My Hackergotchi

Updated: Never — Philip's Blog

Now featuring regular updates!

Tue, 30 Sep 2008

17:12 – The eID saga continues

Christophe would like me to clarify why I feel you should distrust your Belgian eID card. Is "blogging" the new Usenet? This interaction feels a bit like "letters to the editor".

That aside, however.

I have no particular problem with the eID being a smartcard. The fact that most "variable" data about my identity is stored on a chip rather than printed on the card is probably even an improvement. No need to get a new card issued when moving, for instance. Unlike the old card, it's also a standard size and it fits in my wallet.

My problem is that the certificates can't be trusted.

It is unacceptable that the keys have been generated by someone other than me. This basically cripples the foundations of PKI from the get-go. But this is only the tip of the iceberg.

Of particular interest in Christophe's post is this:

Knowing that the government can create their own certificates (you do thrust [sic] them as a CA) they can easily generate new certificates that contain 'valid' data. There is no need to keep the private keys of the population to perform identity hijacking.

Why on earth would I trust the government's CA? Even if I happen to trust the CA, why would I trust the certificates signed by it?

Aside: I don't consider the fact that the government has innumerable ways of impersonating me to be a valid excuse for handing them yet another way.

The key point is "trust": a certificate does not automatically become "trusted" just because a CA has signed it.

Remember the role of a CA in the PKI model: the CA verifies that the entity controlling the private key of a certificate matches the owner of that certificate. Control over the private key is the critical point. In addition to verifying the ownership of the certificate, the CA should really also verify the owner's crypto-hygiene. Since that is not possible, a CA signature alone does not make a certificate trusted.

When you "trust" a CA, you trust it to verify the owner. Unless you also trust the private key to only be under the control of the owner, you still can't trust the certificate.

What then is the point of a CA? It saves you from the tedious and potentially time-consuming task of verifying the identity of the certificate owner. You should still verify that the owner can be trusted. If the owner prints his private key in the morning paper, can you trust his certificate?

You might trust the Belgian government to verify ownership of the certificate, but you know you can't trust it to verify control over the keys. This makes the certificates worthless.

The authentication key can't be trusted to authenticate against a system because you did not generate it and you don't know how many copies of the private key are in circulation. Anyone with control over the private key can authenticate as you on any system you configure to trust the public key.

The signature key is even worse because the law requires people to trust it. Think about that for a moment. Anyone with control over the private key you didn't generate can enter into legally binding contracts pretending to be you and legally, the people they are entering into these contracts with have to accept that they are you, even if they know that the certificate cannot be trusted because the private key is suspect.

The fact that nobody ever checks CRLs makes these "third-party generated keys" even more problematic. If the machines which generate the keys are compromised, someone can generate and sign a certificate purporting to be me of which I'm not even aware and use it to sign legally-binding contracts as me. And even people who know better than to trust a certificate only on the say-so of a CA signature are legally required to accept this signature as being made by me.

That is why it is not enough to simply get your key revoked -- you should keep proof that you have revoked your keys. It will still be a serious pain in the ass to prove that the signature was not made by you, but your empty smart card and the piece of paper at least allow you to retain some form of control over your identity.

PKI systems only work if the private key is secure. Certification authorities don't tell you that a certificate can be trusted, they only tell you that the certification authority believes that the certificate is owned by entity named on it.

I find it incredibly scary that the law equates the presence of a CA signature with a trustworthy certificate. Which brings me rather neatly to another rant-worthy subject "EV certificates" being "trusted" by webbrowsers.

When a website presents you with an "EV certificate", it will turn the address bar green and claim the certificate can really be trusted. This is total madness. The only difference between an "EV certificate" and a "normal" one is the price and the level of identify verification undertaken by the CA. I have yet to encounter the first CA which verifies the private key hygiene of applicants.

Users are sheep. They will see the green bar and say "ah, trusted"! The fact that they may be trusting someone who had an unencrypted copy of his private key on a USB stick he forgot on the train yesterday is a minor irrelevant detail. Nothing to worry about.

Generate your own keys. And don't trust certificates whose keys you don't trust. Actually, just trust nobody.

[ category: /activism | 16 comments on this entry ]

Unfortunately I do need my EID in order to file VAT-declarations, Jaarrekeningen, Tax-declarations via the internet.
Or would you prefer that this information was send by snail-mail to the VAT-office, NBB and Tax-office?

Posted by wannes at Wed Oct 1 09:11:56 2008
Wannes: I outsource such things to trained professionals.  I honestly don't care how they get to where they're going.  Postal pigeon works for me.  As long as they get there.  I would prefer not to put my identity up for grabs for the sake of minor conveniences.

Posted by Philip Paeps at Wed Oct 1 10:35:40 2008
@Wannes

I do all those things by old-fashioned snail-mail paper ways...  because I do not trust the digital systems the government created.

