[HN Gopher] ID systems analysed: e-Estonia (X-Road)
___________________________________________________________________
ID systems analysed: e-Estonia (X-Road)
Author : Sami_Lehtinen
Score : 80 points
Date : 2022-01-18 15:04 UTC (7 hours ago)
(HTM) web link (privacyinternational.org)
(TXT) w3m dump (privacyinternational.org)
| tuukkah wrote:
| And if you look at the list at the end of the article, X-Road
| isn't just Estonia anymore.
| elric wrote:
| Would be nice to be able to see it in action to get a better
| sense of it.
|
| Belgium has had smartcard-based e-ID for nearly two decades now
| (and they've recently added alternative forms of authentication
| for some services). It hasn't been a terribly great success.
| People do use it, if reluctantly.
|
| My biggest gripe with it is that whenever I have to authenticate
| or sign anything, I have no way of verifying _what exactly_ I'm
| signing. I'm asked to enter a PIN, after which something is
| signed on the eID. But did I really just authenticate to the VAT
| service? Or did I agree to sell my first born child to Satan? I
| have no way to tell.
| sam_lowry_ wrote:
| As with the Proton payment network some 20 years ago, the
| Belgian state ceded to all-powerful lobbying and weakened eID
| by e.g. disabling the encryption bit or by disallowing email
| signing outside of the state-sanctioned websites.
|
| eIDs could have been wonderful little tools. Instead, they were
| forced on citizens and now, we are facing an even worse setup
| with the Itsme app that links the smartphone to state services
| and degrades the owners of free, opensource or just rooted
| phones to second-class citizens by disallowing them access.
|
| Some time ago Belgium also gave up its digital sovereignty by
| cancelling its Root CA. Instead, it now uses Digicert ROOT CA
| which is controlled by a US entity.
| elric wrote:
| Proton was way ahead of its time. It was great. And I was
| saddened to see it fail.
|
| Itsme is pretty terrible all around. Their idea of "security"
| is ... quaint. Sadly they're not the only ones who are
| forcing people onto the non-rooted Android/iOS-duopoly. But
| unlike eID, Itsme isn't required for anything yet. AFAIK
| anything that requires Itsme also works with eID ... for now.
| fvdessen wrote:
| The eID card was doomed from the start by terrible usability.
| No device can read those cards natively, you needed a dongle.
| It also didn't work with native web technologies, you needed
| browser extensions. And if you lose your card, you need a
| weeks long replacement process, and cannot use your eID in
| the meantime.
|
| Same problem with proton. Payment terminals needed to ask the
| consumer if they wanted to pay with proton or debit, and that
| added a few seconds of delay for the processing of every
| customer, which actually cost a lot to big supermarket
| chains, more than they saved with proton, and thus they
| dumped proton, and everybody followed suit.
|
| Their functional successors, Itsme and Payconiq have on the
| other hand great usability and thus have achieved much bigger
| successes.
| elric wrote:
| Ah yes, Payconiq, which only works on a small subset of
| walled garden devices. As opposed to a cheap card which
| fits in anyone's wallet. A proton payment was essentially
| two button presses, card selection + OK. It only added
| delay because some terminals were slow or weren't very user
| friendly. Paying with Payconiq in a shop isn't any faster
| than Proton. Someone (or something) still has to decide
| which payment method is going to be used. And quite
| frankly, if two seconds is too much friction for a physical
| payment, I hope you never find yourself in a shop when the
| Payconiq system is down.
| villuv wrote:
| While I agree that using the card with a computer is usually
| quite annoying, misplacing the card is not such a big
| deal. A quick replacement card can be issued in less than
| an hour but it is not a "physical ID" (no photo), only
| electronic. It costs a bit more than a normal eID card and it
| has a shorter validity period. This can be active in parallel
| with the full eID card.
|
| I personally rarely use ID card electronically, but I use
| mobile ID (phone sim application) instead which is much
| more convenient. Unfortunately this is phased out in this
| year and I haven't seen any full replacement for it so far.
| sam_lowry_ wrote:
| Proton could have been anonymous. Instead, it had all the
| downsides of cash without being anonymous.
|
| Itsme is state-controlled single sign-on. Payconiq is
| blended into banking apps, lately.
| xbar wrote:
| e-Estonia and X-Road have gotten a lot right over a long period
| of time, but selecting and relying on Gemalto was clearly not one
| of them--rolling out useless, vulnerable cards for 9 months is
| impressively bad execution.
|
| In its current design and implementation, X-Road is interesting.
| For example, Data Embassies are a notion that I can get behind. I
| suppose that is why there are so many countries evaluating it.
| Avamander wrote:
| The mistakes made have been described thoroughly by Arnis
| Parsovs if you want to read more, but I want to say that
| Gemalto is not necessarily the true cause. For example there
| are known cases of keys being generated outside the smartcard,
| Gemalto or no Gemalto, you can make grave mistakes when you
| have flawed processes or rules.
| sofixa wrote:
| Nice overview! IMHO all countries need e-government services
| (with graceful fallbacks for old/technically illiterate/etc.
| people), and most can probably use X-Road without needing to
| reinvent the wheel.
| whoopdedo wrote:
| > graceful fallbacks for old/technically illiterate/etc. people
|
| That attitude toward offline people should not be so
| dismissive. Being able to continue operations without relying
| on the computer systems is a "when" not an "if". Maintaining
| those fallbacks is good practice to prepare for that situation.
| kasperni wrote:
| In Denmark ~95% of the population receives all communication
| from the government on both national and local level
| electronically. The rest are exempt and receives them using
| plain old mail.
| Avamander wrote:
| It has its own pitfalls, like consent not being a founding
| design goal, but considering the alternatives it's only five
| steps forward one step back.
|
| That aside, it would indeed be usable, but the realist in me
| sees that profit motives will cause a NIH-syndrome-like result.
| Ten years late since X-road was created and extra ten years
| late due to reimplementing and five times over the budget.
|
| I have higher hopes that eIDAS and ASIC-E will gain adoption,
| those could significantly reduce the absolute pain in the ass
| that is dealing with some parts of Europe and their paper and
| fax-based bureaucracy. (No, a faxed signature or a gas bill is
| not a valid method of identifying someone)
| jyriand wrote:
| I'm using X-Road services every day. Mainly for signing
| documents/contracts and doing bank transactions. But you don't
| have to use ID-card for that. Instead, you can use Mobile-ID and
| Smart-ID. Also, if I'm not mistaken e-residency[0] is built on
| top of X-road.
|
| 0 - https://www.e-resident.gov.ee/
| csdvrx wrote:
| As technically interesting as using a card to sign stuff may be,
| I don't want that to be the government responsibility, as it then
| opens the door for it to be used in ways that limit our freedoms:
| a system that's too perfect can uniquely identify you, in ways
| that prevent disassociation (ex: the place of birth on the
| passport is of great interest to some totalitarian places, while
| only citizenship should matter..)
|
| So for me, the ideal ID system is decentralized, self-
| declarative, and the weight of the proof depends on the length of
| history, not on "who" says it's true: there should be many such
| services where you could declare a name and an address and
| anything else you wish (phone, email...)
|
| The value after a few weeks would be close to nil, so you could
| decide to "increase it" by having several people vouch for you
| (strength in numbers) instead of relying on a "who" (public
| notary).
|
| Or you could totally decide that you care about your
| freedom/independence/whatever and NOT ask for any vouching. It
| may be hard, but after a few years of reliably receiving mail and
| orders at that address, it would acquire some serious weight - a
| bit like you tend to trust online accounts that have been open
| for some year.
|
| Among many other things, this would also allow anyone the
| opportunity to "change" easily: want a new name/move to a new
| address/etc: create a revocation certificate for the old, sign it
| with the new, boom you inherit the credential history!
|
| It's just a quick idea, but it shows how IDs could be more like
| URLs (multiple competing services, and you could have a few at
| the same time, why not!) by moving away from the current system
| that's a direct descendant of the census (give the lord a list of
| people to tax them) and the passport (limit freedom of movement
| during the war)
|
| At the core, I believe people should be in control of their
| identity, not governments or states.
| hyperman1 wrote:
| I have a government id and a google logon. I worry a lot more
| about google than the gov.
|
| There are legally enforced limits to what can be done with my
| gov id. Regulations say who can see it, what it can be used
| for, and a court for when things go wrong. If things go too bad,
| a public backlash will occur, and politicians are very
| sensitive to it. Not perfect, but it works.
|
| Google/Microsoft/Facebook, otoh, have no obligations to you.
| They use your id as they see fit. They revoke your id as they
| see fit. They prove to be bad stewards, have invisible
| everchanging rules, and only 1 punishment for violating it.
| Meanwhile you have to have an id with all of them, or network
| effects will give you trouble when others use a service to
| contact you.
|
| Your idea will not put people in control of their id, it
| would put the bigcorps in control of it. When big enough, a
| corporation is like government's evil twin.
| csdvrx wrote:
| Well, we're the opposite then: If I want to be over and done
| with google, it's super easy. And if I don't think they
| delivered value for what I pay, I can have the payment
| reverted by my CC. And try as they might, google will have
| trouble putting me in jail or killing me :)
|
| So yes, I _really_ love that they have no obligation for me.
|
| And if Google/Microsoft/Facebook can do ID, there will
| certainly also be a Linux solution, and I'll use it :)
| hyperman1 wrote:
| The US government has no trouble killing or jailing people,
| even with only a half functioning id system. In fact I have
| no idea how it's acceptable to give everybody a social
| security number and then claim it is but a secret and a
| public identifier. It's the worst of both worlds.
|
| Now without google account, you're locked out of a big
| chunk of the android world. I recently joined a group using
| hangouts, google account required. School and doctor and a
| few others started to use ms teams since corona, requiring
| a microsoft account. I don't have facebook yet, but it
| costs me a lot of mini second hand sales in the
| neighbourhood. There are other such cases.
|
| I could try to re-educate every one of these groups, but
| after a full time job and a family, that's not how I want
| to spend my time. There's a short amount of time to spend
| in life, and a worthy cause on every street corner. Feel
| free to mock me for not choosing these particular hills to
| die on.
|
| I'd rather have consumer protection and/or anticompetitive
| action. The government can spend some of my tax money on
| it, as it's their job. Meanwhile I'll use my id to log in
| at my healthcare provider, knowing that if they are stupid
| enough to sell that data, they get a backlash from the
| public opinion and some very unwanted attention of the
| courts.
| DocTomoe wrote:
| > I have a governement id and a google logon. I worry a lot
| more about google than the gov.
|
| See, it's the exact opposite for me: Google never built
| extermination camps. They are thus inherently more
| trustworthy than any government.
| KennyBlanken wrote:
| > I don't want that to be the government responsibility, as it
| then opens the door for it to be used in ways that limit our
| freedoms: a system that's too perfect can uniquely identify
| you, in ways that prevent disassociation (ex: the place of
| birth on the passport is of great interest to some totalitarian
| places, while only citizenship should matter..)
|
| You mean like social security numbers, which tell anyone where
| you were born, down to a fairly limited range of zipcodes?
|
| Or how about driver's license databases, which include your
| ethnicity, possibly your religion, etc? You think the guys in
| black helicopters are going to let a pesky little thing like
| "get the state's drivers license database" stop them,
| particularly when there's already a national clearing house
| system so states don't issue duplicate licenses, licenses to
| people who owe money or have had their license revoked, etc?
|
| General hand-wave-y conspiracies about national ID cards making
| it easier for everyone to be death-camped are just a right-wing
| attempt to harm federal government effectiveness so they can
| continue to hamstring everything it does and then shout about
| how ineffective it is and thus it needs to be cut.
|
| If the government wants to ship you off to gas chambers, it can
| do that just fine without a functional federal identity system
| and in the meantime everyone's lives would be significantly
| easier. Imagine if everything you did with local/state/federal
| government and healthcare no longer involved a page worth of
| identity crap, just presenting a free ID card.
| csdvrx wrote:
| > You mean like social security numbers, which tell anyone
| where you were born, down to a fairly limited range of
| zipcodes?
|
| Indeed, I want none of that. I wish I could ask the SS to
| delete my registration and let me deal with the consequences.
|
| > You think the guys in black helicopters are going to let a
| pesky little thing like "get the state's drivers license
| database" stop them
|
| It may be nothing much, but anything that can make the work
| of a potential abusive government HARDER should be done.
|
| > particularly when there's already a national clearing house
| system so states don't issue duplicate licenses, licenses to
| people who owe money or have had their license revoked, etc?
|
| And you nail it: with the system I proposed, there would be
| duplicates, and people owing money etc. It'd be messy. And
| that's good: because that's where freedom is often found, in
| messy systems.
| toomuchtodo wrote:
| You're an outlier in your belief systems. People don't want
| messy, they want convenience and assurances.
| csdvrx wrote:
| > You're an outlier in your belief systems. People don't
| want messy, they want convenience and assurances.
|
| It seems to me that people care more and more about their
| privacy.
|
| As for convenience, most people I know use an iphone with
| an android tablet and a windows computer, so by revealed
| preferences I'd say their actions speak louder than their
| words.
| motohagiography wrote:
| To me the interesting vulnerabilities in these schemes previously
| were the "offline mode," where you need to be able to present a
| verifiable cryptogram without access to the issuer's network. As I
| remember from several years ago, compatibility with chip-on-card
| schemes that lacked the processing capabilities for RSA or space
| for ECC keys meant you needed to design the ID scheme to use
| symmetric key protocols, which forced offline modes to cache
| single use keys and the security of those were provided by
| counters and timers.
|
| Once you move to mobile devices and "digital id" like the SMART
| Health vax passports, you can use asymmetric key based protocols,
| and you can do the offline verification by distributing the
| public part of the user certificate signing key to verifier
| devices. If it requires compatibility with physical cards, it's
| using single use symmetric or stored keys for offline mode, and
| if it doesn't, it can use asymmetric keys for a verification
| protocol. In the latter case, my impression was that abstractly,
| the vax passport verification protocol was not unlike JOSE/JWS
| tokens today.
|
| The main failure modes are if the signing key gets compromised
| (as there was news one recently did) and someone starts
| generating fake vax passports and dilutes the system, or
| exploiting the recovery process where people can duplicate
| someone's cert by getting it reissued to them.
|
| Reality is, in a society with an internal passport system where
| you have to show papers for everyday movements, any
| constitutional rights or freedoms cannot be guaranteed because by
| being obligated by law to present ID, you are no longer a
| protected member of a citizenry with rights to move and
| associate, and in that instance you are reduced to a
| political minority of one.
|
| I get we need ID for online services (I do a lot of work in this
| field), but we do not need national identity cards to accomplish
| any goals those services provide.
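The offline verification flow sketched in the comment above (issuer public keys distributed to verifier devices in advance, a JWS-like signed token checked without network access, and withdrawal of a compromised signing key) as an added example; this is not code from the article, from X-Road, or from any vaccination-passport scheme. The compact JWS layout, Ed25519, the claim field names and kid-based revocation are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
	"time"
)

var enc = base64.RawURLEncoding

// Claims is a minimal payload; the field set is an illustrative assumption.
type Claims struct {
	Sub string `json:"sub"`
	Exp int64  `json:"exp"` // unix seconds; offline checks need a sane clock
}

// Issue signs claims under the issuer key kid, in compact JWS form (h.p.sig).
func Issue(kid string, priv ed25519.PrivateKey, c Claims) string {
	h, _ := json.Marshal(map[string]string{"alg": "EdDSA", "kid": kid})
	p, _ := json.Marshal(c) // cannot fail for plain string/int fields
	input := enc.EncodeToString(h) + "." + enc.EncodeToString(p)
	return input + "." + enc.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// Verifier is the state a checking device carries offline: issuer public keys
// distributed in advance, plus the kids withdrawn after a key compromise.
type Verifier struct {
	Keys    map[string]ed25519.PublicKey
	Revoked map[string]bool
}

// Verify checks a token with no network access and returns its claims.
func (v Verifier) Verify(token string, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var h struct{ Alg, Kid string }
	if hb, err := enc.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &h) != nil {
		return Claims{}, errors.New("bad header")
	}
	// Pin the algorithm: the token must never choose how it is verified.
	if h.Alg != "EdDSA" {
		return Claims{}, errors.New("unexpected alg")
	}
	pub, ok := v.Keys[h.Kid]
	if !ok || v.Revoked[h.Kid] {
		return Claims{}, errors.New("unknown or revoked signing key")
	}
	sig, err := enc.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return Claims{}, errors.New("bad signature")
	}
	var c Claims
	if pb, err := enc.DecodeString(parts[1]); err != nil || json.Unmarshal(pb, &c) != nil {
		return Claims{}, errors.New("bad payload")
	}
	if now.Unix() >= c.Exp {
		return Claims{}, errors.New("expired")
	}
	return c, nil
}
```

Once a signing key is known to be compromised, the only offline remedy is to push its kid into every device's revocation set, which also invalidates every genuine token issued under it.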
| def_true_false wrote:
| How do you prove that you are a citizen in countries without
| IDs? Do you just use birth certificates for everything
| important?
| dijit wrote:
| In the UK; weird.
|
| 2 proofs of address, bank statements/utility bills etc; that
| are sent to your address with your name on.
|
| 1 form of citizenship proof such as birth certificate.
|
| Additionally, depending on "proof" level: notarized passport
| photo (by someone who is considered trustworthy, police
| officer, business owner, doctor) who is not related but
| whom you have known for more than 5 years.
|
| Also additionally, parents birth certificates.
|
| Had to do the last two to get my passport, notarized passport
| photo with two different people that were not family that I'd
| known for 5 years.
| kasperni wrote:
| Recently moved to the UK from Denmark. E-government wise I
| would say the UK is at least 10 years behind. And now
| instead of just one authority that has my details. I've
| lost count of how many places I've had to send a copy of my
| passport. It just does not make any sense to not have some
| kind of national eID.
| alibarber wrote:
| How easy is it to access that in Denmark though if you're
| not a citizen? I moved from the UK to Finland and had to:
|
| - Visit the Immigration office with my passport (as an EU
| citizen I might add) where they took a copy
|
| - Visit the local registry office with a bit of paper
| from the above, and my passport, where they took a copy
|
| - Visit the tax office with my passport, where they took
| a copy
|
| - Only then could I visit the police station with my
| passport (where, you guessed it) and/or a bank, with the
| passport (yes the photocopier worked well there too) in
| order to get access to the E-ID service. Which I will
| agree does make e-government superior to that of the UK,
| but, it was not 'frictionless' in the beginning.
|
| Also, a lot of EU people get caught out by the first step
| requiring an appointment which is usually months out (as
| being non-EU, weirdly you're almost in a better position
| because you can, or rather have to, get that done before
| you leave your own country)
|
| Completely agree though that even as a citizen and living
| there all my life (until a couple of years ago) - the
| 'gas bill/bank statement' thing is a massive PITA.
| However a lot of places are trying to work out a better
| system and will use credit reports and fuzzy logic to
| validate your information to a threshold they're happy
| with. This is also something the government themselves
| are working on. Interestingly, as much as the Finnish
| system has saved me time, I just don't agree with the
| idea that the government should maintain some centrally
| accessible and enforceable registry of where everyone
| lives.
| motohagiography wrote:
| "Important" is the key word there. Going to a restaurant,
| leaving one's house, going to concerts, participating in
| sports, are not an important time to show a linked
| identification document and have it remotely verified by an
| authority, and recorded. Contriving the important instances
| is what makes internal passport systems oppressive.
| KennyBlanken wrote:
| I mean, in the US for decades "are you a citizen" seems to
| have revolved around whether you can present a yellowed piece
| of paper that has absolutely zero security features: your
| social security card. Sometimes a birth certificate, which
| has only slightly more security features.
| marcosdumay wrote:
| > Reality is, in a society with an internal passport system
| where you have to show papers for everyday movements, any
| constitutional rights or freedoms cannot be guaranteed
|
| Well, theoretically they can, it's just a system that is so
| easy to exploit that it doesn't make sense to lose time talking
| about the unexploited state.
|
| Anyway, the entire problem here is with the "show your papers
| for everyday movements" part, not with the government making
| your papers easy to use.
| motohagiography wrote:
| It seems so reasonable, but when you make something easy,
| people (governments) do it. ID cards are an attractive
| nuisance for authoritarian personalities, you just don't
| equip them if you want to live without abuse.
|
| I've worked in privacy, and unless you make an explicit and
| specific law against something, orgs are going to find a way
| to abuse it. One can absolutely be in favour of identity cards
| and internal passports, but they should just not couch their
| authoritarian urges in "convenience," and try to make it seem
| like it's our own idea for our own good.
___________________________________________________________________
(page generated 2022-01-18 23:01 UTC)