It is a bit more complex tham that.
Logius is the company that actually owns and manages the DigiD stack, it's just that they hired Solvinity for their expertise. AFAIK Solvinity can't access the data.
I can't find it right now, but on Tweakers there was a long comment by someone on the inside that explained Logius basically had almost no know-how of how the current stack works, and there's lots of bespoke stuff. Basically classic vendor lock-in. The government (rather, Logius) now really wants to transition away from Solvinity, but that will likely be a 5+ year process.
I also feel like this is another thing that the "fast ring" of the EU should do together. Take Estonia's stack as a base, and then countries like Sweden, Denmark, Finland, The Netherlands adopt it and co- develop it. Make it extensible for the bespoke things the countries need, and every few years check which bespoke extensions can actually be generalized and modularized. Would lead to a much better product. A man can dream :)
> I also feel like this is another thing that the "fast ring" of the EU should do together. Take Estonia's stack as a base, and then countries like Sweden, Denmark, Finland, The Netherlands adopt it and co- develop it. Make it extensible for the bespoke things the countries need, and every few years check which bespoke extensions can actually be generalized and modularized.
Argentina's ministry of education did something like this with university software. The one used by students to sign up and by teachers to track grades, etc. There's a single open source modularised, customisable system made country-wide, and public universities customise it to their needs.
Before this initiative, every university was implementing their own software from scratch. In many cases, different faculties (e.g.: Engineering, Natural Sciences, Humanities, etc) each had their own software development teams developing their own independent software stack.
> Argentina's ministry of education did something like this with university software. The one used by students to sign up and by teachers to track grades, etc.
For what it's worth, this seems roughly equivalent to Moodle, which is open-source (GPL) and used globally, apparently especially popular in some of western Europe, the US, etc. [1] School systems can and do of course customise it as needed.
[1] https://stats.moodle.org/
> AFAIK Solvinity can't access the data.
Solvinity is the hoster. It can fully access the stack.
It's even more complicated: the datacenter and the servers are owned and operated by the government, and the DigiD app itself is owned and operated by government-owned Logius.
From what I have been able to deduce, Solvinity is contracted for some kind of sysadmin services - so basically Kubernetes babysitting?
Are you suggesting sysadmin access isn't sufficient to access data?
How can you be sure that Solvinity can't access the data if Logius doesn't know how the current stack works? 5+ years to migrate sounds really bad.
Honestly they have good separation of concerns in the Dutch government. And running the stack doesn't automatically mean hosting the services, there's enough local expertise in the Netherlands to run that.
A few years ago I had the mispleasure of working for the island government of Bonaire, and they kinda run the same systems as they do in the mainland, being a sort of municipality.
Since all gemeentes in the Netherlands are basically independently run but have to communicate with each other for DigiD but also the GBA (ID system) and loads of other stuff, they invented a standard. It's a SOAP based monstrosity called StUF, and you better spell it like that.
I can't find much about StUF in English, but there is this about the succesor where they lament on how engrained StUF still is.
https://www.conduction.nl/commonground/
It wouldn't surprise me that migration to common ground is what they are refering too. StUF knowledge is not widespread due to the level of vendor lock in. There's not many vendors and outside GovIT nobody cares about StUF.
Estonia's tech was cool maybe 20 years ago. From what I understand it's a bit too hard on fetishization of PKI and Ukraine goes too hard on apps. Netherlands actually gets it really well with DigId that is doing bare minimum needed to actually perform eidas stuff without getting into the woods with legally blessed asn1 schemas and oid [0].
I'm not sure what bespoke stuff they invented to get their sweet vendor lock in eurobucks, but the whole thing is nothing more than an OAuth provider for 19 million people. I guess NFC integration in the app that reads physical ids is on a fancier side, but I suspect on that side it's vendor locked by card vendor and their SDK.
[0] https://zakon.rada.gov.ua/laws/show/z1398-12#Text
Can you elaborate on what you find problematic about the Estonian ID stack?
