more on the french certificate idenum scheme

The French Minister of internet related affairs recently proposed a certificate based national identity scheme. She goes into more detail about her certificate identity project in a recent blog post.

In French:
  - http://nkm-blog.org/idenum%C2%A0-petites-mises-au-point/

In English using Google Translate:
  - http://bit.ly/b6c3NR

Nathalie Kosciusko-Morizet outlines her responses to internet based critiques (she is @nk_m on Twitter) in 4 main sections, which she looks into in more detail after pointing out that a number of other European countries use certificates (Austria, Norway and Italy are cited...)

OPENID
======

 + OpenID does help reduce password requirements, but nobody is guaranteeing the identity of the user.
  [ note: this is true of the use of foaf+ssl that we are putting it to, but of course it could be used also for IDeNum generated certificates. At the simplest level: if the WebID of the user is https://idenum.fr/ID123#hjs then knowing idenum.fr's policy for generating those IDs, and the legal backing it has, would be enough for a high level of trust to be placed in what the representation returned by that URI says. It would remain to formalize such content in a way so as to make this generalizable across countries perhaps, and similar institutions.
   Of course the French government is big enough that its clients do not need to use HTTPS dereferencing of WebIDs as we do in foaf+ssl. It will be well known enough that service providers will find it easy to add the Idenum certificate to their keychain, and trust the information given there.
]

 + as a result of course OpenID is not supported by banks and government institutions. [and it is not very secure of course, one could add]

 + many other countries are using certificates as identity online

 + The European Information Security Agency ENISA just published a report on international Electronic ID interoperability and does not mention OpenID but does mention these certificate schemes:     
	http://www.enisa.europa.eu/act/it/eid/xborderauth
   [ I have not read it yet ]

   These use standard technology and can be made interoperable. An EU project called STORK is looking into this. [ could use semweb technologies here ]

 + Some sites like Facebook are not interested in the real identity of users but just in their profiles. Sites like eBay on the other hand could find having an ID to be very helpful.


National Identity Card (CNIE)
=============================

There is another project regarding a national identity card called CNIE, which is a different project. CNIE can help you cross borders. Idénum just has information about your name, and a numeric ID. CNIE also uses the same technology [X509 I suppose] but only on an electronic card (bank card with a chip on it). Idénum will work on USB sticks, portable phones, and many more supports.

Privacy Issues
==============

There is very little info on these certificates. Your name and a number.

If a site wishes to exchange information collected on the user, this has to be an indispensable part of the service it is giving, and accepted by the user, as stipulated in the law on information and freedom from 1978.

Will everyone start requiring such certificates? Will people start requiring blog posters to use their ID? Studies have shown that this is not so, such as the study by Caroline Lancelot-Miltgen (rewarded by the CNIL, an organism of Computer Liberties in France). Such requests would frighten off customers.

[ and I suppose those profiles won't say very much about them: so it would be a lot more interesting for a blog to have a profile of me which tells them about my blog posts, my interests, my latests and the people I am currently following on Twitter. It is quite clear that this is not going to be something the government will want to start guaranteeing ]

Will this mean the state will know everything people are doing? No: The state will not be producing certificates itself. This will be delegated to a number of companies.

[ and I suppose that the advantage of certificates is that people can verify an identity without making a request to the certificate issuer ]

Also citizens can have more than one certificate from each of these companies.


Economic Models
===============

There will be a cost of getting these certificates. As opposed to OpenID, which does not require any verification and can therefore be free, certificates do require some identity verification, and therefore have a cost.

This cost need not be paid by the internaut, but can, as in Sweden, be paid by the service providers using these certificates.


Security
========

The security of the system will be determined by the National Agency of Information Systems security ANSSI. There is a double protection built into IDENUM, as it requires a certificate and a number.


Hope this helps,

	Henry



Social Web Architect
http://bblfish.net/

Received on Tuesday, 9 February 2010 06:45:33 UTC
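
Added example, not part of the message above and not taken from any IDéNum specification: it contrasts the two checks the bracketed notes describe, an offline check against an issuer key held in the relying party's keychain and a foaf+ssl style check that dereferences the WebID. The dict-based certificate, the function names, the toy RSA key and the example.org profile are assumptions made for illustration; proof that the client holds the private key (done by the TLS handshake) is taken as given.

```python
import hashlib

# Constructed toy issuer key: textbook RSA over two Mersenne primes, unpadded.
# Far too weak for real use; it only makes the offline check runnable here.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
ISSUER_N = P * Q
ISSUER_D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, issuer side only

def digest(cert, n):
    """Hash the signed fields (everything except the signature) into Z_n."""
    signed = "|".join([cert["issuer"], cert["webid"], cert["name"],
                       str(cert["subject_key"])])
    return int.from_bytes(hashlib.sha256(signed.encode()).digest(), "big") % n

def issue(webid, name, subject_key, issuer="idenum.fr"):
    """Issuer side (hypothetical): sign name, WebID and the subject's key."""
    cert = {"issuer": issuer, "webid": webid, "name": name,
            "subject_key": subject_key}
    cert["signature"] = pow(digest(cert, ISSUER_N), ISSUER_D, ISSUER_N)
    return cert

# Relying party's keychain: issuer name -> public key (n, e).
KEYCHAIN = {"idenum.fr": (ISSUER_N, E)}

def verify_with_keychain(cert, keychain=KEYCHAIN):
    """Offline check: only the locally stored issuer key is used."""
    key = keychain.get(cert["issuer"])
    if key is None:
        return False  # unknown issuer: nothing vouches for the name
    n, e = key
    return pow(cert["signature"], e, n) == digest(cert, n)

def verify_foaf_ssl(cert, fetch_profile):
    """foaf+ssl style: dereference the WebID, compare the published key.
    Shows control of the WebID, not a verified legal identity."""
    profile = fetch_profile(cert["webid"])
    return profile is not None and cert["subject_key"] in profile["keys"]

# Constructed sample data.
idenum_cert = issue("https://idenum.fr/ID123#hjs", "Jean Exemple", 0xC0FFEE)
self_cert = {"issuer": "self", "webid": "https://example.org/alice#me",
             "name": "Alice", "subject_key": 0xBEEF, "signature": 0}
PROFILES = {"https://example.org/alice#me": {"keys": [0xBEEF]}}

if __name__ == "__main__":
    print(verify_with_keychain(idenum_cert))
    print(verify_with_keychain(dict(idenum_cert, name="Mallory")))
    print(verify_with_keychain(self_cert), verify_foaf_ssl(self_cert, PROFILES.get))
```

The first check needs no network access and fails as soon as a signed field is altered; the second accepts a self-issued certificate but only binds the key to the WebID document.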