<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"> <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8"> <meta name="Generator" content="Microsoft Word 15 (filtered medium)"> <style></style> </head> <body lang="EN-GB" link="blue" vlink="purple"> <div class="WordSection1"> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Hi all, I am not able to comment on specifics at national level, and clearly there have been (are) many concerns expressed about the security of eID systems, whether handled by private or government entities. <o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">But you may be interested in the background provided by the European Commission, including links to the 2014 regulation on eID, as well as follow-up Commission ‘implementing decisions’ detailing in particular minimum tech specs, interop and security requirements for eID schemes here: <a href="https://ec.europa.eu/digital-single-market/en/trust-services-and-eid">https://ec.europa.eu/digital-single-market/en/trust-services-and-eid</a> <o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Their Twitter page (@EU_eIDAS) also has references to various national-level initiatives like the ongoing amendment of the eID law in Finland. <o:p></o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></p> <p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US">Jean-Jacques<o:p></o:p></span></p> <p class="MsoNormal"><a name="_MailEndCompose"><span style="font-size:11.0pt;font-family:"Calibri",sans-serif;color:#1F497D;mso-fareast-language:EN-US"><o:p> </o:p></span></a></p> <p class="MsoNormal"><b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif">From:</span></b><span lang="EN-US" style="font-size:11.0pt;font-family:"Calibri",sans-serif"> cooperation-wg [mailto:cooperation-wg-bounces@ripe.net] <b>On Behalf Of </b>Julius ter Pelkwijk<br> <b>Sent:</b> 06 May 2016 08:43<br> <b>To:</b> Gordon Lennox <gordon.lennox.13@gmail.com>; Cooperation WG <cooperation-wg@ripe.net><br> <b>Subject:</b> Re: [cooperation-wg] eIDs<o:p></o:p></span></p> <p class="MsoNormal"><o:p> </o:p></p> <div> <p class="MsoNormal">From what I know:<o:p></o:p></p> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal"><a href="https://www.rijksoverheid.nl/onderwerpen/digitale-overheid/inhoud/digitale-veiligheid-en-identiteit/naar-1-standaard-voor-elektronische-identiteit">https://www.rijksoverheid.nl/onderwerpen/digitale-overheid/inhoud/digitale-veiligheid-en-identiteit/naar-1-standaard-voor-elektronische-identiteit</a> (dutch only)<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Its the successor of what we call "Digi-D". Although it is supposed to be "strong", all you need is an username + password + SMS code (if its enforced). Authentication goes online and passwords are sent by mail, you will never have to go to the muncipality to verify yourself.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">The question I have though is the fact that the system is NOT governed by the government, but by private companies. They are specifically talking about "brokers", who can verify + sign in on your name. From what I understand, you can give someone else through your eID access to your account (and basically be able to sing in their name). Those brokers will ask for a certain fee for their services and they need to be validated, so its unlikely that everyone is able to connect their system to it. Its similar to what we call "iDeal", a payment system similar to paypal but then with banks. You pay a transaction fee of 25 cents as a company, but you are not allowed to charge customers. For the brokers, they claim that a fee of 0.05-0.10 cents per transaction is normal (so, every time you log in, its costing 5 cents). You also don't need an eID card, they mention that your phone can also be used as an eID (in combination with a passcode).<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Two things that they put down as possible "users" in the private sector are financial institutes + webshops. The first one for credit loans (buy now, pay later) and webshops for validating that the user is 18 years or older. I can think that a lot of other companies (like casino's) would also like to be able to use this system.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">The question I am still thinking about is the "security" aspect. I work in a place where we supply IT systems to muncipalities, and when I hear sometimes how they are working with their "secure" email systems like CORV (supplied by KPN), I can say that I have reasonable doubts that when this system is going to be in place that when someone at the muncipality forgets to update their servers (or the supplier forgets to update their system) that a lot of private/personal information can end up in some Russian black market. Not to mention that the system needs to be "hackable" by brute-force, in case of fraud. Its specifically mentioned in the papers that in case of fraud they need to be able to retrieve the master key by "brute-forcing" their systems.<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Greetings,<o:p></o:p></p> </div> <div> <p class="MsoNormal"><o:p> </o:p></p> </div> <div> <p class="MsoNormal">Julius<o:p></o:p></p> </div> </div> <p class="MsoNormal"><o:p> </o:p></p> <div> <div> <p class="MsoNormal">On Thu, May 5, 2016 at 9:36 PM Gordon Lennox <<a href="mailto:gordon.lennox.13@gmail.com">gordon.lennox.13@gmail.com</a>> wrote:<o:p></o:p></p> </div> <blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0cm 0cm 0cm 6.0pt;margin-left:4.8pt;margin-right:0cm"> <p class="MsoNormal" style="margin-bottom:12.0pt">We had a presentation on EU eIDs at Dublin if I remember well.<br> <br> Then we had the (still unofficial) draft Communication on platforms - as previously mentioned on the list - where eIDs are again mentioned.<br> <br> Now here is the UK take:<br> <br> <a href="https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify" target="_blank">https://www.gov.uk/government/publications/introducing-govuk-verify/introducing-govuk-verify</a><br> <br> If anyone has information from their country on this it might be nice to share.<br> <br> (I am not sure why I wrote “nice” there.)<br> <br> :-)<br> <br> Gordon<br> <br> <o:p></o:p></p> </blockquote> </div> </div> </body> </html>