eID in Belgium
8.220.456 citizen eID cards (full deployment)
511.774 foreigner eID cards
186.011 kids eID cards
RSA 1024 smart card
QC with 5 year validity
FedICT: Federal ICT PKI, client software, SOA solutions
National Registry user database, card issuing
Fedict 2010. All rights reserved | p. 2
Technology
Main eID feature: secure, remote authentication
Main usage of eID: client-server environments
Primary client-server environment: web browser
Middleware (MW) targets eID on the desktop
MW SDK comes with sample eID Applet
Mutual SSL has some usability issues
We want more eID enablers
Developers, developers, developers
Position eID as a Service
Focus less on the basic infrastructure (PKI)
Move towards solutions to improve usability
Explicitly target the web browser environment
Deliverables:
  Software building blocks: products
  SOA building blocks: web services
Target audience:
  Developers: easy to use software building blocks
  Architects: SOA integration via web services
  Other Federal Departments: SLA contracts
Supported product
Product OSS
Service
Supported Service
CRL: signed list with revoked certificates
OCSP: online certificate status service
TSP: time-stamping service
eID Content Viewer
Crypto modules
  PKCS#11: Windows, Mac OS X, Linux
  CSP: Windows
  tokend: Mac OS X
SDK: identification + MW Applet
OSS: http://code.google.com/p/eid-mw/
eID Middleware
Java 6 Web Browser eID component
Identification, authentication, signatures via eID
OSS: http://code.google.com/p/eid-applet/
Uses a software PC/SC proxy
Emulates different eID profiles via the proxy
Online test PKI https://env.dev.eid.belgium.be/
Identification (who are you?)
Authentication (is it really you?)
Signatures (did you once claim this?)
Administration (PIN change, PIN unblock)
Platforms: Windows, Mac OS X, Linux
Browsers: Firefox, MS IE, Safari, Chrome
Secure (CCID) & interactive eID card handling
Browser client-runtime management
Demo
eID Middleware
eID Applet Identification
eID Applet Authentication
SSL
eID Applet
CSP minidriver
PKCS#11
OCSP
CRL
TSA
NTP
Trust List
List of all QC issuing CAs per EU Member State
Cross-border signature validation by applications
http://tsl.belgium.be
OSS: http://code.google.com/p/eid-tsl/
Certificate validation via XKMS2 SOAP web service
Improves the QoS related to PKI validation
Ready for Trust List integration & XAdES
OSS: http://code.google.com/p/eid-trust-service/
Initially available as an OSS product
eID Trust Service as a real service during phase 2
Demo
Behaves like a production eID smart card
Scope is pure technology delivery
Not to be positioned against the federal token:
  Application specific trust model (out of scope)
  Application specific distribution model (out of scope)
Deliverables:
  eID Quick-Key Manager (Java 6 Desktop)
  Manual targeting different blank smart cards
Can be used as:
  Temporary solution in case of unavailability
  eID R&D platform for development of future eID
eID is the only token supported
Uses the eID Applet, eID Trust Service
Tunneled entity-authentication
SAML2 based IdP protocol
Generic IdP protocol layer with OpenSSO integration
Is not a complete IAM solution!
Attributes and other tokens are out of scope!
Could be used by IAM for eID token support
Integration with web applications is primary goal
Uses the eID Applet, eID Trust Service, TSL
XAdES-X-L according to the Service Directive
ODF 1.2 Signatures (OpenOffice.org)
Office OpenXML Signatures (Office 2007)
XAdES v1.3.2 X-L
eID citizen information
  Full name, date of birth
  Address
  Photo
Human-readable signature argumentation
Open standard
Adobe specific signature extensions
PAdES versus XAdES
Domain specific document format
Processability
Service Directive shifts towards XAdES
Service versus Desktop
Sign Verification
eID
OpenOffice
XAdES
Office 2007
Demo
eID Applet ODF Signature
eID Applet OOXML Signature
eID DSS (XMLDSig & XAdES-BES)
Thank you
Fedict
Maria-Theresiastraat 1/3 Rue Marie-Thérèse
Brussel 1000 Bruxelles
TEL. +32 2 212 96 00 | FAX +32 2 212 96 99
info@fedict.belgium.be | www.fedict.belgium.be