mySuisseID experience » | mySuisseID experience know who you're dealing with... | savoir à qui on a affaire... | wissen mit wem mann zu tun hat...2011-03-07T15:51:50Z http://mysuisseid.net/blog/feed/WordPress Tito Espinoza <![CDATA[Plan your SuisseID implementation carefully]]> http://mysuisseid.net/blog/?p=175 2011-02-21T21:15:11Z 2011-02-19T09:35:16Z

mySuisseID experience - know who you're dealing with... | savoir à qui on a affaire... | wissen mit wem mann zu tun hat...

Success factors for the implementation of SuisseID in an existing environment

Plan your SuisseID implementation carefully

]]> mySuisseID experience - know who you're dealing with... | savoir à qui on a affaire... | wissen mit wem mann zu tun hat...

The implementation of SuisseID in your existing infrastructure is not just a technical challenge. It may also require thorough analysis and re-definition of your identity management and authentication processes. It’s an objective that calls for carefull reflection and thinking.  It can be vital to overcome the psychological barrier of accepting a third party like “La Poste”, “Swisscom” or “QuoVadis” to take the role of trusted supplier;  any such change is worthy to be addressed from the outset in order to avoid any misunderstanding.

“The implementation of SuisseID in your infrastructure is not just a technical challenge. The fundamental changes are worthy to be addressed from the outset in order to avoid any misunderstanding!”

Process

The pivot of the SuisseID process is the proper identification and authentification of the “to-be” holder of the certificate by a Certificate Authority (CA).

SuisseID - Card with chip

In the case of the Swiss Post (“La Poste”) the CA is their daughter company SwissSign. They rely on two elements to be able to issue a certificate.

One the one hand is the employee at your local post office that checks the presented ID for validity, verifies the match with the person in front (photo) and makes a copy  thus certifying the authenticity (and therefore trustworthiness) of the copy. This service is know as their “yellow ID” product.  Other parties that can certify authenticity of a proof of identity are notaries or local councils. Alternatively you can have one or several employees trained and certified for this role within your organisation (ID @ Office, point 3.2.2.3 (only available in German). Once this identification has been carried out, the user’s documentation will allow them to submit their forms and apply for a SuisseID.

One the other hand we see the SwissSign employee that receives and treats each request in combination with the authenticated ID copy.  A subset of the personal data from the identification document (e.g. a passport) is stored in the identity provider service (IDP) operated by the Certificate Authority. The only way to retrieve that data is by strong authentication with the IDP using the appropriate SuisseID authentication certificate; They make sure that only trusted (i.e. attributes that are present on the ID) are registered as attributes of the client. In the end a client receives a card with a chip and a (USB or external) card reader.

With the SuisseID standard this chip contains two certificates; one certificate for the purpose of authentication and one certificate for the use signing electronically. Both certificates only contain the bare minimum of personal information on the chip, but all  information that is available through the IDP will be based strictly on the information from the Passport or Identity card.

“SuisseID for your access management is like integrating an electronic passport in your authentification processes.”

Implementation of SuisseID in your corporate environment is like integrating an electronic passport in your authentication procedure. This passport is issued and guaranteed by a third party who can vouch for the validity of the information contained therein. Hence the importance of accepting this third party as a trusted body.

In the case of “La Poste” the yellow identification with its certified copy lies at the heart of the trusted third party principle, by which many different atributes like names, surname and date of birth are validated and integrated into the database of the SuisseID IDP.

Some more about technical principles

From a technical standpoint, the implementation of SuisseID in the company infrastructure uses the application programming interfaces (APIs) by which it is possible to connect programmatically. These APIs are documented, and architects can specify the requests needed to be made to the Identity Providers (IDP), in order to technically implement the SuisseID in the identity management and authentication mechanisms of the company.

But although technical aspects define constraints and a framework within which identity management and authentication must take place, the level of usability should be prioritized. Particularly in the context of a company having its own identity repository (eg. centralized directory), it will be necessary to define the levels of integration between the existing identities repository and the external IDPs, to specify access to various IT-resources or programs as linked to each identity.

This is why in the analysis phase it is important to anticipate on some of the following processes:

  • Set the necessary attributes of your digital identity – the SuisseID proposes 15 attributes as a “standard” set.
  • Define the process for the creation of an identity with SuisseID.
  • If you have existing electronic identities, it might be worthwhile to define the process of linking the existing authentication with the SuisseID authentication. This is the case of a company that already offers online services and has defined its own identity management processes.
  • In the case of SuisseID connection with existing identities, it might also be worth to define a process for unlinking a SuisseID authentication in order to allow authentication mechanisms as initially implemented without SuisseID.
  • Define the various user authentication mechanisms to access online services: uniquely SuisseID or maintain multiple mechanisms – as SuisseID is currently not yet sufficiently widespread, the company might focus instead on maintaining several authentication mechanisms.
  • Establish a process for releasing the SuisseID – it is possible to use the process defined by the IDP.
  • Define an identity process and association rules in relation to existing business repositories.
  • Manage the exceptions to identities association rules.

As can be seen from the not exhaustive list of processes above, the analysis will require a great deal of attention, especially since SuisseID is still a young solution providing significant potential for organizational simplification. It does also still leaves open many questions without clear answers from the IDP;  it allows room for interpretation and provides options for each implementator to create its own solution related to its own needs.

Liked this post? Subscribe to our RSS feed and get loads more!

