RE: German eID

Sorry for being silent this morning, I just bought one of those simple and
insecure readers to play with. It is a REINER SCT cyber Jack RFID basis
Contactless Smartcard Reader.

On Windows, it uses Microsoft's Usbccid smartcard reader (WUDF) and as soon
as the "logincard" comes into play, the OWOK light 1.0 driver is installed
as well.


For those interested in the XML version of the card (official comments in
English), it is here:
https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/TechnischeRichtlinien/TR03112/API/CardInfo_eGK_1-2-0_1-5-1_1-3-0_xml.xml;jsessionid=4F9135E31E38B62936BA8D7476D6E881?__blob=publicationFile


All API, protocol and architecture specific details (in English) are at the
end of the resource, which Henry mentioned already:
https://www.bsi.bund.de/ContentBSI/Publikationen/TechnischeRichtlinien/tr03112/index_htm.html


It looks like some details of the process for providing software that makes
use of the signature laws/components can be seen at the following:
http://www.bundesnetzagentur.de/cln_1911/SiteGlobals/Forms/Suche/Expertensuche_Formular.html?view=processForm&queryResultId=9246469&pageNo=0
The term "Herstellererklärung" can be understood as a contract with the
government that the company applies the rules defined in the signature laws
(SigG and SigV).

One of the products mentioned applies: PKCS#7 detached, PKCS#7 enveloped
and PDF signatures based on Adobe PDF V 1.6 adbe.pkcs7.detached.

Based on the laws mentioned, they apply the hash algorithms SHA-1/256/512
and RIPEMD-160, and RSA with different key lengths depending on the year,
i.e. until the end of 2007 1024-bit keys were treated as secure, and right
now they think a 1976/2048-bit key length can be seen as secure until 2014.


The CVCA certificate life cycle is described here:
https://www.bsi-fuer-buerger.de/SharedDocs/Downloads/DE/BSI/ElekAusweise/CVCA/Certificate_Policy.pdf;jsessionid=521EACD0CB56BF69464FA649D9C0323D?__blob=publicationFile

Here it is also said that the certificate must meet the rules described in
TR03110, in English here:
https://www.bsi.bund.de/ContentBSI/EN/Publications/Techguidelines/TR03110/BSITR03110.html
and
https://www.bsi.bund.de/cae/servlet/contentblob/532066/publicationFile/27971/TR-03110_v201_pdf.pdf

In general, it looks like WebID could be possible (but obviously very
political).

Cheers,
Martin

---------------------------------------------------------------------
Prof. Dr.-Ing. Martin Gaedke 
Chemnitz University of Technology  
Faculty of Computer Science  
Distributed and Self-organizing Computer Systems Group     
Straße der Nationen 62  
D-09107 Chemnitz  
Germany     
      
Phone:    +49 (371) 531-25530 
E-Mail:   martin.gaedke@informatik.tu-chemnitz.de    
Web Site: http://vsr.informatik.tu-chemnitz.de             
XING:     https://www.xing.com/profile/Martin_Gaedke 
LinkedIn: http://www.linkedin.com/in/gaedke    

For further information on Web Engineering:    
* International Society for Web Engineering http://www.iswe-ev.de/     
* Int. Conf. on Web Engineering 2011: http://icwe2011.webengineering.org/   
* Journal of Web Engineering: http://www.rintonpress.com/journals/jwe/
> -----Original Message-----
> From: Henry Story [mailto:henry.story@bblfish.net]
> Sent: Dienstag, 8. Februar 2011 11:11
> To: WebID XG
> Cc: Martin Gaedke
> Subject: German eID
> 
> In Monday's teleconf Martin Gaedke pointed out
> 
> gaedke: regarding electronic IDs, there is something going on in Germany
...
> also in other countries ongoing <webr3> like the US too <gaedke>
> http://www.epass.de/ <gaedke> http://www.personalausweisportal.de/
> 
> I found the technical details here
> http://www.personalausweisportal.de/cln_102/SharedDocs/Downloads/DE/Technik_Flyer.html?nn=830460
> 
> As I understand these cards work with a public key infrastructure. The CA
> certificate is a Card Verifiable Certificate (ISO 7816), and the
> certificates for the qualified electronic signature are X509 certs.
> 
> It will require client software that supports the eCard-API, and an eID
> server. These are defined here www.bsi.bund.de.
> 
>  1. BSI TR-03110 EAC und PACE
>  2. BSI TR-03112 eCard-API
>  3. BSI TR-03127 Architektur
>  4. BSI TR-03130 eID-Server
> 
> Perhaps the picture here helps
> https://www.bsi.bund.de/ContentBSI/Publikationen/TechnischeRichtlinien/tr03112/index_htm.html
> 
> Not sure how international these standards are, or how open.
> 
> 
> It would be interesting to see if browsers can interact with these cards,
> if they contain an X509 certificate, and if these could contain a WebID.
> 
> Henry
> 
> 
> Social Web Architect
> http://bblfish.net/

Received on Tuesday, 8 February 2011 13:05:51 UTC