Let's get started. The first talk is by Wouter Verhelst about using the Belgian eID card in Debian. Thank you.

Finishing a few things, but I'll just do my bit here. You need to listen to me. Thank you.

Belgian ID cards. I'll start with a short history about what it is. We've had ID cards actually since during the war. The Germans gave us ID cards and we just didn't throw them away; we kept them. Of course they weren't electronic all the time, but it's been done in Belgium for quite some time. Everyone starting from the age of 12 has an ID card in Belgium, but they're not required to have it with them at all times yet. That is only true from the age of 15. There is extensive privacy law in Belgium that prevents some abuse, such as the fact that only the police are allowed to require me to hand over my ID card. Everybody else can ask, but I can tell them to screw themselves. So that prevents some abuse and makes sure that my privacy isn't entirely compromised by the fact that I have an ID card.

Electronic ID cards. We've had those since 2004, I think 2004, with a test phase a bit before that. They are smart cards. They are all based on open standards. It's not a totally open card, but the bits that matter are completely open. It contains all the data which was traditionally printed on ID cards, and there's some more stuff on it, such as certificates and crypto stuff like that. But it has some new privacy issues of its own, and I'm personally not very happy with that, but okay. In any case, those privacy issues are not really what this talk is about. This is more about the technical things which are interesting from a packaging point of view and for a user: how you can actually use these cards with Debian.

The card itself is some Java thing. I don't know what they exactly call it, but it uses some Java code on the smart card itself. And this Java code implements a subset of some standards, PKCS#15 and PKCS#11, which are standards on how you work with smart cards.
I believe PKCS#15 defines a file system and PKCS#11 defines cryptography, but I'm not entirely sure about that. In any case, these are relevant standards that are used on the card. I say a subset because, for instance, it's not possible to modify the data of your identity, which is fairly reasonable. It's also not possible to modify the certificates on the card, which is understandable, and given the background of the card also fairly reasonable.

It has some semi-weird PIN requirements. If you use the card and you want to sign something, you need to enter your PIN right before that. With other cards it's usually possible to log into the card and then sign several documents if you want. That is not possible with the eID card. The idea behind that was that if you sign something with the card, this can be a legally binding signature. You don't want someone to trick you into believing you signed a payment and then also sign a contract of a million euros or something. It's reasonable. That's why I call it semi-weird, but it's pretty weird in that not much software today understands this. Sometimes you can have issues with software which doesn't really know about that PIN requirement, and then if you do this too often they try to sign documents, which doesn't work, try it again, doesn't work, and then eventually your card will get blocked and you need to go to the city hall to get it unblocked again, which is something you need to look out for.

There are two certificates as well, one for authentication and one for signatures. The idea is that you can sign with the signature certificate and not with the authentication certificate, and you can log on to systems with the authentication certificate, but not with the signature certificate. There is some software that doesn't look at the properties that are set on the certificates and will just use the signature certificate to log on to a server or vice versa, which is not the idea, so there is some software which is confused.
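The confusion described above, software picking the signature certificate for a login or the authentication certificate for a signature, comes down to a relying party not reading the X.509 key usage extensions. The following is an added example (not code from the talk, the eID middleware, or OpenSC) of the check a server or application should make before accepting a certificate for a given purpose. It uses only Go's standard library and mints two throwaway self-signed certificates as constructed stand-ins for the card's authentication and signature certificates; the exact extension values assigned to each (digitalSignature plus clientAuth for authentication, nonRepudiation/contentCommitment for signing) are an assumption for the example, not taken from the card's specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Role is what a relying party wants to use a card certificate for.
type Role int

const (
	RoleAuthenticate Role = iota // TLS client authentication / login
	RoleSign                     // legally binding document signature
)

// SuitableFor reports whether cert may be used in the given role, judging
// only by its keyUsage / extendedKeyUsage extensions. A login service that
// skips this check will happily accept the signature certificate, which is
// exactly the mix-up the talk describes.
func SuitableFor(cert *x509.Certificate, role Role) error {
	switch role {
	case RoleAuthenticate:
		if cert.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
			return errors.New("keyUsage lacks digitalSignature")
		}
		if cert.KeyUsage&x509.KeyUsageContentCommitment != 0 {
			return errors.New("non-repudiation certificate must not be used for login")
		}
		for _, eku := range cert.ExtKeyUsage {
			if eku == x509.ExtKeyUsageClientAuth {
				return nil
			}
		}
		return errors.New("extendedKeyUsage lacks clientAuth")
	case RoleSign:
		if cert.KeyUsage&x509.KeyUsageContentCommitment == 0 {
			return errors.New("keyUsage lacks nonRepudiation/contentCommitment")
		}
		return nil
	}
	return errors.New("unknown role")
}

// newCert issues a throwaway self-signed certificate with the given usages.
// This is constructed test data standing in for a certificate read from a card.
func newCert(cn string, ku x509.KeyUsage, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     ku,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// DemoCerts returns (authentication cert, signature cert), shaped like the
// assumed pair on a card: the first may log in, the second may only sign.
func DemoCerts() (*x509.Certificate, *x509.Certificate, error) {
	auth, err := newCert("Authentication", x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	if err != nil {
		return nil, nil, err
	}
	sig, err := newCert("Signature", x509.KeyUsageContentCommitment, nil)
	if err != nil {
		return nil, nil, err
	}
	return auth, sig, nil
}

func main() {
	auth, sig, err := DemoCerts()
	if err != nil {
		panic(err)
	}
	for _, c := range []*x509.Certificate{auth, sig} {
		for _, r := range []Role{RoleAuthenticate, RoleSign} {
			fmt.Printf("%-15s role %d: %v\n", c.Subject.CommonName, r, SuitableFor(c, r))
		}
	}
}
```

In a real deployment the same check sits in the TLS server's client-certificate verification callback (or in the signing application before it asks for the PIN), so that a certificate carrying the wrong usage bits is rejected before any PIN prompt is shown; that also avoids the repeated failed signing attempts that end with a blocked card.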
The identity data is just a regular file on the PKCS#15 file system. You can read that with just PKCS#15 calls and interpret it. The format of the file is specified in the specification of the card, but you don't need to do that.

For the client-side software, there is some software provided with the cards, which you can download from the government website. The cryptographic parts are just implemented as a patch on OpenSC. First of all, a patch because you need to have the... OpenSC is the Open Smart Card framework. It's a free software framework, sorry. This is just regular OpenSC. There is a belpic driver which is able to communicate with this specific card, and because they have this driver, you can actually connect to it. The patch has been submitted to OpenSC by the government themselves and most of it is accepted and is in there. Not everything, though. That's what I said. Not everything is accepted because of the weird PIN requirements. They want to have a callback from the library so that if you get into some situation where you need to enter an additional PIN, they don't want to leave that to the application which is using the library, because if you do that, then the application might fake a PIN dialog and that's not the idea. The library itself, by use of Qt, will show a PIN dialog and then you can enter a PIN code. This, of course, rules out any console use. You can only use this library in X.

There is a high-level API in libbeid for data retrieval. They used to call this libeid, which is a fairly reasonable name, but then I suggested that maybe you should have some... space issues, you should perhaps call it beid, and they liked that ID so they changed it.

The server side has no special requirements, really. It's just all plain old SSL, and if you want to set up a website using eID, to communicate with the ID, all you need to do is set up SSL certificate authentication, which is fairly standard.
The only problem is that since there are already 5 million of these cards issued, there are also some revocations, quite some revocations actually, I think about 2%. 2% of 5 million is quite a lot of numbers. So doing this with a certificate revocation list is not manageable. There are lists, there are serials, but it's just not manageable. There is this other protocol called OCSP, the Online Certificate Status Protocol, which is a protocol where you just connect to a server and say, I've got this signature, is this still valid, and the server replies with yes or no. So you don't need to get the CRLs and you don't need everything on your local hard disk. The only problem is that mod_ssl doesn't yet support OCSP. There is a patch but it's not being integrated. It will eventually be integrated, but at the moment it's not integrated. But if you want to set up, you can actually download the CRLs and you can do some stuff there. But as I said, there's no special requirement, so that's not really packaged because, yeah, well.

Software to read the cards. This is very nice. Software to read the cards. That is these two libraries, some user space applications that they already provide. It's all free, all free software, all packaged in Debian. So that's very good. However, there are some issues with it. For instance, the Qt library uses some Qt callbacks, and then they wrote the application using wxWidgets, which also pulls in GTK. So I've got build dependencies from here to Tokyo, which is not very nice. They sometimes hard-code things where this is really not necessary, such as they have something like, #ifdef linux, then the configuration directory is /usr/local/etc, which is totally unnecessary. They can do this better using build time specifications, something like that.
We patched those all away, but then they're hard-coded somewhere else, of course, because I didn't reinvent the build system, especially not seeing how they use SCons as a build system. They used automake, but they didn't like that and they switched to SCons, and I can tell you I really, really don't like SCons. The people who wrote the software, that's Zetes, which is a company which was contracted by the government. Their specialty is smart cards and stuff like that, so they are familiar with all that stuff, but not familiar with developing open-source software, and it shows.

So, client-side requirements. Of course, you need one of these smart card readers. Without a smart card reader, obviously you can't read smart cards. To be able to read a smart card from a reader, of course, you still need some software, some middleware, that can be either OpenSC or OpenCT. They are both middlewares to read smart cards. The government actually only supports PCSC, but OpenSC supports way more and they threw those all out. When they first did that, the problem was that this one uses OpenCT, and because I can only test if OpenCT is in there, I just put it in again, but I didn't test everything, I didn't put all the other middleware drivers in again, so if you want to use the Belgian eID cards in Debian, you need to have a smart card reader which is supported by either PCSC or OpenCT. Now, if you buy a smart card reader in Belgium, it's usually marketed as an eID card reader and they use an ACR38U driver, so if you buy one from the government, you've got one of those chipsets that also requires an additional library to be installed so that PCSC can communicate with it, which is also packaged, but not by me. Someone else has done that. libbeid, libopensc2 has a suggestion for that specific library, so that if you install it, you get the suggestion that you might need it.
Then, yeah, it runs this daemon, pcscd, and the idea of it is that if some application tries to access your smart card, spyware, whatever, then this might be a privacy leak. So under Windows, they've got a system tray application, and any time an application tries to access a smart card, you get a dialogue from that system tray application saying, hey, somebody's trying to access your smart card, do you want to allow that? They want to implement the same thing on Linux, but it's not entirely working, because the problem is you cannot have a system tray application locking a smart card. So what they did is they run a daemon, but of course a daemon can't access X, so they have the library access X once you call it to talk to the daemon. But I've been thinking about it, and then it doesn't really make sense to me, because if you have a rogue library that just talks to the daemon and then says, yeah, I've shown a dialogue to the user and he says all is okay, while all is not okay, then you've totally bypassed the situation, so it doesn't really work in my opinion.

Anyway, and then of course, there's some useful software: there's a Firefox plugin, there's a GUI package to read the cards and print out the data on there and everything. So beidgui, I'll give a demo in a few seconds, this is a graphical interface to the cards which allows you to read the data on the card and show it to users. And yeah, you can print it, you can also change your PIN there. So I'm too fast. I'll just give you the demo now; I'll put my card in first. beidgui. It's saying that it can't open PCSC but that's all right. This is not all right. Okay, I need to add myself to the right group. Hang on. I hadn't tested that. No, that will not work. I'll show you in a minute why. Well, I should be in the group scard to be able to read smart cards in Linux, but that requires me to log off and on again; I'm not going to do that right now. It should work. Let's try.
Yeah, it is indeed showing this message, but that's because they've got a different idea about how localization works. As I said, they're not very comfortable with open source software and it really shows. I can use Dutch here or whatever, but it also means that if you want to do additional translations it just won't work, because they've got beidgui_nl.mo and beidgui_fr.mo, so it really, really doesn't work the way it should. Anyway, reading a card is this way. Damn it. All right. I may have to restart OpenCT because C-process is guilty. See what I mean? Well, it's supposed to work. It works better than stable, really. There are some issues in stable as well, because again, one of the things is they try to, for the plug-in, they try to open the .so file rather than the .so.version file, so that's not very good either. I'll just, while I'm talking... I should have tested this. Sorry. I'll just log off because this will take a while.

The other thing is they also have a Firefox plug-in, which I'll demonstrate in a second as well, which allows you to read the cards. You need to register the card first before you do that. I'll show you that as well. Then, for instance, log on to the government website and do your tax declaration there, or go to the national register website and get all sorts of very, very private things. For instance, in my case it shows that I drove slightly too hard a few years ago and that I had to see a judge before I could get my license again. Stuff like that.

Then there's also the development libraries. The eID development library is documented in a PDF on their website, but it's really very simple. It only gives things like read the picture, or read the name and address, or give me the certificate, stuff like that. It's very, very high level, and I believe there are only 10 calls or something in the library, so it's not very complicated. Large font. I'll just give up. This was normal because I don't have a PCSC card reader.
If I do have a PCSC card reader I need to install these libraries. Yeah, yeah, yeah. That's a shame. I don't know the other reader. Anyway, so that's a real shame. There's also a beidcrld here which will download CRLs if you allow it to. This is the last attempt. If this doesn't work it's over. I can still show some more things, but I'm not going to waste time on this anymore. Okay. Because if it was right it would show that it has a smart card, and this is just something OpenCT does. It gives you 5 empty smart card readers but they're not really connected. If this was actually connected it would find it. It works on my laptop.

Anyway, so there's also, as I said, I can show that. There is a plugin for, maybe I'll show that first. There is a plugin for Firefox and similar web browsers which also works in Iceweasel. Except, for instance, if you go to the tax declaration website with Iceweasel it will say you're not running Firefox or Internet Explorer, but it's not really a big deal because you can actually still open it. You can still go to the website; it just gives you a warning that it's not supported and stuff might break, but stuff of course doesn't break. Yes, the card. This was not planned. Yeah? Well, this card reader doesn't work with PCSC. That's what I said earlier. That's why I included OpenCT in there rather than PCSC alone, because I could buy a new one, of course. Yeah, maybe. Anyway, I've shown that. So there's a Gecko plugin which is part of this package, the actual OpenSC library. It doubles as a plugin really, so it's got just the library and also the plugin bits. And then there's this file. If you open that in your browser it will run some JavaScript and enable the plugin. You get a warning, of course.
It doesn't do this without you noticing, and once you've done that you can actually access... of course it doesn't work in Icedove, Thunderbird for those of you who don't use Debian, but the module itself, the library, can actually be loaded there, so you can also sign emails with the card, which is nice. Signing emails, authenticating to websites.

And then there's also the OpenSC utilities. As I said, parts of the library have been accepted into OpenSC core and you can actually use it to sign text files from the command line with these command line utilities. Of course OpenSC, as said, doesn't know about the semi-weird PIN requirements, so if you fuck up you may end up locking your card. But since these are command line based utilities they will assume there's no PIN anyway, so the chances are pretty slim there.

Other things: some people have used the cards to generate an SSH public key, and then you can actually use the card to log in using SSH. I've never tried this myself, but reportedly it's possible; I've heard of people who've done it. PAM is not yet possible, but it would be nice. You can actually, there is some work on an OpenSC authentication module. It is possible on Solaris. There are actually PAM modules for Solaris with the eID card, and people using Sun hardware often speak about how they forget their smart cards after logging in, and then I've also heard reports of companies where they came back from using the cards as a login system because everybody forgot it. But it's possible on Solaris, and I think that's about it.

I can still show you how the module in Firefox works if you give me a few seconds. The state in Etch is that it works easier with PCSC than with OpenCT. Sometimes OpenCT has this weird idea about its connection with the world. But in unstable it's much better. I've put a lot of work there, so for Lenny it will be much better and hopefully we will not have these issues anymore. And this machine runs Etch, so that's why, I see.
If you go to Advanced here, we can go to Encryption and then we have Security Devices. This will show us what security devices we have. There is none for the eID card here yet. But if I go to that page, I'm not going to type everything there, and I open this web page, it gives me a warning. Are you sure you want to install the security module, because that might be a problem, and I'm saying yeah, I want to do that, and now it's running the JavaScript and that's all, and then we get a nice message that it's been installed as well. So if you go to the same page again you will see that under Security Devices it's actually there. I wanted to go to a website that requires me to do a smart card authentication, but of course that's not going to be possible. So we'll end here. Are there still any more questions, or yeah?

Yes, yeah, that's great. Unfortunately there are no card readers with integrated pinpads that work on Linux. So you can't use those anyway. If you use Windows it's the same codebase and the software on Windows will detect that you have a reader with a pinpad. So that will work properly. And once there is actually a card reader with a pinpad that's on the list, you should not have a problem with it, because it's exactly the same codebase. But currently you can't use those anyway. Anything else?

Some specific license, it's not GPL or something, but it is in main, so it's free software. But I can show you if you want, if you're very interested. It's just there in four languages, French, English, German and Dutch, but it's something modified MIT, I believe, or something like that. It's not really... it is GPL compatible, yeah. Anyone else?

I still have to get a card reader to play with those things. Which one? There are these, if they mention eID card reader they are usually compatible. They are usually using the ACR38U driver. Especially if they say Zetes, then they are definitely using the ACR38U reader, and those are really, really good. Oh, I didn't know that. Do you have the website?
Maybe I should try it on. Oh yeah, right. So it's not very hard in any case to find a card reader that works. Anyone else? Okay, thank you for your attention then.