Authentication, digital signatures and PKI issues - Part 1 - Archive
Argentina Digital Signature
Law - This site provided by the Argentinean Government provides
information about the Law of Digital Signature, which has been
promulgated in December of 2001. It also explains how to obtain a
digital certificate. The site is in Spanish and English.
Electronic Authentication. Industry Canada, 22 April 2004. "Authentication is a process that attests to the attributes of participants in an electronic communication or to the integrity of the communication. All Canadians - individuals, businesses, and governments - share an interest in ensuring that electronic communications are secure..."
- Lucienne Robillard Launches Electronic Authentication Principles. OTTAWA, Canada News Wire, May 13, 2004 -- "The Honourable Lucienne Robillard, Minister of Industry and Minister responsible for the Economic Development Agency of Canada for the Regions of Quebec, today announced the Government of Canada's latest action to build trust in a digital environment in the 21st century economy with the launch of Principles for Electronic Authentication..."
for Democracy and Technology - Authentication Privacy Principles Working Group,
July 14, 2003. "Interest in authentication systems has increased dramatically
over the last two years. But widespread adoption of the technologies will only
occur if individuals trust that strong privacy and security protections have
been built into authentication systems..."
The Digital Object Identifier System - is an
identification system for intellectual property in the digital environment.
Developed by the International DOI Foundation on behalf of the publishing industry,
its goals are to provide a framework for managing intellectual content, link
customers with publishers, facilitate electronic commerce, and enable automated
try digital watermarking, By Brian Robinson. Government e-Business, May
30, 2003. "Vermont and New Jersey are the first states to consider using
digital watermarking to secure driver's licenses -- something that's become
a matter of urgency in the wake of a nationwide explosion of identity theft..."
Electronic Government: Towards New Forms of Authentication, Citizenship and Governance, by Miriam Lips (OII), John Taylor (Caledonian Business School & OII) & Joe Organ (OII) - Oxford Internet Institute (OII) - in pdf format. (This document requires the use of Adobe Acrobat Reader) (113kb) "This paper is grounded in empirical work derived from an ESRC-sponsored research project conducted by the authors and based at the Oxford Internet Institute (OII), entitled 'Personal Identification and Identity Management in New Modes of e-Government' (reference: RES-341-25-0028)..."
Authentication Is No Longer Optional, By Kirill Popov and Loren McDonald Clickz, July 7, 2004. "E-mail authentication services have arrived, and they're taking hold fast. Both the Federal Trade Commission (FTC) and the Anti-Spam Technical Alliance (ASTA) of companies such as Microsoft, Yahoo!, EarthLink, and AOL have made their positions clear: The next major step in the coordinated war on spam must address the fraud-prone nature of current e-mail technology..."
E-mail sender authentication: It works but doesn’t stop spam, By William Jackson. Government Computer News, 31 August 2004. "A growing number of companies are using e-mail authentication protocols to help verify the Internet domain in an e-mail sender’s address, but that is not keeping spam out of mailboxes..."
E-mail authentication: Cost, standards remain problems, by Grant Gross. IDG News Service, 11 November 2004. "E-mail authentication can help fight the growing spam e-mail problem, but vendors need to come up with a single, open standard to avoid confusion and crippling costs for small ISPs (Internet service providers), participants in a U.S. government summit said Wednesday..."
- EEMA unifies EU member states on e-Sig directive - EEMA (the European
forum for electronic business) will bring together legal experts from more
than 18 European countries at the QEII conference centre in London on September
25 to compare the differing interpretations and states of implementation of
the European Electronic Signatures Directive, which should have been introduced
into the law of each European country by July 19 2001.
- The European Electronic Signature Directive was introduced by the European
Commission to ensure that electronic signatures (every kind of electronic
authentication attached to, or logically associated with other electronic
data) should be able to have the same legal validity as a hand-written
signature. This could include biometric authentication, Message Authentication
Codes (MAC), public key authentication schemes and even the typed name
at the end of an e-mail. The resulting 'qualified' electronic signature
needs to be based on a certificate that meets specific requirements and
has to be generated with a secure signature-creation device. [pdf] (124kb) (To view
this document you will need to have Acrobat Reader
installed on your computer)
signatures set for Europe. Europemedia, 15 August 2002. "Digital signatures
will have legal recognition throughout Europe from next month...."
law may take years to be accepted. Europemedia, 2 September 2002. "The
recently introduced E-signature law will do little to change prevailing business
practices and it may be years before it is accepted by consumers and businesses,
according a report by the Warsaw Business Journal...."
progress identified in e-ID projects across Europe. eGovernment News –
19 June 2003 – EU & Europe-wide – e-Identification. "The
largest-ever expert meeting on the subject of electronic identity in Europe
took place in Oslo (Norway) in late May, when 61 government and private sector
specialists from 18 countries gathered for the third international conference
of the Porvoo e-ID Group..."
