Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME 2013 Tuesday Session 1: eID in your country: where is it today, where is it heading?

Representatives from Sweden, Denmark, Austria, Netherlands, Australia, UK, Norway, US, Canada and Spain.

Swedish eID
----------
- Started in 2000, digital signatures was as valid as a physical signature
- PKI based
- Companies supplied to become issuers.
- Bank consortium (BankID)
- Bank
- Telco companies
- ID trusted by government
- Not issued by government
- 2011 BankID started using Mobile BankID
- Moving from old framework to new.
- SAML based
- eGov2
- saml2int
- Discovery
- Central metadata
- Central signing service


Denmark
----------
NemID don't use social security number. You can use your PID number to get a personal number.
- Started in 2002 a telco got a contract
- Software certificate
- Did now work, to difficult to use.
- 2007-2008, got a new contract with the banks.
- Everybody uses bank issued eID called NemID
- Mandatory to use if you want to for example use games on internet.
- Trade your house must be done
- Used by public and banks.
- Certificates stored centrally
- Banks use short term certificates
- Public use SAML
- Private websites can phish username and passwords.
- New initially coming to remove java applet.
- 1.5 million transactions


Norway
----------
- 3 different eID:s in Norway
- BankID by banks action as registration authorities
- Uses PKI and central run OSCP.
- 1.3 million transactions per day
- Mobile BankID with keys on SIM
- ByPass, card based certificate.
- National lottery
- other smaller
- They have a signing portal (saml based).
- No national ID cards in norway. 3-4 attempts to get it going but have not got it working yet.
- Users have a common secure login
- They have a solution to separate citizens and corporate where citizens can sign for corporates using own personal certificate.


UK
----------
- Id framework. idap.
- Announced 2 years ago with zero budget.
- Move gov services to the digital world
- They have selected 4 or 5 IDP to supply ID:s. (Paypal, Dutch DigiID pwc are behind it.)
- They are going to buy assertions from identity providers that provides LOA 1-3. LOA is defined per IDP.
- IDP and SP must be air gapped. How is that resolved?
- Go live September 2013. Not done yet.
- Will it be dumped?


Netherlands
----------
- Governance control signing
- Not used for authentication
- DigiID (username and password, self registered). Used by tax office, pensions and other government business.
- A-select based protocol
- Added SAML in a non standard way so that normal software don't work.
- National drivers license registration want to issue eID
- Bank uses OTP solutions, they have also set up a federation for online payments.
- Can't ask questions like "Is user over 16?".


Spain
----------
- Official electronic identity card. 2006.
- 47 million citizen's
- You get a new identity card when old does not work. will take 10 years. Is that to long?
- You have 2 certificates, one for signing and one for authentication
- Admin structure is a bit complex
- Wide range of different types of services.
- Before the official eID there was around 80 certificate providers that used software certificates.
- To use the card you need a card reader.
- Software is not user friendly
- When you get the card you get a PIN but it's never changed by users.
- ICT Literacy is a challenge
- Certificates
- You have to go to police station to unlock PIN using biometrics.
- You have to go to police station to get new certificate after 30 month.


Australia
----------
- Don't have anything centrally.
- And it's a lobby against it.
- There is a point system.
- You have to have a number of points to open a bank account.


Austria
----------
- Solved the air gap between the IDP and the SP.


US
----------
- NSTIC


Canada
----------
- Exiting things are happening!