Germany: Was: How Estonia is using X.509 for Identity, payments, voting and much more

https://www.linkedin.com/grp/post/104314-6014166396592799747

Germany did it the "right" way.  Unfortunately this way is riddled with hardships as can be found in the LinkedIn comments...

Sweden did it the "wrong" way with "Apps", mobile phones and banks as issuers which simply reused existing infrastructures reducing costs and hassles to a minimum.
The Swedish system does suffer from various security flaws but availability is still the #1 feature.

Anders

On 2015-06-11 22:27, Melvin Carvalho wrote:
> FYI:
>
> ---------- Forwarded message ----------
> From: *Melvin Carvalho* <melvincarvalho@gmail.com>
> Date: 11 June 2015 at 22:26
> Subject: How Estonia is using X.509 for Identity, payments, voting and much more
> To: public-webid <public-webid@w3.org>, public-rww <public-rww@w3.org>
>
>
>   My life under Estonia's digital government
>
>
>     Analyst Charles Brett is a fan
>
> 2 Jun 2015
>
> There is much government talk about the economic importance of enabling a digital society. Yet little coherent in the UK seems to materialise – bits here and there imperfectly integrated and with insufficient commitment. Just think of the multiple UK initiatives over the years. That such slow progress is a given calls into question whether a digital society is beyond deliverable?
>
> The example of Estonia offers a startling contrast (and one different from that of the European Commission <http://bit.ly/1EjJ4Fq> as summarised by /The Reg/ earlier this year). Before going into how Estonia delivers, consider my own experience in Tallinn when obtaining an e-Resident card.
>
> That Estonia introduced the concept of an e-Resident <http://bit.ly/1O7nQoV> was previously described in /The Register/ in October 2014 where it was also pointed out that anyone wanting to be an e-Resident had to visit Estonia twice - once to apply and then a second time to return to pick up your e-Resident card if granted.
>
>
>       Tallinn-bound
>
> In the Autumn of 2014 my wife was posted to Tallinn, Estonia’s capital, for six months. One of the delights of being a technology analyst is you can work anywhere there is good internet access. Estonia has excellent internet coverage plus 4G available throughout the country (even in rural areas – a matter of government policy). In addition, being ‘local’ means you can explore the digital business scene.
>
> So, armed with my identification documents, I went to a designated e-Resident office, having previously made an appointment online (of course). Although I brought passport-sized photos I was directed to a standard-seeming photo-booth which took my picture. Then I met a courteous Estonian officer who swiftly took my details and bio-identifiers while also linking to my electronic pictures from the photo-booth. I was told I would receive an email in two weeks if my application was not refused.
>
> Thirteen days later the promised email arrived. I returned to the same office to sign for a package that included my e-Resident card and a neat, and super-small USB e-Resident card reader. Nothing in the process could have been simpler or more easily delivered (and from 1 April 2015 it has been possible to achieve the same at selected Estonian embassies.)
>
> With an e-Resident card you can set up a business remotely operating from Estonia. As an e-Resident you can do everything legally required for a business by electronic means from afar, including setting up a company, signing contracts, opening bank accounts, making and receiving payments and paying all taxes.
>
>     Estonia’s e-revolution has already reached far and deep
>
> As /The Register/ wrote back in October, “holding the card does “not entail full legal residency or citizenship or right of entry to Estonia” (but) it does allow “secure access to Estonia’s digital services and an opportunity to give digital signatures in an electronic environment. ... Such digital identification and signing is legally fully equal to face-to-face identification and handwritten signatures in the European Union.”
>
> So, how did Estonia achieve all this? It was not a short process. Yet Estonia’s e-revolution has already reached far and deep, bringing together citizens, government and business. Second, integration has been combined with security and appropriate data ownership. Third, Estonia took its time in establishing what is now a credible e-society - some 15 years after it originally started back in 2001 (yes, that long ago). Today’s Estonian citizen can (though he or she does not have to):
>
>   * Identify themselves, via e-ID, an electronic identity system
>   * Vote (iVote, available since 2007)
>   * Complete tax returns (and make payments or receive refunds)
>   * Obtain and fulfil prescriptions (eHealth)
>   * Participate in census completion
>   * Review accumulated pension contributions and values
>   * Perform banking, including making and receiving payments
>   * Pay and interact with utilities (like water, gas and electricity)
>   * Interact with the education system (e-Education)
>   * Set up businesses
>   * Sign contracts
>   * And more.
>
> The above embrace a broad swathe of the economic and personal activities and applies as much to government and business as to the individual. As such the Estonian e-society provides facilities to all stakeholders in the country, and with some interesting side effects.
>
> For example, digitising the police now enables a police officer in a patrol car to verify a car’s legality and insurance by querying the car registration system. If this shows the owner is a driver who has been convicted of a drink-driving offence within the past two years the police officer can stop and breathalyse that driver. Convicted drunk-drivers know this; unsurprisingly repeat drink-driving re-offences have fallen. Conversely, electronic voting is less popular because Estonians value their new found freedom to choose and many dress up in order to go to their polling station.
