eID and setup of CA

collarlimabeans · Security

23 Feb 2014




Gert Roeckx
March 2012
Warsaw

eID and setup of CA

eID Card Types

Citizens: eID card
Kids: Kids-ID
Foreigners: Foreigners' card

eID Card Content

ID: Citizen Identity Data, carries an RRN SIGNATURE
ADDRESS: carries an RRN SIGNATURE
Authentication (certificate)
Signature (certificate)
PKI-data: Root CA, CA, RRN (certificates)
Photo: 140x200 pixels, 8 BPP, 3.224 bytes

RRN = National Register number







Issued certificates 2003-2011

2003: 0,1 mio
2004: 0,3 mio
2005: 3,9 mio
2006: 5,2 mio
2007: 4,3 mio
2008: 4,1 mio
2009: 3,5 mio
2010: 5,8 mio
2011: 7 mio

Total 2003-2011: 34 MIO

Issued certs 2011

[Chart: certificates issued per month (01-12) of 2011, y-axis 100 K to 800 K; annotations: "holiday period" and "more Kids ID"]



OCSP request 07-'11

2007: 2.9 mio
2008: 3.8 mio
2009: 8.6 mio
2010: 12.2 mio
2011: 25.7 mio

OCSP request avg/day 2011

[Chart: average OCSP requests per day, per month (01-12) of 2011, y-axis 20 K to 180 K; series: Tax-On-Web (Citizen), Tax-On-Web (Business)]

Secrets of success

Card for every citizen
Value added for all the actors
Use of eID by gov as a starting multiplier effect
Joined collaboration of public & private
    GOV <-> citizen / business: Tax-on-Web, eHealth / Social insurance
    Business <-> citizen: Banking

eID Certificates Hierarchy

GlobalSign Belgium Root CA
    Government CA (CRL)
        Code Sign Cert, RRN Cert, Server Cert
        Certificates for Government web servers, signing citizen files, public information, ...
    Foreigners' CA (CRL)
        Auth Cert, Signing Cert
    Citizen CA (CRL)
        Auth Cert, Signing Cert
    Admin CA (CRL)
        Cert Admin, Card Admin
        Card Administration: update address, rekey, store certificates, ...
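One branch of the tree on this slide, as an added example (not code from the deck or from Certipost): Go's standard library mints a Root CA, a Citizen CA under it and an Auth Cert under that, then validates the Auth Cert the way a relying party that trusts only the root would. Assumed, because the page does not give them: P-256 keys, one-day validity, and that the Auth Cert is used for client authentication.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a P-256 key for cn and has parentKey sign the certificate (self-signed when parent is nil).
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // CAs sign certificates and their own CRL
	if !ca { // leaf: the Auth Cert's role is assumed here to be client (card-holder) authentication
		t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if parent == nil {
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// Build mirrors one branch of the deck's tree (Root CA -> Citizen CA -> Auth Cert); the root key signs once and is then dropped, as an off-line root would be.
func Build() (root, citizenCA, auth *x509.Certificate) {
	root, rootKey := issue("GlobalSign Belgium Root CA", 1, true, nil, nil)
	citizenCA, caKey := issue("Citizen CA", 2, true, root, rootKey)
	auth, _ = issue("Auth Cert", 3, false, citizenCA, caKey)
	return root, citizenCA, auth
}

// Chain validates auth as a relying party that trusts only the root; Citizen CA must be presented
// alongside auth or no path can be built, even though auth is genuine.
func Chain(auth, root *x509.Certificate, presented ...*x509.Certificate) ([][]*x509.Certificate, error) {
	opts := x509.VerifyOptions{Roots: x509.NewCertPool(), Intermediates: x509.NewCertPool(),
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	opts.Roots.AddCert(root)
	for _, c := range presented {
		opts.Intermediates.AddCert(c)
	}
	return auth.Verify(opts) // each chain runs leaf first, trust anchor last
}
```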

CPS (Certificate Practice Statement)
= legal document that describes how the CA manages the certificates it issued

CP (Certificate Policy)
= document that describes the roles & responsibilities & liability of the different actors

These documents should be agreed (accepted, signed, ...) before the first certificate is issued!





IT services

Policy
Change
Incident and Capacity management
    Demand has increased during past years: OCSP, # certificates
    EU demands additional feature (Biometric)
    Need of procedures to cope with change in demand
Correct handling of changes, incidents and capacity are the cornerstones of a successful IT service


Security

A PKI is based on TRUST
Challenging Internet environment
A strong, rigorous Security Policy is enforced
For example:
    Both external and internal access is controlled
    Physical access only by dual presence
    Design of the PKI: off-line CA's, ...


SLA

Service level agreement
    Results from the business case of the eID
    Guarantees the quality of the service
Monitoring / Control Objects: OCSP, CRL; Certificate issuance
Defined KPI's
SLA for life?
    If the business case changes: adapt the service, adapt the SLA


Auditing & accreditation

WebTrust of CA
SAS 70
ISO 27002
National & European law requirements

Gert.roeckx@certipost.com

www.certipost.com

Thank you !