Page 1: Insu Eid 20111018

© Fedict 2011. All rights reserved

EID in Belgium
INSU - Stockholm – 24/Oct/2011

Bart Hanssens

Page 2: Insu Eid 20111018

Introduction

Page 3: Insu Eid 20111018

Electronic ID Card (front)

Page 4: Insu Eid 20111018

Electronic ID Card (back)

Page 5: Insu Eid 20111018

Electronic ID Card

Compulsory
  8 million cards

Contact card

Basic info
  Name, address, gender, unique national number
  Low-res photo (no advanced biometrics)

2 Key-pairs
  Signing and authentication (same PIN code)
  No PIN-code caching for signing

Page 6: Insu Eid 20111018

Some applications

Tax on Web
  Most “popular”

Police on Web
  Report shoplifting, vandalism, bike theft

National e-Lottery

Loyalty card

Library card

Page 7: Insu Eid 20111018

Community

Almost all components are open source
  LGPL, not EUPL

Multi-channel support
  Helpdesk for middleware
  Google group / mailing list, Twitter, ...

Demo site, documentation, videos, ...

Page 8: Insu Eid 20111018

Components

Page 9: Insu Eid 20111018

Classic middleware

Open source
  LGPL, not EUPL

Windows, MacOS, Linux 32/64-bit
  User-friendly “quick install” available

Small SDK
  V3: own API
  V4: PKCS#11 v1.2

Issue: user still has to install it manually

Page 10: Insu Eid 20111018

Federal Authentication Service

SAML 2

eID card and token

Supported
  Federal, Regional, Municipalities

Page 11: Insu Eid 20111018

New architecture: IDP example

[Diagram; component labels: Browser, JBOSS, EID Card, IDP, Trust Service, Applet, Website, jtrust, OCSP, Belgium, Module]

Page 12: Insu Eid 20111018

Applet

Java SE 6

Communicates directly with the card
  No middleware required !

Supported on recent (desktop) browsers
  IE 7+, Firefox 3+, Chrome 9+, Safari
  Auto-installs correct JRE

Page 13: Insu Eid 20111018

Identity Provider

Uses Applet and Trust Service

JBoss 6 package

Communicates with Relying Parties (sites)

Multi-protocol
  SAML 2, OpenID 2, WS-Federation
  Integrators don't have to be eID experts !

Not available as service (yet)
  Best effort support

Page 14: Insu Eid 20111018

Trust

Trust Service
  Checks validity
  OCSP or (cached) CRL

jTrust library
  CRL
  Validation of X509 certificates
  Alternative to Java Certification Path Validator API

Page 15: Insu Eid 20111018

Drupal eID – IDP module

Will be released as open source
  NOT the Coworks module on Drupal.org

Reuses Drupal's openid code
  But “core” openid module must be disabled

User-friendly:
  Log in button: no need to remember URL
  Self-registration with eID

Mapping of eID info to Profile module fields
  OpenID AX Schema

Page 16: Insu Eid 20111018

Digital Signature Service

Uses Applet, Trust and Timestamp Service

XAdES-X-L

Sign any XML “document”
  ETSI ASiC (ZIP)
  ODF / OOXML
  Define your own format

Visualisation
  Admin can register trusted XSLTs
  Optionally: embed eID photo
  “green mark” in OpenOffice / MS-Office

Page 17: Insu Eid 20111018

Demo: Drupal and eID

Page 18: Insu Eid 20111018

Step 1: push beID button

Page 19: Insu Eid 20111018

Step 2: insert eID card

Page 20: Insu Eid 20111018

Step 3: enter PIN code

Page 21: Insu Eid 20111018

Step 4: enter email address

Page 22: Insu Eid 20111018

More info

Page 23: Insu Eid 20111018

References

http://eid.belgium.be

http://code.google.com/p/eid-applet/

http://code.google.com/p/eid-idp/

http://code.google.com/p/eid-dss/

http://code.google.com/p/jtrust/

https://www.e-contract.be

Page 24: Insu Eid 20111018

Questions ?

Page 25: Insu Eid 20111018

Thanks !

Fedict – Federal Public Service ICT
Maria-Theresiastraat 1/3
1000 Brussels (Belgium)
www.fedict.be

bart.hanssens[at]fedict.be | @BartHanssens

