Suscipe is a forum for entrepreneurs coorganized by the student associations in Spain of the London Business School, the Massachusetts Institute of Technology (MIT), and the Standford University, as well as by the Association of former interns of “la Caixa”, in collaboration with the Escuela Técnica Superior de Ingenieros Industriales de la Universidad Politécnica de Madrid.

The following is event’s program (pdf). The event is free of charge and you can attend only the parts you are interested in:

• 19:15: Innovative Project: Tractis
• 20:00: Special Guest: Angel Iglesias, founder of Ikusi, a Spanish company with over 700 employees present in more than 80 countries
• 21:15: Networking event

My presentation will be focused on the project itself, whereas Angel Iglesias will talk about his activity and entrepreneurial experience. The event will take place in the Escuela Técnica Superior de Ingenieros Industriales de Madrid, Room 3 (c/ José Gutierrez Abascal 2. Zona Paseo Castellana - Nuevos Ministerios).

Francisco Hernández, one of Suscipe’s coordinators, told me that 113 people have already confirmed their assistance, but there is still room for more. Whether you use Tractis or not, if you are starting your own project, or are interested in spending some time with people that want to make a difference, I will be happy to meet you in person.

The Glider Awards are the awards Negonation gives its most valuable collaborators. What’s new to this edition is that all awards have been decided by the Negonation staff (vs. collaborators votes in past editions). This comes in response to a strategy that we have been following since mid last year in order to decrease the number of collaborators and increase the intensity of the collaboration with a few.

The first winner, with an award of 1000 €, is José Luis Gordo Romero. José Gordo is a regular winner of these awards: he already received recognition in past editions and, this time, he’s won first place again, being the first collaborator in Tractis history who has received the title of Glider Hacker twice (the first time being in the first edition of the Awards). Over the past few months –actually, since the beginning of the project–José has been helping us on a regular basis with system administration, server configuration, server certificates, DNS administration, back-ups, etc. Working with him is a real pleasure. He is professional, competent, and honors all of his commitments. Tractis wouldn’t be the same without you, José!

The second Glider Award, also worth 1000 €, goes to Choan Gálvez. We met Choan through Diego Lafuente, our Creative Director. Choan is a true magician of javascript and the creator of Protomean–the contract editor used in Tractis. In addition to handling himself really well in the, poorly documented, javascript world, Choan is an enthusiast of short stories and board games.

Despite not receiving a prize in cash, a special mention goes to Tatiana Nubiola, our linguistic guru, guardian of the style guide and enthusiast of the Academy of the Spanish Language and its dictionaries. She is responsible for most of the English translations and copy choices you see in Tractis. This makes Tatiana the first collaborator awarded with a Glider that (1) is a woman, (2) lives abroad (NY State, for those of you who were wondering), and (3) doesn’t program a single line of code. Tatiana is proof that you don’t need to know how to program to be a hacker.

Congratulations to the winners!

PS I apologize for the late post, I promise to post sooner next time.

For the past year and a half, I’ve been translating the Negonation blog from Spanish to English so that you can read the thoughts and opinions of the Spanish contributors. After thinking long and hard, I recently came to the conclusion that I could no longer dedicate enough time and effort to do this job well, so this is my ‘goodbye’ post.

I’d like to thank David Blanco and the rest of the Negonation team for giving me the opportunity in the first place and for giving me the space to learn and mature as a translator. I have learnt a great deal about digital signatures, authentication and application design and development as well as vastly improved my Spanish. Thanks very much guys. I’ll definitely continue to follow the blog and wish you all the best of luck in the future.

Before I go, I’d like to share a few thoughts about translation. Firstly I have to confess: I am not a professional translator; I am a programmer. I also do not speak Spanish natively. So, when I initially took on the job of translating the Negonation blog, I thought the hardest part would be understanding the Spanish posts, and I was right; at least initially. But soon, my level of Spanish improved and I began to realise that the real problem of translation is one of representation.

What do you do when a Spanish sentence doesn’t have an exact translation to English? Do you translate word-for-word and stay true to the original content or do you stay true to the original meaning of the content? For example, in Spanish the construct ‘tanto X como y…’ means ‘both X and Y…’ in English, but the literal translation is ‘As much X as Y…’. Guess which one I used at the start?

