My biggest fear is the use of eID to basically "identify" yourself. From
what I know, the eID is the highest form of "identification" you can have.
On a scale from 1-4, an eID is the highest form of trust you can give (
http://web.archive.org/web/20150915011249/http://www.itl.nist.gov/lab/bulletns/bltnaug04.htm).
Using that just to authenticate yourself on websites to prevent fake online
reviews is like shooting a fly with a shotgun.

Knowing a username + password already gives you a level 1 clearance, buying
a product already gives level 2 clearance (proof that you have the object).
Having an eID that can issue tokens for you gives you a level 3 clearance
(that person is real, for sites like facebook), signing with the eID is
level 4 (if you want to fill in tax forms). Revoking a key requires that
the revocation signatures are also stored online for everyone to see
(in case of identity theft).

So, the question is: How much trust do you need to have in the other party?
Amazon only needs to verify that you actually bought the goods before
flagging you as a "verified purchaser", to prevent fake reviews. They don't
need to know my real name, just me logging in + a receipt of the goods I
bought. The case of actually using an "eID" is only valid when you want to
verify the identity of that user, for example when you want to get a loan
or when you need to be reasonably sure that the other party is really a
client of yours (eg: a bank). Otherwise, I would not see any benefit of
having some sort of "eID" for authentication.

On Sun, May 1, 2016 at 5:22 PM Nick Hilliard <[email protected]> wrote:

> Patrik Fältström wrote:
> > What is irritating with just that snippet on top of page 12 you
> > reference is that they say in more or less the same sentence that it
> > is important to decide who to trust, while one should be told to
> > trust whatever eID Brussels decides on.
>
> That snippet, and the paragraph before it, are very confused pieces of
> thinking.
>
> > In particular, online platforms need to accept credentials issued or
> > recognised by national public authorities, such as electronic ID
> > cards, citizen cards, bank cards or mobile IDs.
> [...]
> > Further, the Commission will draw up a plan to strengthen public
> > authorities' capacity to process and analyse large-scale data to
> > support the enforcement of EU single market policies and to ensure
> > platform users are more aware of the data collected by platforms and
> > how it is used.
>
> The paper then mentions fake online reviews as being an example that
> deserves particular merit.  In the long list of things which cause
> erosion of trust, fake online reviews are pretty far down.
>
> Apart from the concerns you mentioned, there is a complete lack of
> understanding about the stupidity of using:
>
> 1. very widely or universally accepted access credentials.  The more
> widely accepted an access token is, the more damage you can do by
> compromising the token.
>
> 2. irrevocable tokens (e.g. biometrics in national ID cards) as trust
> credentials on the Internet.  One of the centre-pieces of trust is that
> it can be revoked.  If something cannot be untrusted, it should not be
> trusted in the first place.
>
> In either case, it would be pretty catastrophic if trust databases of
> this form were compromised.  The more widely used a trust database is,
> the more valuable it is and the more likely it is to be viewed as an
> interesting target by threat actors, whether state or criminal.
>
> Overall, while the intentions of this suggestion cannot be doubted, the
> idea of mandating wide acceptance of eIDs seems to be an extremely
> unwise plan of action.
>
> Nick