How to read eid data like name, address,... from an intranet application written in PHP

Bruno Thieme

May 9, 2016, 10:36:44 AM
to eID Middleware Dev
Hi everyone,

I'm facing a problem.
I need to read general info from an eID card (name, address, ...) from an intranet application written in PHP, and I don't want to give access to the internet.

I read a lot of things and I'm lost.

Can someone tell me what I should do to reach this goal, or give me a sample?

One more point, I don't want my clients to enter the PIN code.

Thanks in advance

Bruno.

Wouter Verhelst

May 10, 2016, 4:48:55 AM
to eid-middl...@googlegroups.com
Hi Bruno,

On 09-05-16 12:43, Bruno Thieme wrote:
> Hi everyone,
>
> I'm facing a problem.
> I need to read general info from eid card (name, address,...) from an
> intranet application written in PHP and I don't want to give access to
> the internet.

That's not possible as is. PHP is a server-side application, which (for
obvious reasons) cannot directly access the eID card. To be able to do
so, you need to have an application on the client side with the ability
to read the card.

There are currently two options for this:
- Install the eID applet and its server-side infrastructure. The
advantage of this is that it will verify that the data on the card is
correctly signed by the certificate of the national register (i.e., that
the data has not been forged or tampered with), so it can be used if the
correctness of the data is of paramount importance. The downsides of
this method are that setting up and maintaining the server side of the
eID applet requires a lot of work, and that it still relies on
client-side java applets, which is an issue with modern browsers.
- If the possibility of incorrect data is not a major issue, then you
can install the eID viewer on the client side, and initiate a
drag-and-drop operation (from the viewer's photo) onto a web page. There
is a proof-of-concept implementation of this available in the eID viewer
code repository at
<https://github.com/Fedict/eid-viewer/tree/master/xml>. The advantage of
this method is that it is very easy to use; the disadvantage is that it
does not provide a proof of identity, and that the data retrieved in
this manner can be trivially forged or tampered with by the end user.

[...]
> One more point, I don't want my clients to enter the PIN code.

Reading identity information never requires the user to enter their PIN
code.

--
Wouter Verhelst
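
An added example (not part of the thread, and not code from the eID viewer repository): one way a PHP endpoint could handle XML dropped from the viewer under the second option, treating it as untrusted client input and recording it as unverified. The element names, the size limit and the function name are assumptions; check them against the XML the viewer actually produces.

```php
<?php
// Added example. Element names and limits are assumed, not taken from the eID viewer.
const MAX_XML_BYTES = 65536; // constructed limit; raise it if the document embeds the photo

function parseDroppedEid(string $xml): array
{
    if ($xml === '' || strlen($xml) > MAX_XML_BYTES) {
        throw new InvalidArgumentException('empty or oversized document');
    }
    // Refuse DTDs outright, so no entity definitions are ever processed.
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new InvalidArgumentException('DOCTYPE not allowed');
    }
    $doc = new DOMDocument();
    // LIBXML_NONET forbids network access while parsing; LIBXML_NOENT is deliberately not set.
    if (!@$doc->loadXML($xml, LIBXML_NONET)) {
        throw new InvalidArgumentException('not well-formed XML');
    }
    $xp = new DOMXPath($doc);
    $fields = [ // hypothetical layout of the dropped document
        'name'      => 'string(/eid/identity/name)',
        'firstname' => 'string(/eid/identity/firstname)',
        'street'    => 'string(/eid/address/streetandnumber)',
        'zip'       => 'string(/eid/address/zip)',
        'city'      => 'string(/eid/address/municipality)',
    ];
    $out = [];
    foreach ($fields as $key => $expr) {
        $value = trim($xp->evaluate($expr));
        // Same checks as for any form field: present, bounded, no control characters or markup.
        if ($value === '' || strlen($value) > 200 || preg_match('/[\x00-\x1F<>]/', $value)) {
            throw new InvalidArgumentException("invalid field: $key");
        }
        $out[$key] = $value;
    }
    // No signature of the national register was checked, so store that fact with the record.
    $out['verified'] = false;
    return $out;
}

// Constructed sample input, not real card data.
$sample = '<eid><identity><name>Peeters</name><firstname>An</firstname></identity>'
        . '<address><streetandnumber>Kerkstraat 1</streetandnumber><zip>1000</zip>'
        . '<municipality>Brussel</municipality></address></eid>';
print_r(parseDroppedEid($sample));
```

Storing `verified => false` alongside the record lets the rest of the application refuse to use drag-and-drop data anywhere a proof of identity is required.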

Bruno Thieme

May 11, 2016, 4:21:20 AM
to eID Middleware Dev
Hi Wouter,

Thank you for this clear answer.

Kind regards,

Bruno THIEME

Sander Van de Moortel

May 23, 2016, 10:12:41 AM
to eID Middleware Dev
I'm writing a customer management application for a medical outfit. I guess it is unlikely that patients will attempt to tamper with the data, as it will be the medical professional dragging the data from the eID viewer into the application. So I will probably opt for method #2, too. I do think it stinks a bit in terms of security, but a bigger issue is that the operator now needs to have two windows open (one with the eID viewer and one with the application). Not a great User Experience.

Any changes on the way that I should bear in mind?

Wouter Verhelst

May 24, 2016, 4:51:15 AM
to eid-middl...@googlegroups.com
Hi Sander,

On 23-05-16 15:39, Sander Van de Moortel wrote:
> I'm writing a customer management application for a medical outfit. I
> guess it is unlikely that patients will attempt to tamper with the data,
> as it will be the medical professional dragging the data from the eID
> viewer into the application. So I will probably opt for method #2, too.
> I do think it stinks a bit in terms of security, but a bigger issue is
> that the operator now needs to have two windows open (one with the eID
> viewer and one with the application). Not a great User Experience.

I completely agree with that, even if it was my idea to add this
functionality to the viewer. This drag-and-drop functionality was only
added as a quick-and-dirty replacement of some applet functionality,
until a better solution is available.

Note that with only a few extra lines of JavaScript it's also possible
to just drag a file from an explorer window or some such onto the
browser window. The proof-of-concept in the viewer repository implements
this. However, that's even less user friendly, as it requires *three*
windows -- browser, eID viewer, file manager -- and an extra operation.

> Any changes on the way that I should bear in mind?

I understand that alternatives are being investigated currently (I'm not
involved with that), and that at some future point a better alternative
will become available. I have no idea about time frames or detailed
plans, however.

--
Wouter Verhelst