European Electronic Signature Standardisation Initiative (EESSI) open meeting:
"European Signatures vs Global Signatures". June 30, 2003. "The
current status of the IDA bridge CA project was presented at the EESSI international
open meeting "European Signatures vs Global Signatures". The
meeting, held in Rome on 7 April 2003, was co-organised by the ICT Standards
Board and InfoCamere, the informatics company of the Italian chambers of commerce
3: Way forward for e-ID in Europe -- Electronic-Identity.org, 16June
2003. "The third international conference of the Porvoo e-ID Group
was arranged in Oslo, Norway, in late May. The meeting resulted in the
highest number ever of Government and private sector specialists assembled
on the subject of electronic identity in Europe - 61 individuals from
18 countries. Way forward for electronic identity (e-ID *) in Europe.
The third international conference of the Porvoo e-ID group - Substantial
progress in e-ID projects across Europe..."
of a blueprint for electronic identification projects in Europe. eGovernment
News – 10 June 2003 – EU & Europe-wide – e-Identification.
"The European Commission-supported consortium “eEurope Smart
Card” (eESC) has released the final version of its Electronic Identity
White Paper, providing insight and recommendations for the development
of interoperable electronic identity cards in the EU Member States..."
Identity White Paper, final version - in pdf formt. (To view this
document you will need to have Acrobat
Reader installed on your computer) (1.745mb)
- Trust List Usage Recommendations for a Bridge/Gateway CA Pilot for Public Administrations. Auteur: Bart Callens – Product Manager Certipost, Modification date 12 September 2003. Version: 1.0 - in pdf format. (This document requires the use of Adobe Acrobat Reader) (1576kb) "Purpose of this study is to define recommendations on the usage of Trust Lists within the Bridge/Gateway CA Pilot project. Therefore, suggestions for an acceptable Trust Model, based on interview results from a previous study  are proposed. Existing standards and application support are also investigated. The conclusion of this study is that one preferably makes use of the emerging TSL (ETSI TS STF 220-1) standard for use within the Bridge/gateway CA Pilot, as this standard incorporates the requirements following to the European Directive on digital Signatures and is as such most likely to be accepted and pushed within the different member states..."
- Use of e-signatures for e-government applications needs to be more consistent across Europe, finds new research. eGovernment News – 29 October 2003 – EU & Europe-wide – eIdentification/Legal aspects. "The European Commission has released on 20/10/2003 a detailed report on “Legal and market aspects of electronic signatures”, which brings some new insight regarding the use of electronic signatures in the EU, among other things for e-government services..."
- EU builds online 'backbone'. Kablenet, 29 April 2004. "Europe has a new scheme aimed at identifying and authenticating e-services users. The European Commission has awarded a contract to a group of businesses and academic bodies for developing an e-government "backbone" across the continent..."
- EU plans single open architecture for European identity authentication & IDs. Public Technology, 30 April 2004. "A consortium of leading European businesses and academic institutions has signed a contract with the European Commission to conduct research into the development of a simple, coherent and interoperable electronic identification and authentication architecture to underpin e-government applications in the EU and beyond..."
GUIDE - Creating a European Identity Management Architecture for eGovernment - Overview - "GUIDE is conducting research and technological development with the aim of creating an architecture for secure and interoperable e-government electronic identity services and transactions for Europe . The project's approach is multi-disciplinary and includes technology, procedural and policy development across Europe . GUIDE consists of 23 organisations from 13 countries. GUIDE's vision is to enable Europe to become the global leader of e-government services through the creation of an open architecture for identity authentication..."
