Principles & Guidance for eidas interoperability track eidas and IAM working side by side 14 November 2017


1 Principles & Guidance for eIDAS interoperability track: eIDAS and IAM working side by side. 14 November 2017, Brussels

2 Contents: 1. Objectives of this presentation; 2. The identity and trust marketspace; 3. eIDAS nodes; 4. IAM and eIDAS working side by side

3 Objective of this presentation: to present a short overview of today's eIDAS market in view of the evolving Identity and Access Management (IAM) market; to introduce the national 'eIDAS node' concept; to illustrate how the solutions offered through the system of eIDAS nodes can contribute to addressing the challenges faced in today's IAM projects; to discuss emerging trust models.

4 The eIDAS identity and trust marketspace (diagram). Regulatory & legal layer: endorser (DG CONNECT, eIDAS) and enforcer (courts). Demand side: business users, with influencers & associations and intermediaries & facilitators (IT consulting, law consulting). Supply side: technology providers, hardware producers, systems providers and integrators, linked to the demand side by business interactions and trust interactions. eID pillar: national competent authority and the ID assurance process. eTrust services pillar: trust supervisor, trust assurance process and trust anchor.

5 Overlapping service providers (random selection): certification authorities, digital signature specialists, software / document management companies, digital security companies, postal operators, telco providers.

6 GSMA's MobileConnect

7 Eduroam: Eduroam (education roaming) is the secure, world-wide roaming access service developed for the international research and education community. It is based on a network of RADIUS servers. Eduroam's coverage map (dark blue means covered).

8 ICAO 9303 e-passport infrastructure
- Part 1: MRP, Machine Readable Passports (2006). Volume 1: MRPs with Optical Character Recognition. Volume 2: Specifications for electronically enabled passports with biometric identification capability.
- Part 2: MRV, Machine Readable Visas (2005).
- Part 3: MROTD, Machine Readable Official Travel Documents (2008). Volume 1: MROTD with OCR. Volume 2: Specifications for electronically enabled MROTD with biometric identification capability.
The Supplement includes the latest specifications that have been adopted by the TAG/MRTD and will be incorporated into the next edition of Document 9303.

9 Automatic Border Control based on ICAO 9303: document/chip check against security features; document holder versus document bearer check; SIS/VIS checks.

10 eIDAS: the big picture. Interoperability and cross-border basics: eIDAS (Regulation (EU) 910/ and its implementing acts) created the legal foundation. STORK / STORK 2.0 / e-SENS created the technical interoperability for identities: working software, a reference implementation and community building. The Connecting Europe Facility (CEF) funds Member State implementations; INEA (Innovation and Networks Executive Agency) manages CEF. The Internet philosophy is complemented by the European Interoperability Framework (EIF). For the eIDAS technical specifications (TS): CEN and ETSI via Mandate 460 funding (a mandate to create standards supporting eIDAS). Status:

11 eIDAS interoperability infrastructure: eIDAS nodes. CIR (EU) 2015/1501, in particular Article 12 thereof, introduced the possibility to implement the interoperability framework by developing technical specifications. The version 1.0 technical specifications consist of four separate documents, each concerning a specific area:
- eidas_message_format_v1.0.pdf
- eidas_interoperability_architecture_v1.00.pdf
- eidas_-_crypto_requirements_for_the_eidas_interoperability_framework_v1.0.pdf
- eidas_saml_attribute_profile_v1.0_2.pdf
Available at:

12 eIDAS and IAM working side by side, Scenario 1: eIDAS directly. Diagram: a consumer in one Member State, covered by an eIDAS scheme (credentials issued from an authentic source), accesses a service provider in another Member State that runs a non-eIDAS scheme. Assume no IAM at the SP. If the consumer is from a notified eIDAS country, reliance can be taken on its scheme. eIDAS scheme: state-guaranteed cross-border identity recognition.

13 eIDAS and IAM working side by side, Scenario 2: eIDAS as bootstrap. Diagram: the consumer's eIDAS-scheme credentials (issued from an authentic source) are used for on-boarding at a private scheme, e.g. a bank or telco, which issues its own credentials; the result is a derived scheme that can be used towards a non-eIDAS scheme in another Member State. Examples: Belgium: itsme (4 banks, 3 telcos); Germany: Verimi consortium (Deutsche Bank, Deutsche Telekom, Axel Springer, Daimler, Lufthansa, ...). eIDAS scheme: state-guaranteed cross-border identity recognition.

14 eIDAS and IAM working side by side, Scenario 3: eIDAS step-up for a private IdP. Diagram: the consumer authenticates with credentials of a private scheme; when higher assurance is needed, the private IdP steps up to the eIDAS scheme of Member State A to reach an eIDAS level of assurance (LoA). eIDAS scheme: state-guaranteed cross-border identity recognition.
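As an added example for the step-up scenario (not code from the presentation): a relying party that normally trusts a private IdP checks whether the current session already meets the eIDAS level of assurance a sensitive operation requires, prepares the step-up request to the eIDAS node if not, and refuses a step-up result that falls short. The Session shape, the private scheme's context URI and the entityIDs are constructed for the example; the LoA URIs are the ones the eIDAS SAML message format uses.

```python
from dataclasses import dataclass

# eIDAS levels of assurance as carried in the SAML AuthnContextClassRef of an
# eIDAS assertion (eIDAS SAML message format), ranked low < substantial < high.
EIDAS_LOA_RANK = {
    "http://eidas.europa.eu/LoA/low": 1,
    "http://eidas.europa.eu/LoA/substantial": 2,
    "http://eidas.europa.eu/LoA/high": 3,
}

@dataclass(frozen=True)
class Session:
    """What the service provider knows about a logged-in user (constructed shape)."""
    subject: str
    issuer: str          # entityID of the IdP that issued the assertion
    authn_context: str   # AuthnContextClassRef from that assertion

def eidas_rank(authn_context: str) -> int:
    """Rank of an eIDAS LoA URI; a private scheme's own context class (or any
    unknown URI) carries no eIDAS assurance and ranks 0."""
    return EIDAS_LOA_RANK.get(authn_context, 0)

def needs_step_up(session: Session, required_loa: str) -> bool:
    """True when the session falls short of the eIDAS level an operation needs.
    'At least' comparison: an assertion at a higher level is accepted, matching
    the minimum semantics of eIDAS authentication requests."""
    if required_loa not in EIDAS_LOA_RANK:
        raise ValueError(f"not an eIDAS LoA URI: {required_loa}")
    return eidas_rank(session.authn_context) < EIDAS_LOA_RANK[required_loa]

def step_up_request(required_loa: str) -> dict:
    """Parameters for the AuthnRequest sent to the eIDAS node for the step-up:
    the LoA as RequestedAuthnContext with Comparison 'minimum' (the node may
    return a higher level) and ForceAuthn so the user is re-authenticated
    rather than served from an earlier session."""
    if required_loa not in EIDAS_LOA_RANK:
        raise ValueError(f"not an eIDAS LoA URI: {required_loa}")
    return {"RequestedAuthnContext": required_loa,
            "Comparison": "minimum", "ForceAuthn": True}

def accept_step_up_result(session: Session, returned_context: str,
                          required_loa: str) -> Session:
    """After the step-up, raise the session's assurance only if the returned
    eIDAS level actually meets the requirement (never accept a downgrade)."""
    if EIDAS_LOA_RANK.get(returned_context, 0) < EIDAS_LOA_RANK[required_loa]:
        raise PermissionError("step-up did not reach the required eIDAS LoA")
    return Session(session.subject, session.issuer, returned_context)
```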

15 KYC/AML regulation (Know Your Customer / Anti-Money Laundering). Current AML legislation is based on:
- FATF Recommendations
- Directive 2005/60/EC
- Directive 2006/70/EC
- National law
Directive 2015/849 (4AMLD) entered into force as of June 26, 2017 but is not yet fully transposed on a Member State level. The European compromise text issued on October 28, 2016 (5AMLD) introduces amendments to 4AMLD related to the use of electronic identification and trust services (as per the eIDAS Regulation) for KYC on-boarding, accessing funds and/or tracing electronic transactions. Face-to-face application/verification: Customer Due Diligence (CDD). Remote application/verification: Enhanced Due Diligence (EDD).

16 eIDAS in KYC: on-boarding phases (Know Your Customer).
- Application: client application providing the required identity and KYC attributes for later verification and collection.
- Verification: authenticity check of documents; identity check of the applicant; anti-fraud check of the document and the applicant.
- Collection: how the attributes are collected and documented.
- Management: how the collected attributes are managed. This phase may be recurring.

17 Know Your Customer: eIDAS support

18 Know Your Customer: eIDAS support. QWAC / trust mark; corroborating information with e-signature or e-seal.

19 Emerging trust models: roles. Diagram: the roles Endorser, Enforcer, Functional and Consumer; a Consumer 'interacts with' a Functional entity. Entities (persons, enterprises, legal persons, automata) are free to interact. Such interactions take place because the entities expect to obtain utility from the interactions. Prior to such interactions, entities may be interested in obtaining some comfort regarding the actual existence and qualifications of their counterparts in the interaction.

20 Emerging trust models: roles. Diagram adds Evidence, Claim and Status: both the Consumer and the Functional entity 'do invoke' evidence services and 'claim effect'. To ensure the utility of the interaction is realised, participants may call upon services that do not directly contribute to the functional aspects of the interaction, but rather provide evidence that the interaction took place, and under which conditions. The invocation of such evidence services may lead to beneficial effects by providing proofs of the commitments of participants during the interaction, or by guaranteeing the moment in time an interaction took place, or the order in which interactions took place.

21 Emerging trust models: roles. Diagram adds monitoring and assurance roles: an EvSP Monitor 'does monitor' Evidence, a CsSP Monitor 'does monitor' Claim Status, an Evidence Assurance Assessor and a Claim Assurance Assessor 'do assess' them, and the assessors are linked by 'does appoint' relations. There are many sources of information available, and an entity may also provide information about itself. Furthermore, there is a high variation in the degree of control over information sources, but there are no globally accepted semantics.

22 Emerging trust models: roles & artefacts. Diagram adds the artefacts Rulebook, Interaction, Evidence, Claim and Claimed Effect: the Consumer and the Functional entity 'participate in' an Interaction; Evidence 'is generated from' the Interaction; a Claim 'is generated by' the invocation; Evidence 'does support claim' and a Claim 'does support effect' (the Claimed Effect). The EvSP Monitor, CsSP Monitor, Evidence Assurance Assessor, Claim Assurance Assessor and 'does appoint' relations are as on the previous slide.

23 Further references: 'Overview - eID' (created by the German company ecsec)