What about if the original post contains something that you think is unclear or could be better expressed? Well, I think that you have to use your ‘artistic license’ here, but you have to use it very carefully because yes, you are making it clearer for the end user but you are also reducing the quality of the translation. People want to read what the original author wrote, not what you think he/she should have written.

It is not surprising that the posts I found most simple to translate were those that dealt with computing concepts. I knew the vocabulary in Spanish and I write IT documents on a frequent basis in English. By far the hardest were the posts that dealt with legal issues. Complicated issues, words I’ve never heard before in Spanish (and in some cases their English counterparts!) and (with all due respect to the authors), something in which I am less interested.

I hope that my mistakes along the way have not impeded your enjoyment of this blog and I hope that you have learnt as much as I have from each of the posts.

Thanks very much for following the blog.

Kevin McCormack

How it all started

When we first started out with Tractis, we had a start page similar to the one we have now. When I say similar, I mean that it had the same organisation of data as it has now: start session, tour etc.

At that time, Tractis was a closed project, only open to a group of beta testers who could invite anyone to join them. It was a start page a bit like a trailer of what would come later in August 2007. Our application, which was growing, had a darker look and feel than the current one and was the best we could do to invite people to discover Tractis back then, given that the number of DNIe (Spanish electronic ID) cards was low in Spain.

But later came the launch of the site in version 1.0. Tractis stopped being a beta, closed to the public and we began to offer the possibility of registration. We totally refactored the application; new sections, new conventions, new graphical style etc. We opened the application to everyone so that they could discover Tractis. We made the most of our knowledge, out standard way of programming so that Google would bring us an immense quantity of visitors who who register and use our application, mostly to share templates.
While the number of visitors rose considerably, it produced collateral damage which we identified: people began to think that Tractis was a site just for sharing templates. This is really untrue: we specialise in digital signature and, in addition, integration of digital signature and identity verification (authentication) services for third parties and if people only realise this by surprise, it doesn’t help us much.
Now that the DNIe is thriving, we wanted to promote the business tools we have so that Tractis didn’t end up as just a template creation tool. We designed a page with content functions for two concrete cases. This way we could transmit more information about the main function of Tractis to our new users in addition to other marvellous things: free smart card reader, API, new editor, digital signatures etc.

Production

We created many sketches with paper and pen. Later, the entire sketch is transferred to PDF with elements of our GUI kit and fantasy copy from the application used to give us a clear panorama.

The code was the hard part, but it was entertaining creating a new page. We use a pretty popular slider called Coda Slider. It saved us quite a few hours of development but we, of course, had to get our hands dirty getting the slider working with the usage schema we have for Tractis: use cases, different quantities of tabs per use case, colours, contents etc. The coding and deployment work lasted about a week.

Another important aspect to consider when we talk about design and programming is the copy. Many people, myself included, forget to comment that this essential part of the development makes the project much more solid and gives it form. In addition it’s something so vital for us that in each new development we try to make the most of good copy with the design and programming so that no one feels lost in the application. The new start page, in addition, needs this: a clear explanation as to what Tractis is, what it is used for and the advantages of using it.

The result

What you can appreciate today when you go to our address is a start page that has information produced exclusively for two types of users: those that are new to Tractis and habitual users. Each case has a set of information and tools.

The non-registered users can discover more about our main speciality: a tool to make and sign contracts online which remain valid in the off-line world, in addition to our interesting smart card reader promotion, registering with a single click, learning more about the Tractis API and more. Our main objective here is that people understand what Tractis is and that they register.

The habitual users of Tractis don’t need to see all of this so we give them a box to start a session quickly and we describe on screen all the cool things that we are developing so that our users turn into power users. We want our users to make the most of the application. Knowing the details of the API, using the reader, understanding our tariffs, collaborating with Tractis and future functional innovations in the application. Our main objective in this case is that the user can quickly start a session and learns in a relaxed manner the new things that the platform offers.

Your opinion

We continue to be open to your suggestions, actually, we urge you to send us more because without doubt they are really useful. We know that we cannot make 100% of the people happy but we’ll never reject one of your suggestions. It is vital for a company that their users give them suggestions, even the crazy ones. For us, your suggestions, your comments - whether from the blog or using the “feedback” link in the application - give us a great feeling.

Until the next announcement!

