While identity information is definitely the property of the individual, the information is increasingly shared across social networks, commercial services and Government, with or without the individual’s consent. How can we, as individuals, survive in the digital identity world while still being able to utilise our identity information as an asset to our own advantage in a controlled way? How can society - through legal measures, culture and technology - contribute to an environment where privacy and ownership to personal information are respected?
Although the term ‘claim’ is not necessarily used in the papers in this ePractice Journal issue, a claims-based approach is actually the foundation for many of them. Any piece of identity information is released to relying parties as a claim, supported by evidence of certain strength, i.e. assurance level. The relying party must assess the assurance level and determine whether or not this is sufficient to accept the claim. In this interaction, a fundamental property should be that only the necessary information is released; enough to serve the purpose of the individual but not more. These principles should be at the core of the future Single European Digital Identity Community.
At the ‘unique identification of a real identity with high certainty’ end of the identity management scale, we have the paper by Ali al-Khouri, ‘PKI in Government Digital Identity Management Systems’. The paper describes the governmental eID approach of the United Arab Emirates. The Government issues smart cards featuring physical ID, electronic (PKI-based) eID and biometrics with mandatory enrolment of the entire population in conjunction with an identity management system for Government services. This creates a clear foundation for trust and security of eGovernment services. The paper also reminds us that Europe and European countries are not the only ones leading the way in the eID area.
Arne Tauber, Thomas Zefferer and Bernd Zwattendorfer, in their paper ‘Approaching the Challenge of eID Interoperability – An Austrian Perspective’, further contribute to the Government eID story by describing the Austrian eID scheme, which is also based on Government issued eID but allows several eID ‘tokens’ to be used as long as solutions meet defined requirements for security and functionality. An identity management system including privacy enhancement by use of different identifiers for different Government sectors is a central part of this architecture. Furthermore, this paper extends the scope of eGovernment across borders by showing how the Austrian system is smoothly integrated with the pan-European interoperability system piloted by the STORK large scale pilot project.
Another approach at identity management for both eGovernment and other application areas is presented by Jon Shamah’s paper ‘3rd Generation eID – Digital Identity for Widespread National Use and the Opportunities for Revenues’. The paper suggests a ‘3rd generation scheme’ consisting of ecosystems of public and private eID solutions. In this approach, hubs act as ‘identity brokers’ between eID providers (issuers) and service providers. All connected services can be accessed by users of all connected eIDs as long as the assurance level of the eID matches the requirements of the service.
Linking on to the issue of assurance levels, Maurizio Talamo and Christian Schunck contribute the paper ‘Re-thinking the Evaluation of eID Credentials to Simplify Interoperability’. In an eID ecosystem, different credentials must be made interoperable, if necessary by linking them together. The paper describes the conditions to achieve this, such as linking unique identifiers, compatible semantics of attributes and determination of assurance levels for credentials and attributes.
Along the same lines, Tachmasib Dadashev and Moudrick Dadashov, in their paper ‘The Mathematical Model for Classification and Control of Digital Identity Data’, show directions through formal (mathematical) reasoning for combining attributes and creating the basis for a decision on whether or not an ‘identity’ (consisting of a set of properties) belongs in a certain domain or not. Events (desired or undesired, such as a security incident) in a domain, can then involve the members of the domain. An ‘identity’ can be anything from a unique identifier linked to a person, to an anonymous, in principle, set of attributes.
This scale of ‘identity’ from unique identification of a person to anonymity suggests that the link between human and digital identity may not always be needed. Libor Neumann, in his paper ‘Cyber Identity is NOT Human Identity – A System Weakness Analysis of Current eID Technologies’ argues that human and digital (cyber) identities are fundamentally disparate and that they shall be connected only when absolutely necessary. The case of the paper is remote authentication and access control to computer systems, which may only need a cyber-identity with no need of knowing the human identity. The arguments can however be extended to other use cases.
Identity information may be said to have no value on its own. The value comes from the use; what is enabled by good identity schemes. The paper by Daniel Medimorec, ‘SPOCS: Interoperable eGovernment Services in the Context of the Services Directive’, presents the SPOCS large-scale pilot project. Electronic procedures in support of the EU Services Directive by default must be carried out across borders and must encompass use of signed documents, trusted document transfer and storage. Part of the SPOCS approach is the interconnection of existing eDelivery and eSafe solutions to exchange documents across borders.
A clearly related use case is presented by Aitor Orobengoa, Xabier Sabalza and Iñaki Suarez in their paper ‘The Growing Relevance of Electronic Safe Boxes and Electronic Post Boxes as Real Citizen-Centric High Impact eGovernment Services’. The paper shows how document centric communication can be enabled in general. A post box is an endpoint of an eDelivery system (to use the SPOCS term) while a safe box is essentially the same as a SPOCS eSafe. Electronic post boxes will allow people to receive documents (in a wide definition of this term) in a secure and reliable way. Safe boxes, which may be combined with post boxes, will enable people to store and manage their digital documents in a secure and reliable way.
These services themselves may be regarded as high-impact services but the main value lies in the enablement of other trustworthy services from governmental as well as private actors. The content of this ePractice Journal issue spans from practical use cases and experiences, from solutions that are in daily use to papers presenting new theoretical approaches to identity management. All together they contribute interesting reading and good knowledge in the direction of the future single European digital identity community.