1. Smart cards issued by governments to identify their citizens (Electrionic Identification Cards: e-IDs).
2. Smart cards issued by banks to substitute magnetic strip cards (EMVs).

This third post describes the second type. We’ve analysed the situation in 31 european countries (EU-27 plus Liechtenstein, Iceland, Norway and Switzerland). This is what we’ve found:

In 2010, all European bank cards, some 590 million of them, will be smart cards (EMVs) with strong authentication and digital signature capabilities.

If you don’t believe us, read on:

European banks that plan to launch EMV smart cards

Short answer: all of them.

In 2000 the European Commission decided that to foster innovation (Lisbon Agenda) the single market must make it easier to move money around the EU. Specifically, cross-border payments should not cost more than domestic payments. In other words, you can use your bank card in another EU country and they won’t charge you any more commission to withdraw money as they do in your home country. This initiative is known as the Single Euro Payment Area or SEPA. The SEPA zone encompasses 31 european countries (EU-27 plus Liechtenstein, Iceland, Norway and Switzerland).

To make SEPA a reality, all the EU banks need to agree on the same standards and implement the same procedures to ensure interoperability at the moment of accepting a card. To give an example, a cash machine (ATM) in Austria should be capable of accepting and understanding a card issued by an Italian bank. Said and done: the standard was developed by Europay, Mastercard and Visa and they called it EMV (the initials of the three companies). EMV will mean that there will be no difference between national and transfers within Europe. EMV will make SEPA a reality – meaning cheaper payments and faster money transfers between countries in the eurozone.

The EMV standard is based on “Smart cards with a microprocessor chip” and this microprocessor chip is capable of storing not just financial applications (EMV) but also other types of application such as strong authentication and digital signature. As you can see, EMV cards are (or have the capability to be) similar in functionality to eID smart cards. The only difference is that they are issued by a bank instead of a government.

EMV deployment phases in Europe

The banks of these 31 countries are obliged by SEPA to migrate all their magnetic strip cards to EMV smart cards. They have from January 2008 to 31st December 2010 to do the migration.

Experts consider that most of these countries will have completed the migration to EMV by 2009, one year before the deadline:

• 2006: United Kingdom has already completed 90-100%. France 50-90%. Rest 10-50%.
• 2007: United Kingdom and France will have completed 90-100%. Rest 50% to 90%.
• 2008: All will have completed 90-100%, except for Germany, which will have completed 50-90%.
• 2009: All will have completed 90-100% of migration to EMV.

Conclusions

If you live in Europe, you will soon have an EMV smart card in your pocket.
Europe is the undisputed leader at global level in EMV deployment (since 2002 – see slides 3 and 5 of this presentation). Europe has more than 50% of the total number of smart cards in the world (of the 590 million smart cards worldwide, 300 million are in Europe). Europe has more smart cards than magnetic strip cards (of the 587 million bank cards in Europe, 300 million are smart cards). The obligations imposed by SEPA on European banks mean that Europe will increase this lead.

We’re not saying that all EMV cards will be capable of digital signature (like the majority of eID cards). We are saying that (1) if the banks want to use it, the technology is there and (2) many do plan on using it. In our conversations with the main card issuers in Spain, the majority have plans to incorporate signature certificates in the chips. The objective is that the client identifies his/her self and signs online with a card and the look and feel of the bank. Once the adverts start, it’s difficult to imagine the rest of the banks failing to offer the same functionality.

EMV around the world

Europe is not alone: Banks in various countries are migrating their magnetic strip cards to EMV smart cards (Turkey, Brazil, Taiwan, Japan, Malaysia etc.).

As of year-end 2006 there were 3 billion bank cards in circulation. Of these, between 515 (source: GIA Cartes Bancaires) and 590 million (source: Deutsche Bank) were microprocessor smart cards:

• Europe: 300 million smart cards.
• Asia/Pacific: 150 million smart cards.
• South America: 140 million smart cards.
• USA: Has no EMV-compliant cards and, as with e-ID cards, is reluctant to introduce them.