1. Smart cards issued by governments to identify their citizens (Electrionic Identification Cards: e-IDs).
2. Smart cards issued by banks to substitute magnetic strip cards (EMVs).

This third post describes the second type. We’ve analysed the situation in 31 european countries (EU-27 plus Liechtenstein, Iceland, Norway and Switzerland). This is what we’ve found:

In 2010, all European bank cards, some 590 million of them, will be smart cards (EMVs) with strong authentication and digital signature capabilities.

If you don’t believe us, read on:

European banks that plan to launch EMV smart cards

Short answer: all of them.

In 2000 the European Commission decided that to foster innovation (Lisbon Agenda) the single market must make it easier to move money around the EU. Specifically, cross-border payments should not cost more than domestic payments. In other words, you can use your bank card in another EU country and they won’t charge you any more commission to withdraw money as they do in your home country. This initiative is known as the Single Euro Payment Area or SEPA. The SEPA zone encompasses 31 european countries (EU-27 plus Liechtenstein, Iceland, Norway and Switzerland).

To make SEPA a reality, all the EU banks need to agree on the same standards and implement the same procedures to ensure interoperability at the moment of accepting a card. To give an example, a cash machine (ATM) in Austria should be capable of accepting and understanding a card issued by an Italian bank. Said and done: the standard was developed by Europay, Mastercard and Visa and they called it EMV (the initials of the three companies). EMV will mean that there will be no difference between national and transfers within Europe. EMV will make SEPA a reality - meaning cheaper payments and faster money transfers between countries in the eurozone.

The EMV standard is based on “Smart cards with a microprocessor chip” and this microprocessor chip is capable of storing not just financial applications (EMV) but also other types of application such as strong authentication and digital signature. As you can see, EMV cards are (or have the capability to be) similar in functionality to eID smart cards. The only difference is that they are issued by a bank instead of a government.

EMV deployment phases in Europe

The banks of these 31 countries are obliged by SEPA to migrate all their magnetic strip cards to EMV smart cards. They have from January 2008 to 31st December 2010 to do the migration.

Experts consider that most of these countries will have completed the migration to EMV by 2009, one year before the deadline:

• 2006: United Kingdom has already completed 90-100%. France 50-90%. Rest 10-50%.
• 2007: United Kingdom and France will have completed 90-100%. Rest 50% to 90%.
• 2008: All will have completed 90-100%, except for Germany, which will have completed 50-90%.
• 2009: All will have completed 90-100% of migration to EMV.

Conclusions

If you live in Europe, you will soon have an EMV smart card in your pocket.
Europe is the undisputed leader at global level in EMV deployment (since 2002 - see slides 3 and 5 of this presentation). Europe has more than 50% of the total number of smart cards in the world (of the 590 million smart cards worldwide, 300 million are in Europe). Europe has more smart cards than magnetic strip cards (of the 587 million bank cards in Europe, 300 million are smart cards). The obligations imposed by SEPA on European banks mean that Europe will increase this lead.

We’re not saying that all EMV cards will be capable of digital signature (like the majority of eID cards). We are saying that (1) if the banks want to use it, the technology is there and (2) many do plan on using it. In our conversations with the main card issuers in Spain, the majority have plans to incorporate signature certificates in the chips. The objective is that the client identifies his/her self and signs online with a card and the look and feel of the bank. Once the adverts start, it’s difficult to imagine the rest of the banks failing to offer the same functionality.

EMV around the world

Europe is not alone: Banks in various countries are migrating their magnetic strip cards to EMV smart cards (Turkey, Brazil, Taiwan, Japan, Malaysia etc.).

As of year-end 2006 there were 3 billion bank cards in circulation. Of these, between 515 (source: GIA Cartes Bancaires) and 590 million (source: Deutsche Bank) were microprocessor smart cards:

• Europe: 300 million smart cards.
• Asia/Pacific: 150 million smart cards.
• South America: 140 million smart cards.
• USA: Has no EMV-compliant cards and, as with e-ID cards, is reluctant to introduce them.

