Last fall produced news in the field of global identity assurance and trust frameworks that the Republic of Estonia will extend their national identity card program to offer issuance of credentials to non-residents.  We at Electrosoft find this news particularly interesting due to its relevance to current plans by the Kantara Initiative’s Identity Assurance Working Group, whose 2015 road map includes plans to modernize and globalize the Kantara Initiative’s identity assurance trust framework, (the Kantara Identity Assurance Framework or IAF).  The IAF is a FICAM approved trust framework that approves identity and credential services operating at Levels of Assurance 1, 2 and 3.  Specifically, the 2015 goals for the IAF trust framework include globalization of the IAF by monitoring and aligning as appropriate with both:

• Multi-national and/or international equivalent frameworks such as the ISO/IEC JTC1/SC 27/WG 5 identity management standardization effort, the European Union’s electronic identification and trust services program (eIDAS), ITU-T efforts such as the Joint Coordination Activity for Identity Management (JCA-IdM) and the Identity Management Global Standards Initiative (IdM-GSI), as well as;
• National frameworks such as the United States’ FICAM Trust Framework Solutions program, the United Kingdom’s Identity Assurance program, the Government of Canada’s Standards on Identity and Credential Assurance or the Government of New Zealand’s RealMe program. 

The Estonian electronic residency program is interesting because it expands the potential user base for a national framework to a potentially global user base, thus offering one potential model for a functioning universal online trusted identity.

The Republic of Estonia is a small but strategically important European state on the Baltic Sea. A member of the Organisation for Security and Co-operation in Europe (OSCE), NATO, and the European Union, Estonia is a lightly populated but well educated and traditionally “wired” country. In 2007 the nation was the subject of a cyber-attack that disrupted access to online services of government and commercial institutions.  In response to the attacks, Estonia founded the National Cyber Defense League (Küberkaitseliit in Estonian). Tallinn, the capital city, is host to the NATO Cooperative Cyber Defense Center of Excellence (CCDCOE) devoted to cyber security research and development.  The Estonian government’s national cyber security strategy emphasizes the state’s commitment to developing national cyber defense capabilities, combating cyber crime, and working with partners to promote international cyber security policies.  Estonia has a history of foreign occupation from 1940 until 1991, so one is not surprised to see “ensuring the digital continuity of the state” among the cybersecurity objectives listed in that document.

In 2007, Estonia established a national identity card (ID-kaart) that stores X.509 based digital credentials on a chip, along with identity data including name, gender and a national identification number and biometric information in the form of iris and fingerprint scans.  The cards are issued after a face-to-face identity proofing session performed by personnel of the Police and Border Guard.  In Estonian law, digital signatures based on the cards have equivalent legal status to written signatures, and the cards are used for authentication to financial systems, as transit ticket storage devices, and they are used by citizens to authenticate to Estonia’s internet based voting system. Obtaining the identity card is mandatory for Estonian citizens and permanent residents age 15 and up.

In December 2014, Estonia announced the roll out of their “e-resident program” that permits the issuance of identity cards to people outside the country.  These cards confer no specific rights within Estonia, but they enable authentication and digital signature, with strong support for those functions including certificate validation services and the availability of open source toolkits to utilize the cards. At this time, applicants must apply in-person in Estonia, but there are plans to establishing issuing authorities at Estonian embassies in Washington DC and New York City.  This program provides an interesting use case of strong credentials bound to strongly proofed identities, supporting authentication and digital signature services, and available to individuals regardless of where they live if they have the resources and motivation to obtain them. 

We look forward to the implementation of the program, and we are making plans within the Kantara Initiative’s identity assurance working group to establish a liaison relationship with the Estonian authorities in an effort to knit together global policy frameworks in support of more trusted identity ecosystems for all.

Contributed by:  Scott Shorter