Domain: id.ee
Stories and comments across the archive that link to id.ee.
Comments · 14
-
Re:So
I found the source for their
.deb packages here https://installer.id.ee/media/... so it shouldn't be complicated to compile it on other linux distros. -
Re:So
Estonia has the least proprietary implementation - take a look at https://www.id.ee/?lang=en you can even compile the middleware from source, and on linux they interface with pcscd.
-
Re:Estonia
PS: A link to their National ID card management website: http://www.id.ee/
-
my method
I have a php page on my https server, it's a not published link, you have to know it to get to it. It has two forms, one for the domain name/website name/whatever identifier and one for my super secret password.
It generates a list of several hashes from the combination of the two inputs for use as passwords. A list in case a site is hacked or password expires or whatever. In that case I have to remember that web site requires the second instead of the first item on the list.
I also should not access the URL from a random virus ridden PC at some friend's place. In that case I could use my phone to generate the password. Though then I probably should not use that PC at all.
I use several hashes in sequence so there are no rainbow tables on google, not that my master password is weak. And I can use several master passwords for different kind of websites (amazon, paypal, etc vs randomtorrent.xxx, slashdot.org).
So, I don't know any passwords of any websites by heart and they are all different. I need to know a specific URL or have a the php file on hand and know the master password to generate the correct password. Kinda 2-factor auth!
It is a bit cumbersome, but I implemented the solution when a website where I used one of my generic passwords was hacked. They script kiddies recorded the passwords of users during logon and later the list username+passwords was published. Changing the passwords on all the websites (and websites I had forgotten I even had a account on) sucks.
I needed a system that I could use from anywhere and any device and used a unique password for each website. So I created a few lines of php. I also have the php file on another ssl server as a backup too.
And yes, should anybody hack the webserver and discover the php file and it's purpose I'll be fucked. They'll record the master password and then I've lost all the passwords. However I thinks it's still a better system than having the same password on many sites.
As for banks, internet voting (we don't have electronic voting, only paper ballot and internet voting, no atm like machines) and communicating with the state, well I live in Estonia which means I have an ID card but I prefer Mobile ID (private keys on a smart card and on a SIM card). Mobile ID rocks. The SIM card acts as a smartcard, so the private keys never leave it. Data exchange works via SMS, so I can use it pretty much anywhere in the world where there's internet and phone reception - and the PC doesn't ever see any passwords.
-
my method
I have a php page on my https server, it's a not published link, you have to know it to get to it. It has two forms, one for the domain name/website name/whatever identifier and one for my super secret password.
It generates a list of several hashes from the combination of the two inputs for use as passwords. A list in case a site is hacked or password expires or whatever. In that case I have to remember that web site requires the second instead of the first item on the list.
I also should not access the URL from a random virus ridden PC at some friend's place. In that case I could use my phone to generate the password. Though then I probably should not use that PC at all.
I use several hashes in sequence so there are no rainbow tables on google, not that my master password is weak. And I can use several master passwords for different kind of websites (amazon, paypal, etc vs randomtorrent.xxx, slashdot.org).
So, I don't know any passwords of any websites by heart and they are all different. I need to know a specific URL or have a the php file on hand and know the master password to generate the correct password. Kinda 2-factor auth!
It is a bit cumbersome, but I implemented the solution when a website where I used one of my generic passwords was hacked. They script kiddies recorded the passwords of users during logon and later the list username+passwords was published. Changing the passwords on all the websites (and websites I had forgotten I even had a account on) sucks.
I needed a system that I could use from anywhere and any device and used a unique password for each website. So I created a few lines of php. I also have the php file on another ssl server as a backup too.
And yes, should anybody hack the webserver and discover the php file and it's purpose I'll be fucked. They'll record the master password and then I've lost all the passwords. However I thinks it's still a better system than having the same password on many sites.
As for banks, internet voting (we don't have electronic voting, only paper ballot and internet voting, no atm like machines) and communicating with the state, well I live in Estonia which means I have an ID card but I prefer Mobile ID (private keys on a smart card and on a SIM card). Mobile ID rocks. The SIM card acts as a smartcard, so the private keys never leave it. Data exchange works via SMS, so I can use it pretty much anywhere in the world where there's internet and phone reception - and the PC doesn't ever see any passwords.
-
Re:Well as Phil Z. has said..The reason PGP, and GPG as well, fail is because PKI is just too difficult to setup and maintain
<snip>
IMO for the lack of secure options for communication are that corporations and governments don't WANT secure applications being adopted. Take Estonia, for example, where government has set up and is maintaining certificate based PKI infrastructure. When you receive a government issued ID card you can enroll for certificate free of charge. That certificate is then valid, among other things, for signing and encrypting email.So in this case the infrastructure would be there but there aren't that many users that would sign or encrypt their emails. I wouldn't say that the problem in this case is the government but the users. It's all there, free of charge, but people don't see any reason to start using it.
More details are available, in English, from the www.sk.ee and www.id.ee.
-
Re:Is it that much of a deal?I live in continental Europe and I have an ID card... Same here. In Estonia, the ID car allows me to do a lot of things fast and online. (for more, read http://www.id.ee/?lang=en)
I can sign documents (if I have no card reader available, I can use mobile phone and web), vote, travel, etc.
BTW, ALL of YOU have a SSI or an other similar ID number so why all this tin-hatt paranoia?
Do you really think that if you have 2 or more ID numbers (SS, Pasport, DL etc), your "privacy" is some how "protected"? Dear americanos, look what they do to you in your own country... do I even have to mention your airports? :) -
Re:What m-voting is and isn't
There's some more info about Mobile-ID system in same page:
http://www.id.ee/11000 -
What m-voting is and isn't
M-voting and E-voting aren't that different after all.
In case of E-voting, user identification is done using a smart card (to digitally sign your vote. And no, the procedures make sure no one can see how you voted.) With the so-called "m-voting", the crypto chip is simply in the mobile's SIM card, to eliminate the need for a smart card reader.
Here's a small (and somewhat disturbing) animation about how mobile-id works: http://www.id.ee/public/Mobiil_ID_multikas/ (in Estonian, but the visuals might still make sense) -
Re:How about this...No it does not!
m-ID is a technology that ties the national ID card with the SIM. This mean You can have only one valid m-ID AFAIK.
Just a little info about it http://id.ee/?id=10995.
PS! m-ID is allot better than the usual ID card as its always with you and does not need any special hardware
:) -
Estonian E-Voting System
If you want to know how proper Internet Voting System works, then read Estonian E-Voting System - General Description
The only prerequisite for a country to use the system is that it has to deploy PKI at first... -
some screenshots
-
Re:info?
Estonia has an electronic ID card. You can read about it here(in english) http://www.id.ee/pages.php/0303 and about Estonian Internet voting from here http://www.vvk.ee/elektr/docs/Yldkirjeldus-eng.pd
f -
Re:Copy-proof cards
Estonia is also planning to issue smart cards as national ID cards starting from 2002. The project's website has very limited information in English, but the card will feature asymmetric cryptography (as it is designed to be main instrument to implement the digital signatures passed into law on March 8, 2000) and currently the project is in stage of tendering offers from smart card producers.
Since I was involved in the initial research, I have a couple of useful links:
- Kömmerling's & Kuhn's paper Design Principles for Tamper-Resistant Smartcard Processors is probably something everyone has to read before speaking up on the issue of physical security of these things.
- Schneier's & Shostack's paper Breaking Up Is Hard To Do: Modeling Security Threats for Smart Cards is a good read on the logical security issues.