by feldrim 1637 days ago
Well, in Estonia, they have a different approach.

1. If you are a citizen or a resident, you get an ID card to use for every public service. It's just a smart card with a government PKI.

2. The public services provide an email account that can only be used within the e-government services. The card is used for accessing those services.

3. The email service accepts either identity number or registry number of the recipient. So the recipient can be a legal entity.

4. You can and almost always do provide a forwarding address, so that you don't need to check.

5. You can't use it for other purposes. No RFC-defined email address is shared with you. And it's just an internal system for official issues.

I've heard some countries issue mailboxes for citizens but I am not aware of the general use of these. Also, email services were designed to be decentralized but evolved into centralized systems, a current and unsolved problem. I am not sure about the privacy and security of government provided email services.


I still have a vague hope that the United States Postal Service could be "pivoted" into being a PKI provider and distribute physical tokens to citizens. They already have substantial procedures and infrastructure for verifying identity. There would be problems, to be sure, but I'd much rather get my ubiquitous PKI for citizens from the USPS than the banks or "tech giants".
I'd like to see the USPS expanded to become a public / municipal ISP of sorts.

If you read about the history of the institution, this is really what was intended in its constitutional incorporation. It really wasn't about physical mail per se, and you can't hold the founders accountable to something that was outside the realm of imagination at the time.

There's all sorts of information-structural things that are in the bounds of the USPS per the intent of its creation.

My main reservation with the USPS becoming an ISP lies in its investigative powers and long history of politically driven, unconstitutional use of its police force. Namely suppressing socialist newsletters, pornography, and the like.

I'm guessing most Americans do not realize that going back more than a decade, the USPS has scanned and stored imagery and metadata for every single piece of mail that passes through their automated sorting machines.

Look closely at the images they email you of mail coming into your mailbox and you'll notice that very often, the scans reveal the nature of the documents inside even without messing with contrast/levels.

That's a good point, and I share that concern to some extent. But in thinking about it I guess I'm of the impression this happens anyway with private ISPs and the government? Private courts, state privilege, etc. Maybe if it were through the USPS it would force some transparency as well due to it not being private.

Also, I would be concerned if all the private ISPs disappeared also. Ideally I'd like to see something like is the case with physical delivery, where you have the USPS, FedEx, UPS, DHL, etc. Having the USPS be an ISP of sorts would hopefully not kill private offerings, along the same lines. Especially so given that we're in a de facto monopoly situation at the level of specific geographic locations often now. Introducing competition where the market has failed to do so shouldn't be a problem, and if it is, there are larger issues.

If anything I could see this being a selling point for private ISPs, "use us and don't worry about the government because we have everything locked down in X, Y, and Z manner."

It's a real shame the USPS didn't jump on email at the start and become an email provider.

They still can. A government doesn't have the need for first mover advantage because they have the power to make the official version. Also, the technology is very mature and best practices are better known. The user base has been trained. And it's cheaper for them to do it now.

Though an official united states citizen email address has its own pitfalls for abuse, scams, and fraud.

Nothing about their organization prepares them for doing this. Having 50000 branch offices and half a million employees is their superpower.
This would be great for things like voting, but I think it could also be easily abused.

Many services would want to use your PKI token as identification, we would likely give up a lot of privacy because of its existence/ease-of-use.

> I still have a vague hope that the United States Postal Service could be "pivoted" into being a PKI provider

It’s going to be an uphill battle or impossible as PKIs are too obscure for the average citizen to understand the benefits and any whiff of a federal ID card will be treated like the mark of the communist coup beast.

I always discover how Estonia is really amazing for lots of technology things. AFAIK they are by quite a margin the most advanced country in Europe when it comes to e-government services. Moreover my (admittedly outside) impression is that they often go for technologically sound solutions, not the ones which some large lobby organisation pushed for. This is particularly remarkable considering how small the country is, and in stark contrast to the mess that is e-government services in Germany, the richest country in Europe.
Probably because they're so small they're overlooked by the salespeople and lobbyists from the big corps. I imagine that helps a lot. In the UK there are plenty of smart people in Government who can and would build things in a sensible way (and sometimes they do!), but there are also legions of smooth talking salespeople who usually bend the ministers' ears more easily.
The self developed UK government online services tend to be pretty good (sometimes very good!). It's the stuff they outsource to government contractors whose CEOs play golf with government ministers that are universally terrible.
This "playing golf with government minister" should be called out for what it is: a probable or possible bribe. It won't be money in a brown paper bag but the result will be the same. It's endemic. We like to think bribery and corruption happens to other countries but there's plenty of it in the UK: it's just higher up the totem pole and largely accepted.
Same thing in the US. I always laugh whenever I see a list of corrupt countries and the US isn't near the top. Codifying bribery into law as lobbying and superpacs doesn't make it not bribery.
That's because the US has a low amount of corruption on the positions that face the public.

It's also because most of those lists are ordered by a "perception index", that is the kind of bullshit that increases if your government does an awareness program and if corruption fighting gets on the news.

Spot on: "Codifying bribery into law as lobbying and superpacs doesn't make it not bribery"
Ha, do you have any experience doing business with those countries top of the list to say so?
Agreed, though I've always had this thought: How do we know it's not money in a brown paper bag/briefcase. I mean, could they not transfer physical money as easily as they transfer words and secret deals. Golf courses are huge, golf carts can have large compartments and be loaded up directly from a car. I know the thought is, "well why would they do that, surely there's an easier alternative", but my point is that it's not would, it's could.
> How do we know it's not money in a brown paper bag/briefcase

One of the problems is that some of these checks can only be performed much later.

