT service
Security
• A PKI is based on TRUST
• Challenging Internet environment
• A strong, rigorous security policy is enforced
  – For example:
    • Both external and internal access are controlled
    • Physical access only by dual presence
    • Design of the PKI, off-line CAs, ...
SLA
• Service level agreement
  – Results from the business case of the eID
  – Guarantees the quality of the service
• Monitoring control objects
  – OCSP, CRL
  – Certificate issuance
• Defined KPIs
  – SLA for life?
• If the business case changes
  – Adapt the service
  – Adapt the SLA
Auditing & accreditation
• WebTrust for CA
• SAS 70
• ISO 27002
• National & European law requirements
Thank you!
[email protected]
www.certipost.com