Ever since the infamous "Signaturgesetz" (the law regulating electronic signatures) passed the Bundestag (the German parliament), the industry has moaned about the "signature inhibition effect" this law had and still has. Attending the not so obviously related event on the "Industrialization of Cybercrime" some weeks ago, organized by Bitkom and the Ministry of Economics in Berlin, I finally heard one of the well-known lawyers, Mr. Harder from Munich, admit that the lawyers might have "over-engineered" the whole thing! Well, Mr. Harder's next sentence was an attempt to put that into perspective, claiming that at least "it's very secure" (sic!).
Why do I bother you with this on your journey to broaden your knowledge about ID management? Let me explain: a good portion of the attendees of that event at the BMWi (the Ministry of Economics) also turned out to be attending the well-known OmniCard conference here in Berlin.
While at that event representatives of the BKA (the FBI-like federal law enforcement agency) and of the ministries tried to convince the audience that we need yet tighter control (compare the Patriot Act in the US; I disagree!) and more multi-national cooperation to enable more efficient law enforcement action against (cyber-)terrorists (which I agree with), the representatives of the BSI (Federal Office for Information Security) and academia tried to promote the advantages of the up-and-coming electronic ID card (ePA, elektronischer Personalausweis), scheduled for autumn 2010.
This new national ID card will contain a contactless smartcard chip (similar to, but not really, RFID) that stores your personal information. The "electronic ID" function is meant to offer online the same benefits and use cases that are prevalent "in real life", i.e. at the liquor store, the hotel reception desk or the like: it will enable you to reveal or prove just what you want to prove, be it your age, your name, your address, or any other attribute stored on the eID that you choose to reveal.
The BSI, in close cooperation with several German companies and universities, is developing a trust infrastructure that allows the average citizen to "identify" himself to a service offered on the internet. This includes distributing certificates to the service's web server in advance, which will allow the citizen to do what the internet community has so far failed to provide: mutual, trustworthy authentication! No more "green bars", no more phishing ... you get the point (and hopefully the slightly sarcastic tone of my words...).
Undisputedly, the idea behind the architecture is great. Not only shall it prove the authenticity of an online service to the user (and the service's right to access the required portion of the eID information stored inside the ePA), it will also improve the trustworthiness of users/consumers in the eyes of the vendor (aka the relying party).
I was kindly informed that the "eCardAPI" is in fact broadly based on accepted standard technology, as can be seen by browsing the respective documents here: http://www.bsi.bund.de/literat/tr/tr03112/index.htm
What I wanted to express, though, is that the proposed usage of the technology in the field will comprise rather complex and not "well-established" processes and standards with regard to mutual authentication! Especially the proposed usage as an online ID for citizens gives me a headache: if a user wants to use a certain service online, the SP must present a government-issued certificate as an access credential in order to read the citizen's ID information from the card (and to authenticate itself to the user). This process IS based on standard certificates, granted! But we have been using (or NOT using!) certificates for quite a while now...
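The access rule described in the last paragraphs (a certificate issued by a government authority grants the service provider the right to read a defined subset of the card's attributes, the card checks that right before releasing anything, and the holder still decides what is shown) is easier to reason about in code. The following is an added example written for this post, not BSI code and not an implementation of the TR-03110 protocols: it uses a Schnorr signature over secp256k1 as a stand-in for whatever signature scheme the real cards use, and the issuing authority, the service provider "shop.example", the certificate layout, the attribute names and the sample data for "Erika Mustermann" are all constructed for the illustration.

```python
# Added example, not BSI or TR-03110 code: a simplified model of the eID access rule
# (authority-signed authorization certificate, reader proves its key, selective release).
import hashlib, json

# secp256k1 parameters, used here as a stand-in for whatever curve the real cards use.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def _hash_int(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(part if isinstance(part, bytes) else part.to_bytes(32, "big"))
    return int.from_bytes(h.digest(), "big") % N

def sign(priv, msg):
    """Schnorr signature (R, s) over msg; the nonce is derived deterministically."""
    pub = ec_mul(priv, G)
    k = _hash_int(priv, msg) or 1
    r = ec_mul(k, G)
    e = _hash_int(r[0], r[1], pub[0], pub[1], msg)
    return r, (k + e * priv) % N

def verify(pub, msg, sig):
    r, s = sig
    e = _hash_int(r[0], r[1], pub[0], pub[1], msg)
    return ec_mul(s, G) == ec_add(r, ec_mul(e, pub))

def encode(cert):  # canonical bytes, so issuer and card sign/verify the same thing
    return json.dumps(cert, sort_keys=True, separators=(",", ":")).encode()

def issue_authorization(authority_priv, sp_pub, holder, rights, valid_until):
    """Hypothetical issuing authority: binds the SP's public key to a set of read rights."""
    cert = {"holder": holder, "pub": list(sp_pub), "rights": sorted(rights),
            "valid_until": valid_until}
    return cert, sign(authority_priv, encode(cert))

class EidCard:
    """Card side of the exchange; the attributes are constructed sample data."""
    def __init__(self, authority_pub, attributes, today):
        self.authority_pub, self.attrs, self.today = authority_pub, attributes, today

    def _value(self, name):
        if name != "age_over_18":
            return self.attrs[name]
        dob = self.attrs["date_of_birth"]  # derived claim: yes/no without revealing the date
        return self.today >= str(int(dob[:4]) + 18) + dob[4:]

    def release(self, cert, cert_sig, requested, consent, nonce, nonce_sig):
        if not verify(self.authority_pub, encode(cert), cert_sig):
            raise PermissionError("authorization certificate not signed by the authority")
        if cert["valid_until"] < self.today:
            raise PermissionError("authorization certificate expired")
        # Terminal authentication: the reader must prove it holds the key named in the certificate.
        if not verify(tuple(cert["pub"]), nonce, nonce_sig):
            raise PermissionError("reader could not prove possession of the certified key")
        allowed = set(cert["rights"]) & set(requested) & set(consent)
        return {name: self._value(name) for name in sorted(allowed)}

def demo():
    # Age-checking shop asks for more than it may read, the holder consents to less than it asks.
    authority_priv, sp_priv = 0x1A2B3C4D5E6F, 0x0F1E2D3C4B5A  # constructed demo keys
    card = EidCard(ec_mul(authority_priv, G),
                   {"given_names": "Erika", "family_name": "Mustermann",
                    "date_of_birth": "1964-08-12", "address": "Heidestrasse 17, Koeln"},
                   today="2010-11-01")
    cert, cert_sig = issue_authorization(authority_priv, ec_mul(sp_priv, G), "shop.example",
                                         ["age_over_18", "address"], valid_until="2011-11-01")
    nonce = b"card-challenge-constructed-for-the-example"  # a real card draws this at random
    return card.release(cert, cert_sig, requested=["age_over_18", "address", "family_name"],
                        consent=["age_over_18", "family_name"], nonce=nonce,
                        nonce_sig=sign(sp_priv, nonce))
```

Calling `demo()` returns only `{"age_over_18": True}`: the shop asked for three attributes, its certificate covers two, the holder agreed to two, and the single attribute in the overlap is answered as a yes/no claim rather than as the birth date itself. A tampered certificate, an expired one, or a reader that cannot answer the challenge with the certified key is refused before any attribute is read. What this model deliberately leaves out is everything that makes the real thing complex: the PIN-protected secure channel to the card, a certificate chain instead of a single pinned authority key, and the card's own proof of genuineness towards the reader.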
What makes the industry and politicians think that this pretty gift-wrapped PKI monster will be accepted by citizens, let alone online users? Every time I visit an XXX site that wants to validate my age, Mr. Schäuble gets an update on my misdemeanors? Oh yes, national security...
I guess when it comes to national security, we Germans are no more and no less suspicious about letting others peek into our cards than the US guys (or any other nation)...
Or is this just another case of engineering hubris, the kind that led to the TollCollect disaster and billions of euros of toll not being collected due to "engineering problems" with the now famous OBUs (on-board units) for the trucks rolling on our highways?
Sometimes I wonder whether this "protection of national interest" really helps to stay ahead of things, security-wise. OK, the tremendous amount of money spent INSIDE our borders helps our security industry, but by re-inventing the wheel over and over again? Well, before my writing becomes too cynical to have this published and before any federal agents "make a house call", I had better get this off my chest: the ePA will not only contain the (mandatory) eID functionality but will also provide you with an (opt-in!) personal digital certificate (yeah, right, one of those supporting the most successful legislation on electronic signatures I ranted about earlier). This is really a big advantage: 15 years after "riding a dead horse" (promoting qualified electronic signatures, QES) became en vogue in Germany, a new bright and shiny saddle and some silver spurs (aka indirectly government-issued digital ID certificates) shall help us ride that dead horse more efficiently. It looks like I am failing miserably at turning this post into something positive.
Oh, wait! There is hope! I will be able to use my cool new ePA with its eID to file my income-tax return electronically (ELSTER, Elektronische Steuererklärung). And the federal as well as the state governments are looking into setting up a bunch of publicly available services which I can authenticate to with my ePA.
Hopefully I am not the only technology-craving analyst to check these services out, as this little example helps to understand my concerns: one of the more senior and tech-savvy OmniCard attendees told me that he was very happy to be able to access his pension/retirement fund information with his QES card. He had recently been asked to decide within weeks' notice whether he would like to participate in a partial retirement plan his company offered. The paper inquiry to get the latest pension statements and an extrapolation of his future retirement funds would have taken 2-3 weeks, so the secure electronic access saved his day and provided him with early retirement! He was curious how many people actually use this service, and the quick answer he received was a bit scary: only a handful of people had ever used this way of secure access. My tax euros at work!
Anyway, the accompanying technology fair had some very interesting tokens to check out, and I brought some home for further evaluation. Especially a "ready-to-deploy" secure mobile banking solution from SIZ using a CertGate microSD with a JCOP chip raised my interest. A very close second place goes to Giesecke+Devrient for their secure mail+surf stick based on Firefox and Thunderbird with a (comparable) secure ID card, but using a USB stick as the interface. I will dive a little deeper with the samples I acquired; prepare yourself for the strong-auth/token report that we are compiling this quarter. Some shiny new toys might find their way to your desk for evaluation soon, either as a consumer or as an employee!