YobiWiki - User contributions [en]

Belgian eID

2008-03-05T07:48:18Z

212.71.5.64: /* Thunderbird security module */

Belgian eID is part of the efforts of the government for [[Belgian eGov]]
==Officials==

* [http://eid.belgium.be Official eID portal]
* [http://repository.eid.belgium.be/FR/Index.htm Certificates]
* [http://status.eid.belgium.be/ eID services]
* [http://crl.eid.belgium.be/ Revocation lists] and [http://ocsp.eid.belgium.be/ OCSP server]
* [http://eid.belgium.be/fr/navigation/documents/37129.html Circulaires (fr) eID Home / Villes et communes / Quoi / Circulaires] Among others: 3) FORMULAIRE DE RENONCIATION AUX CERTIFICATS DE LA CARTE D’IDENTITE ELECTRONIQUE AU MOMENT DE LA DEMANDE DE LA CARTE 10) MODELE D’ATTESTATION D’ACTIVATION OU DE REVOCATION DES CERTIFICATS APRES ACTIVATION DE LA CARTE 11) MODELE D’ATTESTATION DE SUSPENSION ET DE REACTIVATION DES CERTIFICATS
* [http://www.certipost.be CertiPost], by Belgacom & La Poste/De Post
** [http://www.certipost.be/x500/X500.html Certipost E-Trust™ Public X500 Directory Search]

==Usage & Software==

* [http://www.belgium.be/zip/eid_datacapture_fr.html Middleware & developer's kit]
** There are also Debian packages, cf below my tests under Linux
** [http://developer.novell.com/wiki/index.php/EID-belgium eID configuration toolkit by Novell]
* [http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/WebHome Danny De Cock's page on eID] (same as http://www.godot.be)
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396900.aspx short intro]
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396901.aspx how to use the eID card within your .NET apps]

==Misc==
* http://www.foo.be/eID/ Official data, spec sheet etc (outdated)
* [http://belsec.skynetblogs.be/tag/1/E-ID Belsec blog entries] about the eID
* [http://www.uvcw.be/no_index/e-communes/dossier_eid/Belgian_eID_Run-time_Users_guide.pdf Belgian E-ID runtime guide windows/linux pdf]
* [http://www.porvoo8.rrn.fgov.be/porvoo8/doc13/09_porvoo8-bruegger18_Italy.pdf Open source interoperability and E-ID pdf]
* [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/belpic_eid_version_numbering_v1.5.2.pdf The versioning of E-ID pdf]
* [http://porvoo10.net/p10/10_porvoo10-bud-25.pdf The road to European E-ID interoperability pdf]
* [http://www.microsoft.com/belux/nl/eid/ Microsoft and the eID], just an old marketing buzz? (I wouldn't complain...)
* [http://samba.grep.be/~wouter/beid-screencast.ogg], BeID screencast of what should have been shown at Fosdem 2008, by Wouter. (still waiting for the video of the presentation...)
* [http://www.lalibre.be/societe/cyber/article/404626/la-carte-d-identite-electronique-permettra-de-s-enregistrer-sur-ebay.html] La carte d'identité électronique permettra de s'enregistrer sur eBay

==I revoked my certificates==
===Why?===
Because at that time I knew too few on the details of the eID architecture and too much about how a new security architecture can have flaws, so better to stay away for a while, especially given the legal implications that the eID can bring. I knew they were talking about two certificates without understanding their difference, so let's revoke both. Note that it doesn't mean my eID is not valid, eID card activation is mandatory. The eID card is a proof of identity and residence of a person in Belgium. eID certificates activation is a choice of the holder of the eID (opt-in), he/she can decide to activate or revoke the certificates. (cf [http://www.certipost.be/dpsolutions/en/eid-faq.html FAQ])
===How?===
It was quite epic.
 I was still a bit prepared, hopefully, so I had printed the Annexes 3 & 10, the legal forms to ask either to renounce to have the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil servants :-)
 I printed both as for me it was not clear from the User Manual how to renounce for the certificates.
* [Me] Good morning, I come for my eID and... I want to get rid of the certificates
* [Her] You what? Is it possible? Never heard about that
* [Me] Yes, yes, see (and I show her what's in her User Manual)
* ... (takes a while to digest the info)
* [Her] Ha ok, you've to fill Annex 3, (shouting behind her shoulder) JOSETTE, DO WE HAVE ANNEX 3???
* [Josette] ANNEX WHAT??
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/03_-_FORMULAIRE_RENONCIATION_CERTIFS.pdf Annex 3 (pdf)])
* ... (meanwhile she has no idea what to do on the eID to fulfill renouncement and I agree with her, the Manual was unclear so we went for activation+revocation)
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/10_-_Attestation_activ_Certificats(18-10)_27-07.pdf Annex 10 (pdf)])
* [Her] Can I take your copies before you fill them? I'll make copies for ourselves.
So today the official Annex 3&10 forms of this civil office are mine :-D Who knows, maybe I crafted the form... ;-)

It is "funny" to see that everywhere the activation of the certificates is presented as optional, the choice being left to the citizen, blablabla, but in reality most of the citizen just don't know about this possibility (and most of the civil servants, well I hope that since my story, things have evolved a bit) and the civil servants doesn't ask you the question.

===Some details about those certificates===
The eID contains 2 signature certificates, so you cannot encrypt with them, just sign.
* One labeled "Authentication" is for daily use
** To log in on SSL websites such as [http://minfin.fgov.be/taxonweb/ Tax-on-web] or [http://www.saferchat.be SaferChat] or even your bank e.g. [http://www.keytradebank.com/pdf/eID_en.pdf Keytrade has implemented it (pdf)] with CRL check
** For signing mails with S/MIME
** For your own purpose, to log on your SSH server, SSL server, VPN etc
* One labeled "Signature" is for special cases
** It has a equivalent legal value as a hand-written signature and is referred as non-repudiation signature.
** According to [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/applicability_en.pdf CertiPost applicability guidelines (pdf)], the electronic signature still cannot replace a hand-written signature in a number of cases
**It's automatically revoked for minors under 18 years as they cannot sign legally yet.
**From [http://www.certipost.be/dpsolutions/en/eid-faq.html Certipost FAQ]: ''Non-repudiation guarantees that one cannot deny having performed an act. E.g. any message signed using a person's digital signature can only have come from this person. The signing person can not claim that the message was not originated by him. In other words, non-repudiation means that information '''cannot be disclaimed''', similar to a '''witnessed''' handwritten signature on a paper document.'' ''to be checked in the law''
** Normal pkcs software doesn't seem to be able to use it (?)
** Should be used only through the Government software which prompts you with a special GUI and warnings about the legal power of this signature
* [http://www.certipost.be/dpsolutions/en/rem-overzicht.html CertiPost e-Registered mails] is using the non-repudiation signature
* [http://www.certipost.be/dpsolutions/en/e-signing-overview.html CertiPost e-Signing] is using the non-repudiation signature
* Both are protected by the same PIN which is typed on your (unsafe) PC

===What says the law===
Sorry, here are french version abstracts.
 '''9 JUILLET 2001. - Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification''', date de publication au Moniteur: 29 septembre 2001
 Morceaux choisis:
* Art. 4. § 1er. A défaut de dispositions légales contraires, nul ne peut être contraint de poser un acte juridique par voie électronique.
* § 4. Sans préjudice des articles 1323 et suivants du Code civil, une signature électronique avancée réalisée sur la base d'un certificat qualifié et conçue au moyen d'un dispositif sécurisé de création de signature électronique, est assimilée à une signature manuscrite, qu'elle soit réalisée par une personne physique ou morale.
* § 5. Une signature électronique ne peut être privée de son efficacité juridique et ne peut être refusée comme preuve en justice au seul motif :
** que la signature se présente sous forme électronique, ou
** qu'elle ne repose pas sur un certificat qualifié, ou
** qu'elle ne repose pas sur un certificat qualifié délivré par un prestataire accrédité de service de certification, ou
** qu'elle n'est pas créée par un dispositif sécurisé de création de signature.
* ''Wait a minute, ANY electronic signature NOT being based on a qualified certificate and NOT created in a secure environment CANNOT be refused as a legal proof??? Maybe it's me or the triple-negation sentences (lawyers, lawyers...) but it looks like § 5 goes much further than § 4''

===What do I think today?===
====Catastrophe scenario====
* Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
** you know, the kind of stuff that never happens, anyway it's now [http://eid.belgium.be/fr/navigation/documents/39814.html your problem] even if the official middleware [http://blog.didierstevens.com/2007/12/31/how-can-i-trust-the-beid-runtime/ is not signed]
**And apparently even some readers with integrated keypads are [http://belsec.skynetblogs.be/post/5426553/belgian-eid-nr-11--keyloggers-work-with-eid not safer :-(]
**And apparently even commercial standalone smatcard terminals are [http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf not safer :-( (pdf)]
**And, oh, I did a small test with [[Keyloggers|lkl, a userland keylogger]] and of course the PIN typed into the beid graphical prompt could be easily captured.
* He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
* Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
* The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.

====So what will I do next time?====
* I'll probably accept the Authentication certificate to be able to play around with it.
* For sure I'll revoke the Signature certificate unless they change their architecture.
** Not the same PIN than the other certificate.
** Better than 4 digits (& 3 attempts so 3 chances over 10000)
** Probably they limited themselves to one single small PIN in order to pass the [http://www.kafka.be Kafka test] ;-)
** Even then:
*** Then I could use it but only on trusted devices, that's another story...
*** You get the PIN & PUK by post if I remember well, this could be eavesdropped but you can change your PIN... So as the PUK can unlock the PIN 12 times, the attacker has 36 chances over 10000, one over 278, mmm... And who said humans can generate random PINs? ;-)

===Privacy and other security considerations===
* [http://idcorner.org/2005/07/04/the-belgian-eid-card-calamity/ Another] [http://www.idcorner.org/?p=121 consideration] I didn't talk about yet: PRIVACY
* Whoever sees your public certificate (which happens e.g. if you log to a SSL website with your card or '''if you simply send a signed email''') sees your [http://www.ibz.rrn.fgov.be/ RRN ("rijksregistratienummer")] BTW here is [http://fr.wikipedia.org/wiki/Num%C3%A9ro_de_registre_national how it's constructed]: It is a total of 11 numbers of which the first 6 are your birthdate JJMMDD followed by three numbers to distinguish the people that were born on the same day (even for men, uneven for women) and the last two numbers are a control number. So if you know the birthdate and the sex of the person, and you know how the control sum is done (97-JJMMDDXXX%97), you only miss two and a half numbers coming from a linear incremental counter (001, 003,...) to recompile his national register number. For mine it takes less than 40 attempts it you proceed logically...
* [http://minfin.fgov.be/taxonweb/ Tax-on-web] announce it but what about the others and your mail correspondants? ''Suite à l'utilisation de votre moyen d'authentification (carte d'identité électronique ou token citoyen), le SPF Finances a connaissance de votre numéro de registre national. Conformément à l'arrêté royal du 25/04/1986 autorisant certaines autorités du Ministère des Finances à utiliser le numéro d'identification du registre national des personnes physiques, votre numéro de registre national n'est utilisé dans ce contexte qu'à des fins d'identification pour l'accès aux applications du SPF Finances. La loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel s'applique à ce traitement d'identification dont le responsable est le SPF Finances, Boulevard Albert II, 33 à 1030 Bruxelles.''
* Other "funny" facts: Belgium government doesn't bother about cross-certification with any common Root CA so when you want to visit an official site supposedly secured such as https://ccff02.minfin.fgov.be/CCFF_Authentication/choseLoginMethod.do or https://mijndossier.rrn.fgov.be you're kindly asked to blindly trust the certificate, years after phishing was invented, sigh...
* And even "better": for Firefox, [http://www.certipost.be/dpsolutions/en/e-signing-faq.html CertiPost e-Signing] requires you to download and install their CA certificate and to trust it for identifying everything: web sites, mail users and software! Here the download of the CA certificate is done... on pure http, sigh...
* [https://www.cosic.esat.kuleuven.be/adapid/ ADAPID project] is a consortium of researchers and industry representatives in Flanders decided to take action in an attempt to help avoid a national privacy calamity. After a first (non-public) report, the ADAPID project won the financial support of IWT-Flanders. ADAPID officially started July 1st, 2005 and will run until June 30th, 2009.
* Normally the third and definitive version of the eID should have been rolled out begin of this year (2008) but I've no idea what are the changes.
* [http://www.cirb.irisnet.be/site/fr/eid/ethicalid/index_htm Ethical-ID] is a software which presents to the e.g. swimming pool employee the only relevant data e.g. the residence city.

==My attempts under Linux==
I'm using the [[IDream ID-SMID01 SmartCard reader]], bought for 10€

Installing beidgui and dependencies:
apt-get install beidgui beid-tools
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

UPDATE: There is a version 2.6.0-3 available in unstable
apt-get install -t unstable beidgui beid-tools

There are 2 (optional) daemons provided with beid-tools:
* beidcrld Automatic CRL download
* beidpcscd The privacy filter monitors all commands sent to the card. When an application requests to read the identity data, address or photo from the eID card, the filter will display a message and ask the user's consent it's listening on port tcp 2500 and beidcrld, firefox-bin and icedove-bin are constantly speaking with it...

===Exploring===
pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2
# For a little demo...
beid-pkcs11-tool --slot 0 --login --test
There is also some java support but I couldn't try it yet.

===Firefox security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
 cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
 You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

You can then connect to federal sites like [http://minfin.fgov.be/taxonweb/ Tax-on-web] or the [https://mondossier.rrn.fgov.be RRN], being identified by your card & PIN.
 Note that it works only if I start Firefox after having the eID in place in the reader.
 Note that I didn't get much further, being redirected to e.g.
this nonexistent page but the title speaks for itself ;-) https://mondossier.rrn.fgov.be/CertificateRevoked.html

===Thunderbird security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

Try to sign a first mail:
 Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certif

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
 According to the snapshots of the official guide of the eID for Outlook, it's ok, the Authentication certificate must be used, the other being reserved for legal signatures.
 UPDATE: Well now that I saw that Wouter could sign with the signature certificate I tried again and indeed it works.
 TODO: I still would like to understand what went wrong before, why only the "Authentication" certificate worked and not the "Signature" one.

One difficulty is that the certificate is not bound to an email address so the email client tells you sth like it's validly signed but no idea if the certificate owner corresponds to the sender email address.

===Signing with pkcs15-crypt===
From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:
fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
Indeed signing with the signature certificate and without a GUI showing a warning about the legal implication is forbidden.

===Signing with GpgSM===
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html

apt-get install gpgsm dirmngr gnupg-agent pinentry-qt

~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted

~/.bash_profile: (appending this stuff)
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
export GPG_AGENT_INFO
else
eval `gpg-agent --daemon`
echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi

~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader)
disable-ccid
debug-level none

~/.gnupg/gpgsm.conf:
debug-level none

Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times, the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproductible so you've to run it till you've the 4 certificates:
$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
Subject: /CN=Belgium Root CA/C=BE
[...]
Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...]
Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...]
Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign sth:
$ gpgsm --sign mail.txt
Then I get prompted to trust Belgium CA and gpgsm fails "error creating signature: Certificat révoqué <GpgSM>", normal.
 During trusting the Belgium CA, it created automatically a .gnupg/trustlist.txt with
# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S

Ok let's try again without the CRLs check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created
I was prompted for my PIN during the process.

And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]: runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificat révoqué
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...

===e-Signing plugin for Firefox===
* pure curiosity...
* cf http://www.certipost.be/dpsolutions/en/e-signing-faq.html
* the plugin is signed so you've to install the CA certificate of Certipost first and, cf above in my "funny facts", for Firefox, you've to download and... trust it. The certificate is apparently no longer (broken link) and I could not find it in their search tool, the only thing I could find is [http://64.233.183.104/search?q=cache:vzHK3UKTuiMJ:www.certipost.be/en/certificates/PrimaryNormalisedCA/certificate_pem.cer+PrimaryNormalisedCA&hl=fr&ct=clnk&cd=3&gl=fr a copy of the pem version in Google cache(!)] but that was good enough to be able to install the plugin.
* Moreover [https://connect.e-signing.be/app/en/create the form to sign] wants to directly execute some jar file but under an SSL connection signed by... the so-hard-to-get Certipost CA certificate, itself signed by GTE CyberTrust Global Root, an authority built-in in the browsers.
* You've [https://www.certipost.be/webshop/ to pay] to be able to sign with your eID non-repudiation signature to have a valid ''Qualified Electronic Signature with long term value''
* [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/technical_measures_en.pdf There are some explanations] of the additional services provided by CertiPost: ''The applied XAdES-X-L is an XML signature format according to the recognized XAdES standard (ETSI TS 101 903 standard) that implements measures to satisfy the legal requirements for advanced electronic signatures as defined in the European Directive (EC 1999/93: European Community (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES) and for long term non-repudiation. Next to the electronic signature itself, the XAdES-X-Lfile contains the certificate that was used during the signature, the information to proof whether the certificate was valid when signing, and a time stamp to proof that all information used for signing existed and not altered since. Moreover CertiPost keeps a copy of the signed information.
* Timestamps & storage look like additional features, not mandated by the law, so can I create a ''Qualified Electronic Signature with long term value'' out of the CertiPost context, so just a plain x509 signature?

===SSH===
Inspired from http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
 Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):
Package: openssh-client-sc
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...
 I recompile ssh with smartcard support.
apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot
Sending my public key to the ssh server:
pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'
Then logging, being prompted for my PIN:
ssh -I 0 user@host.com
===OpenID===
cf [[OpenID]] and [[OpenID-eID]] where I'm hacking phpMyID to make my own

===TODO: Login===
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards
but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
 Bad side: it conflicts with xlockmore :-(

openssh way:
 Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
 Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found
or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
 before I was even prompted for my PIN

opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

===TODO: SSL Auth===
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.

===TODO: Apache SSL Reverse Proxy===
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
===TODO: OpenGPG & x509===
Old dream is to sign an OpenPGP key with the eID, but even if technically possible, it probably breaks the validation chain as what Citizen CA signed was the entire certificate, not just the key/uid.
 Sth to check: [http://www.imc.org/ietf-openpgp/mail-archive/msg09930.html OpenPGP Signatures Incorporating X.509 Certificates]
 The solution is apparently to extend OpenGPG to allow special signatures on UIDs with sub-packets containing the entire certificate, the UID being build from the DN fields of the certificate (CN, EMAIL,...)
 Apparently PGP supports it already?

