Published on

Overview of Dutch eGovernment developments.

  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide


  1. 1. Struggling with eGovernment Nationaal Uitvoering Programma
  2. 2. Objectives <ul><li>… to illustrate IT development in a complex, federated environment </li></ul><ul><li>… to show how minimal agreements have been realized </li></ul><ul><li>… to identify missing parts </li></ul>
  3. 3. Federation implies agreement on minimal… <ul><li>Interoperability: </li></ul><ul><ul><li>Semantic interoperability </li></ul></ul><ul><ul><ul><li>shared semantics for an application area like government </li></ul></ul></ul><ul><ul><ul><li>choreography between two organizations </li></ul></ul></ul><ul><ul><ul><li>dynamic chain configuration based on service composition and internal processes </li></ul></ul></ul><ul><ul><li>Technical interoperability </li></ul></ul><ul><ul><ul><li>syntax and envelope </li></ul></ul></ul><ul><ul><ul><li>transport protocols </li></ul></ul></ul><ul><li>Security and trust </li></ul><ul><ul><li>at three levels: </li></ul></ul><ul><ul><ul><li>transport level (SSL/TLS) </li></ul></ul></ul><ul><ul><ul><li>end-to-end security </li></ul></ul></ul><ul><ul><ul><li>application level security </li></ul></ul></ul><ul><ul><li>identity and identity management </li></ul></ul><ul><ul><li>delegation of authority </li></ul></ul><ul><ul><li>data privacy </li></ul></ul>
  4. 4. Agenda <ul><li>The challenge </li></ul><ul><li>Brief history – the basis for a common architecture </li></ul><ul><li>Stakeholders – governance issues </li></ul><ul><li>Government architecture: principles, standards and operation </li></ul><ul><li>NUP Components for local governments </li></ul><ul><li>Digikoppeling – interoperability for government </li></ul>
  5. 5. IT Governance in a dynamical changing political and technical environment is the challenge! <ul><li>Federation of autonomous organizations based on their responsibilities defined by laws and regulations (Thorbecke’s house - 1848) </li></ul><ul><ul><li>democracy (first and second chamber, government, municipality elections, etc.) </li></ul></ul><ul><ul><li>government organization with responsibilities of civil servants (departments, agencies, provinces, municipalities, waterboards) </li></ul></ul><ul><li>Thorbecke’s house implies a dilemma: </li></ul><ul><ul><li>policy makers have to deal with changes imposed by democracy, which is not stable for IT development taking years. </li></ul></ul><ul><ul><li>IT requires continuity: institutionalization with a strategy and governance </li></ul></ul><ul><li>The challenge is “to remain organized in an ever changing environment” </li></ul><ul><ul><li>keywords: change, flexible, agile, adaptable </li></ul></ul><ul><ul><li>there is not yet an agreed vision of IT </li></ul></ul><ul><ul><li>rapid changes imposed by laws need to be implemented rapidly. Is IT able to adapt rapidly? </li></ul></ul>
  6. 6. … to innovate government in an every changing environment….. government operation and structure technical innovation national politics cultural changes These forces have a relation with each other. <ul><li>individualization </li></ul><ul><li>globalization </li></ul><ul><li>IT as utility </li></ul><ul><li>efficient, agile (small) government with lower administrative burden </li></ul><ul><li>nationalization and privatization </li></ul><ul><li>changing laws and regulations </li></ul>global challenges <ul><li>safety and security </li></ul><ul><li>cyber warfare </li></ul><ul><li>environment </li></ul>
  7. 7. Technical innovation implies that IT is becoming the 5 th utility (‘cloud computing’) <ul><li>Architecture as an instrument based on new paradigms </li></ul><ul><ul><li>Service oriented architecture </li></ul></ul><ul><ul><li>Event Driven Architecture </li></ul></ul><ul><ul><li>Rule based process configuration </li></ul></ul><ul><ul><li>Cloud Computing: SaaS, PaaS, IaaS </li></ul></ul><ul><li>Future Internet: </li></ul><ul><ul><li>vital infrastructure </li></ul></ul><ul><ul><li>broadband </li></ul></ul><ul><ul><li>Internet of things (IPv6) </li></ul></ul><ul><ul><li>privacy, security </li></ul></ul><ul><ul><li>semantic interoperability </li></ul></ul><ul><li>Everything is ‘data’ – shift from processes to data: </li></ul><ul><ul><li>‘ unstructured’ content (multimedia) versus structured data </li></ul></ul><ul><ul><li>new search algorithms, new visualization paradigms </li></ul></ul><ul><li>Smart devices </li></ul><ul><li>Social computing </li></ul><ul><ul><li>co-creation (e.g. in crisis management) </li></ul></ul>