Plan your SuisseID implementation carefully

]]> 0 Jan-Paul Theunissen <![CDATA[SuisseID, one step at a time]]> http://mysuisseid.net/blog/?p=10 2011-03-07T15:49:45Z 2011-02-03T22:13:12Z

mySuisseID experience - know who you're dealing with... | savoir à qui on a affaire... | wissen mit wem mann zu tun hat...

In this article we discuss how SuisseID can help using a standard authentification process over the Internet for bespoke needs. The common attributes as well as organisation specific attributes are discussed and an idea is launched for using SuisseID in a medical process.

SuisseID, one step at a time

]]> mySuisseID experience - know who you're dealing with... | savoir à qui on a affaire... | wissen mit wem mann zu tun hat...

A journey of a thousand miles begins with a single step. SuisseID – the recently defined Swiss standard for electronic identities could well be amongst one of the first steps on the long journey to make the Internet a place where one can “wheel and deal” in confidence and safety.

By integrating SuisseID as a means of authentication it’s now quite easily possible for any online service to establish a relationship based on trusted and guaranteed customer attributes. If the customer so agrees of course, that is! No longer is it necessary to develop, use or upkeep a bespoke identification process.

SuisseID - USB Reader from Swiss Post

Personal data available on the fly

With 15 personal attributes available on the fly (see Table-1) from which 5 another can be deducted (see Table-2) Internet users who have and use a SuisseID can just as easily order a new mobile phone subscription (currently requires a visit to the shop for identification and proof of address) or a bunch of flowers on account (granted, if the flowershop allows). That’s all in all a great first step!

In a recent project for a government body we were able to reduce the complexity of an existing authentication and enrollment process drastically by completely eliminating registered letters as part of the process. Not only did this greatly improve the through-time and user-friendliness for the customer, at the same time it increased conversion and reduced our clients’ costs. But what to do if in a next step would one requires information that’s simply not provided by this “standard”?

An example; prescription medication

When my wife recently came back with a doctor’s prescription I was wondering how it’s possible that in today’s day and age pharmacies are still allowed to hand out prescription medication on the basis of a piece of paper with some print, poor handwriting and a signature. How do they know if a doctor is really a doctor -with a degree and all- and not some charlatan? How can they be sure the patient didn’t slip in another drug? If the first issue could be dealt with by the use of some (electronic) directory, I am not equally convinced if the second issue can be dealt with at all. The question has remained unanswered so far but I’d be interested if anyone here can give me his opinion and feedback.

Linking back to the story of electronic identity, in a scenario such as with the prescription, SuisseID could provide an answer and next step. Imagine that the association of medics in Switzerland were to decide to make their paper subscription notebook “abuse-proof”. In that case an improved and paperless process is easy to imagine.

Let’s first assume that each doctor is registered by the association. Secondly that this same association is willing to maintain this registry in an electronic (yet secured) format that is accessible with the SuisseID standard. In this form such a registry could be considered a Claim Assertion Service [CAS info only available in FR | DE | IT].

Now whenever a patient requires prescription medication, the doctor creates an entry for this order in a central database. To get access to this database she needs to authentificate herself. Using her SuisseID and the Association’s Claim Assertion Infrastructure this acces is granted thus acknowledging that she is registered as a doctor with them. The medication is added to a record with a unique ID number (order number) which is printed and given to the patient. The patient can now go to the pharmacy with this number where they retrieve the corresponding line items and prepare the order. When the transaction is finished this information is automatically passed on to the insurance company of the patient to make sure the payment is processed.

Who dares…?

Clearly there are many other possibilities to use the Claim Assertion Service [CAS info only available in FR | DE | IT]. The question really is which organisations, companies and other bodies are interested to join us on our thousand mile journey. Whatever your journey is, we’d like to hear from you.

Appendix

Friendly NameDescription
Given namesGiven names
First NamePreferred name or first name of a Subject.
Every IdP/CAS MUST use the first name appearing in givenNames for this purpose.
Last NameSurname, Family name
Date of BirthIf the date is only partially known, this attribute MUST NOT be returned.
Date of BirthMay be returned in any ofthe following formats:YYYY or YYYY-MM orYYYY-MM-DD
Place of BirthPlace of birth according to an official identification document.
This attribute is not applicable for a Swiss citizen.
OriginPlace of origin according to Swiss ID card or passport.
Not applicable for foreigners.
Gender0:unspecified 1:male 2: female
NationalityISO 3166-1 alpha-3 codes with modifications
(use 000 for stateless persons, use RKS for Kosovars)
Identification NumberNumber of the identification document, limited to 9 characters, in accordance to
the machine readable zone MRZ as defined in [22] (trailing filler characters must be removed).
Identification Kind0: Passport 1: ID 2: Stateless
Issuing CountryIssuing country for the identification document (see Nationality except for 000)
Issuing OfficeIssuing Office
Identification Issued OnIssuance date of the identification document
Identification Valid UntilValid-through date of the identification document

Table-1: SuisseID Plain Core Assertion Attributes (source:  SuisseID Specification – page 30)

Friendly NameDerived fromType
Age (derived)xs:unsignedInt
Over 16 year (derived)(return true, iff Age >= 16)xs:boolean
Over 18 year (derived)(return true, iff Age >= 18)xs:boolean
Is mature (derived)(return true, iff Age >= 18)
0 = False
1 = True
2 = Unknown		xs:token
Is Swiss Citizen (derived)(return true, iff nationality == “CHE”)xs:boolean

Table-2: SuisseID Derived Core Assertion Attributes (source:  SuisseID Specification – page 36)

Liked this post? Subscribe to my RSS feed and get loads more!

SuisseID, one step at a time

]]> 0