Archives for posts with tag: identity cards

Ideally, a relying party that needs to verify certain attributes of a user would do so all by itself. However, in the new German eID system there are currently 7 so-called eID service providers that handle this task on behalf of many relying parties. The Germans did this to allow service providers to quickly adopt the new eID system, because they can simply contract an eID service provider instead of implementing the functionality themselves. However, this creates a hotspot. For every user, the eID service provider sees all attributes verified for all the relying parties it services. The eID service provider is therefore in principle able to link a user to all the relying parties that user visits, together with the relevant attributes. This appears to be a serious privacy risk. Or is it?


I recently learnt that the new German identity card (or nPA, for neuer Personalausweis) has security, privacy and usability problems. This was brought to my attention during a number of discussions with experts, as well as a recent publication by a group of researchers from Fraunhofer SIT. The findings have been verified against the official documentation. The issues concern the eID application on the card that is to be used for authentication on the Internet (and not the electronic passport functionality that is also present on the same card).
