MultiPKI Validation Platform for eID and eSignature Services (MPVP)

Published on: 24/07/2007

The Ministry of Public Administrations of Spain, in order to promote eGovernment and encourage the use of the new citizen´s Electronic Identity Card, has set up a MultiPKI Validation Platform (MPVP) that provides free Electronic Identity and Signature Services (eID Services) to eGovernment Applications. These eID services are applicable to all the qualified electronic certificates issued by all the Certification Service Providers accredited in Spain, included the two qualified certificates of the citizen´s eID card. The service is available to all eGovernment applications of the country that can benefit of incorporating eIDs and eSignature functions in their administrative procedures.

Policy Context

According to the Spanish law 59/2003 of electronic signature, any company set up as a Certification Service Provider (CSP) can issue electronic certificates, which complying with a series of requirements can identify electronically any individual over the internet. At the moment there are a multitude of companies and organisations set up as CSP and, consequently, multiple electronic qualified certificates. The progressive introduction of the national identity electronic document (DNIe) in the national territory required a change at the Government Services Provided by the Public Organisations to guarantee its acceptance as an authentication and eSignature mechanism for citizens. This multiplicity of certificates, and the lack of interoperability of the latter, forced in 2006 the Ministry of Public Administration (MAP), within its natural competence of promoting and encouraging the development of the Electronic Government, to develop a platform designed to check the electronic identity of a citizen/ business, independently of the type of certifcate that the latter uses in its electronic relations with the Public Administration. In this context, the MultiPKI validation platform named @firma has established a secure service to verify the state and validity of the qualified certificates used by citizens and companies in any eGov service, among them the ones of the national eID card. This service can validate and handle all the accredited Certification Service Providers in the country, and 99 types of qualified certificates (the vast majority of qualified certificates) from 12 Certification Service Providers and a foreign one (Portuguese eID Card). All transactions related to eDocument/forms signing and verification, citizens and business eID authentication, time stamping services, completion of electronic signatures in log-term formats, etc can be requested to the MPVP by any eGov administrative portal.

Description of target users and groups

The main users of the MPVP service are eGovernment applications and portals of the Spanish Public Administration (at state, regional and local level). These users can benefit of incorporating eIDs and eSignature in their administrative procedures by just connecting their systems to the MPVP services. Currently there are 67 public administrations using these services. Indirectly, end-users are the citizens that benefit of the possibility of using any qualified certificate available in the country to make any eGovenrment transaction (authentication, electronic signature) over the internet, as long as the eGovernment portals are using the MPVP services.

Description of the way to implement the initiative

The project is run and managed by the Ministry of Public Administrations of Spain. All the SW developments that are the basis of the services provided by the MPVP are subcontracted to Telvent Interactive, but the copyright is kept for all the Public Administration in the country. The original SW coding was carried out by the Regional Government of Andalusia, which later on freely released the SW codification to the Ministry of Public Administrations that took over the initial developments in order to develop and set up the MPVP. On the other hand, central and regional public administrations can actively participate in various groups that define the service roadmap, such as enhancements and new functionalities to be incorporated in the centralised service or, following a free software philosophy, get access to the software developments product behind the validation services if they wished to set up their own MPVP in their premises for their specific needs.

Technology solution

Open source technologies. The platform services have been defined as a Service Oriented Architecture (SOA) based on the following elements: - Web Services specifications based on WSDL, WS-Security (WSS) and WS-Interoperability (WS-I) Basic Profile v1.1 from OASIS. - Securization of the Web Services through the use of Binary Security Tokens following the WSS specification with XMLDsig and XADES as eSignature formats. - Establishment of secure communication channels between the participants through SSL protocol. - Validation of digital certificates following the OCSP protocol (RFC 2560) - Cryptographic and ciphering algorithms (symmetric and asymmetric cryptography) - Use of electronic certificates - Time Stamping Services (TSA) based on RFC 3161 - eSignature standards implemented in the Platform: CMS and Advanced and long-term eSignature formats such as: CADeS, XADeS - Future implementation of OASIS-DSS profiles for digital signature verification and Time-stamp protocols.