Given the benefits of smart cards, it is just a matter of time before banks around the world change from magnetic strip to smart cards. The growth potential in this sector lies in the prospective migration of the 2.5 billion magnetic strip cards in circulation. Deutsche Bank estimates smart card growth of 18% CAGR in the payments industry between 2006 and 2010. In 2006 430 million smart cards were sold – 12% penetration, with France and Germany leading the way. In 2007 544 million were expected to have been sold (34% attributable just to EMV migration). In 2010, 600 million smart cards are expected to be sold every year with 26% penetration.

By 2010 there will be 830 million EMV cards in Europe, Asia and Latin America.

Something is changing, don’t you think?

Next post (and the last in the series): “Smart cards in Europe: Conclusions”.

1. Smart Cards issued by governments in order to identify their citizens (“Electronic IDentification Cards” or “e-IDs”).
2. Smart Cards issued by banks to replace magnetic strip bank cards (“EMVs”).

This second post focus on the first case. We have analyzed the current status of e-ID implementations in 32 European countries, representing 565 million people (source: Eurostat). Our findings can be summarized as follows:

By 2010, 437 million people (82% of the European population) will live in countries with electronic ID cards (e-IDs).

If you don’t believe us, keep on reading:

Countries in Europe that already have an e-ID scheme

Ten countries, representing 153 million inhabitants (27% of the European population):

1. Spain (44,474,600): Spain started to introduce an e-ID sheme ( DNI electrónico ) in March 2006. As of November 2007 a total of 1,500,000 e-IDs had been issued. From December 2007 e-IDs will be issued throughout Spain. Projections are: 6.5 million e-IDs issued by December 2008 and 18 million by December 2009. Besides the electronic ID, Spain also has 14 commercial certification authorities (lawyers, notaries, registrars, regional governments, banks, etc.). See also physical description, demo and video of the DNIe.
2. Italy (58,751,711): Having completed two experimental phases in 2003 and 2004, Italy is currently deploying its Carta d’identità elettronica (CIE). By October 2005 2 million CIEs had been issued. The aim is to replace 40 million conventional ID cards by 2011 at a rate of 8 million per year. Apart from the CIE, Italy has 19 commercial certification authorities.
3. Portugal (10,569,600): Following the initial introduction of e-ID cards in February 2007, Portugal is preparing to start a full-scale rollout in 2008 and expects to issue 2 million Cartão de Cidadão per year. By July 2008 the new e-ID should be available throughout the country. Portugal also has 1 commercial certification authority.
4. Belgium (10,511,400): Belgium started deployment of its eID in September 2004. To date, 6,500,000 eIDs have been issued. Plans are to reach 8,000,000 by December 2009. Belgium has 2 commercial certification authorities. The Belgian government also issues e-IDs to minors and non-nationals.
5. Sweden (9,047,800): Sweden began to introduce its nationellt identitetskort in October 2005. So far, some 3,000,000 e-IDs have been issued (almost all in software format). Sweden is a special case in that e-IDs are not issued by the government but by authorized companies (banks, system integrators, etc.).
6. Austria (8,265,900): The rollout started in 2000 and is already complete. There are some 8,000,000 Bürgerkarte (citizen cards) in circulation. An original feature in this case is that there is no “one” type of e-ID: an e-ID can be stored in government-issued cards, bank cards or SIM cards.
7. Finland (5,255,580): The Finnish e-ID, or FINEID , like the Austrian one, can be stored in smart cards, bank cards or SIM cards. It was launched in 1999 but did not include an electronic signature until 2004. The Finnish government announced plans to issue around 135,000 FINEIDs by the end of 2007. Citizens who so wish may include their health insurance information in their FINEID.
8. Estonia (1,344,700): Estonia is probably the most advanced country in Europe in the adoption of electronic signatures by the general population. The Estonian ID-Card was launched in January 2002 and today is used by more than 1,000,000 citizens (almost 90% of the population). The Estonian government is working to create a Mobile-ID, so that the certificate can be stored in mobile devices.
9. Norway (4,770,000): Norway’s main commercial certification authorities are Telenor and the banks. Norwegians can obtain their e-ID from lottery offices, social security offices and banks. The certification authorities responsible for issuing certificates are ZebSign and BankID.
10. Iceland (307,700): The Icelandic government has reached an agreement with the banks under which all debit cards issued after the end of 2007 will incorporate government e-IDs.

