This document is a preview generated by EVS

Size: px

Start display at page:

Download "This document is a preview generated by EVS"

Egbert Lambert
5 years ago
Views:

1 CEN WORKSHOP CWA April 2005 AGREEMENT ICS English version Best Practice Manual for card scheme operators exploiting a multi-application card scheme incorporating interoperable IAS services This CEN Workshop Agreement has been drafted and approved by a Workshop of representatives of interested parties, the constitution of which is indicated in the foreword of this Workshop Agreement. The formal process followed by the Workshop in the development of this Workshop Agreement has been endorsed by the National Members of CEN but neither the National Members of CEN nor the CEN Management Centre can be held accountable for the technical content of this CEN Workshop Agreement or possible conflicts with standards or legislation. This CEN Workshop Agreement can in no way be held as being an official standard developed by CEN and its Members. This CEN Workshop Agreement is publicly available as a reference document from the CEN Members National Standard Bodies. CEN members are the national standards bodies of Austria, Belgium, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Slovakia, Slovenia, Spain, Sweden, Switzerland and United Kingdom. EUROPEAN COMMITTEE FOR STANDARDIZATION COMITÉ EUROPÉEN DE NORMALISATION EUROPÄISCHES KOMITEE FÜR NORMUNG Management Centre: rue de Stassart, 36 B-1050 Brussels 2005 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members. Ref. No.:CWA :2005 E

2 Table of Contents Foreword Scope Informative References Definitions and abbreviations Definitions Abbreviations Electronic Identity e-id card Interoperability requirements Levels of Risk and attendant identity assurance Drivers for the Public Sector: Vision and Benefits of e-id Card Drivers for the Private Sector Public/Private Partnership on e-id/ias services Multi-application Card Schemes Multi-application Cards Government issued IAS driven Multi-application Card Scheme Models Domains of e-id Card Applications Wider considerations Risk Analysis and Policy Management The Core Principles e-id card System Integration general policy guidelines Smart Card Scheme and Third Party Scheme Relationships Scope of Identity Management Policies Solutions Service implementation and legal/administration guidelines Legal framework for MA card with e-id/ias Cost management and transparency Privacy Code of Conduct Business Case Analysis Generic Considerations Risk Evaluation Methodologies System Integrator Role Cost Sharing Modalities Peer Support Mechanisms Good practices in egovernment IAS projects Participation in the Porvoo e-id Group

3 EXECUTIVE SUMMARY This document is intended for use by central government and local government smart card scheme operators. It provides guidance and recommendations on the practical operation and extension of schemes that exploit cards incorporating a reliable pan-european interoperable public e-id for identification, authentication and electronic signature services. In the context of this CWA, the Card Issuer supported by the Card Scheme Operator role, invites Service Providers to use the government e-id card IAS services for their own business. These providers may accept, refuse or negotiate details. In the event of a positive decision by both parties the card issuer may accept loading on-card data and applications in order to enable service providers offering their services. The rationale of the card issuer and service providers in establishing this partnership may include the desire to increase the value of the card to the benefit of their citizens and/or to reduce their costs. The main goal of this document is to help accelerate provision and take-up of such public-private initiatives in government issued IAS enabled multi-application card schemes. It is assumed that the card scheme has been established and therefore the emphasis is on operational issues and extension and evolution opportunities. The guidelines concentrate on the business and legal issues for service implementation and administration. Special attention is given to the risk analysis, business models and legal framework provisions for secure application download and delete mechanisms. Generic guidelines for cost transparency and privacy issues, and related features in some typical areas of application are included. 3

4 Foreword The production of this CWA (CEN Workshop Agreement) was formally accepted at the e-authentication Workshop's kick-off meeting on The document has been developed through an Expert Project Team and the collaboration of contributing partners participating in CEN/ISSS WS e-authentication, This CWA has received the support of the Workshop participants. A list of company experts who have supported the document's contents may be obtained from the CEN/ISSS Secretariat. This CWA consists of the following parts, under the general title 15264: Part 1: Architecture for a European interoperable eid system within a smart card infrastructure Part 2: Best Practice Manual for card scheme operators exploiting a multi-application card scheme incorporating interoperable IAS services Part 3: User Requirements for a European interoperable eid system within a smart card infrastructure This CEN Workshop Agreement is publicly available as a reference document from the National Members of CEN : AENOR, AFNOR, BSI, COSMT, DIN, DS, ELOT, IBN/BIN, IPQ, IST, MSA, NEN, NSAI, NSF, ON, SEE, SIS, SFS, SNV, UNI. 4