Given the benefits of smart cards, it is just a matter of time before banks around the world change from magnetic strip to smart cards. The growth potential in this sector lies in the prospective migration of the 2.5 billion magnetic strip cards in circulation. Deutsche Bank estimates smart card growth of 18% CAGR in the payments industry between 2006 and 2010. In 2006 430 million smart cards were sold - 12% penetration, with France and Germany leading the way. In 2007 544 million were expected to have been sold (34% attributable just to EMV migration). In 2010, 600 million smart cards are expected to be sold every year with 26% penetration.

By 2010 there will be 830 million EMV cards in Europe, Asia and Latin America.

Something is changing, don’t you think?

Next post (and the last in the series): “Smart cards in Europe: Conclusions”.

1. Smart Cards issued by governments in order to identify their citizens (”Electronic IDentification Cards” or “e-IDs”).
2. Smart Cards issued by banks to replace magnetic strip bank cards (”EMVs”).

This second post focus on the first case. We have analyzed the current status of e-ID implementations in 32 European countries, representing 565 million people (source: Eurostat). Our findings can be summarized as follows:

By 2010, 437 million people (82% of the European population) will live in countries with electronic ID cards (e-IDs).

If you don’t believe us, keep on reading:

Countries in Europe that already have an e-ID scheme

Ten countries, representing 153 million inhabitants (27% of the European population):

1. Spain (44,474,600): Spain started to introduce an e-ID sheme ( DNI electrónico ) in March 2006. As of November 2007 a total of 1,500,000 e-IDs had been issued. From December 2007 e-IDs will be issued throughout Spain. Projections are: 6.5 million e-IDs issued by December 2008 and 18 million by December 2009. Besides the electronic ID, Spain also has 14 commercial certification authorities (lawyers, notaries, registrars, regional governments, banks, etc.). See also physical description, demo and video of the DNIe.
2. Italy (58,751,711): Having completed two experimental phases in 2003 and 2004, Italy is currently deploying its Carta d’identità elettronica (CIE). By October 2005 2 million CIEs had been issued. The aim is to replace 40 million conventional ID cards by 2011 at a rate of 8 million per year. Apart from the CIE, Italy has 19 commercial certification authorities.
3. Portugal (10,569,600): Following the initial introduction of e-ID cards in February 2007, Portugal is preparing to start a full-scale rollout in 2008 and expects to issue 2 million Cartão de Cidadão per year. By July 2008 the new e-ID should be available throughout the country. Portugal also has 1 commercial certification authority.
4. Belgium (10,511,400): Belgium started deployment of its eID in September 2004. To date, 6,500,000 eIDs have been issued. Plans are to reach 8,000,000 by December 2009. Belgium has 2 commercial certification authorities. The Belgian government also issues e-IDs to minors and non-nationals.
5. Sweden (9,047,800): Sweden began to introduce its nationellt identitetskort in October 2005. So far, some 3,000,000 e-IDs have been issued (almost all in software format). Sweden is a special case in that e-IDs are not issued by the government but by authorized companies (banks, system integrators, etc.).
6. Austria (8,265,900): The rollout started in 2000 and is already complete. There are some 8,000,000 Bürgerkarte (citizen cards) in circulation. An original feature in this case is that there is no “one” type of e-ID: an e-ID can be stored in government-issued cards, bank cards or SIM cards.
7. Finland (5,255,580): The Finnish e-ID, or FINEID , like the Austrian one, can be stored in smart cards, bank cards or SIM cards. It was launched in 1999 but did not include an electronic signature until 2004. The Finnish government announced plans to issue around 135,000 FINEIDs by the end of 2007. Citizens who so wish may include their health insurance information in their FINEID.
8. Estonia (1,344,700): Estonia is probably the most advanced country in Europe in the adoption of electronic signatures by the general population. The Estonian ID-Card was launched in January 2002 and today is used by more than 1,000,000 citizens (almost 90% of the population). The Estonian government is working to create a Mobile-ID, so that the certificate can be stored in mobile devices.
9. Norway (4,770,000): Norway’s main commercial certification authorities are Telenor and the banks. Norwegians can obtain their e-ID from lottery offices, social security offices and banks. The certification authorities responsible for issuing certificates are ZebSign and BankID.
10. Iceland (307,700): The Icelandic government has reached an agreement with the banks under which all debit cards issued after the end of 2007 will incorporate government e-IDs.

