Dear Web Signature-lovers,
Apparently there is some light in this tunnel since
at least five competing efforts have been raised more or less
simultaneously. Somewhat oddly, they all have a European
heritage.
Anders Rundgren
Invitation #1:
http://middleware.internet2.edu/pki06/agenda.pdf
Wednesday there will be a short WASP (Web Activated Signature Protocol)
presentation by yours truly
Invitation #2:
---- Original Message -----
From: Bud P.
Bruegger
Sent: Monday, February 27, 2006 09:14
Subject: Invitation to eForum eID WG meeting, March 8,
Brussels We would like to invite you to participate in a workshop that the eForum organizes for March 8 in Brussels. We have put together an intensive work session to launch an international collaboration on two topics: * An URL Programming Interface (UPI) for web access to smart card services * Server-Side Privacy-Enhancement. The former topic is important in order to create a central point of control for the access of smart card services, such as digital signature, over the web. The approach has originally been proposed by Sun Microsystems and is integral part of the Austrian Citizen Card Concept (in the Security Layer). It promises to bring increased security and a much increased user experience (consistent look and feel across web applications) as compared to the excessive diversity of current solutions. If work on this topic progresses well, a possible objective is to launch a formal standardization of the approach (e.g., in CEN). The latter topic is of high interest in several European countries and any European consensus approach with a chance of acceptance necessarily has to include privacy-enhancement. Note that privacy issues will become more pressing in the future when strong authentication with eIDs will be ubiquitously used in all aspects of our information society in both government and private services. An prerequisite for such a large-scale use of eIDs is that our strategies include solid concepts of privacy enhancement. We are aware of several groups being interested or already working on these topics and attempt to start an effort of early harmonization and consensus building. The objective of the March 8 meeting is to form groups of active players that agree to work on these topics and to agree on the objectives and necessary work steps. While the bulk of work is expected to be done in virtual collaboration over the Internet, we plan to organize also future meetings in person to facilitate progress of work. The working groups are open to participation and attempt to follow a pragmatic and result-oriented style of active participation. Please, feel free to distribute this invitation to possibly interested parties. Draft Agenda -------------------- 09:00 - 9:30 : Welcome and explanations of STREAM 1 and STREAM 2 STREAM 1 1. Which ministries were involved in the BELPIC project and what was the role of them? 2. What was/is the budget of the project? 3. What are the main obstacles encountered since the roll-out? (if they are different from the ones which were mentioned earlier coming out from the pilot) 4. Business plan STREAM 2 09:30 - 10:30: Intro to work approach and intro of participants 10:30 - 11:00: Position Paper: Intro to the UPI approach (Bruegger, Comune di Grosseto) 11:00 - 11:30: Position Paper: The Security Layer implementation of UPI (Roessler A-SIT, MODINIS-IDM or Hayat, TU-Graz) 11:30 - 12:00: Definition of Objectives of the UPI work Deliverable: consensus on objectives 12:00 - 12:30: initial idea of UPI tasks Deliverable: initial list of task (for later refinement and task assignments) 12:30 - 13:30: LUNCH break 13:30 - 14:00: Introduction to eID privacy enhancement (Meints, Privacy Commission Schleswig-Holstein/FIDIS/PRIME) 14:00 - 14:30: Position Paper: Sector-Specific PINs in the Austrian Citizencard Concept (Roessler or Hayat) 14:30 - 15:00: Position Paper: Server-Side Sector-Specific IDs and Partial Identities (Bruegger) 15:00 - 15:30: Definition of Objectives of Privacy-Enhancement work Deliverable: consensus on objectives 15:30 - 16:00: initial idea of Privacy-Enhancement tasks Deliverable: initial list of task (for later refinement and task assignments) 16:00 - 16:30 Decision on Necessary Infrastructure for Virtual Collaboration Deliverable: Commitments necessary to get virtual work going in short term Meeting Place ---------------------- meeting will take place e-Forum C/O STERIA Benelux 36 Bd du Souverain B-1170 Brussels HOTELS CROWN PLAZA Brussels City Centre rue Gineste 3 1210 Brussels http://ichotelsgroup.com CITADINES APART'HOTEL Av de la Toison d'or 61-63 1060 Brussels www.citadines.com L'Auberge du REPOS DES CHASSEURS Av Charles Albert 11 1170 Brussels www.repos-des-chasseurs.com COTE JARDIN (Bead and Breakfast) Av Leopold Wiener 70 B 1170 Brussels http://users.swing.be/cote.jardin NO CREDIT CARD ACCEPTED how to get there : http://www.steria.be/tools/route_fr.htm Contact person Baudouin de Sonis Executive Director TEL : + 32 (0)2 566 67 83 GSM : + 32 4 75 96 06 28 Background --------------------- Service Delivery over the Web (UPI) Often, eIDs are defined in terms of their IAS functionality. IAS stands for:
