We had a group discussion today afternoon. This is the summery of outcomes.
Discussion Topics:
- Information is contained in the eID card
- Problems identified
- Lost cards
- Forget passkeys
- What next?
eID will be based on Public Key Infrastructure (PKI) and certificates. In addition to any technical data, the card will contain the Certification Authority certificates and the card-holder’s identification(public) and signature(private) certificates.
One option about personal data that would be included in the card-holder’s certificates are first name, family name and a unique electronic identifier. The electronic identifier is a serial number that does not tell anything about its holder, unlike the identity card number. If the card-holder has notified that his or her e-mail address is to be inserted in the certificate when filing the card application, it could also be a part of the information content of the certificate.
On the other hand, as we are having a physical/printed interface on the card, there is the question why not we store the holder’s personal information like identity card number, home address, date of birth or other similar information on the card. But we have to decide on this as how secure this could be and how this could be used in different modes of operations.
Also we thought of two key based security to secure the data in the card. One is the PIN code which could be used to decrypt the encrypted portion of data on the card, which could include private key and any other information with similar privacy requirement. Then we could have another PUK code, which would be the pass phrase that is needed for signing with the private key. But again we have a problem of complexity where remembering two keys might be difficult.
One more problem we identified at todays discussion was about the problems on lost eID cards. The only option in that case would be to revoke the certificate pairs and to reissue with new ones. But this had a problem as we might not be able to recover any data that is already encrypted using the lost keys. The same also applies to forgetting the pass codes. We also have to think of a way to handle this problem.
We also have to submit the design document by next week, so we need to complete the design diagrams we have so far and need to formulate all in the correct format. We will be meeting tomorrow also as today and will be working on the preparation of the design document.
List of things we need to do:
- Find solutions to problems identified
- Think more on offline mode of operation, as I think we are not that sure on that
- Prepare design document