Belgian identity management

Context, oversight and discussion

Belgium

Related

Belgian legislation

Belgian MyID

Functionality of the MyID app

OAuth authentication and DSS signature.

Belgian Belpic eID

For local info see BE - Belpic.

Functionality

Originally the implementation of the Belgian electronic identity card was referred to as Belpic. The card combines the features of a traditional identity card (identification of the citizen, travel document within the EU) with the possibilities originally created by the EC Directive 1999/93 for electronic signatures. This directive was later replaced by the eIDAS regulation (EC 910/2014).

The basic functionality of the card can be described as: There is no encryption/decryption capability offered.

There are three different instantiations of the BeID concept:

Applications

You can use the card for authentication in a web context, or you can use it to secure SSH sessions or similar. You can sign XML, MS-Word, Acrobat PDF or anything you'd like (assuming the format supports smart cards and electronic signatures).

The first application was Mijn Dossier from the National Register. This allows a citizen to retrieve a basic statement about himself (name, address, status, etc.) in signed XML. Here's a copy of mine.

The my.belgium.be site gives an overview of public sector applications. There are countless applications, particularly in eHealth. This includes e.g. the administration of vaccinations.

For eGov purposes, a role management system has been set up.

The IAM apps site 'Mijn digitale sleutels' binds it together.

Data visually present on the BeID card

The front of the eID card lists name (i.e. name, two first names, first letter of third name), title, nationality, birth place and date, gender, card number, card validity dates, picture and hand-written signature of the holder.

The back of the eID card lists place of delivery of the card, the National Register Number (NRN) of the citizen, hand-written signature of the civil servant delivering the card, and ICAO machine readable identification.

Data electronically present on the BeID card

Two applications can deliver data in electronic format:

Technical features of the card

The card originally selected was a Gemalto (started as Schlumberger, then Axalto, now Gemalto) Cryptoflex JavaCard 32K, equipped with a 16-bit microcontroller (Infineon SLE66CX322P) and an additional crypto processor (for RSA and DES computations). The card has ROM, EEPROM and RAM. The Belpic Java Applet handles all communications with the outside world.

On behalf of the Belgian government, Zetes delivers specific middleware intended to be used together with the card. From an application's perspective, there are four categories of functions available (high-level summary only):

Visual security mechanisms include rainbow and guilloche printing, CLI (Changeable Laser Image), OVI (Optical Variable Ink), Alphagram, relief and UV print, and laser engraving.

Timeline

Timeline - overall

The overall timeline can be approximated as:

Timeline - Belgium

The timeline can be approximated as:

Belpic ecosystem

An ecosystem evolved around the card, including:

Authentic sources

Federal

Applications

Federal government

Other

Technical foundation

Belgian Root

eID

Related

Development

BeID on Android

Resources

Cardreaders

Getting the card to work

Getting the card to work on Debian 11 Bullseye

Installation on Debian 11 Bullseye

Instructions are at https://eid.belgium.be/en/linux-eid-software-installation. States:

Background on Belpic for Debian 11 Bullseye

You find 15 packages:

Using the card with LibreOffice

Seems to depend on Firefox. Seems to need a path to certificates. In LibreOffice's Options, for security, the path can be set e.g. to /home/marc/.pki/nssdb. If you start the certificate manager in LibreOffice, GPA starts and fails to show BeID certs. However, if you open a PDF via 'to sign external pdf' and just sign it, LibreOffice finds the card and lets you sign with BeID.

Using the card with sign.belgium.be

Info at
sudo apt install ./beidconnect-archive.deb
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
Note, selecting 'beidconnect-archive' instead of './beidconnect-archive.deb'
The following NEW packages will be installed:
  beidconnect-archive
0 upgraded, 1 newly installed, 0 to remove and 325 not upgraded.
Need to get 0 B/4,254 B of archives.
After this operation, 16.4 kB of additional disk space will be used.
Get:1 /home/marc/Downloads/beidconnect-archive.deb beidconnect-archive all 2022.1 [4,254 B]
Selecting previously unselected package beidconnect-archive.
(Reading database ... 632932 files and directories currently installed.)
Preparing to unpack .../beidconnect-archive.deb ...
Unpacking beidconnect-archive (2022.1) ...
Setting up beidconnect-archive (2022.1) ...

Creating config file /etc/apt/sources.list.d/beidconnect.list with new version
Repository enabled, keys installed. Please run "apt-get update" followed by
"apt-get install beidconnect" to install the BeIDConnect software.
So
sudo apt-get update
Hit:1 http://deb.debian.org/debian bullseye InRelease
Hit:2 http://security.debian.org/debian-security bullseye-security InRelease   
Hit:3 http://deb.debian.org/debian bullseye-updates InRelease                  
Hit:4 http://deb.debian.org/debian bullseye-backports InRelease                
Hit:5 http://packages.microsoft.com/repos/code stable InRelease                
Get:6 https://eid.static.bosa.fgov.be/debian bullseye InRelease [3,179 B]      
Hit:7 https://files.eid.belgium.be/debian bullseye InRelease                   
Get:8 https://packages.microsoft.com/repos/ms-teams stable InRelease [5,931 B]
Hit:9 https://dl.google.com/linux/chrome/deb stable InRelease
Get:10 https://eid.static.bosa.fgov.be/debian bullseye/main amd64 Packages [834 B]
Fetched 9,944 B in 1s (9,245 B/s)
Reading package lists... Done
Then
sudo apt-get install beidconnect
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  beidconnect
0 upgraded, 1 newly installed, 0 to remove and 325 not upgraded.
Need to get 122 kB of archives.
After this operation, 395 kB of additional disk space will be used.
Get:1 https://eid.static.bosa.fgov.be/debian bullseye/main amd64 beidconnect amd64 2.3.68.g2c200b6-0deb11-1 [122 kB]
Fetched 122 kB in 0s (683 kB/s)     
Selecting previously unselected package beidconnect.
(Reading database ... 632939 files and directories currently installed.)
Preparing to unpack .../beidconnect_2.3.68.g2c200b6-0deb11-1_amd64.deb ...
Unpacking beidconnect (2.3.68.g2c200b6-0deb11-1) ...
Setting up beidconnect (2.3.68.g2c200b6-0deb11-1) ...
Directory /etc/apt/trusted.gpg.d now contains an entry beidconnect-archive-released-builds.gpg .

But uploading a file to sign gives 'No eid reader found'. Retrying with another card reader: OK.
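
The install above drops a repository file in /etc/apt/sources.list.d and a key in /etc/apt/trusted.gpg.d; a key in that directory is accepted for every repository that is not pinned with a signed-by= option. The script below is an added example (not part of the BeIDConnect packages or the original page) that lists unpinned repositories and the globally trusted keys; the function names and the APT_DIR variable are made up for this sketch, and it reads one-line .list files only.

```shell
#!/bin/sh
# Added example: which APT repositories rely on the globally trusted keys?
# Covers one-line-style *.list files in sources.list.d; /etc/apt/sources.list
# and deb822 *.sources files are not parsed here.

# list_unscoped_sources DIR
# Prints "file: uri" for each active deb/deb-src entry without signed-by=.
list_unscoped_sources() {
    for f in "$1"/*.list; do
        [ -f "$f" ] || continue
        awk -v file="$(basename "$f")" '
            $1 == "deb" || $1 == "deb-src" {
                i = 2; scoped = 0
                if (substr($2, 1, 1) == "[") {
                    # Walk the option block up to the field closing it with "]".
                    for (; i <= NF; i++) {
                        if (index($i, "signed-by=")) scoped = 1
                        if (substr($i, length($i)) == "]") { i++; break }
                    }
                }
                if (!scoped) print file ": " $i   # $i is the repository URI
            }' "$f"
    done
}

# count_unscoped_sources DIR: number of entries reported above.
count_unscoped_sources() {
    list_unscoped_sources "$1" | wc -l | tr -d ' '
}

# list_global_keys DIR
# Prints the key files that vouch for every unpinned repository.
list_global_keys() {
    for k in "$1"/*.gpg "$1"/*.asc; do
        [ -f "$k" ] && basename "$k"
    done
    return 0
}

APT_DIR=${APT_DIR:-/etc/apt}   # override to inspect a copy or a chroot
echo "Repositories not pinned with signed-by:"
list_unscoped_sources "$APT_DIR/sources.list.d"
echo "Keys accepted for all of them:"
list_global_keys "$APT_DIR/trusted.gpg.d"
```

Run it before and after installing an archive package to see exactly which repository entries and keys the package added.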

Getting the card to work on Debian 10 Buster BlackTiger

https://eid.belgium.be/en/linux-eid-software-installation reads:

Follow these two steps to download the eID software on Linux:

Legacy - getting the card to work on Debian 8 Jessie

I went through the following steps to use the card on my Debian Jessie (Debian 8) with the ACR38 reader.

Legacy - getting the card to work on Ubuntu

I went through the following steps to use the card on my Lucid Lynx (Ubuntu 10.4) with the ACR38 reader.
