Information Cards and Gov Cards

Tuesday Session 1 Space D

Conference: IIW 10 May 17-19, 2009 this is the complete Complete Set of Notes

Convener: Drummond Reed

Notes-taker(s): Marc Licciardi

2 weeks ago at the European ID conference. The German government is rolling out the Government ID card for all citizens for 100% of the citizens. It will be an electronic ID card that works on line. The European standard is that the government issued very strong ID and they have been working on how they can use these ID’s for online ID.

German privacy laws presented a strong conflict. But the EU is working hard on how government ID cards can be used for online ID.

Clarification:  They are issuing physical cards, but what is the link to online ID. There are different solutions. Some have an online reader that can read your car, but others have an electronic version. The German government is promoting industry development and propagation of readers.

Netherlands and BC government have programs they are working on and they will explain what they are doing and then open up to the group.

The Netherlands are doing something slightly different. They will not issue a card. They say if you have an e-government service that uses a broker that can connect to card issuers, which can issue cards to companies and individuals. One person could have multiple credentials. So there is freedom of choice for multiple accredited providers, but when the individual interacts with the government they need to have some ID from accredited service.

Companies can then use power of attorney to get cards on behalf of their employees. They are opening it up to B2G, B2B and B2C and C2B.

They are deploying a citizen to government record access to health records. There is a unique scheme for accessing the health records. The main reason for their thinking was that the limited use ID card was not well adopted. So they are identifying more useful cards.

What Types of businesses can get credentials: Lawyers, Banks, Telecom providers, specialist providers, some will produce one level of assurance only and others will produce higher LOA. The fee between the RP and Broker is based on the level of assurance.

They are pushing for a centralized fee setting. Part of the scheme is that there is some recourse back for failed identification. This is described as a contractual model.

Norway has a system that uses the Bank ID model that is restricted to the banks, which capture 99.7% of their citizens. In Norway sitting next to those banks systems they have additional systems.

In the Netherlands the government will accept any of the accredited agency.

In tax filing the accountant is given a power of attorney to act on behalf of the filer, so there is a credential entity interacting with the government.

From a usability perspective, a user goes to a government part and logs in, and then relying party validates the through the broker to the credential issuer to validate the person and that validation is returned to the broker back to the relying party.

The Dutch government is not going to issue ID cards because it is relying on a variety of already issued ID cards. So there is a business incentive for issuing parties to be part of the credentialing process.

How many schemes are there in the NL, there is just one scheme, any credit issuer that takes part in the scheme can answer. There are 17 market players to develop the market rules for the schemes.

A large like Shell can apply and enter into an issuing role. They are accredited in both a legal, technical and business details. So there are technical profiles and policies.

￼

The term scheme in the NL is layered in three layers, which are infrastructure and protocol agreements, Functional agreements and then Business and government agreements. This three-layered set of agreements is called a scheme. The government’s role is in a collaborative development stage, which will be transferred to a scheme government, which is controlled by the participating companies, which will be audited externally. Above these three-layered agreements are the competitive propositions in the market place.

There is also a legal impulse in Europe to mandate that the top two layers have to be able to cooperate on the top two levels.

Large companies can fill the roles in the card issuer and broker stages as well as long as they can meet the assurance levels, but they are allowed to get credentialed.

When you start to make it a business network the layers become very interdependent. All of this is being built on top of existing legislation as the foundation. There are some discussions on passing specific legislation because some of the interaction is on the edge of the expectation of the laws.

What’s happening in the US for open government in the same roles. In the US,

In OIX terminology. The three layers are called the Trust Factor

Point 1. In what the US government is trying to solve

In this program the Trust Frameworks is broken into Technical Profiles, of which they did two, one for Open ID 2.0, which is right now approved for LOA1, and for IMI approved for 1,2 and 3; There is also a SAML profile available for 1,2,3, and 4.

Trust Frame providers, OIX and Kantara. ￼

The GSA anticipates that there will be deals struck between the IDP and the GSA for the higher assurance levels.

In the NL the cost of issuing the credential can drive the assurance level requirement so that the high cost forces the consideration.

In the US government there is a risk assessment done on RP that says you must have this assurance level.

In the NL model the relationship is between the IDP and the Broker and the broker has the liability.

Right now OIX has not necessarily been the hub to provide the higher assurance level.

In the NL the interchange fees can be negotiated between the broker and the IDP.

The RP can go to the broker and get the fees for the varying credit issuers. The Canadian government is looking to set up a similar relationship. But the US government is looking to make deals directly with the IDP.

For Inter-federation in the EU as large company you can get accredited to participate in one of the various roles or use an existing accredited entities.

The relationships in the NL are based on two party trust at each of the legs. They can agree on the security, there are some rules.

There is an attempt to make the SAML more of a feature in the trust framework by ICANN. It will utilize SAML metadata.