Working Group for the Swedish eID Framework

Meeting minutes - 2019-09-25

Attendees

Martin Lindström, DIGG/IDsec Solutions
Stefan Santesson, DIGG/IDsec Solutions
Roger Fagerud, DIGG
Dragoljub Nešić, Verisec
Nina Tatomir, Verisec
Gunnar Klintberg, CGI
Andreas Wanberg, CGI
Emil Sunesson, Inera/CGI
Fredrik Engström, Inera/CGI
Roberth Lundin, Cybercom
Patrik Wallström, Nexus
Stefan Halén, Internetstiftelsen
Rasmus Larsson, Internetstiftelsen

Agenda/presentation

Agenda and presentation (in Swedish)

Below we include the contents for each slide in English (prefixed with "From the presentation").

Minutes

Suggested changes

PrincipalSelection extension

From the presentation:

SAML does not have a standardized way of passing a known identity along in an AuthnRequest.

Has been a problem for signing services.

Has led to different, less good, solutions.

A signature service does not want to prompt for the person identity number when the user signs (since he or she has most likely given this info at the time of logging in).

At this point: Most relevant for IdP:s that prompt for personal identity number.

SHOULD-requirement for IdP:s and not a MUST to be backwards compatible.

For future versions we should use MUST.

See presentation for SAML example.

Everyone agreed that there is a need to standardize this.

There is a draft published at https://docs.swedenconnect.se/technical-framework/updates/ELN-0614_-_Principal_Selection_in_SAML_Authentication_Requests.html.

Gunnar had a request that if an identity is passed using the PrincipalSelection extension the eIDAS node from a signature service, the eIDAS node should assert that the user-id (eIDAS ID) corresponds to the passed in identity before displaying the signature message. This is a good idea, but can be implemented in the eIDAS node without any changes being made to the technical framework.

Upgrade to the latest version of SAML2Int

From the presentation:

The new SAML2Int is available at: https://kantarainitiative.github.io/SAMLprofiles/saml2int.html.

Unfortunately it is a little bit too much "bleeding edge" ...

Subject Identifier Attributes (has little or no support in most implementations).

Removal of Subject NameID.

Usage of Scope elements.

Discussion: Should we build the next version of the technical framework upon this version and make explicit exceptions from what we don't want to use/request or should our specification be made "self-contained", meaning that explicitly mention all the requirements that we have?

It was decided that we refer only to new SAML2Int as being an "inspiration", but make our technical framework normatively detached from SAML2Int, meaning that every requirement should be expressed within our specification (with the exceptions of references to core specifications and profiles).

Distinct requirements concerning algorithm support

From the presentation:

We should look at section 2.3 of the new SAML2Int.

AES-GCM algorithms are not implemented by all deployments yet - AES-CBC should be the default for a while longer.

RSA 1.5 for key transport will be black-listed.

SHA-1 as digest in signatures will be black-listed.

IdP:s should support consuming <md:EncryptionMethod> from SP metadata. In these cases, the SP:s that want to receive, for example, messages encrypted using AES-GCM can announce it in metadata.

During the last year it has been clear that we need to document what should (and must) be supported concerning algorithms.

Everyone agrees that there is a need to clearly document what should be supported.

Editors note: We will probably add a MUST requirements for Identity Providers to support AES-GCM.

Uncertified LoA 3

From the presentation:

BankID is not audited and approved according to LoA 3. Nor are the IdP:s implementing BankID-authentication.

IdP:s within Sweden Connect implementing BankID support should use the dedicated uncertified-loa3 URI instead.

There are installations (outside of Sweden Connect) where loa3 URI:s are used by BankID and Telia IdP:s...

Support needed in SP and signature services needed ...

This is really an informational issue, where Martin asked everybody to not misuse loa3.

Entity categories for contracts

From the presentation:

All IdP:s within the Sweden Connect-federation are not available to every SP. For BankID (and Telia) IdP:s the use is controlled by business agreements and contracts.

The system of choice 2017 (Valfrihetssystem 2017) defines the contract entity category: http://id.swedenconnect.se/contract/sc/eid-choice-2017.

IdP:s within Sweden Connect, but not part of the System of choice 2017 (Valfrihetssystem 2017) should define their own (customer specific) URI:s. For example, Cybercom defines http://id.swedenconnect.se/contract/Cybercom/Pensionsmyndigheten/Leveransavtal-SYS-2015-71 that tells that Pensionsmyndigheten may use their IdP.

For a future central Discovery Service the use of there categories is essential to facilitate matching.

Informational item with no further discussion.

Updated BankID profile

From the presentation:

Rules for QR-code usage. Desired behaviour is declared by a SP using entity category in metadata - http://id.swedenconnect.se/general-ec/1.0/bankid/qr-code.

Rules for using PrincipalSelection.

Recommendations for auto-start logic.

Recommendations for cancel.

Questions were raised why we declared a specific QR-code entity category for BankID. Why not use a generic identifier that affects other IdP:s also?

Martin replied that for Freja, it is more or less their choice how they would like to offer authentication services, where for BankID we have a little bit of different scenario where there are several IdP:s, but most important, the number of users that have been accustomed of a specific way of logging on using BankID.

Anyway. We (Martin) could not really argue in favour of just specifying this for BankID. Therefore, we will make changes in the drafts so that we remove the specific entity category for BankID and introduce a corresponding URI that is generic.

See Issue 96 for more details.

When discussing BankID there were questions about why we publish a specific profile for BankID, but say nothing about how Telia eID should be implemented within the federation. The reason for this is that Telia isn't used much anymore, and we haven't had any requirements to specify anything for those IdP:s. However, if the need arises we will look into it.

Declared algorithm support

For the presentation:

SAML v2.0 Metadata Profile for Algorithm Support Version 1.0 should be followed.

<md:EncryptionMethod>, <alg:DigestMethod>, <alg:SigningMethod>.

Enables better interoperability concerning choice of algorithms.

If AES-GCM is supported, this should be declared using <md:EncryptionMethod> in metadata.

Informational item with no further discussion.

Samordningsnummer/Coordination number

From the presentation:

Not the be equated with a Swedish personal identity number (personnummer).

Has only meaning for the issuer of the number.

Does not fit into a national federation.

Informational item with no further discussion.

Certificate profile for SignRequest

From the presentation:

A signing certificate can be generated according to different certificate profiles.

We will define a number of profile identifiers.

Which profiles are of interest?

MUST or SHOULD?

We will prepare the protocol so that it is possible to request a specific certificate profile, but will not define any profile identifier at this point.

Transaction evidence in signing certificates

From the presentation:

https://github.com/swedenconnect/technical-framework/issues/69

Store transaction ID in AuthContext in the certificate

Store SAD-payload in AuthContext in the certificate

Informational item with no further discussion.

Other changes

From the presentation:

Updates of underlying references.

Name change. E-legitimationsnämnden to Sweden Connect.

Introduction document is now translated into English.

Informational item with no further discussion.

Other specifications and standards

From the presentation:

Normative specifications for signature services

Be a part of the technical framework?

Federation specific rules and requirements

Currently a bit hard to find at swedenconnect.se

Tie the trust framework (Tillitsramverket) more tightly together with the Swedish eID Framework (Tekniskt ramverk).

Is a CPS, alternatively a certificate policy, for the CA issuing signature certificates needed?

About the signature service specifications:

We all agreed that there is a need to take control of the normative specifications for signature services. As it is today, it is very hard to find the specifications, and they are in Swedish.

The working group suggests that all signature service specifications are written in English, and that it is developed and published from a GitHub repository. Should DIGG want to publish it from their own domain, this can also be accomplished.

The working group also suggests that there is a special working group that discusses, and leads, future development of the normative specifications.

About federation specific rules:

The working group agrees that there need to be a Sweden Connect Federation Policy in place. This policy would cover things that are not explicitly mentioned in the technical framework.

Currently we have some federation rules that can be found on swedenconnect.se, but we need to be more explicit on the matter.

Us a CPS/certificate policy needed for signature service CA:s?

Currently, a CA should follow the ETSI certificate policy. Stefan claimed that this is sufficient.

Other federations

From the presentation:

How does Sweden Connect relate to other Swedish federations?

Collaboration aiming to homogenize and to facilitate for integrators and product providers.

The working group discussed the matter and saw that the Swedish federations all are built upon the SAML WebSSO profile and "follows" SAML2Int. The differences are mainly:

Different attribute representations,
different trust frameworks and thus different authentication context URI:s,
the Swedish eID Framework has special purpose URI:s used during "authentication for signature".

We decided to try to involve each other in our respective work in order to understand, and hopefully make sure that our federations do not grow apart more that necessary. The aim should be that vendors should be able to have solutions that work for several federations.

Also, after the meeting Martin and Stefan discussed how we could solve the problems with the so called sigmessage URI:s used to indicate that a sign message has been displayed. See issue 95 for our suggestion.

When discussing the challenge that integrators and vendors face we came up the the proposal that there should be some sort of "Quality mark" that stands for "Compliant with Sweden Connect". We will bring this to DIGG.

The Technical Framework - Now and in the future

From the presentation:

Interoperability in practise - How do we improve?

Support when developing against the Technical Framework

Reference implementations

Cooperation

Workshops

Future ways of working

Mailing list?

More committers

Implementations in a common test environment (sandbox)

Gunnar raised one thing regarding taking part in the work of developing the specifications for the Technical Framework and the signature service. It is hard for integrators (that are often working as consultants) to convince their management that they should be allowed to spend time for this kind of work. He suggested that DIGG creates a "group" to which all participants pay a fee. Only members are this group are allowed to respond to tenders concerning signature services and eID-solutions. By taking part in the work for the Technical Framework the fee could be reduced.

The Technical Framework - Roadmap

From the presentation:

Support for LoA 4 in the federation

Requires "holder of key" or something corresponding.

LoA 1 & 2

Do we need to do anything in the Technical Framework?

Other attribute profiles

Get rid of sigmessage URI:s

Specifications for validation assertions and services

Common API:s for signature service support services (Stödtjänster)

OpenID Connect

Regarding "Getting rid of sigmessage URI:s", se issue 95. We will most likely include this is the coming version of the Technical Framework.

The work has started on "specifications for validation assertions and services". It will be done openly, and the specs and implementations will be published to GitHub.

The group discussed OpenID Connect, and there are use cases for OpenID Connect and signature services.