Countries in Europe that are planning to launch e-IDs in 2008

Eight countries, representing 184 million inhabitants (32% of the European population):

1. Germany (82,438,000): Germany has declared on various occasions that it intends to deploy its Digital IDCard in 2008, which will include the ability to use pseudonyms online. Germany has 8 commercial certification authorities.
2. France (62,518,600): After various delays (to incorporate feedback from the public), France has stated its intention to put its Identité Nationale Electronique Sécurisée (INES) into effect in 2008. The plan is to include electronic signatures, although the first generation of cards may not have this functionality. France has 11 commercial certification authorities.
3. Netherlands (16,357,992): The Dutch DigiD service offers three levels of security: low (username & password), medium (SMS authentication) and high (on-card PKI). So far, 6 million citizens use low DigiD for authentication, while 2 million use medium DigiD. The high-security DigiD, known as eNIK , may be introduced in 2008. The Netherlands has 4 commercial certification authorities.
4. Hungary (10,076,600): Requirements and specifications for the development of the Hungarian e-ID, HUNEID, and its prototype implementation were published at the end of 2004. Introduction is expected in January 2008.
5. Bulgaria (7,679,200): Following the optimistic government announcement that issuance of e-IDs would start in 2007, the rollout is now expected to start in 2008. The Bulgarian Government owns 1 commercial certification authority, which is authorized to issue digital certificates to citizens.
6. Latvia (2,291,000): Following the passing of e-ID regulations by the Latvian Council of Ministers, the introduction of e-IDs is scheduled for 2008. Latvia has 1 commercial certification authority.
7. Slovenia (2,003,400): The Slovenian e-ID project was officially launched in February 2003 but was then suspended. A fresh start is expected in 2007-2008. Slovenia has 4 commercial certification authorities.
8. Malta (404,346): Malta is taking a four-pronged approach to the deployment of electronic IDs. The third phase started in 2007. All that remains is the fourth stage, which includes the issue of e-ID cards. Everything suggests this could happen in 2008.

Countries that are planning to launch e-ID schemes after 2008

Seven countries, representing 134 million inhabitants (23% of the European population):

1. United Kingdom (60,393,100): The National Identity Scheme is currently under development by the UK Identity and Passport Service (IPS). Its main goal is to introduce e-ID cards in the UK. Procurement of e-ID cards has already started and suppliers will be selected in May 2008. The first e-IDs are expected to be issued to British citizens in 2009 or 2010. The United Kingdom also has 4 commercial certification authorities.
2. Ireland (4,209,000): In June 2004 the Irish government established the framework for Public Service Cards(PSC), which will be used for authentication and electronic identification. Following Portugal’s example, the PSC will include a range of functions (social services, medical card, etc.).
3. Poland (38,518,241): Poland is studying the possibility of introducing an e-ID card, known as a Multifunctional Personal Document (MPD), to replace a variety of identity cards. Poland is aware of the need for an e-ID and is undecided whether to set up a new state-owned CA to issue MPDs or to delegate the role to commercial CAs. Changes in the law are needed. Poland has 4 commercial certification authorities.
4. Romania (21,610,200): Romania has started to work on e-IDs and biometric passports and has already issued an international invitation to tender for these projects. Romania has 5 commercial certification authorities.
5. Slovakia (5,389,100): The Slovakian government has plans to introduce e-IDs (called “BIFO”) and passports. Slovakia has 9 commercial certification authorities. Since March 2007, Slovakian citizens holding a digital certificate have had 1,000 “contact points” where they can sign electronically.
6. Lithuania (3,403,300): No e-IDs have been issued as yet, but the government is treating e-IDs as a priority. The Lithuanian e-ID will be multifunctional (government, health, loyalty programs, tickets, etc.). It is thought that it could be launched in 2009-2010. Lithuania has 1 commercial certification authority. To popularize electronic signatures, the government will issue 300,000 certificates to citizens completely free of charge before 2009.
7. Cyprus (766,414): The government of Cyprus has stated its intention to issue e-IDs but has provided no further information.

Countries that have no plans to launch e-ID schemes but that have commercial certification authorities

Three countries, representing 83 million inhabitants (14% of the European population):

1. Turkey (72,500,000): Turkey has 3 commercial certification authorities.
2. Czech Republic (10,251,790): The Czech Republic has 3 commercial certification authorities.
3. Luxembourg (480,222): Luxembourg has 1 commercial certification authority.

