PKI (digital ID security services) extension of RESPONSE ON CONSULTATION DOCUMENT ON THE FINAL REPORT OF THE EXPERT GROUP ON E-INVOICING

Transcription

1 Datum: (6). Commission européenne Internal Market and Services DG BE-1049 Bruxelles PKI (digital ID security services) extension of RESPONSE ON CONSULTATION DOCUMENT ON THE FINAL REPORT OF THE EXPERT GROUP ON E-INVOICING Alphabet AB has been answering the EC questionnaire based on the final report of the expert group on einvoicing. Alphabet would like to extend this response with a special topic, PKI digital certificates, ID-cards. A total absence of security systems and solutions available for SMEs and private persons. PKI means encrypted business protection administration and is a developed security technology that would make a big difference in security and efficiency in electronic invoicing and business. The main problem is to make it work in all member countries of the EU, set up a market available for all and to reasonable costs. However it would be much more efficient if the EC organise a hierarchical PKI strategy and service system serving ell the member states of the union. Digital identities is not a national related issue, and is better made in a common process. The EC report on einvoicing, only mention this topic very brief and it is a strategic implementation topic. Alphabet highlight it as a future fundamental base technology of the EU electronic invoicing strategy. Because of this Alphabet AB suggest the EC to start a study on this topic of PKI and digital as well as human physical IDs (including the Schengen aspects) should be available for all parties on an equal bases. This in the interest of the common free trade in Europe, including the electronic invoicing and electronic business administration task, Alphabet AB suggest the EC to create a single EU PKI and ID strategy covering all needs and all possible users including SMEs, private and legal person trustee needs. Enhancing over internet as transport protocol of electronic invoicing should be included in the strategy. PKI, encryption and protection systems of data, data transfer and systems The last years the PKI technology has been developed in to commercial product systems and trustee relations and could turn into infrastructure. This technology is very interesting in securing information, in closed user groups. And matters like System access security are much needed. We are talking about business relations, like clients and consultants relations, like the accountant/audit consultants where they would be able to create secure relations zones with its clients. But also where the consultant is able to live in secure professional zones together with their Alphabet AB, SE Adress: Internet: Telefon: S:t Eriksgatan 48 jan.bergstrom@alphabet.se Stockholm, Sweden

2 2 special interest organisations or information providers support. Zones of certified customers and suppliers and in procurement relations. It is something that is very attractive to every party and every type of user companies. It is something that is also related to electronic invoicing. There are two main problems with this technology: o The introduction, installation and maintenance processes are complicated and need in-house expert staff to run it and consultant experts to install it. We need standard SW products. o Local trust capabilities of closed user groups are in general made non -available by the issuer of the trust security systems, the main issuing CAs. General public digital IDs CAs has switched off the ability to allow local lower level CAs to operate. Levels like small user, customer, client, interest groups and smaller companies system access security needs. It means the entire PKI technology is only available for large companies and organisations, due to that they pay for huge project implementations, like implementations for a hospital or a police organisation. For the large it is more expensive than necessarily, due to this structure. It means SMEs are only allowed into it as customers (of banks, tax authorities etc). So PKI is not available for SMEs in electronic invoicing, and in fact a really wanted feature for all. This topic should be in the attention of the EC regarding electronic invoicing. It would even be possible to think of cases where a family, likes to have their own trusted closed user group of the computers and data, if it would be available easy and cheap. The market is not free and it will not appear without decisions and most likely political initiatives are needed Noticeable is that the last versions of for instance Windows (after Windows Me) do not even have any single users encryption features. Users would like to have one physical ID-card that they can use as a digital ID-card attaching it to a reader, doing all kind of login services with computers as well as other encryption or identification needs. National or private CAs Some of the EU member states governments have built up national trustee systems based on governmental CAs. In such cases often the same authority is the issuer of physical ID cards. These countries like Finland and Estonia has much better service to SMEs and private users than countries that hasn t national governmental CAs. But far from everything is available even there, for the small. However users in countries with only private CAs are completely restricted to the issuer s policies. Often banks or joint PKI-groups of banks do have private CAs services available. But most of these actors have switched off this ability of lower CAs to issue extra certificates. Manly due to the fact nobody pays for the support and it is not in the issuing party s interest to make local lower level CAs operations available on their main ID-carrying media (ID-cards and PKI-SW). There is a slight difference in basic interest in national or huge private companies acting as CAs. But in general the needs of the SMEs are often not understood by even governments and the solutions stay poor. An EC based CA hierarchy could be a solution to make PKI available for every level and business of the society of the EU The basic problem is in the top of the CA hierarchy is not seeing any need or commercial possibilities of creating room for lower level CAs. Some governments in the EU might get a full understanding of SME and even private persons need for PKI. But the problem is that it is very unlikely all governments of the EU would understand the issue.

