1.
eID interoperability through open source software
Martin Paljak
OpenSC Project
www.opensc-project.org

2.
Quick background check
• Dealing with Estonian eID (1st generation) since 2003
• Involved with OpenID (“OpenID for Estonians, OpenID.ee”)
• Open source security/crypto/smart cards/identity software
• Maintainer/lead developer of OpenSC Project since 2010
• All opinions expressed are my own

3.
Agenda
• What is OpenSC
• Problems observed from earth
• Why open source matters
• How OpenSC can help

4.
OpenSC

5.
OpenSC
• Open source software (middleware) for cryptographic smart cards
• Developed by independent team of international volunteers

6.
OpenSC
• Open source software (middleware) for cryptographic smart cards
• Developed by independent team of international volunteers
• Provides standard interfaces for software developers and applications to
access cryptographic capabilities of smart cards
• Standards are published or defined by market

7.
OpenSC
• Open source software (middleware) for cryptographic smart cards
• Developed by independent team of international volunteers
• Provides standard interfaces for software developers and applications to
access cryptographic capabilities of smart cards
• Standards are published or defined by market
• Cross platform (Windows, Mac OS X, Linux/Unix)
• PKCS#11, CryptoAPI (minidriver), Tokend/CDSA

8.
OpenSC
• Open source software (middleware) for cryptographic smart cards
• Developed by independent team of international volunteers
• Provides standard interfaces for software developers and applications to
access cryptographic capabilities of smart cards
• Standards are published or defined by market
• Cross platform (Windows, Mac OS X, Linux/Unix)
• PKCS#11, CryptoAPI (minidriver), Tokend/CDSA
• PKCS#15 (ISO7816-15, IAS-ECC, PIV, EstEID, ...)
• Card personalization tools

9.
OpenSC
• Open source software (middleware) for cryptographic smart cards
• Developed by independent team of international volunteers
• Provides standard interfaces for software developers and applications to
access cryptographic capabilities of smart cards
• Standards are published or defined by market
• Cross platform (Windows, Mac OS X, Linux/Unix)
• PKCS#11, CryptoAPI (minidriver), Tokend/CDSA
• PKCS#15 (ISO7816-15, IAS-ECC, PIV, EstEID, ...)
• Card personalization tools
• “OpenSC has become the defacto open source smartcard provider”

10.
OpenSC enables applications!

11.
OpenSC enables applications!
• Firefox - HTTPS authentication
• Thunderbird - S/MIME signatures and encryption
• Google Chrome - HTTPS authentication
• E-voting - vote signing and authentication
• OpenSSH - authentication
• Safari - HTTPS authentication
• Mail.app - S/MIME signatures and encryption
• Outlook - S/MIME signatures and encryption
• Open(Libre)Office - digital signatures
• Internet Explorer - HTTPS authentication
• Adobe Acrobat - digital signatures
• OpenVPN - authentication
• Putty - authentication
• WinSCP - authentication

12.
Real life applications, right now.

13.
OpenSC supports*
• Estonian eID
• Finnish eID
• Spanish eID*
• Belgian eID
• Portuguese eID
• Italian eID
• IAS-ECC*
• PIV/CAC
• Latvian eID*
* - work in progress or other but-s or limitations

14.
Problems with eID software projects
• Initiation & execution
• Trust
• Sustainability
• Interoperability
• Innovation

15.
Regulators endorse execution, incl. open source.

16.
Initiation & execution

17.
Initiation & execution
• Reduced platform availability

18.
Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)

19.
Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)
• YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.

20.
Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)
• YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.
• Licensing (OpenSC LGPL)

21.
Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)
• YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.
• Licensing (OpenSC LGPL)
• Belgium

22.
Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)
• YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.
• Licensing (OpenSC LGPL)
• Belgium
• Spain

23.
Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)
• YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.
• Licensing (OpenSC LGPL)
• Belgium
• Spain
• Portugal

24.
Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)
• YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.
• Licensing (OpenSC LGPL)
• Belgium
• Spain
• Portugal
• Latvia

25.
Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)
• YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.
• Licensing (OpenSC LGPL)
• Belgium
• Spain
• Portugal
• Latvia
• Commercial vs public interest. Cost

26.
Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)
• YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.
• Licensing (OpenSC LGPL)
• Belgium
• Spain
• Portugal
• Latvia
• Commercial vs public interest. Cost
• Client software is complex and interweaved. Cost

27.
Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)
• YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.
• Licensing (OpenSC LGPL)
• Belgium
• Spain
• Portugal
• Latvia
• Commercial vs public interest. Cost
• Client software is complex and interweaved. Cost
• Keeping up with software changes is challenging

28.
Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)
• YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.
• Licensing (OpenSC LGPL)
• Belgium
• Spain
• Portugal
• Latvia
• Commercial vs public interest. Cost
• Client software is complex and interweaved. Cost
• Keeping up with software changes is challenging
• 1st iteration tends to “fail”

29.
Trust

30.
Trust
• STOP ABUSING THIS WORD!

31.
Trust
• STOP ABUSING THIS WORD!
• Opaque systems call for tinfoil hats

32.
Trust
• STOP ABUSING THIS WORD!
• Opaque systems call for tinfoil hats
• “How do I know that the software does not sign a transaction for 10000€?”

33.
Trust
• STOP ABUSING THIS WORD!
• Opaque systems call for tinfoil hats
• “How do I know that the software does not sign a transaction for 10000€?”
• Trust is essential for successful widespread adoption

34.
Trust
• STOP ABUSING THIS WORD!
• Opaque systems call for tinfoil hats
• “How do I know that the software does not sign a transaction for 10000€?”
• Trust is essential for successful widespread adoption
• Does not always mean “cryptographically assured”

35.
Trust
• STOP ABUSING THIS WORD!
• Opaque systems call for tinfoil hats
• “How do I know that the software does not sign a transaction for 10000€?”
• Trust is essential for successful widespread adoption
• Does not always mean “cryptographically assured”
• Who will be the first to publish on-card application?

36.
Trust
• STOP ABUSING THIS WORD!
• Opaque systems call for tinfoil hats
• “How do I know that the software does not sign a transaction for 10000€?”
• Trust is essential for successful widespread adoption
• Does not always mean “cryptographically assured”
• Who will be the first to publish on-card application?
• Ergo I’m no cloud believer

37.
Sustainability Interoperability

38.
Sustainability

39.
Sustainability
• Silos

40.
Sustainability
• Silos
• 27x same mistakes? Probably.

41.
Sustainability
• Silos
• 27x same mistakes? Probably.
• eID is infrastructure. “Estache” (“Seto”) the Estonian Apache?

42.
Sustainability
• Silos
• 27x same mistakes? Probably.
• eID is infrastructure. “Estache” (“Seto”) the Estonian Apache?
• University computer class = 27x “Elbonian card software”?

43.
Sustainability
• Silos
• 27x same mistakes? Probably.
• eID is infrastructure. “Estache” (“Seto”) the Estonian Apache?
• University computer class = 27x “Elbonian card software”?
• (PKI smart cards) eID is no CSS or HTML5

44.
Sustainability
• Silos
• 27x same mistakes? Probably.
• eID is infrastructure. “Estache” (“Seto”) the Estonian Apache?
• University computer class = 27x “Elbonian card software”?
• (PKI smart cards) eID is no CSS or HTML5
• Niche market, requires specific skills

45.
Sustainability
• Silos
• 27x same mistakes? Probably.
• eID is infrastructure. “Estache” (“Seto”) the Estonian Apache?
• University computer class = 27x “Elbonian card software”?
• (PKI smart cards) eID is no CSS or HTML5
• Niche market, requires specific skills
• Cost

46.
Sustainability
• Silos
• 27x same mistakes? Probably.
• eID is infrastructure. “Estache” (“Seto”) the Estonian Apache?
• University computer class = 27x “Elbonian card software”?
• (PKI smart cards) eID is no CSS or HTML5
• Niche market, requires specific skills
• Cost
• A plant only grows if you water it

47.
Innovation

48.
Innovation
• Commodity vs niche product
• Easily available, interchangeable

49.
Innovation
• Commodity vs niche product
• Easily available, interchangeable
• P2P vs platform
• SAML vs OpenID

50.
Innovation
• Commodity vs niche product
• Easily available, interchangeable
• P2P vs platform
• SAML vs OpenID
• eID must be ubiquitous to succeed
• Make awkward uses easy to implement

51.
Innovation
• Commodity vs niche product
• Easily available, interchangeable
• P2P vs platform
• SAML vs OpenID
• eID must be ubiquitous to succeed
• Make awkward uses easy to implement
• Does open source lead the innovation or jog behind the cool guys?

52.
Innovation
• Commodity vs niche product
• Easily available, interchangeable
• P2P vs platform
• SAML vs OpenID
• eID must be ubiquitous to succeed
• Make awkward uses easy to implement
• Does open source lead the innovation or jog behind the cool guys?
• Import vs export

53.
Innovation
• Commodity vs niche product
• Easily available, interchangeable
• P2P vs platform
• SAML vs OpenID
• eID must be ubiquitous to succeed
• Make awkward uses easy to implement
• Does open source lead the innovation or jog behind the cool guys?
• Import vs export
• Fibonacci innovation?

54.
How can OpenSC help?
• Grassroots community of specialists from different countries
• Share knowledge and experiences
• No politics. “Show me the solution that works”
• Joint lobby group to collaborate with other (open source) projects
• Make Firefox (close to 1/3 of the market) to fix their bugs
• A reference implementation
• Provide a common framework and platform for collaboration, interoperability
and innovation

55.
Thank you!
Questions?
opensc-project.org
@MartinPaljak.net