and Policy Forum
Analysis of International Electronic and Digital Signature
Implementation Initiatives A Study Prepared for the Internet
Law and Policy Forum (ILPF) September, 2000 - "Many jurisdictions
have been setting up implementation schemes designed to provide
technical guidance to allow the general legal framework for
electronic authentication to work in practice. Such schemes may
include (1) national and international standards for electronic
authentication products and services; (2) regulatory schemes for
the supervision, accreditation, and certification of particular
authentication products and services; and (3) guidelines, best
practices, and similar documentation for the operation of
electronic authentication systems. Such schemes may be set forth in
national legislation, international or regional regulatory
principles, guidelines drafted by commercial or policy
organizations, or other initiatives.... "
The Role Of
Certification Authorities In Consumer Transactions: A Report Of
The Ilpf Working Group On Certification Authority Practices Draft,
Dated April 14, 1997 - This Report represents a preliminary
analysis of certain questions relating to legal issues involved in
the emerging service business of certification authorities,
particularly those arising in consumer transactions. The scope of
this Report has been limited intentionally to focus on the selected
legal environment in the United States, although additional
information has been provided on German law, the directives of the
European Commission and laws in other jurisdictions. In addition,
this Report only addresses consumer transactions taking place in an
"open system," where a CA provides services to any consumer
desiring services without regard to the contractual obligations
between the consumer or the merchant and any payment system.
Liberty Alliance Project - http://www.projectliberty.org/
agencies join digital ID alliance, By Rutrell Yasin. Federal Computer
Week, March 5, 2003. "Two leading federal agencies have joined an alliance
of organizations working to address digital identity challenges..."
Liberty bid gets fed support, by Jim Hu, ZDNet Australia, March 6, 2003.
"The US General Services Administration and the Department of Defense
on Wednesday announced that they will join the Liberty Alliance Project, which
aims to standardise Web authentication..."
Alliance Gains More Support - Government agencies are the latest to back Web
identity standard, by Scarlet Pruitt, IDG News Service, PC World, March
7, 2003. "The U.S. General Services Administration and the U.S. Department
of Defense have become some of the latest members to join the Liberty Alliance
Project for implementing open standards for identity management on the Web..."
The National Electronic Authentication Council (NEAC) has been
established by the Government to enhance business and consumer
confidence in e-commerce through overseeing the development of a
national framework for electronic authentication of online
communications. In particular, NEAC will provide a national focal
point on authentication matters, encourage interoperability between
different systems and the development of relevant technical standards
and provide information and advice to industry, government and
NEAC has released two reports that provide advice and information on
the key issues of the legal liability of electronic authentication
transactions, and on the integration of Business E-Commerce systems
and the use of authentication technologies in electronic transactions.
National Identification System
Raising the platform, by Jack Schofield. The Guardian, June 2, 2005. "Right after New Labour re-announced its plans for a national eID (electronic identity) card, Hewlett-Packard launched an all purpose platform called NIS (National Identification System) and flew a dozen of us journalists to Geneva for a four-hour press conference..."
- Public Key Infrastructure (PKI) for the Dutch Government - Selected
Radings on Aspects and Trends of eGovernment in the EU - "The Dutch government's
Public Key Infrastructure Task Force http://www.pkioverheid.nl is preparing
the way for the full introduction of a public key infrastructure (PKI) by
the end of 2002. This infrastructure is intended for almost all types of secure
interchange and transactions with the government in public sector communications.
These communications will include exchanges between government agencies and
the public, government and the business community and between government agencies
- Dutch Government to build PKI-based authentication gateway. eGovernment News – 28 October 2003 – Netherlands – Identification & Authentication. "The US government may have abandoned its plans for an e-authentication gateway, but not everybody in Europe has yet given up on the idea of building a central authentication infrastructure for online government services. The Dutch Government has indeed announced plans for a PKI-based middleware infrastructure designed to provide secure access to e-government services for citizens and businesses..."
Oasis (Organization for the Advancement of Structured Information Standards)
- Action plan developed for PKI adoption, by Ryan B. Patrick, Computerworld, 25 March 2004. "An e-business standards watchdog last month unveiled a comprehensive action plan aimed at kickstarting the adoption of Public Key Infrastructure (PKI) technology. The OASIS (Organization for the Advancement of Structured Information Standards) PKI Action Plan builds on the results of a series of surveys conducted by the OASIS PKI Technical Committee with IT staff who have deployed or attempted to deploy it..."
Public Access Control to
Electronic Information: Final report approved by steering
committee on 17th December 1997. Report of consultancy undertaken for
Multimedia Victoria by Professor Ron Sacks-Davis, Dr James Thom, Dr
Justin Zobel, from RMIT Multimedia Database Systems.
