Updates from Bud Bruegger Toggle Comment Threads | Keyboard Shortcuts

  • Bud Bruegger 2:09 pm on May 16, 2008 Permalink | Reply  

    Open Source Identity Management: eID Cards’ Spec Finally disclosed! 

    In Europe, Italy is one of the forerunners of smartcard deployment and not surprisingly, it has a long-standing history of eID cards and a noteworthy rollout. Together with Spain it is the first big European country to ready to start the general roll-out of eID cards to all citizens.

    The “e” in eIDs is really only as good as the services that the card provides access to–without services, an eID card is nothing but a piece of plastic (with a chip).  To enable a card to use services requires software, namely something called middleware that interfaces the web browser to the smartcard.  Maximizing service access and thus the value perception by citizens, means to “eID-enable” as many environments and applications as possible.

    What will seem natural to most Open Source people out there, but often less so to government organizations, is that a single organization cannot easily support all desirable/necessary cases very easily–this is a simple conseguence of the ever increasing scarcity of resources.

    Applied to eIDs, most governments provide eID middleware for the “major platforms” which can range from only Windows to a maximum of Windows, Mac OS X, and Linux on Intel.  Do you want to access an eID-protected service from your mobile device running Symbian, or from some embedded device that runs Linux on a Strong ARM processor, or even only from Linux on PowerPC?–well, don’t count on governments to help you out any time soon.

    So a key factor to using eIDs ubiquitously, and thus create value to citizens, is to enable third, non-government parties to develop and distribute middleware where it is missing. Unfortunately, this is not possible in every European country.  While some national eID projects have published their technical specs from the very beginning, others have treated them as confidential and thus prohibited third parties from filling in the gaps.  Considering that ID documents are related to “national security” and that government decision makers more often come from a legal than a technical background, this is not as surprising as it may first seem to computer security experts.

    In view of the significant negative consequences of unnecessary confidentiality, it is very nice to observe that decisions can indeed change!  Italy was one of the European countries who considered the spec of their eIDs confidential.  This has in the past prohibited the support of Italian eIDs on non-Windows platforms.  Also, the current middleware [that is part of the pilot project and may be replaced for the general roll out] does not play well with Mozilla Firefox (even on Windows). Thankfully, all these are now restrictions of the past since the full spec was indeed published yesterday. I believe that this is the merit of many unnamed people, acting behind the scenes, who used many ways and various opportunities, invested an enormous amount of personal energy, to drop by drop hollow the stone and remove the rocky mountain that blocked the way to freedom.  This is the moment for gratitude and for encouraging others with the message that it is not easy, but it is possible and at times it succeeds.

    So what will the gained freedom bring us and the citizens who have an Italian eID in their pockets?  Here is my take on predicting the future:  In a relatively short time, support for the Italian eID card will be added to OpenSC that already supports most other European eIDs and the American PIV.  This will provide multi-platform middleware for use by Firefox browers, Virtual Private Networks, Secure Shell, Linux logon, and other applications. Also, commercial players will more easily be able to provide out-of-the-box eID-support in their operating systems or on their devices (such as set top boxes).

    I hope that this foreseeable positive development will become a visible experience that demonstrates the benefits of openness and influence those countries who still keep their specs confidential: The community can amplify resources and thus achieve what a single player (in eIDs mostly a government) simply cannot even hope to do.  So let us work on making this a reality, let the community provide significant help in making eIDs a success, and from time to time let us remind people that it is openness that made this all possible.

    Technorati Tags: Open Source Identity Management, eID, smartcard, eID spec

    • Emanuele Pucciarelli 8:47 am on May 27, 2008 Permalink

      I hadn’t read your take before doing this, but it turns out to be correct. There is a patch adding support for CNS/CIE, and I hope it gets into trunk soon, so that the next release of OpenSC features support as well.

    • Bud P. Bruegger 11:24 am on May 27, 2008 Permalink

      About two years ago, I wrote OpenSC support for CIE and had also submitted it to the Ministry in order for them to publish it on their open source repository (I had an NDA, never received the spec, and it was never published). Haven’t had time to port it to the latest version and for legal reasons, couldn’t publish it (and the same for my python library to access CIE, pyCIE), but Roberto Resoli (Comune di Trento) has started to work with my old code. But let’s just work together to create a single PKCS#11 for CIE and CNS (the current CIE ARE different from CNS in some respect..). Some people officially involved with CNS are also interested in this work. Let’s join and produce a single well-tested solution.


