Worldwide Identity, Authentication and Signature
Local information
Basics
Diverging vocabularies, for example between the EU and the US, create a lack of clarity. Most EU Member States have some form of identity card, and many countries are introducing electronic identity cards. Other countries base identity on documents such as the driving licence.
Europe talks about Electronic Signatures (ES), Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES). The objective is to give legal effect to non-traditional signatures when a number of conditions are met. The legal effect sought is equivalence with the traditional ('wet') signature, and most European Civil Codes have been updated to reflect this.
The US Federal ESIGN Act of 2000 defines electronic signatures broadly. In the US, the term 'digital signature' mostly refers to PKI (Public Key Infrastructure) signatures.
ICAO
ISO
- ISO/IEC 18013 - Wikipedia
- ISO/IEC 18013 mDL - Wikipedia
- UL has a product to help test an app's conformance with the ISO 18013-5 standard
- ISO mDL ISO/IEC 18013-5, interface specifications for digital credentials on mobile devices
- This document establishes interface specifications for the implementation of a driving licence in association with a mobile device. This document specifies the interface between the mDL and mDL reader and the interface between the mDL reader and the issuing authority infrastructure. This document also enables parties other than the issuing authority (e.g. other issuing authorities, or mDL verifiers in other countries) to:
- use a machine to obtain the mDL data;
- tie the mDL to the mDL holder;
- authenticate the origin of the mDL data;
- verify the integrity of the mDL data.
- The following items are out of scope for this document:
- how mDL holder consent to share data is obtained;
- requirements on storage of mDL data and mDL private keys.
- Trust model: An mDL verifier generally trusts mDL information if both the following conditions are met:
- The mDL verifier can verify that the mDL was issued by a bona fide Issuing Authority.
- The mDL verifier can confirm that the mDL information has not been changed since it was created by the Issuing Authority.
- ISO/IEC 18013-5 supports the above conditions by way of public-private key cryptography. If an mDL verifier can:
- Obtain an Issuing Authority’s public key;
- Trust that it really is that Issuing Authority’s public key;
- Trust that the Issuing Authority’s private key has not been compromised; and
- Successfully authenticate an mDL issued by that Issuing Authority using said public key;
- then the conditions stated above are met.
- To facilitate items 1 to 3, ISO/IEC 18013-5 defines a Verified Issuer Certificate Authority List (VICAL). In concept, a VICAL Provider collects public keys from bona fide Issuing Authorities, confirms that the Issuing Authority manages its keys securely, aggregates the public keys into one VICAL, and provides the VICAL to mDL verifiers.
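The verifier-side logic of the trust model above, as an added example that is not part of the original page or of ISO/IEC 18013-5 itself. It simplifies the standard: the VICAL is modelled as a map from Issuing Authority name to a bare ECDSA public key (a real VICAL carries IACA certificates) and the signed mDL data as a byte string (really a CBOR/COSE structure); the issuer name and data are constructed samples.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)
// VICAL maps an Issuing Authority name to the public key the VICAL Provider
// vouches for (simplified stand-in for the certificate list in the standard).
type VICAL map[string]*ecdsa.PublicKey
// SignedMDL stands in for the mDL data plus the Issuing Authority's signature.
type SignedMDL struct {
	Issuer string
	Data   []byte
	Sig    []byte
}
// Issue is the Issuing Authority side: sign the SHA-256 hash of the mDL data.
func Issue(issuer string, priv *ecdsa.PrivateKey, data []byte) (SignedMDL, error) {
	h := sha256.Sum256(data)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	if err != nil {
		return SignedMDL{}, err
	}
	return SignedMDL{Issuer: issuer, Data: data, Sig: sig}, nil
}
// Verify is the mDL verifier side. Items 1 and 2 of the trust model are met by the
// VICAL lookup, item 4 by the signature check. Item 3 (key not compromised) is not
// a cryptographic check: the VICAL Provider vouches for it, so keep the VICAL current.
func Verify(v VICAL, m SignedMDL) error {
	pub, ok := v[m.Issuer]
	if !ok {
		return errors.New("issuer not in VICAL: origin cannot be authenticated")
	}
	h := sha256.Sum256(m.Data)
	if !ecdsa.VerifyASN1(pub, h[:], m.Sig) {
		return errors.New("signature invalid: data altered or not signed by this issuer")
	}
	return nil
}
func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	vical := VICAL{"IA-Example": &priv.PublicKey} // constructed sample issuer
	m, _ := Issue("IA-Example", priv, []byte(`{"family_name":"Doe","age_over_18":true}`))
	fmt.Println("genuine:", Verify(vical, m))
	m.Data = []byte(`{"family_name":"Doe","age_over_18":false}`) // tampered in transit
	fmt.Println("tampered:", Verify(vical, m))
}
```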
Other initiatives
Public sector
Private sector
- CA/Browser Forum - voluntary organisation of leading CAs and OS/browser manufacturers; publisher of the EV SSL Certificate Guidelines, the Network and Certificate System Security Requirements, and the Baseline Requirements for the issuance and management of publicly trusted certificates (and also for code-signing certificates)
- Common CA Database - operated by Mozilla - also includes Microsoft and Google
- a repository of information about externally operated Certificate Authorities (CAs) whose root and intermediate certificates are included within the products and services of CCADB root store members
- Dennis Jackson - Mozilla pQWACS
- RWOT Rebooting Web of Trust - rebooting PGP's WOT
- TOIP Trust over IP - Linux Foundation/Sovrin inspired
- The ToIP model was originally inspired by the Hyperledger Aries work on digital identity wallets and agents. The focus has been on secure key pair generation and storage, along with secure verifiable credential exchange and storage. However, that scope is steadily expanding to include other decentralized identity stack architectures and protocols.
- Developing a complete architecture for Internet Digital Trust
- Working groups include:
- Governance Working Group
- Technology Working Group
- Inputs and Semantics Working Group: Overlays Capture Architecture (OCA) schema specifications; ontology transformation guides (e.g., FHIR-OCA transformation guide); data modeling publications (e.g., Good Health Pass (GHP) Interoperability Blueprint chapter on “Standard Data Models and Elements”); pre-standards specifications (e.g., Privacy Controller credential specification for automating privacy rights...
- TOIP wiki
- GAIN - financial institutions global identity management - Cloud Signature Consortium, LEI, ...
SOLID - Tim Berners-Lee and Lalana Kagal
Basics
See also local files:
Intro:
Solid (derived from "social linked data") is a proposed set of conventions and tools for building decentralized social applications based on Linked Data principles. It relies as much as possible on existing W3C standards and protocols. These are:
- RDF (by default Turtle, otherwise JSON-LD and RDFa)
- WebID 1.0 (Web Identity and Discovery) to provide universal usernames/IDs for Solid apps, and to refer to unique Agents (people, organizations, devices). WebIDs, when accessed, yield WebID Profile documents (in Turtle and other RDF formats).
- FOAF vocabulary is used both in WebID profiles, and in specifying Access Control lists.
- Authentication (for logins, page personalization and more) is done via the WebID-TLS protocol. WebID-TLS extends WebID Profiles to include references to the subject's public keys in the form of X.509 Certificates, using Cert Ontology 1.0 vocabulary. The authentication sequence is done using the HTTP over TLS protocol.
- HTML5 keygen. Unlike normal HTTPS use cases, WebID-TLS is done without referring to Certificate Authority hierarchies, and instead encourages host server-signed (or self-signed) certificates. In Solid, certificate creation is typically done in the browser using the HTML5 keygen element, to provide a one-step creation and certificate publication user experience.
- Authorization and access lists are done using Basic Access Control ontology (see also the WebAccessControl wiki page for more details).
- Support for WebID-OIDC as another primary authentication mechanism is on its way. It is based on the OAuth2/OpenID Connect protocols, adapted for WebID based decentralized use cases.
- The Linked Data Platform (LDP) standard is used for reading and writing generic Linked Data resources through HTTP operations on web resources.
Playground
Legacy
Solid project and specifications
Solid and W3C
Inrupt company
- Inrupt - commercial startup co-founded by CEO John Bruce and CTO Sir Tim Berners-Lee
- Inrupt.net - cloud-hosted instance of the open source software Node Solid Server
- Created primarily to provide open source application developers with Pods to test against
- Products include:
- Inrupt Enterprise Solid Server - A production-grade Solid server produced and supported by Inrupt
- Node Solid Server - An open source server created by MIT
- JavaScript Solid Client Libraries
- JavaScript Solid React SDK
Solid in Belgium
Synergies
Other software
Global legislation
- UNCITRAL - UN Commission on International Trade Law, six Working Groups:
- Working Group I - Micro, Small and Medium-sized Enterprises
- Working Group II - Dispute Settlement
- Working Group III - Investor-State Dispute Settlement Reform
- Working Group IV - Electronic Commerce (addresses electronic authentication and trust services)
- Working Group V - Insolvency Law
- Working Group VI - Security Interests
- UNECE - United Nations Economic Commission for Europe - one of the five UN regional commissions; trade facilitation recommendations and electronic business standards
- UNECE/CEFACT - Centre for Trade Facilitation and Electronic Business, subsidiary of the UNECE Committee on Trade
- UNESCAP - Economic and Social Commission for Asia and the Pacific, the UN regional development arm for the Asia-Pacific; includes facilitation of cross-border paperless trade
Europe
Travellers entering the Schengen area are admitted under the rules of the Schengen Borders Code (SBC).
DG HOME and related
- DG Home Affairs - established in 2010 - including visas, residence permits for non-EU, document security, borders and smart borders, ...
- Frontex Agency External Borders
- eu-LISA - EU Agency for the Operational Management of Large-Scale IT Systems; operates SIS II, VIS and Eurodac
US and Canada
US Federal - GSA - FICAM
IDManagement.gov is a website about the Federal Identity, Credential, and Access Management (FICAM) program, which helps federal agencies enable access to systems and facilities for the right person, at the right time, for the right reason.
Trust Services providers offer services related to identity and credentialing of persons and operate within identity federations, specifically including:
- Issuing and managing person identity and device identity certificates using PKI.
- Issuing and managing person identity credentials for PIV and Common Access Card (CAC) hardware credentials that are tied to PKI.
- Issuing and managing person identity credentials using other identity federation technologies (for example, a person may be identity-proofed, have an account in the service, and use one-time password credentials to authenticate).
Categorisation by type of identity and credential and population served:
- Government Identity Services – Covers the FPKI Shared Service Providers (SSPs). Issues certificates for federal workforce identity, including for PIV credentials. A subset of the FPKI SSPs also issue and manage government enterprise device certificates.
- Business Identity Services – Covers PIV-Interoperable (PIV-I), and other PKI certificates. For persons who are affiliated with a business; state, local, tribal, or territorial government; or non-profit organization. Often used by a business person to digitally sign documents with the U.S. government as a business representative or to authenticate to a small number of government applications.
- Trust and Auditing of Services – Covers PKI Bridges that are cross-certified into the FPKI. For non-governmental organisations e.g. in healthcare (SAFE), aerospace and defence (TSCP).
Further info:
- US - GSA - IDmanagement.gov - FICAM
- IDmanagement.gov - Trust Services
- Provided by service providers that have an identity federation agreement with the U.S. government.
- The services provided rely upon a level of trust to be established with the U.S. government.
- This trust is managed through legal agreements; technology agreements; and regular auditing of the services, procedures, and practices. These agreements and audits are managed by the Federal Public Key Infrastructure (FPKI).
- Overview of Certification Authorities in the FPKI: see the list of PIV CAs and Agencies, or the FPKI Graph.
- IDmanagement.gov - FPKI - Federal PKI
- FPKI tools - including validation and graph
US GOV supported - OIX
- US OIX - Open Identity Exchange - rooted in US GSA/UK
- The Obama administration asked the U.S. General Services Administration (GSA) how to leverage open identity technologies to allow the American public to interact with federal websites such as the National Institutes of Health (NIH), the Social Security Administration (SSA), and the Internal Revenue Service (IRS). At the 2009 RSA Conference, the GSA sought to build a public/private partnership with the OpenID Foundation (OIDF) and the Information Card Foundation (ICF) in order to craft a workable identity information framework that would establish the legal and policy precedents needed to establish trust for OpenID transactions.
- The partnership eventually developed a trust framework model. Further meetings were held at the Internet Identity Workshop in November 2009, which resulted in OIDF and ICF forming a Joint Steering Committee. The committee’s task was to study the best implementation options for the newly created framework.
- The US Chief Information Officer recommended the formation of a non-profit corporation, the Open Identity Exchange (OIX). In January 2010, the OIDF and ICF approved grants to fund the creation of the Open Identity Exchange. OIX was the first trust framework provider certified by the US Government.
US GOV NSTIC/IDESG
- US - IDESG - Identity Ecosystem Steering Group (IDESG) a voluntary, public-private partnership built around NSTIC
- US - Idmanagement.gov - HSPD-12, PIV, ICAM (Identity, Credentials, Access Management), ...
- US - Idecosystem.org - ID Ecosystem Steering Group - the NSTIC ecosystem - IDESG
- US - Idecosystem.org - document repository
- US - Kantara Initiative took over the IDESG role in 2018
- 'Kantara' means "bridge" in Swahili
- offers service providers third-party conformity assessment and assurance approval against NIST SP 800-63-3
- including UMA - User Managed Access
US GOV - DHS
US other
Middle East and Africa
Asia and Pacific
ASEAN
Association of Southeast Asian Nations (ASEAN).
- Akredi - Asian travel wallet, blockchain-based, Azure-cloud
Japan
Japanese Laws and Regulations
The accreditation authorities under the e-Signature Act are the Ministry of Internal Affairs and Communications, the Ministry of Justice and the Ministry of Economy, Trade and Industry. These ministries accredit a Specified Certification Business (SCB) and designate a Designated Investigative Organization (DIO), which audits (the original author's term is "investigates") the SCB. The DIO reports its audit findings to the competent ministry, which then decides whether or not to accredit the SCB.
- Legislation - overview:
- Act on Electronic Signature and Certification Business - Act No. 102 of May 31, 2000
- Enforcement Order on Electronic Signatures and Certification Business
- Implementation Ordinance on Electronic Signatures and Certification Business
- Guidelines on the Accreditation of Specified Certification Business based on the Act on Electronic Signatures and Certification Business
- Policies of the Investigation by Designated Investigative Organization based on the Act on Electronic Signatures and Certification Business
- List of the Accreditation criteria
From ETSI: 'Furthermore, and although not able to compare perfectly, JCAN Trusted Service Registration and ETSI EN 319 403 [i.54] are about the same criterion and therefore can assume a level of equivalence in scope.'
Japanese entities
Cabinet Office
The Japanese Cabinet Office, through its Council for Science, Technology and Innovation (CSTI), leads the national programme SIP (Cross-ministerial Strategic Innovation Promotion Program).
Digital Agency/J-LIS/Kojinbango/JPKI and related
Other
- Japanese Digital Trust Forum
- Japanese Accreditation Body (JAB)
- JIPDEC - Japan Information Processing and Development Center
- JNSA Japanese Network Security Association
- JNSA - electronic signatures
- JP - Information-technology Promotion Agency (IPA) - IT Security Centre - falls under the Ministry of Economy, Trade and Industry (METI), cooperates with JPCERT
- JCAN operated by JIPDEC through GlobalSign JP
- JCAN is a service, offered by GlobalSign, to issue digital certificates
- A JCAN certificate is a certificate for an individual within a company on the Internet, and can be used to certify the organization to which the person belongs, the position, etc.
- JCAN CPS
- GPKI
- Japanese Government PKI (GPKI) - originally CAs per Ministry plus a Bridge CA, later centralised into a Government Shared CA plus LRA and RAs in the Ministries
- Japanese GPKI - OSCA
- The 'Government Position' Certification Authority started operation in September 2007. Since November 2007 it has been cross-certified with a bridge certification authority.
- A bridge CA mediates a relationship of trust (hereafter referred to as "mutual certification") between a certification authority on the side of an administrative agency and a private certification authority, etc. This eliminates the complexity of cross-certifying each pair individually.
India
- IN - Indian UIDA - relying on ISO 19794-X:2005, ISO 19785-1 and IAFIS-IC-0110 (V3) WSQ grey-scale fingerprint image compression specification
- IN - SmartId - one of the enrolment agencies for UIDA, and technology provider
China
Malaysia
- MY - MyKAD EID
- part of the Malaysian Government Multipurpose Card (GMPC) initiative
- introduced by the National Registration Department in 2001
- the first card in the world that incorporates both photo identification and fingerprint biometric data on an embedded chip
- MY - MyKAD EID - Wikipedia
- MY - MyKAD development - MyKadPro
Taiwan
Australia
Russia
- Russia - National Certification Authority