The Electronic Service Delivery (ESD) project of the Victorian
Government breaks new ground in public access to electronic
information. The vision of the project sees citizens remotely
accessing a wide range of information held by government and
non-government agencies, including personal information about those
individuals. Access to this information needs to be controlled, to
allow individuals to easily access their own information while
providing adequate privacy protection. While it is desirable to adapt
existing manual systems for access control, they frequently rely on
ad-hoc procedures (such as assessing trustworthiness from face-to-face
interaction) that do not easily translate to an electronic
environment. In this report, procedures and guidelines for controlling
public access to electronic information are presented.
The report identifies categories of information that contain sensitive
Information for which no user authentication is required, such as
accessing a public registers, and
Information for which access control is required, containing
sensitive information pertaining to an individual or company.
Although public registers must be made available to the general public, this
report identifies privacy concerns that arise if unrestricted online searching
of public registers is permitted. The report identifies techniques for limiting
search capabilities to restrict access, and recommends this as an area for further
study so that privacy concerns can be minimised and both current practices and
public confidence with respect to access to public registers can be maintained.
To develop access control procedures for transactions involving
information relating to an individual or company, the report
recommends that a distinction be made between establishing the
information that is to be accessed, called data identification, and
establishing who is undertaking the transaction, called user
authentication. The report identifies and classifies techniques that
can be used for data identification and for user authentication. These
techniques can be used by agencies for the purposes of providing
access control for electronic transactions. By distinguishing data
identification from user authentication, the issues of access control
are clarified and it is easier to develop access control mechanisms
that provide secure access to the right information.
To establish a uniform approach to access control by Government
agencies, consideration needs to be given as to whether the number and
use of unique user identifiers needs to be controlled and to what
extent centralised coordination of user access control mechanisms is
useful. Four options for data identification are presented in the
report and each of these options is evaluated on the basis of their
ability to identify relevant data, protect the privacy of individuals,
be commercially viable, be easy to adopt by government agencies, and
be easily used by the public. These options were presented to a
workshop of the steering committee and two of the options were
recommended as preferred approaches, namely:
A distributed scheme of agency-allocated unique identifiers, and
Schemes for which no unique identifiers are required.
Currently, individuals are assigned many unique identifiers, such as credit
card numbers, account numbers, and licence numbers; the distributed solution
provides for this practice to continue in an electronic delivery environment.
It will be possible to store many of these identifiers on a smart card; to safeguard
data privacy, it is recommended that these identifiers be encrypted using both
the agency's key and the citizen's key. With these techniques, government
agencies will be able to continue to use their current means of data identification,
these identifiers will remain confidential between the citizen and the respective
agencies, and other data privacy risks, such as data matching, will be minimised.
The schemes for which no unique identifiers are required permit
agencies to continue to use other current means of data
identification, but require the agencies to develop data matching
algorithms. These are not always reliable and involve manual checking
in some certain circumstances.
Identification schemes based on the use of a small number of unique
identifiers or requiring a centralised database for their management
were not recommended for adoption, due to concerns about risks to data
Guidelines for agencies to develop access control mechanisms are
presented in the report. The recommended approach involves the
Background and familiarisation with the issues,
Analysis of data and transactions,
Determination of the category of information involved,
Establishment of data identification requirements,
Establishment of user authentication requirements, and
Review of data identification and user authentication to confirm
whether the agency is able to determine that the user has the
authority undertake the transaction.
To determine the level of access control required for a given transaction,
the recommended procedure is based on first determining how the correct data
will be identified and then determining how the user will be authenticated.
Since data identification usually provides some knowledge about the likely user,
the approach presented in the report for authenticating the user is based on
using this knowledge and augmenting it only when it is necessary.
Security Assertion Markup Language (SAML)
Show Us Your ID - The proliferation of distributed Web-based applications complicates the task of identifying online users. SAML might be the answer, By Tod Newcombe. Government Technology, July 2004. "For years, counties have struggled to automate one of government's most paper-intensive transactions. The recording of land documents leapt forward in the mid-1990s when imaging technology first turned paper deeds, titles and releases into digital images that could be electronically captured, indexed, stored and retrieved at will..."
Ministry e-identifies its employees. eGovernment News – 18 July 2003
– Spain – eIdentification. "The Ministry of Economy is the
first organisation of the Spanish central administration to have fully incorporated
digital identification in its internal processes, it was announced on 8/07/2003..."
