Rant about smart cards and public administration (long and painful)


Post by Lucio Chiappetti » 2021-12-04, 20:01

This fits nicely in "off topic" :mrgreen:
In Italy public administrations are dismissing all forms of login access (at least for residents) to their sites via dedicated usernames (I had one for the Regional Health Services, one for the pension organization INPS, one for Agenzia delle Entrate, AdE (the tax office), one for the Municipal site, and was happy with all of them). Now there are three alternatives:
  • SPID, which requires you to be identified by a variety of providers, the most diffuse of which is the Post. The administration routes you to your provider, you enter username and password and a third code. This can come via SMS or via a smartphone app. Unfortunately the number of SMS has a three-monthly quota
  • CNS, i.e. the "National Service Card", which is actually regional. It is a chip card which is used to access health services and at the same time certifies your fiscal code (a very important number for everybody)
  • CIE, i.e. the Electronic Identity Card, the latest form(s) of identity document (we always had one, usually on paper)
So I did the following in order to override SPID:
  • bought a smart card reader
  • tried to get a PIN for my CNS ... this involves going in person to an office, except that during the pandemic the site says you do it online, but if you try that you get back a mail which says you have to go in person to an office but only by appointment, there is a site to get the appointment, with a queue of some weeks ... anyhow I got the appointment for last Friday
  • in the meanwhile I tested the smart card reader with various Linux commands, I found this site which says that, contrary to what the regional site says, one does not need special drivers but OpenSC is enough
  • actually the various commands in the package recognised my card, read my name, etc.
  • anyhow the Lombardy regional site says to install a CNS utility (mainly to sign documents) and provides instructions for a single browser, Firefox! :mrgreen: which say you require a driver library, different for each version of smart card
  • The installer of the utility in fact auto-locates opensc-pkcs11.so, so I thought that was the thing to put in Pale Moon Preferences-> Advanced -> Certificates -> Security Devices ... and indeed it recognised the smart card reader and even my name
  • ... but I could not do any other test as I had no PIN
  • Yesterday finally I got my PIN (in the meanwhile I also got a new CNS since the old one is due to expire next month ... they gave me the PIN for the new card saying it should be already active)
  • But neither the CNS utility nor Pale Moon seemed to work
  • With some difficulty I located a site at the Ministry of Finance which contains the deb packages for the drivers for the various versions of CNS, the one for AC2021 (the tiny version number in the corner of my newer card) contains a libbit4xpki.so
  • With that library the CNS utility works (signed a test document)
  • And Pale Moon works very nicely: it realizes when the card is inserted, and is logged in. Actually the login remains for multiple sites even after site logout. The only minor comment is that Pale Moon asks for a "card master password" which left me unsure whether it was the PIN or the PUK (it is the PIN)
  • So now my CRS works for the Region site and the INPS site. Not (yet ?) for the AdE site, I suspect the card is too new, I'll see when the old one expires.
  • Unfortunately the Municipal site does not support CRS (only SPID and CIE)
  • So I tried inserting my CIE issued in 2015 ... Pale Moon detects it ... as a CNS :mrgreen: but no site works with it (I had a sealed sheet with the PIN since when I got it)
  • So I went to the CIE site, downloaded another manual and another deb package, with a utility and a library libcie-pkcs11.so (which I added to the Pale Moon security devices)
  • ... but apparently all stuff on the CIE site is for CIE 3.0 (an NFC contactless card), not for my card which has a chip! :thumbdown:
  • ... so no site works with the CIE; Pale Moon "CNS" device 1 sees the CIE as a CNS, and even accepts its 5-digit PIN, device 2 says "not inserted"
  • So I placed a ticket to the Ministry of Interior (responsible for CIE) ... will see what happens
The reasonable man adapts himself to the world: the unreasonable one persists in trying to adapt the world to himself. Therefore all progress depends on the unreasonable man. (G.B. Shaw)


Post by Pentium4User » 2021-12-04, 20:48

Why do you use it?
I don't use such government services in Germany. For me, there is no benefit.


Post by Lucio Chiappetti » 2021-12-04, 22:13

Because it is or will become the only way ...
... printing medical prescriptions without going to the doctor's
... printing medical examination results without going to the hospital
... booking medical examination without going to the hospital
... submitting application for pension (well, done once, and with the old credentials, but worked very nicely)
... printing pay slip, yearly tax forms etc.
... submitting yearly tax declaration (works very nicely, done so far with the old credentials)
... checking the municipal garbage tax
... etc etc etc


Post by bgstack15 » 2021-12-06, 15:15

Thank you for sharing that story! I'm sorry it's so frustrating. I think that the tech involved in PKI (certs and/or smart cards) sounds so cool, but it always seems to be a pain to be a user of it.