    • Roberto Resoli 4:00 pm on May 27, 2008 Permalink

      The CIE filesystem is a great new for everybody, like me and Bud, interested in open source as a way to lower the barrier between citizens and eGovernment. It seems that a lot of already done work is being unlocked (Bud, Emanuele, who else? 🙂 ).
      CNS and CIE are indeed different beasts, but they MUST[1] be interoperable.
      The main difference, apart form external appearance, is that CIE does not have a Digital Signature service on board, even if the last rules (November 2007, the same that stated the filesystem disclosure)
      specifically indicate this possibity.

      CNS is not the best practice around, from the Open Source point of view.
      It is currently not possible to support it, because some operations (Digital Signature in particular) are protected using symmetric cryptography
      (“Secure Messaging”) whose secret keys are embedded in the card, and then in the opaque, proprietary software that deals with it.

      The need of protection (but not its implementation) is mandated by an EU regulation about Electronic Signature[2], which sets the level of security (CWA 14169 -> Common Criteria, EAL4+) for “Secure Signature
      Creation Devices” (SSCD). Technically, a “Trusted Path” and “Trusted Channel” must be estabilished between SSCD and SCA (Signature Creation Application).
      The actual running implementation is such that CNS cards coming from different manufacturer (and even different batches of cards from the same manufacturer!) are not interoperable (even if all the specifications
      involved are the same, the secret key is not!).

      The corrently under study European Citizen Card proposes a different approach; in related technical (CWA 14890, chapter 8) a protocol involving asymmetric cryptography is outlined, in which the key for Secure Messaging is generated on the fly, more or less in an SSL/TLS fashion.
      May be this could be the next step on the way of a really open and interoperable eID infrastructure.

      If someone wants to go deep in the subject, i prepared a package[3] collecting several of the regulations quoted here, along with a presentation I made for the last Italian Free Software Conference.

      [1] CNS on CNIPA web site (in italian).

      “La completa corrispondenza informatica tra CNS e CIE assicurerà
      l’interoperabilità tra le due carte e la continuità di servizi
      all’utente che passi della Carta Nazionale dei Servizi
      alla Carta d’Identità Elettronica”

      that is:

      “The complete informatic match between CNS and CIE will assure
      interoperability between the two cards and continuity of service
      to the user moving from CNS to CIE.”

      [2]”COMMISSION DECISION of 14 July 2003
      on the publication of reference numbers of generally recognised standards for electronic signature
      products in accordance with Directive 1999/93/EC of the European Parliament and of the Council”

      PDF on Interlex web site (in English)

      [3] zipped package from the “SmartCards, eGovernment and Free Software” workshop on the ConfSL08 website.

    • Saurabh 1:43 pm on November 30, 2009 Permalink

      Hi Roberto,

      We are trying to Replace MS Identity Lifecycle Management for an Organization of 8000 employees, is there any solution you suggest ?

    • Roberto Galoppini 12:45 pm on December 1, 2009 Permalink

      I don’t know an “out-of-the-box” open source replacement for that, sorry.

  • Bud Bruegger 11:14 am on October 12, 2007 Permalink | Reply  

    Open Source Identity Management: 12th Poorvo Group meeting, 18-19 October, Grosseto (Italy) 

    The Conference on Interoperable European Electronic Identities – organised by the Porvoo Group – will take place on the 18th and 19th of October in Grosseto.

    One of the main topics of the conference will be the issues of eID interoperability in which the city of Grosseto has been particularly active.

    The forcePoorvo Group logo

    I write this personal note after a journey of well more than three years in the land of electronic IDs (eIDs). It was a journey guided by ideal of simple and pragmatic solutions, helped and often even made possible by consistently engaging various communities who brought objectives in reach that would otherwise have been hopelessly beyond my resources, and evidently of open source both in use and in development.

    The Porvoo 12 meeting represents a culmination point of this journey, some kind of arrival, and therefore this note.

    More than three years ago I changed my hat by entering a local public administration—the Comune di Grosseto—and by diving into a completely unknown field of identity management with smartcards, access control, and all the rest. My task being to guide the administration to find a good and sustainable (thus open source) solution for identity management with the Italian eID card(s). And the environment was definitely challenging with a lot of information close to impossible to come by, initially no one to talk to, and being in a position of utter unimportance since eIDs are done by national governments, not local administrations.

    (More …)

Compose new post
Next post/Next comment
Previous post/Previous comment
Show/Hide comments
Go to top
Go to login
Show/Hide help
shift + esc