It has taken me more than 6 hours to set up a computer to use the IRISBox services successfully, an electronic way for citizens to interact with the administration. Why? Well, the setup required is not trivial, and the only explanations provided by the administration target the average user, leaving the technically savvy unable to debug the failures (of which there are many) correctly.
In this post, I try to explain the basics and the way I finally managed to make it (partially) work, in the hope that it will offer some time-saving advice to those embarking on the same adventure.
What is the Belgian eID and what can you do with it?
The Belgian electronic ID card is explained (and advertised) on the dedicated site welcome-to-e-belgium.be. In essence, it is a smartcard whose embedded chip stores:
- A certificate for SSL client authentication
- A certificate for (S/MIME) signature
- Personal Data including your photo
Provided you get hold of a USB smartcard reader and you set up your computer correctly, you have access to a number of useful services:
- Access your administrative dossier at the Registre National https://www.mondossier.rrn.fgov.be
- Interact with your commune via IRISBox http://irisbox.irisnet.be/. You can request certificates, resident parking permits, etc.
- Digitally sign (Adobe-generated) PDF documents using Acrobat Reader
- Digitally sign documents via https://sign.belgium.be/
- Send S/MIME signed emails
- Access other services that use the eID SDK (see the page in French: http://my.belgium.be/login.html?locale=fr)
Most of the services rely on TLS (SSL) client-certificate authentication. That means the certificates on your smartcard must be visible to the browser that establishes the connection. This normally happens through the eID middleware (a PKCS#11 module for Firefox, or the equivalent OS-level provider for Windows and the Mac), which exposes the card's certificates to the browser. The private key itself never leaves the chip: once you have entered your PIN, the middleware asks the card to perform the signature needed for the TLS handshake on-chip, and the browser only ever sees the result.
Once a secure, mutually authenticated connection is established, the applications behind it vary in technology. Some are basic web applications; others rely on Java and the SDK provided by eID to access your smartcard and perform their functions.
In essence, your computer needs to be set up to handle the PKI of the Belgian government. You should be able to use a Mac, Windows or Linux box, but your mileage may vary. If you follow the instructions at the various sites literally, you end up with old versions of the OS, Java and browsers.
Here is what is required to get you running (described from an IT perspective rather than an end-user perspective):
- A USB smartcard reader
- The eID quick install package, which provides:
  - A middleware to access the contents of the chip
  - Software that exposes the certificates on the chip to the OS in question (e.g. as a keychain on the Mac, in the certificate manager on Windows)
  - Installation of the Certification Authorities of the Belgian State
- A version of Java that is compatible with your OS and your browser, so that an applet can run from within the browser. This is not as trivial as it sounds, following the security difficulties of Oracle Java on the Mac, the unavailability of a 32-bit Java 7 to work with Chrome, etc.
- If you are using Firefox, the dedicated Belgium eID add-on (available through Firefox; just search for "Belgian eID")
Step 0: Smartcard reader
That is probably the easiest step. USB smartcard readers are available in most stores in Belgium for around 10-15 euro.
Step 1: eID Quick Install
That step is easy too. Just get the relevant package from the eID site (here is the French version: http://eid.belgium.be/fr/utiliser_votre_eid/installer_le_logiciel_eid/), choose the correct package for your OS and install it. The package does what you expect and works in the few OSs that I tried. At the end, you can read the data on your card with the application it installs, the eID Reader. After that, your browser should be able to establish a mutually authenticated TLS connection with their test site: http://test.eid.belgium.be/. If it doesn't work, continue with the next steps: the chances are your browser does not have access to the certificates on your smartcard.
Step 2: setup the PKI for your browser
Depending on your browser and OS you might have to tweak the system further to make it work. You should make sure that:
- The root certification authorities for Belgium are trusted by your system (and by every browser). There are two authorities that you need, and here are the certificates:
  You should normally not need to install the certificates, as they are on your ID card and should be made available when the card is connected. But you do need to install them for Firefox, which keeps its own certificate store, and make sure that the browser trusts them for all three purposes (web sites, email, software signing); a root trusted for only some of these purposes can produce certificate-type errors later.
- Delete (if it exists in your Firefox browser) the root certificate for the Belgian CA2 under GlobalSign.
- If your browser is Firefox, ensure that the eID add-on is installed; it is what registers the card's PKCS#11 module with the browser.
If all else fails, you may also try the FAQ provided by the Belgian eID site. I was unable to make this step work on all browsers and OSs, but it gets worse.
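The Firefox part of Step 2 (trusting the Belgian root CAs for all three purposes and making the card's certificates visible to the browser) can also be done from the command line with the NSS tools that Firefox's certificate store is built on, certutil and modutil. The script below is an added example and is not from the original post or from the eID middleware: the root CA file name, the PKCS#11 library path of the middleware and the nicknames are assumptions to adapt to your package. The two helpers (profile lookup and trust-flag check) work without NSS installed; pass --run to apply the changes, with Firefox closed.

```shell
#!/bin/sh
# Added example, not from the original post: do the Firefox part of Step 2
# from the command line with the NSS tools Firefox's certificate store is
# built on (certutil, modutil). Assumptions (adapt to your setup): the root CA
# file name, the PKCS#11 library path of the eID middleware and the nicknames.
set -eu

# Find the default profile by parsing profiles.ini (pure sh + awk, so it can
# be checked without Firefox or NSS installed). Prints the profile directory.
firefox_profile_dir() {
    ini="$1"
    base=$(dirname "$ini")
    awk -v base="$base" '
        /^\[Profile/ { sect = $0; if (first == "") first = sect; next }
        /^\[/        { sect = ""; next }
        sect != "" && /^Path=/       { sub(/^Path=/, "");       path[sect] = $0 }
        sect != "" && /^IsRelative=/ { sub(/^IsRelative=/, ""); rel[sect] = $0 }
        sect != "" && /^Default=1$/  { def = sect }
        END {
            if (def == "") def = first
            p = path[def]
            if (rel[def] == "1") p = base "/" p
            print p
        }' "$ini"
}

# Given the trust column of `certutil -L` for a CA (e.g. "C,,"), list the
# purposes (ssl, email, objsign) for which it is NOT trusted to issue
# certificates. A CA missing the flag for the purpose at hand is one cause of
# Firefox's sec_error_inadequate_cert_type, which is why Step 2 asks for all
# three. An empty result means the CA is trusted for web, e-mail and code.
missing_trust_purposes() {
    flags="$1"
    ssl=${flags%%,*}
    rest=${flags#*,}
    email=${rest%%,*}
    objsign=${rest#*,}
    out=""
    case "$ssl"     in *C*|*T*) ;; *) out="$out ssl" ;; esac
    case "$email"   in *C*|*T*) ;; *) out="$out email" ;; esac
    case "$objsign" in *C*|*T*) ;; *) out="$out objsign" ;; esac
    printf '%s' "${out# }"
}

# Import a Belgian root CA with trust for all three purposes ("C,C,C") and
# register the eID PKCS#11 module, which is what the Firefox add-on does for
# you. Close Firefox first: it holds the database open.
setup_firefox_eid() {
    db="$1"; cafile="$2"; nick="$3"; pkcs11_lib="$4"
    if ! command -v certutil >/dev/null 2>&1 || ! command -v modutil >/dev/null 2>&1; then
        echo "certutil/modutil not found: install the NSS tools (libnss3-tools)" >&2
        return 1
    fi
    certutil -d "sql:$db" -A -n "$nick" -t "C,C,C" -i "$cafile"
    modutil -dbdir "sql:$db" -add "Belgium eID" -libfile "$pkcs11_lib" -force
    # Verify: report any purpose the CA is still not trusted for.
    flags=$(certutil -d "sql:$db" -L | awk -v n="$nick" '$0 ~ n { print $NF }')
    missing=$(missing_trust_purposes "$flags")
    [ -z "$missing" ] || { echo "$nick still not trusted for: $missing" >&2; return 1; }
}

# Apply only when asked; the CA file and library path below are assumptions.
if [ "${1:-}" = "--run" ]; then
    profile=$(firefox_profile_dir "$HOME/.mozilla/firefox/profiles.ini")
    setup_firefox_eid "$profile" ./belgiumrca2.crt "Belgium Root CA2" \
        /usr/lib/libbeidpkcs11.so.0
fi
```

After a successful run, `certutil -d "sql:$profile" -L -h "Belgium eID"` should list the card's authentication and signature certificates once the card is inserted; if the token does not appear, the library path is wrong or the middleware is not installed, which is the same failure the browser reports as "no certificates found".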
Step 3: Prepare your browser
Once you have a browser that passes the eID test above, you should now ensure that you can run Java in that browser too. Try the Java test page at http://www.java.com/en/download/testjava.jsp and see whether the plugin works and reports "Your Java is working". If it doesn't, you will not be able to access some of the eID services like IRISBox. Following the security issues with Java, this step has become rather tricky: Firefox, for example, needs explicit authorisation to enable the Java plugin and to run each applet.
Once Java runs in your browser, try the test at the IRISBox site (here is the French version: http://irisbox.irisnet.be/vip/portal/intro_fr.htm).
Using the system
Hopefully, by this time you have found at least one browser on one of your systems that will work. I have successfully ordered a "family composition" certificate from my commune in Brussels and obtained the information from my dossier in the Registre National.
Following my adventure in eID usage, I can report that I can access most of the services using Windows XP SP3, Firefox 18.0.1 and Java 7. On the same system, IE 8 never sees my personal certificates (despite following the procedure to check the system process that provides them through the card, as explained in the FAQ). And I cannot correctly use the document signing functions at https://sign.belgium.be/ (Firefox reports "Certificate type not approved for application. // (Error code: sec_error_inadequate_cert_type)").
A quick Google search indicates that there are plenty of people having difficulties out there. If you are on Windows and want to try your luck at debugging, you may try this FEDICT reporting tool for clues: http://eid-edt.googlecode.com/files/EDTool_47_signed.exe (as with any downloaded executable, check its Authenticode signature before running it).
Don’t despair. Technology will mature. We’ll get there. Early adopters always pay the price.
In the meantime, feel free to comment and correct.