OpenID for all Estonians

When thinking about OpenID and its use cases, I usually have registering accounts with web services and commenting on blogs in mind. I am probably not the only one thinking in that direction, although there are countless other possibilities, Sun’s OpenID server being one of them (Sun OpenID = Sun employee).

Estonian eID

Today I have come across an example which goes way beyond Sun’s example (see Ma.gnolia bookmark). Estonia started issuing electronic identity cards (eID) to its citizens in 2002. Those eIDs will be OpenIDs soon! Beta tests are running at the moment.

Although Estonia is a small country with just 1.37 million inhabitants, more than one million Estonians and foreigners residing in the country will have an OpenID. Open.id.ee = Estonian eID. Those OpenIDs are very secure because smart cards are required, which make phishing and identity theft impossible.

Besides being identity cards and OpenIDs, those eIDs have a lot more functions. They contain two certificates for authentication and signing, and a permanent email address which forwards emails to people’s real email provider; the eID is also used as a health card, so there is no need for an extra card.
Other applications can be developed by using core components of the eID software. Estonians can use their eID for tax declaration, public transport, WiFi access, and even internet voting. Quite impressive actually.

Privacy

While the eID seems to be a very comfortable authentication tool privacy issues occur, of course. It could be the wet dream of some politicians. However, the Estonian Data Protection Act allows just 12 people access to personal data; police and tax officials have access only after a court order. More information on security and privacy can be obtained here.

Information on eID:

eID in action: Estonia
National profile for eGovernment IDM initiatives in Estonia
ID.ee


  • eddiepetosa
    Why only for Estonia? eID sounds like something we all need because it seems to be more secure than OpenID. And about the SSL certificates, those should make us feel safe when giving out personal data but we can't trust any site that presents us a certificate.
  • In the meantime some other countries have introduced electronic ID cards (Belgium, Finland, ...). Those cards are secure but can be compromised as I had to learn from some other people, e.g. Mark Wilcox' post (see comment above).
  • eddiepetosa
    Ok, thanks for the prompt answer!
  • > "While the eID seems to be a very comfortable authentication tool privacy issues occur, of course."

    This is what I'm most concerned about. I posted about it here:
    http://passpack.wordpress.com/2007/05/25/openid...

    Cheers,
    Tara
  • I finally found some time and willingness to write a blog post in English. It covers the same subject and might be of interest. http://martin.paljak.pri.ee/2007/05/25/openid-smart-cards-and-security-risks/
  • > I guess I have to erase the word “impossible” from my vocabulary now.

    When describing how easy it is to break into any computer system, then yeah, I think so :)
  • Carsten Pötter
    I guess I have to erase the word impossible from my vocabulary now.
  • Mark Wilcox
    I've written my own response here with examples of how this system could break at
    http://blogs.oracle.com/mwilcox/2007/05/24#a149
  • Anon
    I think that the smart cards are a form of 2FA. So only 1 part of the 2 factors is ever exposed. Even if a MITM was to intercept a request the value is only valid for that point in time so useless when trying to replay a request or use it another time. That's probably a simplification of how it works...
  • Carsten Pötter
    Well, Simon Willison is asking a similar question. So am I really completely wrong? As far as I know scammers need a smart card as well to log in even if they know my password.

    Anyone more knowledgeable about smart cards than me?
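
The replay argument in Anon's comment, sketched as an added example (not code from the post or from the Estonian eID software): the verifier issues a fresh single-use challenge, the card signs it, and a captured response is rejected when sent again, against a new challenge, or too late. Assumptions: HMAC-SHA256 with a shared key stands in for the card's private-key signature so the sketch runs on the standard library alone; `Card`, `Verifier`, `demo` and the 30-second lifetime are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

CHALLENGE_TTL = 30  # seconds a challenge stays valid (constructed value)

class Card:
    """Stand-in for the smart card: the key never leaves this object."""
    def __init__(self, key):
        self._key = key

    def sign(self, challenge):
        # HMAC replaces the card's private-key signature (assumption).
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

class Verifier:
    """Server side: issues single-use challenges and checks responses."""
    def __init__(self, key):
        self._key = key
        self._pending = {}  # challenge -> time it was issued

    def new_challenge(self, now=None):
        challenge = secrets.token_bytes(16)
        self._pending[challenge] = time.time() if now is None else now
        return challenge

    def verify(self, challenge, response, now=None):
        issued = self._pending.pop(challenge, None)  # consume: single use
        if issued is None:
            return False  # unknown or already used, i.e. a replay
        now = time.time() if now is None else now
        if now - issued > CHALLENGE_TTL:
            return False  # response arrived after the challenge expired
        expected = hmac.new(self._key, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def demo():
    key = secrets.token_bytes(32)  # constructed key material
    card, server = Card(key), Verifier(key)
    c1 = server.new_challenge(now=0)
    r1 = card.sign(c1)
    fresh = server.verify(c1, r1, now=1)    # first use of c1
    replay = server.verify(c1, r1, now=2)   # same pair sent again
    c2 = server.new_challenge(now=10)
    stale = server.verify(c2, r1, now=11)   # old response, new challenge
    c3 = server.new_challenge(now=20)
    late = server.verify(c3, card.sign(c3), now=20 + CHALLENGE_TTL + 1)
    return fresh, replay, stale, late
```

`demo()` returns `(True, False, False, False)`: only the first, timely response to its own challenge is accepted.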