Some thoughts about eID

Submitted by DenRaf on Tue, 02/05/2008 - 21:22

Phil Teuwen (not verified)

Wed, 02/06/2008 - 01:16

Well you don't get a new card just because you move.
You'll get a new card if you move AND forgot your PIN ;-)
Otherwise they just update the info on the card.

But you're perfectly right: you don't know if anybody else have your private key as well...

I did move half a year ago and had just to bring my card at the town-hall,
it took exactly 30 seconds (excluding waiting my turn) to change the addr of my card.

So it is changeable !

Btw, there are even empty slots for extra keys (gpg/cacert/...)

No, there is no need to distribute your public key separately as it is distributed with your signature. The only thing the other side needs is the public root-cert from Belgium.

But YES there are some (other) security design flaws in the system of the card. But that wasn't the main purpose of my reply

It's been a year since the first implementations around eID started showing up. Yeah indeed, just before FOSDEM or maybe that's just coincidence, but my thoughts are still the same.

I think, and I'm not alone in this case, there is a security flaw. And not just one that's quickly solvable, but a flaw in design. The thing is, you get your card with a private key and you just don't know who else has your key. Ain't it the goal of keys, that you create a private key and you distribute your public key?

And now some other really nice thing about it. It's not writable. Of course not you say, but listen up.

Say, you move to an other place. Wouldn't it be nice, to just be able to change that? I can understand you need to go to the city hall of your new place, and prove you come to live there, but that it is at least a quick write over. But no, it's not. You need to go back home, cause they have to order a new eID for you. After 2 weeks, you get your new card, with your new address, but also with a new private/public key pair. Now you can warn all your friends, who have signed your key, you have a new one, again.

So, instead of using an eID, use a smart-card with your own keys, this way you at least can control them.