[OpenID] OpenID Registration Scenario

Martin Paljak martin at paljak.pri.ee
Thu Jul 12 19:14:11 UTC 2007


On 12.07.2007, at 20:47, John Wang wrote:
> Thanks for mentioning the Estonia eID project. According to
> https://open.id.ee/about/english, Estonia eID "has not yet been officially
> launched and is in public beta

You should go to www.id.ee where the *eID* project dwells. IIRC first  
cards were handed out around year 2002 and eID is as official as it  
can get (including the first national scale internet e-voting that  
took place in Estonia some time ago).

http://open.id.ee is about *openID*  and yes, that is currently  
floating in the void (mostly because summertime is THE time to have  
your vacation in Estonia). Paperwork has been fixed but unfortunately  
there are no resources to complete it currently. And because the  
final version depends on OpenID 2.0 to allow anonymous identities it  
is maybe even good... And all in all it is good to give everybody  
involved some time to think about the OpenID space a bit..

Please note that there is no hard political connection between eID  
(the smart card) and open.id.ee (OpenID based upon eID). Just like  
AOL can provide OpenID-s with their usernames-passwords database  
OpenID-s can be provided upon existing eID infrastructure. But rest  
assured:  if OpenID proves itself as a viable technology - it will be  
as official and guarded (security of the OP) as the rest of the  
infrastructure.

> My guess is the following is a marketing, not technical, claim  
> "Your online identity can never be stolen because your OpenID is  
> attached to your real identity." Never is a very strong word. One  
> way to make this difficult to steal would be to require biometrics  
> at known/controlled authentication points but even in those  
> situations, compromise can happen. I didn't see any biometric  
> component for the eID so I'm not sure how it would be tied to one's  
> real identity.
Depends on how you classify a feature. I would say it is a design  
side-effect rather than a technical or marketing feature.
You don't need biometrics (that match a person to a database record  
every time used) as a real human being matches your 'body' to the  
record when issuing the card and credentials to use the card.

Think of eID cards as debit cards and your identity or 'unstealable  
openid'  as your account in the bank. If somebody steals your wallet  
you can always go to the bank and get a new card that 'references'  
the same account in the bank. At the moment you get your new card,  
old one is marked as 'stolen' and is not usable. You can suffer some  
damages (have reasonable daily limits!) but nobody can claim your  
whole account.

Of course, identity theft as such is always possible (if you lose
your passport with your wallet and a trained criminal changes the  
picture in the passport and goes on to do some Bad Stuff with your  
bank account).

What phishing-free OpenID that you can not easily impersonate is  
trying to solve is the most common complete identity theft done by  
password phishing, keyloggers and such.

> Also, what do you mean by "bundle"? Is it an external USB device or  
> built right into the computer as an internal, unremovable (except  
> with screwdriver) component? I'm not sure about the eID project but  
> just giving free external readers to people hasn't been successful  
> in getting them to use them in the past.

It depends on the seller. There are readers that replace the obsolete  
3.5" floppy drive and there are ones with USB cable (I prefer USB  
ones). What is important: you get a reader with your computer and it  
works out of the box (if you buy your computer with software).


> I'm sure most of the people on this list can be classified as  
> "early adopters" but will it pass the "grandmother test"?
I believe 5 years is enough time to get beyond early adopters. I  
don't know about grandmothers but that's not the primary target as  
well. The people who save most are the ones who are most active -  
grandmas usually are old and slow and don't have to deal that much  
with government or business.

>
> > After all, why don't end users have magstripe readers for credit
> > cards with their personal computers today?
> > The hardware has been available but I don't think the benefits
> > justify the additional costs.
>
> Magnetic stripes is not a technology to compare with smart cards
> (even though you can find them both on credit cards) Magstripe is
> just a way of 'reading data' whereas smart cards provide actual value
> (crypto) not just a bunch of bits to blindly read.
>
> They are different in terms of technology but they have the same  
> reader issues from an end user perspective. People have been trying  
> to get Internet users on smart cards for over 10 years.

The problem (reader hardware) is the same but the benefits (don't  
know what to write down as the benefit of magnetic stripes) are  
different. The rollout of national scale eID cards in Europe is the  
sign that the technology is mature and it is important to get a  
critical mass of users  and urge companies to create services to  
exploit the amount of smart cards out there.

-- 
Martin Paljak
http://martin.paljak.pri.ee