  8. 8. How did the government address these issues (history) <ul><li>2001 Min. BZK - ‘Andere overheid’ resulting in </li></ul><ul><ul><li>Stichting ICTU (ICT Uitvoeringsorganisatie) </li></ul></ul><ul><ul><li>OSOS – open source and open standards </li></ul></ul><ul><ul><li>Advies Overheid – open, transparant, no wrong door </li></ul></ul><ul><ul><li>SBG – Reference data </li></ul></ul><ul><ul><li>EGEM – eGov for municipalities </li></ul></ul><ul><ul><li>RYX (to DWR) </li></ul></ul><ul><ul><li>PKIOverheid – security infrastructure </li></ul></ul><ul><ul><li>others </li></ul></ul><ul><li>2003 establishment of eGovernment principles (‘Andere Overheid’) </li></ul><ul><li>2005  initiatives of government organizations </li></ul><ul><ul><li>Manifest Group (large agencies and municipalities) </li></ul></ul><ul><ul><li>GovUnited and Dimpact (eGov functionality for municipalities) </li></ul></ul><ul><li>2006  rapid increase of initiatives and change of naming, e.g. </li></ul><ul><ul><li>PIP – Personal Internet Portal (mygov) </li></ul></ul><ul><ul><li>eProv – eGov for provinces </li></ul></ul><ul><ul><li>Overheid Antwoord – KCC, Advies Overheid, Antwoord voor Bedrijven </li></ul></ul><ul><ul><li>RENOIR (includes architecture) </li></ul></ul><ul><ul><li>NOIV and BFS (was OSOS) </li></ul></ul><ul><ul><li>EGEM over to VNG (2010: KING) </li></ul></ul><ul><ul><li>SGGV – companies </li></ul></ul><ul><ul><li>GMV – delegation of rights (politic issues with DigiD) </li></ul></ul><ul><ul><li>etc. </li></ul></ul>
  9. 9. History - continued <ul><li>2006  raising GBO, now Logius – maintenance generic eGov components </li></ul><ul><ul><ul><ul><ul><li>DigiD </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>OTP </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>etc. </li></ul></ul></ul></ul></ul><ul><li>2008  establishing NUP (formerly National Urgency Program) </li></ul><ul><ul><ul><ul><ul><li>set of components for decentral governments </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>control: Min BZK DG DRI, coordination with VNG (and KING) </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>execution: ICTU/Renoir </li></ul></ul></ul></ul></ul><ul><li>2009  Digital Workspace Central Government (DWR – ‘anyplace’, ‘anytime’) </li></ul><ul><ul><ul><ul><ul><li>controlled by DG OBR of Min BZK </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>governed by the Central Government CIO (Hillenaar) </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Technical infrastructure </li></ul></ul></ul></ul></ul><ul><ul><ul><ul><ul><li>Common workspace for civil servants of the central government </li></ul></ul></ul></ul></ul><ul><li>2010 Evaluation of NUP (Doctors van Leeuwen) </li></ul><ul><li>2011 NUP should be completed and implemented end of BZK DG DRI future of ICTU? function of Logius? continuity? </li></ul>
  10. 10. Overview of current ICTU programs and projects in the context of NUP
  11. 11. Stakeholder initiatives by central government <ul><li>Min BZK is responsible for </li></ul><ul><ul><li>eGovernment implementation by local organizations (DG DRI - NUP) and central government (DG OBR)) </li></ul></ul><ul><ul><li>responsible for the GBA (persons) </li></ul></ul><ul><li>Min EZ is responsible for </li></ul><ul><ul><li>central register of companies (NHR) </li></ul></ul><ul><ul><li>decreasing administrative burden for companies </li></ul></ul><ul><ul><li>location policy related to EU Service Directive </li></ul></ul><ul><li>Min VROM is responsible for several initiatives supported by new laws </li></ul><ul><ul><li>a large number of registers (BAG - buildings, addresses, parcels (Cadastre)) </li></ul></ul><ul><ul><li>a new permit structure (‘omgevingsvergunning’, Wabo) </li></ul></ul><ul><ul><li>a new way of registering zoning plans (new Wro) </li></ul></ul><ul><li>Min LNV intends to improve its services to primary companies </li></ul><ul><ul><li>registration in NHR </li></ul></ul><ul><ul><li>delegation of rights </li></ul></ul><ul><ul><li>new service provision </li></ul></ul><ul><ul><li>increase food safety (VWA, with VROM). </li></ul></ul><ul><li>Min Fin is trying to reduce the administrative burden for companies </li></ul><ul><ul><li>Single Window, AEO, permits, etc. in cooperation with VWA </li></ul></ul><ul><ul><li>tax payments, electronic invoicing, business reporting (XBRL) </li></ul></ul><ul><li>Min VWS tries to govern changes in health care </li></ul><ul><ul><li>improve self assisted living (Wmo, Regelhulp) </li></ul></ul><ul><li>Min V&W: is initiating actions via RWS </li></ul><ul><ul><li>improve mobility (cargo and persons) </li></ul></ul><ul><ul><li>improve modal split (cargo) </li></ul></ul>
  12. 12. Stakeholders at agency level are faced by rapid changes due to policy decisions <ul><li>Agencies coordinate in the Manifest Group to meet these challenges </li></ul><ul><li>Basically investigating cost reduction for IT development </li></ul><ul><ul><li>to apply basic, stable registers for all types of laws </li></ul></ul><ul><ul><li>to re-use each others register data </li></ul></ul><ul><ul><li>to automatically relate law and IT support of that law </li></ul></ul><ul><ul><li>to apply AI type of technology for user interaction with these IT systems (e.g. INDIGO) </li></ul></ul><ul><ul><li>to become interoperable they have to agree on semantics </li></ul></ul><ul><li>Belastingdienst for instance is looking at </li></ul><ul><ul><li>automation of all types of tax declaration (‘vooringevuld’) </li></ul></ul><ul><ul><li>reduce the administrative burden and improve location policy by new technology (Single Window, SGGV, DigiPoort) </li></ul></ul>
