They made everyone regenerate their private keys on the card recently during a short window, and those who missed it (like me) ended up with a fancy piece of paper with their name on it. Oh joy.
That 'short window' was some period of months, I thought. It's not cool the problem happened but sounds like you didn't consider it high enough priority to get onto it.
I agree that they should reimburse because the flaw was not caused by you, but how did you manage to miss the massive publicity and uproar and not update your card?
Nothing to do with Snowden revelations, but with RSA prime number generation. Because of a bug on the chip, primes were generated starting from numbers divisible by ten, which are way rarer than those divisible by two (pardon the extreme simplification.)
The article stipulates that the contract dates back to 2002, about 11 years before the Snowden allegations came to light. So while they could have switched afterwards, the contract may have had a longer contract period, locking them in for a while. You also can't just switch the identity provider for your national ID system; such a move would need at least some lead time.
Exactly, it is crazy to think you can keep your sovereignty while giving a foreign (French), NSA/CIA-infiltrated (In-Q-Tel/Snowden) company the keys to all your citizens' IDs, moreover with internet voting. While ahead of its time, maximum caution must be taken, and the balance must be made between convenience and independence.
That's a statement that applies to everything, including classic paper voting. It's never a question of whether there's absolute security, because nothing has it. It's about comparing the security and other benefits of different systems.
amaccuish | 7 years ago
Not only did Gemalto fail to notify Estonia in good time about the ROCA flaw (the discoverers of which noticed that Estonia were still issuing vulnerable cards, so notified them themselves), some cards had their private keys generated outside of the card and then inserted, rather than on-card generation. I think Estonia is to be applauded here for handling all this in a sane manner.
[0] https://dan.enigmabridge.com/estonia-hits-gemalto-again-inse...
amingilani | 7 years ago
Just when I'd decided to use my e-Residency for something, it becomes worthless.
They're asking me to reapply for a new ID document and pay the fee all over again. I'd honestly do it, but then they can't hand it over to me in Pakistan and I'm not flying out of the country just to grab an e-Residency card when my previous one hasn't even expired yet.
I guess I'm still a bit sour over this.
mb_72 | 7 years ago
Avamander | 7 years ago
sccxy | 7 years ago
The problem was that Gemalto did not tell Estonia that there was a security flaw.
That led to a rushed security fix, which could have been worked on for months beforehand instead of being done in weeks.
willsr | 7 years ago
dullgiulio | 7 years ago
That's a hardware design error. The claim is that Gemalto failed to fulfil the contractual clauses about quickly informing the customer (the Estonian state) of the security breach, not the existence of the security breach itself.
Xylakant | 7 years ago
y04nn | 7 years ago
pisipisipisi | 7 years ago
TazeTSchnitzel | 7 years ago
the_clarence | 7 years ago
hkai | 7 years ago
Strom | 7 years ago
bozho | 7 years ago
spuz | 7 years ago
thisisit | 7 years ago
ivoras | 7 years ago
the_clarence | 7 years ago