Digitalization is something that affects us all, mostly in positive ways. Usually digitalization means that transactions we make in our daily lives can be, and in a majority of cases are, done over the Internet, using computers or mobile devices. In a digital society many services are offered over the Internet, such as government services, banking, stock trading and, in some cases, even voting, although voting is probably not for everyone yet and may not be for decades to come.
Digitalizing government services and banking frees up time and travel and makes the system more efficient. Everything you can imagine, from starting a business, applying for permits, tax reporting, unemployment reporting, health care, payments, opening bank accounts and applying for loans, can be done digitally from any location you happen to be at.
Digitalization is not without dangers; nothing is. Making things conveniently available over the Internet means that they are also conveniently available to criminals. Phishing and fraud to steal money are common issues, and being able to obtain an ID on-line in someone else’s name can cause a lot of trouble for the victim. Large-scale fraud attempts against citizens are now possible from anywhere in the world, which also makes it harder to catch criminals and to recover stolen funds, for example.
With this in mind, a solid security infrastructure is needed to be able to offer these services over the Internet. There are lots of practical lessons to learn from various countries that have implemented the digital society in different ways.
EU and eIDAS
The EU is currently at the forefront of digitalization, to a large extent driven by the eIDAS legislation, high Internet penetration and high costs. The high cost structure in the EU makes it ripe for cost savings and increased efficiency at large. Some countries, like Estonia and Sweden, have pushed it very far, while some are a bit slower, but the trend is moving fast everywhere.
Most transactions within the EU are still local to each country, and some transactions are only relevant locally, but the goal is to make the EU a more open and efficient common market. This is largely expected to be achieved through a goal called the Digital Single Market.
Since the EU consists, to a large extent, of independent states, this is achieved through EU-wide legislation, eIDAS, which each member state must implement and abide by. Some effects of the eIDAS legislation are that it is harder to make local rules that hinder competition from other countries, that business transactions become cheaper and more efficient between member states, and that citizens have the efficient processes they need in their daily lives even when they live abroad from their home country.
To support digitalization in a secure way, eIDAS defines the Trust Services needed.
Trust Services PKI Infrastructure
eIDAS defines providers of the needed trust services as Trust Service Providers, TSPs for short. TSPs are regulated by the government, but not controlled by the government, so there is a competitive market for TSPs. A typical TSP offers PKI security services, which are not new in themselves: issuance of digital certificates, time stamp services and document signatures. An example PKI infrastructure for TSPs is shown in figure 1.
Of course, it is not sufficient only to build technical infrastructures. It is also important that legislation supports the trust services and digitalization efficiently, securely and without barriers.
Reusing the Trust Services Infrastructure
An important aspect of building up a trust service infrastructure is that once it is built up, which is time consuming and costly, it can be re-used for new purposes. By building new services step by step on the established, robust trust services, digitalization can progress at an increasing pace. One example of this is how the new payment services directive, PSD2, in the EU reuses the eIDAS trust service PKI infrastructure to open up banking to be more efficient with fewer lock-in effects.
For any large-scale initiative to gain widespread traction, using open standards is imperative. Different actors must be able to provide implementations and services on the same conditions, avoiding lock-in effects and costly proprietary solutions.
For trust services this is achieved by using open security standards such as X.509 certificates, RFC 3160 time stamps, and SAML or a similar standard for authentication and information exchange. Participation in defining and using these standards should be open to all parties who can contribute. This can form a healthy ecosystem with participants from all parts of society, which is needed to fulfill the vision of a digital society. Luckily there is no lack of open standards in the area of PKI.
Long Term Vision
A thriving ecosystem is not created overnight. Often you run into the chicken-and-egg dilemma: before enough attractive services are available on-line there are no users, and it is not attractive for services to invest in going on-line until there are enough users. Some recommendations are:
- Keep a long-term vision, don’t give up
- Build a reusable infrastructure, PKI can be used for many purposes
- Encourage open ecosystems, let innovation thrive
- Use open standards, avoid vendor lock-in
- Focus on user benefit, citizens will not be forced into something that doesn’t make sense
- Adapt to local circumstances, not everything can be copied (but a lot can be)
- Adapt legislation to the digital world
Let innovation thrive with secure digital services in all aspects of users’ lives.
Disclaimer: This article has been published in SecureMAG Volume 11, 2019