Technology choice: Mainly (or only) open standards

Main results, benefits and impacts

The MultiPKI Validation Platform is the first major centralised service aimed at providing free horizontal electronic services to all the public administrations of the country. This is really an exceptional case in Spain, where already 134 eGovernment services are actively using the validation system (37 public authorities from the central administration; 17 regional governments and more than 18 local governments). The MAP claims this project as one of the essential pieces for the already ongoing development of the eID and the electronic signature in Spain, and from which all eGov services are already experiencing the benefits, with no cost for them. Having in mind that by 2010 50% of the Spanish Public Procurement must be made by electronic means (eProcurement), that the eGov service suppresses the legal obligation for citizens to present paper photocopies for administrative transactions (already providing 100.000 transactions through the MPVP but expected to double in the next few months), and that 6 million citizens will already be in possession of the eID card, the number of transactions will increase dramatically in 2008, possibly up to 2/3 million transactions per month. The current ROI, having in mind the technical investment and the number of transactions performed by the service, shows the following balance: - Investment during 2006 + 2007: 3,5 mill € - Transactions already made: 3 million (end May 2007) - Expected figures: 8,2 million transactions expected by the end of the first year. - Cost per transaction at the moment: 0,43 €. This means a cost-effective service, much rational than a distributed structure with all public administrations having to develop and implement SW modules to handle eSignature creation/verification and certificate validations against all CSP in the country. A realistic assumption is to estimate a total cost of 3 € per traditional administrative transaction, having to move physically to the office (papercost, time spent by the civil servant, time spent by the citizen or business company…). Taking into account the cost of investment for developing each eGov service, it appears quite a large margin to assume that the ROI for the MPVP has already been met. With a population of 44 million, a 100% penetration of eIDs card in the medium term, only 20% of it making eGov transactions in the next few years (low profile assumption) and 5 transactions per year, the estimation adds up to 44 million transactions per year. As the system must also count with companies and civil servants making eGov transactions, the figure could increase up to 60 million transactions per year. With these estimated figures, the unitary cost per transaction will be reduced to 0,07 € per transaction, assuming also expenses of 4 million € per year as the service must improve to be able to handle the increased number of transactions.

Return on investment

Return on investment: €5,000,000-10,000,000

Track record of sharing

In order to create a European interoperable eID Management by 2010 allowing the mutual recognition of other country’s eID and eSignatures, the MPVP is a good case to extend to the rest of Europe as a proxy or centralised national eID verification service. Other countries could also create a common and centralised eID and eSignatures service for their own eGovernment applications existing within their borders in a rational and cost effective way. Also, the existence of a national eID Service in each country would help to create a European eID Management scheme where each nation would offer and exchange eID and eSignature verification services of their nationals living abroad through the interconnection of the various national front-end services, helping to create and deploy pan European eGovernment services and also the free movement of citizens and companies.

Lessons learnt

Lesson 1 - The MPVP has already being pointed out by the EU Commission in the context of the IDABC Preliminary study on Mutual Recognition of eSignatures for eGovernment Applications across Europe, as a very good example of efficient validation for eSignature: “The limited number of supported CSPs is a major barrier to interoperability. If every application would have to support all European established CSPs, the situation will quickly become unmanageable. A very good example of efficient validation has been set-up in Spain. The way how Spain has solved the validation problems would certainly be a good practice to take into account at the European level”.

Lesson 2 - This centralised building up approach to create a common service providing eID and eSignature features to eGovernment applications has been proved to be a rational and cost effective approach and a key enabler for the eID in Spain. It has unburden eGovernment applications of the hard tasks of developing SW modules to deal with the creation/verification of the eSignature, the handling of crypto libraries, CRL and OCSP protocols for the verification of digital certificates or the need of physical network connection to all Certification Service Providers of the country.

Scope: National