eIDthe open source perspective Martin Paljak (maintainer of) OpenSC Project www.opensc-project.org
Agenda• Brief history of eID in Estonia• History of OpenSC• Why open source matters• What’s up next for OpenSC ?
eID in Estonia• Preparations from 1997, actions from 1999/2000 to issue PKI smart cards to every citizen• First cards issued in January 2002• “Probably the best beer eID in the world”• 1.1 Million cards, around 30% electronic users• Problem: no client software procured by government at ﬁrst
eID software in Estonia• Plan A: proprietary free (as beer) software for Windows, created by the (commercial) CA• A-Team: creates necessary software as open source (OpenSC, OpenSC.tokend, installers etc)• Plan B: (5 years later) government tender to legalize (?) and re-use the open source software (#1 failed, #2 failed, #3 ongoing...)
Happy 10th birthday, OpenSC!• Two Finns, Juha and Antti, wanted to write an open source PKCS#11 driver for FINeID (PKCS#15) cards• 2001/2002 ﬁrst posts on the opensc-devel mailing list• 0.4.0 released on 2001-12-29, contains a single, read-only driver
OpenSC in 2011• 0.12.1 released on 17.05.2011• ~30 card drivers• A reasonable PKCS#11 module• Mac OS X integration (TokenD)• Windows integration coming (MiniDriver)• Binary installers (Windows, Mac OS X)• Synthesized (non-PKCS#15) formats• Card personalization support
2001 to 2011• Got interested around summer 2003• Germans project: “Got ~2005, things to do ...” leave the took over in better Founding Finns• Early adopter of understandingOpenSC because “lack Belgium ditches from project”• Basically announced “soon stagnated or dead, if not already” by maintainer• “MUSCLE” practically dead, except for pcsc- lite+CCID• Maintenance “back in Nordic” (Estonia) since April 2010
Why OpenSC “won”?• A. Driver framework to support different cards • Compare: Linux; Evolution prefers heterogenous systems• B. Thrive to integrate with the environment • Apple is as good standard as Microsoft or RSA. % & $• C. Dedication to core values • Open source, open attitude, community-driven• “If your work is stolen, it has value”
Why open source eID?• PKI - I as Infrastructure • 27 EU silos? Spanish Apache, “Spache”?• Transparency • eID affects almost everyone, trust in system is required for adoption
Neat reasons• eID often implemented as JavaCard applets • +1 for ﬁrst published on-card applet. • “Fake eID applet” for badly written library copy machines & “free” copying• “What about my Commodore64 or Atari?” • Or Android, embedded ARM, ... ?
Neat anti-reasons• Open source makes attacks easier • Re-using branding, planting malware inside• Closed source allows for more competition from companies / possible technology export
Trends• First iteration often fails (technical or political or licensing issues)• SETEC ASTRONOMY fails • Don’t let government become Sony• Second round will be OSS anyway • Help others avoid the ﬁrst mistake
Internationalcollaboration beneﬁts• Applications (Firefox, OpenSSH, XXXOfﬁce etc) all done elsewhere, by “foreigners”. • OpenSC as the grassroots EU interest body and lobby group of open source software smart card support (Mozilla, Apple etc)• Smart cards and crypto a niche sector, difﬁcult to ﬁnd motivated and competent fresh blood.• Homogeneous systems are doomed by evolution and limited by kind.
IAS-ECC, STORK, ...• US: PIV/CAC• EU: IAS-ECC • Standards are nice but real life matters too• Cross-border eID-enabledto test” (x27) “Install Elbonian software services:• Grassroots collaboration andbetter services interoperability could create resulting before policymakers.• Reference implementation beneﬁts everyone
What lies ahead• OpenSC is far from an optimal or perfect solution • Old cruft, missing driver authors, lack of documentation, lack of courageous decisions (“structural reforms”), suboptimal design etc• Still it seems to have properties other projects don’t
OpenSC 0.12.2• To be released on 2011.06.10• Hopefully most of OpenDNIe code merged • “driver framework” is important• Bugﬁxes, cleanups, improvements• Automated tests, fast build iterations, infrastructure changes to support gradual project reform
Future of OpenSC• More cards, less drivers• Commodity (infrastructure) vs expensive gadget• New algorithms (Elliptic Curves)• Contactless world• Beyond conventional PKI crypto• COLLABORATION!