Countries that have no plans to launch e-ID schemes and no commercial certification authorities

Four countries, representing 21 million inhabitants (4% of the European population):

1. Greece (11,125,200): The Greek government has plans to create 5 government-owned certification authorities.
2. Denmark (5,427,400).
3. Croatia (4,442,803).
4. Liechtenstein (34,905).

Conclusion

In Europe, in terms of population:

• 27% of the population of the 32 European countries lives in a country that has an e-ID scheme (at varying stages of implementation).
• 32% lives in a country that is planning to launch e-IDs in 2008.
• 23% lives in a country that is planning to launch e-IDs after 2008.
• 14% lives in a country that has no plans to launch e-IDs but that does have commercial certification authorities.
• 4% lives in a country that has no plans to launch e-IDs and no commercial CAs.

Europe is not alone: Various countries have started issuing national identity cards in the form of e-ID smart cards (China, Qatar, Morocco, Thailand, Hong Kong, Oman, etc.). Some are planning to do so in the near future (Peru, Argentina, Brazil, Mexico, etc.). Others are considering the possibility (U.S.A., Russia, etc.). Although eID is a small segment of the overal smart card market, all the experts agree that it has the strongest growth prospects (21% CAGR) and is likely to grow dramatically over the next few years. Of all the emerging new applications of smart cards this is the largest market because the number of ID cards in circulation (worldwide, 1 in 2 people has an ID card, i.e. 3 trillion IDs) is much greater than the number of passports (1 in 10 people), transport cards (1 in 3), or driving licenses. According to the “Deutsche Bank Smart Cards report 2007″, e-ID smart cards in the “Other: Government ID, Passport, Health, Transport” category had 7% penetration worldwide in 2006. Projections are that an average of 400 million e-ID smart cards will be issued each year, reaching 17% penetration in 2010. If these projections are met:

In 2015, 84% of people with an ID will have an e-ID.

Something is changing, don’t you think?

Next post: Smart Cards in Europe: EMV Avalanche.

What is a smart card?

It is a card, similar to a credit card, that includes a chip/microcomputer capable of executing different types of applications including “authentication” and “digital signature”.

This is a smart card issued by the Portugese government:

This is a smart card issued by a Belgian bank:

This is a smart card issued by a German telecommunications firm:

The main idea: many different organizations in many different companies issue many different smart cards.

There are two types of smart card, depending on the type of chip:

• Smart card with memory chip: cheaper. Contain only non-volatile memory, perform a single function and don’t process data. Not capable of performing digital signature. Used predominantly in transport, PayTV, corporate security, pre-paid telephones, loyalty programs etc. This type of card is becoming obsolete. They represent 4% of the market (by value) and demand is increasing but only in single-digit figures.
• Smart card with microprocessor chip: more expensive. They are a type of mini-computer that includes processor, memory and an operating system on the chip. Can be single- or multi-application, in which case, the microprocessor is capable of running different applications, including authentication and digital signature. Predominately used in government (“e-IDs”), banking (“EMV”) and telecommunications (“SIM”), health etc. applications. Microprocessor cards represent the future of smart cards. They are applicable to a wide range of sectors, a large part of which are in the early phases of development. They represent 96% of the market (by value) and demand keeps rising.

Why should I care?

Because a smart card with a microprocessor chip allows strong authentication (verification of identity) and digital signature. Both (authentication and signature) are extremely powerful tools which will soon become ubiquitous. The massive deployment of smart cards with authentication and digital signature have the potential to change the way we interact on the Internet, do electronic commerce and how we deal with anonymity and privacy online.

And there’s more. Europe, for technological and legislative reasons, is at the centre of the tsunami:

