MultiPKI Validation Platform for eID and eSignature Services. Miguel Alvarez Rodriguez (Ministry of Public Administrations). Spain
14/08/2007
The Ministry of Public Administrations of Spain, in order to promote eGovernment and encourage the use of the new citizen´s Electronic Identity Card, has set up a MultiPKI Validation Platform (MPVP) that provides free Electronic Identity and Signature Services (eID Services) to eGovernment Applications. These eID services are applicable to all the qualified electronic certificates issued by all the Certification Service Providers accredited in Spain, included the two qualified certificates of the citizen´s eID card. The service is available to all eGovernment applications of the country that can benefit of incorporating eIDs and eSignature functions in their administrative procedures

10 August 2007

Description of the case

Start date - End date

March 2006 To July 2007

Project size

Implementation: €1,000,000-5,000,000. Yearly cost: €1,000,000-5,000,000.

Target Users

Citizen, Administrative

Target Group

The main users of the MPVP service are eGovernment applications and portals of the Spanish Public Administration (at state, regional and local level). These users can benefit of incorporating eIDs and eSignature in their administrative procedures by just connecting their systems to the MPVP services. Currently there are 67 public administrations using these services. Indirectly, end-users are the citizens that benefit of the possibility of using any qualified certificate available in the country to make any eGovenrment transaction (authentication, electronic signature) over the internet, as long as the eGovernment portals are using the MPVP services. This is the current user’s composition: 37 users from the central administration; 12 regional governments and 18 local governments. All of them add-up a total figure of 134 eGovernment services using the MPVP system. As the roll-out of the national eID card is expected to be completed by the end of 2007, it is expected an increasing number of users for the public administration, especially at regional and local level (in Spain there are almost 8000 municipalities).This figure leads up to around 500.000 transactions per month, and it is expected to reach almost 1 million by the end of 2007.

Policy Context

According to the Spanish law 59/2003 of electronic signature, any company set up as a Certification Service Provider (CSP) can issue electronic certificates, which complying with a series of requirements can identify electronically any individual over the internet. At the moment there are a multitude of companies and organisations set up as CSP and, consequently, multiple electronic qualified certificates. The progressive introduction of the national identity electronic document (DNIe) in the national territory required a change at the Government Services Provided by the Public Organisations to guarantee its acceptance as an authentication and eSignature mechanism for citizens.

This multiplicity of certificates, and the lack of interoperability of the latter, forced in 2006 the Ministry of Public Administration (MAP), within its natural competence of promoting and encouraging the development of the Electronic Government, to develop a platform designed to check the electronic identity of a citizen/ business, independently of the type of certifcate that the latter uses in its electronic relations with the Public Administration.

In this context, the MultiPKI validation platform named @firma has established a secure service to verify the state and validity of the qualified certificates used by citizens and companies in any eGov service, among them the ones of the national eID card. This service can validate and handle all the accredited Certification Service Providers in the country, and 69 types of qualified certificates (the vast majority of qualified certificates) from 12 Certification Service Providers. All transactions related to eDocument/ forms signing and verification, citizens and business eID authentication, time stamping services, completion of electronic signatures in log-term formats, etcetera can be requested to the MPVP by any eGov administrative portal.

Multi-channel issues

As the MPVP provides a centralised service aimed to unburden eGovernment applications of all the tasks related to incorporate and validate electronic identifications for citizens when there is a need to authenticate them by means of qualified certificates, or just create and verify the eSignature when citizens are making administrative transactions over the internet with public services, the service is not directly provided for citizens, so multi-channel access to the service it not an issue.

However, the centralised service provides enough eID features to eGovernment portals so they have the possibility to implement new technologies and means of communications for citizens to get access to those eGovernment services, i.e. the use of mobile phones with qualified certificates embedded to perform administrative procedures over the phone itself.

For example, one of the MPVP users is the multi channel Administrative Portal 060 (known as the Administration Internet Portal) with all online services provided by the State Administration. This portal provides access to information related to administrative procedures of all the public administrations in the country and also links to the available eGovernment services in the country. Those services can be accessed through the mobile phone, the internet or just face-to-face in several 060 offices deployed across the country (more information).

Technology

Open source technologies

The platform services have been defined as a Service Oriented Architecture (SOA) based on the following elements:

- Web Services specifications based on WSDL, WS-Security (WSS) and WS-Interoperability (WS-I) Basic Profile v1.1 from OASIS.

- Securization of the Web Services through the use of Binary Security Tokens following the WSS specification with XMLDsig and XADES as eSignature formats.

- Establishment of secure communication channels between the participants through SSL protocol.

- Validation of digital certificates following the OCSP protocol (RFC 2560)

- Cryptographic and ciphering algorithms (symmetric and asymmetric cryptography)

- Use of electronic certificates

- Time Stamping Services (TSA) based on RFC 3161

- eSignature estandards implemented in the Platform: CMS and Advanced and long-term eSignature formats such as: CADeS, XADeS

- Future implementation of OASIS-DSS profiles

for digital signature verification and Time-stamp protocols

 

Impact, innovation and results

Impact

The MAP claims this project as one of the essential pieces for the already ongoing development of the eID and the electronic signature in Spain, and from which all eGov services are already experiencing the benefits, with no cost for them. Today, 134 eGovernment services are actively using the MPVP (37 central administrations; 12 regional and 18 local governments). All major eGoverment services in the country are already using the MPVP services (except the Inland Revenue and the Social Security, with their own validation systems), so the level of penetration of the service related to eGov transactions on eID and eSignature is quite high.

