The Citizen Card is an easy to use, physical and electronic document that allows the identification of citizens on several communications channels (face-to-face or data/voice-only) to contact the Public Administration and Private Entities.
Both the face-to-face and the data/voice only interactions are supported by high level security, with legal value, consistent to the traditional face-to-face identification methods. The card will facilitate citizens’ everyday life when engaging public services in-person through the telephone or the internet.
The Citizen Card is presented as a true citizenship enabler certificate, assuming the form of:
- Physical ID: visually identifies the citizens (exactly as a traditional ID Card).
- Digital authentication document that allows the citizen to identify and authenticate himself in procedures regarding public and private entities (using a personal PIN).
- Digital signature document that allows citizens to sign digital documents with a recognised electronic signature with the respective legal validity.
The creation of recognised digital signatures and the authentication for all Portuguese citizens, is possible through two digital certificates (X509 v3) that are included in the card.
Description of the way to implement the initiative
The electronic authentication and recognised digital signature provided by the Citizen Card is possible through two IT platformsl: the Public Administration Interoperability Platform (iAP) and the Authentication Provider (FA).
Interoperability Platform (iAP):
The Public Administration Interoperability Platform provides, among other functionalities, robust mechanisms for the authentication and management of identities, facilitating secure access to public organisms and transactional control mechanisms that guarantees the quality of data during the use of electronic services, going beyond the central Gateway for electronic payment.
During the conception of the platform model, open standards imposed themselves as a strategic option, to ensure a greater level of interoperability. The adoption of an architecture devised for services for the implementation of complex systems with considerable dimensions, as is the case for the solutions for the integration of the Public Administration, ensures the levels of adaptability and adherence to the change possible to anticipate, leaving an open door for upcoming evolutions and improvements that might further raise.
This architectural typology allows for a sustained framing, supported by a set of rules and practices that define the availability of relevant functions, perceived as services, correctly measured to the users. The services are made available through a single interface format, based on standards, while hiding the implementation mechanics.
The Interoperability platform is supported by a set of components that are devised to accomplish its objectives. Its architecture can be decomposed in several acting areas:1. Core Components – aggregate the central components to the use of the platform as a support tool for the integration and data services. Adapting components to the several entities’ systems, internal message processing pipelines, orchestration manager and Identities Federation are also included in this area.
2. Transversal Components – ranging all the Interoperability Platform areas and responsible for the functionalities of security and data privacy, registration and treatment of exceptions, as well as global monitoring.
3. iAP – Web Interface – it’s the visible layer of the interoperability and service sharing in the Public Administration. They provide an integrated image of information and functionalities available for the public entities. The following components belong to this domain:
o Service Directory – responsible for listing and managing the electronic services available through the Platform;
o Management Interface – allows for the Public Administration functions of management and monitoring of the platform, specific to the entities they represent. Makes possible to access services management, as well as the monitoring and operational management of services in use.
o iAP Website – visible interface from outside the platform, with information referring to services and functionalities, materialised on the website www.iap.gov.pt.
4. External Systems – they work independently, but intimately coupled with the domain of the Interoperability Platform. They are subsystems that have specific functionalities, but basilar to the functioning of the complete architecture, acting as supporting features with added value. The following components belong to this domain:
o @gov.pt Authentication – set of components that provide electronic authentication mechanisms to the Public Administration (and private entities upon request), ensuring the following functionalities:
1. Authentication Provider – will be described in the following section.
2. Authentication for EU Citizens – providing the access to services of the Portuguese Public Administration to citizens of other member-states and the access of Portuguese citizens to electronic services of other EU Member-States.
3. Attributes Provider – allows fobtaining attributes, with express citizen authorisation, for the execution of electronic services over the internet.
4. Single Sign-On – persistent citizen authentication while he navigates different Public Administration electronic services.
o Payment Platform and SMS Gateway – external systems, already existing and in productive use, that are to be made available on a integrated way and potentiated by the Interoperability Platform, specially with the use of composed services or in entirely orchestrated processes.
Technology solution
Authentication Provider (AP):
The Authentication Provider follows from the necessity of uniquely identifying a Citizen Card bearer (and user of services) to the websites of each Organism, achieving respective sectoral identification. This solution has the objective of becoming the single authentication point for citizen when regarding the public administration and even private organizations. The Authentication Provider expects therefore, to facilitate and accelerate the accession process and use of the citizen card for authentication of the citizen towards public services.
The following interactions can be depicted in the following diagram:
1. The citizen tries to access the private area of a Organisation’s portal, and to do so, he’s required to present his secure identities.
2. The Organisation’s Portal relays the authentication process and redirects the Citizen to the Authentication Provider (AP), together with an authentication request digitally signed.
3. The AP will validate the request for the citizen’s credentials and demand the PIN. During this process, the AP will follow some internal operations:
o Validate the citizen’s credentials using the Citizen Card public-key infrastructure (PKI), via the Online Certificate Status Protocol (OCSP).
o Obtain the attributes requested from the different qualified attribute providers, through the Interoperability Platform. This process can include gathering data from the Identity Federation or other Organizations.
4. The identity and attributes of the Citizen are validated and digitally signed by the AP that will redirect the Citizen to the portal of the original Organization. The Organisation will, then, validate and use the data accordingly.
Main results, benefits and impacts
Since 2007, when the requests for Citizen Cards started to be available to the public, and until the end of February 2012, more than 7 million cards have been issued. As it can be seen on the graphic below, 2011 had a lower number of requests than the previous year. This is due to the existence of old traditional ID cards that don’t have a validity date (lifetime) that, so far, do not require replacement.
At the available services level, there is a considerable set of entities that already use the Authentication Provider (a IT solution that allows for the authentication of the citizen in online services through the Citizen Card), increasing the number of available functionalities associated to the Citizen Card. In the following table, the adherent parties are listed, as well as the ones expected to adhere in 2012.
Considering that the Citizen Card is already disseminated and in use by more than 7 million portugueses, AMA has been focused on augmenting and improving the services provided, be it authentication or qualified electronic signature. In that sense, some projects are being coordinated by or have the AMA participation:
System for the Certification of Professional Attributes of the Citizen Card
AMA, benefiting from the whole technologic infrastructure for electronic identification that is already disseminated among all portuguese people, is implementing a system that will allow for the use of the Citizen Card as a support for differently flavoured certification and authentication, such as professional certificates, through the system of Certification of Professional Attributes with the Citizen Card (SCCC).
The main focus of this project is to develop a system that will allow for the use of the Citizen Card to create digital signatures and authentication in different professional qualities/attributes (medic, architect, public servant, etc...).
Lessons learnt
The electronic authentication with the Citizen Card it’s a added-value to the Citizen but also to the public entities, since it guarantees the authenticity of a citizen’s request for an online service, de-materializing processes and reducing costs. Even considering that the number of available services using the Citizen Card is already significant, AMA is available and invites all public entities to adhere to the Authentication Provider for the Citizen Card, as well as to the Interoperability Platform.
The interested entities that may wish to associate themselves to these technological platforms only need to contact AMA, to start an assessment on how is the best way to assure integration, quickly and simply. To do so, it’s as simple as e-mailing iap@ama.pt.