===TODO: OpenVPN Auth===
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
 But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
===TODO: Other tools===
* [http://sourceforge.net/projects/opensignature OpenSignature] for Italia
* [http://openportalguard.sourceforge.net/ Open Portal Guard] for e.g. public administrations
* beidcrld: where are CRLs downloaded to?
* beidpcscd: how to test it?
* beidlib.jar: BEIDCard.html and Test.java
* Novell version in C#...
** I could compile but still runtime errors
** Support in OpenOffice? check the shell script

Belgian eID

2008-03-05T07:46:14Z

212.71.5.64: /* TODO: Other tools */

Belgian eID is part of the efforts of the government for [[Belgian eGov]]
==Officials==

* [http://eid.belgium.be Official eID portal]
* [http://repository.eid.belgium.be/FR/Index.htm Certificates]
* [http://status.eid.belgium.be/ eID services]
* [http://crl.eid.belgium.be/ Revocation lists] and [http://ocsp.eid.belgium.be/ OCSP server]
* [http://eid.belgium.be/fr/navigation/documents/37129.html Circulaires (fr) eID Home / Villes et communes / Quoi / Circulaires] Among others: 3) FORMULAIRE DE RENONCIATION AUX CERTIFICATS DE LA CARTE D’IDENTITE ELECTRONIQUE AU MOMENT DE LA DEMANDE DE LA CARTE 10) MODELE D’ATTESTATION D’ACTIVATION OU DE REVOCATION DES CERTIFICATS APRES ACTIVATION DE LA CARTE 11) MODELE D’ATTESTATION DE SUSPENSION ET DE REACTIVATION DES CERTIFICATS
* [http://www.certipost.be CertiPost], by Belgacom & La Poste/De Post
** [http://www.certipost.be/x500/X500.html Certipost E-Trust™ Public X500 Directory Search]

==Usage & Software==

* [http://www.belgium.be/zip/eid_datacapture_fr.html Middleware & developer's kit]
** There are also Debian packages, cf below my tests under Linux
** [http://developer.novell.com/wiki/index.php/EID-belgium eID configuration toolkit by Novell]
* [http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/WebHome Danny De Cock's page on eID] (same as http://www.godot.be)
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396900.aspx short intro]
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396901.aspx how to use the eID card within your .NET apps]

==Misc==
* http://www.foo.be/eID/ Official data, spec sheet etc (outdated)
* [http://belsec.skynetblogs.be/tag/1/E-ID Belsec blog entries] about the eID
* [http://www.uvcw.be/no_index/e-communes/dossier_eid/Belgian_eID_Run-time_Users_guide.pdf Belgian E-ID runtime guide windows/linux pdf]
* [http://www.porvoo8.rrn.fgov.be/porvoo8/doc13/09_porvoo8-bruegger18_Italy.pdf Open source interoperability and E-ID pdf]
* [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/belpic_eid_version_numbering_v1.5.2.pdf The versioning of E-ID pdf]
* [http://porvoo10.net/p10/10_porvoo10-bud-25.pdf The road to European E-ID interoperability pdf]
* [http://www.microsoft.com/belux/nl/eid/ Microsoft and the eID], just an old marketing buzz? (I wouldn't complain...)
* [http://samba.grep.be/~wouter/beid-screencast.ogg], BeID screencast of what should have been shown at Fosdem 2008, by Wouter. (still waiting for the video of the presentation...)
* [http://www.lalibre.be/societe/cyber/article/404626/la-carte-d-identite-electronique-permettra-de-s-enregistrer-sur-ebay.html] La carte d'identité électronique permettra de s'enregistrer sur eBay

==I revoked my certificates==
===Why?===
Because at that time I knew too few on the details of the eID architecture and too much about how a new security architecture can have flaws, so better to stay away for a while, especially given the legal implications that the eID can bring. I knew they were talking about two certificates without understanding their difference, so let's revoke both. Note that it doesn't mean my eID is not valid, eID card activation is mandatory. The eID card is a proof of identity and residence of a person in Belgium. eID certificates activation is a choice of the holder of the eID (opt-in), he/she can decide to activate or revoke the certificates. (cf [http://www.certipost.be/dpsolutions/en/eid-faq.html FAQ])
===How?===
It was quite epic.
 I was still a bit prepared, hopefully, so I had printed the Annexes 3 & 10, the legal forms to ask either to renounce to have the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil servants :-)
 I printed both as for me it was not clear from the User Manual how to renounce for the certificates.
* [Me] Good morning, I come for my eID and... I want to get rid of the certificates
* [Her] You what? Is it possible? Never heard about that
* [Me] Yes, yes, see (and I show her what's in her User Manual)
* ... (takes a while to digest the info)
* [Her] Ha ok, you've to fill Annex 3, (shouting behind her shoulder) JOSETTE, DO WE HAVE ANNEX 3???
* [Josette] ANNEX WHAT??
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/03_-_FORMULAIRE_RENONCIATION_CERTIFS.pdf Annex 3 (pdf)])
* ... (meanwhile she has no idea what to do on the eID to fulfill renouncement and I agree with her, the Manual was unclear so we went for activation+revocation)
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/10_-_Attestation_activ_Certificats(18-10)_27-07.pdf Annex 10 (pdf)])
* [Her] Can I take your copies before you fill them? I'll make copies for ourselves.
So today the official Annex 3&10 forms of this civil office are mine :-D Who knows, maybe I crafted the form... ;-)

It is "funny" to see that everywhere the activation of the certificates is presented as optional, the choice being left to the citizen, blablabla, but in reality most of the citizen just don't know about this possibility (and most of the civil servants, well I hope that since my story, things have evolved a bit) and the civil servants doesn't ask you the question.

===Some details about those certificates===
The eID contains 2 signature certificates, so you cannot encrypt with them, just sign.
* One labeled "Authentication" is for daily use
** To log in on SSL websites such as [http://minfin.fgov.be/taxonweb/ Tax-on-web] or [http://www.saferchat.be SaferChat] or even your bank e.g. [http://www.keytradebank.com/pdf/eID_en.pdf Keytrade has implemented it (pdf)] with CRL check
** For signing mails with S/MIME
** For your own purpose, to log on your SSH server, SSL server, VPN etc
* One labeled "Signature" is for special cases
** It has a equivalent legal value as a hand-written signature and is referred as non-repudiation signature.
** According to [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/applicability_en.pdf CertiPost applicability guidelines (pdf)], the electronic signature still cannot replace a hand-written signature in a number of cases
**It's automatically revoked for minors under 18 years as they cannot sign legally yet.
**From [http://www.certipost.be/dpsolutions/en/eid-faq.html Certipost FAQ]: ''Non-repudiation guarantees that one cannot deny having performed an act. E.g. any message signed using a person's digital signature can only have come from this person. The signing person can not claim that the message was not originated by him. In other words, non-repudiation means that information '''cannot be disclaimed''', similar to a '''witnessed''' handwritten signature on a paper document.'' ''to be checked in the law''
** Normal pkcs software doesn't seem to be able to use it (?)
** Should be used only through the Government software which prompts you with a special GUI and warnings about the legal power of this signature
* [http://www.certipost.be/dpsolutions/en/rem-overzicht.html CertiPost e-Registered mails] is using the non-repudiation signature
* [http://www.certipost.be/dpsolutions/en/e-signing-overview.html CertiPost e-Signing] is using the non-repudiation signature
* Both are protected by the same PIN which is typed on your (unsafe) PC

===What says the law===
Sorry, here are french version abstracts.
 '''9 JUILLET 2001. - Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification''', date de publication au Moniteur: 29 septembre 2001
 Morceaux choisis:
* Art. 4. § 1er. A défaut de dispositions légales contraires, nul ne peut être contraint de poser un acte juridique par voie électronique.
* § 4. Sans préjudice des articles 1323 et suivants du Code civil, une signature électronique avancée réalisée sur la base d'un certificat qualifié et conçue au moyen d'un dispositif sécurisé de création de signature électronique, est assimilée à une signature manuscrite, qu'elle soit réalisée par une personne physique ou morale.
* § 5. Une signature électronique ne peut être privée de son efficacité juridique et ne peut être refusée comme preuve en justice au seul motif :
** que la signature se présente sous forme électronique, ou
** qu'elle ne repose pas sur un certificat qualifié, ou
** qu'elle ne repose pas sur un certificat qualifié délivré par un prestataire accrédité de service de certification, ou
** qu'elle n'est pas créée par un dispositif sécurisé de création de signature.
* ''Wait a minute, ANY electronic signature NOT being based on a qualified certificate and NOT created in a secure environment CANNOT be refused as a legal proof??? Maybe it's me or the triple-negation sentences (lawyers, lawyers...) but it looks like § 5 goes much further than § 4''

===What do I think today?===
====Catastrophe scenario====
* Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
** you know, the kind of stuff that never happens, anyway it's now [http://eid.belgium.be/fr/navigation/documents/39814.html your problem] even if the official middleware [http://blog.didierstevens.com/2007/12/31/how-can-i-trust-the-beid-runtime/ is not signed]
**And apparently even some readers with integrated keypads are [http://belsec.skynetblogs.be/post/5426553/belgian-eid-nr-11--keyloggers-work-with-eid not safer :-(]
**And apparently even commercial standalone smatcard terminals are [http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf not safer :-( (pdf)]
**And, oh, I did a small test with [[Keyloggers|lkl, a userland keylogger]] and of course the PIN typed into the beid graphical prompt could be easily captured.
* He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
* Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
* The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.

====So what will I do next time?====
* I'll probably accept the Authentication certificate to be able to play around with it.
* For sure I'll revoke the Signature certificate unless they change their architecture.
** Not the same PIN than the other certificate.
** Better than 4 digits (& 3 attempts so 3 chances over 10000)
** Probably they limited themselves to one single small PIN in order to pass the [http://www.kafka.be Kafka test] ;-)
** Even then:
*** Then I could use it but only on trusted devices, that's another story...
*** You get the PIN & PUK by post if I remember well, this could be eavesdropped but you can change your PIN... So as the PUK can unlock the PIN 12 times, the attacker has 36 chances over 10000, one over 278, mmm... And who said humans can generate random PINs? ;-)

===Privacy and other security considerations===
* [http://idcorner.org/2005/07/04/the-belgian-eid-card-calamity/ Another] [http://www.idcorner.org/?p=121 consideration] I didn't talk about yet: PRIVACY
* Whoever sees your public certificate (which happens e.g. if you log to a SSL website with your card or '''if you simply send a signed email''') sees your [http://www.ibz.rrn.fgov.be/ RRN ("rijksregistratienummer")] BTW here is [http://fr.wikipedia.org/wiki/Num%C3%A9ro_de_registre_national how it's constructed]: It is a total of 11 numbers of which the first 6 are your birthdate JJMMDD followed by three numbers to distinguish the people that were born on the same day (even for men, uneven for women) and the last two numbers are a control number. So if you know the birthdate and the sex of the person, and you know how the control sum is done (97-JJMMDDXXX%97), you only miss two and a half numbers coming from a linear incremental counter (001, 003,...) to recompile his national register number. For mine it takes less than 40 attempts it you proceed logically...
* [http://minfin.fgov.be/taxonweb/ Tax-on-web] announce it but what about the others and your mail correspondants? ''Suite à l'utilisation de votre moyen d'authentification (carte d'identité électronique ou token citoyen), le SPF Finances a connaissance de votre numéro de registre national. Conformément à l'arrêté royal du 25/04/1986 autorisant certaines autorités du Ministère des Finances à utiliser le numéro d'identification du registre national des personnes physiques, votre numéro de registre national n'est utilisé dans ce contexte qu'à des fins d'identification pour l'accès aux applications du SPF Finances. La loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel s'applique à ce traitement d'identification dont le responsable est le SPF Finances, Boulevard Albert II, 33 à 1030 Bruxelles.''
* Other "funny" facts: Belgium government doesn't bother about cross-certification with any common Root CA so when you want to visit an official site supposedly secured such as https://ccff02.minfin.fgov.be/CCFF_Authentication/choseLoginMethod.do or https://mijndossier.rrn.fgov.be you're kindly asked to blindly trust the certificate, years after phishing was invented, sigh...
* And even "better": for Firefox, [http://www.certipost.be/dpsolutions/en/e-signing-faq.html CertiPost e-Signing] requires you to download and install their CA certificate and to trust it for identifying everything: web sites, mail users and software! Here the download of the CA certificate is done... on pure http, sigh...
* [https://www.cosic.esat.kuleuven.be/adapid/ ADAPID project] is a consortium of researchers and industry representatives in Flanders decided to take action in an attempt to help avoid a national privacy calamity. After a first (non-public) report, the ADAPID project won the financial support of IWT-Flanders. ADAPID officially started July 1st, 2005 and will run until June 30th, 2009.
* Normally the third and definitive version of the eID should have been rolled out begin of this year (2008) but I've no idea what are the changes.
* [http://www.cirb.irisnet.be/site/fr/eid/ethicalid/index_htm Ethical-ID] is a software which presents to the e.g. swimming pool employee the only relevant data e.g. the residence city.

==My attempts under Linux==
I'm using the [[IDream ID-SMID01 SmartCard reader]], bought for 10€

Installing beidgui and dependencies:
apt-get install beidgui beid-tools
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

UPDATE: There is a version 2.6.0-3 available in unstable
apt-get install -t unstable beidgui beid-tools

There are 2 (optional) daemons provided with beid-tools:
* beidcrld Automatic CRL download
* beidpcscd The privacy filter monitors all commands sent to the card. When an application requests to read the identity data, address or photo from the eID card, the filter will display a message and ask the user's consent it's listening on port tcp 2500 and beidcrld, firefox-bin and icedove-bin are constantly speaking with it...

===Exploring===
pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2
# For a little demo...
beid-pkcs11-tool --slot 0 --login --test
There is also some java support but I couldn't try it yet.

===Firefox security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
 cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
 You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

You can then connect to federal sites like [http://minfin.fgov.be/taxonweb/ Tax-on-web] or the [https://mondossier.rrn.fgov.be RRN], being identified by your card & PIN.
 Note that it works only if I start Firefox after having the eID in place in the reader.
 Note that I didn't get much further, being redirected to e.g.
this nonexistent page but the title speaks for itself ;-) https://mondossier.rrn.fgov.be/CertificateRevoked.html

===Thunderbird security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

Try to sign a first mail:
 Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certif

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
 According to the snapshots of the official guide of the eID for Outlook, it's ok, the Authentication certificate must be used, the other being reserved for legal signatures.
 UPDATE: Well now that I saw that Wouter could sign with the signature certificate I tried again and indeed it works.

One difficulty is that the certificate is not bound to an email address so the email client tells you sth like it's validly signed but no idea if the certificate owner corresponds to the sender email address.

===Signing with pkcs15-crypt===
From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:
fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
Indeed signing with the signature certificate and without a GUI showing a warning about the legal implication is forbidden.

===Signing with GpgSM===
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html

apt-get install gpgsm dirmngr gnupg-agent pinentry-qt

~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted

~/.bash_profile: (appending this stuff)
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
export GPG_AGENT_INFO
else
eval `gpg-agent --daemon`
echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi

~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader)
disable-ccid
debug-level none

~/.gnupg/gpgsm.conf:
debug-level none

Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times, the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproductible so you've to run it till you've the 4 certificates:
$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
Subject: /CN=Belgium Root CA/C=BE
[...]
Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...]
Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...]
Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign sth:
$ gpgsm --sign mail.txt
Then I get prompted to trust Belgium CA and gpgsm fails "error creating signature: Certificat révoqué <GpgSM>", normal.
 During trusting the Belgium CA, it created automatically a .gnupg/trustlist.txt with
# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S

Ok let's try again without the CRLs check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created
I was prompted for my PIN during the process.

And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]: runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificat révoqué
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...

===e-Signing plugin for Firefox===
* pure curiosity...
* cf http://www.certipost.be/dpsolutions/en/e-signing-faq.html
* the plugin is signed so you've to install the CA certificate of Certipost first and, cf above in my "funny facts", for Firefox, you've to download and... trust it. The certificate is apparently no longer (broken link) and I could not find it in their search tool, the only thing I could find is [http://64.233.183.104/search?q=cache:vzHK3UKTuiMJ:www.certipost.be/en/certificates/PrimaryNormalisedCA/certificate_pem.cer+PrimaryNormalisedCA&hl=fr&ct=clnk&cd=3&gl=fr a copy of the pem version in Google cache(!)] but that was good enough to be able to install the plugin.
* Moreover [https://connect.e-signing.be/app/en/create the form to sign] wants to directly execute some jar file but under an SSL connection signed by... the so-hard-to-get Certipost CA certificate, itself signed by GTE CyberTrust Global Root, an authority built-in in the browsers.
* You've [https://www.certipost.be/webshop/ to pay] to be able to sign with your eID non-repudiation signature to have a valid ''Qualified Electronic Signature with long term value''
* [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/technical_measures_en.pdf There are some explanations] of the additional services provided by CertiPost: ''The applied XAdES-X-L is an XML signature format according to the recognized XAdES standard (ETSI TS 101 903 standard) that implements measures to satisfy the legal requirements for advanced electronic signatures as defined in the European Directive (EC 1999/93: European Community (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES) and for long term non-repudiation. Next to the electronic signature itself, the XAdES-X-Lfile contains the certificate that was used during the signature, the information to proof whether the certificate was valid when signing, and a time stamp to proof that all information used for signing existed and not altered since. Moreover CertiPost keeps a copy of the signed information.
* Timestamps & storage look like additional features, not mandated by the law, so can I create a ''Qualified Electronic Signature with long term value'' out of the CertiPost context, so just a plain x509 signature?

===SSH===
Inspired from http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
 Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):
Package: openssh-client-sc
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...
 I recompile ssh with smartcard support.
apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot
Sending my public key to the ssh server:
pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'
Then logging, being prompted for my PIN:
ssh -I 0 user@host.com
===OpenID===
cf [[OpenID]] and [[OpenID-eID]] where I'm hacking phpMyID to make my own

===TODO: Login===
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards
but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
 Bad side: it conflicts with xlockmore :-(

openssh way:
 Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
 Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found
or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
 before I was even prompted for my PIN

opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

===TODO: SSL Auth===
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.

===TODO: Apache SSL Reverse Proxy===
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
===TODO: OpenGPG & x509===
Old dream is to sign an OpenPGP key with the eID, but even if technically possible, it probably breaks the validation chain as what Citizen CA signed was the entire certificate, not just the key/uid.
 Sth to check: [http://www.imc.org/ietf-openpgp/mail-archive/msg09930.html OpenPGP Signatures Incorporating X.509 Certificates]
 The solution is apparently to extend OpenGPG to allow special signatures on UIDs with sub-packets containing the entire certificate, the UID being build from the DN fields of the certificate (CN, EMAIL,...)
 Apparently PGP supports it already?