During the month of May 2007, 500.000 transactions were performed by the platform, and the figure is increasing on a monthly basis. By the end of the year the figure is expected to reach a million transactions per month. As the eID national card is being deployed throughout the country, the current level of penetration is low (600.000 eID cards issued out of a total 44 Million population). Next year 6 million citizens will get it.

Having in mind that by 2010 50% of the Spanish Public Procurement must be made by electronic means (eProcurement), that the eGov service suppresses the legal obligation for citizens to present paper photocopies for administrative transactions (already providing 100.000 transactions through the MPVP but expected to double in the next few months), and that 6 million citizens will already be in possession of the eID card, the number of transactions will increase dramatically in 2008, possibly up to 2/3 million transactions per month.

The current ROI, having in mind the technical investment and the number of transactions performed by the service, shows the following balance:

- Investment during 2006 + 2007: 3,5 mill €

- Transactions already made: 3 million (end May 2007)

- Expected figures: 8,2 million transactions expected by the end of the first year.

- Cost per transaction at the moment: 0,43 €

This means a cost-effective service, much rational than a distributed structure with all public administrations having to develop and implement SW modules to handle eSignature creation/ verification and certificates validations against all CSP in the country. A realistic assumption is to estimate a total cost of 3 € per traditional administrative transaction, having to move phisically to the office (papercost, time spent by the civil servant, time spent by the citizen or business company…). Taking into account the cost of investment for developing each eGov service, it appears quite a large margin to assume that the ROI for the MPVP has already been met.

With a population of 44 million, a 100% penetration of eIDs card in the medium term, only 20% of it making eGov transactions in the next few years (low profile assumption) and 5 transactions per year, the estimation adds up to 44 million transactions per year. As the system must also count with companies and civil servants making eGov transactions, the figure could increase up to 60 million transactions per year. With these estimated figures, the unitary cost per transaction will be reduced to 0,07 € per transaction, assuming also expenses of 4 million € per year as the service must improve to be able to handle the increased number of transactions.

The conclusion is that total cost for the Public Administration of having the centralized service when 60 million transactions are performed per year, will be rather negligible as eID and eSiganture will penetrate and serve to the vast majority of eGov services.

Innovation

The MultiPKI Validation Platform is the first major centralised service aimed at providing free horizontal electronic services to all the public administrations of the country. This is really an exceptional case in Spain, where already 134 eGovernment services are actively using the validation system (37 public authorities from the central administration; 12 regional governments and 18 local governments).

This approach is a rational and cost effective one. According to the EU directive, the number of CSP cannot be restrictive. By the means of a centralised service that can provide validation services of all the CSP established in the country, and in the future other EU´s CSP, public administrations do not need to invest in technical infrastructure, computing/ servers and communications in order to interconnect their systems to each CSP to get access to the validation services, neither they need to develop PKI and crypto-tools in order to handle eSignature verification or digital certificates validations.

The platform also provides a Support Desktop where all the public administrations can get technical help in order to get access and use the services. Besides, all users can participate actively in various groups which define the new functionalities to incorporate in the centralised service, or following a free software philosophy get access to the software developments behind the validation services if they wished to set up their own MPVP in their premises for their needs.

Track record of sharing

In order to create a European interoperable eID Management by 2010 allowing the mutual recognition of other country’s eID and eSignatures, the MPVP is a good case to extend to the rest of Europe as a proxy or centralised national eID verification service.

Other countries could also create a common and centralised eID and eSignatures service for their own eGovernment applications existing within their borders in a rational and cost effective way. Also, the existence of a national eID Service in each country would help to create a European eID Management scheme where each nation would offer and exchange eID and eSignature verification services of their nationals living abroad through the interconnection of the various national front-end services, helping to create and deploy pan European eGovernment services and also the free movement of citizens and companies.

Management approach

The project is run and managed by the Ministry of Public Administrations of Spain. All the SW developments that are the basis of the services provided by the MPVP are subcontracted to Telvent Interactive, but the copyright is kept for all the Public Administration in the country.

The original SW coding was carried out by the Regional Government of Andalusia, which later on freely released the SW codification to the Ministry of Public Administrations that took over the initial developments in order to develop and set up the MPVP.

On the other hand, central and regional public administrations can actively participate in various groups that define the service roadmap, such as enhancements and new functionalities to be incorporated in the centralised service or, following a free software philosophy, get access to the software developments product behind the validation services if they wished to set up their own MPVP in their premises for their specific needs.

Lessons learnt

- The MPVP has already being pointed out by the EU Commission in the context of the IDABC Preliminary study on Mutual Recognition of eSignatures for eGovernment Applications across Europe, as a very good example of efficient validation for eSignature: "The limited number of supported CSPs is a major barrier to interoperability. If every application would have to support all European established CSPs, the situation will quickly become unmanageable. A very good example of efficient validation has been set-up in Spain. The way how Spain has solved the validation problematic would certainly be a good practice to take into account at the European level".

- This centralised building up approach to create a common service providing eID and eSignature features to eGovernment applications has been proved to be a rational and cost effective approach and a key enabler for the eID in Spain. It has unburden eGovernment applications of the hard tasks of developing SW modules to deal with the creation/ verification of the eSignature, the handling of crypto libraries, CRL and OCSP protocols for the verification of digital certificates or the need of physical network connection to all Certification Service Providers of the country.