@firma- National Validation Authority for eID and eSignature Services (@firma)

Published on: 04/05/2009
Document

@firma is a multiple PKI Validation Authority offering validation services for qualified certificates and also verification of digital signatures to third relying parties, mainly eGOV applications.

The Ministry of Presidency of Spain (part of the competences recently transferred from the former Ministry of Public Administrations), in order to promote eGovernment and encourage the use of the new citizen's Electronic Identity Card, launched in 2006 the multiple PKI Validation Platform @firma that provides free Electronic Identity and eSignature Services to eGovernment applications of Spain. @firma is based on a software development originally made by the Regional Government of Andalusia to set-up its own Validation Authority. In fact, in 2005 the Regional Government of Andalusia signed a bilateral agreement with the Ministry of Public Administration of Spain in which the latter was given the licence rights to modify, adapt and further develop the SW developments initially carried out by the Regional Government of Andalusia. As a consequence of this agreement, all the SW developments behind the Central VA @firma are property of any Public Administrations of the country, following a similar model to the EUPL software licence.

Policy Context

According to the Spanish law 59/2003 of electronic signature, any company established as a Certification Service Provider (CSP) can issue electronic certificates. PKI certificates allow for the electronic identification of any individual over the internet. In Spain at the moment there are several companies and organisations established as a CSP and, as a consequence, multiple electronic qualified certificates available for citizens and business. The progressive roll-out of the national identity electronic document (DNIe) in the national territory required some adaptations to the government services in order to incorporate the national eID card as an authentication and eSignature mechanism for citizens. Due to this variety of certificates, and the lack of interoperability of electronic signatures, the Ministry of Public Administration (MAP) decided in 2006, as a part of its role of promoting and encouraging the development of the Electronic Government, to develop a platform designed to check the electronic identity of a citizen or a business, regardless of the type of certifcate that the latter use in their electronic relations with the Public Administration. In this context, the MultiPKI validation platform named @firma has established a secure service to verify the status and validity of the qualified certificates used by citizens and companies at any eGov service, and among them the ones of the national eID card. This service can validate and handle all the accredited Certification Service Providers in the country and 96 types of qualified certificates (the vast majority of qualified certificates) from 12 Certification Service Providers. All transactions related to eDocument and forms signing and verification, citizens and business eID authentication, time stamping services, completion of electronic signatures in log-term formats, etc can be requested to @firma by any eGov service.

Description of target users and groups

The main users of @firma services are eGovernment applications and portals of the Spanish Public Administration (at statal, regional and local level). These users can benefit of incorporating eIDs and eSignature in their administrative procedures by just connecting their systems to the @firma services. Currently there are 67 public administrations using these services. Indirectly, the end-users are the citizens that benefit of the possibility of using any qualified certificate available in the country to make any eGovenrment transaction (authentication, electronic signature) over the internet, as long as the eGovernment portals are using @firma services.

Further to this, the recent law on eGOV dated 2007 (Ley 11/2007) for the Electronic Access to Public Services by the citizens, establishes the obligation of the Ministry of Presidency (former Ministry of Public Administration) to put at disposal of all eGOV services in the country, a set of common infrastructures and services, such as a Central Validation Authority, as part of the national strategy for eGOV to make all Public Services available to citizens over the internet by the end of 2009, at least in the field of the central government.

Description of the way to implement the initiative

The project is currently ran and managed by the Ministry of Presidency of Spain. All the SW developments that are the basis of the services provided by @firma are subcontracted to a private partner, but the copyright is kept for all the Public Administration in the country. The original SW coding was carried out by the Regional Government of Andalusia, which later on freely released the SW codification to the Ministry of Public Administrations that took over the initial developments in order to develop and set up @firma. On the other hand, central and regional public administrations can actively participate in various groups that define the service roadmap, such as enhancements and new functionalities to be incorporated in the centralised service or, following a free software philosophy, get access to the software developments product behind the validation services if they wish to set up their own @firma in their premises for their specific needs.

Technology solution

Open source technologies are used. The platform services have been defined as a Service Oriented Architecture (SOA) based on the following elements:

  • Web Services specifications based on WSDL, WS-Security (WSS) and WS-Interoperability (WS-I) Basic Profile v1.1 from OASIS.
  • Securization of the Web Services through the use of Binary Security Tokens following the WSS specification with XMLDsig and XADES as eSignature formats.
  • Establishment of secure communication channels between the participants through SSL protocol.
  • Validation of digital certificates following the OCSP protocol (RFC 2560)
  • Cryptographic and ciphering algorithms (symmetric and asymmetric cryptography).
  • Use of electronic certificates.
  • Time Stamping Services (TSA) based on RFC 3161.
  • eSignature standards implemented in the Platform: CMS and Advanced and long-term eSignature formats such as: CADeS, XADeS.
  • OASIS-DSS profiles for digita signature verification and Time-stamp protocols.