===TODO: OpenVPN Auth===
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
 But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
===TODO: Other tools===
* [http://sourceforge.net/projects/opensignature OpenSignature] for Italia
* [http://openportalguard.sourceforge.net/ Open Portal Guard] for e.g. public administrations
* beidcrld: where are CRLs downloaded to?
* beidpcscd: how to test it?
* beidlib.jar: BEIDCard.html and Test.java
* Novell version in C#...
** I could compile but still runtime errors
** Support in OpenOffice? check the shell script

Belgian eID

2008-03-05T07:45:44Z

212.71.5.64: /* TODO: Other tools */

Belgian eID is part of the efforts of the government for [[Belgian eGov]]
==Officials==

* [http://eid.belgium.be Official eID portal]
* [http://repository.eid.belgium.be/FR/Index.htm Certificates]
* [http://status.eid.belgium.be/ eID services]
* [http://crl.eid.belgium.be/ Revocation lists] and [http://ocsp.eid.belgium.be/ OCSP server]
* [http://eid.belgium.be/fr/navigation/documents/37129.html Circulaires (fr) eID Home / Villes et communes / Quoi / Circulaires] Among others: 3) FORMULAIRE DE RENONCIATION AUX CERTIFICATS DE LA CARTE D’IDENTITE ELECTRONIQUE AU MOMENT DE LA DEMANDE DE LA CARTE 10) MODELE D’ATTESTATION D’ACTIVATION OU DE REVOCATION DES CERTIFICATS APRES ACTIVATION DE LA CARTE 11) MODELE D’ATTESTATION DE SUSPENSION ET DE REACTIVATION DES CERTIFICATS
* [http://www.certipost.be CertiPost], by Belgacom & La Poste/De Post
** [http://www.certipost.be/x500/X500.html Certipost E-Trust™ Public X500 Directory Search]

==Usage & Software==

* [http://www.belgium.be/zip/eid_datacapture_fr.html Middleware & developer's kit]
** There are also Debian packages, cf below my tests under Linux
** [http://developer.novell.com/wiki/index.php/EID-belgium eID configuration toolkit by Novell]
* [http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/WebHome Danny De Cock's page on eID] (same as http://www.godot.be)
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396900.aspx short intro]
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396901.aspx how to use the eID card within your .NET apps]

==Misc==
* http://www.foo.be/eID/ Official data, spec sheet etc (outdated)
* [http://belsec.skynetblogs.be/tag/1/E-ID Belsec blog entries] about the eID
* [http://www.uvcw.be/no_index/e-communes/dossier_eid/Belgian_eID_Run-time_Users_guide.pdf Belgian E-ID runtime guide windows/linux pdf]
* [http://www.porvoo8.rrn.fgov.be/porvoo8/doc13/09_porvoo8-bruegger18_Italy.pdf Open source interoperability and E-ID pdf]
* [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/belpic_eid_version_numbering_v1.5.2.pdf The versioning of E-ID pdf]
* [http://porvoo10.net/p10/10_porvoo10-bud-25.pdf The road to European E-ID interoperability pdf]
* [http://www.microsoft.com/belux/nl/eid/ Microsoft and the eID], just an old marketing buzz? (I wouldn't complain...)
* [http://samba.grep.be/~wouter/beid-screencast.ogg], BeID screencast of what should have been shown at Fosdem 2008, by Wouter. (still waiting for the video of the presentation...)
* [http://www.lalibre.be/societe/cyber/article/404626/la-carte-d-identite-electronique-permettra-de-s-enregistrer-sur-ebay.html] La carte d'identité électronique permettra de s'enregistrer sur eBay

==I revoked my certificates==
===Why?===
Because at that time I knew too few on the details of the eID architecture and too much about how a new security architecture can have flaws, so better to stay away for a while, especially given the legal implications that the eID can bring. I knew they were talking about two certificates without understanding their difference, so let's revoke both. Note that it doesn't mean my eID is not valid, eID card activation is mandatory. The eID card is a proof of identity and residence of a person in Belgium. eID certificates activation is a choice of the holder of the eID (opt-in), he/she can decide to activate or revoke the certificates. (cf [http://www.certipost.be/dpsolutions/en/eid-faq.html FAQ])
===How?===
It was quite epic.
 I was still a bit prepared, hopefully, so I had printed the Annexes 3 & 10, the legal forms to ask either to renounce to have the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil servants :-)
 I printed both as for me it was not clear from the User Manual how to renounce for the certificates.
* [Me] Good morning, I come for my eID and... I want to get rid of the certificates
* [Her] You what? Is it possible? Never heard about that
* [Me] Yes, yes, see (and I show her what's in her User Manual)
* ... (takes a while to digest the info)
* [Her] Ha ok, you've to fill Annex 3, (shouting behind her shoulder) JOSETTE, DO WE HAVE ANNEX 3???
* [Josette] ANNEX WHAT??
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/03_-_FORMULAIRE_RENONCIATION_CERTIFS.pdf Annex 3 (pdf)])
* ... (meanwhile she has no idea what to do on the eID to fulfill renouncement and I agree with her, the Manual was unclear so we went for activation+revocation)
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/10_-_Attestation_activ_Certificats(18-10)_27-07.pdf Annex 10 (pdf)])
* [Her] Can I take your copies before you fill them? I'll make copies for ourselves.
So today the official Annex 3&10 forms of this civil office are mine :-D Who knows, maybe I crafted the form... ;-)

It is "funny" to see that everywhere the activation of the certificates is presented as optional, the choice being left to the citizen, blablabla, but in reality most of the citizen just don't know about this possibility (and most of the civil servants, well I hope that since my story, things have evolved a bit) and the civil servants doesn't ask you the question.

===Some details about those certificates===
The eID contains 2 signature certificates, so you cannot encrypt with them, just sign.
* One labeled "Authentication" is for daily use
** To log in on SSL websites such as [http://minfin.fgov.be/taxonweb/ Tax-on-web] or [http://www.saferchat.be SaferChat] or even your bank e.g. [http://www.keytradebank.com/pdf/eID_en.pdf Keytrade has implemented it (pdf)] with CRL check
** For signing mails with S/MIME
** For your own purpose, to log on your SSH server, SSL server, VPN etc
* One labeled "Signature" is for special cases
** It has a equivalent legal value as a hand-written signature and is referred as non-repudiation signature.
** According to [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/applicability_en.pdf CertiPost applicability guidelines (pdf)], the electronic signature still cannot replace a hand-written signature in a number of cases
**It's automatically revoked for minors under 18 years as they cannot sign legally yet.
**From [http://www.certipost.be/dpsolutions/en/eid-faq.html Certipost FAQ]: ''Non-repudiation guarantees that one cannot deny having performed an act. E.g. any message signed using a person's digital signature can only have come from this person. The signing person can not claim that the message was not originated by him. In other words, non-repudiation means that information '''cannot be disclaimed''', similar to a '''witnessed''' handwritten signature on a paper document.'' ''to be checked in the law''
** Normal pkcs software doesn't seem to be able to use it (?)
** Should be used only through the Government software which prompts you with a special GUI and warnings about the legal power of this signature
* [http://www.certipost.be/dpsolutions/en/rem-overzicht.html CertiPost e-Registered mails] is using the non-repudiation signature
* [http://www.certipost.be/dpsolutions/en/e-signing-overview.html CertiPost e-Signing] is using the non-repudiation signature
* Both are protected by the same PIN which is typed on your (unsafe) PC

===What says the law===
Sorry, here are french version abstracts.
 '''9 JUILLET 2001. - Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification''', date de publication au Moniteur: 29 septembre 2001
 Morceaux choisis:
* Art. 4. § 1er. A défaut de dispositions légales contraires, nul ne peut être contraint de poser un acte juridique par voie électronique.
* § 4. Sans préjudice des articles 1323 et suivants du Code civil, une signature électronique avancée réalisée sur la base d'un certificat qualifié et conçue au moyen d'un dispositif sécurisé de création de signature électronique, est assimilée à une signature manuscrite, qu'elle soit réalisée par une personne physique ou morale.
* § 5. Une signature électronique ne peut être privée de son efficacité juridique et ne peut être refusée comme preuve en justice au seul motif :
** que la signature se présente sous forme électronique, ou
** qu'elle ne repose pas sur un certificat qualifié, ou
** qu'elle ne repose pas sur un certificat qualifié délivré par un prestataire accrédité de service de certification, ou
** qu'elle n'est pas créée par un dispositif sécurisé de création de signature.
* ''Wait a minute, ANY electronic signature NOT being based on a qualified certificate and NOT created in a secure environment CANNOT be refused as a legal proof??? Maybe it's me or the triple-negation sentences (lawyers, lawyers...) but it looks like § 5 goes much further than § 4''

===What do I think today?===
====Catastrophe scenario====
* Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
** you know, the kind of stuff that never happens, anyway it's now [http://eid.belgium.be/fr/navigation/documents/39814.html your problem] even if the official middleware [http://blog.didierstevens.com/2007/12/31/how-can-i-trust-the-beid-runtime/ is not signed]
**And apparently even some readers with integrated keypads are [http://belsec.skynetblogs.be/post/5426553/belgian-eid-nr-11--keyloggers-work-with-eid not safer :-(]
**And apparently even commercial standalone smatcard terminals are [http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf not safer :-( (pdf)]
**And, oh, I did a small test with [[Keyloggers|lkl, a userland keylogger]] and of course the PIN typed into the beid graphical prompt could be easily captured.
* He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
* Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
* The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.

====So what will I do next time?====
* I'll probably accept the Authentication certificate to be able to play around with it.
* For sure I'll revoke the Signature certificate unless they change their architecture.
** Not the same PIN than the other certificate.
** Better than 4 digits (& 3 attempts so 3 chances over 10000)
** Probably they limited themselves to one single small PIN in order to pass the [http://www.kafka.be Kafka test] ;-)
** Even then:
*** Then I could use it but only on trusted devices, that's another story...
*** You get the PIN & PUK by post if I remember well, this could be eavesdropped but you can change your PIN... So as the PUK can unlock the PIN 12 times, the attacker has 36 chances over 10000, one over 278, mmm... And who said humans can generate random PINs? ;-)

===Privacy and other security considerations===
* [http://idcorner.org/2005/07/04/the-belgian-eid-card-calamity/ Another] [http://www.idcorner.org/?p=121 consideration] I didn't talk about yet: PRIVACY
* Whoever sees your public certificate (which happens e.g. if you log to a SSL website with your card or '''if you simply send a signed email''') sees your [http://www.ibz.rrn.fgov.be/ RRN ("rijksregistratienummer")] BTW here is [http://fr.wikipedia.org/wiki/Num%C3%A9ro_de_registre_national how it's constructed]: It is a total of 11 numbers of which the first 6 are your birthdate JJMMDD followed by three numbers to distinguish the people that were born on the same day (even for men, uneven for women) and the last two numbers are a control number. So if you know the birthdate and the sex of the person, and you know how the control sum is done (97-JJMMDDXXX%97), you only miss two and a half numbers coming from a linear incremental counter (001, 003,...) to recompile his national register number. For mine it takes less than 40 attempts it you proceed logically...
* [http://minfin.fgov.be/taxonweb/ Tax-on-web] announce it but what about the others and your mail correspondants? ''Suite à l'utilisation de votre moyen d'authentification (carte d'identité électronique ou token citoyen), le SPF Finances a connaissance de votre numéro de registre national. Conformément à l'arrêté royal du 25/04/1986 autorisant certaines autorités du Ministère des Finances à utiliser le numéro d'identification du registre national des personnes physiques, votre numéro de registre national n'est utilisé dans ce contexte qu'à des fins d'identification pour l'accès aux applications du SPF Finances. La loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel s'applique à ce traitement d'identification dont le responsable est le SPF Finances, Boulevard Albert II, 33 à 1030 Bruxelles.''
* Other "funny" facts: Belgium government doesn't bother about cross-certification with any common Root CA so when you want to visit an official site supposedly secured such as https://ccff02.minfin.fgov.be/CCFF_Authentication/choseLoginMethod.do or https://mijndossier.rrn.fgov.be you're kindly asked to blindly trust the certificate, years after phishing was invented, sigh...
* And even "better": for Firefox, [http://www.certipost.be/dpsolutions/en/e-signing-faq.html CertiPost e-Signing] requires you to download and install their CA certificate and to trust it for identifying everything: web sites, mail users and software! Here the download of the CA certificate is done... on pure http, sigh...
* [https://www.cosic.esat.kuleuven.be/adapid/ ADAPID project] is a consortium of researchers and industry representatives in Flanders decided to take action in an attempt to help avoid a national privacy calamity. After a first (non-public) report, the ADAPID project won the financial support of IWT-Flanders. ADAPID officially started July 1st, 2005 and will run until June 30th, 2009.
* Normally the third and definitive version of the eID should have been rolled out begin of this year (2008) but I've no idea what are the changes.
* [http://www.cirb.irisnet.be/site/fr/eid/ethicalid/index_htm Ethical-ID] is a software which presents to the e.g. swimming pool employee the only relevant data e.g. the residence city.

==My attempts under Linux==
I'm using the [[IDream ID-SMID01 SmartCard reader]], bought for 10€

Installing beidgui and dependencies:
apt-get install beidgui beid-tools
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

UPDATE: There is a version 2.6.0-3 available in unstable
apt-get install -t unstable beidgui beid-tools

There are 2 (optional) daemons provided with beid-tools:
* beidcrld Automatic CRL download
* beidpcscd The privacy filter monitors all commands sent to the card. When an application requests to read the identity data, address or photo from the eID card, the filter will display a message and ask the user's consent it's listening on port tcp 2500 and beidcrld, firefox-bin and icedove-bin are constantly speaking with it...

===Exploring===
pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2
# For a little demo...
beid-pkcs11-tool --slot 0 --login --test
There is also some java support but I couldn't try it yet.

===Firefox security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
 cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
 You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

You can then connect to federal sites like [http://minfin.fgov.be/taxonweb/ Tax-on-web] or the [https://mondossier.rrn.fgov.be RRN], being identified by your card & PIN.
 Note that it works only if I start Firefox after having the eID in place in the reader.
 Note that I didn't get much further, being redirected to e.g.
this nonexistent page but the title speaks for itself ;-) https://mondossier.rrn.fgov.be/CertificateRevoked.html

===Thunderbird security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

Try to sign a first mail:
 Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certif

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
 According to the snapshots of the official guide of the eID for Outlook, it's ok, the Authentication certificate must be used, the other being reserved for legal signatures.
 UPDATE: Well now that I saw that Wouter could sign with the signature certificate I tried again and indeed it works.

One difficulty is that the certificate is not bound to an email address so the email client tells you sth like it's validly signed but no idea if the certificate owner corresponds to the sender email address.

===Signing with pkcs15-crypt===
From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:
fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
Indeed signing with the signature certificate and without a GUI showing a warning about the legal implication is forbidden.

===Signing with GpgSM===
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html

apt-get install gpgsm dirmngr gnupg-agent pinentry-qt

~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted

~/.bash_profile: (appending this stuff)
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
export GPG_AGENT_INFO
else
eval `gpg-agent --daemon`
echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi

~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader)
disable-ccid
debug-level none

~/.gnupg/gpgsm.conf:
debug-level none

Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times, the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproductible so you've to run it till you've the 4 certificates:
$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
Subject: /CN=Belgium Root CA/C=BE
[...]
Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...]
Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...]
Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign sth:
$ gpgsm --sign mail.txt
Then I get prompted to trust Belgium CA and gpgsm fails "error creating signature: Certificat révoqué <GpgSM>", normal.
 During trusting the Belgium CA, it created automatically a .gnupg/trustlist.txt with
# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S

Ok let's try again without the CRLs check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created
I was prompted for my PIN during the process.

And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]: runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificat révoqué
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...

===e-Signing plugin for Firefox===
* pure curiosity...
* cf http://www.certipost.be/dpsolutions/en/e-signing-faq.html
* the plugin is signed so you've to install the CA certificate of Certipost first and, cf above in my "funny facts", for Firefox, you've to download and... trust it. The certificate is apparently no longer (broken link) and I could not find it in their search tool, the only thing I could find is [http://64.233.183.104/search?q=cache:vzHK3UKTuiMJ:www.certipost.be/en/certificates/PrimaryNormalisedCA/certificate_pem.cer+PrimaryNormalisedCA&hl=fr&ct=clnk&cd=3&gl=fr a copy of the pem version in Google cache(!)] but that was good enough to be able to install the plugin.
* Moreover [https://connect.e-signing.be/app/en/create the form to sign] wants to directly execute some jar file but under an SSL connection signed by... the so-hard-to-get Certipost CA certificate, itself signed by GTE CyberTrust Global Root, an authority built-in in the browsers.
* You've [https://www.certipost.be/webshop/ to pay] to be able to sign with your eID non-repudiation signature to have a valid ''Qualified Electronic Signature with long term value''
* [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/technical_measures_en.pdf There are some explanations] of the additional services provided by CertiPost: ''The applied XAdES-X-L is an XML signature format according to the recognized XAdES standard (ETSI TS 101 903 standard) that implements measures to satisfy the legal requirements for advanced electronic signatures as defined in the European Directive (EC 1999/93: European Community (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES) and for long term non-repudiation. Next to the electronic signature itself, the XAdES-X-Lfile contains the certificate that was used during the signature, the information to proof whether the certificate was valid when signing, and a time stamp to proof that all information used for signing existed and not altered since. Moreover CertiPost keeps a copy of the signed information.
* Timestamps & storage look like additional features, not mandated by the law, so can I create a ''Qualified Electronic Signature with long term value'' out of the CertiPost context, so just a plain x509 signature?

===SSH===
Inspired from http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
 Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):
Package: openssh-client-sc
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...
 I recompile ssh with smartcard support.
apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot
Sending my public key to the ssh server:
pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'
Then logging, being prompted for my PIN:
ssh -I 0 user@host.com
===OpenID===
cf [[OpenID]] and [[OpenID-eID]] where I'm hacking phpMyID to make my own

===TODO: Login===
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards
but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
 Bad side: it conflicts with xlockmore :-(

openssh way:
 Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
 Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found
or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
 before I was even prompted for my PIN

opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

===TODO: SSL Auth===
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.

===TODO: Apache SSL Reverse Proxy===
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
===TODO: OpenGPG & x509===
Old dream is to sign an OpenPGP key with the eID, but even if technically possible, it probably breaks the validation chain as what Citizen CA signed was the entire certificate, not just the key/uid.
 Sth to check: [http://www.imc.org/ietf-openpgp/mail-archive/msg09930.html OpenPGP Signatures Incorporating X.509 Certificates]
 The solution is apparently to extend OpenGPG to allow special signatures on UIDs with sub-packets containing the entire certificate, the UID being build from the DN fields of the certificate (CN, EMAIL,...)
 Apparently PGP supports it already?

===TODO: OpenVPN Auth===
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
 But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
===TODO: Other tools===
* [http://sourceforge.net/projects/opensignature OpenSignature] for Italia
* [http://openportalguard.sourceforge.net/ Open Portal Guard] for e.g. public administrations
* beidcrld: where are CRLs downloaded to?
* beidpcscd: how to test it?
* beidlib.jar & java applet...
* Novell version in C#...
** I could compile but still runtime errors
** Support in OpenOffice? check the shell script

Belgian eID

2008-03-05T07:44:24Z

212.71.5.64: /* TODO: Other tools */

Belgian eID is part of the efforts of the government for [[Belgian eGov]]
==Officials==

* [http://eid.belgium.be Official eID portal]
* [http://repository.eid.belgium.be/FR/Index.htm Certificates]
* [http://status.eid.belgium.be/ eID services]
* [http://crl.eid.belgium.be/ Revocation lists] and [http://ocsp.eid.belgium.be/ OCSP server]
* [http://eid.belgium.be/fr/navigation/documents/37129.html Circulaires (fr) eID Home / Villes et communes / Quoi / Circulaires] Among others: 3) FORMULAIRE DE RENONCIATION AUX CERTIFICATS DE LA CARTE D’IDENTITE ELECTRONIQUE AU MOMENT DE LA DEMANDE DE LA CARTE 10) MODELE D’ATTESTATION D’ACTIVATION OU DE REVOCATION DES CERTIFICATS APRES ACTIVATION DE LA CARTE 11) MODELE D’ATTESTATION DE SUSPENSION ET DE REACTIVATION DES CERTIFICATS
* [http://www.certipost.be CertiPost], by Belgacom & La Poste/De Post
** [http://www.certipost.be/x500/X500.html Certipost E-Trust™ Public X500 Directory Search]

==Usage & Software==

* [http://www.belgium.be/zip/eid_datacapture_fr.html Middleware & developer's kit]
** There are also Debian packages, cf below my tests under Linux
** [http://developer.novell.com/wiki/index.php/EID-belgium eID configuration toolkit by Novell]
* [http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/WebHome Danny De Cock's page on eID] (same as http://www.godot.be)
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396900.aspx short intro]
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396901.aspx how to use the eID card within your .NET apps]

==Misc==
* http://www.foo.be/eID/ Official data, spec sheet etc (outdated)
* [http://belsec.skynetblogs.be/tag/1/E-ID Belsec blog entries] about the eID
* [http://www.uvcw.be/no_index/e-communes/dossier_eid/Belgian_eID_Run-time_Users_guide.pdf Belgian E-ID runtime guide windows/linux pdf]
* [http://www.porvoo8.rrn.fgov.be/porvoo8/doc13/09_porvoo8-bruegger18_Italy.pdf Open source interoperability and E-ID pdf]
* [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/belpic_eid_version_numbering_v1.5.2.pdf The versioning of E-ID pdf]
* [http://porvoo10.net/p10/10_porvoo10-bud-25.pdf The road to European E-ID interoperability pdf]
* [http://www.microsoft.com/belux/nl/eid/ Microsoft and the eID], just an old marketing buzz? (I wouldn't complain...)
* [http://samba.grep.be/~wouter/beid-screencast.ogg], BeID screencast of what should have been shown at Fosdem 2008, by Wouter. (still waiting for the video of the presentation...)
* [http://www.lalibre.be/societe/cyber/article/404626/la-carte-d-identite-electronique-permettra-de-s-enregistrer-sur-ebay.html] La carte d'identité électronique permettra de s'enregistrer sur eBay

==I revoked my certificates==
===Why?===
Because at that time I knew too few on the details of the eID architecture and too much about how a new security architecture can have flaws, so better to stay away for a while, especially given the legal implications that the eID can bring. I knew they were talking about two certificates without understanding their difference, so let's revoke both. Note that it doesn't mean my eID is not valid, eID card activation is mandatory. The eID card is a proof of identity and residence of a person in Belgium. eID certificates activation is a choice of the holder of the eID (opt-in), he/she can decide to activate or revoke the certificates. (cf [http://www.certipost.be/dpsolutions/en/eid-faq.html FAQ])
===How?===
It was quite epic.
 I was still a bit prepared, hopefully, so I had printed the Annexes 3 & 10, the legal forms to ask either to renounce to have the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil servants :-)
 I printed both as for me it was not clear from the User Manual how to renounce for the certificates.
* [Me] Good morning, I come for my eID and... I want to get rid of the certificates
* [Her] You what? Is it possible? Never heard about that
* [Me] Yes, yes, see (and I show her what's in her User Manual)
* ... (takes a while to digest the info)
* [Her] Ha ok, you've to fill Annex 3, (shouting behind her shoulder) JOSETTE, DO WE HAVE ANNEX 3???
* [Josette] ANNEX WHAT??
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/03_-_FORMULAIRE_RENONCIATION_CERTIFS.pdf Annex 3 (pdf)])
* ... (meanwhile she has no idea what to do on the eID to fulfill renouncement and I agree with her, the Manual was unclear so we went for activation+revocation)
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/10_-_Attestation_activ_Certificats(18-10)_27-07.pdf Annex 10 (pdf)])
* [Her] Can I take your copies before you fill them? I'll make copies for ourselves.
So today the official Annex 3&10 forms of this civil office are mine :-D Who knows, maybe I crafted the form... ;-)

It is "funny" to see that everywhere the activation of the certificates is presented as optional, the choice being left to the citizen, blablabla, but in reality most of the citizen just don't know about this possibility (and most of the civil servants, well I hope that since my story, things have evolved a bit) and the civil servants doesn't ask you the question.

