OpenID for all Estonians

When thinking about OpenID and its use cases, I usually have registering accounts with web services and commenting on blogs in mind; I am probably not the only one thinking in that direction, although there are countless other possibilities, Sun’s OpenID server being one of them (Sun OpenID = Sun employee).

Estonian eID

Today I came across an example which goes way beyond Sun’s example (see Ma.gnolia bookmark). Estonia started issuing electronic identity cards (eID) to its citizens in 2002. Those eIDs will be OpenIDs soon! Beta tests are running at the moment.

Although Estonia is a small country with just 1.37 million inhabitants, more than one million Estonians and foreigners residing in the country will have an OpenID. Open.id.ee = Estonian eID. Those OpenIDs are very secure because smart cards are required which make phishing and identity theft impossible.

Besides being identity cards and OpenIDs, those eIDs have a lot more functions. They contain two certificates, for authentication and signing, and a permanent email address which forwards emails to people’s real email provider; the card is also used as a health card, so there is no need for an extra card.
Other applications can be developed by using core components of the eID software. Estonians can use their eID for tax declaration, public transport, WiFi access, and even internet voting. Quite impressive actually.

Privacy

While the eID seems to be a very convenient authentication tool, privacy issues occur, of course. It could be the wet dream of some politicians. However, the Estonian Data Protection Act allows just 12 people access to personal data; police and tax officials have access only after a court order. More information on security and privacy can be obtained here.

Information on eID:

eID in action: Estonia
National profile for eGovernment IDM initiatives in Estonia
ID.ee

16 thoughts on “OpenID for all Estonians”

  1. About privacy: First, the open.id.ee service, once announced, shall be open source. Second – current ‘public naming’ scheme with full names in the OpenID shall have a sibling namespace where the OpenID forwarded to the service shall be anonymous (no personal information, different for every site) yet there is a guarantee that every eID holder has only one unique identifier for the given site. To use it easily, websites shall have to use OpenID 2.0 and the identifier_select feature, which means ‘OpenID provider shall figure out the OpenID to send to the service’. This is exactly what OpenID is for – if you use eID cards in the most secure way – by using them to open the SSL connection to the web server (which is OK for banks and e-voting etc) – you expose all your personal information to the remote party. Very often you don’t want to do that.

    Anyway, I have an English writing in the works that describes a bit more the reasons, technical challenges and possibilities and future of OpenID questions ‘Who? (you are)’ and ‘How? (do you assert that)’ in the context of open.id.ee. This comes together with the ‘public 1.0 beta’ (currently there is ‘public 0.1 beta’ online, for months already)

    Also – please note that the very next step is cross-EU support, which has already been tested in real life but is not a priority for Estonian OpenIDs.

    Martin – creator of open.id.ee
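
The anonymous namespace described in the comment above (no personal information, different for every site, yet exactly one identifier per eID holder per site) can be built as a keyed derivation over the holder and the requesting site. This is an added example, not open.id.ee code: the HMAC construction, `PROVIDER_KEY`, `ANON_BASE`, the holder id strings and all function names are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# OpenID 2.0 value a relying party sends to let the provider pick the identifier.
IDENTIFIER_SELECT = "http://specs.openid.net/auth/2.0/identifier_select"
# Assumption: one long-term provider secret (constructed demo value).
PROVIDER_KEY = b"constructed-demo-key-not-a-real-secret"
# Hypothetical anonymous namespace, not a documented open.id.ee URL.
ANON_BASE = "https://op.example/anon/"


def normalize_realm(realm: str) -> str:
    """Reduce a relying-party realm to scheme://host[:port] so paths don't split a site."""
    parts = urlsplit(realm)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"unusable realm: {realm!r}")
    host = parts.hostname.lower().rstrip(".")
    default = {"http": 80, "https": 443}[parts.scheme]
    port = "" if parts.port in (None, default) else f":{parts.port}"
    return f"{parts.scheme}://{host}{port}"


def pairwise_identifier(holder_id: str, realm: str, key: bytes = PROVIDER_KEY) -> str:
    """Stable per (holder, site); unlinkable across sites without the provider key."""
    site = normalize_realm(realm)
    # Length-prefix each field so ("ab", "c") and ("a", "bc") cannot collide.
    msg = b"".join(len(p).to_bytes(4, "big") + p
                   for p in (holder_id.encode(), site.encode()))
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    # 128 bits of the tag; the holder id itself never appears in the URL.
    return ANON_BASE + tag[:32]


def choose_identity(request: dict, holder_id: str) -> str:
    """Provider side: choose the identifier to assert for an authenticated holder."""
    if request.get("openid.identity") != IDENTIFIER_SELECT:
        # The relying party named a specific OpenID, so nothing is left to choose.
        raise ValueError("anonymous mode requires identifier_select")
    return pairwise_identifier(holder_id, request["openid.realm"])
```

Two sites comparing their user lists cannot match these identifiers to each other, but the provider can still recompute any of them from the holder and the site.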

  2. Thanks a lot for sharing some more details on how OpenID will work with eID. I think eID is an intriguing project; combining it with OpenID makes sense in many ways. I’ll certainly watch this project. :)

  3. I know nothing about this, so I’m not saying you’re wrong, but:

    > “smart cards are required which make phishing and identity theft impossible”

    Surely “impossible” is overstating it?

  4. I think that the smart cards are a form of 2FA. So only 1 part of the 2 factors is ever exposed. Even if a MITM was to intercept a request the value is only valid for that point in time so useless when trying to replay a request or use it another time. That’s probably a simplification of how it works…

  5. I guess I have to erase the word impossible from my vocabulary now.

  6. > I guess I have to erase the word “impossible” from my vocabulary now.

    When describing how easy it is to break into any computer system, then yeah, I think so :)

  7. Why only for Estonia? eID sounds like something we all need because it seems to be more secure than OpenID. And about the SSL certificates, those should make us feel safe when giving out personal data but we can’t trust any site that presents us a certificate.

    1. In the meantime some other countries have introduced electronic ID cards (Belgium, Finland,…). Those cards are secure but can be compromised as I had to learn from some other people, e.g. Marc Wilcox’ post (see comment above).
