 Even in Sweden there are three different systems that we use, so they are incompatible with each other and Europe is even worse, they are even more incompatibility and also unfortunately in Sweden all of them are provider and absolutely nothing more important than, for example, 64 bits platforms. We have three different EI systems in Sweden, FreeVin which is a free software project that involves the bank ID systems and solves these problems as well. This is a lot of exhaustive, there are much more differences in Europe, many of them are provider. We have a lot of work to do we could say. Okay, third bank ID, it can be a soft token and it can be a smart card. Unlike most other systems, most people don't use soft tokens for any kind of ID, we don't know that actually. There is also some work to use cell phones for authentication or use a SIM card that can work as an ID store. Okay, so FreeVin as the official software is provider, FreeVin is rewatching in Europe. It's been one year since the public release, quite unstable and alpha almost features are there but for example enrollment is not implemented yet. You can see soft tokens and smart cards and smart cards are worked down through an SD card that you can actually use anything as you can see it's allowable. Take the call information, FreeVin, we can see if that's something really special about that. We use security library, crypto library, we use OpenSSL, in the beginning we used NSS actually but we found that was too centric. It had a database oriented model where it's hard to use tokens that are separate from databases for example they are on a file or on a USB stick or something. So we designed it to work for OpenSSL instead. Of course we can see for what kind of support, what people thought. We also used FreeVin, it's a browser plugin, it may be used as a Netscape plugin, it's a really old API from Netscape. It works in pretty much all browser except in the store. So the way you get a signature from the Bankide software is really simple. So you send the account to here, you send a note value and from text you want to design it to the plugin and then you call the function on it and type confirmation window where you can see the message you want to find. And you can also get a password, you can select your token to use as well. So when this is done, you have an XML signature, you can see how this data here is going through. Also you have some extra information here about the domain name Manaiipadras, which is probably there. How does this work? I don't know, the domain name is probably there. I understand that I'm looking at attribution as well. Otherwise it's a difficult XML signature. So it gets chain and the biggest signature. Okay, and the output protocol, it's a bit more complicated, it's not that hard. Also based on standards, it's in its name, it says 10 and 7. So the difficult of standard wallbox, the protocol is itself called standardized. It gives some extensions to these protocols, they are not the true standard and that doesn't make it like the harder to implement in open S7 as well. So we need to create an ASM, it is quite technical, but we need to create an ASM, one object, special data. So the few difficulties. Of course it's a secret, proven call, we're watching it here. Of course, it still uses a lot of standards. You can see XML, PCG, V2T standard, usually standard PCS7 and so on. One problem here is that the server side software is not completely available. So testing your software and there are also, to make it even harder, there are also different implementations. So you'd better be completely, regenerate completely the same outputs and make everything 100% compatible. Also, of course, as we deal with legally binding signals, the only way to test things is to actually sign things that makes debugging fantastic a bit harder. Sometimes it's okay, there was a bug on the page when you register a new business and okay, that's obviously something that's hard to test yourself because you need to register by business. Oh, very business, that's what we have now. Also, as I told you, we use MSS initially. I don't know if we should be interrupting you, but I don't know. We say secret protocol, who controls that protocol? So this is, it's like a cooperation of the Swedish banks. They form an organization that goes and creates their own. I don't tell you? No. Even if you sign an MD? I don't know, I don't think so. They have their own clients, so they mostly control everything. Oh, yeah. Another very minor annoyance, this protocol is blocking JavaScript calls. That's a design in the protocol, and that means that when this sign dialogue appears, when you enter your PIM, your crossing window is frozen. That is a real ugly hack for that. This is something you really can't do anything about. If you're a future plugin developer, don't use blocking calls. Okay. We've talked about traffic security in general, traffic security software in general, how we should make it, what we should think about, and so on. Also, we might not just want to use it for electronic finance, because there are many other places. I mean, the technology you use in the bottom is, I mean, that's public technology. You generate signatures and so on, and that kind of work is used for other things. For example, an alternative to passwords, alternative to session IDs, which revamp things like bookie stealing, stolen password database of popular passwords. You generate actually things and so on. Of course, if this is just what you want, you can use TLS. If you use both authentication, you can use TLS as a cell saving. But then you don't get signatures. And why do we want to see the future? Probably you don't really know, but for example, you may want to store the signature. You want to prove to someone a third party that his agreement has been made. There's also a question of, could you see what you're assigning? So this is something that actually all EID protocols don't do. And I think all of them actually rely on the software and the computer, where the software displays a message. And that means that if the computer gets compromised, then it will change the message. It will replace the U2 string and just sign something else. And that is something that's really hard to do something about. But if you just display the message of U2 signing, we can probably just prevent some kinds of attacks, like in middle name and so on, probably to use as a cell in this case. It's still additional security because you don't have to deal with security holes in as a cell implementation as well. There's one more thing that you need is time stamping. This is because the signatures you have, they need to last for a very long time, typically it can be 10 years or it's typically mandated by some law somewhere. There are two. Time stamping means that you typically hash everything you're signing and it's your time stamping. And this means that if the crypto algorithm is behind the signature, if that is broken somehow, time later, then hash will prove that the signature was made when the crypto system was still not broken. It means that you can use your crypto and you can rely on your signature for a longer time. And there are two different approaches. One is more centralized one where you use the trust and trust party. You can also use something publishing your fascist essentially because it's in some place where you can verify that. And another problem that's not specific to signature generation is that it's a problem of a cell. There's no standard for doing enrollment. The generating key pair system is not analyzed at all. There are some vendor-specific approaches like key and tag in bypass and I think that from some JavaScript object or something that you can use to generate a key pair in a browser that is mostly or it's also analyzed in different approaches for each browser. This is something that is usually, of course, I think most of the AI systems actually have their own solution too. You also have the question of how do you protect privacy? In some cases you might not want to reveal your identity but you still want to be able to again turn outside. For example, you book something and then you want to maybe play around with it. In this case, you, of course, don't want to use normal AI. I don't have a good solution to this. But, okay, I know one that's a good solution. I think the solution is, again, different key pair each time. You have to use a sort of token. The hard part is you can't allow so many different tokens. What you would also want to be alone, if you created some new standard, you would want to only implement a layer between the website and the TPCS 11 interface. You don't want to use the TPCS 11. And that doesn't mean you can use software as well. Seeking a few formats are more than they are actually standardized. I think pretty much all of these, I'm not sure all of them, most of the ENTIs use XRs. Park ID is an exception. XLDC, on the other hand, XLDC is a successor to XRs. Okay, so here are some different existing software and also standard specifications that are in progress and they don't have implementations yet. For example, we have different EIDs, pre-built SVID software. We also have the WOS project, which is a better way to implement it yet. There is an implementation. Anders, do you have any comments? Anders, do you have any comments on the WOS project? On the WOS? Yes. It's something I started a few years ago. It's a suggestion for a signature in browse. Okay. A lot of signature in browser specification. There are some, just for reference, SSL here. So it's also a project called DPE, that's authentication only, but that's DPE. These can be used for finding as well if you'd examine it. And probably this is not exhaustive. So I think we were actually finished before time. I don't know. Pretty well. That's good, okay. So I made a tiny URL, this is a link to the free-threaded wiki. So links to different standards and different prod games and different related things. Okay. Okay. Thank you.