===Some details about those certificates===
The eID contains 2 signature certificates, so you cannot encrypt with them, just sign.
* One labeled "Authentication" is for daily use
** To log in on SSL websites such as [http://minfin.fgov.be/taxonweb/ Tax-on-web] or [http://www.saferchat.be SaferChat] or even your bank e.g. [http://www.keytradebank.com/pdf/eID_en.pdf Keytrade has implemented it (pdf)] with CRL check
** For signing mails with S/MIME
** For your own purpose, to log on your SSH server, SSL server, VPN etc
* One labeled "Signature" is for special cases
** It has a equivalent legal value as a hand-written signature and is referred as non-repudiation signature.
** According to [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/applicability_en.pdf CertiPost applicability guidelines (pdf)], the electronic signature still cannot replace a hand-written signature in a number of cases
**It's automatically revoked for minors under 18 years as they cannot sign legally yet.
**From [http://www.certipost.be/dpsolutions/en/eid-faq.html Certipost FAQ]: ''Non-repudiation guarantees that one cannot deny having performed an act. E.g. any message signed using a person's digital signature can only have come from this person. The signing person can not claim that the message was not originated by him. In other words, non-repudiation means that information '''cannot be disclaimed''', similar to a '''witnessed''' handwritten signature on a paper document.'' ''to be checked in the law''
** Normal pkcs software doesn't seem to be able to use it (?)
** Should be used only through the Government software which prompts you with a special GUI and warnings about the legal power of this signature
* [http://www.certipost.be/dpsolutions/en/rem-overzicht.html CertiPost e-Registered mails] is using the non-repudiation signature
* [http://www.certipost.be/dpsolutions/en/e-signing-overview.html CertiPost e-Signing] is using the non-repudiation signature
* Both are protected by the same PIN which is typed on your (unsafe) PC

===What says the law===
Sorry, here are french version abstracts.
 '''9 JUILLET 2001. - Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification''', date de publication au Moniteur: 29 septembre 2001
 Morceaux choisis:
* Art. 4. § 1er. A défaut de dispositions légales contraires, nul ne peut être contraint de poser un acte juridique par voie électronique.
* § 4. Sans préjudice des articles 1323 et suivants du Code civil, une signature électronique avancée réalisée sur la base d'un certificat qualifié et conçue au moyen d'un dispositif sécurisé de création de signature électronique, est assimilée à une signature manuscrite, qu'elle soit réalisée par une personne physique ou morale.
* § 5. Une signature électronique ne peut être privée de son efficacité juridique et ne peut être refusée comme preuve en justice au seul motif :
** que la signature se présente sous forme électronique, ou
** qu'elle ne repose pas sur un certificat qualifié, ou
** qu'elle ne repose pas sur un certificat qualifié délivré par un prestataire accrédité de service de certification, ou
** qu'elle n'est pas créée par un dispositif sécurisé de création de signature.
* ''Wait a minute, ANY electronic signature NOT being based on a qualified certificate and NOT created in a secure environment CANNOT be refused as a legal proof??? Maybe it's me or the triple-negation sentences (lawyers, lawyers...) but it looks like § 5 goes much further than § 4''

===What do I think today?===
====Catastrophe scenario====
* Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
** you know, the kind of stuff that never happens, anyway it's now [http://eid.belgium.be/fr/navigation/documents/39814.html your problem] even if the official middleware [http://blog.didierstevens.com/2007/12/31/how-can-i-trust-the-beid-runtime/ is not signed]
**And apparently even some readers with integrated keypads are [http://belsec.skynetblogs.be/post/5426553/belgian-eid-nr-11--keyloggers-work-with-eid not safer :-(]
**And apparently even commercial standalone smatcard terminals are [http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf not safer :-( (pdf)]
**And, oh, I did a small test with [[Keyloggers|lkl, a userland keylogger]] and of course the PIN typed into the beid graphical prompt could be easily captured.
* He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
* Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
* The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.

====So what will I do next time?====
* I'll probably accept the Authentication certificate to be able to play around with it.
* For sure I'll revoke the Signature certificate unless they change their architecture.
** Not the same PIN than the other certificate.
** Better than 4 digits (& 3 attempts so 3 chances over 10000)
** Probably they limited themselves to one single small PIN in order to pass the [http://www.kafka.be Kafka test] ;-)
** Even then:
*** Then I could use it but only on trusted devices, that's another story...
*** You get the PIN & PUK by post if I remember well, this could be eavesdropped but you can change your PIN... So as the PUK can unlock the PIN 12 times, the attacker has 36 chances over 10000, one over 278, mmm... And who said humans can generate random PINs? ;-)

===Privacy and other security considerations===
* [http://idcorner.org/2005/07/04/the-belgian-eid-card-calamity/ Another] [http://www.idcorner.org/?p=121 consideration] I didn't talk about yet: PRIVACY
* Whoever sees your public certificate (which happens e.g. if you log to a SSL website with your card or '''if you simply send a signed email''') sees your [http://www.ibz.rrn.fgov.be/ RRN ("rijksregistratienummer")] BTW here is [http://fr.wikipedia.org/wiki/Num%C3%A9ro_de_registre_national how it's constructed]: It is a total of 11 numbers of which the first 6 are your birthdate JJMMDD followed by three numbers to distinguish the people that were born on the same day (even for men, uneven for women) and the last two numbers are a control number. So if you know the birthdate and the sex of the person, and you know how the control sum is done (97-JJMMDDXXX%97), you only miss two and a half numbers coming from a linear incremental counter (001, 003,...) to recompile his national register number. For mine it takes less than 40 attempts it you proceed logically...
* [http://minfin.fgov.be/taxonweb/ Tax-on-web] announce it but what about the others and your mail correspondants? ''Suite à l'utilisation de votre moyen d'authentification (carte d'identité électronique ou token citoyen), le SPF Finances a connaissance de votre numéro de registre national. Conformément à l'arrêté royal du 25/04/1986 autorisant certaines autorités du Ministère des Finances à utiliser le numéro d'identification du registre national des personnes physiques, votre numéro de registre national n'est utilisé dans ce contexte qu'à des fins d'identification pour l'accès aux applications du SPF Finances. La loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel s'applique à ce traitement d'identification dont le responsable est le SPF Finances, Boulevard Albert II, 33 à 1030 Bruxelles.''
* Other "funny" facts: Belgium government doesn't bother about cross-certification with any common Root CA so when you want to visit an official site supposedly secured such as https://ccff02.minfin.fgov.be/CCFF_Authentication/choseLoginMethod.do or https://mijndossier.rrn.fgov.be you're kindly asked to blindly trust the certificate, years after phishing was invented, sigh...
* And even "better": for Firefox, [http://www.certipost.be/dpsolutions/en/e-signing-faq.html CertiPost e-Signing] requires you to download and install their CA certificate and to trust it for identifying everything: web sites, mail users and software! Here the download of the CA certificate is done... on pure http, sigh...
* [https://www.cosic.esat.kuleuven.be/adapid/ ADAPID project] is a consortium of researchers and industry representatives in Flanders decided to take action in an attempt to help avoid a national privacy calamity. After a first (non-public) report, the ADAPID project won the financial support of IWT-Flanders. ADAPID officially started July 1st, 2005 and will run until June 30th, 2009.
* Normally the third and definitive version of the eID should have been rolled out begin of this year (2008) but I've no idea what are the changes.
* [http://www.cirb.irisnet.be/site/fr/eid/ethicalid/index_htm Ethical-ID] is a software which presents to the e.g. swimming pool employee the only relevant data e.g. the residence city.

==My attempts under Linux==
I'm using the [[IDream ID-SMID01 SmartCard reader]], bought for 10€

Installing beidgui and dependencies:
apt-get install beidgui beid-tools
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

UPDATE: There is a version 2.6.0-3 available in unstable
apt-get install -t unstable beidgui beid-tools

There are 2 (optional) daemons provided with beid-tools:
* beidcrld Automatic CRL download
* beidpcscd The privacy filter monitors all commands sent to the card. When an application requests to read the identity data, address or photo from the eID card, the filter will display a message and ask the user's consent it's listening on port tcp 2500 and beidcrld, firefox-bin and icedove-bin are constantly speaking with it...

===Exploring===
pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2
# For a little demo...
beid-pkcs11-tool --slot 0 --login --test
There is also some java support but I couldn't try it yet.

===Firefox security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
 cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
 You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

You can then connect to federal sites like [http://minfin.fgov.be/taxonweb/ Tax-on-web] or the [https://mondossier.rrn.fgov.be RRN], being identified by your card & PIN.
 Note that it works only if I start Firefox after having the eID in place in the reader.
 Note that I didn't get much further, being redirected to e.g.
this nonexistent page but the title speaks for itself ;-) https://mondossier.rrn.fgov.be/CertificateRevoked.html

===Thunderbird security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

Try to sign a first mail:
 Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certif

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
 According to the snapshots of the official guide of the eID for Outlook, it's ok, the Authentication certificate must be used, the other being reserved for legal signatures.
 UPDATE: Well now that I saw that Wouter could sign with the signature certificate I tried again and indeed it works.

One difficulty is that the certificate is not bound to an email address so the email client tells you sth like it's validly signed but no idea if the certificate owner corresponds to the sender email address.

===Signing with pkcs15-crypt===
From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:
fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
Indeed signing with the signature certificate and without a GUI showing a warning about the legal implication is forbidden.

===Signing with GpgSM===
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html

apt-get install gpgsm dirmngr gnupg-agent pinentry-qt

~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted

~/.bash_profile: (appending this stuff)
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
export GPG_AGENT_INFO
else
eval `gpg-agent --daemon`
echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi

~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader)
disable-ccid
debug-level none

~/.gnupg/gpgsm.conf:
debug-level none

Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times, the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproductible so you've to run it till you've the 4 certificates:
$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
Subject: /CN=Belgium Root CA/C=BE
[...]
Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...]
Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...]
Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign sth:
$ gpgsm --sign mail.txt
Then I get prompted to trust Belgium CA and gpgsm fails "error creating signature: Certificat révoqué <GpgSM>", normal.
 During trusting the Belgium CA, it created automatically a .gnupg/trustlist.txt with
# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S

Ok let's try again without the CRLs check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created
I was prompted for my PIN during the process.

And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]: runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificat révoqué
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...

===e-Signing plugin for Firefox===
* pure curiosity...
* cf http://www.certipost.be/dpsolutions/en/e-signing-faq.html
* the plugin is signed so you've to install the CA certificate of Certipost first and, cf above in my "funny facts", for Firefox, you've to download and... trust it. The certificate is apparently no longer (broken link) and I could not find it in their search tool, the only thing I could find is [http://64.233.183.104/search?q=cache:vzHK3UKTuiMJ:www.certipost.be/en/certificates/PrimaryNormalisedCA/certificate_pem.cer+PrimaryNormalisedCA&hl=fr&ct=clnk&cd=3&gl=fr a copy of the pem version in Google cache(!)] but that was good enough to be able to install the plugin.
* Moreover [https://connect.e-signing.be/app/en/create the form to sign] wants to directly execute some jar file but under an SSL connection signed by... the so-hard-to-get Certipost CA certificate, itself signed by GTE CyberTrust Global Root, an authority built-in in the browsers.
* You've [https://www.certipost.be/webshop/ to pay] to be able to sign with your eID non-repudiation signature to have a valid ''Qualified Electronic Signature with long term value''
* [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/technical_measures_en.pdf There are some explanations] of the additional services provided by CertiPost: ''The applied XAdES-X-L is an XML signature format according to the recognized XAdES standard (ETSI TS 101 903 standard) that implements measures to satisfy the legal requirements for advanced electronic signatures as defined in the European Directive (EC 1999/93: European Community (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES) and for long term non-repudiation. Next to the electronic signature itself, the XAdES-X-Lfile contains the certificate that was used during the signature, the information to proof whether the certificate was valid when signing, and a time stamp to proof that all information used for signing existed and not altered since. Moreover CertiPost keeps a copy of the signed information.
* Timestamps & storage look like additional features, not mandated by the law, so can I create a ''Qualified Electronic Signature with long term value'' out of the CertiPost context, so just a plain x509 signature?

===SSH===
Inspired from http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
 Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):
Package: openssh-client-sc
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...
 I recompile ssh with smartcard support.
apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot
Sending my public key to the ssh server:
pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'
Then logging, being prompted for my PIN:
ssh -I 0 user@host.com
===OpenID===
cf [[OpenID]] and [[OpenID-eID]] where I'm hacking phpMyID to make my own

===TODO: Login===
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards
but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
 Bad side: it conflicts with xlockmore :-(

openssh way:
 Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
 Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found
or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
 before I was even prompted for my PIN

opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

===TODO: SSL Auth===
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.

===TODO: Apache SSL Reverse Proxy===
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
===TODO: OpenGPG & x509===
Old dream is to sign an OpenPGP key with the eID, but even if technically possible, it probably breaks the validation chain as what Citizen CA signed was the entire certificate, not just the key/uid.
 Sth to check: [http://www.imc.org/ietf-openpgp/mail-archive/msg09930.html OpenPGP Signatures Incorporating X.509 Certificates]
 The solution is apparently to extend OpenGPG to allow special signatures on UIDs with sub-packets containing the entire certificate, the UID being build from the DN fields of the certificate (CN, EMAIL,...)
 Apparently PGP supports it already?

===TODO: OpenVPN Auth===
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
 But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
===TODO: Other tools===
* [http://sourceforge.net/projects/opensignature OpenSignature] for Italia
* [http://openportalguard.sourceforge.net/ Open Portal Guard] for e.g. public administrations
* beidcrld: where are CRLs downloaded to?
* beidpcscd: how to test it?
* beidlib.jar & java applet...
* Novell version in C#...
** I could compile but still runtime errors

Belgian eID

2008-03-05T07:42:56Z

212.71.5.64: /* TODO: Other tools */

Belgian eID is part of the efforts of the government for [[Belgian eGov]]
==Officials==

* [http://eid.belgium.be Official eID portal]
* [http://repository.eid.belgium.be/FR/Index.htm Certificates]
* [http://status.eid.belgium.be/ eID services]
* [http://crl.eid.belgium.be/ Revocation lists] and [http://ocsp.eid.belgium.be/ OCSP server]
* [http://eid.belgium.be/fr/navigation/documents/37129.html Circulaires (fr) eID Home / Villes et communes / Quoi / Circulaires] Among others: 3) FORMULAIRE DE RENONCIATION AUX CERTIFICATS DE LA CARTE D’IDENTITE ELECTRONIQUE AU MOMENT DE LA DEMANDE DE LA CARTE 10) MODELE D’ATTESTATION D’ACTIVATION OU DE REVOCATION DES CERTIFICATS APRES ACTIVATION DE LA CARTE 11) MODELE D’ATTESTATION DE SUSPENSION ET DE REACTIVATION DES CERTIFICATS
* [http://www.certipost.be CertiPost], by Belgacom & La Poste/De Post
** [http://www.certipost.be/x500/X500.html Certipost E-Trust™ Public X500 Directory Search]

==Usage & Software==

* [http://www.belgium.be/zip/eid_datacapture_fr.html Middleware & developer's kit]
** There are also Debian packages, cf below my tests under Linux
** [http://developer.novell.com/wiki/index.php/EID-belgium eID configuration toolkit by Novell]
* [http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/WebHome Danny De Cock's page on eID] (same as http://www.godot.be)
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396900.aspx short intro]
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396901.aspx how to use the eID card within your .NET apps]

==Misc==
* http://www.foo.be/eID/ Official data, spec sheet etc (outdated)
* [http://belsec.skynetblogs.be/tag/1/E-ID Belsec blog entries] about the eID
* [http://www.uvcw.be/no_index/e-communes/dossier_eid/Belgian_eID_Run-time_Users_guide.pdf Belgian E-ID runtime guide windows/linux pdf]
* [http://www.porvoo8.rrn.fgov.be/porvoo8/doc13/09_porvoo8-bruegger18_Italy.pdf Open source interoperability and E-ID pdf]
* [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/belpic_eid_version_numbering_v1.5.2.pdf The versioning of E-ID pdf]
* [http://porvoo10.net/p10/10_porvoo10-bud-25.pdf The road to European E-ID interoperability pdf]
* [http://www.microsoft.com/belux/nl/eid/ Microsoft and the eID], just an old marketing buzz? (I wouldn't complain...)
* [http://samba.grep.be/~wouter/beid-screencast.ogg], BeID screencast of what should have been shown at Fosdem 2008, by Wouter. (still waiting for the video of the presentation...)
* [http://www.lalibre.be/societe/cyber/article/404626/la-carte-d-identite-electronique-permettra-de-s-enregistrer-sur-ebay.html] La carte d'identité électronique permettra de s'enregistrer sur eBay

==I revoked my certificates==
===Why?===
Because at that time I knew too few on the details of the eID architecture and too much about how a new security architecture can have flaws, so better to stay away for a while, especially given the legal implications that the eID can bring. I knew they were talking about two certificates without understanding their difference, so let's revoke both. Note that it doesn't mean my eID is not valid, eID card activation is mandatory. The eID card is a proof of identity and residence of a person in Belgium. eID certificates activation is a choice of the holder of the eID (opt-in), he/she can decide to activate or revoke the certificates. (cf [http://www.certipost.be/dpsolutions/en/eid-faq.html FAQ])
===How?===
It was quite epic.
 I was still a bit prepared, hopefully, so I had printed the Annexes 3 & 10, the legal forms to ask either to renounce to have the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil servants :-)
 I printed both as for me it was not clear from the User Manual how to renounce for the certificates.
* [Me] Good morning, I come for my eID and... I want to get rid of the certificates
* [Her] You what? Is it possible? Never heard about that
* [Me] Yes, yes, see (and I show her what's in her User Manual)
* ... (takes a while to digest the info)
* [Her] Ha ok, you've to fill Annex 3, (shouting behind her shoulder) JOSETTE, DO WE HAVE ANNEX 3???
* [Josette] ANNEX WHAT??
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/03_-_FORMULAIRE_RENONCIATION_CERTIFS.pdf Annex 3 (pdf)])
* ... (meanwhile she has no idea what to do on the eID to fulfill renouncement and I agree with her, the Manual was unclear so we went for activation+revocation)
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/10_-_Attestation_activ_Certificats(18-10)_27-07.pdf Annex 10 (pdf)])
* [Her] Can I take your copies before you fill them? I'll make copies for ourselves.
So today the official Annex 3&10 forms of this civil office are mine :-D Who knows, maybe I crafted the form... ;-)

It is "funny" to see that everywhere the activation of the certificates is presented as optional, the choice being left to the citizen, blablabla, but in reality most of the citizen just don't know about this possibility (and most of the civil servants, well I hope that since my story, things have evolved a bit) and the civil servants doesn't ask you the question.

