

Identification and authentication in G2C digital interactions

Sabine Delaitre and Ioannis Maghiros, JRC 


This section first introduces the European context of the identification and authentication of Citizen to Government (C2G) in digital interactions. The reverse digital interaction, G2C, or government to citizen, is then defined along with the related processes of identification and authentication. In addition, we will examine interoperability. In order to illustrate the G2C interaction, two case studies and the related interoperability issues are presented: the European passport and the driving license. 




Modernisation will enable the inter-linking of systems, information and ways of working, within or between administrations, nationally or across Europe, or with the private sector. Therefore, an agreement on common standards and specifications is essential to support life-event and information sharing eGovernment services, as well as R&D into interoperability for networked organisations that in future will deliver new and innovative public services (see below). The policy context encompasses privacy, secure services and access to services related to the availability of services. More precisely, the policy context for the present topic is under the terms of the Lisbon Agenda (for the driving license for instance), eEurope 2005 and Pan-European for interoperability. The challenge of eGovernment is to ensure trust and security and this requires special attention to the use of identity in identification and authentication processes.

Figure: European framework of eGovernment


In general, three categories of interactions characterise eGovernment: 

  1. G2C, government to citizen 

  2. G2B, government to business and  

  3. G2G, government to government 




Digital interaction G2C 


This section focuses on G2C interactions. The following figure describes this type of interaction and shows who the citizen is for the government and who the government is for the citizen.



Figure: G2C interactions in eGovernment


For the citizen, government is composed of various ministries, offices and institutes, and for the government, the citizen is an employee, a taxpayer, a voter. To achieve interaction between both sides, several types of services are placed by government at the disposal of citizens. With a view to the good management of these services, security and trust are two key pillars. Hence the need arises to identify and authenticate the citizen, and to facilitate internal communication within government. Therefore, interoperability and identity play a vital role. 


Chain of trust: identity and interoperability 


Firstly, interoperability is essential for digital interaction in eGovernment in order to facilitate internal communication and to ensure security. Several characteristics of interoperability come into the picture. Vertically, interoperability is required within the same sector, while horizontally interoperability is needed across both public and private sectors and the scope of interoperability has to be regional, national, and even European. The framework of the interoperability is composed of three dimensions: social and political (informal), formal and technical. The social and political (informal) dimension encompasses a top-down vision (from national to local, e.g. UK and France), the bottom-up vision (from local to national, e.g. Germany) and the mixed vision (e.g. in Austria). It also includes being able to identify the actors and organisational processes involved in the delivery of a specific e-government service and achieve agreement among these on how to structure their interactions, such as defining the integration of services according to the life or business situation of users. At the informal level it relates to ensuring that the meaning of the information exchanged is not lost in the process - that it is contained and understood by the involved people, applications, and institutions. The formal dimension relates to contracts and policies. The technical dimension refers to merging IT systems and software, defining and using open interfaces, standards and protocols, covering technical issues stemming from linking up computer systems, including open interfaces, middleware, accessibility and security services.  


Secondly, identity is a vital concept for digital interaction. Indeed, identity and online interaction directly involve the enactment of the identification and authentication processes for ensuring trust and security. The identity requirements are related to: 

  1. security of the collection, transmission and storage of information in secure databases and servers,  

  2. privacy concerning the information exchanged and shared  

  3. robustness and availability of services and transactions made online 

  4. legislative and regulatory framework, including electronic documents, digital signature and records management. 


Identification is a process (1:N) for recognising the user - who is the user? - whereas authentication is a process (1:1) for confirming a user’s identity. In the latter case, different information can be used such as a password or PIN, i.e. “what the user knows”, a smart card or a driving licence, i.e. “what the user has”, or biometric data, fingerprint or voice, i.e. “what the user is or does”. Both processes require two steps, registration and enrolment.


The registration step is the process by which a citizen (C) obtains a user ID to access online services. 



The enrolment step is the process by which a user provides government (G) information, e.g. user ID and personal data, in order to obtain a credential, such as a PIN, for subsequent authentication. Enrolment is completed when the user returns to the site in order to activate the PIN. 

Figure: graphical view of registration and enrolment processes


These different processes demonstrate the need for a chain of trust at different levels for the identity. 
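
The registration, enrolment and PIN activation steps described above, followed by 1:1 authentication and 1:N identification, as an added Python example that is not part of the FIDIS deliverable. The class and method names, the six-digit PIN, the PBKDF2 parameters and the sample citizen data are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class CitizenPortal:
    """Hypothetical G2C portal: registration -> enrolment -> activation -> authentication."""

    def __init__(self):
        self.accounts = {}  # user_id -> record held by government (G)

    def register(self, name, birth_date):
        # Registration: the citizen (C) obtains a user ID; no credential exists yet.
        user_id = "u-" + secrets.token_hex(4)
        self.accounts[user_id] = {"name": name, "birth_date": birth_date,
                                  "salt": None, "pin_hash": None, "active": False}
        return user_id

    def _hash(self, pin, salt):
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def _pin_ok(self, acct, pin):
        # Constant-time comparison against the stored salted hash.
        return acct["pin_hash"] is not None and hmac.compare_digest(
            acct["pin_hash"], self._hash(pin, acct["salt"]))

    def enrol(self, user_id, name, birth_date):
        # Enrolment: user ID plus personal data must match the registration record.
        acct = self.accounts.get(user_id)
        if acct is None or (acct["name"], acct["birth_date"]) != (name, birth_date):
            raise PermissionError("enrolment data does not match registration")
        pin = f"{secrets.randbelow(10**6):06d}"
        acct["salt"] = secrets.token_bytes(16)
        acct["pin_hash"] = self._hash(pin, acct["salt"])
        acct["active"] = False  # the PIN is unusable until the user returns to activate it
        return pin  # assumption: delivered to the citizen out of band

    def activate(self, user_id, pin):
        acct = self.accounts.get(user_id)
        ok = bool(acct and self._pin_ok(acct, pin))
        if ok:
            acct["active"] = True
        return ok

    def authenticate(self, user_id, pin):
        # Authentication (1:1): the claimed user ID is checked against one record.
        acct = self.accounts.get(user_id)
        return bool(acct and acct["active"] and self._pin_ok(acct, pin))

    def identify(self, name, birth_date):
        # Identification (1:N): every record is searched for matching attributes.
        return [uid for uid, a in self.accounts.items()
                if (a["name"], a["birth_date"]) == (name, birth_date)]
```

The issued PIN is rejected by `authenticate` until `activate` has succeeded, which is the point at which enrolment is complete.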


Use of PKI 


In most European countries there are continuing e-government initiatives which are considering PKI for access and digital signatures.  These initiatives are pursuing the following benefits:

  1. Time savings for information processing inside the government bodies and reduced response time for citizens, 

  2. Cost savings as a consequence of decreased transaction time and cost, increased accuracy and productivity, reduced paper-based maintenance and operating costs, better and more trusted ways of allowing users to pay for services provided, 

  3. Enhanced service to inside users, to public and other entities, 

  4. Improved quality and integrity of data, compared with paper-based systems. 


Although the implementation of PKI systems for digital signatures, e-ID, or e-Government services is only in the initial stages, it has already come up against the following barriers: 

  1. Complexity and initial investment required to set up infrastructure, 

  2. Lack of consumer initiatives (e-applications, convenience) vs. costs (card reader, software), 

  3. Lack of standards, in particular for the interoperability of certificates and signed envelopes, the cross-checking of certificates issued by a third party Certification Authority (CA), the usage of certificates by applications, the certificate handling by directories, and time stamping. In the absence of standards, some countries in the process of implementing PKI for digital signatures, have developed their own specifications which may lead to interoperability problems in the future, 

  4. The legal and procedural regulation aspects of building mutual trustworthiness recognition across CAs and across countries and related jurisdiction, that is, mutual recognition of policies, contractual agreements and legal frameworks (on digital signatures and contractual liabilities), 

  5. Difficulties in building technical interoperability across different CAs in particular, at application level, in the use of cryptographic techniques, attribute certificates, smart card technologies and registration schemes. 


National, European and global working groups are actively debating these issues, developing potential interoperability models (e.g., Cross-certification, Bridge CA, Certificate Trust List, etc.) and carrying out pilots to achieve both technical and legal interoperability (e.g., ICE-TEL and PKI challenge projects, PKI interoperability Testbed, etc.). 


Case studies 


This section deals with two case studies: European passport and driving licence. In both cases the main objective is to ensure security, safety and freedom of movement. Because these identity documents may be equipped with microchips, digital interactions are possible. 


European passport

The policy framework for the European passport encompasses several ISO standards and a European directive. The solution will be fully conformant to relevant standards, such as ISO 7816-15 for the identification cards, part 15: cryptographic information application, ISO 14443 concerning contactless chips, ISO WG3 for security techniques, and will collaborate with Schengen Information System and ICAO (International Civil Aviation Organization) specifications. The directive 95/46/EC on data protection is applicable as it concerns the processing of personal data, including biometric data.


From a technical point of view, the European passport is a smart card addressing security needs, including two biometric data for verifying the authenticity of the document as well as the identity of the holder. This approach aims to render the passport more secure by a legally binding instrument on minimum standards for harmonised security features, and at the same time, to establish a reliable link between the genuine holder and the document by introducing biometric identifiers. The smart card would be contactless and would have the capacity to store digital signatures, ensuring authenticity and integrity of data, together with the capacity to store encrypted data. The two biometric identifiers are the digital photographs of face and fingerprint (not the template). As to the second biometric identifier, it is left to the discretion of the Member States whether they store the fingerprints on the storage medium and/or in a national database.


Resolution 6 (Porvoo group) supports the provision for interoperability aspects to be included in international standards in the smartcard, certification infrastructure, and biometric domains. ICAO recommends a 32K chip as a minimum standard. However, as it may be necessary to store a facial image and fingerprint images, a 64K chip would be more appropriate, especially if Member States wish to add some alphanumeric data. In order to ensure interoperability, the quality standards for the digital photograph set out by ICAO should be respected.


Driving licence 


The policy framework for the driving license encompasses the Lisbon agenda and several European directives. The directive 91/439/EEC is the reference text and mainly describes the categories of driving license, of vehicles, the conditions for the issue of a driving license, the minimum ages for the various categories, the driving tests and the minimum standards of physical and mental fitness. The directive 96/47/EEC concerns the plastic card model and the directive 2003/59/EC deals with the professional drivers. 


The driving license is a plastic card aimed at giving high protection against fraud, and in the case of microchips, the stored data would be the information printed on the card. No subsequent usage is foreseen. But a need for harmonization remains as to the validity periods and the periodicity of medical checks for professional drivers.  


Two aspects of the interoperability in driving licences are: the technical specification for the microchip and the standards related to the medical requirements and training; for example, the validity of the licenses and the medical examination frequency.  

