Classification of assurance levels
Filling in the open norm for electronic communication
Mariette Lokin | Logius | April 2011
Agenda
• Growth of e-services
• Open norms in Dutch legislation
• Means for authentication
• The STORK framework
• Joining these together: a classification scheme for assurance levels
Growth of e-services … development in legislation
Electronic signatures Act
Electronic communication Act
Legislation
• Open norm: sufficiently reliable
• Electronic communication Act
- Communication should be sufficiently reliable
- Similar guarantees as in ‘paper’ communication
- Electronic communication does not require a higher reliability than conventional communication
• Electronic signatures Act
- An electronic signature has the same legal status as a written signature if the method used is ‘sufficiently reliable’, in view of its goal and the circumstances in which it is used
Means for authentication
• Several national solutions for identification/authentication/authorisation: DigiD, DigiD Machtigen, PKI.overheid, eHerkenning
• First steps towards European standardisation of assurance levels: STORK
Assurance levels STORK
[Diagram: the STORK assurance levels (Minimal, Limited, Reasonable, High) shown for both the supply of e-services and the supply of means, set against a required reliability scale running from None to Maximal, with ‘sufficient as in open norm’ marked as the threshold; a question mark marks the open question of how the two sides are matched.]
Filling in the open norm
• A risk approach?
• Government organisations are not unique: standard decision processes for permits, grants, taxes etc. Thus: defining ‘families of services’
- requesting information
- submitting an application
- tax filing
- accounting
• The mirror image of risks: criteria and interests
- specific legal requirements
- volition
- personal data involved (Data protection Act)
- individual economic interest
- public interest (collective economic interest, violation of law)
Filling in the open norm (2)
• Interests and criteria elaborated in all possible aspects that can occur in services
• Risk increasing and decreasing circumstances
• Validated and refined by real life cases of participating agencies
• Result: a Menu (default classification of the required assurance level per category of services) and a Cookbook with recipes (for accounting (audits) or in case of motivated divergence)
• Agencies implement in their own organisation and processes
Discussion
• What kind of approach for classification of assurance levels is used in EU-member states?
• Does this approach sound feasible?
• Possibilities for standardisation or cooperation?