online check if creating valid signatures with an eID is possible

[GoogleCodeExporter]

hi

Please consider the use-case where a user wants to know if a specific eID card 
can be used to create a valid signature.
In more technical terms that could translate into checking if the signature 
certificate on the eID card has a valid status (e.g. not revoked).

A very convenient easy-status-check-scenario for the user would be like ...
(step 1) browse to some URL (which returns a page with an applet (eid-applet?))
(step 2) enter the eID card in the reader
(step 3) see some information on the certificate(s) status (after the applet 
has done revocation checking)

Such scenario seems to match what the project home page for eid-applet says:
"The eID Applet is a browser component to enable the use of the Belgian eID 
card within web applications in the most user friendly way possible today."

questions
- (q1) Should eid-applet be able to play a role in such a 
easy-status-check-scenario ((step 1) to (step 3))?
- (q2) If so, how?
- (q3) If not, any suggestions for alternatives (based on eid-applet code)?
- (q4) Does FedICT have such a URL allowing such an easy-status-check-scenario? 
If not, should it?

many thanks
Jan Vervecken

Original issue reported on code.google.com by verv...@gmail.com on 24 Nov 2010 at 2:33

[GoogleCodeExporter]

Besides the eID Applet, we're also developing a SOA-product that targets your 
needs for validation of certificates. This product is called eID Trust Service. 
The project site is available at: http://code.google.com/p/eid-trust-service/

An instance of the eID Trust Service can be found at: 
https://www.e-contract.be/eid-trust-service-portal/

Original comment by frank.co...@gmail.com on 2 Dec 2010 at 3:42

• Added labels: Type-Other
• Removed labels: Type-Defect

[GoogleCodeExporter]

Thanks for your reply Frank.

The instance you refer to at 
https://www.e-contract.be/eid-trust-service-portal/ seems to be a very close 
match to the easy-status-check-scenario ((step 1) to (step 3)) I describe.

See also these screencasts:
- valid certificates : http://screencast.com/t/Pb2GothZ
- revoked signature certificate : http://screencast.com/t/FL9paajTVhc

regards
Jan Vervecken

Original comment by verv...@gmail.com on 5 Dec 2010 at 9:44

[GoogleCodeExporter]

Hi Jan, the second screencast is kind of weird. The authentication certificate 
is valid, while the non-repudiation is invalid. How did you achieve this?

Original comment by frank.co...@gmail.com on 6 Dec 2010 at 4:30

[GoogleCodeExporter]

hi Frank

Yes the screencast at http://screencast.com/t/FL9paajTVhc does indeed show the 
authentication certificate as valid and the signature certificate as revoked.
That screencast was recorded using a KidsID and the certificate status result 
for both certificates is I expected.
We suspect a similar result (authentication certificate as valid and the 
signature certificate as revoked) for young people that are not yet 18 years 
old, that no longer have a KidsID but a real eID. Although I haven't had a 
chance to test this (mainly because I currently don't have access to such a 
specific eID card).
(Also, I have been told that once someone becomes 18 years old, a re-keying of 
the eID card is the current procedure to get a valid signature certificate.)

regards
Jan Vervecken

Original comment by verv...@gmail.com on 6 Dec 2010 at 7:51

[GoogleCodeExporter]

Original comment by frank.co...@gmail.com on 7 Dec 2010 at 6:02

• Changed state: Done