  13. 13. Local governments are organized in different ways <ul><li>Municipalities (VNG/KING) </li></ul><ul><ul><li>point of contact for citizens and companies (cie. Jorritsma) </li></ul></ul><ul><ul><li>rapid increase of required functionality with less budget, support for implementing required changes (various laws like Wabo, Wmo, nWro, etc.) </li></ul></ul><ul><ul><li>Customer Contact Centers (KCC, ’14’) </li></ul></ul><ul><ul><li>shared services for small municipalities </li></ul></ul><ul><ul><li>combining forces for developing SaaS solutions (GovUnited) or mid office software (Dimpact) </li></ul></ul><ul><ul><li>improve interoperability (StUF – Standaard Uitwisseling Formaat) </li></ul></ul><ul><li>Provinces (IPO) </li></ul><ul><ul><li>committed to use NUP </li></ul></ul><ul><ul><li>political pressure to reduce the number of provinces </li></ul></ul><ul><ul><li>contact with citizens/companies only for the larger once (environmental affairs) </li></ul></ul><ul><li>‘ Waterschappen’ (Waterschapshuis) </li></ul><ul><ul><li>under pressure for merging with provinces </li></ul></ul><ul><ul><li>centralized technology development for all Waterschappen </li></ul></ul>
  14. 14. Important developments at EU level <ul><li>European Interoperability Framework </li></ul><ul><ul><li>general principles for interoperability between government organizations </li></ul></ul><ul><ul><li>DG Enterprise and Industry - IDABC Unit, in collaboration with DG Internal Market and Services </li></ul></ul><ul><li>EU Service Directive </li></ul><ul><ul><li>one point of contact for companies within a Member State to another Member State </li></ul></ul><ul><ul><li>active by the end of 2009 </li></ul></ul><ul><ul><li>implemented as a portal ( </li></ul></ul><ul><li>EU funded programs: </li></ul><ul><ul><li>STORK – identity management ( </li></ul></ul><ul><ul><li>PEPPOL – electronic procurement ( http:// / ) </li></ul></ul><ul><ul><li>SPOCS – Single Point of Contact ( www. eu - spocs . eu ) </li></ul></ul><ul><li>… and several other initiatives, e.g. in global trade (Single Window) </li></ul>
  15. 15. A reminder government operation and structure technical innovation national politics cultural changes global challenges <ul><li>5 th utility </li></ul><ul><li>architecture </li></ul><ul><li>future internet </li></ul><ul><li>data orientation </li></ul><ul><li>smart devices </li></ul><ul><li>social computing </li></ul>
  16. 16. Architecture was the first to consider with the objective to coordinate projects and IT changes - NORA <ul><li>2006 – NORA version 1: </li></ul><ul><ul><li>213 pages describe the architecture </li></ul></ul><ul><ul><li>identification of components: </li></ul></ul><ul><ul><ul><li>multi channeling for public services </li></ul></ul></ul><ul><ul><ul><li>single point of entry – , personal internet page </li></ul></ul></ul><ul><ul><ul><li>identification numbers – BSN - PKI and eNIK (electronic identity card) </li></ul></ul></ul><ul><ul><ul><li>eforms </li></ul></ul></ul><ul><li>2007 – NORA version 2: </li></ul><ul><ul><li>283 pages </li></ul></ul><ul><ul><li>changes: </li></ul></ul><ul><ul><ul><li>embedding in governance structure </li></ul></ul></ul><ul><ul><ul><li>actualization of components </li></ul></ul></ul><ul><ul><ul><li>improve explanations </li></ul></ul></ul><ul><li>2009 – NORA version 3: </li></ul><ul><ul><li>shift from individual government architecture with SOA to interoperability </li></ul></ul><ul><ul><li>ten basic principles that closely reflect NUP, supported by derived principles (2010) </li></ul></ul>
  17. 17. NORA was applied further at various governmental levels. <ul><li>Central Government – MARIJ (resulting in departmental architectures like DIVA – DoD) </li></ul><ul><li>Provinces - PETRA </li></ul><ul><li>Municipalities – GEMMA </li></ul><ul><li>Waterboards - WILMA </li></ul>
  18. 18. NORA - overview
  19. 19. 10-NORA principles (political correct): <ul><li>Apply generic components and standards </li></ul><ul><li>Re-use of data already known by governments </li></ul><ul><li>Assure data privacy </li></ul><ul><li>Transparency (data, process, and lead times) </li></ul><ul><li>Improve public service delivery by re-use of customer data </li></ul><ul><li>Demand driven service delivery </li></ul><ul><li>Inclusion supported by multi channeling </li></ul><ul><li>Pro-active service delivery </li></ul><ul><li>Define Quality of Service </li></ul><ul><li>High precision and recall of public services </li></ul>
  20. 20. Core is the definition of ‘Public Service’ (NORA 3.0) <ul><li>A public service relates to the execution of a public task </li></ul><ul><li>Any type: </li></ul><ul><ul><li>services offered to citizens and companies (permit, funding, passport, etc.) </li></ul></ul><ul><ul><li>policy services (organizing election, defining laws, etc.) </li></ul></ul><ul><li>All services supplied by government: </li></ul><ul><ul><li>municipalities, provinces, departments, etc. </li></ul></ul><ul><ul><li>agencies, health care, educational services </li></ul></ul><ul><li>All types of end-users: </li></ul><ul><ul><li>citizens and companies </li></ul></ul><ul><ul><li>other governmental organizations </li></ul></ul>
  21. 21. IT components are ….