Countries in Europe that are planning to launch e-IDs in 2008

Eight countries, representing 184 million inhabitants (32% of the European population):

1. Germany (82,438,000): Germany has declared on various occasions that it intends to deploy its Digital IDCard in 2008, which will include the ability to use pseudonyms online. Germany has 8 commercial certification authorities.
2. France (62,518,600): After various delays (to incorporate feedback from the public), France has stated its intention to put its Identité Nationale Electronique Sécurisée (INES) into effect in 2008. The plan is to include electronic signatures, although the first generation of cards may not have this functionality. France has 11 commercial certification authorities.
3. Netherlands (16,357,992): The Dutch DigiD service offers three levels of security: low (username & password), medium (SMS authentication) and high (on-card PKI). So far, 6 million citizens use low DigiD for authentication, while 2 million use medium DigiD. The high-security DigiD, known as eNIK , may be introduced in 2008. The Netherlands has 4 commercial certification authorities.
4. Hungary (10,076,600): Requirements and specifications for the development of the Hungarian e-ID, HUNEID, and its prototype implementation were published at the end of 2004. Introduction is expected in January 2008.
5. Bulgaria (7,679,200): Following the optimistic government announcement that issuance of e-IDs would start in 2007, the rollout is now expected to start in 2008. The Bulgarian Government owns 1 commercial certification authority, which is authorized to issue digital certificates to citizens.
6. Latvia (2,291,000): Following the passing of e-ID regulations by the Latvian Council of Ministers, the introduction of e-IDs is scheduled for 2008. Latvia has 1 commercial certification authority.
7. Slovenia (2,003,400): The Slovenian e-ID project was officially launched in February 2003 but was then suspended. A fresh start is expected in 2007-2008. Slovenia has 4 commercial certification authorities.
8. Malta (404,346): Malta is taking a four-pronged approach to the deployment of electronic IDs. The third phase started in 2007. All that remains is the fourth stage, which includes the issue of e-ID cards. Everything suggests this could happen in 2008.

Countries that are planning to launch e-ID schemes after 2008

Seven countries, representing 134 million inhabitants (23% of the European population):

1. United Kingdom (60,393,100): The National Identity Scheme is currently under development by the UK Identity and Passport Service (IPS). Its main goal is to introduce e-ID cards in the UK. Procurement of e-ID cards has already started and suppliers will be selected in May 2008. The first e-IDs are expected to be issued to British citizens in 2009 or 2010. The United Kingdom also has 4 commercial certification authorities.
2. Ireland (4,209,000): In June 2004 the Irish government established the framework for Public Service Cards(PSC), which will be used for authentication and electronic identification. Following Portugal’s example, the PSC will include a range of functions (social services, medical card, etc.).
3. Poland (38,518,241): Poland is studying the possibility of introducing an e-ID card, known as a Multifunctional Personal Document (MPD), to replace a variety of identity cards. Poland is aware of the need for an e-ID and is undecided whether to set up a new state-owned CA to issue MPDs or to delegate the role to commercial CAs. Changes in the law are needed. Poland has 4 commercial certification authorities.
4. Romania (21,610,200): Romania has started to work on e-IDs and biometric passports and has already issued an international invitation to tender for these projects. Romania has 5 commercial certification authorities.
5. Slovakia (5,389,100): The Slovakian government has plans to introduce e-IDs (called “BIFO”) and passports. Slovakia has 9 commercial certification authorities. Since March 2007, Slovakian citizens holding a digital certificate have had 1,000 “contact points” where they can sign electronically.
6. Lithuania (3,403,300): No e-IDs have been issued as yet, but the government is treating e-IDs as a priority. The Lithuanian e-ID will be multifunctional (government, health, loyalty programs, tickets, etc.). It is thought that it could be launched in 2009-2010. Lithuania has 1 commercial certification authority. To popularize electronic signatures, the government will issue 300,000 certificates to citizens completely free of charge before 2009.
7. Cyprus (766,414): The government of Cyprus has stated its intention to issue e-IDs but has provided no further information.

Countries that have no plans to launch e-ID schemes but that have commercial certification authorities

Three countries, representing 83 million inhabitants (14% of the European population):

1. Turkey (72,500,000): Turkey has 3 commercial certification authorities.
2. Czech Republic (10,251,790): The Czech Republic has 3 commercial certification authorities.
3. Luxembourg (480,222): Luxembourg has 1 commercial certification authority.

