eid and setup of CA

Uploaded by collarlimabeansSecurity, Feb 23, 2014


Gert Roeckx
March 2012
Warsaw

eID Card Types

- Citizens: eID card
- Kids: Kids-ID
- Foreigners: Foreigners' card

eID Card Content

- ID: Citizen Identity Data, RRN = National Register number, RRN SIGNATURE
- ADDRESS: RRN SIGNATURE
- Photo: 140x200 pixels, 8 BPP, 3.224 Bytes
- Authentication certificate and Signature certificate
- PKI data: Root CA, CA, RRN

Issued certificates 2003-2011

  2003: 0,1 mio
  2004: 0,3 mio
  2005: 3,9 mio
  2006: 5,2 mio
  2007: 4,3 mio
  2008: 4,1 mio
  2009: 3,5 mio
  2010: 5,8 mio
  2011: 7 mio

Total 2003-2011: 34 MIO

Issued certs 2011

(Chart: certificates issued per month 01-12 of 2011, scale 100 K to 800 K; annotations on the chart: "holiday period" and "more Kids ID".)

OCSP request 07-'11

  2007: 2.9 mio
  2008: 3.8 mio
  2009: 8.6 mio
  2010: 12.2 mio
  2011: 25.7 mio

OCSP request avg/day 2011

(Chart: average OCSP requests per day, by month 01-12 of 2011, scale 20 K to 180 K; series: Tax-On-Web (Citizen) and Tax-On-Web (Business).)

Secrets of success

- Card for every citizen
- Value added for all the actors
- Use of eID by gov as a starting multiplier effect
- Joined collaboration of public & private
  - GOV <-> citizen / business: Tax-on-Web, Ehealth / Social insurance
  - Business <-> citizen: Banking

eID Certificates Hierarchy

GlobalSign
  Belgium Root CA
    Citizen CA: Auth Cert, Signing Cert
    Foreigners' CA: Auth Cert, Signing Cert
    Government CA: Code Sign Cert, RRN Cert, Server Cert
      (certificates for Government web servers, signing citizen files, public information, ...)
    Admin CA: Cert Admin, Card Admin
      (Card Administration: update address, rekey, store certificates, ...)
  CRL: four CRLs are shown in the diagram next to the CAs
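The shape of the diagram, a root CA that signs per-population CAs which in turn sign the citizens' authentication and signing certificates, with CRLs for revocation, can be reproduced with Go's standard library. The following is an added example, not code from the presentation or from Certipost; it assumes Go 1.19 or later, the names Belgium Root CA, Citizen CA and Auth Cert follow the slide, and the keys, serial numbers, validity periods and function names are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Entity is one node of the hierarchy: its certificate and private key. Names follow
// the slide; keys, serial numbers and validity periods are constructed for this example.
type Entity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// mustIssue creates a certificate for cn signed by parent (self-signed when parent is nil).
// CAs get keyCertSign/cRLSign; the end entity gets an Auth Cert profile (clientAuth).
func mustIssue(cn string, serial int64, isCA bool, parent *Entity) *Entity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{Country: []string{"BE"}, CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, nil
	}
	parentCert, signer := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, signer = parent.Cert, parent.Key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	return &Entity{Cert: must(x509.ParseCertificate(der)), Key: key}
}

// BuildHierarchy creates Belgium Root CA -> Citizen CA -> Auth Cert, the Citizen branch of the diagram.
func BuildHierarchy() (root, citizenCA, auth *Entity) {
	root = mustIssue("Belgium Root CA", 1, true, nil)
	citizenCA = mustIssue("Citizen CA", 2, true, root)
	auth = mustIssue("Citizen (Authentication)", 3, false, citizenCA)
	return root, citizenCA, auth
}

// ChainValid reports whether leaf chains to root through the given intermediates and is
// acceptable for client authentication; with no intermediate the Auth Cert cannot be validated.
func ChainValid(root, leaf *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// RevokeAndCheck has the issuing CA publish a CRL listing leaf's serial, then verifies the
// CRL signature and looks the serial up, as a relying party consuming the CRL would.
func RevokeAndCheck(issuer *Entity, leaf *x509.Certificate) bool {
	now := time.Now()
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(24 * time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: leaf.SerialNumber, RevocationTime: now}},
	}, issuer.Cert, issuer.Key))
	crl := must(x509.ParseRevocationList(der))
	if err := crl.CheckSignatureFrom(issuer.Cert); err != nil {
		panic(err) // a CRL is only trusted when the issuing CA signed it
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return true
		}
	}
	return false
}

func main() {
	root, citizenCA, auth := BuildHierarchy()
	fmt.Println("chain via Citizen CA valid:", ChainValid(root.Cert, auth.Cert, citizenCA.Cert))
	fmt.Println("chain without Citizen CA valid:", ChainValid(root.Cert, auth.Cert))
	fmt.Println("Auth Cert revoked via Citizen CA CRL:", RevokeAndCheck(citizenCA, auth.Cert))
}
```

The three printed lines show that the Auth Cert validates only when the relying party also holds the Citizen CA certificate, and that a serial listed in the Citizen CA's CRL is found once the CRL's signature has been checked against that CA. An OCSP responder, whose request volumes the deck reports, answers the same per-certificate question without the relying party downloading the whole list.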


CPS (Certificate Practice Statement)
= legal document that describes how the CA manages the certificates it issued

CP (Certificate Policy)
= document that describes the roles & responsibilities & liability of the different actors

These documents should be agreed (accepted, signed, ...) before the first certificate is issued!





IT services

- Policy, Change, Incident and Capacity management
- Demand has increased during past years: OCSP, # certificates
- EU demands additional feature (Biometric)
- Need of procedures to cope with change in demand
- Correct handling of changes, incidents and capacity are the cornerstones of a successful IT service


Security

- A PKI is based on TRUST
- Challenging Internet environment
- A strong rigorous Security Policy is enforced. For example:
  - Both external and internal access is controlled
  - Physical access only by dual presence
  - Design of the PKI: off-line CA's, ...


SLA

- Service level agreement: results from the business case of the eID; guarantees the quality of the service
- Monitoring / Control Objects: OCSP, CRL; certificate issuance
- Defined KPI's
- SLA for life? If the business case changes: adapt the service, adapt the SLA


Auditing & accreditation

- WebTrust of CA
- SAS 70
- ISO 27002
- National & European law requirements

Gert.roeckx@certipost.com

www.certipost.com

Thank you !