  22. 22. .. and an architectural blueprint for a government organization mid office back office front office Digi-kop-peling
  23. 23. Another picture shows more detail (municipalities)
  24. 24. Why a mid office? Difference with ESBs? <ul><li>Basically issue: </li></ul><ul><ul><li>back office systems are ‘closed’ systems supporting civil servants </li></ul></ul><ul><ul><li>back office systems are not constantly available (no 24x7) </li></ul></ul><ul><ul><li>data is copied to mid office </li></ul></ul><ul><li>Mid office functionality: </li></ul><ul><ul><li>business processes support, workflow aligned with business processes in back offices </li></ul></ul><ul><ul><li>service orchestration </li></ul></ul><ul><ul><li>adapters to back office systems </li></ul></ul><ul><ul><li>various data storage functionality: </li></ul></ul><ul><ul><ul><li>document management </li></ul></ul></ul><ul><ul><ul><li>geodata </li></ul></ul></ul><ul><ul><ul><li>product management </li></ul></ul></ul><ul><ul><ul><li>temporary data storage </li></ul></ul></ul><ul><ul><ul><li>case management (‘zaaksysteem’) </li></ul></ul></ul>
  25. 25. … so we have SOA, but now we have to consider new IT innovations … <ul><li>Can government make use of cloud computing or are shared service centers the optimal solution? Governance of cloud computing differs from shared service center governance </li></ul><ul><li>Can government operate as a platform to citizens and companies (GaaP)? </li></ul><ul><li>How to deal with social computing for e-participation? </li></ul><ul><li>Can we use social computing in crisis management? </li></ul><ul><li>What can open linked data contribute to political/strategic objectives? </li></ul><ul><li>Is it possible to compare geographical approaches with administrative data? </li></ul><ul><li>What is the impact on governance by all innovations? What is the vision for the future? </li></ul><ul><li>These are addressed by: </li></ul><ul><ul><li>policy makers within departments </li></ul></ul><ul><ul><li>solution providers to increase the attractiveness of their solution </li></ul></ul><ul><ul><li>government organizations that want to increase their attractiveness to citizens, companies, tourists, etc. </li></ul></ul><ul><ul><li>universities and research institutes, research projects, etc. </li></ul></ul>
  26. 26. A vision depends on politics. A vision will give a focus for action. TIME GOAL Actions driven by strategy Where are we now? Silo’s Mission: Why are we here? Values: What are our enduring principles and beliefs? Vision: Where do we want to be in 2020? Strategy: How do we get there? Citizen society eGovernment Andere Overheid
  27. 27. What is influencing a citizens society? Citizens Society from government to governance Future Internet: to a data society Social Computing : self controlling networks of citizens and companies Economy : lessen administrative burden, economize Single Issue politics : democracy by social computing networks A free democracy for all is the basis (inclusion)
  28. 28. NORA does not consider such a vision, an IT strategy and governance to achieve these changes. <ul><li>Strategic principles – guiding principles for realizing a vision </li></ul><ul><li>Tactic standards define required actions for reaching these principles </li></ul><ul><li>Operational solutions – all projects and programs to fulfill the tactical standards </li></ul><ul><li>Currently: </li></ul><ul><li>Most discussion focuses on operational solutions. </li></ul><ul><li>Everyone agrees on strategic principles </li></ul><ul><li>The issue is development of an agreed vision of the future changes, based on for instance political decisions. </li></ul>
  29. 29. Strategic principles need to be formulated at policy level <ul><li>.. to increase the quality of service </li></ul><ul><li>.. to reduce the administrative burden </li></ul><ul><li>.. to operate transparent </li></ul><ul><li>.. to improve participation in democracy and governance </li></ul><ul><li>.. to include all persons (elderly, disabled, etc.) </li></ul><ul><li>.. to improve efficiency </li></ul><ul><li>.. to reduce internal costs </li></ul>