Spanish Government approves new bill on electronic signature. eGovernment News – 17 June 2003 – Spain – e-Identification. "The Spanish Council of Ministers has approved on 6/6/2003 a new bill on electronic signature, designed to promote a more widespread use of the digital signature for e-commerce and e-government. The legislation was drafted by the Ministry of Science and Technology in collaboration with the Ministries of Public Administration, Economy, Interior and Justice. It draws on the experience and advances made since the introduction of the Royal Decree on Electronic Signature of 1999..."
Spanish Parliament approves e-signature law. eGovernment News – 12 December 2003 – Spain – Legal aspects. "The Spanish Parliament approved on 11/12/2003 a new law on electronic signatures. The legislation, drafted by the Ministry of Science and Technology in collaboration with the Ministries of Public Administration, Economy, Interior and Justice, aims at promoting a more widespread use of digital signatures for e-commerce and e-government..."
Sweden - Using Electronic ID Cards - A guide for
users and Application Developers
The Swedish public sector has been working on a EID concept for some
years (http://www.seis.se/), but so
far the visible outcome has been restricted to the Customs' and IRS'
communications with industry. The EID card shall support three basic
Strong user authentication
Confidentiality for messages and communication using encryption
Digital signatures for message authentication, data integrity and
The purpose of the guide is to provide information on the EID card - what it
is, how it works and where it can be used. The guide is organised as follows:
1. Basic functions of the Electronic ID card, as well as the concepts
of digital certificates and electronic identiy document.
2. Concept of Public key Infrastructure - PKI
3. The basics of the technology upon which the security of the EID
card application rests including:
how to perform strong authentication
how confidentiality of sensitive information is supported
how digital signautres are created and verified
4. How additional application certificates may be added to the EID
5. Examples of application areas for the EID card.
Transport Accident Commission
Public key infrastructure for TAC
- secure messaging and legal validity for electronic documents.
Presentation to Multimedia Victoria, 9 June 2000. (ppt97 2.77mb)
- Cards on the table, Kablenet, 10 October 2001. "The UK's smartcard
policy group is finally getting down to work..."
- HMG's minimum requirements for the verification of the identity of individuals.
Version 1.1, 12 February 2002. (E-government strategy framework policy
and guidelines). Draft for public Consultation. This note describe's HMG's
minimum requirements for the Validation and Verification of an individual's
identity as part of the process of issuing a digital certificate or a PIN
or Password for use with e-government services.
- Digital certificates fail
government project, By Andy McCue. Vnunet.com, 20 June 2002. "The government
is looking at alternative technology for authenticating users of its online
services following the failure of digital certificates to take off. ..."
e-Envoy gets on with ID. Kablenet, 5 July 2002. "The UKs Office
of the e-Envoy has made its own contribution to the thorny issue of identity..."
- Bacs PKI tipped as security
standard, By Sarah Arnott. vnunet, 12 September 2002. "Clearing house
develops smartcard-based security system. A Public Key Infrastructure (PKI)
security system developed by clearing house Bacs is likely to become the online
trading standard for UK business...."
signs on the digital line. Kablenet, 18 November 2002. "Two UK Government
agencies are ready to use digital signatures -- the first initiative of its
kind within Whitehall..."
New e-authentication scheme unveiled. eGovernment News - 17 March 2003.
"A new e-authentication scheme was recently unveiled by Telecommunications
company British Telecom (BT) and data management software provider GB Group.
The new system, called URU (pronounced “You Are You”), is a web
service that takes the identification details provided by an individual and
compares them to a range of reference information..."
is 'not working'. Kablenet, 12 June 2003. "Inadequate technology
for online transactions is a 'huge problem' for those in charge of e-government,
admits a leading Whitehall official. The e-envoy's office has started searching
for new ways to authenticate the users of e-services as existing technology
is "not working", a senior UK Government official revealed on 11
- Forget the password. Kablenet, 16 April 2004. "Staff in one area of the UK Home Office are using biometric technology instead of passwords to access their computers. A Home Office organisation that regulates the security industry is to use a biometric authentication system to enable offsite workers to gain access to their laptops and PCs..."
Last updated: 7 May 2010
- Authentication, digital signatures and PKI issues - Part 2 - Archive
- Archived resources regarding authentication issues, electronic/digital signatures and public key infrastructure which has relevance to government. This second part includes articles about authentication, digital signatures and PKI in the United States, as well as articles about e-authentication in the United States.
- Authentication, digital signatures and PKI issues - Part 3 - Archive
- Archived resources regarding authentication issues, electronic/digital signatures and public key infrastructure which has relevance to government. This third part includes articles about e-authentication and email authentication in the United States, user authentication issues as well as general articles and links.