Stork Stands for Strong
I am Dutch. My parents are Swedish. My daughter is Spanish and my older sister has UK citizenship. This is not a joke, and we do not run an illegal business or a fake passport printing machine. We have all acquired citizenship of different countries by naturalization, except for my daughter, who is genuinely Spanish, that is, by birth. But what matters for this story is the cyber-world, with its cyber-frontiers not necessarily coinciding with the natural frontiers of the member states, and my desire to use my cyber or electronic identity across these frontiers. For example, I would like to use my Dutch electronic identity (e-ID) card to manage the traffic fine (where and how did it happen?) that I got last summer in Spain. And of course, I would like to do it in a SECURE (I will come back to this later) and seamless manner.
Now, all this has been partially enabled through the STORK project, which was finalized in 2012. It delivered e-ID interoperability and enabled secure cross-border access to online services in several European countries using home-country e-ID credentials. STORK received support from the European Commission (and is currently being used for ECAS, the European Commission Authentication Service) and involved 14 EU Member State governments: Austria, Belgium, Estonia, France, Germany, Italy, Luxembourg, the Netherlands, Portugal, Slovenia, Spain, Sweden, the UK and Iceland (as an EEA member). All of this was coordinated by Atos’ Research & Innovation department (ARI).
A few questions quickly come to mind: What about countries that do not have an electronic ID card, such as the UK? What about interoperability and compatibility with the other, non-governmental standards, solutions, identity providers and service providers? And why should the EC spend so much money (we are talking about a “7 zeros” project) just to solve the problems of weird families such as mine? But let us take it step by step, unveiling the whole issue surrounding the use of an e-ID issued by, or on behalf of, a Member State.
In 2012, the European Commission published a proposal to encourage the take-up of e-signatures and e-identities across Europe. This new draft regulation will update the existing e-Signatures Directive, extending its scope to include new services such as e-stamping or e-seals, which are meant to guarantee the origin and the integrity of an electronic document. The Commission Staff Working Paper accompanying this proposal mentions the STORK project not once but 27 times, leading some critics to dub it the “STORK regulation”. To allay the critics, the Commission underlines that the new legislation would not oblige member states that do not have electronic IDs to introduce them. However, it also says that member states that refuse to use e-IDs will be cut off from the advantages of easier identification across borders. In other words, an incentive will be established for member states to equip themselves with e-IDs.
But STORK is not alone. There are numerous standards (published and de facto) related to digital identity. There are sector-specific standards (e.g. ICAO Doc 9303 for travel or 3-D Secure for finance), and there are technical standards for e-ID ranging from e.g. CAdES or ETSI TS 101 456 to open identity standards such as OpenID or OAuth. Many of these standards are linked to the subject of authentication, although they are often more concerned with interoperability than with the quality of the authentication per se. For example, 3-D Secure is a standard created by the card schemes to allow card issuers to authenticate cardholders during a transaction when the card is not present. The standard specifies how the merchant can redirect the customer to their card issuer to complete the authentication process; however, it does not specify the authentication method that is used. This standard, like many others, is therefore agnostic about the authentication mechanism. The SEMIRAMIS project uses many federated identity standards, but when it comes to the authentication method we simply re-used the existing STORK mechanism. After all, the STORK API is available as open source software and can be downloaded from the EC portal.
In the cyber-world we talk about electronic authentication as the process of establishing confidence in user identities electronically presented to an information system. The level of confidence depends on multiple factors: how the identity is defined and captured during the registration process, the type of credential/token, the management of the credential/token, the verification process, etc. Combining these factors allows a scheme or framework to define levels of authentication assurance.
And here is where STORK comes into play: besides the United States NIST standard, STORK QAA (Quality of Authentication Assurance) is the only attempt to bring order and enable a comparison between authentication mechanisms. As I mentioned before, I want to access certain services in a highly SECURE manner, so standards such as QAA and related metrics would certainly help me to distinguish between high and low security. As a matter of fact, the United States government has already certified certain identity providers and assigned them an LOA (level of assurance).
The STORK QAA framework includes four levels of authentication assurance and facilitates the mapping of national levels and e-ID solutions onto each other. There are member states that have multiple authentication solutions with different assurances at the national level but with equal assurance in the STORK framework (e.g. Luxembourg and France). There are also member states that have several authentication solutions with equal assurance at the national level but with different assurance in the STORK framework (e.g. Italy and Estonia). But the real problem might be with member states that have no authentication solution mapping onto the highest STORK level (e.g. the UK), which implies that many UK citizens could never access some services in the other member states. This of course depends on the service providers, who must make a risk assessment of their services and decide for themselves whether the highest level is the optimal or best choice.
One way or another, there is an economic driver to align and to enable seamless and (more or less) secure access to services in the other EU member states. Many service providers will accept identity providers with a lower QAA or LOA (think of mobile apps that accept a Google ID) in order to reach more clients, while it is probably acceptable that only a few of them request a high QAA for very sensitive services. For example, both my older sister and I would like to access the personal health records of our parents in Sweden. So I can imagine that my Dutch e-ID card would be accepted as a means of authentication for that service, while the UK user ID plus password that my sister has would not.
This is also what STORK 2.0, another “7 zeros” project, hopes. This project builds on the results of STORK and now has 58 partners from 19 countries. It also tackles building blocks for interoperable legal identities and mandates, on top of the interoperability infrastructure developed in STORK. It will also deliver an update of the QAA model to include attributes, legal entities and mandate agreements, as well as a cost model that promotes the business take-up of STORK QAA.
To be completely honest, I do not envisage using my Dutch electronic identity (e-ID) card in 2013, at least not to access online services in another country. Nor have I been using DigiD (or Burgerpin, as it was known before), which has a lower QAA level. However, security thresholds are changing, and a strong authentication requirement might become a necessity, not a luxury. The word “strong” is “sterk” in Dutch and “stark” in Swedish. In “EU” language it should probably be “STORK”.