  30. 30. These principles can be transformed in various tactical standards implemented by operational solutions, e.g. <ul><li>single identification </li></ul><ul><ul><li>DigiD, Delegation of rights, </li></ul></ul><ul><li>data re-usability by government organizations </li></ul><ul><ul><li>basic registers (GBA, BAG, NHR) </li></ul></ul><ul><ul><li>Single Window for goods flows </li></ul></ul><ul><ul><li>requires identification and authentication </li></ul></ul><ul><ul><ul><li>DigiD for persons </li></ul></ul></ul><ul><ul><ul><li>Delegation of rights </li></ul></ul></ul><ul><ul><ul><li>Identification for companies (not yet solved) </li></ul></ul></ul><ul><li>transparency of operation </li></ul><ul><ul><li>open (linked) data – public available data (free or against reasonable costs; local initiatives) </li></ul></ul><ul><ul><li>sharing public services (SC) </li></ul></ul><ul><ul><li>service levels – transparency of process, including deadlines (no action) </li></ul></ul><ul><li>no wrong door - access </li></ul><ul><ul><li>Single Point of Contact for foreign companies </li></ul></ul><ul><ul><li> for persons </li></ul></ul><ul><ul><li>mijnoverheid for services and their status </li></ul></ul><ul><ul><li>DigiPoort for messaging with companies </li></ul></ul><ul><ul><li>examples of service composition, e.g. NewtoHolland, onderwijsenbijverdienen </li></ul></ul>
  31. 31. Federation requires interoperability, security and trust, but yet we always define new systems and solutions. <ul><li>Examples: </li></ul><ul><ul><li>departments: DWR </li></ul></ul><ul><ul><li>social security: DKD, Regelhulp </li></ul></ul><ul><ul><li>health care: LSP (Landelijk Schakel Punt) </li></ul></ul><ul><ul><li>permits: OmgevingsLoket </li></ul></ul><ul><ul><li>public transport: NDW, OVW </li></ul></ul><ul><ul><li>disclosure of common data (basisregisters): GOB </li></ul></ul><ul><ul><li>etc. </li></ul></ul><ul><li>Only technical components in NUP: </li></ul><ul><ul><li>DigiD, DigiD Machtigingen, eHerkenning voor Bedrijven </li></ul></ul><ul><ul><li>Digikoppeling (structure for standards) </li></ul></ul><ul><ul><li>Digimelding (application) </li></ul></ul><ul><ul><li>Gemeenschappelijke ontsluiting Basisregisters (application) </li></ul></ul><ul><li>Semantics is yet to be addressed </li></ul><ul><ul><li>many large projects fail (e.g. UWV-Belastingdienst) </li></ul></ul><ul><ul><li>huge development costs, different solutions that are not interoperable </li></ul></ul><ul><ul><li>several examples of inconsistency and incompleteness can be found at </li></ul></ul><ul><li>Security and trust are driven by politics (e.g. DigiD Machtigingen), without risk assessment </li></ul>
  32. 32. Agenda <ul><li>The challenge </li></ul><ul><li>Brief history – the basis for a common architecture </li></ul><ul><li>Stakeholders – governance issues </li></ul><ul><li>Government architecture: principles, standards and operation </li></ul><ul><li>NUP Components for local governments </li></ul><ul><li>Digikoppeling – interoperability for government </li></ul>
  33. 33. Agenda for interoperability in an open (federated) environment. <ul><li>Security and privacy </li></ul><ul><li>Interoperability </li></ul><ul><ul><li>technical standards (envelope: DigiKoppeling, data structuring: StUF) </li></ul></ul><ul><ul><li>semantics and choreography (StUF? SC?) </li></ul></ul>
  34. 34. Overview of NUP access, inclusion & transparency data re-use semantics? certificate unique identification technical standards (Digipoort not mentioned) stimulation new solutions and systems
  35. 35. Access, inclusion, and transparancy <ul><li>Webrichtlijnen: accessibility of web pages to all </li></ul><ul><li>Samenwerkende Catalogi: sharing references to public services </li></ul><ul><li>Antwoord voor Bedrijven: disclosure of all relevant government content to companies </li></ul><ul><li> personal internet page </li></ul><ul><li>Antwoord © : </li></ul><ul><ul><li>disclosure of all relevant government content to citizens </li></ul></ul><ul><ul><li>data transparency (metadata of web pages, based on Dublin Core) </li></ul></ul>
  36. 36. Basisregisters
  37. 37. Identification and authentication - DigiD <ul><li>Three security levels: </li></ul><ul><ul><li>basic: user name password </li></ul></ul><ul><ul><li>medium: user name, password, transaction code (via SMS) </li></ul></ul><ul><ul><li>high: identity card with PKI certificate </li></ul></ul><ul><li>Embedded in government portals </li></ul><ul><li>Returns BSN </li></ul><ul><li>Software solution: A-Select, open source software developed by Alfa&Ariss (Enschede) </li></ul>
  38. 38. A-Select infrastructure
  39. 39. Public Key Infrastructure for the Dutch government (PKIoverheid) - objective <ul><li>identification and authentication of customer of a service (person) or service itself </li></ul><ul><li>non-repudiation (active attack) </li></ul><ul><li>privacy, integrity and confidentiality (passive and active attack) </li></ul><ul><li>asymmetrical algorithms: private and public key </li></ul><ul><li>certificate: user data and public key encrypted by CSP (Certification Service Provider) </li></ul><ul><li>several CSP’s with a top level Policy Authority </li></ul>
