Imagine you get a Swiss electronic identity. What should it look like?
Fedpol asked the Swiss edu-ID team to comment on their concept of a federal eID.
A starting point
In Sweden more than 50% of citizens already have an eID – an identity originally issued by the private sector (such as banks) and developed further towards a standardised identity assertion and a more federated approach. Meanwhile, in Switzerland the foundation for a federal electronic identity will now be laid by presenting an eID concept to the Federal Council and then by starting the process to implement it in law.
As e-identities are widely used in Switzerland and are issued by several organisations (SuisseID, MobileID, Swiss edu-ID etc.), in May 2015 the Federal Office of Police (fedpol) started a consultation about the proposed eID concept. SWITCH submitted its statement as one of a group of 68 companies and institutions with expertise in Identity Management. The interpretation of the answers and the conclusions are now available.
Illuminating the Swiss eID landscape
We see many similarities between the two initiatives, although they serve different contexts. This implies that e-identity projects could learn from each other, and that it could be a good idea for Swiss edu-ID to keep a close eye on such recommendations for the benefit of our users.
The consultation process fedpol chose helps to illuminate the e-identity landscape in Switzerland, to initiate interaction between different players and to better position different products and projects.
It remains to be seen how the concept of a federal eID will be further developed after this consultation phase. SWITCH is ready to contribute further to the elaboration of a comprehensive solution.
eID and Swiss edu-ID
The following are some of the concepts and measures that have been proposed to improve the federal eID. How those points are handled within Swiss edu-ID, and the similarities and differences between the eID approaches, are explained below:
|Topic||Federal eID (consultation feedback)||Swiss edu-ID|
|Target audience||Aimed at Swiss citizens, and potentially also for the foreign resident population||is additionally available for people around the world who are linked to or collaborating with Swiss Higher Education institutions, e.g. members of international research projects|
|Application process||High barrier to application as physical presence in a governmental office is required. Possible simplification by introducing three quality levels for identities with an online delivery of the low-level identity||tries to keep barriers for the user as low as possible with a self-registration process, and has already implemented quality statements on attribute level. Currently 4 levels are available to allow high flexibility. It is also possible to extend this by the creation of general statements about the quality of an identity, if services need it and if they are able to interpret such quality information.|
|Business model||Registration fees and IdP costs should be paid by the user. Higher acceptance may be attained if users have to pay only for obtained services (“pay per use”) and if federal administration accepts the eID on their web portals||business model is not finalised yet but important principles are mentioned in the Business Model Working Group Report. One of them is to not charge the user for basic identity management since the main beneficiaries of this service are Higher Education Institutions and their partners. Therefore a cost-sharing model has to be developed.|
|Distribution of functions||Acceptance of eID has to be provided by established providers and an attribute service with personal ID accounts should be provided by the federation.||architecture includes distribution of functions between the central IdP and local Attribute Providers. It’s not clear if SWITCH may become one of the licenced eID providers, but the eID could help to increase the quality of Swiss edu-ID attributes or complement it with an additional “strong” identifier (restricted use of AHVN13).|
|Additional functions and trust services||Respondents propose the federal eID should have a connection to qualified electronic signatures, encryption and secure transaction services etc.||is currently not designed for such purposes and there are no concrete use cases available so far. Nevertheless such connections may be of interest in the future.|
|Identifiers for legal entities and “things”||Some respondents see non-human entities such as organisations or “things” in the sense of the “Internet of Things” as additional target groups.||is designed as an identifier and service for individuals with a focus on the academic environment. There’s currently no use case for such extensions in our context. A relation between individuals and things such as computers and other equipment may be added in the future, but rather in the form of linked identities.|
|Benefit||Respondents note that users may not see an obvious benefit and this could be an obstacle. Launching services that will use eID in advance or regulatory requirements for the use of eID in certain contexts could resolve this.||can create immediate benefit for some services – especially those profiting from self-registration and requiring basic/simple identities. Nevertheless further development and adaptations are planned to cover also other (higher) requirements to fulfill the expectations and create sufficient benefit for all institutions.|
|Risks||A deeper risk evaluation could be necessary since security is an important requirement for high quality identities and trust services.||security is an important issue since a central IdP increases some risks, and manipulation or theft of identities and attacks on services grow worldwide. Good governance, a clear, well specified security concept and audits will help to overcome these challenges.|
|Interoperability & Standards||Orientation to international standards and interoperability with other eID systems is seen as very important.||is based on international standards and focuses on interoperability with widely used e-identities (such as social identities), and identities and services used in research and education.|
|Legal Base||Several respondents asked for clarification and coordination of legal aspects.||has to clarify the legal situation for partners and users. The Regulations Working Group has discussed legal questions and the advice of data protection commissioners was obtained.|
|Roadmap||A tighter project plan could prevent the development of independent, non-interoperable solutions by market actors.||was also recommended to speed up because some institutions are ready to go ahead and parallel operation of SWITCHaai and Swiss edu-ID increases costs. Nevertheless the development is highly related to use cases and can’t be pushed without institutional contributions. A core part is the implementation at institutions. To support that it is intended to submit a cooperation project in August 2016.|
|Communication||Some respondents propose a comprehensive marketing and communication strategy.||needs broad communication measures since new stakeholder groups have to be addressed and success is highly dependent on acceptance of institutions and users. The Swiss edu-ID team supports this and we use this blog to inform the community regularly about project progress and related topics.|
Read more about the consultation.