===Some details about those certificates===
The eID contains 2 signature certificates, so you cannot encrypt with them, just sign.
* One labeled "Authentication" is for daily use
** To log in on SSL websites such as [http://minfin.fgov.be/taxonweb/ Tax-on-web] or [http://www.saferchat.be SaferChat] or even your bank e.g. [http://www.keytradebank.com/pdf/eID_en.pdf Keytrade has implemented it (pdf)] with CRL check
** For signing mails with S/MIME
** For your own purpose, to log on your SSH server, SSL server, VPN etc
* One labeled "Signature" is for special cases
** It has a equivalent legal value as a hand-written signature and is referred as non-repudiation signature.
** According to [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/applicability_en.pdf CertiPost applicability guidelines (pdf)], the electronic signature still cannot replace a hand-written signature in a number of cases
**It's automatically revoked for minors under 18 years as they cannot sign legally yet.
**From [http://www.certipost.be/dpsolutions/en/eid-faq.html Certipost FAQ]: ''Non-repudiation guarantees that one cannot deny having performed an act. E.g. any message signed using a person's digital signature can only have come from this person. The signing person can not claim that the message was not originated by him. In other words, non-repudiation means that information '''cannot be disclaimed''', similar to a '''witnessed''' handwritten signature on a paper document.'' ''to be checked in the law''
** Normal pkcs software doesn't seem to be able to use it (?)
** Should be used only through the Government software which prompts you with a special GUI and warnings about the legal power of this signature
* [http://www.certipost.be/dpsolutions/en/rem-overzicht.html CertiPost e-Registered mails] is using the non-repudiation signature
* [http://www.certipost.be/dpsolutions/en/e-signing-overview.html CertiPost e-Signing] is using the non-repudiation signature
* Both are protected by the same PIN which is typed on your (unsafe) PC

===What says the law===
Sorry, here are french version abstracts.
 '''9 JUILLET 2001. - Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification''', date de publication au Moniteur: 29 septembre 2001
 Morceaux choisis:
* Art. 4. § 1er. A défaut de dispositions légales contraires, nul ne peut être contraint de poser un acte juridique par voie électronique.
* § 4. Sans préjudice des articles 1323 et suivants du Code civil, une signature électronique avancée réalisée sur la base d'un certificat qualifié et conçue au moyen d'un dispositif sécurisé de création de signature électronique, est assimilée à une signature manuscrite, qu'elle soit réalisée par une personne physique ou morale.
* § 5. Une signature électronique ne peut être privée de son efficacité juridique et ne peut être refusée comme preuve en justice au seul motif :
** que la signature se présente sous forme électronique, ou
** qu'elle ne repose pas sur un certificat qualifié, ou
** qu'elle ne repose pas sur un certificat qualifié délivré par un prestataire accrédité de service de certification, ou
** qu'elle n'est pas créée par un dispositif sécurisé de création de signature.
* ''Wait a minute, ANY electronic signature NOT being based on a qualified certificate and NOT created in a secure environment CANNOT be refused as a legal proof??? Maybe it's me or the triple-negation sentences (lawyers, lawyers...) but it looks like § 5 goes much further than § 4''

===What do I think today?===
====Catastrophe scenario====
* Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
** you know, the kind of stuff that never happens, anyway it's now [http://eid.belgium.be/fr/navigation/documents/39814.html your problem] even if the official middleware [http://blog.didierstevens.com/2007/12/31/how-can-i-trust-the-beid-runtime/ is not signed]
**And apparently even some readers with integrated keypads are [http://belsec.skynetblogs.be/post/5426553/belgian-eid-nr-11--keyloggers-work-with-eid not safer :-(]
**And apparently even commercial standalone smatcard terminals are [http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf not safer :-( (pdf)]
**And, oh, I did a small test with [[Keyloggers|lkl, a userland keylogger]] and of course the PIN typed into the beid graphical prompt could be easily captured.
* He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
* Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
* The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.

====So what will I do next time?====
* I'll probably accept the Authentication certificate to be able to play around with it.
* For sure I'll revoke the Signature certificate unless they change their architecture.
** Not the same PIN than the other certificate.
** Better than 4 digits (& 3 attempts so 3 chances over 10000)
** Probably they limited themselves to one single small PIN in order to pass the [http://www.kafka.be Kafka test] ;-)
** Even then:
*** Then I could use it but only on trusted devices, that's another story...
*** You get the PIN & PUK by post if I remember well, this could be eavesdropped but you can change your PIN... So as the PUK can unlock the PIN 12 times, the attacker has 36 chances over 10000, one over 278, mmm... And who said humans can generate random PINs? ;-)

===Privacy and other security considerations===
* [http://idcorner.org/2005/07/04/the-belgian-eid-card-calamity/ Another] [http://www.idcorner.org/?p=121 consideration] I didn't talk about yet: PRIVACY
* Whoever sees your public certificate (which happens e.g. if you log to a SSL website with your card or '''if you simply send a signed email''') sees your [http://www.ibz.rrn.fgov.be/ RRN ("rijksregistratienummer")] BTW here is [http://fr.wikipedia.org/wiki/Num%C3%A9ro_de_registre_national how it's constructed]: It is a total of 11 numbers of which the first 6 are your birthdate JJMMDD followed by three numbers to distinguish the people that were born on the same day (even for men, uneven for women) and the last two numbers are a control number. So if you know the birthdate and the sex of the person, and you know how the control sum is done (97-JJMMDDXXX%97), you only miss two and a half numbers coming from a linear incremental counter (001, 003,...) to recompile his national register number. For mine it takes less than 40 attempts it you proceed logically...
* [http://minfin.fgov.be/taxonweb/ Tax-on-web] announce it but what about the others and your mail correspondants? ''Suite à l'utilisation de votre moyen d'authentification (carte d'identité électronique ou token citoyen), le SPF Finances a connaissance de votre numéro de registre national. Conformément à l'arrêté royal du 25/04/1986 autorisant certaines autorités du Ministère des Finances à utiliser le numéro d'identification du registre national des personnes physiques, votre numéro de registre national n'est utilisé dans ce contexte qu'à des fins d'identification pour l'accès aux applications du SPF Finances. La loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel s'applique à ce traitement d'identification dont le responsable est le SPF Finances, Boulevard Albert II, 33 à 1030 Bruxelles.''
* Other "funny" facts: Belgium government doesn't bother about cross-certification with any common Root CA so when you want to visit an official site supposedly secured such as https://ccff02.minfin.fgov.be/CCFF_Authentication/choseLoginMethod.do or https://mijndossier.rrn.fgov.be you're kindly asked to blindly trust the certificate, years after phishing was invented, sigh...
* And even "better": for Firefox, [http://www.certipost.be/dpsolutions/en/e-signing-faq.html CertiPost e-Signing] requires you to download and install their CA certificate and to trust it for identifying everything: web sites, mail users and software! Here the download of the CA certificate is done... on pure http, sigh...
* [https://www.cosic.esat.kuleuven.be/adapid/ ADAPID project] is a consortium of researchers and industry representatives in Flanders decided to take action in an attempt to help avoid a national privacy calamity. After a first (non-public) report, the ADAPID project won the financial support of IWT-Flanders. ADAPID officially started July 1st, 2005 and will run until June 30th, 2009.
* Normally the third and definitive version of the eID should have been rolled out begin of this year (2008) but I've no idea what are the changes.
* [http://www.cirb.irisnet.be/site/fr/eid/ethicalid/index_htm Ethical-ID] is a software which presents to the e.g. swimming pool employee the only relevant data e.g. the residence city.

==My attempts under Linux==
I'm using the [[IDream ID-SMID01 SmartCard reader]], bought for 10€

Installing beidgui and dependencies:
apt-get install beidgui beid-tools
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

UPDATE: There is a version 2.6.0-3 available in unstable
apt-get install -t unstable beidgui beid-tools

There are 2 (optional) daemons provided with beid-tools:
* beidcrld Automatic CRL download
* beidpcscd The privacy filter monitors all commands sent to the card. When an application requests to read the identity data, address or photo from the eID card, the filter will display a message and ask the user's consent it's listening on port tcp 2500 and beidcrld, firefox-bin and icedove-bin are constantly speaking with it...

===Exploring===
pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2
# For a little demo...
beid-pkcs11-tool --slot 0 --login --test
There is also some java support but I couldn't try it yet.

===Firefox security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
 cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
 You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

You can then connect to federal sites like [http://minfin.fgov.be/taxonweb/ Tax-on-web] or the [https://mondossier.rrn.fgov.be RRN], being identified by your card & PIN.
 Note that it works only if I start Firefox after having the eID in place in the reader.
 Note that I didn't get much further, being redirected to e.g.
this nonexistent page but the title speaks for itself ;-) https://mondossier.rrn.fgov.be/CertificateRevoked.html

===Thunderbird security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

Try to sign a first mail:
 Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certif

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
 According to the snapshots of the official guide of the eID for Outlook, it's ok, the Authentication certificate must be used, the other being reserved for legal signatures.
 UPDATE: Well now that I saw that Wouter could sign with the signature certificate I tried again and indeed it works.

One difficulty is that the certificate is not bound to an email address so the email client tells you sth like it's validly signed but no idea if the certificate owner corresponds to the sender email address.

===Signing with pkcs15-crypt===
From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:
fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
Indeed signing with the signature certificate and without a GUI showing a warning about the legal implication is forbidden.

===Signing with GpgSM===
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html

apt-get install gpgsm dirmngr gnupg-agent pinentry-qt

~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted

~/.bash_profile: (appending this stuff)
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
export GPG_AGENT_INFO
else
eval `gpg-agent --daemon`
echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi

~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader)
disable-ccid
debug-level none

~/.gnupg/gpgsm.conf:
debug-level none

Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times, the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproductible so you've to run it till you've the 4 certificates:
$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
Subject: /CN=Belgium Root CA/C=BE
[...]
Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...]
Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...]
Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign sth:
$ gpgsm --sign mail.txt
Then I get prompted to trust Belgium CA and gpgsm fails "error creating signature: Certificat révoqué <GpgSM>", normal.
 During trusting the Belgium CA, it created automatically a .gnupg/trustlist.txt with
# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S

Ok let's try again without the CRLs check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created
I was prompted for my PIN during the process.

And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]: runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificat révoqué
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...

===e-Signing plugin for Firefox===
* pure curiosity...
* cf http://www.certipost.be/dpsolutions/en/e-signing-faq.html
* the plugin is signed so you've to install the CA certificate of Certipost first and, cf above in my "funny facts", for Firefox, you've to download and... trust it. The certificate is apparently no longer (broken link) and I could not find it in their search tool, the only thing I could find is [http://64.233.183.104/search?q=cache:vzHK3UKTuiMJ:www.certipost.be/en/certificates/PrimaryNormalisedCA/certificate_pem.cer+PrimaryNormalisedCA&hl=fr&ct=clnk&cd=3&gl=fr a copy of the pem version in Google cache(!)] but that was good enough to be able to install the plugin.
* Moreover [https://connect.e-signing.be/app/en/create the form to sign] wants to directly execute some jar file but under an SSL connection signed by... the so-hard-to-get Certipost CA certificate, itself signed by GTE CyberTrust Global Root, an authority built-in in the browsers.
* You've [https://www.certipost.be/webshop/ to pay] to be able to sign with your eID non-repudiation signature to have a valid ''Qualified Electronic Signature with long term value''
* [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/technical_measures_en.pdf There are some explanations] of the additional services provided by CertiPost: ''The applied XAdES-X-L is an XML signature format according to the recognized XAdES standard (ETSI TS 101 903 standard) that implements measures to satisfy the legal requirements for advanced electronic signatures as defined in the European Directive (EC 1999/93: European Community (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES) and for long term non-repudiation. Next to the electronic signature itself, the XAdES-X-Lfile contains the certificate that was used during the signature, the information to proof whether the certificate was valid when signing, and a time stamp to proof that all information used for signing existed and not altered since. Moreover CertiPost keeps a copy of the signed information.
* Timestamps & storage look like additional features, not mandated by the law, so can I create a ''Qualified Electronic Signature with long term value'' out of the CertiPost context, so just a plain x509 signature?

===SSH===
Inspired from http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
 Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):
Package: openssh-client-sc
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...
 I recompile ssh with smartcard support.
apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot
Sending my public key to the ssh server:
pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'
Then logging, being prompted for my PIN:
ssh -I 0 user@host.com
===OpenID===
cf [[OpenID]] and [[OpenID-eID]] where I'm hacking phpMyID to make my own

===TODO: Login===
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards
but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
 Bad side: it conflicts with xlockmore :-(

openssh way:
 Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
 Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found
or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
 before I was even prompted for my PIN

opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

===TODO: SSL Auth===
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.

===TODO: Apache SSL Reverse Proxy===
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
===TODO: OpenGPG & x509===
Old dream is to sign an OpenPGP key with the eID, but even if technically possible, it probably breaks the validation chain as what Citizen CA signed was the entire certificate, not just the key/uid.
 Sth to check: [http://www.imc.org/ietf-openpgp/mail-archive/msg09930.html OpenPGP Signatures Incorporating X.509 Certificates]
 The solution is apparently to extend OpenGPG to allow special signatures on UIDs with sub-packets containing the entire certificate, the UID being build from the DN fields of the certificate (CN, EMAIL,...)
 Apparently PGP supports it already?

===TODO: OpenVPN Auth===
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
 But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
===TODO: Other tools===
* [http://sourceforge.net/projects/opensignature OpenSignature] for Italia
* [http://openportalguard.sourceforge.net/ Open Portal Guard] for e.g. public administrations
* beidcrld: where are CRLs downloaded to?
* beidpcscd: how to test it?
* beidlib.jar & java applet...

Belgian eID

2008-03-05T07:41:23Z

212.71.5.64: /* My attempts under Linux */

Belgian eID is part of the efforts of the government for [[Belgian eGov]]
==Officials==

* [http://eid.belgium.be Official eID portal]
* [http://repository.eid.belgium.be/FR/Index.htm Certificates]
* [http://status.eid.belgium.be/ eID services]
* [http://crl.eid.belgium.be/ Revocation lists] and [http://ocsp.eid.belgium.be/ OCSP server]
* [http://eid.belgium.be/fr/navigation/documents/37129.html Circulaires (fr) eID Home / Villes et communes / Quoi / Circulaires] Among others: 3) FORMULAIRE DE RENONCIATION AUX CERTIFICATS DE LA CARTE D’IDENTITE ELECTRONIQUE AU MOMENT DE LA DEMANDE DE LA CARTE 10) MODELE D’ATTESTATION D’ACTIVATION OU DE REVOCATION DES CERTIFICATS APRES ACTIVATION DE LA CARTE 11) MODELE D’ATTESTATION DE SUSPENSION ET DE REACTIVATION DES CERTIFICATS
* [http://www.certipost.be CertiPost], by Belgacom & La Poste/De Post
** [http://www.certipost.be/x500/X500.html Certipost E-Trust™ Public X500 Directory Search]

==Usage & Software==

* [http://www.belgium.be/zip/eid_datacapture_fr.html Middleware & developer's kit]
** There are also Debian packages, cf below my tests under Linux
** [http://developer.novell.com/wiki/index.php/EID-belgium eID configuration toolkit by Novell]
* [http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/WebHome Danny De Cock's page on eID] (same as http://www.godot.be)
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396900.aspx short intro]
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396901.aspx how to use the eID card within your .NET apps]

==Misc==
* http://www.foo.be/eID/ Official data, spec sheet etc (outdated)
* [http://belsec.skynetblogs.be/tag/1/E-ID Belsec blog entries] about the eID
* [http://www.uvcw.be/no_index/e-communes/dossier_eid/Belgian_eID_Run-time_Users_guide.pdf Belgian E-ID runtime guide windows/linux pdf]
* [http://www.porvoo8.rrn.fgov.be/porvoo8/doc13/09_porvoo8-bruegger18_Italy.pdf Open source interoperability and E-ID pdf]
* [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/belpic_eid_version_numbering_v1.5.2.pdf The versioning of E-ID pdf]
* [http://porvoo10.net/p10/10_porvoo10-bud-25.pdf The road to European E-ID interoperability pdf]
* [http://www.microsoft.com/belux/nl/eid/ Microsoft and the eID], just an old marketing buzz? (I wouldn't complain...)
* [http://samba.grep.be/~wouter/beid-screencast.ogg], BeID screencast of what should have been shown at Fosdem 2008, by Wouter. (still waiting for the video of the presentation...)
* [http://www.lalibre.be/societe/cyber/article/404626/la-carte-d-identite-electronique-permettra-de-s-enregistrer-sur-ebay.html] La carte d'identité électronique permettra de s'enregistrer sur eBay

==I revoked my certificates==
===Why?===
Because at that time I knew too few on the details of the eID architecture and too much about how a new security architecture can have flaws, so better to stay away for a while, especially given the legal implications that the eID can bring. I knew they were talking about two certificates without understanding their difference, so let's revoke both. Note that it doesn't mean my eID is not valid, eID card activation is mandatory. The eID card is a proof of identity and residence of a person in Belgium. eID certificates activation is a choice of the holder of the eID (opt-in), he/she can decide to activate or revoke the certificates. (cf [http://www.certipost.be/dpsolutions/en/eid-faq.html FAQ])
===How?===
It was quite epic.
 I was still a bit prepared, hopefully, so I had printed the Annexes 3 & 10, the legal forms to ask either to renounce to have the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil servants :-)
 I printed both as for me it was not clear from the User Manual how to renounce for the certificates.
* [Me] Good morning, I come for my eID and... I want to get rid of the certificates
* [Her] You what? Is it possible? Never heard about that
* [Me] Yes, yes, see (and I show her what's in her User Manual)
* ... (takes a while to digest the info)
* [Her] Ha ok, you've to fill Annex 3, (shouting behind her shoulder) JOSETTE, DO WE HAVE ANNEX 3???
* [Josette] ANNEX WHAT??
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/03_-_FORMULAIRE_RENONCIATION_CERTIFS.pdf Annex 3 (pdf)])
* ... (meanwhile she has no idea what to do on the eID to fulfill renouncement and I agree with her, the Manual was unclear so we went for activation+revocation)
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/10_-_Attestation_activ_Certificats(18-10)_27-07.pdf Annex 10 (pdf)])
* [Her] Can I take your copies before you fill them? I'll make copies for ourselves.
So today the official Annex 3&10 forms of this civil office are mine :-D Who knows, maybe I crafted the form... ;-)

It is "funny" to see that everywhere the activation of the certificates is presented as optional, the choice being left to the citizen, blablabla, but in reality most of the citizen just don't know about this possibility (and most of the civil servants, well I hope that since my story, things have evolved a bit) and the civil servants doesn't ask you the question.

