eID & Chrome OS / ChromeOS / Chromebook / Chromebox / Cloudready


Joachim Geeraert

Jul 9, 2018, 2:20:41 AM
to eID Middleware Dev
Am I correct that currently eID cannot be used in combination with Chromebooks / ChromeOS ?

These devices entered the market in 2011, so they are not too new to support and are quite popular because of their low cost and zero maintenance. 
Because the OS is automatically updated and most malware doesn't even run on it, they are some of the most secure devices in use; so a good match for use with eID applications.

However, I've tried the different eID related Chrome Web Store extensions to no avail and there is no specific mention of Chrome OS on the eid.belgium.be site.
If Belgium decides to use eID for the safe use of certain websites, and eID is the only option to use these sites, shouldn't all popular operating systems be supported?


Frederik Vernelen

Jul 9, 2018, 2:22:53 AM
to Joachim Geeraert, eID Middleware Dev
Hello Joachim,

It wasn't until this year that Google provided an easy to implement interface to be used for smart card authentication.
We have been implementing this API, but ran into some issues. (we are resolving them with Google).

You can follow the bug report here:

Wkr,
 Frederik

--
You received this message because you are subscribed to the Google Groups "eID Middleware Dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to eid-middleware-dev+unsub...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Frank Cornelis

Jul 9, 2018, 3:03:43 AM
to Frederik Vernelen, Joachim Geeraert, eID Middleware Dev

Hi Frederik,



> It wasn't until this year that Google provided an easy to implement interface to be used for smart card authentication.

Which API are you talking about? Our eID Chrome OS application already supports TLS from the beginning of 2016 (but of course without the intermediate certificate chain building).

    https://chrome.google.com/webstore/detail/eid-chrome-os/ahcjlglemcmnjpnkeahidjenglphjnam


You can test it out via:

    https://www.e-contract.be/eid-idp-sp/



Kind Regards,

Frank.


-- 
Frank Cornelis
e-Contract.be BVBA
https://www.e-contract.be

Joachim Geeraert

Jul 9, 2018, 4:00:28 AM
to eID Middleware Dev
Hey Frederik,

Good to hear that there is some activity. 
Would it be possible to mention this on the eid.belgium.be site as this is relevant for all Chrome OS users?

Will I be able to file my taxes online within the deadline this year, or should I buy another machine? 
Which criteria are used to decide if an OS is supported for use with eID and is any deadline set for a "reasonable term" to support a new OS?

As (no) eID support can invalidate major purchases for Belgian families through exclusion of many critical government services, I would expect the support to be top-notch, unambiguous and regulated. I'm under the impression that the current support is ad hoc, with no transparency or ETAs given, and hurdled if there is "no easy to implement interface".

Could you please give some clarification on the processes involved?

Wouter Verhelst

Jul 9, 2018, 3:13:49 PM
to eid-middl...@googlegroups.com

Hi Frank,


On 09-07-18 09:03, Frank Cornelis wrote:

> Hi Frederik,
>
>> It wasn't until this year that Google provided an easy to implement interface to be used for smart card authentication.
>
> Which API are you talking about? Our eID Chrome OS application already supports TLS from the beginning of 2016 (but of course without the intermediate certificate chain building).
>
>     https://chrome.google.com/webstore/detail/eid-chrome-os/ahcjlglemcmnjpnkeahidjenglphjnam

The key bit in Frederik's email was "easy to implement". What you've done is to implement a CCID driver in JavaScript if I understand correctly, which is, well, possible I guess, but not quite so straightforward.

Also, your application is a side channel hack, which works well enough for your purposes, but doesn't work for a TLS mutual authentication in a browser-only OS; I would think such a thing is crucial for any official middleware.

Frank Cornelis

Jul 10, 2018, 2:35:40 AM
to eid-middl...@googlegroups.com

Hi Wouter,


> What you've done is to implement a CCID driver in JavaScript if I understand correctly, which is, well, possible I guess, but not quite so straightforward.

Unless you want to support Android via Apache Cordova in one go... why do you think I went through all that trouble, for fun?... :)

    https://play.google.com/store/apps/details?id=be.e_contract.beid.android


> but doesn't work for a TLS mutual authentication in a browser-only OS

Maybe try it out first before making such a statement. Here is an example Apache HTTPD config that works for our testing purposes:

    <VirtualHost _default_:443>
        ServerName local.e-contract.be:443

        Include conf.d/ssl.include

        # test for eID Chrome OS certificate provider
        SSLVerifyClient require
        SSLVerifyDepth 2
        SSLCACertificateFile conf.d/ca-bundle-client.pem
    </VirtualHost>

The point is that the full certificate chain is not communicated during the TLS handshake. Hence ca-bundle-client.pem also has to contain the intermediate CA certificates. So this is more of a server-side issue I guess...


Kind Regards,

Frank.
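
The server-side point in the message above (the handshake carries only the end-entity certificate, so the intermediate has to be in the server's CA bundle) can be reproduced offline. This is an added example, not part of the original thread: it builds a constructed throwaway PKI with the `openssl` CLI, and the certificate names and `bundle-*.pem` file names are illustrative assumptions.

```bash
#!/usr/bin/env bash
# Added example. Throwaway three-tier PKI standing in for
# root -> Citizen CA (intermediate) -> citizen authentication certificate.
set -eu

sign_ca_ext='basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign'

make_chain() {  # $1 = empty working directory (the function cd's into it)
  cd "$1"
  printf '%s\n' "$sign_ca_ext" > ca.ext
  for name in root citizen-ca leaf; do
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed $name" \
      -keyout "$name.key" -out "$name.csr" 2>/dev/null
  done
  # Self-signed root, then the intermediate, then the end-entity certificate.
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile ca.ext -out root.pem 2>/dev/null
  openssl x509 -req -in citizen-ca.csr -CA root.pem -CAkey root.key \
    -CAcreateserial -days 2 -extfile ca.ext -out citizen-ca.pem 2>/dev/null
  openssl x509 -req -in leaf.csr -CA citizen-ca.pem -CAkey citizen-ca.key \
    -CAcreateserial -days 2 -out leaf.pem 2>/dev/null
  # Two candidate contents for the file named by SSLCACertificateFile.
  cp root.pem bundle-root-only.pem
  cat root.pem citizen-ca.pem > bundle-with-intermediate.pem
}

# The server sees only leaf.pem in the handshake (no -untrusted chain here),
# so every issuer up to the root must come from the bundle itself.
client_accepted() {  # $1 = CA bundle; returns 0 if the leaf verifies
  openssl verify -CAfile "$1" leaf.pem >/dev/null 2>&1
}

workdir=$(mktemp -d)
make_chain "$workdir"
for bundle in bundle-root-only.pem bundle-with-intermediate.pem; do
  if client_accepted "$bundle"; then echo "$bundle: client accepted"
  else echo "$bundle: client rejected (issuer not found)"; fi
done
```
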

Wouter Verhelst

Jul 10, 2018, 5:15:53 AM
to eid-middl...@googlegroups.com

Hi Joachim,

On 09-07-18 10:00, Joachim Geeraert wrote:
> Hey Frederik,
>
> Good to hear that there is some activity.
> Would it be possible to mention this on the eid.belgium.be site as this is relevant for all Chrome OS users?

We could consider that.


> Will I be able to file my taxes online within the deadline this year,

As things stand now, this is unlikely.


> or should I buy another machine?
> Which criteria are used to decide if an OS is supported for use with eID

There are several criteria considered:

- Is the OS used by enough people to make the effort worth it? This is a subjective call, obviously, but clearly in this case we've made the decision that it's worth at least looking into what's possible.
- Does the OS provide an API to read data from smartcards, as well as an API to provide certificates to browsers? Without such things we cannot at all support the OS; e.g., lack of the latter is why we currently do not support mobile operating systems such as Android or iOS, even though it's technically possible to connect smartcard readers to such devices using an on-the-go USB port.
- Is there enough budget (in time and money) to support the additional workload that would be created by the extra operating system? In this particular case it might be, but the final call hasn't been made yet.


> and is any deadline set for a "reasonable term" to support a new OS?

No, because there are many more things that are relevant other than "some amount of time has passed".


> As (no) eID support can invalidate major purchases for Belgian families through exclusion of many critical government services, I would expect the support to be top-notch, unambiguous and regulated.

I can understand why you might have that impression, but there are more factors involved.

Given an infinite development budget, we would be able to support every platform under the sun by, worst case, writing our own browser and smartcard reader drivers. We obviously do not have an infinite development budget however, and so therefore it is necessarily limited; to do otherwise would be a waste of taxpayer money (and nobody wants that).

We do keep an eye on new evolutions in the market, and re-evaluate our position towards new OSes as the required work for supporting them becomes feasible within our budget. This is why we have recently started work on a ChromeOS driver.


> I'm under the impression that the current support is ad hoc, with no transparency or ETAs given, and hurdled if there is "no easy to implement interface".

It is indeed somewhat ad hoc, as our team is not of the size that would require more formal methods. However, rest assured that we are of the opinion that supporting more operating systems is better than to support less, and that we do try to support as many operating systems as we can reasonably do without conceding quality.

As for the case of ChromeOS, I am considering publishing at least some of the work I've spent on making it work, which might work with some handholding by experienced users. This would, however, not be usable for the average user, and therefore wouldn't be officially supported until the bug that Frederik pointed to is resolved by Google.

Regards,

Joachim Geeraert

Jul 10, 2018, 7:18:09 AM
to eID Middleware Dev
Hi Wouter,

Thank you for the detailed reply and efforts.
I look forward to your work being published and would be happy to give it a try when you do.

Sincerely,
Joachim

Cedric Devillers

Jul 11, 2018, 2:18:26 AM
to eID Middleware Dev
Hello Joachim,

There is actually a way to do it if you have the right reader. I was able to do it after reading the bug report mentioned in this thread. Of course it's not officially supported by fedict (it's quite complicated and error prone), but you can give it a try if you're stubborn as me :)

  1. Make sure you have the Smart Card Connector installed : https://chrome.google.com/webstore/detail/smart-card-connector/khpfeaanjngmcnplbdlpegiifgpfgdco
  2. Install eid chrome os extension : https://chrome.google.com/webstore/detail/eid-chrome-os-extension/omnlepdmccckgbfjimmgniphhfjdgepl
  3. Install eid chrome os : https://chrome.google.com/webstore/detail/eid-chrome-os/ahcjlglemcmnjpnkeahidjenglphjnam
  4. Connect a CCID compatible eid reader. 
    • I have an old ACR38U : Does not work !
    • I have another one "Dectel CI692" : works fine.
  5. Launch the "eID chrome os app" and click "Read eID card". It will prompt to choose a smart card reader. If nothing appears, try unplugging and re-plugging the reader. If there is still nothing, then your reader is not compatible.
  6. If the reader is recognized, your information will appear.
  7. Now, in the same window, click "eID Certificates" tab and "Read eID Card". The list of certificates will appear.
  8. Now click the "Citizen CA" folder and pay attention to the details. You should see "SERIALNUMBER" with a year and a number. Ex for me it was : 201721.
  9. Go to https://repository.eid.belgium.be/certificates.php?cert=Citizen&lang=en and download the certificate with the same name as the SERIALNUMBER.
  10. Now go to chrome os setting and search for "certif" and click the "manage certificates" option (ignore the prompt window)
  11. Choose "Authorities" and "Import" and select the certificate you just downloaded.
  12. Now you can go to tax on web and login via eID. You will be asked to choose the smart card reader. The chrome will propose to select the Citizen CA (the one you downloaded, there should be only one choice). And last you'll have to enter your pin code.
  13. You should now have access.
  14. If after selecting the smart card reader you get a "Error reading device" error, try to reboot. It seems that at some point chrome is not able to read.
Let's hope that fedict and google can workaround the issue for a proper solution.

Good luck.

Frank Cornelis

Jul 11, 2018, 2:27:34 AM
to eid-middl...@googlegroups.com

Hi Cedric,

This is normally not required.


> I have an old ACR38U : Does not work !

Because it's not CCID.


> Now go to chrome os setting and search for "certif" and click the "manage certificates" option (ignore the prompt window)

I'll see if we can add a button "Import Certificates" within the eID Chrome OS application that does this thing automagically.


Kind Regards,
Frank.


Joachim Geeraert

Jul 11, 2018, 3:55:06 AM
to eID Middleware Dev
Great, I ordered a CI692 card reader and will give this a go.
Thank you.