The German eID: Overengineered and Underperforming


The German eID: Overengineered and Underperforming

Anders Rundgren-2
http://www.gemalto.com/govt/inspired/eID-in-germany.html

I didn't get inspired at all :-(

Germans are known for making things "umständlich" and their take on eID certainly isn't an exception. Crippling technology and tons of lawyers seem like a true recipe for failure.

The BSI also managed to destroy the TPM (Trusted Platform Module) and make biometrics in passports unusable except entirely locally.

Anders

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: The German eID: Overengineered and Underperforming

Nikos Mavrogiannopoulos-2
On Mon, Jun 9, 2014 at 3:26 PM, Anders Rundgren
<[hidden email]> wrote:
> http://www.gemalto.com/govt/inspired/eID-in-germany.html
>
> I didn't get inspired at all :-(
> Germans are known for making things "umständlich" and their take on eID certainly isn't an exception. Crippling technology and tons of lawyers seem like a true recipe for failure.

I don't know what the uninspiring part of it is :) but I think the
main reason for the success or failure of such ID cards is the
applications that are available for them. I was impressed by the
Belgian cards, which one could use to log in to the tax office
site and to quickly provide your information to doctors etc.

> The BSI also managed to destroy the TPM (Trusted Platform Module)

Wouldn't that be a good thing? :)

> and make biometrics in passports unusable except entirely locally.

Not defending them, but as far as I remember from the IATA text they
were meant to be usable locally by the issuer. There are not many
reasons to provide all your biometric data to any foreign authority
that can read the passport.

regards,
Nikos


Re: The German eID: Overengineered and Underperforming

Frank Morgner
In reply to this post by Anders Rundgren-2
On Monday, June 09 at 03:26PM, Anders Rundgren wrote:
> http://www.gemalto.com/govt/inspired/eID-in-germany.html
>
> I didn't get inspired at all :-(
>
> Germans are known for making things "umständlich" and their take on eID certainly isn't an exception. Crippling technology and tons of lawyers seem like a true recipe for failure.

You take all this from a one-paper article? (Also have a look at who is
talking here: gemalto has a natural interest in an unsuccessful German
eID story as it produces competing eID solutions.)

> The BSI also managed to destroy the TPM (Trusted Platform Module) and make biometrics in passports unusable except entirely locally.

Actually, the opposite is true... eID (or biometrics if you will) is
done remotely.


Re: The German eID: Overengineered and Underperforming

Anders Rundgren-2
On 2014-06-09 23:50, Frank Morgner wrote:

> On Monday, June 09 at 03:26PM, Anders Rundgren wrote:
>> http://www.gemalto.com/govt/inspired/eID-in-germany.html
>>
>> I didn't get inspired at all :-(
>>
>> Germans are known for making things "umständlich" and their take on eID certainly isn't an exception. Crippling technology and tons of lawyers seem like a true recipe for failure.
>
> You take all this from a one-paper article? (Also have a look at who is
> talking here: gemalto has a natural interest in an unsuccessful German
> eID story as it produces competing eID solutions.)

No, I did not take it from the article alone.  I'm pretty sure that Germany's
eID program will prove to be the least useful on the market.  Other people have
attested that as well but I don't want to hang them out here.

Germany's take on e-invoices (must be signed by a person using QS) delayed
this market more than 10 years.  It has though been a veritable gold-mine
for security companies who are selling equipment holding 25 smart cards so
that a single person can sign multiple invoices in a speedy way.  To me that
is such a ridiculously broken idea it almost makes me laugh.

>
>> The BSI also managed to destroy the TPM (Trusted Platform Module) and make biometrics in passports unusable except entirely locally.
>
> Actually, the opposite is true... eID (or biometrics if you will) is
> done remotely.

Cross-border EAC is a nice theory.  As a practice it has proven to be [close to]
unimplementable, not to mention setting up border controls relying on it.

Anders


Re: The German eID: Overengineered and Underperforming

helpcrypto helpcrypto
Spain's national ID is also a BIG fail. Million € spent on something that simply doesn't work.

IIRC, less than 10% of use.
And the reasons, IMHO, are well-known: Need of Reader (although the gov gives away tons of them), Drivers (I can count on one hand how many people didn't have any trouble installing it) and Java (For God's sake: WEBCRYPTO!!!)

Now they are planning a resurrection, adding NFC to it.

News: governments are wasting our money!


Re: The German eID: Overengineered and Underperforming

Andreas Schwier (ML)
Having worked on the project quite actively, I have to admit that
Germans tend to overengineer things - but hey that's the price you pay
if you do things first time and want to get it right from the beginning.

The point is that users at large don't care about security and thus are
not interested in privacy. In a post-privacy era you don't need strong
and privacy preserving authentication. The few of us who understand the
concept and are willing to take the burden of installing a piece of
hardware and software don't resemble the necessary critical mass.

Unfortunately it needs the big guys, notably Google, Microsoft and
Apple, to get things off the ground. However they play at their own
agenda and don't really care about our privacy.

At least the mechanics of the German eID card and PKI are well crafted
and it may stay around long enough to become a success. And of course
there are other countries that plan or already introduced an eID based
on the German eID technology.

Those of you that want to understand the mechanics of it, I would
recommend to take a look at the open-sourced emulation available at [1].

Andreas


[1] http://www.openscdp.org/scripts/eID/index.html
