Ein wachsendes Bedürfnis nach einer digitalen Identität
Digitale Identität verstehen
Identity Owner (IO) |
• Owner and controller of a digital identity • Uses their digital identity to conveniently and securely identify themselves in digital transactions • Natural person (e.g. Alice or Bob) |
Identity provider (IdP) |
• Responsible for the provision of a digital identity • Verifies an individual’s identity and issues the corresponding digital credentials to ascertain their digital identity • Government agency (e.g. passport office) or government-recognised organisation (e.g. bank) |
Relying Party (RP) |
• Relies on a digital identity for onboarding of new customers and authentication of existing customers • Integrates digital identity in its operating model to improve the user experience and increase efficiency • Industry-agnostic role including businesses (e.g. online shops) and government agencies (e.g. tax offices) |
Broker |
• Ensures interoperability in the ecosystem and enhances privacy by preventing tracking actions across different roles • Intermediates the data flow between the Identity Provider and the Relying Party • Neutral organisation (e.g. infrastructure provider) |
Attribute Provider (AP) |
• Offers additional attributes that are not collected by the Identity Provider during registration • Additional attributes allow Relying Parties to accelerate their digital processes and offer more tailored services • Government agency (e.g. fedpol), state-affiliated company (e.g. Post) or private company (e.g. Telco) |
Service provider |
• Offers electronic trust services such as digital signatures • Electronic trust services allow providers to enhance and expand the interactions and services within the ecosystem • Private company (e.g. Telco) |
Core roles | Ecosystem-dependent roles |
Digitale Identität in der Schweiz: Wo stehen wir heute?
Entwurf eines Bundesgesetzes über elektronische Identifizierungsdienste (D-eID-Gesetz)
1 Identity Owner |
• Requirements for applying for an eID: (Art. 3) a. Swiss citizens with valid ID b. Foreigners with valid ID based on FNIA c. Foreigners whose identity can be proved in a special procedure |
• The eID is personal, non-transferrable (Art. 12) and voluntary (Art. 3) • A duty of care applies to the owner to prevent abuse (Art. 12) |
2 Identity Provider (IdP) |
• Issuing eIDs requires formal recognition from eID-Commission (EIDCOM) (Art. 13) • Identity Providers ensure interoperability of their eID solutions |
• Recognition is granted for three years (Art. 14) and requires meeting (operational) requirements such as such as skilled staff, data protection & security and reporting (Art. 15) |
3 Relying Party (RP) |
• Relying Parties need a contractual agreement with the Identity Provider to define security level as well as organisational and technical processes (Art. 20) |
• Relying Parties can use the eID registration number for identification (Art 21) • Relying Parties are required to accept any eID for the required security level (Art. 22) |
4 Role of the state |
Like in the physical world, the state assumes a pivotal role in the digital identity ecosystem: • The federal office police (fedpol) is responsible for identity verification, providing verified personal identification data to the Identity provider (Art. 6) and assigning the Identity Owner a unique eID registration number |
• The EIDCOM is responsible for the IdP recognition and publishing a list with all IdPs (Art. 25) as well as maintaining an information system to support their activities (Art .24) |
5 Security levels |
• 3 different security levels: Low, Substantial, High (Art.4) • Principal of downward compatibility (Art. 4): An eID issued with a higher security level can also be used, if a lower level is required |
• The security levels differ by the number of personal identification attributes (Art. 5) as well as the rules for issuance, usage and operation (Art. 6) |
6 Data protection |
In some aspects, the data protection provisions of the eID Act go beyond the Federal Act on Data Protection: • Processing of personal identification data is limited to the purpose of identification as long as the eID is valid (Art. 9) |
• The transfer of personal identification data is limited to the necessary minimum and requires consent (Art. 16) • Personal Identification data, usage data and other data have to be kept segregated (Art. 9) |
7 Lifecycle |
• An eID is issued by the Identity Provider together with an authentication mean after the fedpol has verified the applicant’s identity and assigned him an eID registration number (Art. 6) |
• An eID can be temporarily blocked by the IdP for example in the event of suspected fraud or loss of the password • The fedpol can revoke the eID registration number, if the eID is no longer used on a permanent basis |
8 Fees |
• The fedpol and the EIDCOM can charge fees on a pay-per-use basis for their provisions and services. The Federal Council specifies the fees in an ordinance and considers whether an IdP charges a fee for issuing an eID. (Art. 27) | • Queries regarding the validity of an eID are free of charge (Art. 27) |