Cryptography Reference
In-Depth Information
Citizen CAs. These CAs issue certificates to card holders and are responsible
for signing the eID card authentication and non-repudiation verification key
certificates. Citizen CAs have a 2048-bit RSA verification key signed by the
Belgium Root CA.
Card Admin CA. This CA issues certificates to organisations carrying out
administrative operation of the eID card scheme, such as those managing
address changes and key pair generation. The Card Admin CA has a 2048-bit
RSA verification key signed by the Belgium Root CA.
Government CA. This CA issues certificates to government organisations and web
servers, including the NR. The Government CA has a 2048-bit RSA verification
key signed by the Belgium Root CA.
Each eID card stores five certificates:
1. the Belgium Root CA certificate;
2. the Citizen CA certificate for the Citizen CA that issued the eID card's certificates;
3. the eID card authentication verification key certificate;
4. the eID card non-repudiation verification key certificate;
5. the NR certificate.
All eID card scheme certificates are X.509 Version 3 certificates (see Section 11.1.2).
The card holder non-repudiation verification key certificate must, in addition, be
a qualified certificate, which means that it satisfies further conditions, including
that the precise identity of the certificate holder has been established. A certificate
is required under European law to be qualified if any digital signatures produced
using the corresponding signature key are to be legally binding.
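The hierarchy and the five stored certificates described above, modelled as an added example (not code from the book or from the eID scheme). It follows issuer names only and performs no signature verification; the record fields and subject strings are constructed for illustration. It shows that the two card holder certificates chain to the Belgium Root CA from the card's contents alone, whereas the NR certificate, issued by the Government CA as the text states, needs a CA certificate that is not among the five.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    # Constructed stand-in for an X.509 v3 certificate: names only, no keys.
    subject: str
    issuer: str
    is_ca: bool = False
    qualified: bool = False

ROOT = Cert("Belgium Root CA", "Belgium Root CA", is_ca=True)   # self-signed anchor
CITIZEN = Cert("Citizen CA", "Belgium Root CA", is_ca=True)
GOVERNMENT = Cert("Government CA", "Belgium Root CA", is_ca=True)  # not on the card
AUTH = Cert("holder authentication", "Citizen CA")
NONREP = Cert("holder non-repudiation", "Citizen CA", qualified=True)
NR = Cert("NR", "Government CA")

# The five certificates the text lists as stored on each eID card.
CARD = [ROOT, CITIZEN, AUTH, NONREP, NR]

def build_path(leaf, pool, anchor):
    """Follow issuer names from leaf to anchor; None if a link is missing."""
    by_subject = {c.subject: c for c in pool}
    path, current = [leaf], leaf
    while current != anchor:
        parent = by_subject.get(current.issuer)
        # Reject unknown issuers, non-CA issuers and loops.
        if parent is None or not parent.is_ca or parent in path:
            return None
        path.append(parent)
        current = parent
    return [c.subject for c in path]

def check_card(card, extra=()):
    """Map each end-entity certificate on the card to its path, or None."""
    pool = list(card) + list(extra)
    return {c.subject: build_path(c, pool, ROOT) for c in card if not c.is_ca}

def policy_ok(card):
    """Exactly five certificates, and the non-repudiation one is qualified."""
    nonrep = [c for c in card if c.subject == "holder non-repudiation"]
    return len(card) == 5 and len(nonrep) == 1 and nonrep[0].qualified

if __name__ == "__main__":
    print(check_card(CARD))                      # NR path is None
    print(check_card(CARD, extra=[GOVERNMENT]))  # NR path completes
    print(policy_ok(CARD))
```

A real verifier would also check each signature, validity period and revocation status along the path; this sketch covers only the name chaining.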
eID CARD ISSUING PROCESS
The process of issuing an eID card is quite complex and involves several different
organisations. It serves as a good illustration of the intricacies of generating public-
key certificates, which we discussed in general terms in Section 11.2.2. The process
is indicated in Figure 12.14 and consists of the following steps:
1. Either after requesting, or being invited to apply for, an eID card, the eID
applicant attends a local government office. This office essentially acts as the
RA (see Section 11.2.2). The applicant presents a photograph to the RA, which
then verifies the personal details of the applicant and formally signs an eID card
request.
2. The eID card request is sent from the local government office to the card
personaliser (CP), and the NR is notified. The CP checks the eID card request.
For simplicity we will assume the existence of a single CP, who is responsible
for creating the physical aspects of the card and for inputting the relevant data
onto the chip on the card.
3. The CP creates a new eID card and generates the required key pairs on the card
itself. The CP then sends a request for certificates to the relevant Citizen CA via
the NR, who issues a certificate serial number for each certificate.
 