The standards
The basic idea behind the X.509 PKI is to have cryptographically sound security mechanisms for authentication, signing and non-repudiation. Every individual entity in the PKI has its own key pairs (public-private), often several pairs for the different operations. For protection of the private keys, there must be ‘secure signature-creation devices’. This usually implies having smart cards and using secure smart card readers. The methods employed are those typically used within a financial institution, the military or even parts of a large private enterprise – where there is very strict control of the complete technical environment coupled with proper education of the end-users and support. However, these methods do not work in our open Internet-based world, where security starts and ends with the endusers – the citizens and their PCs. The resulting complexity leads to services being less attractive to use. Traditional pen and paper is easier and less obstructive than the technology designed to facilitate that very service.
A national perspective
The result of the legislation is that it has actually prevented the adoption of electronic identification instead of promoting it. The failure is evident by looking at what has been achieved so far. After 10 years of intense bureaucracy and tens of millions of Euros, we have still not been able to implement a national eID scheme in Sweden. Even though there is a Swedish national ID card (NIDEL) capable of holding an electronic ID, it is empty. The card is basically a brick! Essentially we are at the same point now as we were a decade ago. It is clear that something is fundamentally wrong.
In the end, it is always a question of resources. What prevents the national eID scheme from being deployed on a large scale is the unreasonably high cost per operation, in relation to the benefit. The high costs preventing the adoption of the solution stem from:
- the technical complexity which calls for extensive end-user education and rollout of special purpose end-user hardware and software
- substantial help desk costs to support end-users
- the tailoring of solutions for the single purpose of citizen-to-authority communication; relatively few operations will ever be made per eID
- the huge legal liabilities associated with the issuing of identities
- the high integration costs for the relying parties
- poor user experience – the security mechanisms are inherently insecure as people make mistakes – cases of fraud will have to be handled appropriately.
A provider of electronic identities will have to transfer all these costs, via the relying parties, to the end-users. The scheme will only be viable if these costs can be recovered from end-users. In the current proposal for a national eID scheme in Sweden the state would perform a co-ordinating function for the authorities by purchasing the services of issuing identities from private corporations. This service is unlikely to be cheap, which would prevent any commercial application. End-users would have to pay for it with higher taxes. In reality, therefore, the practical use of electronic identification will only happen when the tools for supporting it are significantly simplified.
Privacy concerns
Technical complexity is not the only concern with PKI. Even if every single European citizen had his or her own national eID with three individual key pairs, an individual ‘secure signature-creation device’ and the education to handle it, it would be unacceptable to use it for any other purpose than in communicating with financial institutions and authorities, because of the privacy concerns it raises.
The X.509 certificate carries all the information associated with the identity, and is easily copied into a database in every imaginable situation. It can be looked up in directories, it can be eavesdropped or cross-referenced with other databases, and there is no way of selectively hiding information. Engineers have been trying to compensate for these concerns with complicated cryptographic schemes built into the smart cards. But the functions do not fulfil their purpose; if it is not evident for the card-holders how or even if their identities are protected, then the function is not useful. The holders of identity cards must be in control of the mechanisms that allow them to use the identification service in a safe manner. It must be evident what actually happens, what information is revealed, to whom and when. The user must be given a chance to cancel the operation before the information is revealed and, in the case of accepting an agreement or signing, to see what is actually going to be signed or agreed. These safety controls should be fulfilled by any national eID scheme.
The way forward
Fundamentally, there needs to be a costbenefit analysis of eID, where the costs in complexity are compared with the risks we are trying to mitigate, i.e., the benefits of a security mechanism. In some sectors, strong cryptography, legislation and cryptographic signatures are necessary – where there are substantial risks involved that justify the use of this technology, and where the inertia and stability of a strictly controlled environment are advantages rather than deficiencies, such as in the financial sector.
However, in almost every other case, the risks do not in any way justify the costs of the qualified certificates. Given this, it would be better to design an entry-level solution for eID, which is:
- cheaper and suitable for all applications – authorities, commercial and non-profit
- easier to use and deploy
- and allows for protection of our personal data.
A good solution is to build upon the concept of identity providers – a broker of identity information which performs the identification process and relays relevant information to the relying parties. Upon successful identification in a particular context, the identity provider would issue electronic tickets for this specific context, assuring the identity of the holder, and would attach the relevant identity information. There is a unique identifier for each relationship, which cannot be crossreferenced with other relationships.
The identity provider would also be able to collect meta-information related to the subjects, such as if they are the authorised signatory for an organisation, have a medical license or are a student, or even to include a private name space for the corporation where they are currently employed. This system would allow for much greater flexibility than having separate identities for each context, as proposed by others.
Before a successful identification the user would be presented with the information agreed to be released to the relying party. At this point the user would have the option to accept or cancel, which makes it easy to fulfil legislative requirements such as Directive 95/46/EC on the protection of personal data.
Several independent identity providers can interoperate within a federation. The federation would establish policies under which identity providers should issue and handle identities. Identities within the federation would be interoperable and only the data exchange protocols would have to be co-ordinated. Such protocol already exists, e.g., the Security Assertion Markup Language (SAML) version 2, as standardised by the Organisation for the Advancement of Structured Information Standards (OASIS).
The means for users to identify themselves could vary. Different situations may require different assurance levels, which would allow users to select the technical solution that best fits their needs in every situation. National eIDs, in the rare cases they actually exist, could be used as one. Arbitrary security tokens could also be used as long as they comply with the policy for that assurance level within the federation.
This would enable all existing and future technical solutions for identifying ourselves to be deployed, to protect an individual’s identity information and preserve anonymity, while also enforcing legal responsibility for actions taken online. Both the qualified certificates and other means for identification would also be held in the same infrastructure.
Accepting agreements and contracts could be achieved by having a trusted third party, an electronic variant of notarius publicus, signing the document while asserting both parties have accepted the content. The environment provided by the trusted third party would be harder to manipulate than the end-user’s PC, and would also provide a better user experience by presenting the exact contents of the agreement.
Start simple
We should try to start simple and solve the most urgent problems first. Solutions must be designed to meet demands from all sectors and to provide the usability and protection of personal data as needed for everyday use. Basic cost-benefit analysis can identify which technical solutions are feasible and justified. However, it is important to understand that the concept of identity providers is not mutually exclusive with the use of national eID, which would enable us to move forward in a rational way, fulfilling all the requirements for a sound and reliable solution for identification. The certificates in a national eID scheme may be used just as any other reliable means of identification to the identity provider. End-users’ methods for identification are totally transparent to the relying parties, and are therefore irrelevant. The identity provider will supply the proper protection of personal data. Let’s move forward in this rational way.
The idea in this article originally appeared in the ENISA Quarterly Review, 3rd Quarter 2008. www.enisa.europa.eu/eq