1. Technology: Europe has (and will have) the highest concentration of smart cards capable of digital signature in the world. It’s not just that Europe has more than 50% of the smart cards in the world (300 million according to “Deutsche Bank Smart Cards report 2007″) but also that, as we’ll demonstrate in this series of posts, it is about to receive 1 billion smart cards with microprocessors issued by governments and banks.
2. Legislation: European directive 1999/93/CE on digital signature names “qualified digital signature” as the most advanced form of digital signature and gives it the same effect as a hand-written signature. For a digital signature to have “qualified” status, it should be generated by a “Secure Signature Creation Device” like, for example (you’ve guessed it) the chip on a smart card. And yes, you read that correctly – “the same effect as a hand-written signature”. So, the discussions as to whether the technology is secure or not are irrelevant. The law, by default, assumes that it is. If one of the parties denounces the signature, they bear the responsibility of proof i.e. they must demonstrate that the technology and processes used in the qualified digital signature were not secure (I’ll save you the suspense…no one is going to do this). A technology blessed by the law. Checkmate. End of discussion. We’ve studied 30 countries (the EU-27 plus Croatia, Turkey and Liechtenstein) and they’ve all implemented the directive. In summary, Europe enjoys uniform “qualified digital signature” legislation that gives the same power to digital signatures as hand-written ones.

The massive deployment of smart cards with digital signature backed up by the law promises great benefits (more agile relationships with government, secure electronic commerce, lower bank commissions…) but also serious implications for your rights and liberties as a citizen and consumer. Surprisingly, whether it’s for lack of knowledge, incredulity or voluntary blindness, this matter is not receiving the attention it deserves from the internet community.

We all know what happens when you don’t make a decision: reality decides for you.

Why is no one talking about this?

There are three reasons:

1. Whether we like it or not, the “conscience” of the internet, the A-list bloggers, the main thinkers and analysers of the net are in the USA. Whether we like it or not, europeans typically echo the movements, initiatives and debates that are generated in the USA and there they don’t know, understand or care what happens in Europe.
2. The majority of Europeans think that this is nothing new. Smart cards have been in circulation for years and nothing bad has happened. They don’t understand that they are thinking of smart cards with memory chips and not the microprocessor type. They look the same from the outside but inside they’re not.
3. Many people doubt that “digital signature” will be widely adopted. Digital signature and Public Key Infrastructure (PKI) have been around many years and nothing bad has happened. They don’t realise that it hasn’t worked until now for business not technological reasons. Before there was no business case: no company was willing to assume the cost of issuing digital signature cards to their employees, providers and clients. Now that the costs have fallen, European governments have decided to assume this responsibility and oblige the banks to do the same.

This time it’s serious. The ball is in our court.

Next post: “Smart cards in Europe: e-ID avalanche“.

Companies always have to choose between various options to reduce costs and maximise benefits. They must decide whether to rent or buy offices, to externalise or otherwise certain business functions: with outsourcing, offshoring and other strategies that, in the end, help develop the core competence of the company without submitting it to increases or decreases in the size of the workforce or property required according to demand.

In the IT field, such decisions are normally related to software development: the typical ‘do we do it in-house or externally?’ question. But it is not very common to apply similar strategies to other areas in the IT field.

In the area of IT infrastructure (where the company’s services run), such thoughts are often dismissed because the criticality of the applications leads to thoughts that it is not a good idea to delegate their operation, not even a small part of them, to a third party for fear of losing ‘total control’. Right now, and with increasing frequency – above all in the internet company sector – there is an increasing perception that it is not necessary for the company to develop its own infrastructure to run its applications. Some even decide that they don’t even need their own infrastructure to develop their core business.

If we translate the problem to a more common equivalent – when we flick a switch to turn on a light, we want illumination and we don’t really care where the electricity is produced, we simply want the thing to work. We don’t need a nuclear power station at home to light a bulb, but if we have a company and electricity is the key to developing our business, we will surely want to maintain the electricity supply in case of failure. In such cases it would be more practical to think of having multiple failover providers other than becoming our own provider.

Utility computing: IT like water or electricity

For years this thought has been shaped by the leading computer companies who want IT converted into just another commodity, such as electricity, gas or water, for client companies.

Currently certain components such as computation or storage are being commoditised to a sufficiently mature level that they can be used by companies in production environments, something which is important because it permits economies of scale in supply companies who can therefore offer a better service at a better price.

So, we could have our application running on virtual servers which we pay for according to usage, our backups or content to serve could be on remote storage servers, meaning that we would avoid spending on backup and storage devices (the cost of a good backup system can be significant). We could serve certain content by employing content delivery networks (giving the impression of having a data centre near the client) and bit by bit externalise certain infrastructure services to specialist providers reducing costs and improving the quality of service.
We could go even further and adapt certain components to be available such that they are provided by specialist 3rd party companies. This way we would avoid the development and maintenance costs, which in certain cases can be an important part of the budget for an application. We could optimise and externalise if it is not adding value to our application.

