[OpenID - Eu] Privacy and Security Risks when Authenticating on the Internet with European eID

Robert Ott ott at jnet.ch
Wed Dec 23 22:51:51 UTC 2009


Hi Ragnar,

Thanks a lot for your information on the situation in Norway. As you mentioned, such a very 'business' driven approach can be good for business applications, but it usually results in a solution only used by bigger companies such as banks. Usually, the public community cannot use the same eID for other purposes. However, as your solution has already been in place for a few years, it was probably not possible to do otherwise. Just thinking of the client driver problem for accessing hard-token-based X509 solutions, the vendors of such solutions had many problems providing drivers for the various operating systems. Usually such solutions ended up as Windows-only solutions, which was also not good. But I think many of these issues have been resolved or have got better over the past years.

I think if an eID project starts today (as we do in Switzerland with SuisseID), we have the advantage of relying on technology available today, and I believe our approach of basing it on X509 client certificates with different vendors will have a good chance to succeed. Not least because it will be quite easy to bridge that to OpenID.

Regards

Robert, OpenID Switzerland

On 22.12.2009, at 22:27, Ragnar T. Jónasson wrote:

> Hi all,
> 
> In Norway, a "roaming" eID solution has been used for years.
> Private keys are kept centrally
> Citizens use OTP solution to access the central server where everything is done "magically"
> Requires service providers to "adapt" and is not what anyone (in their right minds) should really classify as PKI or strong authentication. It is only as strong as the OTP solution being used => not PKI => arguable whether or not this would be accepted cross-border by nations requiring strong authentication
> This solution is more of a business solution than a technical solution
> Result: Very few service providers
> 
> I'm only guessing, maybe Henrik can clarify... is it really the intention of .DK to go for a similar solution?
> And if so ... 
> Why? :O)
> 
> Merry xmas all!
> Best 
> Ragnar T
> 
> 
> -----Original Message-----
> From: openid-eu-bounces at lists.openid.net [mailto:openid-eu-bounces at lists.openid.net] On Behalf Of Robert Ott
> Sent: 22. desember 2009 18:25
> To: Henrik Biering
> Cc: Kick Willemse; openid-eu at lists.openid.net
> Subject: Re: [OpenID - Eu] Privacy and Security Risks when Authenticating on the Internet with European eID
> 
> Hi Henrik,
> 
> On 22.12.2009, at 12:59, Henrik Biering wrote:
> 
>> Robert Ott wrote:
>>> Now to the OpenID scenario. As SuisseID is based on standard X.509 certificates, there is no barrier to OpenID providers accepting these client certificates and mapping such certificates to already existing OpenIDs. There are providers such as MyOpenID and our Clavid service providing such functionality for free. Thus, user-centric OpenID scenarios are already possible today.
>>> 
>>> 
>> This direct model does not work for Danish citizens as the government and the one company to which they have outsourced the ID management (http://www.danid.dk) requires payment from any company that accepts client certificates from a user. This is clearly not a scalable model - and in particular not workable as regards international use.
> On what foundation will they insist on doing so? If a server accepts ALL client certificates, it will be up to the user to provide his client certificate to an identity provider. I think they would only have the possibility to disallow anybody to use their CA. But we don't need that for an OpenID provider accepting ALL certificates. We can try that as soon as you can get hold of an eID in your country.
>> 
>> 
>> Kick Willemse wrote:
>>> 2. In the NL an additional role is introduced "authentication broker" to
>>> make sure all the RP's do not have to implement all the different SAML IDP
>>> services individually (And manage all national/ international contractual
>>> relationships).
>>> 
>>> 
>> Not least for the reason mentioned in my response to Robert, this "Authentication broker" model is also what we are currently looking into. 
> Oh, I see. But it is an interesting model.
>> 
>>> 3. I think using the e-ID could help to keep OpenID decentralised.
>>> Individuals could use their e-ID to certify their own openid server?
>>> 
>> Effective from 1 July 2010, Danish citizens will no longer be able to access their own private key. This will be stored centrally with DanID. There have been lots of heated discussions in various IT-related media about this change.
> I don't get this point. If the user does not have the private key (e.g. on a hard token), he won't be able to initiate an SSL connection using client certificates. Do you mean that eID in Denmark will not be based on SSL client certificates?
> 
> I think we have to wait until we have real access to such eID to find out how we can open that to the OpenID world.
> 
> Robert, OpenID Switzerland.
> 
> _______________________________________________
> eu mailing list
> eu at lists.openid.net
> http://lists.openid.net/mailman/listinfo/openid-eu
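The "direct model" argued over in this thread, an OpenID provider that accepts ALL client certificates and maps a presented certificate to an OpenID the user already owns, as an added Go example that is not part of the original thread and not code from any provider or eID project it names. The certificates are constructed, throwaway self-signed ones standing in for an eID, the in-memory Registry and the identifier https://alice.example.org/ are assumptions, and the handshake runs over net.Pipe so it needs no network:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Registry (hypothetical) maps the SHA-256 fingerprint of a user's eID certificate
// to an OpenID identifier the user already owns. No eID CA is trusted: the provider
// accepts ANY client certificate, so the binding is only as strong as the user's
// exclusive control of the matching private key.
type Registry map[string]string

// Fingerprint returns the lowercase hex SHA-256 digest of a DER certificate.
func Fingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.Raw)
	return hex.EncodeToString(sum[:])
}

// SelfSignedCert builds a throwaway certificate on a fresh P-256 key; it stands in
// for an eID certificate here (constructed sample, not a real eID).
func SelfSignedCert(cn string) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}

// ResolveOpenID runs a mutually authenticated TLS handshake over an in-memory pipe.
// The provider side demands a client certificate but never checks its issuer
// (tls.RequireAnyClientCert); the handshake itself is the proof of possession of
// the private key. The presented certificate is then looked up in reg.
func ResolveOpenID(reg Registry, provider, user tls.Certificate) (string, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	server := tls.Server(srvConn, &tls.Config{
		Certificates:           []tls.Certificate{provider},
		ClientAuth:             tls.RequireAnyClientCert, // accept ALL client certs
		SessionTicketsDisabled: true,                     // no post-handshake write into the pipe
		MinVersion:             tls.VersionTLS12,
	})
	client := tls.Client(cliConn, &tls.Config{
		Certificates:       []tls.Certificate{user},
		InsecureSkipVerify: true, // the provider cert is self-signed in this sample
		MinVersion:         tls.VersionTLS12,
	})
	clientErr := make(chan error, 1)
	go func() { clientErr <- client.Handshake() }()
	if err := server.Handshake(); err != nil {
		return "", fmt.Errorf("provider handshake: %w", err)
	}
	if err := <-clientErr; err != nil {
		return "", fmt.Errorf("user handshake: %w", err)
	}
	peers := server.ConnectionState().PeerCertificates
	if len(peers) == 0 {
		return "", fmt.Errorf("no client certificate presented")
	}
	fp := Fingerprint(peers[0])
	openid, ok := reg[fp]
	if !ok {
		return "", fmt.Errorf("certificate %s... is not bound to any OpenID", fp[:16])
	}
	return openid, nil
}

func main() {
	provider, _ := SelfSignedCert("openid-provider.example")
	alice, _ := SelfSignedCert("Alice Example")   // registered eID certificate
	mallory, _ := SelfSignedCert("Alice Example") // same name, different key: must be rejected
	reg := Registry{Fingerprint(alice.Leaf): "https://alice.example.org/"} // constructed binding
	for _, u := range []tls.Certificate{alice, mallory} {
		fmt.Println(ResolveOpenID(reg, provider, u))
	}
}
```

Two points the thread makes fall out of the code. First, because no CA is trusted, the only thing the provider relies on is the TLS proof of possession, so a second certificate with the same subject name but a different key is not mapped; the entry in the registry must therefore be created only once the user has already authenticated to that OpenID account by some other means, never from the certificate's subject alone. Second, the handshake is exactly what a centrally held key removes: if the private key sits with DanID or a "roaming" server and the citizen only holds an OTP, there is no client-authenticated TLS the user can perform, and a provider in this model has nothing to look up.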
