Interesting papers on Belgian EID by Pieter Verhaegen:
The Belgian e-ID card is a smart card that allows Belgian citizens to prove their identity and to sign electronic documents. Private information such as the owner's name, his address, a digital picture of the owner and his National Registry Number (Social Security Number) is stored on the card and signed by the government. Two PIN-protected key pairs allow digital authentication and signing.
Pilot projects for foreigner and kids e-ID cards are being executed.
To use the card in (web) applications the user needs a card reader and a middleware application (by the fedict government service). Applications typically interact with the card via an API offered by this middleware, which is documented in the developer guide.
The card's public keys are embedded in a certificate containing the RRN and the name of the card holder, signed by the government. The private keys can only be activated (not read) with a PIN code.
Some of Pieter's remarks
- The unique identity key is the National Registry Number (RRN). The Belgian Privacy commission states that this key may only be stored by applications after official approval by them (National register act of 8/8/1983, ammended 25/3/2003, art 5), as mentioned in the FAQ. The FAQ sugggests to use a hash instead of the RRN.
- As the RRN is not protected by the PIN, developers tend to think that just reading it is sufficient for authentication, rather that using client side SSL authentication.
- Once the authentication PIN is entered, the authentication certificate can be used multiple times without notifying the user. A malicious application might authenticate to other sites on the user's behalf
Some tips on using e-ID in an application.