eID
Another thing I had to do was a feasibility study on eID. This means I had to look into this technology, research what the possible uses are, if they can be implemented and how they have to be implemented.
The eID project is an initiative from the Belgium government, to replace the current passport of every citizen by an eID card. This is a smartcard which looks like the current Belgian passport, and contains certificates and identity data on its chip. Main functionalities of the eID card are data capture, authentication and digital signature.
Data capture is used in applications to read identity data from the card, such as name, address, gender and others. This gives an advantage to business applications which use this data, because it takes less time to enter the data, and no more typing errors can occur.
Authentication is done by using a certificate on the card. When the private key of the certificate is accessed, the eID middleware, provided by the government, will show a dialog asking for the PIN code of the card. Normally, only the owner of the cards knows this code, and can allow access to the private key. Authentication could be used on websites, physical locations, client-server applications and others.
A digital signature can be used to proof that some content originates from a certain user and has not been modify along the way. Possible uses are signing an email or a document. With eID, a digital signature has the same legal proof as a written one.
Every eID card contains an authentication and digital signature certificate, signed by the Citizen CA, which itself is signed by the Belgium Root CA.
When a citizen request and eID card at his municipality, it gets registered at the population registry, which requests a new certificate. After this a citizen can logon to a website, which will validate the certificate trough the OCSP protocol with the CA.
On the eID file system there are two main directories. One contains the specific user data in a proprietary format and the other one is PIN protected and contains the certificates.
Windows applications can use the Crypto API to access the certificates while everything else can use PKCS#11. There are also toolkits which hide the internal workings of the card.
A certificate always has to be validated, meaning the validity period has to be checked and the serial number of the certificate has to be checked with OCSP or against a CRL.