eID interoperability through open source software
Martin Paljak, OpenSC Project, www.opensc-project.org
Quick background check
• Dealing with Estonian eID (1st generation) since 2003
• Involved with OpenID (“OpenID for Estonians, OpenID.ee”)
• Open source security/crypto/smart cards/identity software
• Maintainer/lead developer of OpenSC Project since 2010
• All opinions expressed are my own
Agenda
• What is OpenSC
• Problems observed from earth
• Why open source matters
• How OpenSC can help
OpenSC
• Open source software (middleware) for cryptographic smart cards
• Developed by independent team of international volunteers
• Provides standard interfaces for software developers and applications to access cryptographic capabilities of smart cards
• Standards are published or defined by market
• Cross platform (Windows, Mac OS X, Linux/Unix)
• PKCS#11, CryptoAPI (minidriver), Tokend/CDSA
• PKCS#15 (ISO7816-15, IAS-ECC, PIV, EstEID, ...)
• Card personalization tools
• “OpenSC has become the defacto open source smartcard provider”
OpenSC enables applications!
• Firefox - HTTPS authentication
• Thunderbird - S/MIME signatures and encryption
• Google Chrome - HTTPS authentication
• E-voting - vote signing and authentication
• OpenSSH - authentication
• Safari - HTTPS authentication
• Mail.app - S/MIME signatures and encryption
• Outlook - S/MIME signatures and encryption
• Open(Libre)Office - digital signatures
• Internet Explorer - HTTPS authentication
• Adobe Acrobat - digital signatures
• OpenVPN - authentication
• Putty - authentication
• WinSCP - authentication
Real life applications, right now.
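As an added example (not from the talk or the OpenSC project), the script below shows what "OpenSSH - authentication" and "digital signatures" look like in practice when an application reaches the card through OpenSC's PKCS#11 module. It uses only stock OpenSC, OpenSSH and OpenSSL commands; the module search paths and the key/certificate object id are assumptions to adjust for your platform. The signature check at the end is done off-card with OpenSSL, so that the outcome does not rest on trusting the middleware alone.

```shell
#!/bin/sh
# Added example: use OpenSC's PKCS#11 module from OpenSSH and for a
# verifiable file signature.  Not part of the OpenSC project.
# Assumes OpenSC (pkcs11-tool, opensc-pkcs11.so), OpenSSH and OpenSSL.

# Candidate locations of the OpenSC PKCS#11 module (assumed defaults).
OPENSC_MODULE_CANDIDATES="/usr/lib/opensc-pkcs11.so \
/usr/lib64/opensc-pkcs11.so \
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
/usr/local/lib/opensc-pkcs11.so \
/Library/OpenSC/lib/opensc-pkcs11.so"

# find_module: print the first readable path from a space-separated list;
# print nothing and return 1 when none exists.
find_module() {
    for path in $1; do
        if [ -r "$path" ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done
    return 1
}

# list_card_objects: show the keys and certificates the card exposes.
list_card_objects() {
    pkcs11-tool --module "$1" --list-objects
}

# export_ssh_pubkey: print the card's public key(s) in authorized_keys
# format; append the output to ~/.ssh/authorized_keys on the server.
export_ssh_pubkey() {
    ssh-keygen -D "$1"
}

# ssh_with_card: log in with the on-card private key.  ssh prompts for the
# PIN; the private key never leaves the card.
ssh_with_card() {
    module=$1; shift
    ssh -I "$module" "$@"
}

# sign_and_verify: sign a file with the card (RSA key, object id KEY_ID,
# both assumed), then verify the signature off-card with OpenSSL using the
# public key taken from the matching certificate.
sign_and_verify() {
    module=$1; key_id=$2; input=$3
    pkcs11-tool --module "$module" --login --id "$key_id" \
        --sign --mechanism SHA256-RSA-PKCS \
        --input-file "$input" --output-file "$input.sig"
    pkcs11-tool --module "$module" --id "$key_id" \
        --read-object --type cert --output-file "$input.cert.der"
    openssl x509 -inform DER -in "$input.cert.der" -pubkey -noout \
        > "$input.pub.pem"
    openssl dgst -sha256 -verify "$input.pub.pem" \
        -signature "$input.sig" "$input"
}

# The hardware-touching steps run only on request, so the file can be
# sourced on a machine without a reader.
if [ "${OPENSC_DEMO:-0}" = "1" ]; then
    module=$(find_module "$OPENSC_MODULE_CANDIDATES") || {
        echo "OpenSC PKCS#11 module not found" >&2; exit 1; }
    list_card_objects "$module"
    export_ssh_pubkey "$module"
    # e.g. sign_and_verify "$module" 01 contract.txt
    # e.g. ssh_with_card "$module" user@host
fi
```

Run with `OPENSC_DEMO=1 sh opensc-demo.sh` on a machine with a reader and card; the `--id` value comes from the `--list-objects` listing.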
OpenSC supports*
• Estonian eID
• Finnish eID
• Spanish eID*
• Belgian eID
• Portuguese eID
• Italian eID
• IAS-ECC*
• PIV/CAC
• Latvian eID*
* work in progress, or with other caveats or limitations
Problems with eID software projects
• Initiation & execution
• Trust
• Sustainability
• Interoperability
• Innovation
Regulators endorse execution, incl. open source.
Initiation & execution
• Reduced platform availability
  • Linux (read: non-Windows)
  • YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.
• Licensing (OpenSC LGPL)
  • Belgium
  • Spain
  • Portugal
  • Latvia
• Commercial vs public interest. Cost
• Client software is complex and interwoven. Cost
• Keeping up with software changes is challenging
• 1st iteration tends to “fail”
Trust
• STOP ABUSING THIS WORD!
• Opaque systems call for tinfoil hats
• “How do I know that the software does not sign a transaction for 10000€?”
• Trust is essential for successful widespread adoption
• Does not always mean “cryptographically assured”
• Who will be the first to publish on-card application?
• Ergo I’m no cloud believer
Sustainability & Interoperability
Sustainability
• Silos
• 27x same mistakes? Probably.
• eID is infrastructure. “Estache” (“Seto”) the Estonian Apache?
• University computer class = 27x “Elbonian card software”?
• (PKI smart cards) eID is no CSS or HTML5
• Niche market, requires specific skills
• Cost
• A plant only grows if you water it
• Commodity vs niche product
• Easily available, interchangeable
• P2P vs platform
• SAML vs OpenID
• eID must be ubiquitous to succeed
• Make awkward uses easy to implement
• Does open source lead the innovation or jog behind the cool guys?
• Import vs export
• Fibonacci innovation?
How can OpenSC help?
• Grassroots community of specialists from different countries
• Share knowledge and experiences
• No politics. “Show me the solution that works”
• Joint lobby group to collaborate with other (open source) projects
• Make Firefox (close to 1/3 of the market) fix their bugs
• A reference implementation
• Provide a common framework and platform for collaboration, interoperability and innovation
Thank you!
Questions?
opensc-project.org
@MartinPaljak.net