Digital signature on demand

Within this type of components ripe for being provided by specialised 3rd parties, we find public key and digital signature infrastructure, more and more vital in applications, above all in the internet world, but which are complex and are non-trivial to develop.

In this field, there is a tendency to use existing libraries in the product or install already developed products – open source or commercial – from third parties. The problem is that development, installation and maintenance of these types of solution is not very accessible.

They’re only within reach of companies that have huge budgets and, even in these cases, they often lack the know-how or don’t budget for maintenance and continuous improvement of the infrastructure. The result is deployments that don’t represent the total cost of ownership (TCO), quickly become obsolete, are deployed in a buggy state or even aren’t deployed at all.

The field of public key infrastructure was the first of the two to make a move and now today certain activities, such as the role of issuing certificates, is limited to a small group of specialist providers, given that it is an activity that requires an large amount of money and strength to put into production.

People are still waking up to the complexity of digital signature infrastructures and while very few consider developing their own certification agency, it is common to attempt to develop a digital signature authority (be it for creation, validation, signing or storage).

A good idea is to apply a similar criteria to that of certification agencies and delegate the digital signature services to a third party and therefore concentrate on developing our main business activity.

In fact, more and more public institutions and private companies in Spain are making use of third party platforms that offer public key and digital signature infrastructure services, opening a new IT market and reinforcing the idea that such critical jobs should be centralised to specialised providers who can take advantage of economies of scale to optimise cost and maximise the quality of the end product.

We believe that this is an important idea since the domains of public key infrastructure and digital signature should be something that companies can integrate in their applications without the need for large sums of money or effort as has been the case till now. We realise how complicated it can be to solve these problems because we too have been there and for this reason we decided to open our digital signature services and offer them as third-party services because in the Internet, security should be a commodity, not a luxury.

The Belgian “eID”

Now you can use your Belgian eID to sign in Tractis. The “eID” is equivalent to the Spanish electronic ID card (DNIe) i.e. it is a government-issued card that incorporates a chip with a certificate that permits authentication (verifying your identity) and fully legally-binding digital signatures.

The Belgian government issues three types of eID:

1. eID for Belgian citizens (“eID“).
2. eID for Foreigners (“La carte pour étranger“).
3. eID for children (“Kids-ID“)

We will initially support the first two (citizens and foreigners). Given that children cannot sign contracts, we will incorporate “Kids-ID” in the future just for authentication (secure chats etc.). You can find up-to-date information on which certificates we support in our help section.

If you live in Belgium and still don’t have your eID, you can ask for one in the service area of your town or city or wait until they automatically issue you one sometime before the end of 2009. The price of your eID will depend on the area in which you live, generally between 10 or 15€. If you have an eID and want to use it with Tractis, you need a smart card reader (we will give you one for free) and to install the drivers for the Belgian eID on your computer.

Why Belgium?

As we have stated in previous posts, our objective for 2008 is international expansion in Europe. The reason why we have chosen to start in Belgium is that it is one of the countries that has pioneered e-IDs (electronic IDs). Belgium has 10.5m inhabitants and the majority now have e-IDs (more than 80% of the population in the three regions – Flandes, Valonia y Bruselas-Capital). In addition, there are a large number of applications and services that make use of digital signatures. They started the roll-out in September 2004 and now more than 7,000,000 people have an eID. The government plans to reach 8,000,000 in December 2009.

International Expansion: With your help

Belgium is the first country that we have launched in outside of Spain and marks the start of our international expansion. In the coming months, we willl start adding more than 30 countries. We are now working to incorporate certificates for Estonia, Portugal, Austria and others.

We would like to thank Rodolphe Cardon of Lichtbuer, Lieutenant d’aviation at Belgian Air Force and expert in digital signatures for his help in testing signatures with the Belgian eID.

Is Tractis not yet available in your country? Help us translate the interface to your language, investigate the legislation in your jurisdiction or perform tests with your preferred certificate. Your help in any of these areas would be very valuable for launching Tractis in your country. Contact us.

Right now there are more than 3 million and in 2008 it will reach 9 million.

The Spanish police force has just made public the fact that there are now more than 3m electronic ID cards in the country. The Electronic National Identity Document (eDNI) is the new identification document in Spain.

