
Re: German eID

From: Henry Story <henry.story@bblfish.net>
Date: Tue, 8 Feb 2011 13:07:03 +0100
Cc: nathan@webr3.org, WebID XG <public-xg-webid@w3.org>, Martin Gaedke <martin.gaedke@informatik.tu-chemnitz.de>
Message-Id: <B0BB7C84-414E-469E-9D7F-FFA287782820@bblfish.net>
To: Dirk-Willem van Gulik <Dirk-Willem.van.Gulik@BBC.co.uk>

So if I can try to summarise what I understand up to now. Please let me know where
I go wrong.

1- These systems use TLS/SSL to authenticate users
  => this is good because it means the key piece is compatible with WebID and is
   standard

2- They place the private key on hardware devices that do the crypto
  => so there is nothing here that is very different from the hardware security 
  devices we mentioned on the wiki such as the open source German Privacy Foundation key
  http://www.w3.org/wiki/Foaf%2Bssl/Clients#Hardware_security
  => these devices require drivers to communicate with keychain/browser

3. The government (or whatever agency) becomes a CA 
  + it signs the certificates that ship with the devices
  + it distributes the certificate to relying parties

4. Relying parties need to trust the keys
  + this means that any web site that wants to ask for server certificates needs the CA cert
  + presumably they use the SSL certificate_authorities field in the CERTIFICATE REQUEST message to filter out the certificates by the government CA
  => if all governments in the world wanted their citizens to communicate, this
   would make for a very long list of certificate_authorities
  => it is more likely that this will be quite limited in use

In any case if the above is the setup, then WebID can be retrofitted easily into the eID solution. This would then allow
  - much better browser experience (the browser could fetch info from the WebID Profile
    to adapt its look and feel)
  - linkability of profiles (could be useful)
  - perhaps a government IAN, where a foaf:Group of world governments can be published
    on the web for each server to use as a way of identifying these special certs and their
    meanings.

The German site seemed to suggest that this could also be used for verifying partial
identities like someone's age. I am not sure technically how that works with TLS. Are they using something else that we need to look into?

Question:
   - other EU countries are moving in the eID direction. Are these all based on the same standards?

On 8 Feb 2011, at 11:47, Dirk-Willem van Gulik wrote:

> On 8 Feb 2011, at 10:29, Nathan wrote:
> 
>> Henry Story wrote:
>>> <webr3> like the US too
>> 
>> http://www.nist.gov/nstic/
> 
> If you want to see (or play with it) - have a look at EJBCA.org - it will happily do software/file based certs/keys - so one can experiment quite a bit without needing much chipcard readers or HSM kit.
> 
>>> It would be interesting to see if browsers can interact with these cards, if they contain an X509 certificate, and if these could contain a WebID.
>> 
>> Firefox does to some degree, it's the most advanced crypto wise:
>> 
>> https://developer.mozilla.org/en/javascript_crypto
>> 
>> There is scope to get this "in to" all the browsers, because it simply needs spec'd properly, and it's one of the to-do (html wg or webapps) specs which needs an editor / written..
> 
> Keep in mind that a lot of the current chipcards, identity cards, ecards, tax-office cards and signing cards are pre-made by some issuer (e.g. the passport office or the chamber of commerce) rather than at home. So that means you just have the right PKCS#11 dll/.so installed which gets picked up by your browser. And even if there is a plugin (like *) they are just a thin stub (See http://nauseamedialis.org/belgian_eid_archlinux - the register.html page just tells your browser where the pkcs#11 middleware is - the rest is nothing to do with that - but pure mngt UI). And it is increasingly common to have that *html page & DLL sitting on the card as well - making that part appear as a FAT file system over USB.
> 
> I guess that what I am trying to say is that there is a whole class of pure end user cases which need a lot less from the browsers than the full manage-yourself case.
> 
> Dw
> 
> *: https://addons.mozilla.org/en-US/firefox/addon/belgium-eid/
> 

Social Web Architect
http://bblfish.net/
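Points 3 and 4 of the summary above (the government acting as CA, and a relying party admitting only certificates chained to that CA by what it lists in certificate_authorities) can be seen end to end in a few dozen lines of Go. The program below is an added example written for this archive page; it is not Henry's, the WebID XG's or any eID project's code. It assumes nothing beyond Go's standard library: the "Toy Government Root CA", the relying party name relying.example and the WebID https://alice.example/profile#me are all constructed for the demonstration, the card holder's key lives in memory rather than on a chip card, and the site's own server certificate is issued from the same toy CA purely for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/url"
	"time"
)

// mint generates a P-256 key and has parent sign template t for it; the zero tls.Certificate
// as parent gives a self-signed certificate. Leaf is set so the result can go into a CertPool.
func mint(t *x509.Certificate, parent tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	t.SerialNumber, _ = rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	t.NotBefore, t.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	parentCert, parentKey := parent.Leaf, parent.PrivateKey
	if parentKey == nil {
		parentCert, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// newCA mints a self-signed root standing in for the government CA (constructed test data).
func newCA(name string) (tls.Certificate, error) {
	return mint(&x509.Certificate{Subject: pkix.Name{CommonName: name}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}, tls.Certificate{})
}

// leaf has ca sign an end-entity certificate: a URI SAN carries the WebID (where WebID expects
// it); a DNS SAN makes the relying party's own server certificate (same toy CA, for brevity).
func leaf(ca tls.Certificate, eku x509.ExtKeyUsage, san string) (tls.Certificate, error) {
	t := &x509.Certificate{Subject: pkix.Name{CommonName: san},
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{eku}}
	if u, err := url.Parse(san); err == nil && u.Scheme != "" {
		t.URIs = []*url.URL{u}
	} else {
		t.DNSNames = []string{san}
	}
	return mint(t, ca)
}

// authenticate runs one handshake over loopback TCP and returns the WebID the relying party
// read from the verified client certificate. ClientCAs is both what Go advertises in the
// CertificateRequest's certificate_authorities field and the trust anchors for the client chain.
func authenticate(trusted *x509.CertPool, site, client tls.Certificate) (string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	defer ln.Close()
	webid, done := "", make(chan error, 1)
	go func() { // the relying party's side
		conn, err := ln.Accept()
		if err == nil {
			srv := tls.Server(conn, &tls.Config{Certificates: []tls.Certificate{site},
				ClientCAs: trusted, ClientAuth: tls.RequireAndVerifyClientCert})
			if err = srv.Handshake(); err == nil {
				// PeerCertificates[0] is the verified leaf; its URI SAN is the WebID.
				if uris := srv.ConnectionState().PeerCertificates[0].URIs; len(uris) > 0 {
					webid = uris[0].String()
				}
			}
			srv.Close()
		}
		done <- err
	}()
	// The client checks the site's certificate against the same anchors: no InsecureSkipVerify.
	if cli, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{Certificates: []tls.Certificate{client},
		RootCAs: trusted, ServerName: "relying.example"}); err == nil {
		cli.Close()
	}
	// The server's verdict is authoritative: under TLS 1.3 the client may finish first.
	err = <-done
	return webid, err
}

func main() {
	gov, _ := newCA("Toy Government Root CA")
	trusted := x509.NewCertPool()
	trusted.AddCert(gov.Leaf)
	site, _ := leaf(gov, x509.ExtKeyUsageServerAuth, "relying.example")
	citizen, _ := leaf(gov, x509.ExtKeyUsageClientAuth, "https://alice.example/profile#me")
	fmt.Println(authenticate(trusted, site, citizen))
}
```

Run it with `go run`: the handshake succeeds and the site comes away with the WebID from the SAN URI, with no profile fetch needed to know who signed the key. Mint a second root, issue the same WebID from it, and the handshake fails on the server side with an "unknown authority" error, which is exactly the filtering described in point 4. The pool handed to ClientCAs is also the list that goes out on the wire in certificate_authorities, so the "very long list" concern in the summary is literally the size of that pool.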
Received on Tuesday, 8 February 2011 12:07:40 UTC
