Post on 19-Dec-2015

TRANSCRIPT

Page 1: 2-Jun-15 1 ACCESSING ON LINE SERVICES PROTECTED BY THE ITALIAN EID GIOVANNI MANCA National Center for Information technology in Public Administration (CNIPA)

18 Apr 2023 1

ACCESSING ON LINE SERVICES PROTECTED BY THE ITALIAN EID

GIOVANNI MANCA

National Center for Information technology in Public Administration

(CNIPA)

Page 2:

The scenario

• About 15,000,000 National Services Cards (CNS).

• About 2,500,000 Electronic Identity Cards (CIE).

• Development of e-Health services, payment services (not EMV compliant) and electronic document interchange.

• Wide use of digital signature (qualified signature), which can be installed on eID smart cards.

Page 3:

Electronic Identity Card (CIE)

• The Italian Electronic Identity Card (CIE) is a plastic ID-1 format "hybrid" card with a chip and an optical memory band.

• On the front, the layout has an upper zone for the personal data and photo of the holder, and a lower zone, the ICAO MRZ (Machine Readable Zone), for automatic reading of the same data, encoded on three lines and printed in OCR-B, readable with specific devices.

• On the back, besides other personal data, there are the microchip, an optical memory stripe (used only for security purposes, not for data storage) and a security hologram.

• The microchip is ISO/IEC 7816 compliant with a 64 kB EEPROM (new project). In the future it will be possible to add contactless functionality.
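The three-line MRZ on an ID-1 card is only trustworthy for "automatic reading" if the reader verifies the check digits before using the data. The parser below is an added example, not code from the presentation or from CNIPA: it implements the public ICAO Doc 9303 check-digit algorithm (weights 7, 3, 1 repeating, modulo 10) and the TD1 field layout, including the composite check digit that covers the document number, dates and optional data. The sample MRZ is the ICAO specimen for the fictitious state UTOPIA, constructed here for the test; it is not data from the page.

```python
"""Parse and verify a three-line ICAO 9303 TD1 (ID-1) machine readable zone."""
import re

# ICAO specimen MRZ (fictitious state UTO, constructed for this example).
SAMPLE_MRZ = [
    "I<UTOD231458907" + "<" * 15,
    "7408122F1204159UTO" + "<" * 11 + "6",
    "ERIKSSON<<ANNA<MARIA" + "<" * 10,
]


def char_value(c: str) -> int:
    """ICAO 9303 character values: digits as-is, A..Z = 10..35, filler '<' = 0."""
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def check_digit(field: str) -> int:
    """Weighted sum with weights 7, 3, 1 repeating, reduced modulo 10."""
    weights = (7, 3, 1)
    return sum(char_value(c) * weights[i % 3] for i, c in enumerate(field)) % 10


def parse_td1(lines):
    """Return the TD1 fields as a dict; raise ValueError if any check digit fails."""
    if len(lines) != 3 or any(len(line) != 30 for line in lines):
        raise ValueError("TD1 MRZ must be three lines of 30 characters")
    if not all(re.fullmatch(r"[A-Z0-9<]{30}", line) for line in lines):
        raise ValueError("MRZ lines may contain only A-Z, 0-9 and '<'")
    l1, l2, l3 = lines
    # Each check digit protects the field printed just before it; the composite
    # digit (last character of line 2) protects the security-relevant fields together.
    checks = [
        ("document_number", l1[5:14], l1[14]),
        ("birth_date", l2[0:6], l2[6]),
        ("expiry_date", l2[8:14], l2[14]),
        ("composite", l1[5:30] + l2[0:7] + l2[8:15] + l2[18:29], l2[29]),
    ]
    for name, data, printed in checks:
        expected = check_digit(data)
        if str(expected) != printed:
            raise ValueError(f"{name} check digit mismatch: printed {printed}, computed {expected}")
    surname, _, given = l3.partition("<<")
    return {
        "document_code": l1[0:2],
        "issuing_state": l1[2:5],
        "document_number": l1[5:14],
        "optional1": l1[15:30].rstrip("<"),
        "birth_date": l2[0:6],
        "sex": l2[7],
        "expiry_date": l2[8:14],
        "nationality": l2[15:18],
        "optional2": l2[18:29].rstrip("<"),
        "surname": surname.replace("<", " ").strip(),
        "given_names": given.replace("<", " ").strip(),
    }


def is_valid_td1(lines) -> bool:
    """Boolean wrapper for readers that only need accept/reject."""
    try:
        parse_td1(lines)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_td1(SAMPLE_MRZ))
    # Altering one digit of the birth date without recomputing the check digit is detected.
    tampered = [SAMPLE_MRZ[0], "740813" + SAMPLE_MRZ[1][6:], SAMPLE_MRZ[2]]
    print("tampered accepted:", is_valid_td1(tampered))
```

The composite check digit is what makes the three individual checks meaningful together: a reader that only validates the per-field digits would accept a card where one field and its own digit were both rewritten.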

Page 4:

National Services Card (CNS)

• It is a set of rules (a specification), not a particular physical card.

• It is issued by a public administration.

• It will be used to access online services provided by public administrations and the private sector. It cannot be used for in-person identification (it has no physical security features).

• The smart cards used for digital signature are CNS compliant.

• Specific services can be installed on the smart card (loyalty card, contactless services, parking, etc.).

Page 5:

Software libraries

• Freely available file system specification.

• Free software libraries for interfacing with the smart card.

• Free software libraries for using the online services (server side).

• These libraries will be "open source".

Page 6:

WHAT DOES INTEROPERABILITY MEAN IN EID ?

• Interoperability: “The capability to communicate, execute programs, or transfer data among various functional units in a manner that requires the user to have little or no knowledge of the unique characteristics of those units” (ISO/IEC 2382-01).

• In eID the logical flow is: holder, validity of the eID, digital identity, access, authorizations, logging; privacy aspects must be strongly guaranteed at every step.

Page 7:

EID INTEROPERABILITY (1)

• Some considerations about "interoperability", a term used in different circumstances.

• There are many kinds of "interoperability": technical, bridge, standard, service, etc.

• When many options are included in an interoperability specification, the probability of it actually working is reduced.

• We should avoid keeping interoperability at a low level; the real world quickly makes such a level useless.

Page 8:

EID INTEROPERABILITY (2)

• The European experience with electronic signatures highlighted obstacles to be removed before reaching full interoperability.

• We have the EU Directive (1999/93/EC), some technical specifications, dozens of standards, and about 1% interoperability.

• To avoid making the wrong choice, a different path should be opened.

• ECC (European Citizen Card, CEN/TS 15480) is a good starting point.

Page 9:

EID INTEROPERABILITY (3)

• The first step is defining the desired type of interoperability.

• The idea that "the standards emerge from the market" has proved wrong.

• A better approach is the "mixed" one, like that adopted for the e-passport, supported by a precise commitment of the European Commission on the inter-change of trust levels.

• Liberty Alliance, Federated TLS and CardSpace are good approaches. Their use should be placed in the EU framework as a duty, not as an option.

• In that case, some countries could object that the obligation does not protect investments already made.

Page 10:

Italian models for the delivery of online services

• The Italian CIE and CNS work in the same way on the front-office side, but they interact with the back-office in two different ways.

• When services are delivered directly through a three-tier architecture (client, web services, database), SSLv3 is used, with authentication procedures that depend on the specific kind of application.

• When services are delivered in a "distributed" way, the security architecture adopts SAML.

• A relevant project involving the Italian Regions is ICAR (Regional Applicative Cooperation Infrastructure).

Page 11:

An example: ICAR (SAML)

Actors in the REQUESTING DOMAIN (Dominio richiedente): Local Proxy, Service Provider, GPA.

Federation components: Identity Provider, Federation Registry (Albo della Federazione), Profile Provider, Attribute Provider.

Flow (steps as numbered in the diagram):

1: Access

2: Identity request

3: Collection of the wallet of assertions

4: Profile lookup (GPA, Profile Provider)

5: Authentication / SSO (Identity Provider)

6: Attribute collection (Attribute Provider)

7: Wallet of assertions

8: Service authorization request

9: Decision

Source: Francesco Meschia
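Steps 5 to 9 of the diagram are the part of the flow that decides whether a citizen gets the service: the Identity Provider's authentication assertion and the Attribute Provider's attribute assertions are bundled by the local proxy into a wallet, and the decision is taken only after every assertion has been checked against the federation registry. The model below is an added example, not ICAR's or CNIPA's code, and it assumes the front-office leg (the slide's SSLv3 session; SSLv3 has since been deprecated and TLS is used today) has already identified the citizen. Assumptions: assertions are dicts signed with HMAC-SHA256 under a per-provider key held in the registry, a stand-in for the XML-DSig signatures and X.509 certificates a real SAML deployment uses; entity names, keys, the subject identifier, attributes and the access policy are constructed for the example.

```python
"""Model of ICAR SAML steps 5-9: authentication and attribute assertions,
the wallet of assertions, and the GPA's authorization decision."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# "Albo della Federazione": which entity may issue which kind of assertion, and the
# key used to check its signatures (HMAC keys stand in for X.509 certificates here).
FEDERATION_REGISTRY = {
    "https://idp.regione.example/sso": {"role": "IdP", "key": b"idp-demo-key"},
    "https://ap.comune.example/attrs": {"role": "AP", "key": b"ap-demo-key"},
}
SERVICE_PROVIDER = "https://sp.regione.example/servizi"  # audience of every assertion
# GPA access policy for the requesting domain's services (constructed).
ACCESS_POLICY = {
    "change_address": {"min_auth_level": 2, "required_attributes": {"resident": "true"}},
    "e_payments": {"min_auth_level": 2, "required_attributes": {}},
}
DEMO_NOW = datetime(2015, 6, 2, 9, 0, tzinfo=timezone.utc)
DEMO_LATER = DEMO_NOW + timedelta(minutes=10)  # after the 5-minute validity window


def _canonical(assertion):
    """Deterministic byte form of everything except the signature itself."""
    body = {k: v for k, v in assertion.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_assertion(assertion, key):
    signed = dict(assertion)
    signed["signature"] = hmac.new(key, _canonical(assertion), hashlib.sha256).hexdigest()
    return signed


def make_assertion(issuer, subject, audience, kind, now, validity_minutes=5, **claims):
    return {
        "issuer": issuer, "subject": subject, "audience": audience, "kind": kind,
        "not_before": now.isoformat(),
        "not_on_or_after": (now + timedelta(minutes=validity_minutes)).isoformat(),
        **claims,
    }


def verify_assertion(assertion, audience, now):
    """Return None if the assertion is acceptable, otherwise the reason it is not."""
    entry = FEDERATION_REGISTRY.get(assertion.get("issuer"))
    if entry is None:
        return "issuer not in federation registry"
    expected_role = "IdP" if assertion.get("kind") == "authn" else "AP"
    if entry["role"] != expected_role:
        return f"issuer role {entry['role']} may not issue {assertion.get('kind')} assertions"
    mac = hmac.new(entry["key"], _canonical(assertion), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, assertion.get("signature", "")):
        return "signature mismatch"
    if assertion.get("audience") != audience:
        return "assertion not addressed to this service provider"
    not_before = datetime.fromisoformat(assertion["not_before"])
    not_on_or_after = datetime.fromisoformat(assertion["not_on_or_after"])
    if not (not_before <= now < not_on_or_after):
        return "assertion outside its validity window"
    return None


def authorize(wallet, service, audience, now):
    """Step 9: the decision on the service authorization request of step 8."""
    policy = ACCESS_POLICY.get(service)
    if policy is None:
        return "Deny", "unknown service"
    subjects, auth_level, attributes = set(), 0, {}
    for assertion in wallet:
        reason = verify_assertion(assertion, audience, now)
        if reason:
            return "Deny", reason
        subjects.add(assertion["subject"])
        if assertion["kind"] == "authn":
            auth_level = max(auth_level, int(assertion.get("auth_level", 0)))
        else:
            attributes.update(assertion.get("attributes", {}))
    if len(subjects) != 1:
        return "Deny", "wallet must concern exactly one subject"
    if auth_level < policy["min_auth_level"]:
        return "Deny", f"authentication level {auth_level} below required {policy['min_auth_level']}"
    for name, value in policy["required_attributes"].items():
        if attributes.get(name) != value:
            return "Deny", f"required attribute {name}={value} not asserted"
    return "Permit", f"subject {subjects.pop()} authorised for {service}"


def demo_wallet(now, resident="true", tamper=False):
    """Steps 5-7: the wallet the local proxy collects for one citizen (constructed data)."""
    subject = "RSSMRA70A01H501U"  # fictitious fiscal code used as the subject identifier
    authn = make_assertion("https://idp.regione.example/sso", subject, SERVICE_PROVIDER,
                           "authn", now, auth_level=2)
    attrs = make_assertion("https://ap.comune.example/attrs", subject, SERVICE_PROVIDER,
                           "attr", now, attributes={"resident": resident})
    wallet = [sign_assertion(authn, b"idp-demo-key"), sign_assertion(attrs, b"ap-demo-key")]
    if tamper:  # attribute rewritten after signing: must fail the signature check, not the policy
        wallet[1]["attributes"] = {"resident": "true"}
    return wallet


if __name__ == "__main__":
    print(authorize(demo_wallet(DEMO_NOW), "change_address", SERVICE_PROVIDER, DEMO_NOW))
    print(authorize(demo_wallet(DEMO_NOW, resident="false", tamper=True), "change_address",
                    SERVICE_PROVIDER, DEMO_NOW))
```

The order of the checks is deliberate: registry membership and role first (an Attribute Provider must not be able to assert an authentication), then signature, then audience and validity window, and only then the policy. A forged or replayed assertion is rejected with a reason that does not leak which attribute would have been needed.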

Page 12:

Evolution of interoperability in Europe (1)

• In Europe there is a large number of identity management projects.

• In Europe there is also a large number of applicative cooperation projects.

• What is the reason?

• Which of them, after their conclusion, will have the value and strength to become the "European model"?

Page 13:

Evolution of interoperability in Europe (2)

• A possible road map could be:

ECC for the smart card and the "card based" services structure.

An architecture for the trust chain (a common format should be chosen).

The authentication methods should be established.

The organizational model for the delivery of services should be chosen.

A European Directive should be issued.

Page 14:

Conclusion and suggestions (1)

• The experience of Directive 1999/93/EC taught that the market does not set the rules that allow everyone to exchange data.

• The political, legal, cultural and technological complexity of the new Europe will lead to the excellent indications of the EU Commission being adopted in a non-homogeneous way at the technical level.

• This situation encourages the acceptance of compromises in technological implementations.

Page 15:

Conclusion and suggestions (2)

• In Europe, the eID has more than 20 different implementations (Modinis report).

• To make eIDs interoperable, a precise EU direction should clearly establish:

The data relevant to the identity of the person (fiscal code, e-mail address, serial number, social security number, etc.)

Which services are wanted (e-procurement, change of address, e-payments, etc.)

Who is the subject authorizing the procedure

• Digital signature is watching us!

Page 16:

Contact

Institutional Web-site:

www.cnipa.gov.it

For further information, please contact:

[email protected]