Estonian E-Residency and its Compatibility with the eIDAS Program in an Austrian View

Estonia offers a so-called "e-residency" to most of the world's population. E-residency gives access to some Estonian services, above all opening an Estonian bank account and founding an Estonian company. Since Estonia is a member of the European Union, this may be interesting for a lot of people.

For authentication, Estonia issues a smartcard with a personal PIN. This card can be used to authenticate online and to sign and verify documents. But let's wait and see what is possible with it in general.

Laws and Regulations

Let's start at the beginning. Estonia is, as already mentioned, a member state of the European Union. Therefore, it needs to comply with European regulations such as the eIDAS Regulation 910/2014. Roughly summarised, this regulation states how member states need to provide digital services, let citizens authenticate themselves to the state, and be interoperable within the European Union. If you are interested, I wrote a thesis (in German) about the regulation and its implementation in Austria.

Since this kind of authentication always involves cryptographic signing and verification, the regulation also governs the ecosystem of certificates and signatures in the European Union.

Signing and Encrypting - Default Tools of Estonia

Estonia offers and recommends a variety of tools that work with its smartcard solution and are maintained by the state or a third party. The only tool that can sign documents offline (including PDF documents) saves them in the .asice container format, which is largely unknown (at least in Austria). I have a feeling that .asice may be known to Estonian authorities, but the colleagues I have talked to have no idea about that format.

This .asice file contains the original document and a separate signature file. The signature also carries a qualified time stamp provided by the Estonian state time-stamping service (the computer needs a working internet connection for that purpose).
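To make the container layout concrete, here is an added example (not code from the original post or from the DigiDoc project) that builds a constructed .asice-style archive and then inspects one: it checks that the `mimetype` entry comes first and is stored uncompressed, lists the signed documents and the signature files under `META-INF/`, and recomputes each referenced document's SHA-256 digest against the `ds:DigestValue` recorded in the signature file, so a payload altered after signing is reported as not intact. The signature XML is a constructed stand-in that models only the `ds:Reference` binding; it does not verify the signature value or the signer's certificate, which remains the job of a validation service.

```python
import base64
import hashlib
import io
import xml.etree.ElementTree as ET
import zipfile
from urllib.parse import unquote

# ASiC-E containers are ZIP files: the first entry is an uncompressed "mimetype",
# the signed documents sit at the top level, and the XAdES signature files live
# under META-INF/. The XML produced below is a constructed stand-in that models
# only the ds:Reference elements binding a signature to the signed files.
ASICE_MIMETYPE = b"application/vnd.etsi.asic-e+zip"
DS_NS = {"ds": "http://www.w3.org/2000/09/xmldsig#"}


def _sha256_b64(data: bytes) -> str:
    return base64.b64encode(hashlib.sha256(data).digest()).decode("ascii")


def _signature_xml(files: dict) -> bytes:
    """Constructed signature file with one ds:Reference per signed document."""
    refs = "".join(
        f'<ds:Reference URI="{name}">'
        '<ds:DigestMethod Algorithm="http://www.w3.org/2001/04/xmlenc#sha256"/>'
        f"<ds:DigestValue>{_sha256_b64(content)}</ds:DigestValue>"
        "</ds:Reference>"
        for name, content in files.items()
    )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<asic:XAdESSignatures xmlns:asic="http://uri.etsi.org/02918/v1.2.1#" '
        'xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
        f'<ds:Signature Id="S0"><ds:SignedInfo>{refs}</ds:SignedInfo>'
        "<ds:SignatureValue>constructed-placeholder</ds:SignatureValue>"
        "</ds:Signature></asic:XAdESSignatures>"
    ).encode("utf-8")


def build_container(files: dict) -> bytes:
    """Build a constructed .asice-style container around the given files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # mimetype must be the first entry and stored, so readers can find it without inflating
        zf.writestr(zipfile.ZipInfo("mimetype"), ASICE_MIMETYPE, compress_type=zipfile.ZIP_STORED)
        for name, content in files.items():
            zf.writestr(name, content, compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("META-INF/signatures0.xml", _signature_xml(files), compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


def inspect_container(data: bytes) -> dict:
    """List the container's parts and check each referenced document's digest.

    'intact' maps document name -> True if the digest stored in the signature
    file matches the bytes in the archive; False means the payload was altered
    after signing. Signature value and certificate are not checked here.
    """
    zf = zipfile.ZipFile(io.BytesIO(data))
    names = zf.namelist()
    mimetype_ok = (
        bool(names)
        and names[0] == "mimetype"
        and zf.getinfo("mimetype").compress_type == zipfile.ZIP_STORED
        and zf.read("mimetype") == ASICE_MIMETYPE
    )
    documents = [n for n in names if n != "mimetype" and not n.startswith("META-INF/")]
    signatures = [n for n in names if n.startswith("META-INF/signatures") and n.endswith(".xml")]
    intact = {}
    for sig in signatures:
        root = ET.fromstring(zf.read(sig))
        for ref in root.iterfind(".//ds:Reference", DS_NS):
            uri = unquote(ref.get("URI", ""))
            if uri not in documents:  # references into the signature itself are not payload
                continue
            expected = ref.findtext("ds:DigestValue", default="", namespaces=DS_NS).strip()
            intact[uri] = expected == _sha256_b64(zf.read(uri))
    return {"mimetype_ok": mimetype_ok, "documents": documents,
            "signatures": signatures, "intact": intact}


def replace_entry(data: bytes, name: str, new_content: bytes) -> bytes:
    """Rewrite the archive with one entry swapped, to simulate post-signing tampering."""
    src = zipfile.ZipFile(io.BytesIO(data))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as dst:
        for info in src.infolist():
            payload = new_content if info.filename == name else src.read(info.filename)
            dst.writestr(info, payload)  # keeps each entry's original compression method
    return buf.getvalue()


if __name__ == "__main__":
    container = build_container({"contract.pdf": b"%PDF-1.4 constructed sample"})
    print(inspect_container(container))
    tampered = replace_entry(container, "contract.pdf", b"%PDF-1.4 altered")
    print(inspect_container(tampered)["intact"])
```

The digest check is what lets a reader outside Estonia see that the .asice container is an ordinary ZIP whose signature is bound to the payload bytes, and why handing the file to a generic unzip tool and re-zipping it breaks the signature.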

DigiDoc, the official offline software, is available for Linux (officially supported is Ubuntu-based Linux; I tried LMDE, a Debian derivative, as well and it worked, although it needed minimal adjustments to the install script; see blog entry), macOS (the App Store installation is preferred), and Windows. The software is open source. Browser add-ons are also available for Firefox, Chrome, Safari, and Edge.

There are also online services that create signed PDF documents (a PDF with the signature embedded; e.g. Dokobit), but these are online services and require you to upload the PDF. This may be a problem with confidential information.

Online Authentication

The Estonian e-residency smartcard is widely used for online authentication against the services the Estonian government offers for running your business (e.g. taxes, bank account, notary). This requires the original software to be installed together with a browser add-on: Web eID. The browser calls the software, which accesses the smartcard. You enter a PIN, and the smartcard creates a signed token that authenticates you to a service. You always authenticate to the Estonian ID authority, which, in its role as IdP, vouches for your identity to the service.

Interoperability

(Figure: Login workflow of an Austrian service provider and the Estonian eIDAS node, as described in this section.)

Since the e-residency card has the same underlying system as the Estonian eID card, the e-residency card is fully eIDAS compatible.
This mainly means two things:

In practice, for example in Austria, this means the following when logging in to the Austrian taxation service:
  1. Visit the Austrian SP (e.g. the taxation service) and log in.
  2. You are redirected to the Austrian eIDAS node (ministry of internal affairs) to get authenticated.
  3. The Austrian eIDAS node asks for identification and about your state of authentication.
  4. Select "eIDAS Login" (not "ID Austria") and then select "Estonia".
  5. A redirection to the Estonian eIDAS node (RIA, information system authority) follows.
  6. Identify yourself with the smartcard and your PIN and sign a token that is sent to the Estonian eIDAS node.
  7. The Estonian eIDAS node authenticates you and passes your identity to the Austrian eIDAS node.
  8. Only on first-time authentication in Austria:
    1. The Austrian eIDAS node asks you to either provide an Austrian ID, another European ID that has already been connected with the Austrian dataset (i.e. has already been used to log in in Austria), or your latest home address in Austria that the authorities are aware of.
    2. The dataset of the Estonian eIDAS node gets connected to the existing Austrian dataset.
  9. The Austrian eIDAS node passes your identity to the SP (e.g. the taxation service) and the service provider authorises you.
  10. You are now logged in.

If you submitted no previously notified home address, or no Austrian ID, I do not know how to log into these services. Also, the process of connecting the person via the latest known home address bears some risks. I had the possibility to submit a personal national identifier when applying to the e-residency program. I entered the Austrian social security number. It may be possible that this number plays a part when connecting to an Austrian dataset. At least it should. If it does, there is no need to enter additional information, as the social security number is unique.

When applying for the e-residency, I only submitted one given name; the Austrian government has a dataset with multiple given names. Therefore, the names do not match exactly. How does this dataset matching work? Also, if I know another person with my name and his current home address, could I assign my Estonian card to his dataset and, therefore, act as him?
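The linking step in item 8 is where the questions above bite, so here is an added example (not code from the post, and not the actual matching logic of the Austrian eIDAS node, which the post does not describe) that models two linking policies over a constructed registry. The eIDAS attribute names used (PersonIdentifier, CurrentGivenName, CurrentFamilyName, DateOfBirth) are the eIDAS minimum data set; the registry layout, the `national_id` placeholder standing in for a unique identifier such as the social security number, and both policies are assumptions made for this example. The weak policy auto-links on name plus a user-supplied address, so two people who share a name and one knows the other's address produce the same match; the strict policy auto-links only on a unique identifier that also agrees with name and date of birth, treats a name/birth-date/address hit as a candidate that still needs step-up proof (e.g. an Austrian ID), and never guesses on zero or ambiguous hits. It also shows one way to tolerate the "one given name vs. several" mismatch.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model of the identity-linking step at the Austrian eIDAS node.
# Registry layout, the national_id placeholder and both matching policies are
# assumptions for this example, not the real node's behaviour.


@dataclass(frozen=True)
class RegistryRecord:
    given_names: Tuple[str, ...]   # the Austrian dataset may hold several given names
    family_name: str
    date_of_birth: str
    address: str                   # last known home address
    national_id: str               # placeholder for a unique national identifier


@dataclass(frozen=True)
class EidasIdentity:
    person_identifier: str         # eIDAS PersonIdentifier sent by the Estonian node
    given_name: str                # often a single given name, as in the post
    family_name: str
    date_of_birth: str


def _norm(s: str) -> str:
    return " ".join(s.casefold().split())


def names_compatible(rec: RegistryRecord, ident: EidasIdentity) -> bool:
    """Tolerate 'one given name vs. several': the single name must be one of the registry's."""
    return (_norm(ident.family_name) == _norm(rec.family_name)
            and _norm(ident.given_name) in {_norm(g) for g in rec.given_names})


def link_by_name_and_address(registry: List[RegistryRecord], ident: EidasIdentity,
                             claimed_address: str) -> Optional[RegistryRecord]:
    """Weak policy: auto-link on name plus a user-supplied address (first match wins)."""
    for rec in registry:
        if names_compatible(rec, ident) and _norm(rec.address) == _norm(claimed_address):
            return rec
    return None


def link_strict(registry: List[RegistryRecord], ident: EidasIdentity,
                claimed_address: Optional[str] = None,
                national_id: Optional[str] = None) -> Tuple[str, Optional[RegistryRecord]]:
    """Strict policy: auto-link only on a unique identifier consistent with name and
    date of birth; a name/birth-date/address hit is only a candidate for step-up."""
    if national_id is not None:
        hits = [r for r in registry
                if r.national_id == national_id
                and names_compatible(r, ident)
                and r.date_of_birth == ident.date_of_birth]
        return ("linked", hits[0]) if len(hits) == 1 else ("rejected", None)
    if claimed_address is None:
        return ("rejected", None)
    hits = [r for r in registry
            if names_compatible(r, ident)
            and r.date_of_birth == ident.date_of_birth
            and _norm(r.address) == _norm(claimed_address)]
    if len(hits) == 1:
        return ("step_up_required", hits[0])   # still needs an Austrian ID or similar proof
    return ("rejected", None)                  # zero or ambiguous hits: never guess


# Constructed registry: two people who share a given and family name.
REGISTRY = [
    RegistryRecord(("Max", "Johann"), "Mustermann", "1980-05-01", "Beispielgasse 1, 1010 Wien", "ID-0001"),
    RegistryRecord(("Max",), "Mustermann", "1991-11-23", "Musterstrasse 7, 8010 Graz", "ID-0002"),
]
# The genuine holder of the first record, presenting one given name via eIDAS.
GENUINE = EidasIdentity("EE/AT/constructed-1", "Max", "Mustermann", "1980-05-01")
# The other Max Mustermann, presenting the first record's address instead of his own.
OTHER_PERSON = EidasIdentity("EE/AT/constructed-2", "Max", "Mustermann", "1991-11-23")


if __name__ == "__main__":
    vienna = REGISTRY[0]
    print(link_by_name_and_address(REGISTRY, OTHER_PERSON, vienna.address))  # links the wrong record
    print(link_strict(REGISTRY, OTHER_PERSON, claimed_address=vienna.address))  # rejected
    print(link_strict(REGISTRY, GENUINE, claimed_address=vienna.address))       # step_up_required
    print(link_strict(REGISTRY, GENUINE, national_id="ID-0001"))               # linked
```

The point of the strict variant is that a mailing address is knowable by third parties and therefore cannot carry the linking decision on its own; it can narrow the candidate set, but the auto-link needs an attribute that is both unique and not public, and anything short of that should route to a step-up with an Austrian credential, as item 8.1 in the flow already allows.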

Signing documents works via the offline application or some online services. The official offline application creates .asice files, which are not known outside Estonia. The online services create .pdf files, which can be read by any document reader. Estonian signatures can be verified with the official Austrian service. Austrian applications such as PDF-Over do not work in combination with Estonian smartcards, as smartcard operating systems are not standardised in Europe and most of them differ from each other. Only the results, i.e. the resulting signatures, are standardised.

Summary

The Estonian e-residency system is fully eIDAS compatible. You can create signed documents, encrypt data using the card, and verify signatures. Signing and encrypting currently only work via Estonian applications because of the OS incompatibility. Verifying works with any verification application. Online authentication also works across Europe, but the national identity-linking mechanisms may have a security problem.

The e-residency grants you rights and privileges that you, as a European citizen, already have. However, as this program targets citizens of the world, it enables everyone to get a European bank account and create a company in Europe. Also, due to the eIDAS compatibility, it enables everybody to interact with any European authority while being authenticated.


Last update: 2024-12-29