  40. 40. Delegation of authority – DigiD Machtigingen <ul><li>Creation of a central store with authorizations </li></ul><ul><li>Only for Natural Persons (1) </li></ul><ul><li>Basic functionality like: </li></ul><ul><ul><li>create </li></ul></ul><ul><ul><li>activate </li></ul></ul><ul><ul><li>delete </li></ul></ul><ul><ul><li>retrieve </li></ul></ul><ul><ul><li>change </li></ul></ul><ul><ul><li>… </li></ul></ul><ul><li>Important issue: delegation is to support those that do not use public services over Internet </li></ul>NP NP RP RP authorizing entity authorized entity 1 2 3 4
  41. 41. Identification and authentication for companies – eHerkenning bedrijven NHR company delegated employee delegation register authentication server certification authority identification server service provider eHerkenning infrastructure Who requires to execute a service with a security level? person identification validate delegation government market
  42. 42. eHerkenning voor Bedrijven considers certificates for delegation of authority. <ul><li>applicable to 2, 3, and 4 </li></ul><ul><li>standards: SAML, XACML </li></ul>NP NP RP RP authorizing entity authorized entity 1 2 3 4
  43. 43. With respect to service provision by government, a person acts <ul><li>to meet his own goals (DigiD) </li></ul><ul><li>to meet the goals of another person based on delegation of authority </li></ul><ul><li>as an employee for a company with certain rights attached to his role </li></ul><ul><li>Role: rights applicable to more than one individual </li></ul>
  44. 44. Conceptually, we distinguish 4 components <ul><li>Mandate (MA): </li></ul><ul><ul><li>authorization: delegation of authority </li></ul></ul><ul><ul><li>features: authorizing entity, authorized entity, service </li></ul></ul><ul><ul><li>variations: one time use, period, more than one service </li></ul></ul><ul><ul><li>readable for everyone, can be a physical document </li></ul></ul><ul><li>Proof of Mandate (PMA) – statement of delegation: </li></ul><ul><ul><li>proof that delegation of authority is given by authorizing to authorized entity </li></ul></ul><ul><ul><li>tamper proof </li></ul></ul><ul><ul><li>certification authorities provide the Proof </li></ul></ul><ul><ul><li>refers to the certificate used for identification (DigiD, smart card, bank card, etc.) </li></ul></ul><ul><ul><li>contains the Mandate (MA) </li></ul></ul><ul><ul><li>chain of mandates possible </li></ul></ul><ul><li>Identity (ID): </li></ul><ul><ul><li>identifying data for a person (BSN or KvK-nr) or object (e.g. computer) </li></ul></ul><ul><li>Certificate (CERT): </li></ul><ul><ul><li>official proof of identity (e.g. DigiD for citizens) </li></ul></ul><ul><ul><li>provided by trusted organization </li></ul></ul><ul><li>Role : a mandate for particular services </li></ul>
  45. 45. Proof of Mandate (PMA) - technically <ul><li>Based on PKI: </li></ul><ul><ul><li>Mandate (MA) with reference to certification means for identity </li></ul></ul><ul><ul><li>enciphered by the public key of a service provider (P k SP ) </li></ul></ul><ul><ul><li>enciphered by the secret key of the certification authority providing the Proof of Mandate (S k CA ) </li></ul></ul><ul><li>Public key of service provider can be a generic key for all public services to support service of more than one government organization </li></ul>PMA=S k CA {P k SP {MA}}
  46. 46. Application – two scenario’s: <ul><li>Interactive, web access to public services </li></ul><ul><li>Exchange of business documents (permit requests, tax declarations, etc.) </li></ul>
  47. 47. First scenario – interactive web access to services <ul><li>An individual represents another individual: </li></ul><ul><ul><li>offer Proof of Mandate (PMA) </li></ul></ul><ul><ul><li>in case the PMA contains and identity, a certificate (CERT) for authentication needs to be provided; the PMA contains the type of certification that needs to be provided </li></ul></ul><ul><ul><li>example: if BSN is given, DigiD is the certificate </li></ul></ul><ul><ul><li>a PMA or CERT can be provide before actually activating the service or is provided to validate for execution of the service </li></ul></ul><ul><li>An individual acts for its own purposes </li></ul><ul><ul><li>DigiD is currently the certificate, no PMA required </li></ul></ul>
  48. 48. Variations for message exchange: <ul><li>Exchange of business data in an envelope (current situation </li></ul><ul><li>Secure connection </li></ul><ul><li>A company (RP) is authorized to operate on behalf of an individual (NP) </li></ul><ul><li>There is a legal footing to authenticate the identity of an employee (em) acting on behalf of a company </li></ul><ul><li>There is a legal footprint to authenticate the identity of an employee that is authorized to execute a service delegated by a person to his employer. </li></ul>envelope(business data) https(envelope(business data)) envelope(business data, PMA NP,RP ) envelope(business data,PMA RP,em ,CERT em ) envelop(business data, PMA NP,rP ,PMA RP,em ,CERT em ) RP Service Provider https(envelope(business data(, PMA*(,CERT))))
