2. Quick background check
• Dealing with Estonian eID (1st generation) since 2003
• Involved with OpenID (“OpenID for Estonians, OpenID.ee”)
• Open source security/crypto/smart cards/identity software
• Maintainer/lead developer of OpenSC Project since 2010
• All opinions expressed are my own
3. Agenda
• What is OpenSC
• Problems observed from earth
• Why open source matters
• How OpenSC can help
9. OpenSC
• Open source software (middleware) for cryptographic smart cards
• Developed by an independent team of international volunteers
• Provides standard interfaces for software developers and applications to
access cryptographic capabilities of smart cards
• Standards are published or defined by the market
• Cross platform (Windows, Mac OS X, Linux/Unix)
• PKCS#11, CryptoAPI (minidriver), Tokend/CDSA
• PKCS#15 (ISO7816-15, IAS-ECC, PIV, EstEID, ...)
• Card personalization tools
• “OpenSC has become the de facto open source smartcard provider”
13. OpenSC supports*
• Estonian eID
• Finnish eID
• Spanish eID*
• Belgian eID
• Portuguese eID
• Italian eID
• IAS-ECC*
• PIV/CAC
• Latvian eID*
* Work in progress, or other buts or limitations
28. Initiation & execution
• Reduced platform availability
• Linux (read: non-Windows)
• YourFavoriteStrangeLinuxDistroOnStrongARM. Or Amiga.
• Licensing (OpenSC LGPL)
• Belgium
• Spain
• Portugal
• Latvia
• Commercial vs public interest. Cost
• Client software is complex and interwoven. Cost
• Keeping up with software changes is challenging
• 1st iteration tends to “fail”
36. Trust
• STOP ABUSING THIS WORD!
• Opaque systems call for tinfoil hats
• “How do I know that the software does not sign a transaction for 10000€?”
• Trust is essential for successful widespread adoption
• Does not always mean “cryptographically assured”
• Who will be the first to publish an on-card application?
• Ergo I’m no cloud believer
46. Sustainability
• Silos
• 27x same mistakes? Probably.
• eID is infrastructure. “Estache” (“Seto”) the Estonian Apache?
• University computer class = 27x “Elbonian card software”?
• (PKI smart cards) eID is no CSS or HTML5
• Niche market, requires specific skills
• Cost
• A plant only grows if you water it
53. Innovation
• Commodity vs niche product
• Easily available, interchangeable
• P2P vs platform
• SAML vs OpenID
• eID must be ubiquitous to succeed
• Make awkward uses easy to implement
• Does open source lead the innovation or jog behind the cool guys?
• Import vs export
• Fibonacci innovation?
54. How can OpenSC help?
• Grassroots community of specialists from different countries
• Share knowledge and experiences
• No politics. “Show me the solution that works”
• Joint lobby group to collaborate with other (open source) projects
• Get Firefox (close to 1/3 of the market) to fix their bugs
• A reference implementation
• Provide a common framework and platform for collaboration, interoperability
and innovation