Countries that have no plans to launch e-ID schemes and no commercial certification authorities

Four countries, representing 21 million inhabitants (4% of the European population):

1. Greece (11,125,200): The Greek government has plans to create 5 government-owned certification authorities.
2. Denmark (5,427,400).
3. Croatia (4,442,803).
4. Liechtenstein (34,905).

Conclusion

In Europe, in terms of population:

• 27% of the population of the 32 European countries lives in a country that has an e-ID scheme (at varying stages of implementation).
• 32% lives in a country that is planning to launch e-IDs in 2008.
• 23% lives in a country that is planning to launch e-IDs after 2008.
• 14% lives in a country that has no plans to launch e-IDs but that does have commercial certification authorities.
• 4% lives in a country that has no plans to launch e-IDs and no commercial CAs.

Europe is not alone: Various countries have started issuing national identity cards in the form of e-ID smart cards (China, Qatar, Morocco, Thailand, Hong Kong, Oman, etc.). Some are planning to do so in the near future (Peru, Argentina, Brazil, Mexico, etc.). Others are considering the possibility (U.S.A., Russia, etc.). Although eID is a small segment of the overal smart card market, all the experts agree that it has the strongest growth prospects (21% CAGR) and is likely to grow dramatically over the next few years. Of all the emerging new applications of smart cards this is the largest market because the number of ID cards in circulation (worldwide, 1 in 2 people has an ID card, i.e. 3 trillion IDs) is much greater than the number of passports (1 in 10 people), transport cards (1 in 3), or driving licenses. According to the “Deutsche Bank Smart Cards report 2007″, e-ID smart cards in the “Other: Government ID, Passport, Health, Transport” category had 7% penetration worldwide in 2006. Projections are that an average of 400 million e-ID smart cards will be issued each year, reaching 17% penetration in 2010. If these projections are met:

In 2015, 84% of people with an ID will have an e-ID.

Something is changing, don’t you think?

Next post: Smart Cards in Europe: EMV Avalanche.

What is a smart card?

It is a card, similar to a credit card, that includes a chip/microcomputer capable of executing different types of applications including “authentication” and “digital signature”.

This is a smart card issued by the Portugese government:

This is a smart card issued by a Belgian bank:

This is a smart card issued by a German telecommunications firm:

The main idea: many different organizations in many different companies issue many different smart cards.

There are two types of smart card, depending on the type of chip:

• Smart card with memory chip: cheaper. Contain only non-volatile memory, perform a single function and don’t process data. Not capable of performing digital signature. Used predominantly in transport, PayTV, corporate security, pre-paid telephones, loyalty programs etc. This type of card is becoming obsolete. They represent 4% of the market (by value) and demand is increasing but only in single-digit figures.
• Smart card with microprocessor chip: more expensive. They are a type of mini-computer that includes processor, memory and an operating system on the chip. Can be single- or multi-application, in which case, the microprocessor is capable of running different applications, including authentication and digital signature. Predominately used in government (”e-IDs”), banking (”EMV”) and telecommunications (”SIM”), health etc. applications. Microprocessor cards represent the future of smart cards. They are applicable to a wide range of sectors, a large part of which are in the early phases of development. They represent 96% of the market (by value) and demand keeps rising.

Why should I care?

Because a smart card with a microprocessor chip allows strong authentication (verification of identity) and digital signature. Both (authentication and signature) are extremely powerful tools which will soon become ubiquitous. The massive deployment of smart cards with authentication and digital signature have the potential to change the way we interact on the Internet, do electronic commerce and how we deal with anonymity and privacy online.

And there’s more. Europe, for technological and legislative reasons, is at the centre of the tsunami:

