PKI in Sweden

1
PKI in Sweden
Björn Scharin Swedish Agency for Public
Management
2
History 1

• Smart card authentication within the
  administration since 1994? all terminal cards
• The National Social Insurance Board
• The National Tax board
• The National Police Board
• etc
• SEIS Secure Electronic Information in Society
• Standardisation of CP, certificates, cards etc
• Interoperability testing tool SAT

3
History 2

• Framework agreements electronic identity cards
  1999
• feedback to complicated to purchase
• low volumes
• A number of investigation on the future way
• Qualified Electronic Signatures Act (SFS
  2000832) 2001-01-01

4
CATCH 22

• Public organisations find no motivation to build
  net based services when there are so few people
  in Sweden that can be electronically
  authenticated and present safe electronic
  signatures.
• Swedish people will not purchase smart cards or
  other electronic means for identification when
  there are so few public services to use.

5
Conclusions from different investigations

• One identity to reach all agencies (National ID
  number in certificate)
• Build on investments in the market (public
  procurement)
• Organisations which already has an Infrastructure
• Organisations which has a large number of
  Identified customers
• Focus on formats and not on where the the keys
  are stored - advanced electronic signatures -
  good enough
• The agencies shall pay for certificates or usage
• As easy as possible for
• 1. The citizen
• 2. The agency

6
Commission from the ministry of Justice in
December 2000
The Swedish National Tax Board in co-operation
with The Swedish Agency for Public Management,
The National Social Insurance Board and The
Swedish Patent and Registration Office has got
the responsibility to

• During an introductionary phase co-ordinate the
  administration of certificates for electronic
  identification and digital signatures in Swedish
  public services.
• Evaluate the activities and report to the
  Government before March 1st 2003

The Project
7
.
The Project

• Draw up common guidelines and routines for the
  use of certificates in public services.
• Co-ordinate the demands and needs of public
  services on the event of procurement of public
  certificates and services for identification and
  electronic signatures.
• Co-ordinate common needs and services to build a
  well functioning infrastructure for the use of
  electronic signatures in public services
• Take care of information and guidance to public
  services in these matters

8
The Project
Deliveries

• Report September 2000 strategy for dissemination
  
• Requirements for framework agreements
• Analysis of (large) agencies needs for
  electronic identification and signatures
• Publication Guiding principles for use of
  certificates etc in public services
• Publication Guideline on the use of electronic
  identification and signatures in the public
  sector
• Coming activities
• More guidelines
• Marketing and information
• Co-ordinated purchases from the framework
  agreements

9
Build a PKI Bottom Up
10
The two parts of the Framework agreement
PERSONAL ID (PID)
SERVICE ID (SID)

• Certificate describing a person as an individual

• Certificate describing a person as an employee

11
Personal ID
PERSONAL ID (PID)
SERVICE ID (SID)

• The Service Electronic identification
• Agency identifies citizen
• Citizen identifies agency
• Agency stamp

• The Product Build your own PKI
• Agency identifies employee
• Agency identifies organisation
• Agency identifies function
• etc..

12
What we have purchased
CA
24h-Agency
Citizen
13
Bottom up problems
Co-operation between the vendors
24h-Agency
14
Requirements
15
PID vendors
POT 2 500 000
Today 70 000 POT 1000 000
OWN
Today gt50 000 POT gtgtgt
OWN
OWN / Verisign
Today 70 000 POT gtgtgt
16
Service ID
SERVICE ID (SID)
PERSONAL ID (PID)

• The Product Build your own PKI
• Agency identifies employees
• Agency identifies organisation
• Agency identifies function
• etc..

• The Service Electronic identification
• Agency identifies citizen
• Citizen identifies agency
• Agency stamp

17
Build your own PKI
AGENCY
Producer of keys
certificates and
revocation
information
CAC
Software
VENDOR
Server
18
Requirements
19
SID vendors
SMARTTRUST PERSONALSECURE OFFICE
POSTEN / INTEGRIS
SMARTTRUST PERSONAL
POSTEN
SMARTTRUST PERSONALSetCSP
TELIA / (VERISIGN)
20
One electronic identity for everything
PID
SID
Front office
Back office
21
One agencys total cost
Bankernas ID-tjänst Nordea
Posten and or Telia Posten/Telia

Svensson
Svensson
Svensson
Basic fee
Transactions fee
Relying fee Relying fee

• Cost of using certificates paid for by another
  organisation or by individuals

Cost of certificates

• Cost of using certificates issued by the banks.
  No cost for the certificate pair

• Cost of buying certificates

22
Conformance to the draft TB1 minimum requirements

• Certificate format - ok
• Not yet any qualified certificates
• Business model where the revocation information
  CRL/OCSP arent always free
• The most spread certificates to the public in
  Sweden, will probably be soft