My biggest fear is the use of eID to basically "identify" yourself. From what I know, the eID is the highest form of "identification" you can have. From a scale from 1-4, an eID is the highest form of trust you can give (http://web.archive.org/web/20150915011249/http://www.itl.nist.gov/lab/bulletns/bltnaug04.htm). Using that just to authenticate yourself on websites to prevent fake online reviews is like shooting a fly with a shotgun.
Knowing a username + password already gives you a level 1 clearance, buying a product already gives level 2 clearance (proof that you have the object). Having a eID that can issue tokens for you gives you a level 3 clearance (that person is real, for sites like facebook), signing with the eID is level 4 (if you want to fill in tax forms). Revoking a key requires that the the revocation signatures are also stored online for everyone to see (in case of identity theft).
So, the question is: How much trust do you need to have in the other party? Amazon only needs to verify that you actually bought the goods before flagging you as a "verified purchaser", to prevent fake reviews. They don't need to know my real name, just me logging in + a receipt of the goods I bought. The case of actually using an "eID" is only valid when you want to verify the identity of that user, for example when you want to get a loan or when you need to be reasonably sure that the other party is really a client of yours (eg: a bank). Otherwise, I would not see any benefit of having some sort of "eID" for authentication.
On Sun, May 1, 2016 at 5:22 PM Nick Hilliard <
nick@inex.ie> wrote:
Patrik Fältström wrote:
> What is irritating with just that snippet on top of page 12 you
> reference is that they say in more or less the same sentence that it
> is important to decide who to trust, while one should be told to
> trust whatever eID Brussels decides on.
That snippet, and the paragraph before it, are very confused pieces of
thinking.
> In particular, online platforms need to accept credentials issued or
> recognised by national public authorities, such as electronic ID
> cards, citizen cards, bank cards or mobile IDs.
[...]
> Further, the Commission will draw up a plan to strengthen public
> authorities' capacity to process and analyse large-scale data to
> support the enforcement of EU single market policies and to ensure
> platform users are more aware of the data collected by platforms and
> how it is used.
The paper then mention fake online reviews as being an example that
deserves particular merit. In the long list of things which cause
erosion of trust, fake online reviews are pretty far down.
Apart from the concerns you mentioned, there is a complete lack of
understanding about the stupidity of using:
1. very widely or universally accepted access credentials. The more
widely accepted an access token is, the more damage you can do by
compromising the token.
2. irrevocable tokens (e.g. biometrics in national ID cards) as trust
credentials on the Internet. One of the centre-pieces of trust is that
it can be revoked. If something cannot be untrusted, it should not be
trusted in the first place.
In either case, it would be pretty catastrophic if trust databases of
this form were compromised. The more widely used a trust database is,
the more valuable it is and the more likely it is to be viewed as an
interesting target by threat actors, whether state or criminal.
Overall, while the intentions of this suggestion cannot be doubted, the
idea of mandating wide acceptance of eIDs seems to be an extremely
unwise plan of action.
Nick