3 3 It is unlikely national PKI solutions would integrate into one market, and PKI isn t restricted to states or national interests. The EU with its EC Internal Market and Services DG has interests in a well working common business environment. It could very well set up a CA policy and operate a CA hierarchy for all its member states, all business and citizens. The EC Internal Market and Services DG could have the political statement to secure PKI availability in every level of business of the society in all its member states and common for all the union. Organisation of a CA hierarchy The EC Internal Market and Services DG could create a sub-division organisational body, as a top-ca. From it, a hierarchy of sub-cas operating according to a specified EC structure and regulation, doing all the service for every level and business of the society of all the EU. The sub-cas could be banks, authorities for their own needs. But for SME, member organisation, their clients, families and even private persons needs special sub-cas or CA agents. Sub-CAs or CA agents providing this services, that could be like ISPs or web-hotels doing domain services for customers. A Sub-CA setting up the small closed user groups and security systems, based on the basic digital identity. The PKI service agents like internet web-hotel providers would do this service as a part of their services they offer their customers. They have the skill being able performing it after instructions and education. The problem of legal persons certificates In Sweden we have a problem with legal persons digital certificates, there are none. The electronic VAT reporting is a typical example. The VAT administration of the tax authority introduced eskd, an electronic reporting service of VAT declaration. The tax authority supports a number of PKI systems allowing users with such digital ID to access this VAT reporting service. It meant that the tax client managing director was able to get a digital ID from the bank, digitally report VAT and sign it to the tax authority. However the volumes did not come. The problem was identified as who the people signing the manual VAT reports really were. Often, they were not as the law prescribes, the managing director. It was the wife, the accounting consultant, the economy manger etc signing it. In many cases the managing director did commanded them, to do it. This lead to a change in the law allowing delegation of the signing responsibility to someone else, like the wife, the accounting consultant, the economy manger etc to do it. They filled in a form, and it was OK, This in turn lead to the problem that the employees of the accounting consultant companies started to make objection arguments, It is not me, but the accounting firm that in fact is the trusted party, by the customer!. There is also a problem when people stop working for a trusted party, having the rights still a long time after quitting. And it takes a long time for the new employed to get the rights. Having to run to the customers getting the forms signed again. In fact the problem is that it is a legal person and not a physical person, really is the trustee. The em ployees also complained they did not want their private SW certificates be installed on their employers computers. HW human ID cards are much better in this respect, everything personal is carried with the user. With a physical ID-cards, such is not lent out to others. This means that an ID security system must be able to handle legal persons trustee rights. One person representing the legal person must be able to tell (as a kind of sub-ca) who belongs to the trustee group of the legal person, and it must work with the tax authorities trustee system. Today this is not possible in Sweden and very annoying.

4 The media, a standardised EU ID-card? The other side of this topic is the issuing media, the physical ID cards carrying the digital ID-data for ID-card readers to read, also need to be organised in the same project. It is very important to have physical human ID-cards available and all parties wants them the same as the carrying card of the digital ID. Digital IDs are useful and could solve many problems with physical IDs today. In the Schengen system the ID-cards are a central topic. This issuing process of physical ID-cards could also be organised in a hierarchy by the EC Internal Market and Services DG certified physical ID-card issuing parties.. Such certified physical ID-card issuing parties could be authorities but also private companies like banks or trusted specialised Id-card issuing companies in a free market of competition. Driving licences all over Europe could be integrated, and really a digital ID quality of the card. The problems of national physical ID-cards The Schengen agreement forces the members from 1990 to issue IDcards according to the agreement creating the pass free travel zone. However the Schengen ID-card regulations demands some extra data like nationality and place of birth. Something that as soon as the Schengen agreement was signed by Sweden, a law stating information of place of birth and nationality to be intruding the private integrity. So Sweden refuses to issue ID-cards with the full Schengen regulations. Almost nobody cares but some is a huge security risk In practice this means that no Swedish ID-card is valid for Schengen travel, but almost nobody cares. Showing a Swedish driving licence (the same issuing technology as Swedish private ID-cards) is completely acceptable for all airlines, except Ryan air, Norwegian and Baltic air. Most likely acting on the instructions from the Swedish government, stating Swedish ID-cards are not valid for Schengen travel. Other flight companies act most likely from other countries instructions. The German customs, the French gendarmerie and the Greek police certainly find these Swedish ID-cards OK. I tried. Many thinks that the Swedish government want to lock in their citizens involved in special legal cases, this way. Passports can legally be withdrawn, and travel restrictions announced, but ID-cards can not be taken from the user. There is a long tradition of taking the passports for people considered in risk of leaving the country facing legal charges. The Schengen agreement threatens to wreck this tradition because in practice it is impossible to keep people in the country the Schengen way. In anyway this has caused a situation where the third party the EU and Schengen citizens of Sweden are in doubts of their Schengen rights are valid, if the flight companies will make troubles at the airport or not showing the ID-card. This is not the standard, the Schengen agreement is meant to be and this uncertainty is limiting the free trade of Europe and Swedish business. Standardised EC ID-cards? There could very well be other countries making the same kind of fuzz to their citizens trying to invoke past rights signed off with the signing of the Schengen agreement. This is something the EC Internal Market and Services DG should not support and actively try to find good solutions for all the citizens of the EU according to the Schengen agreement. ID cards should be seen as private security, not state security. Making standard Schengen ID-cards with both physical and digital IDs makes such information printed on the cards like place of birth 4

