Spain does the same. With your ID card chip, you can:
- sign your emails digitally
- log in to secure websites with your ID card (bank, DMV, taxes, …). Sometimes you can only do it with the ID card
- they opened many of their tools, so you can design your website to allow login with Spain's ID cards (that was a fun project)
Were these cards affected? Were there any official notices from authorities?
Even if not affected, it would be nice to hear an official comment.
I was discussing this with someone from Belgium and we agreed that silence from the Belgian government meant only one thing: nobody used the service. (Specifically: Belgian cards are the older Gemalto generation, thus not affected, like the older Estonian IDs.)
We have a similar system in Austria and I got curious when ROCA was announced. Turns out the cards here generate ECDSA keys and are thus not affected. Naturally, there was no announcement of any kind, so this took quite a bit of sleuthing to figure out.
Slovakia invalidated them 3 days ago and is moving to 3072-bit keys.
However, our minister of the interior "Robert Kalinak" announced that they should hack his if it's a real threat. The only thing which he didn't mention is that his public key isn't publicly available...
In the U.S. we also put all our eggs in one basket, but instead of that basket being a digital certificate/smartcard, it's a nine-digit number that we use as both userid and password.
Except all eggs aren't in one basket - ID card cert usage will be blocked but you can still use Mobile-ID to sign documents, log into govt websites and do everything else that you can do with your ID card.
More like 3 baskets. Estonians can also use a Mobile ID, where private keys, authentication and signature functions are stored on a special SIM card. More recently, an app based Smart ID was also introduced.
If you're on one of those services, the certificate revocation doesn't really affect you.
There is only one basket that is made to look like there are three baskets.
To get a Mobile-ID you need to have an ID-card with valid certificates. If the certs are revoked you can't activate your Mobile-ID. Also you have to pay a monthly fee for the Mobile-ID service.
Smart-ID requires that you have an ID-Card or Mobile-ID and more importantly it's practically useless as you can't use it for any government services.
So what's your actual threat model here? The Government decides to ban people from accessing Government services? Err... Or that some person might not be able to activate their Mobile ID for a short period of time while they sort out their ID cards?
Just like you need a valid e-mail to sign up somewhere. Except that here you won't need it afterwards (even if your ID is compromised, it can be blocked and the other systems provide secure identity.)
All of this is backed by the "single basket" of people actually showing up in the population registry office...
PS: I see, you have just joined HN to write these unsubstantiated comments.
Clarification: Smart ID does not (yet) have the same functionality as Mobile-ID or ID Card (you can log into some supported services with it but that's about it).
AFAIK they're working on it to get it to the same level so you could give official signatures and log into govt services etc using that as well.