A Short Introduction to eID

Allikas: eid.eesti.ee

A Short Introduction to eID

Facilities for identification, authentication, and digital signing

In Estonia, the usage of eID is regulated by the Digital Signature Act[1] and the Identity Documents Act[2], on the basis of which the Estonian ID card is issued.[3]

ID card

The ID card (EstEID) is a mandatory document of personal identification that can be used for signing documents electronically (in the technical sense, giving a digital signature), for personal identification and for data encryption functions. There are two certificates in X.509 format saved on the ID card: 1) a certificate for digital personal identification and data signing and encryption; 2) a certificate for digital signing, enabling the cardholder to issue a digital signature.

An ID card issued before 1 January 2007 is valid for 10 years and the certificates on it are valid for 3 years. Upon expiration, certificates can be renewed without charge. On ID cards issued after 1 January 2007, the certificates are valid for as long as the card itself, i.e. 5 years, and there is no need to renew the certificates.[4]

There is also a personal data file on the card, which will be discussed in more detail in the Using the personal data file section. EstEID cards comply with the ISO/IEC 7816 standard. The latest EstEID standards, certificate profiles and specifications can be found on the id.ee webpage (in Estonian).

Digital certificate of identity

The digital certificate of identity or Digi-ID is a state digital document for personal identification in an electronic environment and for issuing a digital signature. Unlike the ID card, Digi-ID is not designed for visual personal identification; therefore, it does not carry a photo -– just the name, personal identification number and validity end date. Also, the personal data file is empty on a Digi-ID card, except for the document number field. Cryptographically, it is a smart card similar to the ID card. Therefore, when issuing a Digi-ID certificate, SK uses the same general principles, certification policy and certificate profile as with EstEID cards. For this reason, this guide also treats Digi-ID and the ID card as equal.

A digital certificate of identity and its certificates are issued for three years.[4]

While the issuing of an ID card can take up to a month, Digi-ID cards are issued within minutes from the service points of the Police and Border Guard Board.

Digital stamp

The digital stamp is a service that allows legal persons (e.g. companies) sign documents digitally. This confirms that the document comes from the company that has signed it (i.e. the digital document is confirmed by the institution, not an authorised physical person – people come and go; institutions remain) and that the document has not been changed in the interim. Signatures (also in large quantities) can be attached to invoices, payment orders, confirmations, certificates, bank statements (e.g. SEB bank offers an automatically digi-stamped bank statement), etc. When the service is ordered, SK will issue the company with a USB crypto-stick that has an X.509 certificate (the usage area will be determined by the name of the certificate) and, similarly to the digital signature, when the stamp is used, a container in DigiDOC format will be created that contains the signed data.

The issuing process and evidential value of the digital stamp are regulated by law (DSA[1]), certification policy (specific to the respective certification service, and more detailed) and more general certification principles.

Electronic residence card

An electronic residence card is issued in place of an ID card to foreigners residing in Estonia who are not citizens of the European Union, and it carries the data of the residence permit. In terms of available electronic services, the functionalities of the residence card and the ID card are the same. The residence card can also be used for digital personal identification and digital signing. The main difference is that the ID card issued to citizens of Estonia and the EU can be used as a travel document within the EU, while the residence card cannot be used for travelling outside of Estonia. Another difference is that the residence card also carries a contactless chip with the user's fingerprints and face image. An ID card does not have a contactless chip. As contactless chips are not used in this guide, the residence card and the ID card are treated as equal. A residence card is valid for up to 5 years, but not longer than the residence permit or right of residence issued to the person.

Mobile ID

Mobile ID is an electronic document of personal identification that can be used for electronic personal identification and digital signing with a mobile telephone, where the mobile phone with its SIM card functions simultaneously as the ID card and the card reader. For using a mobile ID, a special SIM card is required that enables the service, which can be obtained by signing a service contract with the mobile operator. The mobile ID will become usable after it has been activated in the electronic application environment of the Police and Border Guard Board, where the necessary certificates are requested. Unlike other documents, certificates of a mobile ID are not saved on the SIM card. Unlike the ID card, a mobile ID cannot be used for document encryption -- otherwise both DigiDocService and the mobile phone operator would see the decrypted data.[5]

A mobile ID issued after 1 February 2011 is a digital identification document that is issued according to the Identity Documents Act.[6]

The certificates of a mobile ID issued before 1 February 2011 are valid for 5 years. The certificates of a digital identity card in the form of a mobile ID that has been issued since 1 February 2011 are valid for 3 years. When the certificates expire, the SIM card has to be replaced.[4]

Security research conducted in 2008 showed that after the recommendations of the report have been fulfilled and additional risks are accepted, mobile ID can be used on an equal basis as an ID card.[7]

According to a formal analysis conducted in 2009, the protocol of mobile ID does have a few weak points and solutions have been offered that should be implemented quickly. However, the general conclusion is that the protocol is secure enough for continuous usage in the near future.[8]