Saturday, July 14, 2007

eCards and CardSpace

Yesterday, Friday 13th July 2007, I attended a workshop "Biometrics and eCards".

My main interest was the "eCard API", which is currently being standardized in Germany. This API is intended to standardize the access of applications to the cards issued by the German government. My first impression of the eCard API was that it is quite (!) complex. Building a compliant smartcard, reader and dll/jar/so looks challenging.
Several participants from the industry complained that the standardization process is not open enough and too late, and that the deadlines are too short. My impression was that everybody except the delegates from the BMI and BSI seemed to agree.

Why am I blogging about this here? Because I was happy to learn that Identity Management and Privacy could be found everywhere. It was certainly not the main focus of many talks, but CardSpace and SAML and WS-* etc. popped up here and there, and the people I talked to during the breaks all had profound knowledge of this.
This gave me the thought that current and future projects involving smartcards are not doomed from the beginning.
Germany was one of the first countries to have laws regarding electronic/digital signatures, but all projects (e.g. e-Vergabe) trying to utilize this and/or to make money from it (eCommerce/eGovernment) currently live in the dark and remote parts of public attention and economic success. By which I don't want to say that these projects are not necessary. They are important projects, but people and companies are reluctant to use them until they are forced to by law.

One new project I found especially interesting. Mr. Thomas Biere (BSI) gave a talk about "Bürgerportale" (citizen portals). One of the functions of the portal is that of an identity/attribute/claims provider. The federal government plans to have these portals operated by private companies which are certified by the government. Interesting. Mr. Biere said that they are talking to major ISPs about this.
I am curious how this will work out in the end. Will the Id/STS primarily be issuing the claims _it_ knows about a subject, or will the main focus be on the usage of government issued/asserted claims? Id/STS interoperability is planned to be left to the operators... Interoperability with the portals of Germany's states is an open issue too. Integration of other emerging solutions like openElster is open too.

There is a lot of work to do to make the identity revolution happen ;-)
But we will certainly be part of it. (Hm. Don't interpret this post too much in terms of what subsidiaries of Deutsche Telekom will do. These posts are _my_ posts.)


The Mad Scientist said...

The most "interesting" thing about German eCard standards is that in order for a server to send a signed message to another organization, the Germans use a human "hostage" as the official signer.

Fortunately, Scandinavian governments have rejected this method and use an organization-only signature, which is like a secure letterhead. Who is actually behind the message may be stated in the message itself.

In Germany, a paper invoice does not need a signature while an electronic ditto does. And it must of course be a hostage-signature, otherwise it would not be compliant with German signature laws.

Is the hostage-signature more secure than the org (only)-signature maybe? I would say no because the process of certifying an employee (ID+association) does not scale well and leads to zillions of trust anchors (click "yes" to enable this CA). To cope with that you need another thing that does not work well, the "bridge CA" concept.

Unknown said...

Hi Anders, I don't want to go into this too much, because I want the topics of this blog to be related to CardSpace, OpenId, Liberty Alliance, SAML, WS-* ...
I see your point but to my knowledge people are allowed to have multiple cards, which they can use to sign documents in different roles.
If you want to go deeper into this, then I suggest you create a post in your blog. -Axel

The Mad Scientist said...