The PBGB will replace nearly 12,500 ID-cards which do not meet the security requirements

20.03.2020

Approximately 12,500 ID-cards in use in Estonia do not meet the security requirements. Their certificates will be declared invalid from 1 June.


ID-cards with invalid certificates can no longer be used electronically. To enter e-services or give digital signatures, the cardholder must either apply for a new card or use mobile-ID. The state will replace under warranty all ID-cards that do not meet the security requirements and that remain valid for longer than three months after the application for a new document is submitted.

‘We will send a notification to all holders of ID-cards which do not meet the security requirements via the eesti.ee portal and provide information about the replacement of ID-cards personally,’ said Kaija Kirch, document expert at the Estonian Police and Border Guard Board.

The Police and Border Guard Board has filed a claim against the manufacturer of the ID-cards for violating the security requirements; the manufacturer denies the violation. ‘The Police and Border Guard Board needs to be confident that the private keys of ID-card holders cannot be anywhere else but in the card chip. If the contractual partner has violated this security requirement, we must declare the certificates of the card invalid,’ said Kirch.

ID-cards and residence cards do not meet the security requirements if they were issued before October 2014 and renewed through the application of the card manufacturer at the service points of the Police and Border Guard Board.

Check whether your card meets the security requirements at the website www.eesti.ee.

The manufacturer of the ID-cards did not comply with all security requirements and generated the private keys of some ID-cards outside the chip. A key generated outside the chip allows whoever generated it to use the ID-card without having the physical card or knowing the PIN. To mitigate this risk, the Police and Border Guard Board will declare the certificates of these cards invalid.

‘We are not aware of any cases of misuse. All transactions made and signatures given with the cards are legal and valid, including e-elections,’ said Margus Arm, Head of the eID field at the Information System Authority.

The violation of the security requirements was discovered during cooperation with a researcher at the University of Tartu and in the analysis by experts of AS Cybernetica, completed last week. ‘This breach clearly shows the importance of cooperation with researchers and experts in the field, with the help of whom we can make the digital world safer,’ said Arm.

The affected cards are:

ID-cards issued from 2011 to 16 October 2014 and residence cards issued from 2011 to 17 December 2014, which have been renewed at the service points of the Police and Border Guard Board from July 2012 to July 2017.

In total there were over 74,000 such cards; today, about 12,500 of them are valid.

The following cards are not affected:

  • cards that were affected by the security risk discovered in 2017;
  • cards that have been renewed from a home computer;
  • cards that have not been renewed at all;
  • cards that were issued after October 2014 (in the case of residence cards, later than 17 December 2014).