1. Technology: Europe has (and will have) the highest concentration of smart cards capable of digital signature in the world. It’s not just that Europe has more than 50% of the smart cards in the world (300 million according to “Deutsche Bank Smart Cards report 2007″) but also that, as we’ll demonstrate in this series of posts, it is about to receive 1 billion smart cards with microprocessors issued by governments and banks.
2. Legislation: European directive 1999/93/CE on digital signature names “qualified digital signature” as the most advanced form of digital signature and gives it the same effect as a hand-written signature. For a digital signature to have “qualified” status, it should be generated by a “Secure Signature Creation Device” like, for example (you’ve guessed it) the chip on a smart card. And yes, you read that correctly - “the same effect as a hand-written signature”. So, the discussions as to whether the technology is secure or not are irrelevant. The law, by default, assumes that it is. If one of the parties denounces the signature, they bear the responsibility of proof i.e. they must demonstrate that the technology and processes used in the qualified digital signature were not secure (I’ll save you the suspense…no one is going to do this). A technology blessed by the law. Checkmate. End of discussion. We’ve studied 30 countries (the EU-27 plus Croatia, Turkey and Liechtenstein) and they’ve all implemented the directive. In summary, Europe enjoys uniform “qualified digital signature” legislation that gives the same power to digital signatures as hand-written ones.

The massive deployment of smart cards with digital signature backed up by the law promises great benefits (more agile relationships with government, secure electronic commerce, lower bank commissions…) but also serious implications for your rights and liberties as a citizen and consumer. Surprisingly, whether it’s for lack of knowledge, incredulity or voluntary blindness, this matter is not receiving the attention it deserves from the internet community.

We all know what happens when you don’t make a decision: reality decides for you.

Why is no one talking about this?

There are three reasons:

1. Whether we like it or not, the “conscience” of the internet, the A-list bloggers, the main thinkers and analysers of the net are in the USA. Whether we like it or not, europeans typically echo the movements, initiatives and debates that are generated in the USA and there they don’t know, understand or care what happens in Europe.
2. The majority of Europeans think that this is nothing new. Smart cards have been in circulation for years and nothing bad has happened. They don’t understand that they are thinking of smart cards with memory chips and not the microprocessor type. They look the same from the outside but inside they’re not.
3. Many people doubt that “digital signature” will be widely adopted. Digital signature and Public Key Infrastructure (PKI) have been around many years and nothing bad has happened. They don’t realise that it hasn’t worked until now for business not technological reasons. Before there was no business case: no company was willing to assume the cost of issuing digital signature cards to their employees, providers and clients. Now that the costs have fallen, European governments have decided to assume this responsibility and oblige the banks to do the same.

This time it’s serious. The ball is in our court.

Next post: “Smart cards in Europe: e-ID avalanche“.

I must Create a System, or be enslav’d by another Man’s;
I will not Reason and Compare: my business is to Create.

“Jerusalem: The Emanation of the Giant Albion“. William Blake.

Companies always have to choose between various options to reduce costs and maximise benefits. They must decide whether to rent or buy offices, to externalise or otherwise certain business functions: with outsourcing, offshoring and other strategies that, in the end, help develop the core competence of the company without submitting it to increases or decreases in the size of the workforce or property required according to demand.

In the IT field, such decisions are normally related to software development: the typical ‘do we do it in-house or externally?’ question. But it is not very common to apply similar strategies to other areas in the IT field.

In the area of IT infrastructure (where the company’s services run), such thoughts are often dismissed because the criticality of the applications leads to thoughts that it is not a good idea to delegate their operation, not even a small part of them, to a third party for fear of losing ‘total control’. Right now, and with increasing frequency - above all in the internet company sector - there is an increasing perception that it is not necessary for the company to develop its own infrastructure to run its applications. Some even decide that they don’t even need their own infrastructure to develop their core business.

If we translate the problem to a more common equivalent - when we flick a switch to turn on a light, we want illumination and we don’t really care where the electricity is produced, we simply want the thing to work. We don’t need a nuclear power station at home to light a bulb, but if we have a company and electricity is the key to developing our business, we will surely want to maintain the electricity supply in case of failure. In such cases it would be more practical to think of having multiple failover providers other than becoming our own provider.

Utility computing: IT like water or electricity

For years this thought has been shaped by the leading computer companies who want IT converted into just another commodity, such as electricity, gas or water, for client companies.

Currently certain components such as computation or storage are being commoditised to a sufficiently mature level that they can be used by companies in production environments, something which is important because it permits economies of scale in supply companies who can therefore offer a better service at a better price.

So, we could have our application running on virtual servers which we pay for according to usage, our backups or content to serve could be on remote storage servers, meaning that we would avoid spending on backup and storage devices (the cost of a good backup system can be significant). We could serve certain content by employing content delivery networks (giving the impression of having a data centre near the client) and bit by bit externalise certain infrastructure services to specialist providers reducing costs and improving the quality of service.
We could go even further and adapt certain components to be available such that they are provided by specialist 3rd party companies. This way we would avoid the development and maintenance costs, which in certain cases can be an important part of the budget for an application. We could optimise and externalise if it is not adding value to our application.

