Some days ago I attended a Europe-wide seminar on e-ID, organised by eema. I was surprised by the number of attendees; most of the people actually came from government institutions: cities, countries, regions, the European Commission. Not that many actually came from software or hardware vendors or security advisors, people I expected to see more of at this kind of event, especially with all the attention in the IT market around electronic identity management.
There was a series of countries presenting their vision on the e-ID: Estonia, Belgium, Austria, Poland... Some with completed deployments, some with upcoming logistical challenges. Europe did its part of the sessions. This is an audience which was reasonably quiet the whole day, but suddenly I could hear some criticism of the complex programs the EC proposed regarding European e-ID interoperability and standardisation.
What is new? Why the buzz around e-ID? Electronic authentication has been around for a while now; in Belgium we have the SIS card, which authenticates us as a socially insured person. But this was deployed in 1998, nine years ago! What has changed? Actually very little. True, e-ID is getting deployed in some countries, and others are thinking about it, but everybody, even the most mature e-ID countries like Estonia, is screaming for the Killer Application. “We need the killer app!”, “Give us the killer app!”…
Application? What do you mean? Have we not learned over the last years that once we have new capabilities, like e-ID, we should not frame them into one application? Electronic identity management is a service, it is not an application. It is a common component offering its core functionality, electronic authentication and potentially authorisation, to other services which might have a more business face: tax declaration, online banking, online voting, ... Isn’t the perceived failure of e-ID projects due to this error we make? How many authentication mechanisms do we own, each of us? As a Belgian citizen I have 3: my e-ID, my digitalised passport and my SIS card. Next to that I have dozens of cards, tokens, and passwords to authenticate myself. Getting rid of all tokens but one is not achievable, so we need something else: a federated identity service. There have been some initiatives in the past, like the Liberty Alliance, which had very ambitious goals which were spot on, but then did not happen; let us hope that will evolve anyway.
e-ID as a service has huge potential. We have most of the technical components, like SAML, XACML, ..., to send around authentication and authorisation assertions and policies based on physical tokens like a citizen e-ID. But we need to make sure to apply it in a correct way: loose coupling between the identity system and the service enablement layer is one requirement, propagation of identity across different layers is a second one. But that is material for a future post.