===Some details about those certificates===
The eID contains 2 signature certificates, so you cannot encrypt with them, just sign.
* One labeled "Authentication" is for daily use
** To log in on SSL websites such as [http://minfin.fgov.be/taxonweb/ Tax-on-web] or [http://www.saferchat.be SaferChat] or even your bank e.g. [http://www.keytradebank.com/pdf/eID_en.pdf Keytrade has implemented it (pdf)] with CRL check
** For signing mails with S/MIME
** For your own purpose, to log on your SSH server, SSL server, VPN etc
* One labeled "Signature" is for special cases
** It has a equivalent legal value as a hand-written signature and is referred as non-repudiation signature.
** According to [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/applicability_en.pdf CertiPost applicability guidelines (pdf)], the electronic signature still cannot replace a hand-written signature in a number of cases
**It's automatically revoked for minors under 18 years as they cannot sign legally yet.
**From [http://www.certipost.be/dpsolutions/en/eid-faq.html Certipost FAQ]: ''Non-repudiation guarantees that one cannot deny having performed an act. E.g. any message signed using a person's digital signature can only have come from this person. The signing person can not claim that the message was not originated by him. In other words, non-repudiation means that information '''cannot be disclaimed''', similar to a '''witnessed''' handwritten signature on a paper document.'' ''to be checked in the law''
** Normal pkcs software doesn't seem to be able to use it (?)
** Should be used only through the Government software which prompts you with a special GUI and warnings about the legal power of this signature
* [http://www.certipost.be/dpsolutions/en/rem-overzicht.html CertiPost e-Registered mails] is using the non-repudiation signature
* [http://www.certipost.be/dpsolutions/en/e-signing-overview.html CertiPost e-Signing] is using the non-repudiation signature
* Both are protected by the same PIN which is typed on your (unsafe) PC

===What says the law===
Sorry, here are french version abstracts.
 '''9 JUILLET 2001. - Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification''', date de publication au Moniteur: 29 septembre 2001
 Morceaux choisis:
* Art. 4. § 1er. A défaut de dispositions légales contraires, nul ne peut être contraint de poser un acte juridique par voie électronique.
* § 4. Sans préjudice des articles 1323 et suivants du Code civil, une signature électronique avancée réalisée sur la base d'un certificat qualifié et conçue au moyen d'un dispositif sécurisé de création de signature électronique, est assimilée à une signature manuscrite, qu'elle soit réalisée par une personne physique ou morale.
* § 5. Une signature électronique ne peut être privée de son efficacité juridique et ne peut être refusée comme preuve en justice au seul motif :
** que la signature se présente sous forme électronique, ou
** qu'elle ne repose pas sur un certificat qualifié, ou
** qu'elle ne repose pas sur un certificat qualifié délivré par un prestataire accrédité de service de certification, ou
** qu'elle n'est pas créée par un dispositif sécurisé de création de signature.
* ''Wait a minute, ANY electronic signature NOT being based on a qualified certificate and NOT created in a secure environment CANNOT be refused as a legal proof??? Maybe it's me or the triple-negation sentences (lawyers, lawyers...) but it looks like § 5 goes much further than § 4''

===What do I think today?===
====Catastrophe scenario====
* Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
** you know, the kind of stuff that never happens, anyway it's now [http://eid.belgium.be/fr/navigation/documents/39814.html your problem] even if the official middleware [http://blog.didierstevens.com/2007/12/31/how-can-i-trust-the-beid-runtime/ is not signed]
**And apparently even some readers with integrated keypads are [http://belsec.skynetblogs.be/post/5426553/belgian-eid-nr-11--keyloggers-work-with-eid not safer :-(]
**And apparently even commercial standalone smatcard terminals are [http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf not safer :-( (pdf)]
**And, oh, I did a small test with [[Keyloggers|lkl, a userland keylogger]] and of course the PIN typed into the beid graphical prompt could be easily captured.
* He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
* Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
* The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.

====So what will I do next time?====
* I'll probably accept the Authentication certificate to be able to play around with it.
* For sure I'll revoke the Signature certificate unless they change their architecture.
** Not the same PIN than the other certificate.
** Better than 4 digits (& 3 attempts so 3 chances over 10000)
** Probably they limited themselves to one single small PIN in order to pass the [http://www.kafka.be Kafka test] ;-)
** Even then:
*** Then I could use it but only on trusted devices, that's another story...
*** You get the PIN & PUK by post if I remember well, this could be eavesdropped but you can change your PIN... So as the PUK can unlock the PIN 12 times, the attacker has 36 chances over 10000, one over 278, mmm... And who said humans can generate random PINs? ;-)

===Privacy and other security considerations===
* [http://idcorner.org/2005/07/04/the-belgian-eid-card-calamity/ Another] [http://www.idcorner.org/?p=121 consideration] I didn't talk about yet: PRIVACY
* Whoever sees your public certificate (which happens e.g. if you log to a SSL website with your card or '''if you simply send a signed email''') sees your [http://www.ibz.rrn.fgov.be/ RRN ("rijksregistratienummer")] BTW here is [http://fr.wikipedia.org/wiki/Num%C3%A9ro_de_registre_national how it's constructed]: It is a total of 11 numbers of which the first 6 are your birthdate JJMMDD followed by three numbers to distinguish the people that were born on the same day (even for men, uneven for women) and the last two numbers are a control number. So if you know the birthdate and the sex of the person, and you know how the control sum is done (97-JJMMDDXXX%97), you only miss two and a half numbers coming from a linear incremental counter (001, 003,...) to recompile his national register number. For mine it takes less than 40 attempts it you proceed logically...
* [http://minfin.fgov.be/taxonweb/ Tax-on-web] announce it but what about the others and your mail correspondants? ''Suite à l'utilisation de votre moyen d'authentification (carte d'identité électronique ou token citoyen), le SPF Finances a connaissance de votre numéro de registre national. Conformément à l'arrêté royal du 25/04/1986 autorisant certaines autorités du Ministère des Finances à utiliser le numéro d'identification du registre national des personnes physiques, votre numéro de registre national n'est utilisé dans ce contexte qu'à des fins d'identification pour l'accès aux applications du SPF Finances. La loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel s'applique à ce traitement d'identification dont le responsable est le SPF Finances, Boulevard Albert II, 33 à 1030 Bruxelles.''
* Other "funny" facts: Belgium government doesn't bother about cross-certification with any common Root CA so when you want to visit an official site supposedly secured such as https://ccff02.minfin.fgov.be/CCFF_Authentication/choseLoginMethod.do or https://mijndossier.rrn.fgov.be you're kindly asked to blindly trust the certificate, years after phishing was invented, sigh...
* And even "better": for Firefox, [http://www.certipost.be/dpsolutions/en/e-signing-faq.html CertiPost e-Signing] requires you to download and install their CA certificate and to trust it for identifying everything: web sites, mail users and software! Here the download of the CA certificate is done... on pure http, sigh...
* [https://www.cosic.esat.kuleuven.be/adapid/ ADAPID project] is a consortium of researchers and industry representatives in Flanders decided to take action in an attempt to help avoid a national privacy calamity. After a first (non-public) report, the ADAPID project won the financial support of IWT-Flanders. ADAPID officially started July 1st, 2005 and will run until June 30th, 2009.
* Normally the third and definitive version of the eID should have been rolled out begin of this year (2008) but I've no idea what are the changes.
* [http://www.cirb.irisnet.be/site/fr/eid/ethicalid/index_htm Ethical-ID] is a software which presents to the e.g. swimming pool employee the only relevant data e.g. the residence city.

==My attempts under Linux==
I'm using the [[IDream ID-SMID01 SmartCard reader]], bought for 10€

Installing beidgui and dependencies:
apt-get install beidgui beid-tools
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

UPDATE: There is a version 2.6.0-3 available in unstable
apt-get install -t unstable beidgui beid-tools

There are 2 (optional) daemons provided with beid-tools:
* beidcrld Automatic CRL download
* beidpcscd The privacy filter monitors all commands sent to the card. When an application requests to read the identity data, address or photo from the eID card, the filter will display a message and ask the user's consent it's listening on port tcp 2500 and beidcrld, firefox-bin and icedove-bin are constantly speaking with it...

===Exploring===
pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2
# For a little demo...
beid-pkcs11-tool --slot 0 --login --test
There is also some java support but I couldn't try it yet.

===Firefox security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
 cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
 You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

You can then connect to federal sites like [http://minfin.fgov.be/taxonweb/ Tax-on-web] or the [https://mondossier.rrn.fgov.be RRN], being identified by your card & PIN.
 Note that it works only if I start Firefox after having the eID in place in the reader.
 Note that I didn't get much further, being redirected to e.g.
this nonexistent page but the title speaks for itself ;-) https://mondossier.rrn.fgov.be/CertificateRevoked.html

===Thunderbird security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

Try to sign a first mail:
 Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certif

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
 According to the snapshots of the official guide of the eID for Outlook, it's ok, the Authentication certificate must be used, the other being reserved for legal signatures.
 UPDATE: Well now that I saw that Wouter could sign with the signature certificate I tried again and indeed it works.

One difficulty is that the certificate is not bound to an email address so the email client tells you sth like it's validly signed but no idea if the certificate owner corresponds to the sender email address.

===Signing with pkcs15-crypt===
From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:
fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
Indeed signing with the signature certificate and without a GUI showing a warning about the legal implication is forbidden.

===Signing with GpgSM===
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html

apt-get install gpgsm dirmngr gnupg-agent pinentry-qt

~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted

~/.bash_profile: (appending this stuff)
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
export GPG_AGENT_INFO
else
eval `gpg-agent --daemon`
echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi

~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader)
disable-ccid
debug-level none

~/.gnupg/gpgsm.conf:
debug-level none

Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times, the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproductible so you've to run it till you've the 4 certificates:
$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
Subject: /CN=Belgium Root CA/C=BE
[...]
Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...]
Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...]
Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign sth:
$ gpgsm --sign mail.txt
Then I get prompted to trust Belgium CA and gpgsm fails "error creating signature: Certificat révoqué <GpgSM>", normal.
 During trusting the Belgium CA, it created automatically a .gnupg/trustlist.txt with
# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S

Ok let's try again without the CRLs check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created
I was prompted for my PIN during the process.

And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]: runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificat révoqué
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...

===e-Signing plugin for Firefox===
* pure curiosity...
* cf http://www.certipost.be/dpsolutions/en/e-signing-faq.html
* the plugin is signed so you've to install the CA certificate of Certipost first and, cf above in my "funny facts", for Firefox, you've to download and... trust it. The certificate is apparently no longer (broken link) and I could not find it in their search tool, the only thing I could find is [http://64.233.183.104/search?q=cache:vzHK3UKTuiMJ:www.certipost.be/en/certificates/PrimaryNormalisedCA/certificate_pem.cer+PrimaryNormalisedCA&hl=fr&ct=clnk&cd=3&gl=fr a copy of the pem version in Google cache(!)] but that was good enough to be able to install the plugin.
* Moreover [https://connect.e-signing.be/app/en/create the form to sign] wants to directly execute some jar file but under an SSL connection signed by... the so-hard-to-get Certipost CA certificate, itself signed by GTE CyberTrust Global Root, an authority built-in in the browsers.
* You've [https://www.certipost.be/webshop/ to pay] to be able to sign with your eID non-repudiation signature to have a valid ''Qualified Electronic Signature with long term value''
* [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/technical_measures_en.pdf There are some explanations] of the additional services provided by CertiPost: ''The applied XAdES-X-L is an XML signature format according to the recognized XAdES standard (ETSI TS 101 903 standard) that implements measures to satisfy the legal requirements for advanced electronic signatures as defined in the European Directive (EC 1999/93: European Community (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES) and for long term non-repudiation. Next to the electronic signature itself, the XAdES-X-Lfile contains the certificate that was used during the signature, the information to proof whether the certificate was valid when signing, and a time stamp to proof that all information used for signing existed and not altered since. Moreover CertiPost keeps a copy of the signed information.
* Timestamps & storage look like additional features, not mandated by the law, so can I create a ''Qualified Electronic Signature with long term value'' out of the CertiPost context, so just a plain x509 signature?

===SSH===
Inspired from http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
 Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):
Package: openssh-client-sc
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...
 I recompile ssh with smartcard support.
apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot
Sending my public key to the ssh server:
pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'
Then logging, being prompted for my PIN:
ssh -I 0 user@host.com
===OpenID===
cf [[OpenID]] and [[OpenID-eID]] where I'm hacking phpMyID to make my own

===TODO: Login===
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards
but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
 Bad side: it conflicts with xlockmore :-(

openssh way:
 Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
 Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found
or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
 before I was even prompted for my PIN

opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

===TODO: SSL Auth===
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.

===TODO: Apache SSL Reverse Proxy===
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
===TODO: OpenGPG & x509===
Old dream is to sign an OpenPGP key with the eID, but even if technically possible, it probably breaks the validation chain as what Citizen CA signed was the entire certificate, not just the key/uid.
 Sth to check: [http://www.imc.org/ietf-openpgp/mail-archive/msg09930.html OpenPGP Signatures Incorporating X.509 Certificates]
 The solution is apparently to extend OpenGPG to allow special signatures on UIDs with sub-packets containing the entire certificate, the UID being build from the DN fields of the certificate (CN, EMAIL,...)
 Apparently PGP supports it already?

===TODO: OpenVPN Auth===
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
 But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
===TODO: Other tools===
* [http://sourceforge.net/projects/opensignature OpenSignature] for Italia
* [http://openportalguard.sourceforge.net/ Open Portal Guard] for e.g. public administrations

Belgian eID

2008-03-04T23:20:01Z

212.71.5.64: /* Exploring */

Belgian eID is part of the efforts of the government for [[Belgian eGov]]
==Officials==

* [http://eid.belgium.be Official eID portal]
* [http://repository.eid.belgium.be/FR/Index.htm Certificates]
* [http://status.eid.belgium.be/ eID services]
* [http://crl.eid.belgium.be/ Revocation lists] and [http://ocsp.eid.belgium.be/ OCSP server]
* [http://eid.belgium.be/fr/navigation/documents/37129.html Circulaires (fr) eID Home / Villes et communes / Quoi / Circulaires] Among others: 3) FORMULAIRE DE RENONCIATION AUX CERTIFICATS DE LA CARTE D’IDENTITE ELECTRONIQUE AU MOMENT DE LA DEMANDE DE LA CARTE 10) MODELE D’ATTESTATION D’ACTIVATION OU DE REVOCATION DES CERTIFICATS APRES ACTIVATION DE LA CARTE 11) MODELE D’ATTESTATION DE SUSPENSION ET DE REACTIVATION DES CERTIFICATS
* [http://www.certipost.be CertiPost], by Belgacom & La Poste/De Post
** [http://www.certipost.be/x500/X500.html Certipost E-Trust™ Public X500 Directory Search]

==Usage & Software==

* [http://www.belgium.be/zip/eid_datacapture_fr.html Middleware & developer's kit]
** There are also Debian packages, cf below my tests under Linux
** [http://developer.novell.com/wiki/index.php/EID-belgium eID configuration toolkit by Novell]
* [http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/WebHome Danny De Cock's page on eID] (same as http://www.godot.be)
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396900.aspx short intro]
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396901.aspx how to use the eID card within your .NET apps]

==Misc==
* http://www.foo.be/eID/ Official data, spec sheet etc (outdated)
* [http://belsec.skynetblogs.be/tag/1/E-ID Belsec blog entries] about the eID
* [http://www.uvcw.be/no_index/e-communes/dossier_eid/Belgian_eID_Run-time_Users_guide.pdf Belgian E-ID runtime guide windows/linux pdf]
* [http://www.porvoo8.rrn.fgov.be/porvoo8/doc13/09_porvoo8-bruegger18_Italy.pdf Open source interoperability and E-ID pdf]
* [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/belpic_eid_version_numbering_v1.5.2.pdf The versioning of E-ID pdf]
* [http://porvoo10.net/p10/10_porvoo10-bud-25.pdf The road to European E-ID interoperability pdf]
* [http://www.microsoft.com/belux/nl/eid/ Microsoft and the eID], just an old marketing buzz? (I wouldn't complain...)
* [http://samba.grep.be/~wouter/beid-screencast.ogg], BeID screencast of what should have been shown at Fosdem 2008, by Wouter. (still waiting for the video of the presentation...)
* [http://www.lalibre.be/societe/cyber/article/404626/la-carte-d-identite-electronique-permettra-de-s-enregistrer-sur-ebay.html] La carte d'identité électronique permettra de s'enregistrer sur eBay

==I revoked my certificates==
===Why?===
Because at that time I knew too few on the details of the eID architecture and too much about how a new security architecture can have flaws, so better to stay away for a while, especially given the legal implications that the eID can bring. I knew they were talking about two certificates without understanding their difference, so let's revoke both. Note that it doesn't mean my eID is not valid, eID card activation is mandatory. The eID card is a proof of identity and residence of a person in Belgium. eID certificates activation is a choice of the holder of the eID (opt-in), he/she can decide to activate or revoke the certificates. (cf [http://www.certipost.be/dpsolutions/en/eid-faq.html FAQ])
===How?===
It was quite epic.
 I was still a bit prepared, hopefully, so I had printed the Annexes 3 & 10, the legal forms to ask either to renounce to have the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil servants :-)
 I printed both as for me it was not clear from the User Manual how to renounce for the certificates.
* [Me] Good morning, I come for my eID and... I want to get rid of the certificates
* [Her] You what? Is it possible? Never heard about that
* [Me] Yes, yes, see (and I show her what's in her User Manual)
* ... (takes a while to digest the info)
* [Her] Ha ok, you've to fill Annex 3, (shouting behind her shoulder) JOSETTE, DO WE HAVE ANNEX 3???
* [Josette] ANNEX WHAT??
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/03_-_FORMULAIRE_RENONCIATION_CERTIFS.pdf Annex 3 (pdf)])
* ... (meanwhile she has no idea what to do on the eID to fulfill renouncement and I agree with her, the Manual was unclear so we went for activation+revocation)
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/10_-_Attestation_activ_Certificats(18-10)_27-07.pdf Annex 10 (pdf)])
* [Her] Can I take your copies before you fill them? I'll make copies for ourselves.
So today the official Annex 3&10 forms of this civil office are mine :-D Who knows, maybe I crafted the form... ;-)

It is "funny" to see that everywhere the activation of the certificates is presented as optional, the choice being left to the citizen, blablabla, but in reality most of the citizen just don't know about this possibility (and most of the civil servants, well I hope that since my story, things have evolved a bit) and the civil servants doesn't ask you the question.