Digital signature on demand

Within this type of components ripe for being provided by specialised 3rd parties, we find public key and digital signature infrastructure, more and more vital in applications, above all in the internet world, but which are complex and are non-trivial to develop.

In this field, there is a tendency to use existing libraries in the product or install already developed products - open source or commercial - from third parties. The problem is that development, installation and maintenance of these types of solution is not very accessible.

They’re only within reach of companies that have huge budgets and, even in these cases, they often lack the know-how or don’t budget for maintenance and continuous improvement of the infrastructure. The result is deployments that don’t represent the total cost of ownership (TCO), quickly become obsolete, are deployed in a buggy state or even aren’t deployed at all.

The field of public key infrastructure was the first of the two to make a move and now today certain activities, such as the role of issuing certificates, is limited to a small group of specialist providers, given that it is an activity that requires an large amount of money and strength to put into production.

People are still waking up to the complexity of digital signature infrastructures and while very few consider developing their own certification agency, it is common to attempt to develop a digital signature authority (be it for creation, validation, signing or storage).

A good idea is to apply a similar criteria to that of certification agencies and delegate the digital signature services to a third party and therefore concentrate on developing our main business activity.

In fact, more and more public institutions and private companies in Spain are making use of third party platforms that offer public key and digital signature infrastructure services, opening a new IT market and reinforcing the idea that such critical jobs should be centralised to specialised providers who can take advantage of economies of scale to optimise cost and maximise the quality of the end product.

We believe that this is an important idea since the domains of public key infrastructure and digital signature should be something that companies can integrate in their applications without the need for large sums of money or effort as has been the case till now. We realise how complicated it can be to solve these problems because we too have been there and for this reason we decided to open our digital signature services and offer them as third-party services because in the Internet, security should be a commodity, not a luxury.

The Belgian “eID”

Now you can use your Belgian eID to sign in Tractis. The “eID” is equivalent to the Spanish electronic ID card (DNIe) i.e. it is a government-issued card that incorporates a chip with a certificate that permits authentication (verifying your identity) and fully legally-binding digital signatures.

The Belgian government issues three types of eID:

1. eID for Belgian citizens (”eID“).
2. eID for Foreigners (”La carte pour étranger“).
3. eID for children (”Kids-ID“)

We will initially support the first two (citizens and foreigners). Given that children cannot sign contracts, we will incorporate “Kids-ID” in the future just for authentication (secure chats etc.). You can find up-to-date information on which certificates we support in our help section.

If you live in Belgium and still don’t have your eID, you can ask for one in the service area of your town or city or wait until they automatically issue you one sometime before the end of 2009. The price of your eID will depend on the area in which you live, generally between 10 or 15€. If you have an eID and want to use it with Tractis, you need a smart card reader (we will give you one for free) and to install the drivers for the Belgian eID on your computer.

Why Belgium?

As we have stated in previous posts, our objective for 2008 is international expansion in Europe. The reason why we have chosen to start in Belgium is that it is one of the countries that has pioneered e-IDs (electronic IDs). Belgium has 10.5m inhabitants and the majority now have e-IDs (more than 80% of the population in the three regions - Flandes, Valonia y Bruselas-Capital). In addition, there are a large number of applications and services that make use of digital signatures. They started the roll-out in September 2004 and now more than 7,000,000 people have an eID. The government plans to reach 8,000,000 in December 2009.

International Expansion: With your help

Belgium is the first country that we have launched in outside of Spain and marks the start of our international expansion. In the coming months, we willl start adding more than 30 countries. We are now working to incorporate certificates for Estonia, Portugal, Austria and others.

We would like to thank Rodolphe Cardon of Lichtbuer, Lieutenant d’aviation at Belgian Air Force and expert in digital signatures for his help in testing signatures with the Belgian eID.

Is Tractis not yet available in your country? Help us translate the interface to your language, investigate the legislation in your jurisdiction or perform tests with your preferred certificate. Your help in any of these areas would be very valuable for launching Tractis in your country. Contact us.