20160201 - Meeting minutes, Monday 1rst February 2016 - OpenNCP Task Force - eID.

Owned by michele.foucart
Last updated: Feb 02, 2016
4 min read

eID task force meeting.

 

Estimated: 16:00 to 17:00 CET.

Performed:  to CET.

Agenda:

  1. Obtain an accurate situation point on the current status of e-SENS eID BB integration on the OpenNCP V2.4.0;

  2. Propose a plan for next activities regarding e-SENS eID BB integration on the OpenNCP (without being limited by March 2016 - end of e-SENS, if not extended);

  3. [Post Pone to next meeting] Discussion on regarding the eID and CEF articulation. CEF eID DSI, CEF eHealth DSI (not time sensitive)
  4. Next Steps

Location:

  • AdobeConnect:

http://ec-wacs.adobeconnect.com/openncp/
Room Passcode:  Ask if necessary michele.foucart or markus.kalio
------------------------------------------------------------------------------------------------
If you have never attended an Adobe Connect meeting before:
Test your connection: http://ec-wacs.adobeconnect.com/common/help/en/support/meeting_test.htm
Get a quick overview: http://www.adobe.com/products/adobeconnect.html
Adobe, the Adobe logo, Acrobat and Adobe Connect are either registered trademarks or trademarks of Adobe Systems Incorporated in the United States and/or other countries.
------------------------------------------------------------------------------------------------

Licinio Kustra Mano

Natasha Carl

michele.foucart

@ Alice

@ Sebastiaan van der Peijl

Massimiliano Masi

Soeren Bittins

Joao Cunha

Alexandre Santos

Meeting Notes:

0. Housekeeping:

  • Alice (DG DIGIT, CEF eID Expert)
  • Sebastian (Deloite [DG DIGIT], implementation eID).

  1. eID CEF Study (from @Alice)
    • eHealth eID Strategy (policy, technical), study recommendations to DG Santé....
      • Needed to understand the status of each MS (MS readiness status are very different from each other);
      • eHealth Network Joint Action (JAseHN): 
        • JAseHN: T5.2 Electronic Identification for eHealth
      • 4th and 5th Workshop, e-SENS eID team;

Obtain an accurate situation point on the current status of e-SENS eID BB integration on the OpenNCP V2.4.0;

e-SENS WP5.2 eID Business Leves

LEVELDescriptionBB Dev STATUSOpenNCP Integration StatusOpen Issues
Level 0 – manual input of ID – traditional epSOS

This is the most basic level of identification. It only requires the Health Professional to identify the patient by requesting his/her ID, and enter it manually in the system. This is the approach used in the epSOS pilot.

The main advantage of this level is in an emergency setting where no other method of identification and authentication is available. 

NONEDONENONE
Level 1 – Passive read of eID token – e-SENS LARMS

This level requires the existence of an eID token, usually this token is a smart card. The token has identification attributes that can be publicly read.

In the eSENS project the asset used provide this level is the e-SENS Local Attribute Mapping and Retrieval Service (LARMS). This level is safer than the previous, because of the input of the identification is automatic and not manual. 

DONEDONENONE
Level 2 – Localy signed eID with token – e-SENS LAM

This level also requires the existence of an eID token, as the previous on, but this token has to be capable of patient authentication, usually by entering a PIN code.

In the eSENS project the asset used provide this level is e-SENS Local Authentication Module (e-SENS LAM) with the Digital Signature Add-On (DSig).

Signing of a patient consent is made possible with the introduction of this level.

This level is safer than the previous, because the introduction of the identification attributes is authenticated by the patient. In this level, as well in the previous ones, a network connection is not needed. The inexistence of a network connection, and thus the connectivity to a PKI (Public Key Infrastructure) to validate this authentication is a liability, which, however, can be mitigated by the signature and certificate validation performed through the ACS in country-A. Consequently, it is possible to issue a mismatched data disclosure request (e.g. signing with a certificate of someone else) or using an irregular certificate (e. g. suspended) in country-B but it should not be able to successfully pass ACS inspection in A.

DONE

(maintenance)

IN PROGRESS

1st Step:

  • provision of authenticated attributes

2nd Step:

  • Capability of signing the SAML assertion created by the TRC service, with the certificates of the SmartCard instead of using the NCP certificates.
Issues identified on:.....
Level 3 – Localy signed eID with realtime validation – LAM+This level has the same functionality of the previous, but with the availability of a network connection and connectivity to the required PKI infrastructures. This level mitigates the liability introduced in the previous level. So the validation of the authentication of identification and patient consents is possible.- Full advantage of having access to Country A to validate the identification and signature of certificates.

IN PROGRESS

Ready but not yet Released.

NOT STARTED

- Codification of attributes, with STorK and eIDAS there is a limitation on the attributes can be coded (Doctor name), that causes loss of semantic on the exchange of the information. - Wow can the eIDAS token support this requirements? "http://www.futureid.eu/attributes/common/cardIssuerCountry":"it", "http://www.futureid.eu/attributes/cardType":"it-cns", "http://www.futureid.eu/attributes/common/healthInsuranceId":{"urn:oid:1.2.3.4.5.6.7.8.9":"030225BM526"}, "http://www.stork.gov.eu/1.0/surname":"INCONTATTOZERO", 

  • @Alice: Will be following this up. Report on (4th and 5th February workshop: focused on the adapter from STorK 2 to eIDAS)
  • Soeren Bittins: Prepare problem Statement.
Level 4 – Distributed Cross-Border Authentication (DCA)This level introduces the e-SENS Authentication Broker, that is leveraged by the STORK 2.0/ eIDAS infrastructure. All authentication and authorisation activities are fulfilled outside of the local environment based on an initial authentication information acquired locally from an eID token.NOT STARTEDNOT STARTED

Access to Stork 2 instance (DE is not part of the system)

  • Currently is being evaluated by a German partner access to eIDAS service in Germany.

For sake of integration, can we work with a citizen from a different nationality with a Stork 2 system running.

  • For testing purposes STorK: @Alice may point the eSENS eID for eHealth, to a test environment so that development activities can proceed.
Level 5 – Virtual eID (mobile eID)

This level leverages the previous by giving the possibility of authentication and authorisation on without the need of a physical eID token, just using a mobile app a smartphone with a virtual token, specifically developed for this. 

NOT STARTEDNOT STARTED
  • Soeren Bittins is currently studying materials that just came out recently published materials from e-SENS. Follow up in next meeting.

 

Next Steps:

  1. Meetings:
    1. Biweekly meeting:
      •  16:00 CET
      •  16:00 CET
    2. Other e-SENS / EC relevant meetings to follow/attend:
      • e-SENS workshop 4th and 5th February;
      • Webinar on 9th February - Consolidation strategy for the different solutions; AliceV: invite the group to attend;

  2. Events:
    1. IHE 2016 CAT  -  11-15 April 2016 (Bochum, Germany)   http://www.ihe-europe.net/connectathon/cat-2016
      • What can be tested?
        • December: we tested the eID, but the Change Proposal was not delivered in time.
        • February: DG Sante is taking over the the CP that can be incorporate in the Specifications;
        • April: 
          • eID Level 3;
          • More MS testing the eID;
      • Who's willing to attend?
        • To early to answer...