===Some details about those certificates===
The eID contains 2 signature certificates, so you cannot encrypt with them, just sign.
* One labeled "Authentication" is for daily use
** To log in on SSL websites such as [http://minfin.fgov.be/taxonweb/ Tax-on-web] or [http://www.saferchat.be SaferChat] or even your bank e.g. [http://www.keytradebank.com/pdf/eID_en.pdf Keytrade has implemented it (pdf)] with CRL check
** For signing mails with S/MIME
** For your own purpose, to log on your SSH server, SSL server, VPN etc
* One labeled "Signature" is for special cases
** It has a equivalent legal value as a hand-written signature and is referred as non-repudiation signature.
** According to [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/applicability_en.pdf CertiPost applicability guidelines (pdf)], the electronic signature still cannot replace a hand-written signature in a number of cases
**It's automatically revoked for minors under 18 years as they cannot sign legally yet.
**From [http://www.certipost.be/dpsolutions/en/eid-faq.html Certipost FAQ]: ''Non-repudiation guarantees that one cannot deny having performed an act. E.g. any message signed using a person's digital signature can only have come from this person. The signing person can not claim that the message was not originated by him. In other words, non-repudiation means that information '''cannot be disclaimed''', similar to a '''witnessed''' handwritten signature on a paper document.'' ''to be checked in the law''
** Normal pkcs software doesn't seem to be able to use it (?)
** Should be used only through the Government software which prompts you with a special GUI and warnings about the legal power of this signature
* [http://www.certipost.be/dpsolutions/en/rem-overzicht.html CertiPost e-Registered mails] is using the non-repudiation signature
* [http://www.certipost.be/dpsolutions/en/e-signing-overview.html CertiPost e-Signing] is using the non-repudiation signature
* Both are protected by the same PIN which is typed on your (unsafe) PC

===What says the law===
Sorry, here are french version abstracts.
 '''9 JUILLET 2001. - Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification''', date de publication au Moniteur: 29 septembre 2001
 Morceaux choisis:
* Art. 4. § 1er. A défaut de dispositions légales contraires, nul ne peut être contraint de poser un acte juridique par voie électronique.
* § 4. Sans préjudice des articles 1323 et suivants du Code civil, une signature électronique avancée réalisée sur la base d'un certificat qualifié et conçue au moyen d'un dispositif sécurisé de création de signature électronique, est assimilée à une signature manuscrite, qu'elle soit réalisée par une personne physique ou morale.
* § 5. Une signature électronique ne peut être privée de son efficacité juridique et ne peut être refusée comme preuve en justice au seul motif :
** que la signature se présente sous forme électronique, ou
** qu'elle ne repose pas sur un certificat qualifié, ou
** qu'elle ne repose pas sur un certificat qualifié délivré par un prestataire accrédité de service de certification, ou
** qu'elle n'est pas créée par un dispositif sécurisé de création de signature.
* ''Wait a minute, ANY electronic signature NOT being based on a qualified certificate and NOT created in a secure environment CANNOT be refused as a legal proof??? Maybe it's me or the triple-negation sentences (lawyers, lawyers...) but it looks like § 5 goes much further than § 4''

===What do I think today?===
====Catastrophe scenario====
* Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
** you know, the kind of stuff that never happens, anyway it's now [http://eid.belgium.be/fr/navigation/documents/39814.html your problem] even if the official middleware [http://blog.didierstevens.com/2007/12/31/how-can-i-trust-the-beid-runtime/ is not signed]
**And apparently even some readers with integrated keypads are [http://belsec.skynetblogs.be/post/5426553/belgian-eid-nr-11--keyloggers-work-with-eid not safer :-(]
**And apparently even commercial standalone smatcard terminals are [http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf not safer :-( (pdf)]
**And, oh, I did a small test with [[Keyloggers|lkl, a userland keylogger]] and of course the PIN typed into the beid graphical prompt could be easily captured.
* He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
* Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
* The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.

====So what will I do next time?====
* I'll probably accept the Authentication certificate to be able to play around with it.
* For sure I'll revoke the Signature certificate unless they change their architecture.
** Not the same PIN than the other certificate.
** Better than 4 digits (& 3 attempts so 3 chances over 10000)
** Probably they limited themselves to one single small PIN in order to pass the [http://www.kafka.be Kafka test] ;-)
** Even then:
*** Then I could use it but only on trusted devices, that's another story...
*** You get the PIN & PUK by post if I remember well, this could be eavesdropped but you can change your PIN... So as the PUK can unlock the PIN 12 times, the attacker has 36 chances over 10000, one over 278, mmm... And who said humans can generate random PINs? ;-)

===Privacy and other security considerations===
* [http://idcorner.org/2005/07/04/the-belgian-eid-card-calamity/ Another] [http://www.idcorner.org/?p=121 consideration] I didn't talk about yet: PRIVACY
* Whoever sees your public certificate (which happens e.g. if you log to a SSL website with your card or '''if you simply send a signed email''') sees your [http://www.ibz.rrn.fgov.be/ RRN ("rijksregistratienummer")] BTW here is [http://fr.wikipedia.org/wiki/Num%C3%A9ro_de_registre_national how it's constructed]: It is a total of 11 numbers of which the first 6 are your birthdate JJMMDD followed by three numbers to distinguish the people that were born on the same day (even for men, uneven for women) and the last two numbers are a control number. So if you know the birthdate and the sex of the person, and you know how the control sum is done (97-JJMMDDXXX%97), you only miss two and a half numbers coming from a linear incremental counter (001, 003,...) to recompile his national register number. For mine it takes less than 40 attempts it you proceed logically...
* [http://minfin.fgov.be/taxonweb/ Tax-on-web] announce it but what about the others and your mail correspondants? ''Suite à l'utilisation de votre moyen d'authentification (carte d'identité électronique ou token citoyen), le SPF Finances a connaissance de votre numéro de registre national. Conformément à l'arrêté royal du 25/04/1986 autorisant certaines autorités du Ministère des Finances à utiliser le numéro d'identification du registre national des personnes physiques, votre numéro de registre national n'est utilisé dans ce contexte qu'à des fins d'identification pour l'accès aux applications du SPF Finances. La loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel s'applique à ce traitement d'identification dont le responsable est le SPF Finances, Boulevard Albert II, 33 à 1030 Bruxelles.''
* Other "funny" facts: Belgium government doesn't bother about cross-certification with any common Root CA so when you want to visit an official site supposedly secured such as https://ccff02.minfin.fgov.be/CCFF_Authentication/choseLoginMethod.do or https://mijndossier.rrn.fgov.be you're kindly asked to blindly trust the certificate, years after phishing was invented, sigh...
* And even "better": for Firefox, [http://www.certipost.be/dpsolutions/en/e-signing-faq.html CertiPost e-Signing] requires you to download and install their CA certificate and to trust it for identifying everything: web sites, mail users and software! Here the download of the CA certificate is done... on pure http, sigh...
* [https://www.cosic.esat.kuleuven.be/adapid/ ADAPID project] is a consortium of researchers and industry representatives in Flanders decided to take action in an attempt to help avoid a national privacy calamity. After a first (non-public) report, the ADAPID project won the financial support of IWT-Flanders. ADAPID officially started July 1st, 2005 and will run until June 30th, 2009.
* Normally the third and definitive version of the eID should have been rolled out begin of this year (2008) but I've no idea what are the changes.
* [http://www.cirb.irisnet.be/site/fr/eid/ethicalid/index_htm Ethical-ID] is a software which presents to the e.g. swimming pool employee the only relevant data e.g. the residence city.

==My attempts under Linux==
I'm using the [[IDream ID-SMID01 SmartCard reader]], bought for 10€

Installing beidgui and dependencies:
apt-get install beidgui beid-tools
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

UPDATE: There is a version 2.6.0-3 available in unstable
apt-get install -t unstable beidgui beid-tools

There are 2 daemons provided with beid-tools:
* beidcrld Automatic CRL download
* beidpcscd The privacy filter monitors all commands sent to the card. When an application requests to read the identity data, address or photo from the eID card, the filter will display a message and ask the user's consent

===Exploring===
pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2
# For a little demo...
beid-pkcs11-tool --slot 0 --login --test
There are 2 daemons but their usage is still unclear to me as everythingn works (or not) with or without those daemons.
* beidcrld, about keeping CRLs up-to-date?
* beidpcscd, ?, it's listening on port tcp 2500 and beidcrld, firefox-bin and icedove-bin are constantly speaking with it...
There is also some java support but I couldn't try it yet.

===Firefox security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
 cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
 You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

You can then connect to federal sites like [http://minfin.fgov.be/taxonweb/ Tax-on-web] or the [https://mondossier.rrn.fgov.be RRN], being identified by your card & PIN.
 Note that it works only if I start Firefox after having the eID in place in the reader.
 Note that I didn't get much further, being redirected to e.g.
this nonexistent page but the title speaks for itself ;-) https://mondossier.rrn.fgov.be/CertificateRevoked.html

===Thunderbird security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

Try to sign a first mail:
 Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certif

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
 According to the snapshots of the official guide of the eID for Outlook, it's ok, the Authentication certificate must be used, the other being reserved for legal signatures.
 UPDATE: Well now that I saw that Wouter could sign with the signature certificate I tried again and indeed it works.

One difficulty is that the certificate is not bound to an email address so the email client tells you sth like it's validly signed but no idea if the certificate owner corresponds to the sender email address.

===Signing with pkcs15-crypt===
From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:
fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
Indeed signing with the signature certificate and without a GUI showing a warning about the legal implication is forbidden.

===Signing with GpgSM===
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html

apt-get install gpgsm dirmngr gnupg-agent pinentry-qt

~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted

~/.bash_profile: (appending this stuff)
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
export GPG_AGENT_INFO
else
eval `gpg-agent --daemon`
echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi

~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader)
disable-ccid
debug-level none

~/.gnupg/gpgsm.conf:
debug-level none

Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times, the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproductible so you've to run it till you've the 4 certificates:
$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
Subject: /CN=Belgium Root CA/C=BE
[...]
Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...]
Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...]
Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign sth:
$ gpgsm --sign mail.txt
Then I get prompted to trust Belgium CA and gpgsm fails "error creating signature: Certificat révoqué <GpgSM>", normal.
 During trusting the Belgium CA, it created automatically a .gnupg/trustlist.txt with
# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S

Ok let's try again without the CRLs check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created
I was prompted for my PIN during the process.

And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]: runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificat révoqué
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...

===e-Signing plugin for Firefox===
* pure curiosity...
* cf http://www.certipost.be/dpsolutions/en/e-signing-faq.html
* the plugin is signed so you've to install the CA certificate of Certipost first and, cf above in my "funny facts", for Firefox, you've to download and... trust it. The certificate is apparently no longer (broken link) and I could not find it in their search tool, the only thing I could find is [http://64.233.183.104/search?q=cache:vzHK3UKTuiMJ:www.certipost.be/en/certificates/PrimaryNormalisedCA/certificate_pem.cer+PrimaryNormalisedCA&hl=fr&ct=clnk&cd=3&gl=fr a copy of the pem version in Google cache(!)] but that was good enough to be able to install the plugin.
* Moreover [https://connect.e-signing.be/app/en/create the form to sign] wants to directly execute some jar file but under an SSL connection signed by... the so-hard-to-get Certipost CA certificate, itself signed by GTE CyberTrust Global Root, an authority built-in in the browsers.
* You've [https://www.certipost.be/webshop/ to pay] to be able to sign with your eID non-repudiation signature to have a valid ''Qualified Electronic Signature with long term value''
* [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/technical_measures_en.pdf There are some explanations] of the additional services provided by CertiPost: ''The applied XAdES-X-L is an XML signature format according to the recognized XAdES standard (ETSI TS 101 903 standard) that implements measures to satisfy the legal requirements for advanced electronic signatures as defined in the European Directive (EC 1999/93: European Community (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES) and for long term non-repudiation. Next to the electronic signature itself, the XAdES-X-Lfile contains the certificate that was used during the signature, the information to proof whether the certificate was valid when signing, and a time stamp to proof that all information used for signing existed and not altered since. Moreover CertiPost keeps a copy of the signed information.
* Timestamps & storage look like additional features, not mandated by the law, so can I create a ''Qualified Electronic Signature with long term value'' out of the CertiPost context, so just a plain x509 signature?

===SSH===
Inspired from http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
 Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):
Package: openssh-client-sc
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...
 I recompile ssh with smartcard support.
apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot
Sending my public key to the ssh server:
pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'
Then logging, being prompted for my PIN:
ssh -I 0 user@host.com
===OpenID===
cf [[OpenID]] and [[OpenID-eID]] where I'm hacking phpMyID to make my own

===TODO: Login===
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards
but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
 Bad side: it conflicts with xlockmore :-(

openssh way:
 Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
 Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found
or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
 before I was even prompted for my PIN

opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

===TODO: SSL Auth===
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.

===TODO: Apache SSL Reverse Proxy===
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
===TODO: OpenGPG & x509===
Old dream is to sign an OpenPGP key with the eID, but even if technically possible, it probably breaks the validation chain as what Citizen CA signed was the entire certificate, not just the key/uid.
 Sth to check: [http://www.imc.org/ietf-openpgp/mail-archive/msg09930.html OpenPGP Signatures Incorporating X.509 Certificates]
 The solution is apparently to extend OpenGPG to allow special signatures on UIDs with sub-packets containing the entire certificate, the UID being build from the DN fields of the certificate (CN, EMAIL,...)
 Apparently PGP supports it already?

===TODO: OpenVPN Auth===
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
 But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
===TODO: Other tools===
* [http://sourceforge.net/projects/opensignature OpenSignature] for Italia
* [http://openportalguard.sourceforge.net/ Open Portal Guard] for e.g. public administrations

Belgian eID

2008-03-04T22:40:12Z

212.71.5.64: /* My attempts under Linux */

Belgian eID is part of the efforts of the government for [[Belgian eGov]]
==Officials==

* [http://eid.belgium.be Official eID portal]
* [http://repository.eid.belgium.be/FR/Index.htm Certificates]
* [http://status.eid.belgium.be/ eID services]
* [http://crl.eid.belgium.be/ Revocation lists] and [http://ocsp.eid.belgium.be/ OCSP server]
* [http://eid.belgium.be/fr/navigation/documents/37129.html Circulaires (fr) eID Home / Villes et communes / Quoi / Circulaires] Among others: 3) FORMULAIRE DE RENONCIATION AUX CERTIFICATS DE LA CARTE D’IDENTITE ELECTRONIQUE AU MOMENT DE LA DEMANDE DE LA CARTE 10) MODELE D’ATTESTATION D’ACTIVATION OU DE REVOCATION DES CERTIFICATS APRES ACTIVATION DE LA CARTE 11) MODELE D’ATTESTATION DE SUSPENSION ET DE REACTIVATION DES CERTIFICATS
* [http://www.certipost.be CertiPost], by Belgacom & La Poste/De Post
** [http://www.certipost.be/x500/X500.html Certipost E-Trust™ Public X500 Directory Search]

==Usage & Software==

* [http://www.belgium.be/zip/eid_datacapture_fr.html Middleware & developer's kit]
** There are also Debian packages, cf below my tests under Linux
** [http://developer.novell.com/wiki/index.php/EID-belgium eID configuration toolkit by Novell]
* [http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/WebHome Danny De Cock's page on eID] (same as http://www.godot.be)
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396900.aspx short intro]
* [http://weblogs.asp.net/cumpsd/archive/2005/04/03/396901.aspx how to use the eID card within your .NET apps]

==Misc==
* http://www.foo.be/eID/ Official data, spec sheet etc (outdated)
* [http://belsec.skynetblogs.be/tag/1/E-ID Belsec blog entries] about the eID
* [http://www.uvcw.be/no_index/e-communes/dossier_eid/Belgian_eID_Run-time_Users_guide.pdf Belgian E-ID runtime guide windows/linux pdf]
* [http://www.porvoo8.rrn.fgov.be/porvoo8/doc13/09_porvoo8-bruegger18_Italy.pdf Open source interoperability and E-ID pdf]
* [http://www.ibz.rrn.fgov.be/fileadmin/user_upload/CI/eID/5%20aspects%20techniques/fr/belpic_eid_version_numbering_v1.5.2.pdf The versioning of E-ID pdf]
* [http://porvoo10.net/p10/10_porvoo10-bud-25.pdf The road to European E-ID interoperability pdf]
* [http://www.microsoft.com/belux/nl/eid/ Microsoft and the eID], just an old marketing buzz? (I wouldn't complain...)
* [http://samba.grep.be/~wouter/beid-screencast.ogg], BeID screencast of what should have been shown at Fosdem 2008, by Wouter. (still waiting for the video of the presentation...)
* [http://www.lalibre.be/societe/cyber/article/404626/la-carte-d-identite-electronique-permettra-de-s-enregistrer-sur-ebay.html] La carte d'identité électronique permettra de s'enregistrer sur eBay

==I revoked my certificates==
===Why?===
Because at that time I knew too few on the details of the eID architecture and too much about how a new security architecture can have flaws, so better to stay away for a while, especially given the legal implications that the eID can bring. I knew they were talking about two certificates without understanding their difference, so let's revoke both. Note that it doesn't mean my eID is not valid, eID card activation is mandatory. The eID card is a proof of identity and residence of a person in Belgium. eID certificates activation is a choice of the holder of the eID (opt-in), he/she can decide to activate or revoke the certificates. (cf [http://www.certipost.be/dpsolutions/en/eid-faq.html FAQ])
===How?===
It was quite epic.
 I was still a bit prepared, hopefully, so I had printed the Annexes 3 & 10, the legal forms to ask either to renounce to have the certificates or to revoke them just after activation, as well as the relevant parts of the User Manual for the civil servants :-)
 I printed both as for me it was not clear from the User Manual how to renounce for the certificates.
* [Me] Good morning, I come for my eID and... I want to get rid of the certificates
* [Her] You what? Is it possible? Never heard about that
* [Me] Yes, yes, see (and I show her what's in her User Manual)
* ... (takes a while to digest the info)
* [Her] Ha ok, you've to fill Annex 3, (shouting behind her shoulder) JOSETTE, DO WE HAVE ANNEX 3???
* [Josette] ANNEX WHAT??
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/03_-_FORMULAIRE_RENONCIATION_CERTIFS.pdf Annex 3 (pdf)])
* ... (meanwhile she has no idea what to do on the eID to fulfill renouncement and I agree with her, the Manual was unclear so we went for activation+revocation)
* [Me] No prob, look (and I pull out my own copy of [http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/10_-_Attestation_activ_Certificats(18-10)_27-07.pdf Annex 10 (pdf)])
* [Her] Can I take your copies before you fill them? I'll make copies for ourselves.
So today the official Annex 3&10 forms of this civil office are mine :-D Who knows, maybe I crafted the form... ;-)

It is "funny" to see that everywhere the activation of the certificates is presented as optional, the choice being left to the citizen, blablabla, but in reality most of the citizen just don't know about this possibility (and most of the civil servants, well I hope that since my story, things have evolved a bit) and the civil servants doesn't ask you the question.

