Certification service and electronic identification – PKI in Slovenian government

Aleš Pelan, M.Sc.
Directorate for e-Government and Administrative Processes
Ministry of Public Administration, Republic of Slovenia
Tržaška cesta 21, 1000 Ljubljana
www.mju.gov.si, e: gp.mju@gov.si, t: 01 478 83 30, f: 01 478 83 31
Digital Certificate

Digital certificate = a modern alternative to old-fashioned forms of identification

Content:
- Name and surname of the holder
- Unique number
- Public key
- E-mail address
- ......

Certified by the certificate authority.

Example:
DN: cn=Ales Pelan, ou=certificates, o=state-institutions, c=si
Serial #: 8391037
Start: 15/7/2008 14:20
End: 15/7/2013 14:50
E-mail: Ales.Pelan@gov.si
Key:
CA DN: ou=SIGOV-CA, c=SI
Legal Bases for Digital Certificates

- Electronic Commerce and Electronic Signature Act (2001, amended in 2004)
- Decree on Conditions for Electronic Commerce and Electronic Signing
- Personal Data Protection Act
- Secret Data Protection Act
- CA Policy (public and internal part of rules)
Register of CSPs (Certificate Service Providers)

- Regulated in ECESA (electronic, digitally signed form)
- Managed by the Ministry of Higher Education, Science and Technology
- Basis for certificate-based e-services in Slovenia (instead of cross-certification)
- 5 CSPs issuing qualified certificates:
  - SI*CA (CA at MPA)
  - HALCOM CA
  - AC NLB
  - POŠTA CA
  - SI-MoD-CA
SI*CA: Slovenian Governmental Certification Authority; Slovenian General
SI*CA: Slovenian Time Stamping Authority; Country Signing Certification Authority Slovenia
Types of digital certificates Enterprise certificates Web certificates Encryption/decryption Digital signature Authentication Secure delete Web communication e-mail Web communication (SSL, TLS) e-mail (S/MIME) Usage private public Validity of keys 3 years en./de., signature 5 years authentication Characteristics Valid for 5 years No automatic extension of validity Automatic extension of validity Keeping of decryption keys
Types of digital certificates Public administration Natural and legal persons Enterprise certificates: employees organizational units servers TSA systems Enterprise certificates : employees organizational units servers Web certificates : employees organizational units servers code signers OCSP responders Web certificates: employees organizational units servers code signers citizens
SIGEN-CA public directory (digital certificates & CRL)

X500.gov.si (LDAP, HTTP access)

c=si
  o=state-institutions
    ou=sigen-ca
      ou=companies
        firma1, firma2, firma3, …
      ou=companies-web
        firma1, firma2, firma3, …
      ou=individuals
Data of certificate holders and legal persons

Connection table:

Serial number of        Holder's        Holder's      ID number of    Tax number of
digital certificate     ID number       tax number    legal person    legal person
2345680712012           1103986715158   95962158      5874483000      28232801
2345680812017           1903969500853   32542186      5874483000      28232801
2345680912011           0104971500476   89159659      1358561000      33714789
2345681012014           0504953500645   16186575      1358561000      33714789
2345681112019           5119645002051   98783653      1358561000      33714789
2345681212013           2307976500283   11745889      5874424000      40016803
2345681312018           1403966500019   25978977      5874424000      40016803
…

Access for services:
- legal basis
- agreement

Levels of access:
- data acquisition
- data validation
Registration authority

[Diagram; labels: SI*CA Policy, Application, Registration authority, SIGOV-CA, SIGEN-CA, Applicant, Reference number, Authorization code, DC holder]
Registration authority

[Diagram; labels: SI*CA, Public Administration, MPA, Administrative units (68), Citizens, Embassies & Consulates (45), Legal persons, Tax offices (24)]
SI*CA certificates in e-services

- e-Government (e-SPA, OSS, e-taxes, Intrastat, e-notary, e-reporting, e-geodetic data, e-farm …)
- e-banking (Abanet, e-Banka Celje, DBS NET, Bank@Net, Dh-Plus, E-LON, KaD.Net …)
- e-businesses (SiOL, Elektro Ljubljana, Mobitel, miniMAX, EBA …)
- other (e-student, M servis …)
SI-TSA (Slovenian Time-Stamp Authority)

A trusted time stamp is an electronically signed certificate from a certifying authority that confirms data content at the stated time.

SI-TSA:
- Issues trusted time stamps for applications;
- Intended for public administration institutions and businesses (agreement);
- Interface: Web service (SOAP) and RFC 3161 ASN.1 service.
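Added example (not part of the original slides and not SI-TSA code): the request a client would send to an RFC 3161 ASN.1 time-stamping interface such as the one named above, built by hand in DER so the fields are visible. It shows that only a hash of the data leaves the client; the sample document, the nonce value and the function names are constructed for illustration.

```python
import hashlib

# DER encoding of the SHA-256 OID 2.16.840.1.101.3.4.2.1 (tag 0x06, length 9).
SHA256_OID = bytes.fromhex("0609608648016503040201")


def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content


def der_int(value: int) -> bytes:
    """Encode a non-negative INTEGER (a leading zero byte keeps it positive)."""
    return der(0x02, value.to_bytes(value.bit_length() // 8 + 1, "big"))


def build_timestamp_request(data: bytes, nonce: int, cert_req: bool = True) -> bytes:
    """Build an RFC 3161 TimeStampReq for `data` using SHA-256."""
    digest = hashlib.sha256(data).digest()
    algorithm = der(0x30, SHA256_OID + der(0x05, b""))  # AlgorithmIdentifier, NULL params
    imprint = der(0x30, algorithm + der(0x04, digest))  # MessageImprint
    body = der_int(1) + imprint + der_int(nonce)        # version v1, imprint, nonce
    if cert_req:                                        # DEFAULT FALSE is omitted in DER
        body += der(0x01, b"\xff")                      # ask the TSA to include its certificate
    return der(0x30, body)


def message_imprint_digest(request: bytes) -> bytes:
    """Return hashedMessage from a request built above (fixed SHA-256 layout)."""
    # 2 (outer header) + 3 (version) + 2 (imprint header) + 15 (algorithm) + 2 (OCTET STRING header)
    return request[24:56]


if __name__ == "__main__":
    # Constructed sample input; a real client would use a fresh random nonce.
    document = b"constructed sample document to be time-stamped"
    req = build_timestamp_request(document, nonce=0x1122334455667788)
    print(len(req), "bytes:", req.hex())
```

The SI-TSA service address is not given on the slides; RFC 3161 defines the HTTP content type application/timestamp-query for carrying such a request, and the client should check that the nonce and message imprint in the response match what it sent.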
CSCA-SI (Country Signing Certification Authority - Slovenia)

- EU Member States must issue passports with biometric identifiers (facial image) after 28 August 2006 - Council Regulation No 2252/2004 of 13 December 2004;
- Countries in the Visa waiver Permanent Program had to fulfill the same requirement by 26 October 2006;
- Biometric data is stored on a contactless radio chip and digitally signed;
- CSCA-SI issues digital certificates for Document Signers in Slovenia;
- Operational since June 2006.
Business issues

- PKI – one of the infrastructural services at MPA
- availability of services:
  - free services for government and citizens
  - payable services for legal persons (16.000 contracts, 300.000 EUR of yearly income)
- maintenance costs:
  - usually as a percentage of purchase price
  - monthly cost per CA approx. 5.000 EUR (covering HW and SW for core CA and RA services; no costs for business premises, common infrastructure and employees included)
Critical success factors

- suitable internal organization
- compulsory policy documents (CP, CPS…)
- pre-defined standard procedures
- strict division of responsibilities/roles
- min two employees per role
- trained staff (min 9 persons for 8 roles to be correctly covered)
- integration of certificates in e-services:
  - test PKI environment
  - tool for creating dig. signatures (XML/PDF)
  - CA certificates in web browsers (IE, FF…)
And the future?

- web RA: autoregistration, identification by Post
- m-PKI: certificates on mobile phones
- CVCA-SI: e-passports with fingerprints, CVCA -> DV -> IS
- e-ID: e-gov functionality (digital certificates), project currently on-hold
Any further questions: Ales.Pelan@gov.si

Additional information: http://www.gov.si/ca/eng/index.htm, sigov-ca@gov.si