[Chapter-delegates] ISOC France consulted on "IDénum" by the Ministry

Lucy Lynch lynch at isoc.org
Thu Feb 25 07:51:06 PST 2010


On Thu, 25 Feb 2010, Patrick Vande Walle wrote:

>
>
> Dear Odile and Gérard,
>
> Three years ago, the Belgian authorities
> introduced the electronic identity card, with chip and PIN. Website here:
> http://eid.belgium.be/fr/ (French and Dutch). The only widespread use I am
> aware of is to allow people to file their taxes through the Internet. It is
> also used when requesting birth certificates, by the police for identity
> checks, etc. See for example the income tax web site:
> http://www.taxonweb.be/
>
> The adoption by the private sector has been very
> low. There once was a project between authorities and Microsoft to use this
> ID card to identify minors when they want to access adult discussion fora,
> but I am not sure it ever materialized. I know one insurance company where
> purchasing contracts online is possible with this ID card.
>
> In general,
> the public is quite reluctant to use such tools when they are unsure what
> it is being used for and by whom. The fact that its usefulness is limited
> to the home country is certainly playing a role, too.

There are a number of authentication related schemes being tested and
(as Patrick indicates) many of the more complicated (2 and 3 factor)
initiatives are tied to activities that require a high level of identity
proofing to protect both parties in a transaction. One would hope
that the required use is carefully scoped to protect both parties.

This sounds like an attempt to nationalize two steps from the classic
authentication chain:

     * Something you know (e.g. a password). This is the most common kind of
       authentication used for humans. We use passwords every day to access our
       systems. Unfortunately, something that you know can become something you
       just forgot. And if you write it down, then other people might find it.
     * Something you have (e.g. a smart card). This form of human
       authentication removes the problem of forgetting something you know, but
       some object now must be with you any time you want to be authenticated.
       And such an object might be stolen and then becomes something the attacker
       has.
     * Something you are (e.g. a fingerprint). Base authentication on
       something intrinsic to the principal being authenticated. It's much harder
       to lose a fingerprint than a wallet. Unfortunately, biometric sensors are
       fairly expensive and (at present) not very accurate.

(see: http://www.cs.cornell.edu/Courses/CS513/2005FA/NNLauthPeople.html)

and it stops short of the bio-metric data requirement.

As several folks have already indicated, chip+PIN has some known
security issues, so getting this right won't be easy.

> On the practical
> side, adoption may also have been slowed by the technical environment
> required. A limited choice of supported reading devices, operating systems
> and browsers means it is not easy to get it to work. See for example
> http://eid.belgium.be/fr/Comment_installer_l_eID/Quick_Install/ It fails
> the "clueless grandmother test" every time.

The Swiss have a program running that tries to put tools in the hands
of end users: http://www.swisssign.com/ but again, as Patrick says,
adoption is limited due to usability issues.

As end-users and service providers (including governments) continue to 
negotiate across the Internet with increasingly valuable user data (bank 
information, private health care information, etc.) the needs for 
verification, consent, and accountability will rise on both sides of the 
equation. In some cases, as an end-user, I want a high level of trust
before I share my valuable data!

I think it's a positive sign that government is inviting you into the 
process and I encourage you to monitor this effort and report back!

- Lucy

> Hope this helps,
>
> Gérard,
> congratulations on your election. Looking forward to meeting you
> soon.
>
> Patrick Vande Walle
>