European Workshop on Trust & Identity

In cooperation with GEANT

EIW 2013 Tue Session 2C

A) Linking STORK: Use Cases for high-assurance eIDs in existing federations

B) STORK - SAML Interoperability

There are EU eID pilots in several areas, like STORK for citizens, epSOS for eHealth, PEPPOL for e-Procurement, e-CODEX for e-Justice, and SPOCS for implementing the Services Directive.

The goal is to make national eIDs interoperable in Europe.

Current pilots are on remote registration for students in the Erasmus program; e-Banking, remote opening of branches of companies – this includes role management using mandates; and epSOS for eHealth services.

One aspect is QAA levels, roughly equivalent to LoA. Each country maps its local assurance levels onto them. ISA is in charge of updating the QAA specification.

Who pays for credentials? – in most countries. The gateways (PEPS) are usually

Where could eIDs be used?
- Could be used for everything, like procurement, if eIDs were available.
- FI – create corporate accounts
- Could it be used as a second factor? – Need to get in contact with the national authority – for STORK2 it is up to the government to decide which SPs can connect, as STORK2 is still a large-scale pilot
- Researchers have been criticizing the lack of higher assurance in existing higher education federations. In practice, researchers are running small closed systems instead of federations.

Two problems with life sciences: a) cost of enrolment; b) need for credentials outside NRENs.

Banks could become IdPs for STORK, if recognized by government. What does the business model look like?

Is it possible to use other IdPs?

Issues: many identifiers? How are they linked? In Austria there is a dedicated registry that links a foreign identity to an Austrian identifier on first use.

There are some other restrictions on identifiers: some may not be transmitted abroad, or are sector-specific. STORK uses virtual identifiers that are similar to SAML persistent IDs.
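The two identifier mechanisms mentioned above, a sector- or SP-specific pseudonym in place of a national identifier and a registry that links a foreign identifier to a local one on first use, can be illustrated in a few lines. The following is an added example, not STORK code or the Austrian registry implementation; it assumes a keyed HMAC as the pseudonym construction (STORK's actual derivation is not described in these notes), and the key, entity IDs and national identifiers are constructed values.

```python
import base64
import hashlib
import hmac
import itertools

# Constructed demo secret. A real gateway would keep this in an HSM or key
# store; the value below is a placeholder for illustration only.
DOMAIN_KEY = b"example-gateway-domain-key-not-for-production"

PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


def derive_pairwise_identifier(national_id: str, sp_entity_id: str,
                               key: bytes = DOMAIN_KEY) -> str:
    """Derive a stable, SP-specific pseudonym from a national identifier.

    Same (national_id, sp_entity_id) -> same pseudonym, so the SP can
    recognise a returning user. Different SPs get pseudonyms that cannot
    be correlated without the key, and the raw national identifier never
    leaves the gateway. This is the property a persistent NameID gives.
    """
    # Separator byte prevents ambiguity between the two concatenated fields.
    msg = sp_entity_id.encode("utf-8") + b"\x00" + national_id.encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_persistent_nameid(national_id: str, sp_entity_id: str,
                            issuer: str) -> dict:
    """Return the fields of a SAML 2.0 persistent NameID as a dict.

    NameQualifier is the issuing gateway, SPNameQualifier scopes the value
    to one relying party; together they tell the SP how to interpret it.
    """
    return {
        "Format": PERSISTENT_FORMAT,
        "NameQualifier": issuer,
        "SPNameQualifier": sp_entity_id,
        "value": derive_pairwise_identifier(national_id, sp_entity_id),
    }


class LinkRegistry:
    """Link foreign (issuer, pseudonym) pairs to a local identifier on first use.

    Hypothetical stand-in for a national linking registry: the first time a
    foreign identity is seen, a fresh local identifier is allocated; later
    visits resolve to the same local identifier.
    """

    def __init__(self) -> None:
        self._links: dict[tuple[str, str], str] = {}
        self._counter = itertools.count(1)

    def link(self, issuer: str, pseudonym: str) -> str:
        key = (issuer, pseudonym)
        if key not in self._links:
            # Allocate a local identifier that reveals nothing about the
            # foreign one (a serial number here; constructed format).
            self._links[key] = f"local-{next(self._counter):06d}"
        return self._links[key]

    def is_linked(self, issuer: str, pseudonym: str) -> bool:
        return (issuer, pseudonym) in self._links


if __name__ == "__main__":
    # Constructed national identifier and SP entity IDs.
    nid = "1234567890"
    gw = "https://peps.example-country/metadata"
    for sp in ("https://sp-a.example/metadata", "https://sp-b.example/metadata"):
        print(build_persistent_nameid(nid, sp, gw))
    reg = LinkRegistry()
    pseud = derive_pairwise_identifier(nid, "https://registry.example-other/metadata")
    print(reg.link(gw, pseud), reg.link(gw, pseud))
```

Running the script shows the same national identifier yielding two unrelated-looking pseudonyms for the two SPs, and the registry returning the same local identifier on the second lookup. The check a practitioner wants is the one encoded in the function: the national identifier itself must not appear in anything sent abroad.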

eduGAIN – started 5 years ago with SAML2int as the interop protocol/profile, using gateways for interoperability. It has since evolved into a system that uses SAML2int as the lingua franca everywhere, internally and externally.

Would it make sense to have multiple PEPS in one country? If the government does not want to take on the liability, the private sector could set up its own PEPS.

When will STORK go live? Projects are already in production, but issues like SLAs, liabilities, etc. are not solved yet. It would be possible to set up services in parallel and integrate them later; STORK is not inhibiting any private sector activities.

IdP discovery: the user selects the country providing the identity and is then redirected to that country's PEPS.

Does STORK encompass ECP? -> No; there is no support for non-browser clients. This will be addressed in other projects like FutureID.