>
> All of the above depend on the acceptance of some fundamentals (an aspect which successive UK governments have shown little appetite to address). These were agreed right from the inception of the Estonian e-Society initiative and specifically included:
>
>
>       A matter of principles
>
> *1.* decentralisation combined with interconnectivity: there is no central database; every stakeholder (government department, business or even individual) has the freedom to choose its own system in its own time with the guiding principle being that all participating systems be able to work together
>
> *2.* adoption of a secure open platform approach; the intention is any institution (or individual) be able to use a publicly provided public key infrastructure
>
> *3.* a commitment to an open-ended process; capabilities are encouraged to evolve, grow and improve organically
>
> *4.* investment in a long term commitment to a suitable infrastructure, particularly provision of two vital ingredients – a common middleware stack (‘X-Road’) and a secure e-Identity (or e-ID).
>
> Arguably the first three above are about principles. These are easy to pronounce on but not necessarily easy to adopt or deliver. What marks out Estonia so far is the way it has honoured its ongoing commitment to these principles over more than a decade.
>
>
>       Follow the X-Road
>
> Furthermore, acceptance is accelerating because, with time, the incremental cost of adding a function or service reduces once a trusted infrastructure is in place. Adding the online national census capability cost only the census software, less than €10K, because the infrastructure was already in place. The creation of the e-Resident initiative was a logical, and practical extension, of what was already possible for Estonian citizens.
>
> The fourth is about practicality. As the slide below shows, the X-Road is the mechanism which connects all the decentralized components together. This is what enables Estonia’s various databases and registers, whether public or private, to link up and operate irrespective of what individual platform they use. In this the ‘adapter server’ is the key integration element which enables different applications to work together.
>
> [Figure: screenshot showing Estonia digital government organisation chart]
>
> Similarly, e-ID is the nationally standardized system for verifying each individual’s identity to the online environment (the ‘security server’ in Figure 1). This opens the door to provision of e-services which offer security and trust (the basis for the e-Resident card), and Estonia has gone further than most in four additional dimensions:
>
>   * it has introduced differentiation between roles associated with an e-ID; a civil servant, for example, can act as an individual or can act as his or her job demands, with quite different rights, accesses and privileges associated with his or her job
>   * digital privacy is enshrined in law (Estonians argue their country has the strongest legislative protections, accompanied by stiff penalties for digital infractions or abuse)
>   * the adoption of specific extending legislation where needed, for example for medical records; these are owned by the individual who authorizes doctors to use his or her patient’s medical records (using the e-ID to authenticate and record this authorization)
>   * citizens have rights to access and inspect data held about them; transparency breeds trust, over time.
>
> Estonia has not stopped at this. To provide demonstrable accuracy it exploits blockchain technology (though not that from Bitcoins) to establish trust and verification. Data and interactions use a blockchain (from Guardtime, an Estonian company) to guarantee a record of the state of any component within the network and data stores.
>
> The implications of this are immense. It means that any unauthorized change in the state, which can be regarded as attack on accuracy, can be detected. Whether this ‘attack’ comes from outside or from (say) an employee on the inside, record alteration is recorded while the original remains (or is shown to have been tampered with).
>
>
>       Conclusion
>
> Estonia proves that a digital society is practical today. Yet, apart from Finland which is adopting the Estonian technology base, other European countries including the UK lag behind. If it took Estonia 15 years to reach where it has today, and with a population of less than 1.5M, how long will it take the UK, France, Germany or Italy? Will e-Societies ever emerge in these places in a coherent and meaningful way? Does this mean that large countries are doomed to fall behind?
>
> The sad aspect about such a conclusion is that a proven technology base to support an e-Society - X-Road and e-ID - exists. Yet recognition of what Estonia delivers is ignored by those, especially fellow partners in the EU who seem to think they will provide better - at some unpredictable point in the future.
>
> Estonia shows us that a digital society is practical today. We, as citizens, should demand the same vision, coordination, commitment, inclusivity and consideration of the needs and practicalities of all stakeholders.
>
> Instead we have politicians posing about the importance of digital societies in order to get re-elected, and global multi-nationals exploiting our personal data for their benefit.
>
> We need not wait interminably for an e-Society. But, outside Estonia and Finland, it looks as if we will. And any e-Society must be underpinned by commonly accepted principles, as well as practical technologies, which recognise the rights of all participants. ®
>
>
> http://www.theregister.co.uk/2015/06/02/estonia/
>
> Some more links:
>
> https://e-estonia.com/e-residents/about/
> http://en.wikipedia.org/wiki/Estonian_ID_card
> http://estonia.eu/news/563--estonias-e-residency-goes-global.html
>
>

Received on Saturday, 13 June 2015 21:21:54 UTC