===Some details about those certificates===
The eID contains 2 signature certificates, so you cannot encrypt with them, just sign.
* One labeled "Authentication" is for daily use
** To log in on SSL websites such as [http://minfin.fgov.be/taxonweb/ Tax-on-web] or [http://www.saferchat.be SaferChat] or even your bank e.g. [http://www.keytradebank.com/pdf/eID_en.pdf Keytrade has implemented it (pdf)] with CRL check
** For signing mails with S/MIME
** For your own purpose, to log on your SSH server, SSL server, VPN etc
* One labeled "Signature" is for special cases
** It has a equivalent legal value as a hand-written signature and is referred as non-repudiation signature.
** According to [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/applicability_en.pdf CertiPost applicability guidelines (pdf)], the electronic signature still cannot replace a hand-written signature in a number of cases
**It's automatically revoked for minors under 18 years as they cannot sign legally yet.
**From [http://www.certipost.be/dpsolutions/en/eid-faq.html Certipost FAQ]: ''Non-repudiation guarantees that one cannot deny having performed an act. E.g. any message signed using a person's digital signature can only have come from this person. The signing person can not claim that the message was not originated by him. In other words, non-repudiation means that information '''cannot be disclaimed''', similar to a '''witnessed''' handwritten signature on a paper document.'' ''to be checked in the law''
** Normal pkcs software doesn't seem to be able to use it (?)
** Should be used only through the Government software which prompts you with a special GUI and warnings about the legal power of this signature
* [http://www.certipost.be/dpsolutions/en/rem-overzicht.html CertiPost e-Registered mails] is using the non-repudiation signature
* [http://www.certipost.be/dpsolutions/en/e-signing-overview.html CertiPost e-Signing] is using the non-repudiation signature
* Both are protected by the same PIN which is typed on your (unsafe) PC

===What says the law===
Sorry, here are french version abstracts.
 '''9 JUILLET 2001. - Loi fixant certaines règles relatives au cadre juridique pour les signatures électroniques et les services de certification''', date de publication au Moniteur: 29 septembre 2001
 Morceaux choisis:
* Art. 4. § 1er. A défaut de dispositions légales contraires, nul ne peut être contraint de poser un acte juridique par voie électronique.
* § 4. Sans préjudice des articles 1323 et suivants du Code civil, une signature électronique avancée réalisée sur la base d'un certificat qualifié et conçue au moyen d'un dispositif sécurisé de création de signature électronique, est assimilée à une signature manuscrite, qu'elle soit réalisée par une personne physique ou morale.
* § 5. Une signature électronique ne peut être privée de son efficacité juridique et ne peut être refusée comme preuve en justice au seul motif :
** que la signature se présente sous forme électronique, ou
** qu'elle ne repose pas sur un certificat qualifié, ou
** qu'elle ne repose pas sur un certificat qualifié délivré par un prestataire accrédité de service de certification, ou
** qu'elle n'est pas créée par un dispositif sécurisé de création de signature.
* ''Wait a minute, ANY electronic signature NOT being based on a qualified certificate and NOT created in a secure environment CANNOT be refused as a legal proof??? Maybe it's me or the triple-negation sentences (lawyers, lawyers...) but it looks like § 5 goes much further than § 4''

===What do I think today?===
====Catastrophe scenario====
* Someone captures your PIN while you're using it for "just authentication" via e.g. malware, virus, trojan, worm on the PC
** you know, the kind of stuff that never happens, anyway it's now [http://eid.belgium.be/fr/navigation/documents/39814.html your problem] even if the official middleware [http://blog.didierstevens.com/2007/12/31/how-can-i-trust-the-beid-runtime/ is not signed]
**And apparently even some readers with integrated keypads are [http://belsec.skynetblogs.be/post/5426553/belgian-eid-nr-11--keyloggers-work-with-eid not safer :-(]
**And apparently even commercial standalone smatcard terminals are [http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-711.pdf not safer :-( (pdf)]
**And, oh, I did a small test with [[Keyloggers|lkl, a userland keylogger]] and of course the PIN typed into the beid graphical prompt could be easily captured.
* He gets physical access to your eID, even briefly if he has e.g. a PDA with Internet & smartcard reader.
* Now he can sign with your legal signature anything you can imagine... and you cannot repudiate what he does.
* The fact that maybe legal signatures have to be crafted through CertiPost (cf e-signing below) doesn't change anything to this risk.

====So what will I do next time?====
* I'll probably accept the Authentication certificate to be able to play around with it.
* For sure I'll revoke the Signature certificate unless they change their architecture.
** Not the same PIN than the other certificate.
** Better than 4 digits (& 3 attempts so 3 chances over 10000)
** Probably they limited themselves to one single small PIN in order to pass the [http://www.kafka.be Kafka test] ;-)
** Even then:
*** Then I could use it but only on trusted devices, that's another story...
*** You get the PIN & PUK by post if I remember well, this could be eavesdropped but you can change your PIN... So as the PUK can unlock the PIN 12 times, the attacker has 36 chances over 10000, one over 278, mmm... And who said humans can generate random PINs? ;-)

===Privacy and other security considerations===
* [http://idcorner.org/2005/07/04/the-belgian-eid-card-calamity/ Another] [http://www.idcorner.org/?p=121 consideration] I didn't talk about yet: PRIVACY
* Whoever sees your public certificate (which happens e.g. if you log to a SSL website with your card or '''if you simply send a signed email''') sees your [http://www.ibz.rrn.fgov.be/ RRN ("rijksregistratienummer")] BTW here is [http://fr.wikipedia.org/wiki/Num%C3%A9ro_de_registre_national how it's constructed]: It is a total of 11 numbers of which the first 6 are your birthdate JJMMDD followed by three numbers to distinguish the people that were born on the same day (even for men, uneven for women) and the last two numbers are a control number. So if you know the birthdate and the sex of the person, and you know how the control sum is done (97-JJMMDDXXX%97), you only miss two and a half numbers coming from a linear incremental counter (001, 003,...) to recompile his national register number. For mine it takes less than 40 attempts it you proceed logically...
* [http://minfin.fgov.be/taxonweb/ Tax-on-web] announce it but what about the others and your mail correspondants? ''Suite à l'utilisation de votre moyen d'authentification (carte d'identité électronique ou token citoyen), le SPF Finances a connaissance de votre numéro de registre national. Conformément à l'arrêté royal du 25/04/1986 autorisant certaines autorités du Ministère des Finances à utiliser le numéro d'identification du registre national des personnes physiques, votre numéro de registre national n'est utilisé dans ce contexte qu'à des fins d'identification pour l'accès aux applications du SPF Finances. La loi du 8 décembre 1992 relative à la protection de la vie privée à l'égard des traitements de données à caractère personnel s'applique à ce traitement d'identification dont le responsable est le SPF Finances, Boulevard Albert II, 33 à 1030 Bruxelles.''
* Other "funny" facts: Belgium government doesn't bother about cross-certification with any common Root CA so when you want to visit an official site supposedly secured such as https://ccff02.minfin.fgov.be/CCFF_Authentication/choseLoginMethod.do or https://mijndossier.rrn.fgov.be you're kindly asked to blindly trust the certificate, years after phishing was invented, sigh...
* And even "better": for Firefox, [http://www.certipost.be/dpsolutions/en/e-signing-faq.html CertiPost e-Signing] requires you to download and install their CA certificate and to trust it for identifying everything: web sites, mail users and software! Here the download of the CA certificate is done... on pure http, sigh...
* [https://www.cosic.esat.kuleuven.be/adapid/ ADAPID project] is a consortium of researchers and industry representatives in Flanders decided to take action in an attempt to help avoid a national privacy calamity. After a first (non-public) report, the ADAPID project won the financial support of IWT-Flanders. ADAPID officially started July 1st, 2005 and will run until June 30th, 2009.
* Normally the third and definitive version of the eID should have been rolled out begin of this year (2008) but I've no idea what are the changes.
* [http://www.cirb.irisnet.be/site/fr/eid/ethicalid/index_htm Ethical-ID] is a software which presents to the e.g. swimming pool employee the only relevant data e.g. the residence city.

==My attempts under Linux==
I'm using the [[IDream ID-SMID01 SmartCard reader]], bought for 10€

Installing beidgui and dependencies:
apt-get install beidgui beid-tools
=> libopenct1 libpcsclite1 libbeidlibopensc2 libbeid2 beid-tools beidgui libccid pcscd
less /usr/share/doc/libbeidlibopensc2/README.Debian

The GUI application works well, including OCSP communication, showing me that my eID certificates are revoked, excellent!

UPDATE: There is a version 2.6.0-3 available in unstable
apt-get install -t unstable beidgui beid-tools

There are 2 daemons provided with beid-tools:
* beidcrld Automatic CRL download
* beidpcscd The privacy filter monitors all commands sent to the card. When an application requests to read the identity data, address or photo from the eID card, the filter will display a message and ask the user's consent

===Exploring===
pkcs15-tool --dump
pkcs15-tool --read-certificate 02 > my_auth.crt
pkcs15-tool --read-certificate 03 > my_sign.crt
pkcs15-tool --read-certificate 04 > belgium.crt
pkcs15-tool --read-certificate 06 >> belgium.crt
openssl x509 -in my_auth.crt -text
pkcs15-tool --read-ssh-key 2
# For a little demo...
beid-pkcs11-tool --slot 0 --login --test
There are 2 daemons but their usage is still unclear to me as everythingn works (or not) with or without those daemons.
* beidcrld, about keeping CRLs up-to-date?
* beidpcscd, ?, it's listening on port tcp 2500 and beidcrld, firefox-bin and icedove-bin are constantly speaking with it...

===Firefox security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Visit file:///usr/share/beid/beid-pkcs11-register.html to install the service

Now what?...
 cf http://eid.belgium.be/fr_BE/fed_ict/imported_content_eid/pdf/eID-FR-Firefox.pdf
 You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

You can then connect to federal sites like [http://minfin.fgov.be/taxonweb/ Tax-on-web] or the [https://mondossier.rrn.fgov.be RRN], being identified by your card & PIN.
 Note that it works only if I start Firefox after having the eID in place in the reader.
 Note that I didn't get much further, being redirected to e.g.
this nonexistent page but the title speaks for itself ;-) https://mondossier.rrn.fgov.be/CertificateRevoked.html

===Thunderbird security module===
To add the security module to Firefox:
apt-get install libbeid2-dev libbeidlibopensc2-dev
Menu preferences->advanced->certificates->security devices->load
Module name: Belgium Identity Card PKCS#11
Module filename: /usr/lib/libbeidpkcs11.so

You can see your certificate in Preferences -> Advanced -> Encryption -> View Certificates and you can trust the Belgium Root CA under the "Authorities" tab for e.g. "identifying mail users"

Try to sign a first mail:
 Menu S-MIME -> Digitally sign this message -> setup certificate -> digital signing -> select your BELPIC auth certif

I could successfully sign (with my PIN) and verify an email but only with the Authentication certificate, not the Signature certificate
 According to the snapshots of the official guide of the eID for Outlook, it's ok, the Authentication certificate must be used, the other being reserved for legal signatures.
 UPDATE: Well now that I saw that Wouter could sign with the signature certificate I tried again and indeed it works.

One difficulty is that the certificate is not bound to an email address so the email client tells you sth like it's validly signed but no idea if the certificate owner corresponds to the sender email address.

===Signing with pkcs15-crypt===
From https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#using_opensc_smartcards_to_sign

Signing text and extracting the public certificate:
fortune > data.txt
openssl sha1 -binary data.txt > data.sha1
pkcs15-crypt --key 2 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
pkcs15-tool --read-certificate 02 > my_auth.crt

Verifying the signature:
openssl x509 -in my_auth.crt -pubkey -noout > my_auth.pem
openssl dgst -sha1 -verify my_auth.pem -signature data.auth.sig data.txt

I tried to do the same with the signature certificate instead of the authentication certificate but I get an error:
pkcs15-crypt --key 3 --sign --pkcs1 --sha-1 --input data.sha1 --output data.auth.sig
[pkcs15-crypt] sec.c:67:sc_set_security_env: returning with: Not supported
[pkcs15-crypt] pkcs15-sec.c:267:sc_pkcs15_compute_signature: sc_set_security_env() failed: Not supported
Compute signature failed: Not supported
Indeed signing with the signature certificate and without a GUI showing a warning about the legal implication is forbidden.

===Signing with GpgSM===
GpgSM is to X.509 what GnuPG is to OpenPGP, cf http://gnupg.org/aegypten/tech.en.html

apt-get install gpgsm dirmngr gnupg-agent pinentry-qt

~/.gnupg/gpg-agent.conf:
no-grab
default-cache-ttl 1800
ignore-cache-for-signing
allow-mark-trusted

~/.bash_profile: (appending this stuff)
# preparing gpg-agent:
if test -f $HOME/.gpg-agent-info && kill -0 `cut -d: -f 2 $HOME/.gpg-agent-info` 2>/dev/null; then
GPG_AGENT_INFO=`cat $HOME/.gpg-agent-info`
export GPG_AGENT_INFO
else
eval `gpg-agent --daemon`
echo $GPG_AGENT_INFO >$HOME/.gpg-agent-info
fi

~/.gnupg/scdaemon.conf: (we disable internal CCID support as only libccid supports more or less my crappy reader)
disable-ccid
debug-level none

~/.gnupg/gpgsm.conf:
debug-level none

Acquiring the certificates:
$ gpgsm --learn-card
Actually I had to run it several times, the first time only the Belgium CA was extracted, then the Citizen CA and finally the 2 personal certificates. And the behavior is not really reproductible so you've to run it till you've the 4 certificates:
$ gpgsm --list-keys
/home/phil/.gnupg/pubring.kbx
-----------------------------
Subject: /CN=Belgium Root CA/C=BE
[...]
Subject: /CN=Citizen CA/C=BE/SerialNumber=200507
[...]
Subject: /CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...
[...]
Subject: /CN=Philippe Teuwen (Signature)/C=BE/SerialNumber=...
To sign sth:
$ gpgsm --sign mail.txt
Then I get prompted to trust Belgium CA and gpgsm fails "error creating signature: Certificat révoqué <GpgSM>", normal.
 During trusting the Belgium CA, it created automatically a .gnupg/trustlist.txt with
# CN=Belgium Root CA,C=BE
DF:DF:AC:89:47:BD:F7:52:64:A9:23:3A:C1:0E:E3:D1:28:33:DA:CC S

Ok let's try again without the CRLs check:
$ gpgsm --disable-crl-checks --armor --sign --output mail.txt.smime mail.txt
[...]
gpgsm: signature created
I was prompted for my PIN during the process.

And trying to verify, with CRLs:
$ gpgsm --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: note: non-critical certificate policy not allowed
dirmngr[8994]: error opening `/home/phil/.gnupg/dirmngr_ldapservers.conf': Aucun fichier ou répertoire de ce type
dirmngr[8994]: permanently loaded certificates: 0
dirmngr[8994]: runtime cached certificates: 0
dirmngr[8994]: command ISVALID failed: Certificat révoqué
gpgsm: certificate #100000000000E144CBC42E9BB2453EE4/2.5.4.5=#323030353037,CN=Citizen CA,C=BE
gpgsm: certificate has been revoked
gpgsm: invalid certification chain: Certificat révoqué
And without CRLs:
$ gpgsm --disable-crl-checks --verify --output mail.txt mail.txt.smime
gpgsm: Signature made 2008-02-06 21:42:40 using certificate ID 0x80211056
gpgsm: CRLs not checked due to --disable-crl-checks option
gpgsm: Good signature from "/CN=Philippe Teuwen (Authentication)/C=BE/SerialNumber=...

===e-Signing plugin for Firefox===
* pure curiosity...
* cf http://www.certipost.be/dpsolutions/en/e-signing-faq.html
* the plugin is signed so you've to install the CA certificate of Certipost first and, cf above in my "funny facts", for Firefox, you've to download and... trust it. The certificate is apparently no longer (broken link) and I could not find it in their search tool, the only thing I could find is [http://64.233.183.104/search?q=cache:vzHK3UKTuiMJ:www.certipost.be/en/certificates/PrimaryNormalisedCA/certificate_pem.cer+PrimaryNormalisedCA&hl=fr&ct=clnk&cd=3&gl=fr a copy of the pem version in Google cache(!)] but that was good enough to be able to install the plugin.
* Moreover [https://connect.e-signing.be/app/en/create the form to sign] wants to directly execute some jar file but under an SSL connection signed by... the so-hard-to-get Certipost CA certificate, itself signed by GTE CyberTrust Global Root, an authority built-in in the browsers.
* You've [https://www.certipost.be/webshop/ to pay] to be able to sign with your eID non-repudiation signature to have a valid ''Qualified Electronic Signature with long term value''
* [http://www.certipost.be/dpsolutions/images/stories/e-signing/right/technical_measures_en.pdf There are some explanations] of the additional services provided by CertiPost: ''The applied XAdES-X-L is an XML signature format according to the recognized XAdES standard (ETSI TS 101 903 standard) that implements measures to satisfy the legal requirements for advanced electronic signatures as defined in the European Directive (EC 1999/93: European Community (EC) DIRECTIVE 1999/93/EC OF THE EUROPEAN PARLIAMENT AND COUNCIL ON A COMMUNITY FRAMEWORK FOR ELECTRONIC SIGNATURES) and for long term non-repudiation. Next to the electronic signature itself, the XAdES-X-Lfile contains the certificate that was used during the signature, the information to proof whether the certificate was valid when signing, and a time stamp to proof that all information used for signing existed and not altered since. Moreover CertiPost keeps a copy of the signed information.
* Timestamps & storage look like additional features, not mandated by the law, so can I create a ''Qualified Electronic Signature with long term value'' out of the CertiPost context, so just a plain x509 signature?

===SSH===
Inspired from http://simi.be/?page_id=9

Getting the patch from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=355274 and porting it to v4.7p1
 Some rejs easy to solve from v4.2 to v4.7 and one less obvious change in debian/control: fix the debconf dependancies (was ${debconf:Depends} I think):
Package: openssh-client-sc
Architecture: any
Depends: ${shlibs:Depends}, debconf (>= 1.2.0) | debconf-2.0,...
 I recompile ssh with smartcard support.
apt-get source openssh-client
cd openssh-4.7p1
patch -p1 < ../mypatch
dpkg-buildpackage -uc -us -rfakeroot
Sending my public key to the ssh server:
pkcs15-tool --read-ssh-key 2 |tail -n1|ssh user@host 'cat - >> ~/.ssh/authorized_keys'
Then logging, being prompted for my PIN:
ssh -I 0 user@host.com
===OpenID===
cf [[OpenID]] and [[OpenID-eID]] where I'm hacking phpMyID to make my own

===TODO: Login===
I tried https://securehomes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi/Main/UsingOpenscTOC#logging_in_with_smartcards
but with the eID.
apt-get install libpam-p11
See file:///usr/share/doc/libpam-p11/QuickStart.html
 Bad side: it conflicts with xlockmore :-(

openssh way:
 Preparing the account with .ssh/authorized_keys, cf SSH auth on this page
 Edit /etc/pam.d/login and add before "@include common-auth" sth like:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
/var/log/auth.log tells: no certificates found
or
auth sufficient pam_p11_openssh.so /usr/lib/libbeidpkcs11.so
/var/log/auth.log tells: fatal: pkcs11_sign failed
 before I was even prompted for my PIN

opensc way: same results
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth sufficient pam_p11_opensc.so /usr/lib/libbeidpkcs11.so
preparing the account:
mkdir ~/.eid
chmod 0755 ~/.eid
pkcs15-tool -r 2 > ~/.eid/authorized_certificates
chmod 0644 ~/.eid/authorized_certificates

So I still couldn't find a way.

===TODO: SSL Auth===
http://blog.eikke.com/index.php/ikke/2007/10/29/using_your_belgian_eid_for_ssl_authentic

apt-get install libengine-pkcs11-openssl

To generate a request, open a console and launch openssl. Once at the OpenSSL prompt, issue these 2 commands:
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
Adjust paths if necessary, of course. This loads the pkcs11 engine inside OpenSSL.
req -engine pkcs11 -new -days 100 -key id_02 -keyform engine -out myrequest.csr -subj "/C=BE/ST=O-VL/O=My Organisation/CN=My Name/emailAddress=my@email.tld"
Adjust the days, out and subj parameters, at least. The key ID can be found using
pkcs15-tool -c
Use the ID of the Authentication X509 certificate.

===TODO: Apache SSL Reverse Proxy===
cf http://www.belgium.be/zip/eid_authentication_proxy_fr.html
===TODO: OpenGPG & x509===
Old dream is to sign an OpenPGP key with the eID, but even if technically possible, it probably breaks the validation chain as what Citizen CA signed was the entire certificate, not just the key/uid.
 Sth to check: [http://www.imc.org/ietf-openpgp/mail-archive/msg09930.html OpenPGP Signatures Incorporating X.509 Certificates]
 The solution is apparently to extend OpenGPG to allow special signatures on UIDs with sub-packets containing the entire certificate, the UID being build from the DN fields of the certificate (CN, EMAIL,...)
 Apparently PGP supports it already?

===TODO: OpenVPN Auth===
http://christophe.vandeplas.com/2008/02/03/openvpn-belgian-eid
 But Debian openvpn 2.1_cr4 doesn't support yet --show-pkcs11-ids
===TODO: Other tools===
* [http://sourceforge.net/projects/opensignature OpenSignature] for Italia
* [http://openportalguard.sourceforge.net/ Open Portal Guard] for e.g. public administrations