The issue of mandate/authorisation management (determining the rights and responsibilities of a specific entity) is closely linked to the issue of identification (determining who an entity is). This is most apparent in the representation of legal entities: any form of identity management targeted towards legal entities implicitly requires a form of mandate management, since legal entities by definition must be represented by a duly authorised natural person.
However, even outside the scope of the representation of legal entities, mandate management is a crucial issue. For the purposes of this section, we will examine which countries have integrated some form of mandate management into their eIDM policies, defined as the ability to grant and revoke the permission of an entity to perform a clearly defined legal action on behalf of another entity. This can include the representation of legal entities, the representation of tax payers by their accountants, or generally speaking any representation by a service provider of his/her client.
In the table below, we will also examine the broader topic of role management or authorisation management. This distinction has been made because a number of countries have installed specific eIDM systems for closed user groups, including doctors, lawyers, notaries public, civil servants of one or more departments, etc. These closed systems by definition entail a role management / authorisation component.
Thus, this section examines both mandate management (the ability to grant and withdraw specific mandates to specific entities), and authorisations in general.
All surveyed countries have been classified into one of three categories:
• None, i.e. no systematic form of mandate/authorisation management was reported to exist in that country;
• Ad hoc, i.e. a solution has been implemented for one or more application types, but no generic mandate management / authorisation solution exists;
• Systematic, i.e. a generic approach to the creation and revocation of mandates / authorisations has been implemented.
This leads us to the following overview:
Country | Status (Systematic / Ad hoc / None) | Description / Details
--- | --- | ---
Austria | Systematic | The Citizen Card concept allows signed XML structures to be stored on the card, which identify the mandate giver, the mandate holder and the terms of the mandate (which can be in free text form). How such mandates work in practice is a matter of implementation.
Belgium | Systematic (was: ad hoc) | For specific sectors (e.g. eHealth), Belgium uses a system of sector-specific service integrators which link specific mandates/authorisations to generic identification/authentication systems like the eID card. The service integrator determines the mandate/authorisation on the basis of authentic databases that it manages through a network of intermediaries (e.g. hospitals).
Bulgaria | None | The legal framework distinguishes between the author and the titular of a signature. For legal persons, a natural person can be chosen to be the author on behalf of a legal person, who is then the titular. Both fields are included in the certificates being used.
Croatia | None | N.A.
Cyprus | None | N.A.
Czech Republic | None | Limited systems are in place that allow a natural person to represent a legal entity, using a sufficient authentication mechanism for the natural person and conditional upon providing evidence that the natural person is authorised to represent the legal entity.
Denmark | Ad hoc | Authorisation must be done through the receiving application/service, not via the certificate itself. It is thus up to the service provider to develop authorisation systems if needed. These authorisation systems are typically based on the identity gained through certificate information and other external or internal registers.
Estonia | Ad hoc (was: none) | There is no generic system in place for handling mandates and authorisations. However, the corresponding information is available over the X-Road secure network from the relevant registries. It is possible to find out whether a person is the CEO of a company or a medical professional by querying the corresponding registry, provided that access to that registry is granted.
Finland | None | Limited systems are in place that allow a natural person to represent a legal entity, e.g. through the KATSO system.
France | None | N.A.
Germany | None | The S.A.F.E. (Secure Access to Federated E-Justice/E-Government) concept aims at the secure registration, authentication and authorisation, as well as the secure storage, of communication participants [30]. Implementation starts in 2009; production rollout in the area of E-Justice is scheduled for 2010.
Greece | None | N.A.
Hungary | None | N.A.
Iceland | Ad hoc | Authorisation must be done through the receiving application/service on an ad hoc basis. Employee certificates are available to natural persons in legal entities. In these certificates the legal entity is the subscriber but the employee is the holder of the certificate. The subject field in the certificates includes the ID number (SSN#) of both the legal entity and the employee.
Ireland | None | N.A.
Italy | None | N.A.
Latvia | None | The Electronic Declaration System (EDS) can be used both by natural and legal persons, which is an implied mandate system. See below.
Liechtenstein | None | N.A.
Lithuania | None | N.A.
Luxembourg | None | A few username/password systems allow a representative of a legal entity to be indicated, which is an implicit form of rudimentary mandate management.
Malta | Ad hoc | Limited systems are in place, e.g. mandates can be given to accountants and tax consultants to file online tax declarations. A more extensive system is planned for the future.
The Netherlands | None | N.A.
Norway | None | Limited systems are in place that allow a natural person to represent a legal entity, including through the Altinn platform.
Poland | None | N.A.
Portugal | Ad hoc | With regard to the representation of businesses, and in particular the issuance of commercial CA certificates, the practice adopted in Portugal (by Multicert, the major Portuguese certification service provider) is to require the presentation of legally valid and up-to-date company certificates. For some professions, such as lawyers and notaries, electronic authentication is made possible by the use of a digital certificate proving the professional status of the user, as will be further explained below. These certificates are issued within the scope of the Ordem dos Advogados (Lawyers Bar Association) and the Ordem dos Notários (Notaries Order).
Romania | None | N.A.
Slovakia | None | Limited systems are in place that allow a natural person to represent a legal entity, by identifying the capacity of the natural person in a specific PKI certificate.
Slovenia | Ad hoc | Limited systems are in place that allow a natural person to represent a legal entity, by identifying the capacity of the natural person in a specific PKI certificate. In addition, mandating systems are integrated within applications that allow other natural persons to represent legal persons.
Spain | Ad hoc | Limited systems are in place, e.g. the recognition of “collaborators” by the Tax Agency.
Sweden | Ad hoc | The framework agreements with the recognised eID issuers differentiate between several types of eIDs, including eIDs issued to groups, authority stamps and functions within a company, which is an implied form of mandate management. Another example is Swedish healthcare, which is building up a general mandate management system based on general public personal eID cards. The system is called SITHS (Secure IT for Health Services). A healthcare CA has been established for the country. Each hospital and clinic can act as an RA issuing secondary certificates to be stored on the cards. These secondary certificates can carry information on the holder's place in the organisation, mandates, etc.
Turkey | None | N.A.
United Kingdom | None | N.A.

[30] For details see: http://www.justiz.de/ERV/Grob-_und_Feinkonzept/Abstract_of_the_core_concepts.pdf
The results can be summarised as follows:
• 22 countries out of 32 (39%) have no form of mandate/authorisation management, other than the allocation of certificates or credentials to the representatives of a specific legal entity.
• 8 countries out of 32 (25%) have implemented an ad hoc form of mandate/authorisation management covering specific applications or service types, most typically by supporting PKI certificates issued to specific user groups (e.g. lawyers’ certificates, doctors’ certificates), or by establishing or leveraging ad hoc administrative databases that link generic identifiers to a legal capacity.
• Only two countries have implemented systems of mandate/authorisation management which can be characterised as systematic: the Austrian open approach to mandates, and the Belgian systematic approach to authorisations.
Austria has created a generic system of mandate management, relying on the central sourcePIN Register Authority. In this system, ‘Electronic mandates are XML records that hold the identifiers of both the constituent and the representative. The electronic mandate is signed by the sourcePIN Register Authority and stored in the citizen card of the representative. The scope of such mandates is specific and explicitly given in the mandate. It can thus also be a general power of attorney, if this is stated as such. The XML structure contains a field “Textual Description” which describes the scope of the mandate, which can take any arbitrary content (human readable), essentially in the same way that a conventional paper mandate does.
Depending on the complexity of this description and the context in which the mandate is being used, automatic recognition of such mandates may or may not be possible. An example of mandates that can be automatically recognised is power of procuration. With electronic mandates technical means to check its validity and to revoke mandates have been introduced.
This is provided by a service of the sourcePIN Register Authority that operates similar to and has been derived from the online certificate status protocol (OCSP).’ Thus, this system creates a true electronic equivalent of the traditional mandate.
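The lifecycle described above (a signed record naming constituent and representative, a free-text scope that may or may not be machine-recognisable, and an OCSP-like status check before the mandate is relied on) can be modelled in a few lines. The following Python sketch is an added example, not Austria's actual XML schema nor the sourcePIN Register Authority's software; the element names, the HMAC with a constructed key standing in for the authority's XML signature, the in-memory status service and the toy vocabulary of automatically recognisable scopes are all assumptions made for illustration.

```python
"""Illustrative electronic mandate: issue, verify signature, check revocation.

Added example; element names, the keyed-hash stand-in for the authority's
XML signature and the in-memory status service are constructed assumptions.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed demo key standing in for the signing key of the issuing authority.
AUTHORITY_KEY = b"constructed-demo-key-not-a-real-secret"
FIELDS = ("Constituent", "Representative", "TextualDescription")
# Toy controlled vocabulary: scopes an application can act on without human review.
AUTO_RECOGNISED_SCOPES = {"power of procuration"}


def _signature(mandate_id, fields):
    # Sign the identifier and the three fields; any change invalidates the record.
    msg = "\x1f".join([mandate_id] + [fields[f] for f in FIELDS]).encode("utf-8")
    return hmac.new(AUTHORITY_KEY, msg, hashlib.sha256).hexdigest()


def issue_mandate(mandate_id, constituent, representative, description):
    """Build the signed XML record the authority would store on the representative's card."""
    fields = {"Constituent": constituent, "Representative": representative,
              "TextualDescription": description}
    root = ET.Element("ElectronicMandate", {"id": mandate_id})
    mandate = ET.SubElement(root, "Mandate")
    for tag in FIELDS:
        ET.SubElement(mandate, tag).text = fields[tag]
    ET.SubElement(root, "Signature").text = _signature(mandate_id, fields)
    return ET.tostring(root, encoding="unicode")


class MandateStatusService:
    """Stand-in for the OCSP-like validity service: answers 'is this mandate revoked?'."""

    def __init__(self):
        self._revoked = set()

    def revoke(self, mandate_id):
        self._revoked.add(mandate_id)

    def is_revoked(self, mandate_id):
        return mandate_id in self._revoked


def verify_mandate(xml_text, status_service, claimed_representative=None):
    """Return (accepted, detail). Checks, in order: signature, revocation, and that the
    mandate is held by the person who authenticated (claimed_representative)."""
    root = ET.fromstring(xml_text)
    mandate_id = root.get("id") or ""
    mandate = root.find("Mandate")
    if mandate is None:
        return False, "malformed record"
    fields = {tag: mandate.findtext(tag) or "" for tag in FIELDS}
    if not hmac.compare_digest(_signature(mandate_id, fields), root.findtext("Signature") or ""):
        return False, "signature invalid"
    if status_service.is_revoked(mandate_id):
        return False, "mandate revoked"
    if claimed_representative is not None and fields["Representative"] != claimed_representative:
        return False, "mandate not held by this representative"
    return True, fields["TextualDescription"]


def scope_recognisable(description):
    """True when the free-text scope matches a controlled vocabulary the relying
    application understands; anything else needs human interpretation."""
    return description.strip().lower() in AUTO_RECOGNISED_SCOPES


if __name__ == "__main__":
    service = MandateStatusService()
    record = issue_mandate("M-1", "C-1001", "R-2002", "power of procuration")
    print(verify_mandate(record, service, claimed_representative="R-2002"))
    service.revoke("M-1")
    print(verify_mandate(record, service))
```

The order of checks matters for a relying party: the signature binds the two identifiers and the scope together, the status query catches a mandate the constituent has since withdrawn, and the final comparison prevents a card holder from presenting a mandate issued to someone else.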
The Belgian approach, in contrast, does not focus on such open mandates, but rather on a consistent approach to authorisations, based on the use of a Policy Enforcement Model [31]. The Policy Enforcement Model basically operates by distinguishing the functions of identification, authentication, the verification of attributes and mandates, and authorisation. In this model, generic identification tools (such as eID cards) are used to identify or authenticate users. A Policy Enforcement Point then determines which contact point (Policy Decision Point) should be consulted to determine whether the appropriate authorisation is available. The Policy Decision Point makes this decision by consulting an underlying database of authorisations, a so-called Policy Information Point. A Policy Information Point could be managed by any organisation authorised to do so, including public sector bodies (like social security organisations), but also e.g. professional bodies of doctors, lawyers, accountants, etc.
[Figure: graphical representation of the Policy Enforcement Model, taken from http://www.ksz-bcss.fgov.be/documentation/fr/documentation/Presse/Annexe_catalogue_services_base_metiers.pdf. In the figure, ‘Portaal’ means ‘Portal’, ‘Authentieke Bron’ means ‘Authentic source’ and ‘Mandaten’ means ‘Mandates’.]
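To make the division of labour in the Policy Enforcement Model concrete, the following Python sketch is an added example, not the Belgian platform's own code: a Policy Enforcement Point that only routes, Policy Decision Points that decide, and Policy Information Points run by different bodies (a tax agency holding accountant mandates, a professional order holding the physician attribute). The registries, identifiers, actions and resource prefixes are constructed assumptions.

```python
"""Illustrative Policy Enforcement Model: PEP -> PDP -> PIP.

Added example, not the Belgian platform's code. Registries, identifiers,
actions and routing rules are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    """What the PEP sees once a generic tool (e.g. an eID card) has authenticated the user."""
    subject: str        # authenticated natural person
    on_behalf_of: str   # entity represented; equals subject when acting for oneself
    action: str
    resource: str


class PolicyInformationPoint:
    """An authentic source of attributes and mandates, run by an authorised body
    (social security organisation, professional order, tax agency, ...)."""

    def __init__(self, name, mandates=(), attributes=None):
        self.name = name
        self._mandates = set(mandates)        # (holder, giver, action) triples
        self._attributes = attributes or {}   # subject -> set of attributes

    def has_mandate(self, holder, giver, action):
        return (holder, giver, action) in self._mandates

    def has_attribute(self, subject, attribute):
        return attribute in self._attributes.get(subject, set())


class PolicyDecisionPoint:
    """Decides a request by asking the PIP that is authoritative for the action."""

    def __init__(self, sources, required_attribute):
        self._sources = sources               # action -> authoritative PIP
        self._required = required_attribute   # action -> attribute the subject must hold

    def decide(self, req):
        pip = self._sources.get(req.action)
        if pip is None:
            return "deny", "no authoritative source for action %r" % req.action
        needed = self._required.get(req.action)
        if needed and not pip.has_attribute(req.subject, needed):
            return "deny", "%s lacks attribute %r according to %s" % (req.subject, needed, pip.name)
        if req.on_behalf_of != req.subject and not pip.has_mandate(
                req.subject, req.on_behalf_of, req.action):
            return "deny", "no mandate from %s to %s for %r in %s" % (
                req.on_behalf_of, req.subject, req.action, pip.name)
        return "permit", "per %s" % pip.name


class PolicyEnforcementPoint:
    """Front door of an application: selects the PDP responsible for the resource
    and enforces its answer; it never interprets mandate data itself."""

    def __init__(self, routing):
        self._routing = routing               # resource prefix -> PDP

    def handle(self, req):
        for prefix, pdp in self._routing.items():
            if req.resource.startswith(prefix):
                return pdp.decide(req)
        return "deny", "no decision point for resource %r" % req.resource


def build_demo_portal():
    """Constructed deployment: one tax PIP with an accountant's mandate for a company,
    one medical-order PIP asserting who is a physician, and a PDP per domain."""
    tax_pip = PolicyInformationPoint(
        "tax-agency", mandates=[("acct-17", "company-42", "file_tax_return")])
    medical_pip = PolicyInformationPoint(
        "order-of-physicians", attributes={"dr-5": {"physician"}})
    tax_pdp = PolicyDecisionPoint({"file_tax_return": tax_pip}, {})
    health_pdp = PolicyDecisionPoint(
        {"read_patient_record": medical_pip}, {"read_patient_record": "physician"})
    return PolicyEnforcementPoint({"tax/": tax_pdp, "health/": health_pdp})


if __name__ == "__main__":
    pep = build_demo_portal()
    for req in [
        Request("acct-17", "company-42", "file_tax_return", "tax/returns/2009"),
        Request("acct-17", "company-99", "file_tax_return", "tax/returns/2009"),
        Request("dr-5", "dr-5", "read_patient_record", "health/records/123"),
        Request("acct-17", "acct-17", "read_patient_record", "health/records/123"),
    ]:
        print(req.subject, req.action, pep.handle(req))
```

The point of the separation is that the application (the PEP) holds no authorisation data of its own: adding a new profession or a new mandate type means registering another PIP with the relevant PDP, while the eID-based identification step stays unchanged.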
It should be noted however that both the Austrian and Belgian systems are operational, but are only taken up to a limited extent in eGovernment applications at this stage.
In conclusion, despite the fact that mandate management is considered to be an important component of identity management as a whole, most surveyed countries have not yet made significant progress in this field.
[31] See http://www.ksz-bcss.fgov.be/documentation/fr/documentation/Presse/Annexe_catalogue_services_base_metiers.pdf for a description of this model.