Belgian eID

Belgian eID is part of the efforts of the government for Belgian eGov

Officials

• Official eID portal
• Certificates
• eID services
• Revocation lists and OCSP server

Usage & Software

• Middleware & developer's kit
  • Debian packaged
• eID configuration toolkit by Novell
• Danny De Cock's page on eID (same as http://www.godot.be)
• short intro
• how to use the eID card within your .NET apps

Articles

• Belgian eID and privacy
• ADAPID project

Misc

• http://www.foo.be/eID/

My attempts under Linux

I'm using the IDream ID-SMID01 SmartCard reader, bought for 10€

Installing beidgui and dependencies:

apt-get install beidgui
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd 
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

Exploring

pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2

Firefox security module

To add the security module to Firefox:

apt-get install libbeid2-dev libbeidlibopensc2-dev

Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

If I try to connect to federal sites like Tax-on-web, being identified by my card, I get an error -12222 even before I'm prompted to type my PIN, is it because my certificates are revoked?

SSH

Inspired from http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):

Package: openssh-client-sc                                                          
Architecture: any                                                                   
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...

I recompile ssh with smartcard support.

apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot

Sending my public key to the ssh server:

pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'

Then logging, being prompted for my PIN:

ssh -I 0 user@host.com

TODO

http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids