W3C home > Mailing lists > Public > public-webid@w3.org > June 2015

Re: How Estonia is using X.509 for Identity, payments, voting and much more

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Fri, 12 Jun 2015 14:55:34 +0200
Message-ID: <CAKaEYh+fjdqUXY6MubpZiHtgNFQSzK7bLcQQmakugM_Zzm9DGw@mail.gmail.com>
To: public-webid <public-webid@w3.org>, public-rww <public-rww@w3.org>
Some developer resources:

e-Residency can be easily integrated into your desktop web application in a
few hours. It uses client-side SSL certificates that have been a
cryptographic standard for nearly 20 years.

https://e-estonia.com/e-residents/for-developers/

https://github.com/open-eid/hwcrypto.js

https://e-estonia.com/e-residents/for-developers/

*<?php*

*// Get variables*

$certificate = getenv(“SSL_CLIENT_S_DN”);

$status = getenv(“SSL_CLIENT_VERIFY”);

*// Check for success*

if($status != “SUCCESS” || substr($certificate, 0, 33) !=
“/C=EE/O=ESTEID/OU=authentication/”) exit();

$id = explode(“/”, $certificate, 8);

*// Print results*

echo “First name: ” . explode(“=”, $id[5], 2)[1] . “\n”;

echo “Last name: ” . explode(“=”, $id[6], 2)[1] . “\n”;

echo “ID code: ” . explode(“=”, $id[7], 2)[1] . “\n”;

*?>*



On 11 June 2015 at 22:26, Melvin Carvalho <melvincarvalho@gmail.com> wrote:

