<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	>
<channel>
	<title>Comments on: Open Source Identity Management: eID Cards&#8217; Spec Finally disclosed!</title>
	<atom:link href="http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/feed/" rel="self" type="application/rss+xml" />
	<link>http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/</link>
	<description>“equally critical of proprietary and open source myths, advocating software choice beyond marketing and romanticism”</description>
	<pubDate>Fri, 12 Mar 2010 16:24:38 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.7.1</generator>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
		<item>
		<title>By: Roberto Galoppini</title>
		<link>http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/comment-page-1/#comment-662118</link>
		<dc:creator>Roberto Galoppini</dc:creator>
		<pubDate>Tue, 01 Dec 2009 11:45:05 +0000</pubDate>
		<guid isPermaLink="false">http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/#comment-662118</guid>
		<description>I don't know an "out-of-the-box" open source replacement for that, sorry.</description>
		<content:encoded><![CDATA[<p>I don&#8217;t know an &#8220;out-of-the-box&#8221; open source replacement for that, sorry.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Saurabh</title>
		<link>http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/comment-page-1/#comment-662102</link>
		<dc:creator>Saurabh</dc:creator>
		<pubDate>Mon, 30 Nov 2009 12:43:44 +0000</pubDate>
		<guid isPermaLink="false">http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/#comment-662102</guid>
		<description>Hi Roberto, 

We are trying to replace MS Identity Lifecycle Management for an organization of 8000 employees; is there any solution you suggest?</description>
		<content:encoded><![CDATA[<p>Hi Roberto, </p>
<p>We are trying to replace MS Identity Lifecycle Management for an organization of 8000 employees; is there any solution you suggest?</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Roberto Resoli</title>
		<link>http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/comment-page-1/#comment-410763</link>
		<dc:creator>Roberto Resoli</dc:creator>
		<pubDate>Tue, 27 May 2008 15:00:08 +0000</pubDate>
		<guid isPermaLink="false">http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/#comment-410763</guid>
		<description>The CIE filesystem is great news for everybody, like me and Bud, interested in open source as a way to lower the barrier between citizens and eGovernment. It seems that a lot of already done work is being unlocked (Bud, Emanuele, who else? :-) ). 
CNS and CIE are indeed different beasts, but they MUST[1] be interoperable. 
The main difference, apart from external appearance, is that CIE does not have a Digital Signature service on board, even if the latest rules (November 2007, the same ones that stated the filesystem disclosure) 
specifically indicate this possibility.

CNS is not the best practice around, from the Open Source point of view. 
It is currently not possible to support it, because some operations (Digital Signature in particular) are protected using symmetric cryptography 
("Secure Messaging") whose secret keys are embedded in the card, and then in the opaque, proprietary software that deals with it.

The need for protection (but not its implementation) is mandated by an EU regulation about Electronic Signature[2], which sets the level of security (CWA 14169 -&gt; Common Criteria, EAL4+) for "Secure Signature
Creation Devices" (SSCD). Technically, a "Trusted Path" and "Trusted Channel" must be established between SSCD and SCA (Signature Creation Application).
The actual running implementation is such that CNS cards coming from different manufacturers (and even different batches of cards from the same manufacturer!) are not interoperable (even if all the specifications
involved are the same, the secret key is not!).

The European Citizen Card, currently under study, proposes a different approach; in the related technical specification (CWA 14890, chapter 8) a protocol involving asymmetric cryptography is outlined, in which the key for Secure Messaging is generated on the fly, more or less in an SSL/TLS fashion. 
Maybe this could be the next step on the way to a really open and interoperable eID infrastructure.

If someone wants to go deep into the subject, I prepared a package[3] collecting several of the regulations quoted here, along with a presentation I made for the last Italian Free Software Conference.

[1] &lt;a href="http://www.cnipa.gov.it/site/it-IT/Attivit%C3%A0/Certificatori_accreditati/Carta_Nazionale_dei_Servizi/" title="CNS - CNIPA" rel="nofollow"&gt;CNS on CNIPA web site&lt;/a&gt; (in Italian).

"La completa corrispondenza informatica tra CNS e CIE assicurerà 
l’interoperabilità tra le due carte e la continuità di servizi 
all’utente che passi della Carta Nazionale dei Servizi 
alla Carta d’Identità Elettronica"

that is:

"The complete informatic match between CNS and CIE will assure
interoperability between the two cards and continuity of service
to the user moving from CNS to CIE."

[2]"COMMISSION DECISION of 14 July 2003
on the publication of reference numbers of generally recognised standards for electronic signature
products in accordance with Directive 1999/93/EC of the European Parliament and of the Council" 

&lt;a href="http://www.interlex.it/testi/pdf/dec030714.pdf" title="Commission Decision" rel="nofollow"&gt;PDF on Interlex web site&lt;/a&gt; (in English) 

[3] &lt;a href="http://www.confsl.org/images/files/workshops/workshop_sc-egov-floss.zip" title="SmartCards, eGov, Free Sw" rel="nofollow"&gt;zipped package&lt;/a&gt; from the "SmartCards, eGovernment and Free Software" workshop on the &lt;a href="http://www.confsl.org" rel="nofollow"&gt;ConfSL08 website&lt;/a&gt;.</description>
		<content:encoded><![CDATA[<p>The CIE filesystem is great news for everybody, like me and Bud, interested in open source as a way to lower the barrier between citizens and eGovernment. It seems that a lot of already done work is being unlocked (Bud, Emanuele, who else? :-) ).<br />
CNS and CIE are indeed different beasts, but they MUST[1] be interoperable.<br />
The main difference, apart from external appearance, is that CIE does not have a Digital Signature service on board, even if the latest rules (November 2007, the same ones that stated the filesystem disclosure)<br />
specifically indicate this possibility.</p>
<p>CNS is not the best practice around, from the Open Source point of view.<br />
It is currently not possible to support it, because some operations (Digital Signature in particular) are protected using symmetric cryptography<br />
(&#8220;Secure Messaging&#8221;) whose secret keys are embedded in the card, and then in the opaque, proprietary software that deals with it.</p>
<p>The need for protection (but not its implementation) is mandated by an EU regulation about Electronic Signature[2], which sets the level of security (CWA 14169 -&gt; Common Criteria, EAL4+) for &#8220;Secure Signature<br />
Creation Devices&#8221; (SSCD). Technically, a &#8220;Trusted Path&#8221; and &#8220;Trusted Channel&#8221; must be established between SSCD and SCA (Signature Creation Application).<br />
The actual running implementation is such that CNS cards coming from different manufacturers (and even different batches of cards from the same manufacturer!) are not interoperable (even if all the specifications<br />
involved are the same, the secret key is not!).</p>
<p>The European Citizen Card, currently under study, proposes a different approach; in the related technical specification (CWA 14890, chapter 8) a protocol involving asymmetric cryptography is outlined, in which the key for Secure Messaging is generated on the fly, more or less in an SSL/TLS fashion.<br />
Maybe this could be the next step on the way to a really open and interoperable eID infrastructure.</p>
<p>If someone wants to go deep into the subject, I prepared a package[3] collecting several of the regulations quoted here, along with a presentation I made for the last Italian Free Software Conference.</p>
<p>[1] <a href="http://www.cnipa.gov.it/site/it-IT/Attivit%C3%A0/Certificatori_accreditati/Carta_Nazionale_dei_Servizi/" title="CNS - CNIPA" rel="nofollow">CNS on CNIPA web site</a> (in Italian).</p>
<p>&#8220;La completa corrispondenza informatica tra CNS e CIE assicurerà<br />
l’interoperabilità tra le due carte e la continuità di servizi<br />
all’utente che passi della Carta Nazionale dei Servizi<br />
alla Carta d’Identità Elettronica&#8221;</p>
<p>that is:</p>
<p>&#8220;The complete informatic match between CNS and CIE will assure<br />
interoperability between the two cards and continuity of service<br />
to the user moving from CNS to CIE.&#8221;</p>
<p>[2]&#8220;COMMISSION DECISION of 14 July 2003<br />
on the publication of reference numbers of generally recognised standards for electronic signature<br />
products in accordance with Directive 1999/93/EC of the European Parliament and of the Council&#8221; </p>
<p><a href="http://www.interlex.it/testi/pdf/dec030714.pdf" title="Commission Decision" rel="nofollow">PDF on Interlex web site</a> (in English) </p>
<p>[3] <a href="http://www.confsl.org/images/files/workshops/workshop_sc-egov-floss.zip" title="SmartCards, eGov, Free Sw" rel="nofollow">zipped package</a> from the &#8220;SmartCards, eGovernment and Free Software&#8221; workshop on the <a href="http://www.confsl.org" rel="nofollow">ConfSL08 website</a>.</p>
]]></content:encoded>
	</item>
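The two Secure Messaging models Roberto Resoli contrasts in the comment above, as an added example that is not part of the original page, of OpenSC, or of any CNS/CIE specification: a card whose SM MAC key is a static per-batch secret (so only middleware holding that secret can talk to it, and a card from another batch rejects the very same command), beside a card that derives a fresh SM key from an on-the-fly key agreement in the CWA 14890 style. Everything here is constructed for illustration: the key values, the toy group (the Mersenne prime 2**127 - 1 with generator 3, chosen only so the exchange runs with the Python standard library and far too small for real use), and HMAC-SHA256 standing in for the card's own MAC algorithm. The PSO: COMPUTE DIGITAL SIGNATURE header 00 2A 9E 9A is the ISO 7816-8 one, used as the protected command. The unauthenticated Diffie-Hellman shown is deliberately only the key-generation half of the protocol; CWA 14890 additionally authenticates both sides with certificates, without which an attacker in the middle could simply run the exchange themselves.

```python
"""Toy comparison of two Secure Messaging (SM) key models for an eID card.

Added example, not code from the original page, OpenSC or any CNS/CIE
specification. Key values, the DH group and the HMAC-SHA256 MAC are
constructed here; real cards use the algorithms in their own spec.
"""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group: Mersenne prime 2**127 - 1, generator 3.
# Constructed so the example runs stand-alone; NOT a secure parameter set.
TOY_P = 2**127 - 1
TOY_G = 3

# ISO 7816-8 PSO: COMPUTE DIGITAL SIGNATURE header (CLA INS P1 P2),
# used as the command that must travel under Secure Messaging.
SIGN_CMD = bytes.fromhex("002A9E9A")


def derive_sm_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from a shared secret (toy KDF)."""
    k_enc = hmac.new(shared_secret, b"SM-ENC", hashlib.sha256).digest()
    k_mac = hmac.new(shared_secret, b"SM-MAC", hashlib.sha256).digest()
    return k_enc, k_mac


def protect_apdu(k_mac: bytes, apdu: bytes) -> bytes:
    """Reader side: append an 8-byte MAC so the card can reject commands
    built by software that does not hold the current SM key."""
    return apdu + hmac.new(k_mac, apdu, hashlib.sha256).digest()[:8]


def card_accepts(k_mac: bytes, protected: bytes) -> bool:
    """Card side: recompute the MAC and compare in constant time."""
    apdu, mac = protected[:-8], protected[-8:]
    expected = hmac.new(k_mac, apdu, hashlib.sha256).digest()[:8]
    return hmac.compare_digest(mac, expected)


class StaticKeyCard:
    """Model 1: a long-term symmetric SM secret personalised into each batch.
    The reader must already hold it, which is what ties the key to opaque
    middleware and makes different batches mutually non-interoperable."""

    def __init__(self, batch_secret: bytes):
        self._k_mac = derive_sm_keys(batch_secret)[1]

    def process(self, protected: bytes) -> bool:
        return card_accepts(self._k_mac, protected)


def static_model_demo() -> dict:
    """Middleware shipped with batch A knows only batch A's secret."""
    batch_a = hashlib.sha256(b"batch-A-personalisation-secret").digest()  # constructed
    batch_b = hashlib.sha256(b"batch-B-personalisation-secret").digest()  # constructed
    card_a, card_b = StaticKeyCard(batch_a), StaticKeyCard(batch_b)
    cmd = protect_apdu(derive_sm_keys(batch_a)[1], SIGN_CMD)
    return {"same_batch": card_a.process(cmd), "other_batch": card_b.process(cmd)}


class KeyAgreementCard:
    """Model 2: no SM secret is shared in advance; each session derives a
    fresh key from a DH-style exchange (the CWA 14890 idea, minus the
    certificate-based authentication a real card would add)."""

    def __init__(self):
        self._priv = secrets.randbelow(TOY_P - 2) + 2
        self.pub = pow(TOY_G, self._priv, TOY_P)
        self._k_mac = None

    def open_session(self, reader_pub: int) -> None:
        shared = pow(reader_pub, self._priv, TOY_P)
        self._k_mac = derive_sm_keys(shared.to_bytes(16, "big"))[1]

    def process(self, protected: bytes) -> bool:
        return self._k_mac is not None and card_accepts(self._k_mac, protected)


class OpenReader:
    """Any reader implementation can complete the exchange: it needs no
    secret from the card issuer, only the public protocol."""

    def __init__(self):
        self._priv = secrets.randbelow(TOY_P - 2) + 2
        self.pub = pow(TOY_G, self._priv, TOY_P)

    def session_mac_key(self, card_pub: int) -> bytes:
        shared = pow(card_pub, self._priv, TOY_P)
        return derive_sm_keys(shared.to_bytes(16, "big"))[1]


def agreement_model_demo() -> dict:
    reader = OpenReader()
    card1 = KeyAgreementCard()
    card1.open_session(reader.pub)              # reader sends its public value
    k1 = reader.session_mac_key(card1.pub)      # card sends its public value
    ok1 = card1.process(protect_apdu(k1, SIGN_CMD))
    card2 = KeyAgreementCard()                  # a card from any other batch
    card2.open_session(reader.pub)
    ok2 = card2.process(protect_apdu(reader.session_mac_key(card2.pub), SIGN_CMD))
    stale = card2.process(protect_apdu(k1, SIGN_CMD))  # MAC from another session
    return {"any_card": ok1 and ok2, "replay_other_session": stale}
```

Running the two demo functions shows the difference in one line each: the static model accepts only the same-batch command, while the agreement model accepts any card with the same reader code and rejects a MAC computed under a previous session's key.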
	<item>
		<title>By: Bud P. Bruegger</title>
		<link>http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/comment-page-1/#comment-410593</link>
		<dc:creator>Bud P. Bruegger</dc:creator>
		<pubDate>Tue, 27 May 2008 10:24:22 +0000</pubDate>
		<guid isPermaLink="false">http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/#comment-410593</guid>
		<description>About two years ago, I wrote OpenSC support for CIE and had also submitted it to the Ministry in order for them  to publish it on their open source repository (I had an NDA, never received the spec, and it was never published).  Haven't had time to port it to the latest version and for legal reasons, couldn't publish it (and the same for my python library to access CIE, pyCIE), but Roberto Resoli (Comune di Trento) has started to work with my old code.  But let's just work together to create a single PKCS#11 for CIE and CNS (the current CIE ARE different from CNS in some respect..).  Some people officially involved with CNS are also interested in this work.  Let's join and produce a single well-tested solution.

-b</description>
		<content:encoded><![CDATA[<p>About two years ago, I wrote OpenSC support for CIE and had also submitted it to the Ministry in order for them  to publish it on their open source repository (I had an NDA, never received the spec, and it was never published).  Haven&#8217;t had time to port it to the latest version and for legal reasons, couldn&#8217;t publish it (and the same for my python library to access CIE, pyCIE), but Roberto Resoli (Comune di Trento) has started to work with my old code.  But let&#8217;s just work together to create a single PKCS#11 for CIE and CNS (the current CIE ARE different from CNS in some respect..).  Some people officially involved with CNS are also interested in this work.  Let&#8217;s join and produce a single well-tested solution.</p>
<p>-b</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Emanuele Pucciarelli</title>
		<link>http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/comment-page-1/#comment-410439</link>
		<dc:creator>Emanuele Pucciarelli</dc:creator>
		<pubDate>Tue, 27 May 2008 07:47:40 +0000</pubDate>
		<guid isPermaLink="false">http://robertogaloppini.net/2008/05/16/open-source-identity-management-eid-cards-spec-finally-disclosed/#comment-410439</guid>
		<description>I hadn't read your take before doing this, but it turns out to be correct. There is a &lt;a href="https://www.opensc-project.org/opensc/ticket/177" rel="nofollow"&gt;patch&lt;/a&gt; adding support for CNS/CIE, and I hope it gets into trunk soon, so that the next release of OpenSC features support as well.</description>
		<content:encoded><![CDATA[<p>I hadn&#8217;t read your take before doing this, but it turns out to be correct. There is a <a href="https://www.opensc-project.org/opensc/ticket/177" rel="nofollow">patch</a> adding support for CNS/CIE, and I hope it gets into trunk soon, so that the next release of OpenSC features support as well.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
