New ID-card and its changes

What is meant by “new” and “old” ID-cards?

At the end of 2018 the manufacturer of Estonian ID-cards changed: instead of the former manufacturer Gemalto, the Police and Border Guard Board began cooperating with IDEMIA. Along with the change of manufacturer, a number of changes were made both to the card itself and to the related software and services, and updated standards were adopted.

It is important to remember that the ID-card ecosystem uses both new and old (issued before the end of 2018) ID-cards in parallel and we are in the middle of a 5-year transition period.

Testing new and old ID-cards:

Instructions for testing new ID-cards  
Identification with ID-cards and digi-IDs on websites  

Test authentication here:  

Test digital signing here:  

Estonia ID1 Chip/App 2018 Technical Description:  

  • Ordering test ID-cards


    Ordering test cards

    General information on test cards:


    https://www.skidsolutions.eu/en/services/testcard/

    Test cards issued by SK:

    • test ID-card (2018); 
    • test ID-card (ECC certificates, 2017 update); 
    • test e-resident’s digital ID (2018); 

    e-Seal on crypto-stick issued by SK

    NB! Keep in mind that:

    • test ID-cards can only be used in a test environment: their certificates chain to SK's test CAs, which production systems must not trust;  
    • test ID-card certificates cannot be renewed.

Which services are affected by the changes?

All information systems that support the use of the electronic part of ID-cards issued in Estonia are affected. The main functions that are affected by the changes are:

  • Identification of users upon entering information systems (authentication). 
  • Identification of users upon logging in to Windows (domain). 
  • Document signing. 
  • Management of signed documents (the default container format is now ASiC-E, file extension .asice). 
  • Encrypting documents to ID-cards. 
  • Use of ID-cards as loyalty cards. 
  • AIA-OCSP URL


    The URL of the AIA-OCSP service with unrestricted access can usually be read from the certificate itself, from its Authority Information Access (AIA) extension. Each CA branch has its own responder URL and its own certificate for signing OCSP responses.  

    Since 2019 a new OCSP response profile applies to organisation certificates and is also applied to CA certificates. The new response profile introduced the Archive Cutoff and Extended Revoked Definition extensions (RFC 6960). Additional information is available on the website of SK ID Solutions.  

    NB! Older certificates may not carry the URL in the AIA extension, in which case the URL should be taken from the following list: 

    Live chain service URL             Test chain service URL
    http://aia.sk.ee/esteid2018        http://aia.demo.sk.ee/esteid2018
    http://aia.sk.ee/esteid2011        http://aia.demo.sk.ee/esteid2011
    http://aia.sk.ee/eid2011           http://aia.demo.sk.ee/eid2011
    http://aia.sk.ee/klass3-2010       http://aia.demo.sk.ee/klass3-2010
    http://aia.sk.ee/esteid2015        http://aia.demo.sk.ee/esteid2015
    http://aia.sk.ee/eid2016           http://aia.demo.sk.ee/eid2016
    http://aia.sk.ee/nq2016            http://aia.demo.sk.ee/nq2016
    http://aia.sk.ee/klass3-2016       http://aia.demo.sk.ee/klass3-2016

    The nonce field of a request to the AIA-OCSP service with unrestricted access must not carry the data agreed for BDOC-TM (TimeMark) signatures (the TM profile binds a digest of the signature value into the OCSP nonce so that the response doubles as a time-mark); TM signatures must use the access-restricted service. 

    NB! The certificates used for signing the responses of the unrestricted AIA-OCSP service are short-lived; validators must fetch and verify the current responder certificate rather than pinning one. 

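As an added example (not code from this page, RIA or SK ID Solutions), the lookup described above in Python using only the standard library: a minimal DER walker that pulls the OCSP URI out of the certificate's AuthorityInfoAccess extension value and, when the extension carries no OCSP entry, falls back to the per-branch table above. The sample AIA bytes are hand-constructed to look like an ESTEID2018 certificate's entry, and the lower-case branch names used as table keys are an assumption of this example, not identifiers from the page.

```python
"""Find the unrestricted AIA-OCSP responder for an Estonian eID certificate.

Parses the AuthorityInfoAccess extension value (RFC 5280 section 4.2.2.1) with a
minimal DER walker and falls back to SK's per-CA-branch URL table when the
certificate carries no OCSP entry.  Standard library only; added example.
"""
from typing import List, Optional

OID_AD_OCSP = "1.3.6.1.5.5.7.48.1"   # id-ad-ocsp access method

# Per-CA-branch responders (from the SK table above): branch -> (live, test).
# The branch key spelling is this example's own convention.
AIA_BY_BRANCH = {
    "esteid2018":  ("http://aia.sk.ee/esteid2018",  "http://aia.demo.sk.ee/esteid2018"),
    "esteid2011":  ("http://aia.sk.ee/esteid2011",  "http://aia.demo.sk.ee/esteid2011"),
    "eid2011":     ("http://aia.sk.ee/eid2011",     "http://aia.demo.sk.ee/eid2011"),
    "klass3-2010": ("http://aia.sk.ee/klass3-2010", "http://aia.demo.sk.ee/klass3-2010"),
    "esteid2015":  ("http://aia.sk.ee/esteid2015",  "http://aia.demo.sk.ee/esteid2015"),
    "eid2016":     ("http://aia.sk.ee/eid2016",     "http://aia.demo.sk.ee/eid2016"),
    "nq2016":      ("http://aia.sk.ee/nq2016",      "http://aia.demo.sk.ee/nq2016"),
    "klass3-2016": ("http://aia.sk.ee/klass3-2016", "http://aia.demo.sk.ee/klass3-2016"),
}


def _read_tlv(buf: bytes, pos: int):
    """Read one DER TLV at pos; return (tag, value, next_pos). Long-form lengths supported."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw: bytes) -> str:
    """Decode DER OBJECT IDENTIFIER content octets to dotted form."""
    parts = [raw[0] // 40, raw[0] % 40]
    acc = 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(acc)
            acc = 0
    return ".".join(map(str, parts))


def ocsp_urls_from_aia(aia_der: bytes) -> List[str]:
    """Return every OCSP URI in an AuthorityInfoAccessSyntax value (may be empty)."""
    tag, body, end = _read_tlv(aia_der, 0)
    if tag != 0x30 or end != len(aia_der):
        raise ValueError("AIA is not a single SEQUENCE")
    urls, pos = [], 0
    while pos < len(body):
        t, access_desc, pos = _read_tlv(body, pos)
        if t != 0x30:
            raise ValueError("AccessDescription is not a SEQUENCE")
        oid_tag, oid, p = _read_tlv(access_desc, 0)
        loc_tag, loc, _ = _read_tlv(access_desc, p)
        # accessLocation is a GeneralName; [6] uniformResourceIdentifier = context tag 0x86
        if oid_tag == 0x06 and _decode_oid(oid) == OID_AD_OCSP and loc_tag == 0x86:
            urls.append(loc.decode("ascii"))
    return urls


def ocsp_url(aia_der: Optional[bytes], issuer_branch: str, test_chain: bool = False) -> str:
    """AIA from the certificate wins; otherwise fall back to the SK table for the CA branch.
    Call this only after the certificate has been chained to a trusted SK CA: whoever
    controls the certificate also controls its AIA URL."""
    if aia_der:
        urls = ocsp_urls_from_aia(aia_der)
        if urls:
            return urls[0]
    try:
        live, test = AIA_BY_BRANCH[issuer_branch.lower()]
    except KeyError:
        raise ValueError(f"no AIA in certificate and unknown CA branch {issuer_branch!r}")
    return test if test_chain else live


def _tlv(tag: int, value: bytes) -> bytes:
    """Short-form DER encoder, enough for the constructed sample below."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value


# Constructed sample: the DER an ESTEID2018 certificate's AIA extension would carry if it
# listed only the OCSP responder (OID and URI hand-encoded for this example).
SAMPLE_AIA_2018 = _tlv(0x30, _tlv(0x30,
    _tlv(0x06, bytes.fromhex("2b06010505073001"))      # 1.3.6.1.5.5.7.48.1
    + _tlv(0x86, b"http://aia.sk.ee/esteid2018")))

if __name__ == "__main__":
    print(ocsp_url(SAMPLE_AIA_2018, "esteid2018"))
    print(ocsp_url(None, "esteid2011", test_chain=True))
```

Trust the AIA URL only after the certificate has been chained to a trusted SK CA. Plain http:// is acceptable for OCSP because the response is signed, but the response signature must be verified against the branch's OCSP signing certificate, which for the unrestricted service rotates frequently.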
  • Testing ID-cards: authentication in web services


    Authentication in web services is usually implemented as TLS client-certificate authentication: the web server requests a client certificate during the TLS (HTTPS) handshake and the browser presents the ID-card authentication certificate, with the card proving possession of the private key once PIN1 has been entered.

    The handshake alone does not show that the certificate is still valid: the server must check the user certificate's revocation status with the OCSP validity confirmation service or against a CRL.

    Which tests should be made with ID-cards?

    For web authentication testing you need a test ID-card and an eID software set that supports the test card, and you must perform at least the following tests:

    1. Successful authentication with the previous manufacturer's card (the old ID-card) and the new eID software set. 
    2. Successful authentication with the new ID-card and the new eID software set. 
    3. Authentication with the old card using revoked or suspended certificates of the previous manufacturer's branch (must be rejected).* 
    4. Authentication with the new card using revoked or suspended certificates of the new manufacturer's branch (must be rejected).* 

    It is recommended to perform successful authentication tests with all eID supported web browsers on at least one computer with Windows, macOS and Ubuntu operating system.

    Validity confirmation service (SK ID Solutions):

    The service can be used if there is a respective contract with SK and the service is working with both old and new certificates.

    When querying the access-restricted SK validity confirmation service (ocsp.sk.ee) for certificates issued under ESTEID2018, note that the responses are signed with the SK OCSP RESPONDER 2011 certificate, the same responder certificate already used for all other certificates; validators that expect the responder certificate to belong to the issuing CA's branch must allow this.

    Validity confirmation service information:

    OCSP with access restriction:

    OCSP test address:

    Other changes related to the new ID-card:

    Apache web server setup instructions for authentication with ID-card are available at: 

    With the new ID-card, the web authentication service is influenced by the following changes:

    • Card drivers on all platforms: new card drivers are added to the eID software set.
      • This change is covered by the Information System Authority's software support; in the context of eID ecosystem testing, the risk associated with this change can be considered covered.

    The new ESTEID2018 certificates do not include a CRL distribution point. If a CRL is needed, its address can be found in the revocation list repository of SK ID Solutions:
    https://www.skidsolutions.eu/en/repository/CRL/

    The format of the certificate subject's SN (serialNumber) field changes: the prefix 'PNOEE-' is added in front of the personal identification code (e.g. PNOEE-12345678901 instead of 12345678901).

    This affects information systems and services that read the personal identification code from the certificate's serialNumber field during authentication: a parser that expects exactly 11 digits will either fail or, worse, accept the wrong substring.

    The change follows the standard ETSI TS 119 412-1, clause 5.1.3 (semantics identifier for a natural person: 'PNO' + ISO 3166 country code + '-' + national identifier): http://www.etsi.org/deliver/etsi_ts/119400_119499/11941201/
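The serialNumber change above (the same change is listed again in the Windows, encryption, signing and loyalty-card sections) is the one that most often breaks integrations, so here is an added Python example, not code from this page, RIA or SK: a parser that accepts both the old bare form and the 2018 'PNOEE-' form, rejects other countries' semantics identifiers, and validates the personal code's check digit so that a mis-parsed substring is refused rather than silently used as an identity. The check-digit rule is the publicly documented one for Estonian personal codes and is not described on this page; the sample values are constructed test-style codes, not real persons.

```python
"""Extract the Estonian personal identification code from the subject serialNumber
of an ID-card certificate, accepting the pre-2018 bare form ('47101010033') and the
ESTEID2018 form with the ETSI TS 119 412-1 semantics identifier ('PNOEE-47101010033').
Added example; sample codes are constructed."""
import re

_OLD_FORM = re.compile(r"^(\d{11})$")
_NEW_FORM = re.compile(r"^PNO(?P<country>[A-Z]{2})-(?P<code>\d{11})$")


def check_digit_ok(code: str) -> bool:
    """Estonian personal code check digit: weighted sum of the first ten digits mod 11;
    on remainder 10 a second weight set is used; if that is also 10 the check digit is 0."""
    digits = [int(c) for c in code]
    for weights in ((1, 2, 3, 4, 5, 6, 7, 8, 9, 1), (3, 4, 5, 6, 7, 8, 9, 1, 2, 3)):
        r = sum(d * w for d, w in zip(digits, weights)) % 11
        if r != 10:
            return digits[10] == r
    return digits[10] == 0


def personal_code_from_serial(serial: str) -> str:
    """Return the 11-digit personal code or raise ValueError."""
    s = serial.strip()
    m = _NEW_FORM.match(s)
    if m:
        if m.group("country") != "EE":
            raise ValueError(f"not an Estonian national identifier: {serial!r}")
        code = m.group("code")
    else:
        m = _OLD_FORM.match(s)
        if not m:
            raise ValueError(f"unrecognised subject serialNumber format: {serial!r}")
        code = m.group(1)
    if not check_digit_ok(code):
        raise ValueError(f"personal code fails check digit: {code}")
    return code


def is_valid_subject_serial(serial: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        personal_code_from_serial(serial)
        return True
    except ValueError:
        return False


def eesti_ee_address(serial: str) -> str:
    """Address in the form the 2018 certificates carry (personal code @eesti.ee)."""
    return personal_code_from_serial(serial) + "@eesti.ee"


def naive_legacy_extract(serial: str) -> str:
    """What a pre-2018 integration typically did: take the field verbatim. Against a 2018
    certificate this yields 'PNOEE-...', which never matches a stored 11-digit code."""
    return serial


if __name__ == "__main__":
    for s in ("47101010033", "PNOEE-47101010033", "PNOEE-47101010034", "PNOLV-47101010033"):
        print(s, "->", personal_code_from_serial(s) if is_valid_subject_serial(s) else "rejected")
```

The same parser applies to the Windows account-mapping case: a mapping rule keyed on the raw serialNumber value needs the stored value updated or normalised through a function like this when the user moves to a 2018 card.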

    Also:

    • New ID-card drivers are added to end users' computers on all platforms.  
    • An additional AIA-OCSP service with unrestricted access was added for verifying the validity of certificates.
  • Testing ID-cards: authentication in Windows domains and individual devices


    Many organisations use centrally managed computer networks where the ID-card is used for user authentication, most commonly smart-card logon to Windows or to an authentication server over RDP. In both cases the user's authentication certificate (whose key is protected with PIN1) is used to identify the user and map them to an account.

    Which tests should be made with ID-cards?

    Presumably the changes related to the new ID-card have been considered by now, but for testing you should:

    • enrol both a new-card user and an old-card user in the system; 
    • try migrating a user from the old card to the new one; 
    • have a successful login/authentication with the old card; 
    • have a successful login/authentication with the new card; 
    • perform an authentication test with the new card’s cancelled or suspended certificates; 
    • perform an authentication test with the old card’s cancelled or suspended certificates. 

    Changes related to the new ID-card:

    • In connection with the new card added in 2018, check the LDAP service address and any changes to the response structure (the certificate catalogue is now served at ldaps://esteid.ldap.sk.ee). 
      • Use the AIA-OCSP service instead of the LDAP service for checking certificate validity. 
    • OCSP and AIA-OCSP (see AIA-OCSP URL). 
    • When checking certificate validity with a CRL, note that the new ESTEID2018 CA no longer writes a CRL URL into the certificate. The new CRL URL can be found in the revocation list repository:  
      https://www.skidsolutions.eu/en/repository/CRL/ 
    • The format of the certificate SN (serialNumber) field changes (the prefix 'PNOEE-' is added); account mapping rules that match on the serialNumber value must be updated accordingly. 
  • Testing ID-cards: encryption solutions


    The Estonian ID-card authentication certificate can also be used for encrypting and decrypting data. Because ID-card certificates are valid for a limited time (five years) and the private key exists only on the card, a document encrypted to a certificate can no longer be decrypted once that card is replaced or lost, so encryption to an ID-card is definitely not a suitable method for long-term preservation of documents.

    Encryption is meant for ensuring the confidentiality of data in transit; a decrypted document should be saved as soon as possible in another secure storage solution.

    Encrypting data to an ID-card certificate can be done in several ways:

    • document encryption using the eID Desktop Application  
    • encryption of information forwarded from the information system to a person  
    • encryption of e-mail messages in e-mail clients

    Encryption/decryption in the eID desktop application(s) is covered by the Information System Authority's software support; in the context of eID ecosystem testing, the risk associated with this change can be considered covered. 

    Attention must be paid to information systems that encrypt data to ID-card certificates for exchanging information with ID-card holders, and to ID-card holders who encrypt and decrypt messages directly in their mail client.

    Which tests should be made with ID-cards?

    Install the latest ID-software version in the computer and test:

    • data encryption and decryption with the new and the old (issued before 2018) ID-card type; 
    • data encryption to a recipient with the new and the old card;  
    • forwarding data to a recipient with the old and the new card as an encrypted e-mail, and e-mail encryption in the mail client, if the information system relies on mail-client-based encryption.

    When encrypting e-mail messages with an ID-card certificate, note that the e-mail address format in the new ID-card's certificate changed: the personal identification code is used instead of the person's name. Mail clients select the recipient's encryption certificate by matching the address, so for encryption/decryption to keep working the e-mails must be sent to the address containing the personal identification code.

    It is recommended to run all tests with mail clients that support decrypting ID-card-encrypted e-mail on at least one computer each with Windows, macOS and Ubuntu.

    Changes related to the new ID-card:

    • The LDAP service address changes, and the response structure may change. The new address is ldaps://esteid.ldap.sk.ee.   
      The catalogue is served over LDAPS (LDAP over TLS), so clients must validate the server certificate and must not fall back to plain LDAP. 
    • The format of the certificate SN (serialNumber) field changes (the prefix 'PNOEE-' is added). 
    • The format of the e-mail address in the certificate changes. The new format is '12345678901@eesti.ee'. 
  • Testing ID-cards: signing and signature validity confirmation


    In Estonia, digital signing with an ID-card or mobile-ID is used internally, i.e. within organisations, as well as publicly, i.e. in the public eID ecosystem. It is important that the systems used publicly are compatible with other parts of the eID ecosystem and earlier container formats.  

    Which tests should be made with ID-cards? 

    • Create a BDOC container and sign it with the new and the old ID-card, then: 
      • validate the created containers with the eID end-user software; 
      • validate the created containers with the eID SIVA service. 
    • Create an ASiC-E container and sign it with the new and the old ID-card, then: 
      • validate the created containers with the eID end-user software; 
      • validate the created containers with the eID SIVA service. 
    • We also recommend checking earlier BDOCs that contain only TM signatures as well as BDOCs that contain TS signatures. 

    During testing, make sure that the systems under test are configured to recognise test certificates when test cards are used. When testing with test certificates, use the SIVA test address:  https://siva-arendus.eesti.ee/V2test/ 

    If the information system has been built so that the base library of eID software communicates directly through the driver with the ID-card in the user’s device (not using signing via browser plugin), it is recommended to test all operation systems supported by the system. 

    In order to make sure that the software installed on the computer works with the new ID-card, it is possible to test signing in the browser on the GitHub hwcrypto page.

    Changes related to the new ID-card in 2018: 

    • The default container format in the basic eID software is now .asice and only timestamp (TS) signatures are created. Containers of different formats (e.g. .bdoc files with TS signatures) remain in use side by side, so information systems must accept both. Information systems using the outdated JDigiDoc library may have difficulties processing .asice containers.
    • OCSP: for more information on OCSP certificate checks see AIA-OCSP. When creating signatures it must be ensured that the AIA-OCSP service with unrestricted access is used only for timestamp (TS) signatures;  
      timemark (TM) signatures are not permitted with this service. 
    • The format of the certificate SN (serialNumber) field changes (the prefix 'PNOEE-' is added). 
      • This may affect information systems that read the personal identification code from the serialNumber field of the certificate. 
    • The transition to the ASiC-E format in the eID software affects information systems that use the older Java library (JDigiDoc), which does not support that format.  
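Added example, not code from this page or from the DigiDoc libraries: a stand-alone Python pre-flight check that an upload handler can run on a received .asice/.bdoc file before passing it to SIVA or a signature library. It verifies the ASiC ZIP layout (mimetype first, stored uncompressed, correct value), lists the signed documents and classifies each META-INF/signatures*.xml as TM or TS by the XAdES elements present, which is what an upload path built for BDOC-TM only needs in order to notice a 2018-style container. The sample container and its signature XML are constructed stubs carrying only the elements the classifier inspects; they are not valid signatures, and this check is not signature validation.

```python
"""Pre-flight check of an uploaded ASiC-E / BDOC container (a ZIP with a fixed layout)
before it is handed to the signature validation library.  Standard library only.
Added example; the sample container below is constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET
from typing import Dict

ASICE_MIMETYPE = b"application/vnd.etsi.asic-e+zip"   # shared by .asice and .bdoc
NS = {
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "xades": "http://uri.etsi.org/01903/v1.3.2#",
}


def signature_profile(signature_xml: bytes) -> str:
    """'TS' if the file carries a XAdES SignatureTimeStamp, else 'TM' if it carries a
    SignaturePolicyIdentifier (BDOC-TM profile), else 'unknown'.  Timestamp wins if both."""
    root = ET.fromstring(signature_xml)
    if root.find(".//xades:SignatureTimeStamp", NS) is not None:
        return "TS"
    if root.find(".//xades:SignaturePolicyIdentifier", NS) is not None:
        return "TM"
    return "unknown"


def inspect_container(data: bytes) -> Dict[str, object]:
    """Return {'documents': [...], 'signatures': {name: profile}, 'has_manifest': bool};
    raise ValueError on a malformed container."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as e:
        raise ValueError(f"not a ZIP container: {e}")
    with zf:
        names = zf.namelist()
        if not names or names[0] != "mimetype":
            raise ValueError("'mimetype' must be the first entry")
        if zf.getinfo("mimetype").compress_type != zipfile.ZIP_STORED:
            raise ValueError("'mimetype' must be stored uncompressed")
        if zf.read("mimetype") != ASICE_MIMETYPE:
            raise ValueError("unexpected mimetype value")
        signatures = {
            n: signature_profile(zf.read(n))
            for n in names
            if n.startswith("META-INF/signatures") and n.endswith(".xml")
        }
        if not signatures:
            raise ValueError("container has no signature files")
        documents = [n for n in names if n != "mimetype" and not n.startswith("META-INF/")]
        return {
            "documents": documents,
            "signatures": signatures,
            "has_manifest": "META-INF/manifest.xml" in names,
        }


def is_well_formed(data: bytes) -> bool:
    """Boolean wrapper for an upload handler's accept/reject decision."""
    try:
        inspect_container(data)
        return True
    except ValueError:
        return False


# Constructed sample signature files: only the elements the classifier looks at.
_HEAD = ('<asic:XAdESSignatures xmlns:asic="http://uri.etsi.org/02918/v1.2.1#" '
         'xmlns:ds="http://www.w3.org/2000/09/xmldsig#" '
         'xmlns:xades="http://uri.etsi.org/01903/v1.3.2#"><ds:Signature Id="S0">'
         '<ds:Object><xades:QualifyingProperties Target="#S0">')
_TAIL = '</xades:QualifyingProperties></ds:Object></ds:Signature></asic:XAdESSignatures>'
TM_SIGNATURE = (_HEAD + '<xades:SignedProperties><xades:SignedSignatureProperties>'
                '<xades:SignaturePolicyIdentifier/></xades:SignedSignatureProperties>'
                '</xades:SignedProperties>' + _TAIL).encode()
TS_SIGNATURE = (_HEAD + '<xades:UnsignedProperties><xades:UnsignedSignatureProperties>'
                '<xades:SignatureTimeStamp/></xades:UnsignedSignatureProperties>'
                '</xades:UnsignedProperties>' + _TAIL).encode()


def build_sample_container(mimetype_first: bool = True) -> bytes:
    """Constructed container with one TM-style and one TS-style signature file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if mimetype_first:
            zf.writestr("mimetype", ASICE_MIMETYPE, compress_type=zipfile.ZIP_STORED)
        zf.writestr("contract.pdf", b"%PDF-1.4 constructed sample", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/manifest.xml", b"<manifest/>", compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/signatures0.xml", TM_SIGNATURE, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/signatures1.xml", TS_SIGNATURE, compress_type=zipfile.ZIP_DEFLATED)
        if not mimetype_first:   # wrong layout, for the negative case
            zf.writestr("mimetype", ASICE_MIMETYPE, compress_type=zipfile.ZIP_STORED)
    return buf.getvalue()


if __name__ == "__main__":
    print(inspect_container(build_sample_container()))
```

A system still on JDigiDoc can use the 'TS' result to route such containers to a library that supports them instead of failing deep inside validation; the negative case shows that a container with mimetype out of place is refused before any XML is parsed.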
  • Testing ID-cards: loyalty card solutions


    Information systems that use the ID-card only for obtaining identification data (the personal identification code), without the user identifying themselves with PIN1, are referred to here as loyalty card systems. This includes commercial establishments, access control systems and ticket purchasing systems. Note that both the personal data file and the certificates can be read from the card without a PIN, so such a read proves possession of the card, not the identity of the person holding it.

    There are two options for obtaining the personal identification code from an ID-card: reading it from the personal data file or from the certificate.

    Which tests should be made with ID-cards?

    As the new producer’s cards did not replace the existing cards, but were added to them, it is important to keep in mind while testing that both the new and old cards would work correctly at the same time and the systems would know how to choose the right method for obtaining personal data (certificate or personal data file).

    More detailed testing instructions are difficult to define as the systems are very different. You should definitely try the main positive applications and most common possible error situations with the new as well as the old card.

    Changes related to the new ID-card:

    The ID-card updated in 2018 includes some changes in comparison with the earlier one as to how its data is read.

    • The structure of the personal data file and the commands (APDUs) for reading it from the card have changed. 
      • This affects systems that read the personal data file on the ID-card. 
    • The format of the certificate SN (serialNumber) field changes (the prefix 'PNOEE-' is added). 
      • This may affect systems that obtain the personal identification code from the certificate's serialNumber field. 
    • The format of the e-mail address in the certificate changes. The new format is 12345678901@eesti.ee. 
      • This may affect systems that also read the e-mail address.

How do I know if my system is affected by the changes?

The quickest and simplest way is to apply for a new test ID-card and follow the testing instructions. When testing, make sure to use a test system that trusts the test certificate chain.

Quickest tests:

  • Create an .asice file with test signatures in the DigiDoc4 software and try to upload it to your system the same way as other digitally signed files. 
  • We also recommend signing a BDOC with several signatures and validating the signatures of such a file. The file should be created so that it includes both BDOC-TM (TimeMark) and BDOC-TS (TimeStamp) signatures. 
  • Read the descriptions of changes in this article.  
  • New ID-card: changes in physical cards


    Major changes in the card (chip and chip applications): 

    • New chip: NXP secure microcontroller SmartMX2 CPU – P60D145. Memory ROM (kB) 512/586. More technical details are available on the home page of the manufacturer (P60D145_SDS https://www.nxp.com/docs/en/data-sheet/P60D145_SDS.pdf). 
    • The chip has an ID-One™ Cosmo v8.1 platform, certified at level CC EAL5+. 
    • Cosmo meets the latest international standards:  
      • JavaCard™ 3.0.4 Classic Edition 
      • Global Platform v2.2.1 (ID Configuration v1.0) 
      • ISO/IEC 7816 parts 1, 2, 3, 4, 5, 6, 8 and 9 
      • ISO/IEC 14443 Type A 
    • The ISD (Issuer Security Domain) hosts the authentication and signing applications, which meet the IAS-ECC standards: 
      • ​CEN/TS 15480-1:2012 Identification card systems – European Citizen Card – Part 1: Physical, electrical and transport protocol characteristics 
      • CEN/TS 15480-2:2012 Identification card systems – European Citizen Card – Part 2: Logical data structures and security services 
      • ​CEN/TS 15480-3:2014 Identification card systems – European Citizen Card – Part 3: European Citizen Card Interoperability using an application interface 
      • CEN/TS 15480-4:2012 Identification card systems – European Citizen Card – Part 4: Recommendations for European Citizen Card issuance, operation and use 
      • CEN/TS 15480-5:2013 Identification card systems – European Citizen Card – Part 5: General Introduction 
    • The commands for reading data from the personal data file (application protocol data units, APDUs) and the format of the returned data have changed.   

    More information on the chip, applications, APDU examples and the format of data included on the card is available here (Estonia ID1 Chip/App 2018 Technical Description). 


For recognising new ID-cards in web servers upon authentication

For web servers to recognise the new ID-cards, the CA root and intermediate certificates of the new card's chain must be added to the server's list of trusted client-certificate CAs, alongside the old chain, which must remain trusted for the duration of the transition period.