The Estonian Information System Authority (RIA) coordinates the development and administration of the state’s information system, organises activities related to information security, and handles the security incidents that occur in Estonian computer networks. RIA advises the providers of public services on how to manage their information systems in accordance with the requirements and monitors them. In addition, RIA is an implementing entity for the structural assistance of the European Union. RIA is a subdivision of the Estonian Ministry of Economic Affairs and Communications.

My role is architect of the electronic identity (inside the cybersecurity R&D department) and I'm responsible for "anything related to eID software and its incarnations in Estonia". I've also been/try to be active in the open source software field in the smart card space, ranging from pinpad smart card readers (libccid, pcsc-lite) to the de facto open source smart card middleware (OpenSC) to JavaCard and GlobalPlatform components and libraries.

I got a late notice about the workshop from our development contractor and thus don't have a detailed technical presentation to submit at this point in time, but to give a generic idea of what we are dealing with and what the input from our side to the discussion would be, I have a short "memo":

Subject: Web-based digital signatures in Estonia: past, present and future.

Estonia, a country of ~1.3 million, has one of the longest-running national eID programs in Europe, if not in the whole world. Started in 2002, there are currently ~1.2 million active cards; in total ~167 million signatures and several times more authentication transactions have been executed to date, and the trend is growing steadily. Beginning next year, non-residents will also have the possibility of applying for a digital ID and making use of the services, infrastructure and overall ecosystem available in Estonia and elsewhere in Europe.
The majority of the signatures are created in web-based environments (document portals, e-banking systems etc.). To enable this, Estonia has developed middleware for the smart-card-based system that, among other components, includes the necessary "plumbing" for interacting with smart cards from browsers. The middleware is available for all common desktop platforms (Windows, OSX, Linux/Unix) and supports most browsers (IE, Chrome, Safari, Firefox and derivatives) through browser plugins.

Due to the changing nature of the environment (browsers evolving rapidly and non-desktop, mobile platforms becoming widespread) and the overall move away from plugins for security and other reasons, we are actively following the efforts to develop JavaScript interfaces to platform and hardware token APIs, from the W3C as well as from platform vendors. In integrating the Estonian eID smart card with browsers and other software systems, we have so far been forced to deal reactively with changes and changing restrictions in the ecosystem. For a sustainable future we need to take a more proactive stance. Historically we have moved from a Java+native based approach to native plugins (for IE and NPAPI), and now that NPAPI is also being phased out and plugins in general are considered a threat rather than a feature, we need to adjust our plans again. Yet the global developments in this field (the secure-element API, the FIDO approach, the current Web Crypto work etc.) do not fulfil our requirements in security, user interface or other applicability cases. While some of the requirements and issues we are facing may not be universal, and our solutions may not translate directly into a standard, they are certainly not uncommon either.
Similar issues exist in several other European countries with similar eID schemes (Belgium, Spain, Portugal, Finland, Sweden, Latvia, Lithuania, Germany, to name a few), which has led to signature-plugin proliferation: plugins created by countries as well as by any bigger organisation that thinks it needs its own signature plugin as a matter of control. Our contribution is the set of philosophies and related requirements from the case study of implementing cross-platform smart card interfacing plugins, their API and their relation to platform plugins. We bring 10 years of hands-on knowledge of trying to bridge smart cards to the web. If there were a standards-based, widely implemented solution that would allow us to ditch the plugins, we would have adopted it already yesterday.

Some links:

http://id.ee/?lang=en&id=
https://www.ria.ee/en/?id=27307
https://www.eid-stork.eu/index.php?option=com_content&task=view&id=348&Itemid=69
http://www.economist.com/news/international/21605923-national-identity-scheme-goes-global-estonia-takes-plunge
https://github.com/open-eid/chrome-token-signing