- From: <Joerg.Heuer@telekom.de>
- Date: Fri, 23 Jan 2015 16:48:34 +0100
- To: <anders.rundgren.net@gmail.com>, <timothy.holborn@gmail.com>, <public-credentials@w3.org>
... no problems with bashing a few of Germany's failures to achieve more security by creating 'ideal' systems which only work in an 'ideal world' (good characterization, Anders!), except those parts that might have been contributed, or voted for, by my company, of course... ;-) Jörg -----Original Message----- From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com] Sent: Freitag, 23. Januar 2015 14:56 To: Timothy Holborn; W3C Credentials Community Group; Heuer, Jörg Subject: Re: Australian ID and other IDs (like Germany) On 2015-01-23 13:06, Timothy Holborn wrote: > FYI > > > "My ideal is to be in a situation where the MyGov platform was available to every level of government and people could have a single, secure, digital identity that enabled transactions from the local council, the state government, so everything from childcare allowances, to your rates, stamp duty, traffic fines," he said." > > SOURCE: > http://www.smh.com.au/it-pro/government-it/tony-abbott-promotes-malcol > m-turnbull-to-take-charge-of-egovernment-20150123-12wstp.html > > Tim.H. Since this has been my working field since almost two decades back I have a few things to add to the table :-) Countries have come up with entirely different solutions to the ID-problem. Uniting such concepts are as easy as solving the middle-east conflict. The by far simplest and most efficient systems are the one used in Estonia and Sweden where each citizen have a unique citizen-ID which serves as a "key" in every public-sector database. A difference between Sweden and Estonia is that in Sweden physical ID and electronic IDs are provided as separate items. Electronic IDs are primarily supplied in mobile phones. I believe this is a *much* better concept than eID-cards. In the other end of the spectrum we find Germany and Austria who have created very complex systems which may be fantastic from a privacy-point of view but suffers from a dark side as well: The German system is very little used (=useless). Pardon me Jörg :-) In fact, I think that most of the s.c. privacy-preserving technologies including Google's U2F in *practice* doesn't offer what they claim since you in almost all cases need some kind of "handle" back to the user which typically is an e-mail address. But an e-mail address is a globally unique static long-lived identity, aka GUID. Yes, privacy-minded folks have bunch of different e-mail addresses to cope with this but personally I care more about the other 98% who (naively?) anticipate that their data and identities are handled in an appropriate manner. To continue with my slashing of Germany, their famous "sicherhetsinstitut", BSI have created a system for preserving privacy regarding biometrics in passports which 10 years after the initial design have only reached pilot stage!!! Again, when you really analyze the system (EAC/SPOC) you will note that it doesn't preserve privacy except when used in an ideal world (where such measures would be unneeded anyway). Just to round out the scheme they have created HSM-based PKI-protocols that are completely broken security-wise as well. I implemented this system for my previous employer...I still feel ashamed, it was the worst IT-system I have ever worked with. Good luck with the Australian ID program! You'll need it :-) Anders
Received on Friday, 23 January 2015 15:49:07 UTC