Official estimates suggest that there will be more than 5m eDNI cards by the end of 2008. Given that at the end of 2007 there were 2m, this suggests that 4m will be issued in 2008. Paco Ros, Secretary of State for Communications, and Salvador Soriano, Deputy Director General of Information Society Services were kind enough to meet us in February and confirmed to us that these predictions were deliberately ‘conservative’.

This graph uses data published by the Spanish police force (real and projected) and shows the evolution of the distribution of the DNIe. Each block represents half a million eDNI cards. You can see that from summer 2007 an average of 400,000 cards were issued every 45 days, 500,000 in February 2008 and, we understand that some 20,000 are now issued every day i.e. 600,000 a month. At this rate, 9m cards will have been issued by the end of this year.

In March, all police stations will issue only DNIe

Another interesting piece of information is that right now, 90% of police stations issue only DNIe and during the month of March, they expect to reach 100%. If this aim is achieved, in April it won’t be possible to get an old DNI. Therefore, they’re studying initiatives to encourage people to renew their DNI before it expires, at no cost to the citizen. On this map, you can find the nearest police station which will issue you an eDNI.

The adoption of all police stations along with the appointment system recently put in place should stabilise the demand and eliminate the long queues that people have suffered to get an eDNI. The government is waiting to resolve this capacity problem before increasing the budget for distributing the eDNI. Very soon promotional campaigns, free card readers with newspapers etc. will become commonplace. It seems a good time to start to think about making the most of this new and powerful infrastructure.

“Photo-telegraphy allowed any writing, signature or illustration to be sent faraway – every house was wired”

Jules Verne, Paris in the 20th Century, 1863

We are pleased to introduce Manuel José Lucena López as a new guest blogger in September. Manuel is a PhD in Information Technology from Jaén University (Spain), a recognized expert in cryptography and a regular collaborator in Kriptópolis. His book Criptografía y Seguridad en Computadores (a free electronic book under the Creative Commons license) is a classic in Spain, a reference book used in dozens of universities by thousands of students who take their first steps in this circle.

Manuel banked on Negonation from the start. In fact, he is one of the first negonators. In 2004, when the project was merely an abstract heap of ideas, we would meet on the first Saturday of each month in Madrid in a room given to us by the people at Biblioteca de las Indias Electrónicas. The collaborators came from all over Spain; Manuel came from Jaén each Saturday after a long train ride. Manuel now works in the X.509 certificate validation algorithm of our Validation Authority. A detailed mathematical task which suits him to a tee and whose result will be made into free software.

Without further ado, maestro, welcome to the blog. Post no. 50 is all yours…

Anyone who’s been to London will immediately recognize the famous warning sign in the underground stations whose aim is to remind us to mind the gap between the platform and wagons. In IT, there is something very similar: we have to manage in various planes and consider the gaps between them.

Every time we want to solve a problem using computers, we necessarily have to move in three different universes, each one with its own rules: firstly, there is the real world, the everyday world, which is where the problem usually arises; secondly, but no less important, is the abstract world, where the mathematical formalisms (usually algorithms) that help to build the necessary software lie; and finally, there is the world of electrons, cables, bits, memories, buses and other electronic components of the computer itself, which provides support to the algorithms while helping create representations of the problems and their corresponding solutions that are readable in the real world. For example, it is no use designing a very beautiful algorithm that is mathematically elegant and impeccable if the physical support where it must run – the computer – is unable to execute it in a practical way.

The digital signature is one of those applications in which those three planes interact in a more fascinating way and where, at the same time, the “gaps” between each plane are more evident. This would explain many of the difficulties experienced by several digital signature applications when reaching the general public.

When people sign a document in the traditional way, they produce a mark as a result of the interaction between the pen or fountain pen and the paper, and which responds to the biomechanical characteristics of their arm. Those characteristics can be analyzed by a graphologist in order to detect a forgery. But don’t let us fool ourselves: a signature can be forged. The thing is we know that the probability of achieving this is low, and we have learnt to accept that risk (like so many others), so we sleep at night without too many problems.