Posted by guy at Wed Oct 1 10:42:22 2008
Philip,

Do you use a blacklist for your comments? If so: do you mind sharing it because my comment got rejected ...
I presume one cannot enter the word "taxes" in your blog? :-)

Posted by wannes at Wed Oct 1 11:47:19 2008
Wannes: yes - I use a blacklist, but it's hopelessly buggy.  You are not the only person to complain about it.  I will spend some time to fix it "Any Decade Now"[tm].  It's a bit difficult to share the blacklist as a comment since naturally it will be rejected. ;)

Posted by Philip Paeps at Wed Oct 1 11:58:54 2008
Note that if your comment contains blacklisted words, the rejection will say it was blacklisted.  If the captcha system was moody, it will just say "rejected".  Another bug which needs fixing some year.

Can you tell I don't like "web interfaces"?  I rather fix bugs in my kernel.

Posted by Philip Paeps at Wed Oct 1 12:00:15 2008
I encounterd both rejections: blacklist and your refresh-some-more-until-the-fibonacci-question-comes-up-again-captcha

I'll try to split my comment to work out where the dangerous word is :)

Posted by wannes at Wed Oct 1 12:23:53 2008
@Philip. I am one of those trained professionals ;-) I can assure you most mordern-aged accountants/bookkeepers file everything via the internet. The fact that you get an instant receipt is one of the advantages.

You probably signed a power of attorney (volmacht) for one of the professionals in order to let them represent you. Do you trust them (and their handling of certificates?) and are willing to give them complete possibility to file your tax-declarations with their EID ?

Posted by wannes at Wed Oct 1 12:24:31 2008
For the record: I understand your complaints and ill feelings with the Belgian EID, (and share them in some ways). But for some people it is impossible to work without them.

Posted by wannes at Wed Oct 1 12:25:48 2008
Almost there. The dangerous word in Philip's blacklist is hidden in this phrase:

@Guy: now you can. In the future it will no longer be possible to file tax-declarations the snail-mail-way. As an added bonus: filing "jaarrekeningen" via the internet is c h e a p e r.

Posted by wannes at Wed Oct 1 12:31:36 2008
I don't dispute that using certificates and such is easier and c h e a p e r than the paper way, but the wide-scale deployment of certificates with untrustworthy keys is the problem.

In a "proper" PKI system, the citizen who needed certificates (ie: only accountants and such) would generate a keypair and take a certificate signing request to the government.  An official would verify his identity and cause it to be signed with the government CA.

Additionally, the certificates would only be used for individual-government communication, not individual-individual communication.

This still doesn't solve the private key problem.  You can't trust every citizen to securely handle his private key.  Many citizens use Microsoft "Windows" and other broken systems.  These cannot be trusted to generate secure private keys.  So there would have to be education and probably a form of testing and licensing.

I see PKI for government communication working only for very limited use-cases and very specific groups of people.  Like accountants.

Currently, the system is totally flawed.

Posted by Philip Paeps at Wed Oct 1 13:25:34 2008
My accountant does have my permission to file my taxes for me, but I still need to sign paper copies.  If the filed copies turn out not to match the paper copies, I hope my signature on the signed paper will be sufficient proof that they are the "true copies".

You cannot enforce non-repudiation in a broken PKI system with untrustworthy keys.  You can't repudiate that something was signed with a certain key, but you can argue that the key was not under the control of its stated owner.

Posted by Philip Paeps at Wed Oct 1 13:28:37 2008
Why should you not trust the government? It is bound by the law, and the law is written by representatives of the people who demand the right to privacy and the rule of law. Unlike a commercial entity, it has nothing to gain from impersonating you.
I think you worry more about the technical competence of the employees of and consultants for the state. Well, impersonating someone or otherwise abusing their privileged access to information is a crime.
You are wrong if you state that if someone impersonates you with a copy of your private key, you are legally bound to what they sign in your name. If someone forges your autograph on a piece of paper, you have the same problem, and that forgery is just as illegal. Either way, you need to prove that you did not sign that document in a court of law.

Posted by Zombie at Sat Oct 4 11:45:38 2008
This threath is as hypothetical as your life: non-existing. Do you get off at producing this kind of crap?

Oh, and do you want some cheese with your whine?

Greetz,
Bill

Posted by Bill Gates at Sun Oct 5 02:48:54 2008
Zombie: I don't trust the government because I don't trust anybody.  And I do trust the people working for the government even less than the government itself.  It may be a crime to impersonate people, but that doesn't mean we should make it easier for them.  It is significantly easier to prove (handwriting analysis) that someone didn't sign something using a pen than proving that someone didn't sign something electronically.  There is nothing linking an electronic signature to "me".

"Bill Gates": I don't expect a Microsoft user to understand.

Posted by Philip Paeps at Sun Oct 5 14:23:05 2008
Zombie: I will give you four reasons not to trust the government:
* one
* nine
* eight
* four

Posted by Amedee at Tue Nov 11 02:14:26 2008

Name:

Email:

URL:

Comment:


Prove that you are not a spammer: