Estonian identity card

The front and reverse of the current Estonian identity card

The Estonian identity card (Estonian: ID-kaart) is a mandatory identity document for citizens of Estonia. In addition to regular identification of a person, an ID-card can also be used for establishing one's identity in electronic environment and for giving one's digital signature. Within Europe (except Belarus, Russia, Turkey, and Ukraine) [1] as well as French overseas territories and Georgia, the Estonian ID Card can be used by the citizens of Estonia as a travel document.

The mandatory identity document of a citizen of the European Union is also an identity card, also known as an ID card. The Estonian ID Card can be used to cross the Estonian border, however Estonian authorities cannot guarantee that other EU member states will accept the card as a travel document.[2]

In addition to regular identification of a person, an ID-card can also be used for establishing one's identity in electronic environment and for giving one's digital signature. With the Estonian ID-card the citizen will receive personal @eesti.ee e-mail address, which is used by the state to send important information. In order to use the @eesti.ee e-mail address, the citizen have to forward it to his personal e-mail address using the State Portal eesti.ee.

In August 2017, a potential security threat was discovered. This threat could affect 750,000 ID and e-residency cards issued between 16 October 2014 and 26 October 2017.[3]

The relevant Estonian organisations responsible for the ID card have since released a patch in the form of a certificate update, and published a detailed walkthrough on https://www.id.ee to check if an update is required, and how to perform it.[4] The update can also be performed in the service offices of the Estonian Police and Border Guard Board. Online updating can be performed until 31 March 2018 (incl.), after which the certificates of affected cards will be invalidated. Thereafter, a new e-residency or ID-card must be applied for in order to use it electronically.[5]

On 2 November 2017, the Estonian government announced, that online updating of vulnerable ID-cards would be suspended to all users for between 3–5 November 2017 in favour of the country's officials and the 35,000 doctors, who use their cards most actively.[6]

This temporary suspension of updates to all users has since been lifted, so that owners of ID cards and e-residency cards can now update their certificates.

The Police and Border Guard Board (PPA) on 25 September 2018 introduced the newest version of Estonia's ID card, featuring additional security elements and a contactless interface, which will begin to be rolled out no later than next year. The new cards also utilise Estonia's own font and elements of its brand. One new detail is the inclusion of a QR code, which will make it easier to check the validity of the ID card. The new design also features a color photo of its bearer, which doubles as a security element and is made up of lines; looking at the card at an angle, another photo appears. The new ID cards, however, have contactless functionality built in. The new chip has a higher capacity, allowing us to add new applications to it. [7]

Scope

The Estonian ID cards are used in health care, electronic banking, signing contracts, public transit, encrypting email and voting. Estonia offers over 600 e-services to citizens and 2400 to businesses.[8] The card's chip stores digitised data about the authorised user, most importantly: the user's full name, gender, national identification number, and cryptographic keys and public key certificates.

Categories of Estonian identity cards

Categories of Estonian identity cards since 3 September 2007
type front back
Estonian citizen
EU/EEA citizen
EU/EEA family permit holder
long-term residence permit holder
temporary residence permit holder

Cryptographic use

The card's chip stores a key pair, allowing users to cryptographically sign digital documents based on principles of public key cryptography using DigiDoc. While it is possible also to encrypt documents using the card-holder's public key, this is used only infrequently, as such documents would become unreadable if the card were lost or destroyed.

By 27 May 2014, 160,809,440 electronic signatures were given, thus averaging to 10 signatures per card user per year.[9]

Under Estonian law, since 15 December 2000 the cryptographic signature is legally equivalent to a manual signature.[10]

Uses for identification

The card's compatibility with standard X.509 infrastructure has made it a convenient means of identification for use of web-based government services in Estonia (see e-Government). All major banks, many financial and other web services support ID-card based authentication.

Web discussion forums

Web commentary columns of some Estonian newspapers, most notably Eesti Päevaleht, used to support ID-card based authentication for comments. This approach caused some controversy in the internet community.[11]

Public transport

Larger cities in Estonia, such as Tallinn and Tartu, have arrangements making it possible for residents to purchase "virtual" transportation tickets linked to their ID cards.

Period tickets can be bought online via electronic bank transfer, by SMS, or at public kiosks. This process usually takes less than a few minutes and the ticket is instantly active from the moment of purchase.

Customers also have the option of requesting e-mail or SMS notification alerting them when the ticket is about to expire, or of setting up automatic renewal through internet banking services.

To use the virtual ticket, customers must carry their ID card with them whenever they use public transport. During a routine ticket check, users are asked to present their ID card, which is then inserted into a special device. This device then confirms that the user holds a valid ticket, and also warns if the ticket is about to expire. The ticket check usually takes less than a second.

Ticket information is stored in a central database, not on the ID card itself. Thus, to order a ticket, it is not necessary to have an ID-card reader. Ticket controllers have access to a local archive of the master database. If the ticket was purchased after the local archive was updated, the ticket device is able to confirm the ticket from the master database over GSM data link.

Electronic voting

The Estonian ID card is also used for authentication in Estonia's ambitious Internet-based voting programme.

In February 2007, Estonia was the first country in the world to institute electronic voting for parliamentary elections. Over 30,000 voters participated in the country's e-election.[12] In the Parliamentary election of 2011 140,846 votes were cast electronically representing 24% of total votes.[13]

The software used in this process is available for Microsoft Windows, Mac OS X and Linux.

Use as a travel document

Since Estonia's accession to the European Union (EU) in 2004, Estonian citizens who possess an Estonian identity card have been able to use it as an international travel document, in lieu of a passport, for travel within Europe (except Belarus, Kosovo, Russia, and Ukraine) as well as French overseas territories, Georgia and Turkey.

However, non-Estonian citizens resident in Estonia are unable to use their Estonian identity cards as an international travel document, except that EU/EEA citizens can use cards issued since 3 September 2007 for traveling inside the Schengen Area.

Security issues

Weak key vulnerability

In October 2017, it was reported that a code library developed by Infineon, which had been in widespread use in security products such as smartcards and TPMs, had a flaw (later dubbed the ROCA vulnerability) that allowed private keys to be inferred from public keys.[14] As a result, all systems depending upon the privacy of such keys were vulnerable to compromise, such as identity theft or spoofing.[14] Affected systems include 750,000 Estonian national ID cards,[14] and Estonian e-residency cards.

On 2 November 2017 the Estonian prime minister Jüri Ratas announced, that due to 'imminent risk' of attack, the authorities are to temporarily disable the certificates of affected ID cards at 00:00, 4 November 2017. According to government officials, the existing infrastructure is incapable of updating the certificates of this large amount of affected cards before the deadline. Priority updates are to be supplied between 3–5 November to government employees and 35,000 medical staff.[15]

See also

References

  1. "Validity of ID Card". North Cyprus.
  2. "Estonian ID Card Information by Estonian Police and Border Guard Board". Police_and_Border_Guard_Board.
  3. "Possible security risk affects 750,000 Estonian ID-cards". Estonian World. Retrieved 2017-09-17.
  4. "Check whether your document certificates need to be updated". Renewal of Certificates. PPA. Retrieved 2017-11-02.
  5. Pulver, Andres (2017-11-01). "ID-kaardi sertifikaatide uuendaja peab arvestama järjekorraga" [The renewer of ID-card certificates must take queueing into account]. Virumaa Teataja (in Estonian). Postimees. Retrieved 2017-11-02.
  6. Olup, Nele-Mai; Pau, Aivar (2017-11-02). "Blogi ja fotod: valitsus otsustas e-riigist välja lõigata enam kui pooled ID-kaardid" [The government decided to cut off more than half of ID-cards from the e-state] (in Estonian). Postimees. Retrieved 2017-11-03.
  7. "New Estonian ID Card 2019". ERR. Retrieved 2018-10-01.
  8. Economist Magazine, Estonia takes the plung https://www.economist.com/news/international/21605923-national-identity-scheme-goes-global-estonia-takes-plunge
  9. Estonian ID-card
  10. Elektrooniline Riigi Teataja: Digitaalallkirja seadus (this version valid from 8 January 2004 up to 31 December 2007)
  11. PRIIT HÕBEMÄGI: Anonüümsete kommentaaride lõpetamise kommentaarid
  12. "Archived copy". Archived from the original on 2012-03-01. Retrieved 2012-12-09. idBlog - The number of electronic voters tripled
  13. http://www.vvk.ee/riigikogu-valimised-2011/statistika-2011/e-haaletamise-statistika/
  14. 1 2 3 Goodin, Dan (16 October 2017). "Millions of high-security crypto keys crippled by newly discovered flaw". Ars Technica. Retrieved 16 October 2017.
  15. Jõevere, Kristjan; Helme, Kristi (2 November 2017). "BLOGI ja FOTOD: Turvariskiga ID-kaartide sertifikaadid peatatakse alates homme õhtust" [The certificates of vulnerable ID-cards will be stopped from tomorrow evening]. Delfi.ee (in Estonian). Ekspress Grupp. Retrieved 3 November 2017.
This article is issued from Wikipedia. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.