A digital signature has to be analyzed using the aforementioned three planes. In the mathematical plane, we can say that we have techniques that provide an extraordinarily high security level, so the risks at this level are practically zero. However, it gets complicated (very much so) if we want to build a “real” solution for the real world. In fact, when I digitally sign a document, in reality it is the computer that is making the calculations, and my role is limited to contributing some kind of proof (password, device, etc.) to accredit my identity. And the process of providing that proof, from the time it comes from me to the moment it is reflected in the appropriate sequence of bits inside the computer’s memory, can become a real minefield. Going through it in an absolutely secure way is practically impossible but I am convinced that, if done appropriately, the risks can be reduced to considerably lower levels than those present in the traditional signature.

The Tractis project has shown me the enormous importance of correctly minding all the gaps between the digital signature from a mathematical standpoint and the digital signature as an application for real world users. After listening to the team’s members, I realize the complexity of making things simple and useful for people. I don’t know if this adventure will be successful but I can safely say that, in pure Hollywood style, if anyone can achieve it, it is them.

Julian Inza debuts as one of our first guest bloggers. Julian is a recognized expert in digital signatures and security. He has an impressive CV which can be summarized as “he invented the digital signature sector in Spain”. In 1995, he designed Spain’s first Certification Authority and, subsequently, he’s been involved in nearly all the others (Banesto, FESTE, Camerfirma, etc.) directly or as an adviser. He was Senior Vicepresident of Mobipay International and a pioneer in nearly all electronic banking initiatives (virtual banking, virtual TPV, WAP banking, cyberstore [GPL license], SET Fácil, pre-paid virtual cards, etc.).

He is currently the General Manager of Albalia Interactiva, Coordinator of Foro de Evidencias Electrónicas and a Professor at Instituto de Empresa. He has his own blog, “Todo es electrónico,” and he likes Ska.

It’s been great working with him and with Fernando Pino of Albalia. It’s hard to imagine other people with more knowledge about digital signatures and, at the same time, who want to learn new things.

The 1999/93/EC Directive on Electronic Signatures states that, in the last 7 years, an electronic signature with certain requirements is equal to a handwritten signature but that, without those requirements, it also has legal effects.

Until now, all the systems implementation that accepted electronic signatures, especially those using transnational software, such as the Tax Authorities or any telematic registers of the Public Authorities, limited (illegally) the certificates that could be used in the electronic signatures to those issued by a few Certification Service Providers. That is to say, in addition to the few situations where digital signatures can be used, they are badly implemented.

I am proud to announce that Tractis is ending that situation and, to some extent, thanks to Fernando Pino and yours truly. Thanks to David Blanco for his confidence in Albalia Interactiva and the fact that he has enabled us to develop our ideas of what a correct electronic signature implementation should be like in this project.

Although ease of use is one of the Project’s essential factors, what is actually concealed is an infrastructure that implements concepts such as ES-C “Complete Signatures” that are defined in the TS 101 903 standard and automatic recognition of Certification Service Providers with total guarantee.

It’s not a trivial challenge. The European Commission’s Information Society Thematic Portal publishes the information to which article 11 of the Directive refers. According to that article, member States must indicate how to find all the Certification Service Providers that operate in their sphere. Until two months ago, Spanish data were not available, even though the Spanish Ministry of Industry, Tourism and Trade posted on its web site a list of CSPs which had notified their data, in accordance with Electronic Signature Law 50/2003.

Therefore, at this moment, Tractis is the solution in any category, accepted by more certification authorities, without being detrimental to the security level required of an information society’s service provider of this type. Moreover, the system is flexible and enables new providers to enter easily. It can even be extended to provide support to PGP-based firms if the parties recognize themselves in this identification mode, although this may not be the best consideration from a legal standpoint.

Including time information and validation in electronic signatures creates long-term digital proof which will be welcomed by users if they have to exercise their rights with Tractis’ trustworthy third-party services a long time after the signature of the contract and even in conventional disputes.

I can’t hide the fact that I’m proud to present the baby right now when the parents are about to give birth to it officially, at which time I will join the other “people in labor” at Negonation, wishing this innovating family all the best in raising their computer offspring.

In short, when guaranteeing our identity, the document’s integrity and our willingness to accept it, we are not much better than the illiterate muleteer. What can we do? I will personally start signing with an X from now on, to save on pens more than anything else.
For anyone who thinks that the example of the illiterate guy is obsolete in developed countries, I recommend looking at the bottom part of this US form.