I’m still talking about the same thing, but I understand the nature of our misunderstanding now. You see eID as something you download and can share (but what kind of security would that provide?). I mean an online ID service, similar to the Dutch DigiD. I assume the EU eID is also something similar, although I have no personal experience with that.
An electronic identification (“eID”) is a digital solution for proof of identity of citizens or organizations. They can be used to view to access benefits or services provided by government authorities, banks or other companies, for mobile payments, etc. Apart from online authentication and login, many electronic identity services also give users the option to sign electronic documents with a digital signature.
The online authentication is the important part. The article also talks about physical cards with a chip, but I honestly don’t quite understand how that’s different from a regular chip in a passport.
When I have to access any government service, I get redirected to digID to log in, then redirected to the site I want to visit. This is very similar to other online authorisation schemes, except it’s tied to me official legal identity.
My proposal is to use this not just to log in to government sites, but to use it to provide any legally required online identification, tailored to the highest amount of privacy possible in that situation. So if a site needs to confirm you’re 18+, let that site ask the eID service for just your age, or even just whether you’re 18+ or not, log into the eID system, and the eID system sends confirmation of your age back to the site.
Note that “authentication and login” does not necessarily require network communication with a government service. In fact in Europe the eIDs (eIDAS) are digital documents that use cryptography to authenticate without the need of spending resources in a government-funded public API that could be vulnerable to DDOS attacks and would be requiring reliable internet connections for all digital authentication (which might not always be an online operation). The chips are just a secure way to store the digital document and lock under hardware the actual key, making it much harder for it to be copied/replicated, but they don’t require internet connection for making government-certified digital signatures with them that can be used in authentication, this is the same whether the service itself you are login into is online or offline.
In any case, in your example where actual network communication is used, it would still be possible for the government to track you regardless of proxies, because then they can store a log of the data & messages exchanged in the authentication.
They can either ask the sites to authenticate previously with the government for the use of the API (which would make sense to prevent DDOS and other abuse, for example), which would let them know immediately which site you were asking login for (in a much more direct way than with “documents”), or simply provide a token to the site as result of the user authentication (which is a common practice anyway, most authentication systems work through tokens) and later at any given time in the future ask the sites to provide back which tokens are linked to each account on the site (just like I was saying before with the “documents” example) so the government can map each token with each individual person and know which users of that site correspond to which individuals.
I’m still talking about the same thing, but I understand the nature of our misunderstanding now. You see eID as something you download and can share (but what kind of security would that provide?). I mean an online ID service, similar to the Dutch DigiD. I assume the EU eID is also something similar, although I have no personal experience with that.
The first paragraph on Wikipedia contains a good description of what I’m talking about: https://en.wikipedia.org/wiki/Electronic_identification
The online authentication is the important part. The article also talks about physical cards with a chip, but I honestly don’t quite understand how that’s different from a regular chip in a passport.
When I have to access any government service, I get redirected to digID to log in, then redirected to the site I want to visit. This is very similar to other online authorisation schemes, except it’s tied to me official legal identity.
My proposal is to use this not just to log in to government sites, but to use it to provide any legally required online identification, tailored to the highest amount of privacy possible in that situation. So if a site needs to confirm you’re 18+, let that site ask the eID service for just your age, or even just whether you’re 18+ or not, log into the eID system, and the eID system sends confirmation of your age back to the site.
Oh, I see the misunderstadning.
Note that “authentication and login” does not necessarily require network communication with a government service. In fact in Europe the eIDs (eIDAS) are digital documents that use cryptography to authenticate without the need of spending resources in a government-funded public API that could be vulnerable to DDOS attacks and would be requiring reliable internet connections for all digital authentication (which might not always be an online operation). The chips are just a secure way to store the digital document and lock under hardware the actual key, making it much harder for it to be copied/replicated, but they don’t require internet connection for making government-certified digital signatures with them that can be used in authentication, this is the same whether the service itself you are login into is online or offline.
In any case, in your example where actual network communication is used, it would still be possible for the government to track you regardless of proxies, because then they can store a log of the data & messages exchanged in the authentication.
They can either ask the sites to authenticate previously with the government for the use of the API (which would make sense to prevent DDOS and other abuse, for example), which would let them know immediately which site you were asking login for (in a much more direct way than with “documents”), or simply provide a token to the site as result of the user authentication (which is a common practice anyway, most authentication systems work through tokens) and later at any given time in the future ask the sites to provide back which tokens are linked to each account on the site (just like I was saying before with the “documents” example) so the government can map each token with each individual person and know which users of that site correspond to which individuals.