- sign your emails digitally
- login to secure websites with your id card (bank, DMV, taxes, …). Sometimes you can only do it with the ID card
- they opened many of their tools, so you can design your website to allow login with Spain's ID cards (that was a fun project)
Even if not affected, it would be nice to hear an official comment.
I was discussing this with someone from Belgium and we agreed that silence from the Belgian government meant only one thing: nobody used the service. (Specifically: Belgian cards are the older Gemalto generation, thus not affected, like the older Estonian IDs.)
And I can't find any information about a security breach on Gemalto's website...
However, our minister of the interior "Robert Kalinak" announced that they should hack his if it's a real threat. The only thing which he didn't mention is that his public key isn't publicly available...
>760,000 ID cards will be blocked
>in country of 1.3 million
>I have no idea how I can declare monthly VAT numbers
It is bad but could be worse. People are signing up for MobileID and it is still possible to update ID cards by going to the office.
But poor people abroad. Basically, they will be cut off from all the services.
Although people are unhappy and annoyed, I think it is the right decision to close the ID cards. This can be recovered from. If they were compromised, the trust would be gone.
Pricing is here: https://www.sk.ee/en/services/pricelist/certificate-validati...
So it's not quite as simple as Google or Facebook OAuth. But the government does support the idea that if you want then add this as a login option to your forum for dogs or an e-store for sweaters.
The main value is still in the fact that the authentication gives you the ability to create legally binding contracts that get signed online.
Even if you don't sign up and whitelist your service, you can sign documents or verify other people's document signatures (either online or with a desktop client). There are usage quotas, though.
Validating the certificate the same way servers validate client certificates should be enough to verify it as a date/time-valid Estonian ID.
"Information System Authority (RIA) Director General Taimar Peterkop likewise confirmed that the threat assessment had changed after the research published by the Czech researchers on Monday revealed that the security flaw affecting Estonian ID cards is easier to exploit than previously believed."
Is "the research published by the Czech researchers" what you are referring to?
One interesting thing. As Gemalto was the first frontier, the stock market reacted quickly to them (-25%). However, the Infineon stock went in the other direction (+27%) since the vulnerability was discovered. OK, they are also 9 times larger and digital security is not their main market.
It was claimed that software for cracking the private keys has entered the black market, so they had to block the certificates earlier than expected.
The Estonian government is legally bound to applying such countermeasures as soon as there is reasonable doubt about the security of the system. It's pretty important that such things are encoded in law and are not up to whim.
Anyone with good programming skills can make the exploit in a matter of hours => it surely is somewhere on the black market.
Estonian ID card uses 2048 byte keys which means generating a private key from a public key takes 140.8 CPU years which is quite fast/trivial/cheap using a distributed approach (botnet, your already existing HW that you use for mining, etc.), considering the implications.
https://www.schneier.com/blog/archives/2017/09/security_flaw...
To clarify, 2048 bit RSA keys are fine. But the smartcard that generates these used a too predictable algorithm for generating the keys.
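As an added example (not from any commenter in this thread), here is the defender-side check that the Czech researchers' work (ROCA, Nemec et al. 2017) made possible: the flawed Infineon generator built its primes as k*M + (65537^a mod M) with M a product of small primes, so the modulus N = p*q reduced mod each small prime always lands in the subgroup generated by 65537. The script tests a modulus for that residue pattern; the "vulnerable" input is constructed with the same structure (its factors are not prime, so it is not a usable key) purely to exercise the check.

```python
# Added example: ROCA-style fingerprint check for an RSA modulus (pure stdlib).
# A modulus whose residues mod every small prime all lie in <65537> is, with
# overwhelming probability, from the predictable generator; a sound key fails
# this pattern at one of the first few primes.
from functools import reduce

# The 38 odd primes up to 167 used by the public ROCA detection fingerprint.
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup_of_65537(p):
    """Residues mod p reachable as 65537^k mod p (the cyclic subgroup)."""
    residues = set()
    x = 1
    while x not in residues:
        residues.add(x)
        x = (x * GENERATOR) % p
    return residues


SUBGROUPS = {p: subgroup_of_65537(p) for p in SMALL_PRIMES}


def is_roca_fingerprinted(n):
    """True if n mod p is in <65537> for every small prime p, i.e. the modulus
    shows the structure of the flawed generator. A random RSA modulus passes
    all 38 tests with probability around 2^-154, so a hit is a real signal."""
    return all(n % p in SUBGROUPS[p] for p in SMALL_PRIMES)


def make_fingerprinted_modulus(a, b, k1, k2):
    """Constructed test input only: reproduces the vulnerable residue pattern.
    The factors are not checked for primality, so N is not a usable RSA key."""
    M = reduce(lambda x, y: x * y, SMALL_PRIMES, 1)
    p = k1 * M + pow(GENERATOR, a, M)
    q = k2 * M + pow(GENERATOR, b, M)
    return p * q


if __name__ == "__main__":
    n_bad = make_fingerprinted_modulus(3, 5, 2**780 + 11, 2**780 + 29)
    print("constructed Infineon-style modulus flagged:", is_roca_fingerprinted(n_bad))
    # Shifting the modulus by 2 breaks the pattern (it becomes 0 mod 3).
    print("shifted modulus flagged:", is_roca_fingerprinted(n_bad + 2))
```

To screen a real certificate, extract the RSA modulus n with any X.509 library (for example, the `cryptography` package's public_numbers().n) and pass it to is_roca_fingerprinted; a True result means the key should be treated as affected and replaced.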
I have been trying every day to do so but constantly getting “server is overloaded” errors.