Post by Lucio Chiappetti » 2021-12-06, 17:47

In the meanwhile I got a response to my ticket via the Polygraphic Institute and State Mint (apparently that is the entity in charge of CIE electronic identity cards).
In a nutshell my id card (RFID chip) is of the 2.0 "experimental" type, and they support only the 3.0 NFC model.
Maybe I'll try to check with my municipal authorities why they do not support CNS as third authentication way.
For CNS there is a variety (more than half a dozen) of types of cards, and each one requires a different driver (they are provided, though somewhat hidden).

BTW It seems there is the possibility to change the CIE in advance (I hope not faking it had been stolen) of the expiry in 2026. The story of my card is also peculiar. My previous card was on paper. It was originally valid for 5 years, then the law changed, it was extended to 10 years via a stamp on the back. The card is also used for travel within Europe. In 2011 I had to do a hike in Switzerland, and suspected the Swiss may not like the stamp, so I tried to get a new card (still on paper, the electronic pre-experimental 1.0 was very rare and its extension was via a stamp ... on a piece of paper), but the clerk did not like my photos because he said there were reflections on my glasses ... although the photographer was careful about that. So I mailed the Swiss Consulate and in 2 hours I got back an official regulation in Italian that the stamp on the back was OK - the one on paper not. I waited to get the new card on expiry and applied for the "experimental 2.0" ... it had the advantage that the clerk will do the photo (so I went there with an empty glass mount ... my face is not mine without the glasses I have worn since I was 10) and deliver the card immediately, but the disadvantage that it was issued only in one office, with a queue of several months (I remained for a few weeks with just the old expired one).
Now the procedure is different, for the 3.0 one you book a (faster) appointment, bring your own photograph, and then the card is mailed back via registered mail (so you have to delegate the doorman to receive it). My mother did it, but she is no longer here to use it.


Post by Lucio Chiappetti » 2022-02-27, 20:03

Lucio Chiappetti wrote:
2021-12-06, 17:47
Maybe I'll try to check with my municipal authorities why they do not support CNS as third authentication way.
They do not support CNS, but they use SPID Level 1 (i.e. username and password but no OTK)


Post by Admin » 2022-02-27, 23:15

Maybe just go with a user name and a secure, long password then? I mean, most "2-factor" authentication is not really 2-factor anyway.
Did you know that moral outrage triggers the pleasure centers of the brain? It's unlikely you can actually get addicted to outrage, but there is plausible evidence that you can become strongly predisposed to it.
Source: https://www.bbc.co.uk/programmes/p002w557/episodes/downloads - "The cooperative species" and "Behaving better online"


Post by MrMobodies » 2022-03-10, 00:43

Lucio Chiappetti wrote:
2021-12-06, 17:47
In the meanwhile I got a response to my ticket via the Poligraphic Institute and State Mint (apparently that the entity in charge of CIE electronic identity cards).
In a nutshell my id card (RFID chip) is of the 2.0 "experimental" type, and they support only the 3.0 NFC model.
Talking of RFID, Dymo printers seem to be doing it and DRMing their paper rolls with sensors on the printers and chips on the rolls that count after every print to prevent you using compatibles, and I was reading some reviews that they also seem to lock the user into using their own software with just plugins for office, which isn't as good as their old one with the address book import/export, but instead they now appear to want to synchronize it directly to Google/Outlook email accounts according to their F&G, which seemed a bit unclear about printing directly from other applications to the printer driver.

https://www.eff.org/deeplinks/2022/02/w ... -paper-now
The Worst Timeline: A Printer Company Is Putting DRM in Paper Now

Those people are going to be disappointed. Dymo’s latest generation of desktop label printers use RFID chips to authenticate the labels that Dymo’s customers put in their printers. This lets Dymo’s products distinguish between Dymo’s official labels and third-party consumables. That way, the printers can force their owners to conduct themselves in the ways that serve the interests of Dymo’s corporate owners - even when that is to the owners’ own detriment.
In future they could decide to stop making certain paper/roll types or whatever excuse making their stuff obsolescent but I hope if enough people boycott them they'll become obsolescent themselves too.


Post by Moonchild » 2022-03-10, 02:02

MrMobodies wrote:
2022-03-10, 00:43
Dymo printer's seems to be doing it and DRMing their paper rolls
Not sure how that's relevant to this actual topic.
"Praise from a narcissistic person is always a poison dart. They don't share the stage, so discernment matters." - Dr. Ramani
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite


Post by MrMobodies » 2022-03-11, 00:17

I think I misinterpreted the whole thing. Quite embarrassed. I thought it was about locking people into things, where you need a smart card to visit doctors and to access services, and then the paper DRM thing came to mind. I see it is about using it with Pale Moon. My fault. Sorry about that.