D3.6: Study on ID Documents
Back-Office Systems
In addition to the infrastructure that is visible to the user, such as the ID document, reader technology, software to use the ID document or biometric sensors, in many cases a remote infrastructure is used as well. Depending on the technical method, this infrastructure provides reference data of different types and / or allows for logging of transaction data or of the use of ID documents in general. These remote infrastructures are also called back-office systems. In this chapter we introduce back-office systems that are highly relevant for ID documents.
PKI
Public key infrastructure (PKI) in general has been introduced in the FIDIS Deliverable 3.2 (Gasson, Meints, Warwick 2005). In this document we focus on current developments towards interoperability on a technical level in Europe with respect to ID documents, as this was not covered in FIDIS Deliverable 3.2.
Especially relevant for ID documents are the differences that can be observed among European countries in the way the PKI is operated. While registration and certification in Austria and Belgium, for example, are done by the public administration (supported by enterprises), in Germany and Sweden, for example, they are done by private enterprises. In addition to these differences there is no European Root CA. As a result, electronic signatures today are not interoperable in Europe on a technical level.
Currently we observe two approaches to address the technical aspects of interoperability of authentication procedures, including the use of electronic signatures: the GUIDE project and bridge CAs.
GUIDE uses a federated network identity management approach (Guide 2005). The general scenarios considered in the GUIDE project are principals logging onto a pan-European Governmental Service (PEGS) in a foreign country. In these cases the PEGS has no possibility to authenticate the foreign user (principal) itself. To do so, an Identity Provider (IP) in the home country of the principal is needed. In general this IP provides two basic services:
- Authentication Service (AS) and
- Attribute Provider Service (APS)
In cases where principal, PEGS and IP use standardised interfaces such as the GUIDE Interface, communication would be quite simple, as shown in the following figure:
Figure: International authentication and authorisation using GUIDE interfaces and services
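The principal / PEGS / IP exchange described above, as an added example that is not part of the original deliverable and not code from the GUIDE project: a home-country IP whose Authentication Service checks the principal's credential and whose Attribute Provider Service attaches the principal's attributes, then signs the result; the foreign PEGS, which holds no credentials for the principal, accepts the assertion only if it comes from a registered IP, the signature verifies, the assertion was issued for this PEGS and it is still within its validity window. The JSON assertion format, ECDSA signing, the in-memory credential store and the identifiers IP-B, PEGS-A and PEGS-C are assumptions made for the example, not anything GUIDE specifies.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion carries the AS result (who, when, for which PEGS) and the APS attributes.
type Assertion struct {
	Issuer     string            `json:"issuer"`
	Subject    string            `json:"subject"`
	Audience   string            `json:"audience"`
	IssuedAt   int64             `json:"iat"`
	ExpiresAt  int64             `json:"exp"`
	Attributes map[string]string `json:"attributes"`
}

// IdentityProvider is the home-country IP; its AS credential store and APS attribute store
// are constructed in-memory sample data (plain SHA-256 password hashes, for brevity only).
type IdentityProvider struct {
	ID         string
	Key        *ecdsa.PrivateKey
	passwords  map[string][32]byte
	attributes map[string]map[string]string
}

func NewIdentityProvider(id string) *IdentityProvider {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &IdentityProvider{ID: id, Key: key, passwords: map[string][32]byte{}, attributes: map[string]map[string]string{}}
}
func (ip *IdentityProvider) Enrol(subject, password string, attrs map[string]string) {
	ip.passwords[subject] = sha256.Sum256([]byte(password))
	ip.attributes[subject] = attrs
}

// Authenticate is the AS step; on success the APS attributes are attached and the JSON
// assertion is signed (ECDSA over its SHA-256 digest) for the foreign PEGS to rely on.
func (ip *IdentityProvider) Authenticate(subject, password, audience string, now time.Time) (payload, sig []byte, err error) {
	stored, ok := ip.passwords[subject]
	given := sha256.Sum256([]byte(password))
	if !ok || subtle.ConstantTimeCompare(stored[:], given[:]) != 1 {
		return nil, nil, errors.New("AS: authentication failed")
	}
	a := Assertion{Issuer: ip.ID, Subject: subject, Audience: audience, IssuedAt: now.Unix(),
		ExpiresAt: now.Add(5 * time.Minute).Unix(), Attributes: ip.attributes[subject]}
	if payload, err = json.Marshal(a); err != nil { // encoding/json sorts map keys: deterministic bytes
		return nil, nil, err
	}
	digest := sha256.Sum256(payload)
	sig, err = ecdsa.SignASN1(rand.Reader, ip.Key, digest[:])
	return payload, sig, err
}

// PEGS is the service in the foreign country: it holds no credentials for foreign principals
// and trusts only assertions from IPs whose public keys were registered out of band.
type PEGS struct {
	ID         string
	trustedIPs map[string]*ecdsa.PublicKey
}

func NewPEGS(id string) *PEGS                              { return &PEGS{ID: id, trustedIPs: map[string]*ecdsa.PublicKey{}} }
func (p *PEGS) RegisterIP(id string, pub *ecdsa.PublicKey) { p.trustedIPs[id] = pub }

// Accept checks issuer, signature, audience and validity window before returning the assertion.
func (p *PEGS) Accept(payload, sig []byte, now time.Time) (*Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return nil, err
	}
	pub, ok := p.trustedIPs[a.Issuer]
	if !ok {
		return nil, fmt.Errorf("PEGS: unknown identity provider %q", a.Issuer)
	}
	digest := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return nil, errors.New("PEGS: invalid signature")
	}
	if a.Audience != p.ID || now.Unix() < a.IssuedAt || now.Unix() >= a.ExpiresAt {
		return nil, fmt.Errorf("PEGS: assertion not valid for %q at this time", p.ID)
	}
	return &a, nil
}

func main() {
	ipB := NewIdentityProvider("IP-B")
	ipB.Enrol("alice", "correct horse battery", map[string]string{"nationality": "B"})
	pegsA := NewPEGS("PEGS-A")
	pegsA.RegisterIP(ipB.ID, &ipB.Key.PublicKey)
	payload, sig, _ := ipB.Authenticate("alice", "correct horse battery", pegsA.ID, time.Now())
	fmt.Println(pegsA.Accept(payload, sig, time.Now()))            // accepted
	fmt.Println(NewPEGS("PEGS-C").Accept(payload, sig, time.Now())) // replayed to another service: rejected
}
```

The audience and validity-window checks are the part a relying party must not skip: without them a signed assertion issued for one PEGS could be presented unchanged to another, which is exactly the cross-border situation the IP model creates.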
Such an interface has not been introduced so far; existing interfaces normally support national IPs only. In addition, different communication standards such as Liberty, SAML, Shibboleth and WS-* are supported, and different document formats are used.
To overcome this situation, GUIDE proposes the introduction of gateways equipped with the GUIDE Software Agent (GSA). This agent transforms the data formats and standards used by PEGS and IPs (in this example a remote procedure call (RPC) capable web service application programming interface (WS API)) into an intermediary GUIDE profile, as shown in the following figure:
Figure: Gateways transforming nationally used data formats and standards for authentication
An alternative to the GUIDE approach is the use of a so-called bridge CA. Mainly driven by German and Austrian Certificate Authorities (CAs), the European Bridge CA (EB-CA) offers interoperability of PKI and electronic signatures to its members (private and public organisations) in Europe, the US and Asia.
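As an added example of the interoperability gap described under PKI above (no European Root CA) and of the bridge-CA alternative just introduced, the following Go program, written for this page rather than taken from the deliverable or from the EB-CA, builds two constructed national root CAs, a constructed bridge CA and a citizen certificate issued under country B's root. A relying party in country A trusts only its own root, so chain validation of the citizen certificate fails until the two cross certificates (Root A certifying the bridge's key, the bridge certifying Root B's key) are supplied as intermediates. The CA names and serial numbers are made up for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// authority is a CA (national root or bridge) with its own key; all names are constructed.
type authority struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}
// template builds a minimal CA or end-entity certificate template with a one-day validity.
func template(name string, serial int64, isCA bool) *x509.Certificate {
	ku := x509.KeyUsageDigitalSignature
	if isCA {
		ku |= x509.KeyUsageCertSign
	}
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              ku,
	}
}
// issue signs tmpl (carrying pub) under parent with the parent's key; parent == tmpl is self-signed.
func issue(tmpl *x509.Certificate, pub *ecdsa.PublicKey, parent *x509.Certificate, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert
}
func newKey() *ecdsa.PrivateKey {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return key
}
func newAuthority(name string, serial int64) *authority {
	key, t := newKey(), template(name, serial, true)
	return &authority{key: key, cert: issue(t, &key.PublicKey, t, key)}
}
// cross issues a cross certificate: the subject CA's own name and key, signed by the issuer CA.
func cross(subject *authority, serial int64, issuer *authority) *x509.Certificate {
	t := template(subject.cert.Subject.CommonName, serial, true)
	return issue(t, &subject.key.PublicKey, issuer.cert, issuer.key)
}
// Model: two national roots, a bridge CA, the cross certificates linking them, and a citizen of B.
type Model struct {
	RootA, RootB, Bridge *authority
	Citizen              *x509.Certificate
	BridgeByA, BByBridge *x509.Certificate
}
func BuildModel() *Model {
	m := &Model{
		RootA:  newAuthority("Root CA A (constructed)", 1),
		RootB:  newAuthority("Root CA B (constructed)", 2),
		Bridge: newAuthority("Bridge CA (constructed)", 3),
	}
	m.Citizen = issue(template("Citizen of B (constructed)", 100, false), &newKey().PublicKey, m.RootB.cert, m.RootB.key)
	m.BridgeByA = cross(m.Bridge, 200, m.RootA) // Root A certifies the bridge's key
	m.BByBridge = cross(m.RootB, 201, m.Bridge) // the bridge certifies Root B's key
	return m
}

// VerifyFromA validates the citizen certificate as a relying party in country A that trusts only
// Root A, returning the length of the chain found (0 on failure) and the verification error.
func VerifyFromA(m *Model, intermediates ...*x509.Certificate) (int, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(m.RootA.cert)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	chains, err := m.Citizen.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	m := BuildModel()
	fmt.Println(VerifyFromA(m))                           // Root A alone: certificate signed by unknown authority
	fmt.Println(VerifyFromA(m, m.BByBridge, m.BridgeByA)) // via the bridge: chain of length 4, no error
}
```

What makes the bridge work is that a cross certificate carries another CA's existing name and public key under a new issuer, so chain building can continue through the bridge without any national root being replaced. Real bridge CAs additionally constrain what they cross-certify (name and policy constraints, path length), which this model omits.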
Denis Royer | 11 / 56 |