> If you are a citizen or a resident, you get an ID card to use for every public service. It's just a smart card with a government PKI.
This is the biggest flaw in the design. Tying the ID card to a single identity.
If you're using it with a bank, it needs to be tied to your bank account. If you're using it for physical access control at your company's building, it needs to be tied to your employee account. These are different things, and should be different things, for security.
You don't want a single system for everything. It makes the incentive to break it stronger, so it gets broken more often. It makes the consequences of it getting broken larger, so the damage when it happens multiplies. And it gets integrated into everything, so the amount of time it takes to roll out fixes increases. It's a security nightmare, and it gets polynomially worse the bigger the country is that tries to do it that way. (For reference, the GDP of Estonia is less than one third the revenue of Costco.)
No, it's solid design. It's a very simple safe primitive. You can build endless infrastructure on top of it. Similar to subkeys.
For example a lot of businesses use Smart-ID on top of that. You need to tie the smartid stuff to your PKI identity. But after that you can just use that as identity.
The flaw right now is that you guys believe that all online identity needs to be decoupled from the online identity. There are a couple of things you guys dismiss or don't think about:
1. Contrary to systems such as the German one, this identity system actually has a working upgrade and revocation path. The German one assumes that it's safe by design and that the identity is fixed. The German ID keys don't have a revocation system and they don't expire either.
2. The Baltic system has expiries on these private keys. They are authenticated against your physical government-issued ID, with background checks being done by the current existing police/Interpol infrastructure.
These private keys are not isolated from your identity. You receive them from government institutions that use the existing physical identity infrastructure.
The problem with people here is that they want the digital identity to be completely self-contained. I get that sentiment and I don't disagree with it, but it's a completely different goal from what is being solved here.
This solves - in a much better fashion - what a lot of "crypto" fanatics want governments to use.
> Contrary to systems such as the German one, this identity system actually has a working upgrade and revocation path.
Systems without this are even more broken, but this is hardly the main problem.
The problem is that with a system like this, if you can compromise one person, you can compromise them totally. You compromise every part of their life that uses this system instead of just one when it's isolated from the others.
And if you can compromise that system itself, even temporarily, you can compromise everyone that comprehensively at once. Everyone's health records, stolen. Bank accounts drained. Trade secrets published or sold to foreign competitors.
Canceling their credentials after the fact doesn't undo all the damage.
> These private keys are not isolated from your identity. You receive them from government institutions that use the existing physical identity infrastructure.
In most cases this is a liability rather than an asset. It's only useful if you for some reason need to prove your physical government identity, e.g. so you can vote. But those few things can use the same process you use to bootstrap into this identity system to begin with.
If all you want to do is sign into a website or acquire a book or a contraceptive or travel, having that tied to your government identity is bad.
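Added illustration (not from any commenter in this thread) of the "subkeys" claim a few replies up and of the total-compromise objection just above: a constructed root secret stands in for the card's key, per-service subkeys with expiry and revocation are derived from it, and the root is shown to remain the single point of failure. The HMAC-based derivation, the pseudonym scheme and the relying parties holding subkeys as shared secrets are all assumptions for illustration, not how any deployed ID system works.

```python
import hashlib
import hmac

# Constructed root secret standing in for the ID card's private key (illustration only).
ROOT_SECRET = hashlib.sha256(b"constructed root secret for illustration").digest()


def derive_subkey(root: bytes, service: str, epoch: int) -> bytes:
    """Per-service, per-epoch subkey derived from the root (HMAC used as a KDF)."""
    return hmac.new(root, f"subkey|{service}|{epoch}".encode(), hashlib.sha256).digest()


def respond(subkey: bytes, challenge: bytes) -> bytes:
    return hmac.new(subkey, challenge, hashlib.sha256).digest()


class RelyingParty:
    """A bank, clinic or employer; holds the subkey as a shared secret (illustration only)."""

    def __init__(self):
        self.enrolled = {}  # pseudonym -> (subkey, expires_at)
        self.revoked = set()

    def enroll(self, subkey: bytes, expires_at: int) -> str:
        pseudonym = hashlib.sha256(b"pseudonym|" + subkey).hexdigest()[:16]
        self.enrolled[pseudonym] = (subkey, expires_at)
        return pseudonym  # the party never sees the root, only this identifier

    def authenticate(self, pseudonym: str, challenge: bytes, response: bytes, now: int) -> bool:
        if pseudonym in self.revoked or pseudonym not in self.enrolled:
            return False
        subkey, expires_at = self.enrolled[pseudonym]
        if now >= expires_at:  # expiry enforced before the response is even checked
            return False
        return hmac.compare_digest(respond(subkey, challenge), response)


def demo() -> dict:
    """Which logins succeed as one subkey leaks, is revoked, expires, or the root leaks."""
    bank, clinic = RelyingParty(), RelyingParty()
    k_bank, k_clinic = derive_subkey(ROOT_SECRET, "bank", 2024), derive_subkey(ROOT_SECRET, "clinic", 2024)
    p_bank, p_clinic = bank.enroll(k_bank, 1000), clinic.enroll(k_clinic, 1000)
    c = b"constructed-nonce-42"
    out = {"unlinkable": p_bank != p_clinic and k_bank != k_clinic,
           "bank_ok": bank.authenticate(p_bank, c, respond(k_bank, c), now=500),
           # a stolen bank subkey buys nothing at the clinic
           "stolen_bank_key_at_clinic": clinic.authenticate(p_clinic, c, respond(k_bank, c), now=500)}
    bank.revoked.add(p_bank)  # revoke one subkey; the other service is untouched
    out["bank_after_revoke"] = bank.authenticate(p_bank, c, respond(k_bank, c), now=500)
    out["clinic_after_bank_revoke"] = clinic.authenticate(p_clinic, c, respond(k_clinic, c), now=500)
    out["clinic_expired"] = clinic.authenticate(p_clinic, c, respond(k_clinic, c), now=1000)
    # root compromise: an attacker re-derives every subkey, so every service falls at once
    out["root_leak_hits_clinic"] = clinic.authenticate(p_clinic, c, respond(derive_subkey(ROOT_SECRET, "clinic", 2024), c), now=500)
    return out
```

The per-service revocation and expiry answer the "working upgrade and revocation path" point; the last line is the objection above in code form, since the derived subkeys only compartmentalize relying parties from each other, not from a loss of the root.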
By public services, I meant the public services provided by the state. For instance, health insurance, family doctor application, taxes, etc.
Banks require your ID whether it's smart or not. But it's not for payment purposes but for authentication. And they are not state bodies, but private commercial entities. They are not part of the PKI ecosystem of the state.
> By public services, I meant the public services provided by the state. For instance, health insurance, family doctor application, taxes, etc.
It's not clear why any of these things should be tied together even when they're all provided by the government.
You may have to identify yourself to your employer for taxes, but why should they get the identity used for your healthcare when it isn't any of their business? All it does is create the potential for that to leak. Or vice versa. Your tax returns are none of the business of the doctor you asked out, so these things should not be tied together in any way.
And the only reason the bank wants your government identification is that they're required to by law. Otherwise banks would widely offer numbered accounts. Even then this should only require the identity used for taxes and not the one used for healthcare or military service or professional licensing, none of which is any business of the bank.