<div dir="ltr">My biggest fear is the use of eID to basically "identify" yourself. From what I know, the eID is the highest form of "identification" you can have. From a scale from 1-4, an eID is the highest form of trust you can give (<a href="http://web.archive.org/web/20150915011249/http://www.itl.nist.gov/lab/bulletns/bltnaug04.htm">http://web.archive.org/web/20150915011249/http://www.itl.nist.gov/lab/bulletns/bltnaug04.htm</a>). Using that just to authenticate yourself on websites to prevent fake online reviews is like shooting a fly with a shotgun.<div><br></div><div>Knowing a username + password already gives you a level 1 clearance, buying a product already gives level 2 clearance (proof that you have the object). Having a eID that can issue tokens for you gives you a level 3 clearance (that person is real, for sites like facebook), signing with the eID is level 4 (if you want to fill in tax forms). Revoking a key requires that the the revocation signatures are also stored online for everyone to see (in case of identity theft).</div><div><br></div><div>So, the question is: How much trust do you need to have in the other party? Amazon only needs to verify that you actually bought the goods before flagging you as a "verified purchaser", to prevent fake reviews. They don't need to know my real name, just me logging in + a receipt of the goods I bought. The case of actually using an "eID" is only valid when you want to verify the identity of that user, for example when you want to get a loan or when you need to be reasonably sure that the other party is really a client of yours (eg: a bank). Otherwise, I would not see any benefit of having some sort of "eID" for authentication.</div><div><br></div><div><div><div class="gmail_quote"><div dir="ltr">On Sun, May 1, 2016 at 5:22 PM Nick Hilliard <<a href="mailto:nick@inex.ie">nick@inex.ie</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Patrik Fältström wrote:<br>
> What is irritating with just that snippet on top of page 12 you<br>
> reference is that they say in more or less the same sentence that it<br>
> is important to decide who to trust, while one should be told to<br>
> trust whatever eID Brussels decides on.<br>
<br>
That snippet, and the paragraph before it, are very confused pieces of<br>
thinking.<br>
<br>
> In particular, online platforms need to accept credentials issued or<br>
> recognised by national public authorities, such as electronic ID<br>
> cards, citizen cards, bank cards or mobile IDs.<br>
[...]<br>
> Further, the Commission will draw up a plan to strengthen public<br>
> authorities' capacity to process and analyse large-scale data to<br>
> support the enforcement of EU single market policies and to ensure<br>
> platform users are more aware of the data collected by platforms and<br>
> how it is used.<br>
<br>
The paper then mention fake online reviews as being an example that<br>
deserves particular merit. In the long list of things which cause<br>
erosion of trust, fake online reviews are pretty far down.<br>
<br>
Apart from the concerns you mentioned, there is a complete lack of<br>
understanding about the stupidity of using:<br>
<br>
1. very widely or universally accepted access credentials. The more<br>
widely accepted an access token is, the more damage you can do by<br>
compromising the token.<br>
<br>
2. irrevocable tokens (e.g. biometrics in national ID cards) as trust<br>
credentials on the Internet. One of the centre-pieces of trust is that<br>
it can be revoked. If something cannot be untrusted, it should not be<br>
trusted in the first place.<br>
<br>
In either case, it would be pretty catastrophic if trust databases of<br>
this form were compromised. The more widely used a trust database is,<br>
the more valuable it is and the more likely it is to be viewed as an<br>
interesting target by threat actors, whether state or criminal.<br>
<br>
Overall, while the intentions of this suggestion cannot be doubted, the<br>
idea of mandating wide acceptance of eIDs seems to be an extremely<br>
unwise plan of action.<br>
<br>
Nick<br>
<br>
<br>
</blockquote></div></div></div></div>