> My life under Estonia's digital government Analyst Charles Brett is a fan
>  2 Jun 2015
>
> There is much government talk about the economic importance of enabling a
> digital society. Yet little coherent in the UK seems to materialise – bits
> here and there imperfectly integrated and with insufficient commitment.
> Just think of the multiple UK initiatives over the years. That such slow
> progress is a given calls into question whether a digital society is beyond
> deliverable?
>
> The example of Estonia, offers a startling contrast (and one different
> from that of the European Commission <http://bit.ly/1EjJ4Fq> as
> summarised by *The Reg* earlier this year). Before going into how Estonia
> delivers, consider my own experience in Tallinn when obtaining an
> e-Resident card.
>
> That Estonia introduced the concept of an e-Resident
> <http://bit.ly/1O7nQoV> was previously described in *The Register* in
> October 2014 where it was also pointed out that anyone wanting to be an
> e-Resident had to visit Estonia twice - once to apply and then a second
> time to return to pick up your e-Resident card if granted.
> Tallin-bound
>
> In the Autumn of 2014 my wife was posted to Tallinn, Estonia’s capital,
> for six months. One of the delights of being a technology analyst is you
> can you work anywhere there is good internet access. Estonia has excellent
> internet coverage plus 4G available throughout the country (even in rural
> areas – a matter or government policy). In addition, ‘being ‘local’ means
> you can explore the digital business scene.
>
> So, armed with my identification documents, I went to a designated
> e-Resident office, having previously made an appointment online (of
> course). Although I brought passport-sized photos I was directed to a
> standard-seeming photo-booth which took my picture. Then I met a courteous
> Estonian officer who swiftly took my details and bio-identifiers while also
> linking to my electronic pictures from the photo-booth. I was told I would
> receive an email in two weeks if my application was not refused.
>
> Thirteen days later the promised email arrived. I returned to the same
> office to sign for a package that included my e-Resident card and a neat,
> and super-small USB e-Resident card reader. Nothing in the process could
> have been simpler or more easily delivered (and from 1 April 2015 it has
> been possible to achieve the same at selected Estonian embassies.)
>
> With an e-Resident card you can set up a business remotely operating from
> Estonia. As an e-Resident you can do everything legally required for a
> business by electronic means from afar, including setting up a company,
> signing contracts, opening bank accounts, making and receiving payments and
> paying all taxes.
>
> Estonia’s e-revolution has already reached far and deep
>
> As *The Register* wrote back in October, “holding the card does “not
> entail full legal residency or citizenship or right of entry to Estonia”
> (but) it does allow “secure access to Estonia’s digital services and an
> opportunity to give digital signatures in an electronic environment. ...
> Such digital identification and signing is legally fully equal to
> face-to-face identification and handwritten signatures in the European
> Union.”
>
> So, how did Estonia achieve all this? It was not a short process. Yet
> Estonia’s e-revolution has already reached far and deep, bringing together
> citizens, government and business. Second, integration has been combined
> with security and appropriate data ownership. Third, Estonia took its time
> in establishing what is now a credible e-society - some 15 years after it
> originally started back in 2001 (yes, that long ago). Today’s Estonian
> citizen can (though he or she does not have to):
>
>    - Identify themselves, via e-ID, an electronic identity system
>    - Vote (iVote, available since 2007)
>    - Complete tax returns (and make payments or receive refunds)
>    - Obtain and fulfil prescriptions (eHealth)
>    - Participate in census completion
>    - Review accumulated pension contributions and values
>    - Perform banking, including making and receiving payments
>    - Pay and interact with utilities (like water, gas and electricity)
>    - Interact with the education system (e-Education)
>    - Set up businesses
>    - Sign contracts
>    - And more.
>
> The above embrace a broad swathe of the economic and personal activities
> and applies as much to government and business as to the individual. As
> such the Estonian e-society provides facilities to all stakeholders in the
> country, and with some interesting side effects.
>
> For example, digitising the police now enables a police officer in a
> patrol car to verify a car’s legality and insurance by querying the car
> registration system. If this shows the owner is a driver who has been
> convicted of a drink-driving offence within the past two years the police
> officer can stop and breathalyse that driver. Convicted drunk-drivers know
> this; unsurprisingly repeat drink-driving re-offences have fallen.
> Conversely, electronic voting is less popular because Estonians value their
> new found freedom to choose and many dress up in order to go to their
> polling station.
>
> All of the above depend on the acceptance of some fundamentals (an aspect
> which successive UK governments have shown little appetite to address).
> These were agreed right from the inception of the Estonian e-Society
> initiative and specifically included:
> A matter of principles
>
> *1.* decentralisation combined with interconnectivity: there is no
> central database; every stakeholder (government department, business or
> even individual) has the freedom to choose its own system in its own time
> with the guiding principle being that all participating systems be able to
> work together
>
> *2.* adoption of a secure open platform approach; the intention is any
> institution (or individual) be able to use a publicly provided public key
> infrastructure
>
> *3.* a commitment to an open-ended process; capabilities are encouraged
> to evolve, grow and improve organically
>
> 4. investment in a long term commitment to a suitable infrastructure,
> particularly provision of two vital ingredients – a common middleware stack
> (‘X-Road’ ) and a secure e-Identity (or e-ID).
>
> Arguably the first three above are about principles. These are easy to
> pronounce on but not necessarily easy to adopt or deliver. What marks out
> Estonia so far is the way it has honoured its ongoing commitment to these
> principles over more than a decade.
> Follow the X-Road
>
> Furthermore, acceptance is accelerating because, with time, the
> incremental cost of adding a function or service reduces once a trusted
> infrastructure is in place. Adding the online national census capability
> cost only the census software, less than €10K, because the infrastructure
> was already in place. The creation of the e-Resident initiative was a
> logical, and practical extension, of what was already possible for Estonian
> citizens.
>
> The fourth is about practicality. As the slide below shows, the X-Road is
> the mechanism which connects all the decentralized components together.
> This is what enables Estonia’s various databases and registers, whether
> public or private, to link up and operate irrespective of what individual
> platform they use. In this the ‘adapter server’ is the key integration
> element which enable different applications to work together.
>  [image: Screenshot showing estonia digital goverment organisation chart]
>
> Similarly, e-ID is the nationally standardized system for verifying each
> individual’s identity to the online environment (the ‘security server’ in
> Figure 1). This opens the door to provision of e-services which offer
> security and trust (the basis for the e-Resident card), and Estonia has
> gone further than most in four additional dimensions:
>
>    - it has introduced differentiation between roles associated with an
>    e-ID; a civil servant, for example, can act as an individual or can act as
>    his or her job demands, with quite different rights, accesses and
>    privileges associated with his or her job
>    - digital privacy is enshrined in law (Estonians argue their country
>    has the strongest legislative protections, accompanied by stiff penalties
>    for digital infractions or abuse)
>    - the adoption of specific extending legislation where needed, for
>    example for medical records; these are owned by the individual who
>    authorizes doctors to use his or her patient’s medical records (using the
>    e-ID to authenticate and record this authorization)
>    - citizens have rights to access and inspect data held about them;
>    transparency breeds trust, over time.
>
> Estonia has not stopped at this. To provide demonstrable accuracy it
> exploits blockchain technology (though not that from Bitcoins) to establish
> trust and verification. Data and interactions use a blockchain (from
> Guardtime, an Estonian company) to guarantee a record of the state of any
> component within the network and data stores.
>
> The implications of this are immense. It means that any unauthorized
> change in the state, which can be regarded as attack on accuracy, can be
> detected. Whether this ‘attack’ comes from outside or from (say) an
> employee on the inside, record alteration is recorded while the original
> remains (or is shown to have been tampered with).
> Conclusion
>
> Estonia proves that a digital society is practical today. Yet, apart from
> Finland which is adopting the Estonian technology base, other European
> countries including the UK lag behind. If it took Estonia 15 years to reach
> where it has today, and with a population of less than 1.5M, how long will
> it take the UK, France, Germany or Italy? Will e-Societies ever emerge in
> these place in a coherent and meaningful way? Does this mean that large
> countries are doomed to fall behind?
>
> The sad aspect about such conclusion is that a proven technology base to
> support an e-Society - X-Road and e-ID- exists. Yet recognition of what
> Estonia delivers is ignored by those, especially fellow partners in the EU
> who seem to think they will provide better - at some unpredictable point in
> the future.
>
> Estonia shows us that a digital society is practical today. We, as
> citizens, should demand the same vision, coordination, commitment,
> inclusivity and consideration of the needs and practicalities of all
> stakeholders.
>
> Instead we have politicians posing about the importance of digital
> societies in order to get re-elected, and global multi-nationals exploiting
> our personal data for their benefit.
>
> We need not wait interminably for an e-Society. But, outside Estonia and
> Finland, it looks as if we will. And any e-Society must be underpinned by
> commonly accepted principles, as well as practical technologies, which
> recognise the rights of all participants. ®
>
> http://www.theregister.co.uk/2015/06/02/estonia/
>
> Some more links:
>
> https://e-estonia.com/e-residents/about/
> http://en.wikipedia.org/wiki/Estonian_ID_card
> http://estonia.eu/news/563--estonias-e-residency-goes-global.html
>
>
Received on Friday, 12 June 2015 12:56:08 UTC

This archive was generated by hypermail 2.3.1 : Friday, 12 June 2015 12:56:08 UTC