  49. 49. A basic question would be: how do we use this mechanism? <ul><li>Delegation is already arranged in many application areas: </li></ul><ul><li>Goods flows via ports/airports: </li></ul><ul><ul><li>permits </li></ul></ul><ul><ul><li>authorized traders, known traders, etc. </li></ul></ul><ul><ul><li>risk analysis </li></ul></ul><ul><li>Administration for SME and ZZP: </li></ul><ul><ul><li>tax declarations </li></ul></ul><ul><li>Risk analysis is required to establish the mechanism to be used. </li></ul><ul><li>Agreement on concepts and structure like ‘Proof of Mandate’ ‘Certificate’ are required. </li></ul>
  50. 50. Data privacy can be governed by agreements <ul><li>Besluit Voorschrift informatiebeveiliging rijksoverheid (VIR2007) </li></ul><ul><ul><li>different access levels, e.g. access only when proof of Mandate can be provided (limited access), highly secure, etc. </li></ul></ul><ul><li>VIR – Bijzondere informatie (VIRBI) </li></ul><ul><li>NIR – Normenkader Informatiebeveiliging Rijksweb </li></ul><ul><li>Access levels by means of roles (mandates) can be given to content </li></ul><ul><li>Disclosure of content only to those that can provide the proof that they have the mandate </li></ul><ul><li>Internal content: mandate linked to user name/password (what we normally call RBAC) </li></ul>
  51. 51. Digikoppeling – the technical issue of interoperability NORA identification and authentication Digikoppeling architecture envelope standards compliance service Service Registry Gateway ebMS WUS ebMS WUS
  52. 52. There are some organizational and technical issues. <ul><li>WUS – synchronous data exchange </li></ul><ul><li>ebMS – asynchronous messaging </li></ul><ul><li>WUS is widely accepted, used and supported by software. </li></ul><ul><li>WUS is not really applied by government applications: </li></ul><ul><ul><li>most are asynchronous </li></ul></ul><ul><ul><li>asynchronous use other standards (e.g. EDI, XBRL, XML Schema over http(s), etc.) </li></ul></ul><ul><li>ebMS: </li></ul><ul><ul><li>only applied by the department of legal affairs, but </li></ul></ul><ul><ul><li>they are also going to apply WSDL (WUS?) </li></ul></ul><ul><ul><li>worldwide limited number of implementations (most EDI) </li></ul></ul><ul><ul><li>limited number of software providers support ebMS (e.g. Axway, Oracle) </li></ul></ul>
  53. 53. Digikoppeling and other open standards like StUF DigiKoppeling Data dictionair and definitions (RSGB) Flows and message structures (StUF)
  54. 54. Basically, Digikoppeling specifies the envelope and its elements. envelope application data
  55. 55. StUF framework of semantics of application data. This won’t work, consider education that has other standards for instance for accessibility of educational material, sharing student data, etc.
  56. 56. How to use Digikoppeling
  57. 57. Digikoppeling – WUS (WSDL, UDDI, SOAP) based on WS-I Basic Profile 1.1 <ul><li>Best effort: </li></ul><ul><li>synchronous messaging </li></ul><ul><li>no particular QoS (e.g. receipt acknowledgements, duplicate detection </li></ul><ul><li>End-to-end security, based on WS-Security </li></ul><ul><li>best effort </li></ul><ul><li>identification of service consumer and message encryption </li></ul>Optional    2W-be-SE Best effort unsigned Optional -   2W-be-S Best effort signed End-to-end security - Encrypted - Signed Optional  2W-be Best effort Attachments Point to point (TLS/SSL) Digikoppeling 2.0 WUS Transport characteristics Profile names
  58. 58. WUS standards WS-I BP 1.2 SOAP 1.1 binding for MTOM 1.0 WS-I BP 1.2 WS-Addressing metadata WS-I Basic Security Profile 1.0 WS-Security 1.0 WS-I Basic Security Profile 1.0 SSL 3.0 PKI Overheid 1.1 Internet X.509 PKI and CRL profile (RFC3280) WS-I BP 1.1 HTTP over TLS (RFC2818) WS-I BP 1.1 TLS 1.0 (RFC2246) WS-I BP 1.1 XML schema (structures and data types WS-I BP 1.1 XML 1.0 (second edition) WS-I BP 1.1 WSDL 1.1 WS-I BP 1.1 SOAP 1.1 WS-I BP 1.1 HTTP 1.1 (RFC2616 Based on Standards
  59. 59. Examples of envelope elements <ul><li>wsa:To intended receiver (destination) and </li></ul><ul><li>reply endpoint (intended receiver to reply) </li></ul><ul><li>wsa:Action semantics of message (message type) </li></ul><ul><li>wsa:MessageID unique id. of message </li></ul><ul><li>wsa:RelatesTo message is relates to other with mess. id. </li></ul><ul><li>wsa:ReplyTo </li></ul>
  60. 61. ebMS is een end-to-end messaging protocol tussen één of meer toepassingen van twee organisaties. toepassing toepassing messaging stack (Message Handler) messaging stack (Message Handler) gateway transport transport messaging protocol application application business transactions (BPSS or otherwise) organisation A organisation B control data for internal routing interface interface
