AK IT-Security 1. Representation with electronic mandates. Bernd Zwattendorfer, Graz


1 AK IT-Security 1: Representation with electronic mandates (Graz). The E-Government Innovation Centre is a joint institution of the Federal Chancellery and TU Graz.

2 Overview
» Motivation
» General Information
» Types of Representation
» Mandate Approaches
» Mandates within the Austrian e-Government
» Electronic Mandates
» Architecture
» Login Process Flow


4 Motivation
» Login
» Identification/Authentication
» Electronic Signature



8 Why Mandates
» Bilateral authorization for certain actions
» Company representatives and association representatives: a bridge between non-natural and natural persons
» Professional representation (accountants, lawyers)
» Official representatives


10 Types of Representation
» A natural person representing another natural person
» A natural person representing a legal person
» A legal person representing a natural person
» A legal person representing another legal person/entity

11 Mandates - Vocabulary
» Mandator (Machtgeber or Vertretene): the person on whose behalf an action is performed. The mandator is the original holder of the rights and roles concerned.

12 Mandates - Vocabulary
» Representative (proxy; Machthaber or Vertreter, Bevollmächtigte): the person acting on behalf of the mandator. The rights or roles have been transferred to the representative via the mandate. Transferring these rights (roles) does not change them for the mandator, who keeps them.

13 Mandates - Vocabulary
» Intermediary (Intermediär or Mittler): the person acting as a broker between the mandator and the representative in the process of transferring rights between these two parties.

14 Types of Mandates (diagram: Mandator, Intermediary, Representative; ref: Rössler)

15 Types of Mandates
» Bilateral type (direct representation)
  » The mandator empowers the representative (proxy) to act in her name.
» Substitution type (indirect representation)
  » The mandator empowers an intermediary.
  » The mandator allows the intermediary to empower a substitute to represent the mandator.
  » The intermediary chooses a substitute (the real proxy) to act in the intermediary's name.
  » Intermediary and substitute can both represent the mandator.
» Delegation type (direct representation)
  » The mandator empowers an intermediary.
  » The intermediary acts in the name of the mandator and empowers another entity (the proxy) to act in the name of the mandator.
  » The proxy becomes empowered to act in the name of the original mandator.
  » The intermediary, not the mandator, establishes the relation.


17 Approach 1: Free Text Mandate (dates and amount not transcribed)
"I, Alice A., born on …, living in Graz, authorize Bob B., born on …, living in Vienna, to represent me at the Big-Money-Bank.
The mandate covers:
- Dealing in stocks
The representative is not allowed:
- To execute deals over … Euro
The mandate ends with the …"

18 Approach 2: Explicit Registration
» The mandator registers the mandate manually in the application (diagram: Application, DB)

19 Approach 3: Attribute Certificates
» Example attribute certificate: Function=Staff, Role=Director, Role_Until=2015, TransLimit=EUR … (amount not transcribed)

20 Approach 4: Systematic
» Study on eID interoperability in the EU (October 2009): mandate management was still altogether rare. "22 countries out of 32 (69%) have no form of mandate / authorization management, other than the allocation of certificates or credentials to the representatives of a specific legal entity. 8 countries out of 32 (25%) have implemented an ad hoc form [...] covering specific applications or service types; only two countries have [...] which can be characterized as systematic":
  » Austria (operational, also for the STORK mobile eID)
  » Belgium (setting up the solution)


22 Mandates within the Austrian E-Government
» Citizen Card for mandate-based actions (§ 5 (1) E-GovG)
  » Proof of an existing (valid) mandate relationship
  » Citizen Card of the representative
  » The mandate has to be registered, through confirmation at the SRA (SourcePIN Register Authority)
» Professional representation (berufsmäßige Parteienvertretung) and official representatives (Organwalter) (§ 5 (2/3) E-GovG)
  » Authorization according to professional provisions
  » Characterization of the professional authorization: a defined object identifier (OID) within the signature certificate


24 Electronic Mandates
» Equivalent to the electronic transcription of a conventional mandate
» Technical framework defined by the SourcePIN Register Regulation (StZRegV, § 4)
» Registration of the power of representation
» Data of an electronic registration:
  » Unique identity assigned to the mandator
  » Scope of the power of representation
  » Other necessary constraints

25 Electronic Mandates (structure)
» Mandator: name, date of birth, SourcePIN
» Representative: name, date of birth, SourcePIN
» Intermediary: optional, only if involved
» Date and place of issuance
» Global properties (optional)
» Scope and other constraints: description of the mandate contents and possible constraints
» Electronically signed by the SourcePIN Register Authority

26 Electronic Mandates: Contents and Constraints
» Textual description of the scope
» Time constraints
» Transaction limit
» Constraints concerning the immediate scope
» Collective mandates
» Others

27 Electronic Mandates: Composition of a mandate's textual description
» Textual description of the scope, built from:
  » Standard textual contents (normtext)
  » Standard textual contents with variable text fields
  » Free text
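The constraints listed above are only useful if the application receiving the mandate enforces them at the time of use. The following Python is an added example, not code from the slides or from the Austrian MIS/MOA-ID software: the Person/Mandate/Action model, its field names, and the sample names, dates and amounts are constructed assumptions and do not follow the StZRegV XML schema. It shows a relying-party check that evaluates the time constraints, the transaction limit, the scope text and the collective-mandate rule against a requested action and reports every violated constraint, so a denial explains itself.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timezone
from decimal import Decimal
from typing import Optional

# Hypothetical in-memory model of the fields the slides list for an electronic
# mandate (mandator, representative, date of issuance, scope text, time
# constraints, transaction limit, collective mandate). Field names are
# assumptions and do not follow the StZRegV XML schema.


@dataclass(frozen=True)
class Person:
    name: str
    date_of_birth: str      # ISO date string, display only
    source_pin: str         # SourcePIN (constructed value; real applications only ever see ssPINs)


@dataclass(frozen=True)
class Mandate:
    mandator: Person
    representative: Person
    scope: str                                   # textual description of the scope
    issued_at: datetime
    valid_from: Optional[datetime] = None        # time constraints
    valid_until: Optional[datetime] = None
    transaction_limit: Optional[Decimal] = None  # EUR; None means no limit
    collective: bool = False                     # collective mandate: representatives must act jointly
    required_signers: int = 1


@dataclass(frozen=True)
class Action:
    scope: str
    amount: Optional[Decimal] = None
    signers: int = 1        # number of representatives who have signed this action


def action(scope: str, amount: Optional[str] = None, signers: int = 1) -> Action:
    """Convenience constructor: the amount is a decimal string in EUR."""
    return Action(scope, None if amount is None else Decimal(amount), signers)


def check_mandate(m: Mandate, a: Action, now: datetime) -> list[str]:
    """Return the reasons the action is NOT covered; an empty list means it is allowed.

    Every constraint is evaluated, so a denial lists all violated constraints at once.
    Scope matching is deliberately an exact, case-insensitive comparison: anything
    the mandate text does not name is denied.
    """
    problems: list[str] = []
    if m.valid_from is not None and now < m.valid_from:
        problems.append("mandate not yet valid")
    if m.valid_until is not None and now > m.valid_until:
        problems.append("mandate expired")
    if a.scope.casefold() != m.scope.casefold():
        problems.append(f"scope {a.scope!r} not covered by {m.scope!r}")
    if m.transaction_limit is not None:
        if a.amount is None:
            problems.append("transaction limit set but action carries no amount")
        elif a.amount > m.transaction_limit:
            problems.append(f"amount {a.amount} EUR exceeds limit {m.transaction_limit} EUR")
    if m.collective and a.signers < m.required_signers:
        problems.append(f"collective mandate needs {m.required_signers} signers, got {a.signers}")
    return problems


# Constructed sample: Alice empowers Bob to deal in stocks up to 10,000 EUR during 2024.
ALICE = Person("Alice A.", "1970-01-01", "spin-alice-constructed")
BOB = Person("Bob B.", "1975-02-02", "spin-bob-constructed")
SAMPLE_MANDATE = Mandate(
    mandator=ALICE, representative=BOB, scope="Dealing in stocks",
    issued_at=datetime(2024, 1, 2, tzinfo=timezone.utc),
    valid_from=datetime(2024, 1, 2, tzinfo=timezone.utc),
    valid_until=datetime(2024, 12, 31, 23, 59, 59, tzinfo=timezone.utc),
    transaction_limit=Decimal("10000"),
)
# Same mandate as a collective one: two representatives have to sign jointly.
COLLECTIVE_MANDATE = replace(SAMPLE_MANDATE, collective=True, required_signers=2)
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
AFTER_EXPIRY = datetime(2025, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    for a in (action("Dealing in stocks", "5000"),
              action("Dealing in stocks", "25000"),
              action("Real estate", "5000")):
        print(a, "->", check_mandate(SAMPLE_MANDATE, a, NOW) or "allowed")
```

The check returns a list rather than a boolean on purpose: the application can log all reasons for the audit trail and show them to the representative, and a new constraint type only needs one more branch.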

28 Electronic Mandates: XML Schema (schema diagram not transcribed)


30 Former System (years not transcribed)
» Static info boxes
» Registration of the electronic mandate within the Citizen Card software

31 Enrollment Process (diagram: Application, Signature, Store XML mandate, Check)

32 Drawbacks of the former system
» Manual enrollment process
» Potentially outdated information
» Market coverage of Citizen Card software (CCS)
» Online CCS
» Citizen Card dependent

33 Online-Mandates
» Central vs. decentralized
» Access to constitutive registers
  » Business register
  » Business service portal
  » Register of bilateral mandates
» Just-in-time (JIT) generation
  » Data of the mandator
  » SourcePIN
  » Contents/constraints
» No revocation necessary: mandates are generated just in time from the registers, so the registers stay authoritative


35 The Austrian eID Infrastructure (diagram)
» SourcePIN Register Authority domain: SourcePIN Register (SPR), Central Register of Residents (CRR), Supplementary Register for Natural Persons, Bilateral Mandate Register (BMR, natural persons), Mandate Issuing Service (MIS), SourcePIN Register Gateway (SPR-GW)
» Business registers (legal persons), operated in different organizational domains: Company Register (CR), Central Register of Associations, Supplementary Register for Other Concerned Parties (SR)
» User domain: citizen, Citizen Card Software (CCS)
» Service provider domain: MOA-ID, Online Application (OA)
» Foreign country: foreign citizen, Foreign Identity Provider (F-IdP), STORK infrastructure (PEPS)

36 Online Mandates - Architecture (diagram)
» Application
» MOA-ID
» SourcePIN Register Authority (SRA): Mandate Issuing Service (MIS) with the mandate selection
» Mandate sources for natural persons: bilateral mandates (mandator, representative/proxy)
» Mandate sources for legal persons: Business Register (Company Register, ZVR, ERsB) for legal mandates; Business Register Portal (USP) for delegated (gewillkürte) mandates

37 Mandate Sources (same architecture diagram as slide 36)

38 Mandate Sources
» Data sources where mandate information is retrieved from
» Natural persons: bilateral mandates register
» Non-natural persons
  » Legal mandates: constitutive registers (e.g. business register)
  » Delegated mandates: business service portal

39 Bilateral Mandates Register (same architecture diagram as slide 36)

40 Bilateral Mandates Register
» Mandate Management System (MMS)
» Registration of bilateral mandates between natural persons
» Operated by the SRA
» Functions: register mandates, delete mandates, revoke mandates, manage active mandates

41-45 MMS screenshots (not transcribed): Mandate Registration Steps 1-3, My Mandates, History

46 Mandate Sources: Legal Persons (same architecture diagram as slide 36)

47 Business Register (diagram): source registers (Company Register, ZGR, Tax, Kammern attributes, ZVR, LFBIS) and statistical registers (URS Statistical Business Register, LFR Agriculture and Forestry Register) feed the Business Register (existence)

48 Business Service Portal (USP)
» Central web portal of the Federal Government for companies
» Counterpart to Help.gv.at

49 Mandate Issuing Service (same architecture diagram as slide 36)

50 Mandate Issuing Service (MIS)
» Online mandate service
» Operated by the SRA
» Web services (for e-government applications): requesting a mandate; fetching a mandate
» Web GUI: selection of a mandate by the user; login for professional representatives


52 Login Process (architecture diagram as on slide 36; the following slides walk through it step by step)

53 Login Process (1): The representative selects "in Vertretung anmelden" (log in as representative) and chooses the Citizen Card or the mobile phone signature.

54 Login Process (2): The next step is a standard Citizen Card login at MOA-ID.

55 Login Process (2.1): The data to be signed (DTBS) is displayed to the representative.

56 Login Process (3): MOA-ID contacts the MIS and forwards:
» Identity link
» Signature certificate
» Redirect URL (the user is redirected there after the selection)
» Reference value (revision/audit)
» Allowed mandates (e.g. bilateral mandates)

57 Login Process (4): The MIS returns a session id, which MOA-ID later uses to fetch the selected mandate.

58 Login Process (5): Based on the data received from MOA-ID, the MIS searches the source registers for active mandates. The search key is the representative's ssPIN (sector-specific PIN).

59 Login Process (5.1): For natural persons, the bilateral mandate register is searched.

60 Login Process (5.2): For legal persons (detailed in 5.2.1 and 5.2.2).

61 Login Process (5.2.1): For legal persons, legal mandates come from the Business Register, which contains the Company Register, the Central Register of Associations and the Supplementary Register for Other Concerned Parties.

62 Login Process (5.2.2): For legal persons, delegated mandates come from the Business Service Portal.

63 Login Process (6): The representative is forwarded to the selection GUI provided by the MIS. After the mandate has been selected, the MIS creates the electronic mandate and signs it.

64 Login Process (7): MOA-ID fetches the signed mandate. The session id acquired in step 4 has to be included in the request.

65 Login Process (8): MOA-ID forwards the SAML assertion to the application. Besides the identity data of the mandator, the assertion also contains the identity data of the representative and the complete electronic mandate.
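The exchange in steps 3 to 8, as an added example that is not part of the original slides and not the real MIS or MOA-ID implementation. It is written in Python with in-memory stand-ins: the registers are constructed dicts keyed by the representative's ssPIN, an HMAC over canonical JSON replaces the SRA's XML signature (a real MOA-ID verifies an XMLDSig signature with the SRA certificate), and all names, fingerprints, URLs and keys are made up. It makes explicit what the slides leave implicit: the session id returned in step 4 is unguessable and single-use, the MIS only offers mandates of the types the application allowed, and MOA-ID verifies the signature and checks that the fetched mandate is bound to the representative, certificate and reference value of this very login before building the assertion.

```python
import hashlib
import hmac
import json
import secrets
from datetime import datetime, timezone

# Constructed sample mandate sources, keyed by the representative's ssPIN.
# Assumption: flat dicts standing in for the bilateral mandate register
# (natural persons) and the business registers / business service portal
# (legal persons); every name and number is made up.
BILATERAL_REGISTER = {
    "sspin-bob": [{"type": "bilateral",
                   "mandator": {"name": "Alice A.", "date_of_birth": "1970-01-01"},
                   "scope": "Dealing in stocks"}],
}
LEGAL_REGISTER = {
    "sspin-bob": [{"type": "legal",
                   "mandator": {"name": "Example GmbH", "register_number": "FN 000000x"},
                   "scope": "Managing director"}],
}


def _canonical(mandate: dict) -> bytes:
    # Stand-in for canonical XML: sorted-key JSON gives a stable byte string to sign.
    return json.dumps(mandate, sort_keys=True, separators=(",", ":")).encode()


class MandateIssuingService:
    """MIS side: sessions, source-register search, mandate issuance and signing.
    The HMAC key stands in for the SRA's signature key (constructed, demo only)."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._sessions: dict[str, dict] = {}

    # Step 3/4: MOA-ID hands over identity link, certificate, redirect URL,
    # reference value and allowed mandate types; the MIS answers with a session id.
    def request_mandate(self, identity_link: dict, cert_fingerprint: str,
                        redirect_url: str, reference: str, allowed_types: set[str]) -> str:
        session_id = secrets.token_urlsafe(32)   # unguessable, one per login
        self._sessions[session_id] = {
            "sspin": identity_link["sspin"], "cert": cert_fingerprint,
            "redirect": redirect_url, "reference": reference,
            "allowed": set(allowed_types), "signed": None,
        }
        return session_id

    # Step 5: search the sources for active mandates of this representative,
    # restricted to the mandate types the application allows.
    def candidates(self, session_id: str) -> list[dict]:
        s = self._sessions[session_id]
        found: list[dict] = []
        if "bilateral" in s["allowed"]:
            found += BILATERAL_REGISTER.get(s["sspin"], [])
        if "legal" in s["allowed"]:
            found += LEGAL_REGISTER.get(s["sspin"], [])
        return found

    # Step 6: the representative picks one in the selection GUI; the MIS then
    # creates the electronic mandate, binds it to this login and signs it.
    def select(self, session_id: str, index: int) -> str:
        s = self._sessions[session_id]
        mandate = dict(self.candidates(session_id)[index])
        mandate.update({"representative_sspin": s["sspin"], "representative_cert": s["cert"],
                        "reference": s["reference"], "issuer": "SourcePIN Register Authority",
                        "issued_at": datetime.now(timezone.utc).isoformat()})
        sig = hmac.new(self._key, _canonical(mandate), hashlib.sha256).hexdigest()
        s["signed"] = {"mandate": mandate, "signature": sig}
        return s["redirect"]   # the user is sent back to MOA-ID

    # Step 7: MOA-ID fetches the signed mandate; the session id is single-use.
    def fetch(self, session_id: str) -> dict:
        s = self._sessions.pop(session_id, None)
        if s is None or s["signed"] is None:
            raise PermissionError("unknown, unselected or already fetched session")
        return s["signed"]


def verify_signature(signed: dict, key: bytes) -> bool:
    expected = hmac.new(key, _canonical(signed["mandate"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(signed["signature"], expected)


def moa_id_login(mis: MandateIssuingService, sra_key: bytes, identity_link: dict,
                 cert_fingerprint: str, allowed_types: set[str], choose) -> dict:
    """MOA-ID side of steps 3-8; returns the assertion content for the application."""
    reference = secrets.token_hex(8)   # revision/audit value, also ties the mandate to this login
    session_id = mis.request_mandate(identity_link, cert_fingerprint,
                                     "https://app.example.invalid/return", reference, allowed_types)
    mis.select(session_id, choose(mis.candidates(session_id)))
    signed = mis.fetch(session_id)
    if not verify_signature(signed, sra_key):
        raise ValueError("mandate signature invalid")
    m = signed["mandate"]
    if (m["representative_sspin"] != identity_link["sspin"] or m["representative_cert"] != cert_fingerprint
            or m["reference"] != reference or m["type"] not in allowed_types):
        raise ValueError("mandate not bound to this login or of a type not allowed")
    return {"representative": identity_link, "mandator": m["mandator"], "mandate": signed}


SRA_KEY = b"constructed-demo-key"   # assumption: shared only inside this demo
BOB = {"sspin": "sspin-bob", "name": "Bob B.", "date_of_birth": "1975-02-02"}
BOB_CERT = "sha256:0123abcd"        # constructed certificate fingerprint


def demo() -> dict:
    """Bob logs in and picks the first offered mandate (the bilateral one from Alice)."""
    return moa_id_login(MandateIssuingService(SRA_KEY), SRA_KEY, BOB, BOB_CERT,
                        {"bilateral", "legal"}, choose=lambda cands: 0)
```

Popping the session on fetch is what turns the session id into a one-time capability: a replayed or leaked id cannot retrieve the mandate a second time, and a session in which the user never selected anything yields nothing at all.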

66 Mandates and E-Delivery
» Use case: a representative acknowledges receipt of an e-delivery document
» Scenario 1: reception on behalf of a non-natural person. A non-natural person cannot act by itself; a natural person always acts on its behalf. E.g. a general manager manages the delivery account of their company.
» Scenario 2: reception on behalf of a natural person. A person represents another person and acts on her behalf; the delegation of the power of representation is expressed by an electronic mandate. E.g. person B is allowed to accept an electronic delivery on behalf of person A; a general manager delegates a mail mandate to a secretary, who is then allowed to accept deliveries.

67-73 Login (Example): screenshots of a login using a mandate (not transcribed)

74 Professional Representation
» Object identifiers of the public administration (ISO/IEC standard; number not transcribed)
» Root OID for the Austrian administration (value not transcribed):
  » OID 1: International Organization for Standardization (ISO)
  » OID 1.2: ISO member body
  » OID (not transcribed): Austria (ASI, Austrian Standards Institute)
  » OID (not transcribed): Austrian public administration
  » Professional representation


76 Professional Representation
» OID for professional representation (value not transcribed)
» Defines professional representatives, classified according to profession, each with its own OID (values not transcribed): notary, lawyer, civil engineer, official representative

77-80 Screenshots (not transcribed): Professional Representation; Official Representative / Professional Representative; Natural Person Representation; Legal Person Representation

81 Risk-Free Testing
» Testing system without implications
» Test environment and productive system (URLs not transcribed)


83 Next Steps
» For businesses: Single Point of Contact, EU Services Directive (DL-RL)
» EU large-scale pilots (eID pilot STORK 2)
» Digital Agenda
» EU member states

84 Conclusion
» Mandates are required for e-government
» Concept of electronic mandates: dynamic and flexible
» Online mandate system: central and user-friendly; access to fresh information from registers
» Professional representatives and official representatives
» Systematic approach

85 References
» E-Government Act (E-GovG); SourcePIN Register Regulation (StZRegV) (links not transcribed)
» MMS (productive), MMS (risk-free testing), MIS (productive), MIS (risk-free testing), demo login, electronic mandate specification (links not transcribed)
» Examples of logins using mandates: MyHelp citizen portal, delivery service MeinBrief, delivery service of the Federal Computing Centre (BRZ), Postserver.at delivery service, DVR-Online (links not transcribed)
» Publications:
  » Tauber, A., Rössler, T.: Professional Representation in Austrian E-Government. Proceedings of the 8th International Conference EGOV, 2009.
  » Leitold, H., Tauber, A.: A Systematic Approach to Legal Identity Management - Best Practice Austria. ISSE 2011.
  » Zwattendorfer, B., Tauber, A., Stranacher, K.: Cross-Border Legal Identity Management. EGOV 2012.
  » Rössler, T.: Empowerment through Electronic Mandates - Best Practice Austria. I3E, Nancy, 2009.
  » Tauber, A., Zwattendorfer, B., Stranacher, K.: Elektronische Identität und Stellvertretung in Österreich (Electronic identity and representation in Austria). DACH 2013.

86 Control Questions
» Which technical approaches for implementing electronic mandates exist?
» What are the main elements of an electronic mandate?
» Describe the advantages of a centralized approach using electronic mandates compared to a decentralized approach.
» Describe the features of the mandate management system (MMS).
» Describe the features of the mandate issuing service (MIS).
» Name the source registers for mandate information.
» Describe the process of representative intervention (vertretungsweises Einschreiten) step by step using the following components: mandator, MOA-ID, MIS, source register.
» Give a rough description of the concept of professional representatives (and official representatives).

87 Thanks for your attention!