7.3. Authentication framework
Regulation
Regulation
REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT
AND OF THE COUNCIL of 23 July 2014 on electronic identification and
trust services for electronic transactions in the internal market and repealing
Directive 1999/93/EC
http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32014R0910&from=EN
Scope
- authentication and identification
- electronic signatures and electronic seals
- web-page authentication
- related services and issues
Why eIDAS identi cation and authentication it is important for cloud systems?
- default authentication for public systems
- possible for the use in private sector - if the public systems succeed to implement eIDAS smoothly, then the private systems will follow
- cross-border by default, so easier for deploying in cloud systems
- oriented on building interoperability
Impact
Practical impact unclear:
- it can inhibit many useful authentication technologies and slow down the progress
- the story of electronic signatures can repeat
- not compatible with the most effcient techniques working today
- political compromise: following the roaming concept which contradicts EU policy on personal data protection
Identi cation
- electronic identification means the process of using person identifica- tion data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person;
- electronic identifiation means a material and/or immaterial unit containing person identification data and which is used for authentica- tion for an online service; read more
- person identification data means a set of data enabling the identity of a natural or legal person, or a natural person representing a legal person to be established; question
Authentication
- authentication means an electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed; read more
Challenges
- different countries and different authentication systems
- a public system must accept all authentication systems notified in EU every country can notify almost any system forcing other countries to implement it
- it has to adjust to any kind of user's devices
- enforcing de facto monopoly by those countries that will be first in implementing the protocols?
Incompatible existing examples:
- Germany
Personalausweis - http://www.personalausweisportal.de/EN/Home/home_node.html - Austria
Bürgerkarte - https://www.buergerkarte.at/en/ - Estonia
eID Card and Mobile ID - http://eid.eesti.ee/index.php/A_Short_Introduction_to_eID
Details
18 September 2015, EU Commission will determine minimum technical speci cations, standards and procedures with reference to which assurance levels low, substantial and high
After reading the links about incompatible examples, you can take the quiz
Question 1.
For which country authentication is based on symmetric cryptography?
Question 2.
For which country authentication enables tracability of a citizen?
Question 3.
For which country authentication secure against replay attacks?
Question 4.
For which country authentication at public bodies only?
Question 5.
For which country authentication supports a separate pseudonym for each service?
Question 6.
For which country authentication is incompatible with eIDAS?
Article 6: Mutual recognition
- When an electronic identification using an electronic identification means
and authentication is required under national law or by administrative practice to access a service provided by a public sector body online in one Member
State, the electronic identification means issued in another Member State
shall be recognized in the first Member State for the purposes of cross-border
authentication for that service online, provided that the following conditions
are met: read more
- the electronic identification means is issued under an electronic identification scheme that is included in the list published by the Commission pursuant to Article 9; read more
- the assurance level of the electronic identification means corresponds to an assurance level equal to or higher than the assurance level required by the relevant public sector body to access that service online in the first Mem- ber State, provided that the assurance level of that electronic identification means corresponds to the assurance level substantial or high; read more
- the relevant public sector body uses the assurance level substantial or high in relation to accessing that service online. read more
Assurance level low
refer to an electronic identification means in the context of an electronic identification scheme, which provides a limited degree of confidence in the claimed or asserted identity of a person, and is characterized with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of misuse or alteration of the identity; fact
Assurance level substantial
... which provides a substantial degree of confidence ... question
Assurance level substantial
... which provides a higher degree of con dence in the claimed or asserted identity of a person than electronic identi cation means with the assurance level substantial, and is characterized with reference to technical speci cations, standards and procedures related thereto, including technical controls, the purpose of which is to prevent misuse or alteration of the identity.
Details
18 September 2015, EU Commission will determine minimum technical
specifications, standards and procedures with reference to which assurance
levels low, substantial and high.
These security requirements will have crucial importance for the market