5 5 and citizenship obsolete. It can be removed from the Schengen ID-card specifications. A standard handheld reader IP-communicating over mobile phones in the pocket over Bluetooth could make any standard equipped officer of any authority able to read the digital content and connect to the ID-service database of the Schengen agreemen t. Standardised ID-cards are much easier to read and is safer for all. It should be stated it is illegal to take an ID card from a person. The ID card should both be a personal object and seen as the users private integrity. It should be seen as the key to rights, not to be governed. Something that could by the EU be established as human personal rights with the UN and in international agreements between governments. It would also with ID-cards with digital data telling it, solve a huge problem for refugees not being approved refugee status yet. Private specialist companies issuing ID-cards? By tradition ID-cards in Sweden has been privately issued by the post, the banks, the authority the user serves under or private employers. Usually performed by ID-card issuers like ID-kort and Rollfilm. The governmental issuing of Swedish national ID-cards of Schengen has wrecked the structures of private issuers of ID-cards to a very large extent. And ID-card security availability in Sweden is today much lower than before the EU and Schengen membership. The private issuer aspect of the past in Sweden is very much in line of the common market and free competition idea. The moving the issuing to the police and the tax authority, has increased the customers costs at least five times without any obvious increase in production costs or security services. The increased price is just a matter of market or authoritarian price setting. Cards were issued by any post or bank office. The police and the tax authority has one office each, in a county. So there are good reasons to organise an issuing policy of physical IDcards with digital ID card carrying facilities from an EC based trust. A trust that could be decentralised to certified private com panies and authorities in competition. Giving good service and good pricing for a good standardised security service for all use for all parties in the EU. Together with a structure of a hierarchy of PKI CAs or agents it will give the users the right tools for trade, business and private travel and security needs of all cases. It will make it possible to solve this security issue for electronic business and administration like einvoicing. An international service A service hub set up by the EC (most likely in a sub-organisation) could very well supply this service world wide, on the same basis as for their EU member state citizens. Many countries outside the EU has no capabilities of performing such systems for their own countries and we have seen the local national fuzz with present regulations in the EU. In fact the IDs are not related to states and nationalities but to human individuals, so configurations of trusted groups of users. Something that is important available for all, even SMEs and private persons as a part of the free trade of Europe. It would benefit Europe s trade relations with other countries all using the same ID system. So there is no reason not issuing rights to hierarchies stretching out of the borders of the EU, on the same basis as inside the EU/Schengen area. The digital data in the card has different context for different users. Standard computer solutions providers Another problem is supply of HW and SW solutions. Card readers are cheap today and in many cases available built into PC notebooks.

6 But the SW packages and the installations of the PKI systems are huge fuzz. Systems are usually indeed SW OS dependent proprietary solutions and takes a day or two to install by a specialist consultant. There is because of this a need of much better standardised technical SW solutions and a need for PKI service providers. SW solutions possible to be bought standard packages and a funding of mainly open source solutions development for any OS are wanted. The PKI service providers could very well be the web-hotel providers putting up PKI servers supplying their customers with these special PKI solutions. The present PKI system suppliers in Sweden are busy and can t expand fast enough, to take care of all customer needs. 6 Suggestion Certainly I am not the man to tell exactly how, but the EC could very well start an expert group solving these practical tasks. Alphabet AB suggest the EC commission to take up a study of how to solve the PKI and ID topics in general and all its side tracks to solutions equal available for all, all of our business and private society. I like to highlight this issue and I hope you see our points of this topic. Another security topic related to einvoicing security track ability It is not possible to get volumes of einvoicing based on leased https based services of einvoice exchange service providers. Systems like the internet bank and other companies supplying this kind of service. The reason is that a majority of the companies in the EU would never pay the fees or buy the technical solutions of these systems, voluntarily. The second reason is that this einvoicing market must include private users and SMEs only having an reader to receive einvoices and treat them as physical invoices, only receiving them in digital form. Volumes of electronic invoicing would not be developed if we do allow such technical restrictions. Not being service minded enough the PDFs over , could also win the competition and the entire project goes bust. And we need a solution possible to grow with, XML with XSL (or something). We need an based transport standard of einvoices. As the report of the expert group notes the protocol gives in the transport protocol itself, no security in the content of the invoices themselves. There are however two factors that are important to notice: o If a PKI solution covering all citizens of the EU in all levels of business and private use is developed, such security is possible. o The major problem with the SMTP and POP server protocols are that the issuer is not traceable and leaves an open space for spam and fraud. A new generation server protocols handling traceable s and readers notifying the user if it is, would make a difference. Very likely, soon many users would switch and only receive and read traceable s, getting protection against spam mail, this way. This view makes the protocol, the security and traceability topics very interesting to have investigated and solutions presented. Alphabet AB is suggesting the EC to start such a study. Jan Bergström / Alphabet AB There is also a special sidetrack and that is supply of standardised PKI solutions for data transfer like between mainframe systems of data files, where no persons are directly involved, but regular batch jobs.