For one, they had a a major f-up with eIDs in 2017: https://ria.ee/en/news/estonia-resolves-its-id-card-crisis
And they are just good at marketing. Belgium had eIDs earlier never messed up so much as Estonians.
Yeah, but it was the vendor who fucked up, not them. One can argue that using long-term certificates is bad practice in itself, but that's arguable.
Disclaimer: I have more exposure to Ukrainian variation of this setup (see jkurwa) than to actual Estonian and extrapolate a bit from what I heard from people. Half of this may be outdated or wrong, but I believe that the general vibe is correct.
From what I know about Estonian eID stack, they use traditional PKI to the full extent -- LDAP, PKI, OCSP, all the standard designs from the 90ies and then internally (for use by the government itself) they have a sort of a document exchange system on top of that where everything is done through CMS (PKCS). I believe this is why eIDAS and trust services directive talk about trust lists, qualified certificate authorities and all that.
So you get a physical id card that is a smart card for X509 certificate and then sign, encrypt and do all the stuff you do with keys once you figured out key management. Since the key can't leave the card you need to deal either with a special Estonian keyboard that doubles as a keyreader (in Ukrainian flavor we get a mobile app that can generate a key and get x509 issued remotely, maybe Estonia has that too nowdays or we get a file-based key from a trusted provider, like a bank) or get an actual keyreader or a phone. On the provider side you also have to deal with trust lists, because Estonia and Lithuania don't use the same root of course.
The first gotcha is -- if you have LDAP, CSP and OCSP and can query those, that's a bit of a privacy risk (AFAIK, primary key is based on the date of birth, because reasons). Second gotcha -- key rotation is not practical, so certificates are long lived. Certificates that I saw had demographic identifier of the person as a serial, which is not great for privacy, but convenient for deployment I guess (for comparison, Ukrainian flavor only allows CSP through subject key and has the number deep in the directory lookup extension)
I don't think the stack is bad, but I think it's an overkill for the basic feature of logging into the government website and blessing some bytes with your legal persona. It does help when the user signs a legal document and then tries to walk it back (for example because the document is now an exhibit A in a VAT fraud case, yes real story). I think this particular problem can be solved by non-technical means. More specifically, PKI solves the problem of verifying the identity of the user and then allowing to prove to a third party that it happened.
What is actually needed from the ID stack is allowing a first party in a closed system to match the token presented by a second party to their legal identity. I don't believe cryptographic signing or key derivation is really necessary, as the system that produces the key and the system that verifies the signed artifact are the same entity in most threat models.
I think DigID does the right thing by being a glorified OTP generator with more or less nice UX that solves just that. The actual problem is key provisioning anyways, but once you have done that, it isn't necessary to go full PKI.
To make my point even more ahm pointy, we don't use client X509 to log into github or google. We use passwords, HOTP and fidokeys, because x509 has bad UX and bad security too (in practice)
Add: downvotes for explaining why PKI is an overkill? okay, I will not survive that
Logius is actually not a company but a part of the dutch (national) goverment.
It's a state owned enterprise as far as I remember. So technically they don't wear civil service uniforms in the office, but still get the usual government office hours.
No I checked this. They aren't.
The Dutch civil service wears a uniform?
blue jeans with an embroidered logo and 3 liters of hair gel.
No
Except for the military.
I once interviewed for a job at what I think was a civil service branch that developed software for the military. But they were out of budget for this, while the military did have budget, so if I was hired, I'd have to wear a military uniform to the office. A very stylish one, they claimed.
In that case we can indeed safely assume they have no technical knowledge.
The German eID stack does also work well, just as the Austrian one does.
Tbh I like the German one even better because you need your physical Identity Card and can use your phone as the reader
Maybe better, but less useful. I don't carry my Identity Card at all, unless I cross the border within EU where it is used. All other functions I have in our country app. To which I can log in using physical card, but I have other options that are online.
In the Netherlands it is mandatory to carry your ID card or passport at all times.
Germany as well