5 1 Scope This document is directed at central government and local government Card Scheme Operators. It provides guidance and recommendations on the practical operation and extension of government schemes that exploit cards incorporating a reliable pan-european interoperable public e-id for identification, authentication and electronic signature services. The focus is on business and legal issues required for secure application download and delete mechanisms and on secure management of the use of interoperable e-id functionalities by public-private commercial partners. Background, guidelines on requirements, main recommendations and best practices for use of reliable pan-european interoperable e-id/ias within an egovernment issued and public-private partnership based multi-application card scheme (MAS) are presented in the following sections. Electronic Identity Multi-application smart card schemes Risk analysis and Policy Management Service implementation and legal/administration guidelines Business Case Analysis Peer feedback and support mechanisms It is assumed that the card scheme has been established and that therefore the emphasis is on operational issues and extension and evolution opportunities. 2 Informative References Approach for business case analysis of using PKI on smart cards for government-wide applications / General Services Administration. Washington, DC: GSA, January Authentication for e-government: best practice framework for authentication / New Zealand State Services Commission, April ISBN (see Considerations for multi-application multi-sector smart cards (National Smart Card Project report WP3-01, December 2003) Cyber-security and the future of identity / Marc Bogdanowicz and Laurent Beslay (Published in The IPTS Report, Issue Number 57, September 2001) e-government Strategies: Best Practice Reports from the European front line / Jeremy Millard (PRISMA Project Coordinator) (see Electronic Identity White Paper v1.0 June 2003 prepared by eeurope Smart Cards / Trailblazer 1 Public Identity (Also published in Open Smart Card Infrastructure for Europe, Volume 4 March 2003) Electronic Signature and Digital Identity/ Guest Editors: Javier López-Muñoz, Apollònia Martínez- Nadal, and Ahmed Patel (UPGRADE: The European Journal for the Informatics Professional, Vol. V, No. 3, June The Estonian ID card and Digital Signature Concept: principles and solutions (Whitepaper, version March 10, 2003) 5

6 Framework to reinforce the exchange of good practices in e-government : a contribution to eeurope 2005 (Version 6, 20/04/2004) (see Government Smart Card Handbook / U.S. General Services Administration. February 2004 Identity management: a whitepaper / National Electronic Commerce Coordinating Council, KY December 2002 (see An Internet Business framework for government Agencies / Miriam Fergusson (Published in Electronic commerce: opportunity and challenges/ edited by Syed Mahbubar Rahman and Mahesh S. Raisinghani. Idea Group Inc., 2000) The legal and market aspects of electronic signature: legal and market aspects of the application of Directive 199/93/EC and practical applications of electronic signatures in the Member States, the EEA, the Candidate and the Accession countries / Jos Dumortier and others, (Study for the European Commission DG Information Society, Service contract Nr. C Final report October, 2004) Meeting on electronic identity management for egovernment: meeting held at EC-DG INFSO-C6 Brussels, 27 January 2004 / report by Marc Wilikens, JRC Open Smart Card Infrastructure for Europe, March 2003 Volume 3: Global Interoperability Framework for identification, authentication and electronic signature (IAS) with smart cards (includes Deployment Strategy) Volume 4: Public electronic identity: electronic signature and PKI Volume 5: Multi-applications (Trailblazer 7 Deliverables) (R)e-balancing government / Jeremy Millard (PRISMA Project Coordinator) (see Reachservices Broker Security model v June 2003 / Reach Agency, Dublin Specification and Guidelines of business cases / SINCE (EU contract IST ) November 2003 State of the art of Research on legal issues related to the Information Society technologies: contribution to the LEGAL-IST proposal Consortium to the e-business summit, Dublin, April 2004 / Gerald Spindler and others Summary of responses to the survey of legal and policy frameworks for electronic authentication services and e-signatures in OECD member countries (DSTI/ICCP/REG92003)9/FINAL, 3-Aug-2004 / Working party on Information Security and Privacy Working Document on on-line authentication services / Article 29 Data protection Working Party (1054/03EN WP 68, adopted on 29 January 2003 (see 6

This document is a preview generated by EVS

This document is a preview generated by EVS CEN WORKSHOP CWA 15264-1 April 2005 AGREEMENT ICS 35.240.15 English version Architecture for a European interoperable eid system within a smart card infrastructure This CEN Workshop Agreement has been