@firma supports the verification of digital signatures and validation of accompanying signing certificates. Multiple signatures are also supported: independent signatures or co-sign signatures and also countersignatures are handled; enveloping,enveloped and detached signatures are supported.

For Time Stamping Services (TSA), there is also the option of a basic RFC 3161 client to make requests instead of building the OASSI DSS-based web-service.

The VA supports signatures based on a hash value of the signed document(s) or files,or signed documents with embedded signatures for the following formats:

  • PKCS#7, CMS, CADES-BES, -T, -C, -X, -XL, -A following ETSI TS 101 733 version 1.7.4 (2008-07); multiple signatures are supported.
  • XMLDsig, XADES-BES, -T, -EPES, -C, -X, -XL, -A following ETSI TS 101 903 versions 1.1.1, 1.2.2 (only verification but not creation) and 1.3.2 (2006-03); for all formats enveloped, enveloping, detached and multiple signatures are supported.
  • PDF and ODF signatures.
Technology choice: Mainly (or only) open standards

Main results, benefits and impacts

@firma is the first major centralised service aimed at providing free horizontal electronic services to all the public administrations of the country. This is really an exceptional case in Spain,where already 300 eGovernment services are actively using the validation system(62 public authorities from the central administration, 12 regional governments and 27 local governments). The Ministry of Presidency of Spain acknowledges this project as one of the essential pieces for the uptake of eID and electronic signatures in Spain, and from which all eGov services are already experiencing the benefits, with no cost for them. Having in mind on one hand that by 2010 50% of the Spanish Public Procurement must be made by electronic means (eProcurement) with digital certificates, and that on the other hand that there is an eGov service removing the legal obligation for citizens to present paper photocopies for administrative transactions already providing 200 000 transactions through @firma, and furthermore, that 16 million citizens will be already in possession of the eID card, the number of transactions of @firma in 2010 could increase even further from the current figure of 1.2 million transactions per month,helping to achieve an earlier than expected ROI.

Return on investment

Return on investment: €5,000,000-10,000,000

Track record of sharing

In order to create a European interoperable eID Management by 2010 allowing the mutual recognition of other countrys eID and eSignatures, @firma is a good case to extend to the rest of Europe as a proxy or centralised national eID verification service. Other countries could also create a common and centralised eID and eSignatures service for their own eGovernment applications existing within their borders in a rational and cost effective way. Also, the existence of a national eID Service in each country would help to create a European eID Management scheme where each nation would offer and exchange eID and eSignature verification services of their nationals living abroad through the interconnection of the various national front-end services, helping to create and deploy pan European eGovernment services and also the free movement of citizens and companies.

In addition to this, @firma is in the process of supporting other MS CA´s such as the Portuguese eID card. In the short and medium term @firma will have to incorporate all the foreign qualified CAs included in the MS TSL as part of the obligation derived of the transposition of the Services Directive, in addition to the CAs to be incorporated in the Stork project for a large scale pilot on eID. This approach would change if there were a central VA in Europe in charge of cross-border validation services or the possibility that other Member States also established a national VA to which make requests and referral cross-border validations.

Lessons learnt

We believe that @firma experience in Spain can be translated to the European Level.

In order to create a European interoperable eID and signature framework enabling the mutual recognition of other countrys eID and eSignatures, @firma is a good case to extend to the rest of Europe by either:

  • Launching a PanEuropean proxy or centralised eID/ signature verification service of all qualified certificates available in Europe operated by a supranational organization and at disposal of MS eGOV services or,
  • creating a federation of @firmas following the Spanish federated model where each MS operates an instance of @firma and therefore provides the validation services of the qualified certificates included in its own national domain to other MS. This solution would be a kind of cluster of interconnected national VAs that provide cross-border validation Services from a MS to another.

Lesson 1 - @firma has already being pointed out by the EU Commission in the context of the IDABC Preliminary study on Mutual Recognition of eSignatures for eGovernment Applications across Europe, as a very good example of efficient validation for eSignature: "The limited number of supported CSPs is a major barrier to interoperability. If every application would have to support all European established CSPs, the situation will quickly become unmanageable. A very good example of efficient validation has been set-up in Spain.The way how Spain has solved the validation problematic would certainly be a good practice to take into account at the European level".

Lesson 2 - This centralised building up approach to create a common service providing eID and eSignature features to eGovernment applications has been proved to be a rational and cost effective approach and a key enabler for the eID in Spain. It has unburden eGovernment applications of the hard tasks of developing SW modules to deal with the creation/ verification of the eSignature, the handling of crypto libraries, CRL and OCSP protocols for the verification of digital certificates or the need of physical network connection to all Certification Service Providers of the country.

Scope: National