No standard exists for the other two functionalities, leading to a situation where every web application uses a different mechanism. For example, even the exactly same task may be implemented in different java applets, browser-plugins or active-X controls by different applications. This lack of standardization is the cause of serveral problems:
Even more importantly, a highly critical component of digital signature is a "trusted viewer" that guarantees that users actually sign what they believe to sign--nothing different and nothing more. The very idea to receive a trusted viewer from a remote host in the form of an applet code is rather frightening. The enforcement of policy is similarly problematic. While true that the java virtual machine supports the enforcement of policy, these mechanims are incompletely understood by the average user and confronted with the possibly different needs of multiple applets, users who run into problems of finding a secure combined policy are likely to do anything that gets the applications running--including the removal of important safeguards. The probematics of a consistent enforcement of policy is also evident in the fact that different web application can use different technologies to implement the functionality (applets, active-X controls, plugins). Finally, the multiple implementations of the same functionality by different web applications make it impossible to achieve a consistent look and feel. The introduction of new technologies such as digital signature in society is by itself a daunting task; if key tasks such as trusted viewer or consent to signing look different with every application, the battle is likely lost from the very beginning. This discussion illustrates the strong importance of creating a single point of control for the implementation of Identification and digital signature of eIDs. The most promising solution that creates such a single point of control is a so called URL Programming Interface (UPI) that exposes the smartcard services through a HTTP interface. It makes it possible to use HTTP and HTML Forms as only elements of communications between web-application, browser, and smartcard. These are ubiquitous standards easy to find on all platforms and all browsers. The UPI approach was originally proposed by Sun Microsystems Laboratories (http://www.javaworld.com/javaworld/jw-11-1999/jw-11-javadev.html, http://www.javaworld.com/columns/jw-developer-index.shtml, http://research.sun.com/projects/dashboard.php?id=45) and has since been adopted by others (e.g., http://www.microexpert.com/smartcardurl.html). This solution is also integral part of the Austrian eID software (security layer): http://www.iaik.tugraz.at/research/publications/2002/ACSAC2002.pdf A proof of concept implementation for digital signature of web-forms with UPI has been presented at the Porvoo 8 meeting: http://www.porvoo8.rrn.fgov.be/porvoo8/agenda.php Possible objectives of the work include
Possible work items include:
Server-side privacy enhancement technology Current eIDs have been designed particularly from the point of view of e-Government and they can be regarded as government-issued identities. An identity typically comes with a national person identification number or code, in the sequel simply called person ID. The full return on investment in the large-scale roll-out of eID cards can only be obtained if government issued eID cards are used as universal means for bringing high levels of authetication and security to all the online-services in all sectors. This would be a security-revolution of the current Internet and would enable a very large number of services that are currently not possible to offer due to security or privacy risks. While a government issued person ID can usually be used without problems in government domains, its use in other sectors such as healthcare or private sectors is usually problematic from a privacy point of view. The danger is that unrelated data from different sectors become easily linkable based on a person ID. While this is a cultural judgement, an identity management solution cannot be accepted across Europe unless it uses different person IDs in different sectors, thus avoiding linkability. An elegant solution to this problem has been proposed by the Austrian government in the form of a single source ID for a person from which a one-way mapping can derive an unlimited number of sector-specific IDs. While Austria has implemented this on the client-side, thus breaking with standards such as X.509 and TLS/SSL and currently deployed browsers, there is a possibility of implementing this concept on the server-side, while staying completely compatible with these standards and with the client-solutions currently deployed by various national eID projects. Ing. Bud P. Bruegger, Ph.D. +39-0564-488577 (voice), -21139 (fax) Servizio Elaborazione Dati e-mail: bud@comune.grosseto.it Comune di Grosseto jabber: bud@jabber.no Via Ginori, 43 http://www.comune.grosseto.it/cie/ 58100 Grosseto (Tuscany, Italy) http://www.comune.grosseto.it/interopEID/ |