  61. 62. Functionality of ebMS; each of these components adds elements to the envelope. SOAP processing Header processing Header parsing Message Packaging Security Services Reliable Messaging Service Error Handling Transport Interface Message Service Interface
  62. 63. There is some specific functionality that is not in WUS or related standards
  63. 64. ebMS also has a number of profiles in Digikoppeling. It is applied for asynchronous messaging. Optional     osb-rm-e Reliable - Encrypted Optional   n.a.  osb-be-e Best effort – Encrypted Optional -    osb-rm-s Reliable – Signed Optional -  n.a.  osb-be-s Best effort – Signed Optional - -   osb-rm Reliable Messaging Optional - - n.a.  osb-be Best effort Att. Encrypted Signed reliable TLS/SSL CPA creation OSB 1.0 & OSB 1.1 Transport Characteristics Profile names
  64. 65. Finally <ul><li>History </li></ul><ul><li>Architecture - NORA </li></ul><ul><li>NUP and two of its components: </li></ul><ul><ul><li>identification and authentication </li></ul></ul><ul><ul><li>Digikoppeling </li></ul></ul>
  65. 66. Wout Hofman Ph.D., M.Sc. TNO Information and Communication Technology Brasserplein 2 P.O. Box 5050 2600 GB Delft The Netherlands T +31 15 285 71 29 M +31 6 224 998 90 F +31 15 285 73 49 [email_address]
  66. 67. Extra – defining semantics <ul><li>Starting point: independent of technical solutions (Digikoppeling, StUF, etc.) </li></ul><ul><li>Important aspects: </li></ul><ul><ul><li>mediation: dialogue between customer and service provider with the object to reach a goal </li></ul></ul><ul><ul><li>execution: choreography of interactions in which the goal is reached </li></ul></ul><ul><ul><li>based on government service delivery processes </li></ul></ul><ul><li>Solutions: </li></ul><ul><ul><li>government as Abstract State Machine </li></ul></ul><ul><ul><li>semantics based on reference data (basisregisters) and modeled as ontology </li></ul></ul><ul><ul><li>state transitions: pre- and post-conditions </li></ul></ul><ul><ul><li>dynamic chains of state transitions based on goals </li></ul></ul><ul><li>Similar approaches: </li></ul><ul><ul><li>WSMO </li></ul></ul><ul><ul><li>OWL-S </li></ul></ul>
  67. 68. Service Delivery processes
  68. 69. An overview of concepts applied in a case Citizens and companies Life Events and themes Activity chaining Reference data Dynamic interaction models are based on chaining of post- and pre-conditons of activities A state transition exposed as public service to citizens and companies pre-condition post-condition Semantic model User requirement expressed as real world event user selection Formulating real world events in natural language Persons, buildings, addresses, income, etc. That which is (intended) to happen in the real world Event Activity Concepts, associations and rules representing the state of the real world as stored by government organizations Representation of pre-defined interaction models Guidance to available services. Dynamic Interaction Model Activity A Activity B Activity C
  69. 70. We take an architectural approach - Archimate. government/ public service Digikoppeling
  70. 71. A public or government service is at the center. Each group represents conceptually a system.
  71. 72. These systems are accessible by services supported by Digikoppeling. These services are implemented in pre- and post conditions and firing rules.
  72. 73. An example – pre-condition <ul><li>Exist : instances of concepts have values that are not restricted, e.g. a person has a drivers licence or not. Only the fact that an instance for a concept exists or not needs to be expressed. </li></ul><ul><li>Member : instances of a concept are member of instances of another concept, e.g. a location is in a region. Validation of this particular example might be by means of geographical coordinates of a location within those of a region. </li></ul><ul><li>Set : instances of concepts have values from a discrete of a set or a subset of that set, e.g. the gender of a person has to be known as male or female. </li></ul><ul><li>Range : instances of concepts are within a given range. The range is specified by its lower and upper boundaries or only an upper or a lower boundary. An example is income categorization for tax purposes. The lower and upper boundaries are of the same type as the type of the concept, e.g. if the concept is of data type ‘date and time’ with for instance a format ‘YYYYMMDDHHMM’, the lower and upper boundaries are expressed in the same type. </li></ul><ul><li>Derivation : it must be possible to express instances of derived concepts, e.g. a summation of instances like the total income of a person based on income from individual jobs. </li></ul><ul><li>Combinations of any of the above (‘AND’ and ‘OR’). </li></ul><ul><li>Each of these can be validated by a service (see before). </li></ul>