Re: more on the french certificate idenum scheme

Following through some more on the links in the Minister's web site, one finds that she mentions a few other similar European systems.

Austria : http://www.buergerkarte.at 
Norway : http://www.bankid.no 
Finland : http://www.fineid.fi 
Estonia : http://www.id.ee 
Italy: http://www.crs.lombardia.it; http://www.regione.sicilia.it/crs 

From the Austrian web site one reaches a page of compatible devices, of which the following is one example:

   http://www.cryptoshop.com/index.php

These types of devices store the private key in a non-world-readable partition that only the crypto hardware can touch. So if software requires the encryption of something, it makes a request to this type of hardware first, which does the encryption or signature. The device can furthermore ask the user for a password, so as to reduce misuse in case it is lost or stolen.

   Certain browsers can then use such devices to set up SSL sessions. Firefox is one such browser, though Bruno Harbulot told me that finding the correct drivers is problematic. This is presumably why the state won't get into the business of distributing those devices, but will leave it to public companies and institutions to take care of these details. As I understand it, the state will probably have a master key and some process by which it can (un)certify those companies if they don't apply the general rules.

  My guess is that since the Minister mentioned this helping reduce the number of passwords the user needs to remember, this was because she was thinking of these devices using X.509 technology and https to identify the user. I don't know another technology that would be widely enough deployed to be usable... But I suppose even that is open. All the state is requiring is that such an identity solution be in place where the state can have a master key.

	Henry


On 9 Feb 2010, at 07:44, Story Henry wrote:

> The French Minister of internet-related affairs recently proposed a certificate-based national identity scheme. She goes into more detail about her certificate identity project in a recent blog post.
> 
> In French:
>  - http://nkm-blog.org/idenum%C2%A0-petites-mises-au-point/
> 
> In English using Google Translate:
>  - http://bit.ly/b6c3NR
> 
> Nathalie Kosciusko-Morizet outlines her responses to internet-based critiques (she is @nk_m on Twitter) in 4 main sections, which she looks into in more detail after pointing out that a number of other European countries use certificates (Austria, Norway, Italy are cited...)
> 
> OPENID
> ======
> 
> + OpenID does help reduce password requirements, but nobody is guaranteeing the identity of the user.
>  [ note: this is true of the use we are putting foaf+ssl to, but of course it could be used also for IDeNum-generated certificates. At the simplest level: if the WebID of the user is https://idenum.fr/ID123#hjs then knowing idenum.fr's policy for generating those IDs, and the legal backing it has, would be enough for a high level of trust to be placed in what the representation returned by that URI says. It would remain to formalize such content in a way so as to make this generalizable, perhaps across countries and similar institutions. 
>   Of course the French government is big enough that its clients do not need to use HTTPS dereferencing of WebIDs as we do in foaf+ssl. It will be well known enough that service providers will find it easy to add the Idenum certificate to their keychain, and trust the information given there.
> ]
> 
> + as a result, of course, OpenID is not supported by banks and government institutions. [and it is not very secure, of course, one could add]
> 
> + many other countries are using certificates as identity online
> 
> + The European Information Security Agency ENISA just published a report on international Electronic ID interoperability and does not mention OpenID but does mention these certificate schemes:     
> 	http://www.enisa.europa.eu/act/it/eid/xborderauth
>   [ I have not read it yet ]
> 
>   These use standard technology and can be made interoperable. An EU project called STORK is looking into this. [ could use semweb technologies here ]
> 
> + Some sites like Facebook are not interested in the real identity of users but just in their profiles. Sites like eBay, on the other hand, could find having an ID to be very helpful.
> 
> 
> National Identity Card (CNIE)
> =============================
> 
> There is another project regarding a national identity card called CNIE, which is a different project. CNIE can help you cross borders. Idénum just has information about your name and a numeric ID. CNIE also uses the same technology [X509 I suppose] but only on an electronic card (a bank card with a chip on it). Idénum will work on USB sticks, portable phones, and many other media.
> 
> Privacy Issues
> ==============
> 
> There is very little info on these certificates. Your name and a number.
> 
> If a site wishes to exchange information collected on the user, this has to be an indispensable part of the service it is giving, and accepted by the user, as stipulated in law on information and freedom from 1978.
> 
> Will everyone start requiring such certificates? Will people start requiring blog posters to use their ID? Studies have shown that this is not so, such as the study by Caroline Lancelot-Miltgen (rewarded by the CNIL, an organism for Computer Liberties in France). Such requests would frighten off customers.
> 
> [ and I suppose those profiles won't say very much about them: so it would be a lot more interesting for a blog to have a profile of me which tells them about my blog posts, my interests, my latest posts and the people I am currently following on Twitter. It is quite clear that this is not going to be something the government will want to start guaranteeing ]
> 
> Will this mean the state will know everything people are doing? No: the state will not be producing certificates itself. This will be delegated to a number of companies.
> 
> [ and I suppose that the advantage of certificates is that people can verify an identity without making a request to the certificate issuer ]
> 
> Also citizens can have more than one certificate from each of these companies.
> 
> 
> Economic Models
> ===============
> 
> There will be a cost to getting these certificates. As opposed to OpenID, which does not require any verification and can therefore be free, certificates do require some identity verification, and therefore have a cost.
> 
> This cost need not be paid by the internaut, but can as in Sweden, be paid by the service providers using these certificates.
> 
> 
> Security
> ========
> 
> The security of the system will be determined by the National Agency of Information Systems security ANSSI.  There is a double protection built into IDENUM, as it requires a certificate and a number.
> 
> 
> Hope this helps,
> 
> 	Henry
> 
> 
> 
> Social Web Architect
> http://bblfish.net/
> 
> 

Received on Tuesday, 9 February 2010 08:38:16 UTC
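The thread describes a relying party that adds an accredited issuer's certificate to its keychain and then trusts the name and WebID in a user's X.509 client certificate without contacting the issuer. The following is an added example, not code from the thread or from any of the schemes it mentions, showing that flow with the Go standard library: an accredited issuer signs a client-auth certificate carrying a name and the WebID URI in subjectAltName, a relying party verifies it offline against its trust store, and a certificate for the same holder from an unaccredited issuer is rejected. The issuer names, the holder name and the "accredited" versus "rogue" issuers are hypothetical; the WebID https://idenum.fr/ID123#hjs is the one used in the thread. Keys are generated in software here, whereas the thread's devices would keep the holder's private key on a token.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"time"
)

// Issuer stands in for one of the companies accredited to issue certificates
// (hypothetical). Its signing key would sit in an HSM; here it is in software.
type Issuer struct {
	Cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCert signs tmpl with parent/priv and parses the result back.
func newCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewIssuer creates a self-signed CA certificate for an issuer.
func NewIssuer(name string) (*Issuer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := newCert(tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &Issuer{Cert: cert, key: key}, nil
}

// IssueUserCert signs a client-authentication certificate that carries only a
// name and a WebID URI (subjectAltName). Only the holder's public key is passed
// in: on a token the private half never leaves the hardware.
func (is *Issuer) IssueUserCert(name, webID string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	u, err := url.Parse(webID)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		URIs:        []*url.URL{u},
	}
	return newCert(tmpl, is.Cert, pub, is.key)
}

// Identity is what a relying party learns from an accepted certificate.
type Identity struct{ Name, WebID string }

// VerifyClientCert checks the chain to a trusted issuer locally (no request to
// the issuer) and extracts the asserted name and WebID.
func VerifyClientCert(cert *x509.Certificate, trusted []*x509.Certificate) (Identity, error) {
	roots := x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return Identity{}, err
	}
	if len(cert.URIs) != 1 {
		return Identity{}, errors.New("expected exactly one WebID URI in subjectAltName")
	}
	return Identity{Name: cert.Subject.CommonName, WebID: cert.URIs[0].String()}, nil
}

// DemoResult: the identity accepted from the accredited issuer's certificate,
// and the verification error for the unaccredited issuer's certificate.
type DemoResult struct {
	Accepted Identity
	RogueErr error
}

// Demo runs the flow end to end with a trust store holding only the accredited issuer.
func Demo() (DemoResult, error) {
	accredited, err := NewIssuer("Accredited Issuer (hypothetical)")
	if err != nil {
		return DemoResult{}, err
	}
	rogue, err := NewIssuer("Rogue Issuer (hypothetical)")
	if err != nil {
		return DemoResult{}, err
	}
	holderKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // would live on the token
	if err != nil {
		return DemoResult{}, err
	}
	const webID = "https://idenum.fr/ID123#hjs" // WebID used as the example in the thread
	good, err := accredited.IssueUserCert("Holder (hypothetical)", webID, &holderKey.PublicKey)
	if err != nil {
		return DemoResult{}, err
	}
	bad, err := rogue.IssueUserCert("Holder (hypothetical)", webID, &holderKey.PublicKey)
	if err != nil {
		return DemoResult{}, err
	}
	trusted := []*x509.Certificate{accredited.Cert}
	id, err := VerifyClientCert(good, trusted)
	if err != nil {
		return DemoResult{}, err
	}
	_, rogueErr := VerifyClientCert(bad, trusted)
	return DemoResult{Accepted: id, RogueErr: rogueErr}, nil
}

func main() {
	res, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("accepted: %+v\nrogue issuer rejected: %v\n", res.Accepted, res.RogueErr)
}
```

The point of `VerifyClientCert` is the one made in the thread: once the issuer's certificate is in the relying party's trust store, the signature check is purely local, so the issuer learns nothing about where the holder uses the certificate. The `ExtKeyUsageClientAuth` restriction in `VerifyOptions` matters because Go's default is to require server authentication, which would wrongly reject a client certificate; the `(un)certify` step the thread mentions corresponds to adding or removing an issuer from `trusted`.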