European Electronic Identity Practices Country Update of Finland Speaker: Päivi Pösö Date:
CA organisation Responsible CA organisation: Population Register Centre (PRC) The background of the organisation: PRC operates under the Ministry of the Interior Description of the existing CA infrastructure: PRC is the CA in the public sector. We have outsourced the ICT technology.
Status of National legislation on eID The position of PRC as the CA is based on the Population Register Act. PRC shall ensure that the parties of certified electronic transactions can be authenticated and that messages and documents can be electronically signed and enciphered.
Status of National legislation on eID In Finland the police issue the ID cards and PRC the citizen certificates in these. PRC may issue citizen certificates also for other cards or technical means. Certificates are quality certificates based on the Act of Electronic Signatures.
Status of National legislation on eID Are eID specific regulations enacted and in place? Yes - The Population Information Act and Decree (1993) - The Identity Card Act (1999) - Act on Electronic Services and Communication in the Public Sector (2003) - Directive on Electronic Signatures - Act on Electronic Signatures (2003)
Status of National deployment of eID Co-operation with telecommunication operators: citizen certificate in SIM card. Easy to use, no additional equipment.
Status of National deployment of eID Is the card obligatory? No Starting date of issuance:
Status of National deployment of eID Number of citizen certificates issued by : issued, at the moment valid cards Number of inhabitants: Yearly growth rate (percentage): Expected number of cards/eID certs by end of 2007:
Status of national deployment of eID Basic functionalities of the eID card: - official ID document: Yes - European travel document: Yes - support of on-line access to e-Services: Yes - social security information on the card: Yes Validity period of the card/certificates: 5 years
Status of national deployment of eID Price in Euros of the cards: - for the citizen: 40 - for the card issuer: 40 - price for the card reader and software: 20 – 40 - any additional costs for the user/relying party: No additional costs From whom and how may the citizen obtain the end-user packages: PC-stores
Basic ID function What cardholder data is electronically stored in the card: - national identifier - family name, given name - (optional)
Basic ID function Are these data elements in a dedicated data file? No - Is the file openly accessible? No - If not, how is the file protected? PIN - Does the data file comply with the ICAO LDS? Yes Is the personal data (also) held in a certificate? Yes
Basic Authentication function What Cardholder Verification mechanism is used: - PIN? Yes - Biometrics? No - Is introduction of biometrics envisioned? Under survey, not active Is there a PKI supported cardholder authentication mechanism? Yes Is there a mutual device authentication mechanism? No
Basic Signing function Is a PKI supported signing mechanism (certificate and key pair) present for e-transaction services (non-repudiation)? Yes - The card holder's authentication certificate - The card holder's digital signature certificate - PRC's CA certificate
eID based services What kind of services (include examples) are accessible to cardholders based on acceptance of the cards / eID Certificates:
eID based services Examples of service providers using the FINEID card: Tax administration, Several Cities, Several Insurance Companies, OKO Bank, Social Insurance Institution, Electronic Forms Finland – service, The Finnish Defence Forces
eID based services Total number of eID based services accessible by cardholders by : Over 50 Goal (in numbers/ percentage) of eID based services to be accessible to cardholders by the end of 2007: At least 200
eAuthentication Business models; financial What are the Charging/Revenue mechanisms? eID card costs 40 What charges are levied for use of the card? Free of charge Is there a charge for checking certificates? No Has a cost benefit analysis been compiled for the eID scheme? This is the basic infrastructure in Finland Is there a study report available? No
eAuthentication Business models; public/private partnership Are non government bodies allowed to use the IAS or other card functions in support of their services? Yes Is the card a multi-application smart card? No - If No, are there any plans for this and in what timeframe? - Co-operation with cities and municipalities
eAuthentication Business models; public/private partnership What is the level of usage of supported services (number of transactions per card per year)? - No reliable studies of this What is the approach to and experience with card branding? There is information and logos of the Social Insurance Institute of Finland and cities/municipalities
eAuthentication Business models; cross border usage Are there agreements with other national smart card issuers for mutual recognition of cards? (Status of Memorandum of Understanding (MOU) with other CAs): MOU was made with Estonia in Co-operation is under preparation in TIFI project with many countries.
Other Interoperability issues What is the level of Current Compliance with each of the following international standards or group activities (Full/Planned/None): - CWA eAuthentication (under development): planned - CWA Secure Signature creation device: planned - CEN 224 –15 European Citizen Card (under development): none - ISO/IEC JTC1 SC 37 biometric standards: none - ICAO recommendations: all
Current use and plans in Biometrics (if applicable) Technical solution(s): Type of project(s): Application areas: –Under survey, based on the experiences coming from the biometric passport.
Lessons learned so far Prerequisites for success easy to use social and health care services broad, cross-administrative co-operation co-operation with the private sector supporting and guiding service providers
Next plans: Biometric passport in co-operation with the Ministry of Interior, Police Department; Co-operation with teleoperators and banks to have the citizen certificates on their platforms – already with one bank and one operator; 64k Java chips on the first of June 2005; Co-operation with cities and municipalities
Porvoo Group cooperation issues List of issues to be overcome: Open Source Card reader software? Could this be an easier way for pan-European usage? The collision of the RSA algorithm at the moment. What will be the next step – elliptic curve cryptography? Should we try to study this more?
More information Web-pages eID issues: Thank You!