Interesting things to do with an electronic ID card and a cardreader
So, now that I finally feel that belpic in Debian is in working order (in unstable), let's talk about the interesting things one can do with it. You have an eID, run Debian, just bought yourself a cardreader, and feel "now what"? This is the blog post for you
Note that there are still some rough edges; but I still have time to fix those before etch releases, so that's not much of an issue.
First, you need some support packages. If you bought a cardreader
from Zetes or got one from the Government somehow, then you have an
ACR38 reader and you need a hardware support package to be able to use
it; the package in question is called libacr38u
.
Obviously you will also need the belpic packages. For now, just install all of them—there still appears to be a dependency issue which I will need to fix; I'll announce on this blog when that has been done. Just run
aptitude install $(apt-cache showsrc belpic|sed -e '/^Binary/!d;s/^Binary: //;s/,//g')
and you will install them. I uploaded these packages to backports.org, too, where they'll hopefully show up some time soon (the current packages are still at 2.3.13 for some weird reason). This will give you:
- beidgui
- a graphical application that will allow you to view the data on the card, and to change your PIN code (as long as you still know your current PIN code and don't need to unblock it with the PUK; for the latter, you need to go to your local town or city or district hall).
- beid-pkcs11-tool
- a command-line tool that will allow you to change your pin and do some other interesting things. Note that while this is a command-line tool, you still need a GUI environment to be able to run it; there are cases where the libbeidlibopensc2 library will open a dialog window to ask you for your pin, without going through the application.
- beid-tool
- a command-line tool with not much options; it doesn't allow for much more than to test whether your installation works.
- beidcrld
- a daemon that will update the CRLs (Certificate Revocation Lists) when there is a network connection, so that you can verify the validity of the card in your reader. If you have a permanent Internet connection, there is also OCSP (Online Certificate something Protocol) which will verify the validity of your certificates against an online server, and which the preferred way to do this. Future versions of the belpic packages will have a /etc/default/beid which will allow you to disable beidcrld.
- beidpcscd
- a daemon that is used if you need libpcsclite to talk to your cardreader. If you have an ACR38 cardreader, you need this. I personally have a different one, which uses openct, so I don't...
- a whole bunch of libraries
- However, only three are really interesting: libbeidlibopensc2, for low-level operations on the card (such as "read a file", "sign some data"; libbeid2, for high-level operations on the card (such as "read identity data", "read a picture"), and libbeidlibjni (JNI library, if you want to use the eID from Java). Libbeidlibopensc2 and libbeid2 are packaged separately; libbeidlibjni is packaged together with libbeid2 (though that might change in the future, not sure).
- Some files to support mozilla, firefox, and other browsers.
- The most interesting ones from a user point of view are /usr/share/beid/beid-pkcs11-register.html and /usr/share/beid/beid-pkcs11-unregister.html. Note that registering the module isn't enough to be able to use it; you will have to perform some additional steps which are outlined on eid.belgium.be, the government website about the eID.
Additionally, there is also OpenSC which you may want to install. The point there is that things like OpenSC's pkcs15-tool and pkcs15-crypt do not have a counterpart in the eID toolkit, so if you want that, you need to install it.
So, that's the software in the eID toolkit. But what can you do with it? There are a number of things. For starters, of course, there's the beidgui, which allows you to view, save, print out, and do other interesting things with data on a card. If you work on a place where you regularly need to work with eID data, this may just be the appliation for you.
If you have set up your browser to support the eID, you may want to go to mijndossier.rrn.fgov.be, a website set up so that everyone can view their own information in the Rijksregister. I'm sure there is a French version of that URL, but don't ask me—I don't know it.
You probably already know about tax-on-web, where you can do your tax application online.
It is possible to install a signing module into Mozilla Thunderbird, and to sign your emails using S/MIME and the eID card. This will give you a signed email which is legally binding; might be interesting for those of you out there interested in not having to use as much paper signatures. Details, again, on eid.belgium.be. The same is true for signing documents in OpenOffice.org. I haven't tried doing any of this myself yet, though.
Of course, you can sign any text file as well, using pkcs15-crypt from OpenSC, or extract the certificates on the card using pkcs15-tool. Just run them with the --help parameter to find out about their options.
And that's about it, I guess. More interesting links can be found on a a portal maintained by Danny 'godot' Decock on the eID.