© Fedict 2011. All rights reserved
EID in Belgium
INSU - Stockholm – 24/Oct/2011
Bart Hanssens
Introduction
Electronic ID Card (front)
Electronic ID Card (back)
Electronic ID Card
Compulsory
  8 million cards
Contact card
Basic info
  Name, address, gender, unique national number
  Low-res photo (no advanced biometrics)
2 Key-pairs
  Signing and authentication (same PIN code)
  No PIN-code caching for signing
Some applications
Tax on Web
  Most “popular”
Police on Web
  Report shoplifting, vandalism, bike theft
National e-Lottery
Loyalty card
Library card
Community
Almost all components are open source
  LGPL, not EUPL
Multi-channel support
  Helpdesk for middleware
  Google group / mailing list, twitter, ...
Demo site, documentation, videos, ...
Components
Classic middleware
Open source
  LGPL, not EUPL
Windows, MacOS, Linux 32/64-bit
  User-friendly “quick install” available
Small SDK
  V3: own API
  V4: PKCS#11 v1.2
Issue: user still has to install it manually
Federal Authentication Service
SAML 2
eID card and token
Supported
  Federal, Regional, Municipalities
New architecture: IDP example
[Diagram labels: Browser, JBOSS, EID Card, IDP Trust Service, Applet, Website, jtrust, OCSP, Belgium, Module]
Applet
Java SE 6
Communicates directly with the card
  No middleware required !
Supported on recent (desktop) browsers
  IE 7+, Firefox 3+, Chrome 9+, Safari
  Auto-installs correct JRE
Identity Provider
Uses Applet and Trust Service
JBoss 6 package
Communicates with Relying Parties (sites)
Multi-protocol
  SAML 2, OpenID 2, WS-Federation
  Integrators don't have to be eID experts !
Not available as service (yet)
  Best effort support
Trust
Trust Service
  Checks validity
  OCSP or (cached) CRL
jTrust library
  CRL
  Validation of X509 certificates
  Alternative to Java Certification Path Validator API
Drupal eID – IDP module
Will be released as open source
  NOT the Coworks module on Drupal.org
Reuses Drupal's openid code
  But “core” openid module must be disabled
User-friendly:
  Log in button: no need to remember URL
  Self-registration with eID
Mapping of eID info to Profile module fields
  OpenID AX Schema
Digital Signature Service
Uses Applet, Trust and Timestamp Service
XAdES-X-L
Sign any XML “document”
  ETSI ASiC (ZIP)
  ODF / OOXML
  Define your own format
Visualisation
  Admin can register trusted XSLTs
  Optionally: embed eID photo
  “green mark” in OpenOffice / MS-Office
Demo: Drupal and eID
Step 1: push beID button
Step 2: insert eID card
Step 3: enter PIN code
Step 4: enter email address
More info
References
http://eid.belgium.be
http://code.google.com/p/eid-applet/
http://code.google.com/p/eid-idp/
http://code.google.com/p/eid-dss/
http://code.google.com/p/jtrust/
https://www.e-contract.be
Questions ?
Thanks !
Fedict – Federal Public Service ICT
Maria-Theresiastraat 1/3
1000 Brussels (Belgium)
www.fedict.be
bart.hanssens[at]fedict.be | @BartHanssens