The most common currency of choice, for modern bribes, is the promise of a fat gig in the private sector when the political career ends. As the public demands younger and younger political classes, with lower and lower salaries, while maintaining an appetite for career-ending scandals and relatively short terms in office, it's inevitable that individuals will tend towards ensuring their future survival. Such promises need no paper trail, are trivial to keep, and are effectively invisible for years. When they're realized, it's typically too late to do anything about the original source of corruption, and the new guys in power have no incentive to cut that income source for them; in fact, they now know it works and are more likely to tap it for themselves.

And I guess my counterpoint is that could is a very very large potentially unusably large category of possible actions, and would is a much more tightly controlled set of realized actions we believe might happen again.

But then would has the potential of misdirection. Your believed set of would's might be entirely separate from the realized would's of the individual. Could is wider but has less room for interpretation or propagandizing. Exactly my point in the above post: why wouldn't they be able to transfer money. My set of would's include those deliberate obvious actions, especially if all kinds of other things happen on golf courses. Anyways, I'm rambling, have a nice day. :)

This is the right answer.

If I'm Fujitsu or Accenture and I lose $BigCountryContract, it's a Big Deal and somebody is not going to get his fat bonus. If I lose Estonia, "Whatever, it was pennies anyway". Smaller orgs also don't have the sort of complex bespoke requirements that allow consulting firms to really entrench themselves.

Decentralization is the way forward
Yep, we already have the most resilient, decentralized and safe public key infrastructure in place working in the real world for more than a decade now ;)
Good for our neighbors (And Hi!). Latvia is also advanced in regards to e-services :)

We also get a state-issued ID card with PKI. We can access tons of services. Last I read I can buy a house, fully remotely. Including notary services via video call + all parties need to sign stuff with our ID card.

We get health results via email as an encrypted PDF, where the password is given at the time when I submit samples.

Many businesses also use the ID card to sign contracts between parties.

Bank transactions involve Smart-ID, a 2FA app that I have to authorize via ID card for remote setup on any new device. (It involves generating new certificates.) Smart-ID is developed by Estonia and is a very convenient, secure way to authorize payments.

As for communication, no state-issued email. However we usually get email notifications, for example from the state tax service, that we should log in and read whatever we have to.

The application allows Latvian ID card to be used in the Settings tab. So I learnt that it's applicable to your country too. I recently moved to Tallinn and just became a resident. The thing is they are capable of doing lots of things. And still, there are many things that can be improved.
Estonia is the founding member of the NATO Cooperative Cyber Defence Centre of Excellence... they've been at the forefront for a long time. https://ccdcoe.org/
It’s partially the result of the 2007 cyberattacks they endured. After that, they started taking cybersecurity very seriously.

https://www.bbc.com/news/39655415

Their development of IT public infrastructure is a bit more complex. The first thing was the political situation in the 90's during the transition. As they wanted to go as far away from communism as possible, they sliced away all the political tradition and old politicians. A lot of young people got a chance in politics and public policy making. They somehow understood that investing in technology is the way to go. But the real starter was the Progertiger program, which brought computers to public schools. By 1999, almost all the schools were connected to the internet (about 98% of them, and you have to understand that Estonia has a lot of countryside and forests).

[0] https://www.tandfonline.com/doi/abs/10.1080/09523987.2020.17...

Their e-voting system source code looked pretty bad.

Quite apart from that, if they really took cyberattacks seriously they'd be voting with pen and paper.

I haven't seen the code nor read about it. But I'll have a look at it after this comment. Thanks.

The e-vote thing seems like an issue of reputation now. I don't think any politician would dare to change this. It would be possible only if a huge campaign involving a foreign interference becomes successful among the voters.

The size of the country is also something to consider. The population of the whole of Estonia is smaller than that of a single city in other countries. The area of Estonia is also minuscule.

What works for a tiny state isn't always appropriate for a big state.

If we are to believe the EU, they are #1 in digital public services and have a respectable place in overall digitalisation of society: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_...
Yep - Here in Finland, just over the bay in the north, the Estonian e-prescription system is often quoted as much leaner, meaner and more functional than our own borked attempt, at a fraction of the cost.
But Estonia has vote by internet, which guarantees that it’s possible to forge an election. Just this item brings them back to pre-democracy times.
Estonia is the one that also provided digital citizenship, right?
Not citizenship but residency, hence e-residency[1]. It actually means you can start a business here and pay your taxes here but you can be anywhere else in the world.

[1] https://www.e-resident.gov.ee/

Yes
In Italy we have a worse version of what you described.

1. An ID card you can use to access some services (carta di identità digitale)

2. Another card you can use to access healthcare related services and some other services (carta nazionale servizi)

3. SPID: your digital ID to access yet some other services, and also some of the above services. It is not released by the government but by other authorized entities such as banks, the national mail service and others. You need to pay a small fee for the verification, and sometimes an annual fee. There are different SPID levels but no one actually knows the difference between them.

4. PEC (posta elettronica certificata): a digitally signed email box you can use to send/receive documents, invoices, etc. or simply messages. Those are legally attributed to you and you can use it to talk to government agencies instead of sending registered paper mail. As SPID it is issued by an authorized third party.

We also have some smartphone apps that work as a combination of the above, and need some of the above to work.

As you can see it is a mess, a waste of tax money and we will need to waste more money in the future to make this mess work.

Nice :)

Edit: and by the way when you need something really important all the above are useless: you either need to start hopping from a public office to another (we have a lot of them) and/or go to a notary (a kind of medieval bureaucrat you pay a lot of money to sign and stamp sheets of paper)

In the Netherlands we do have an inbox from the government ("Berichteninbox" which is optional, the alternative is snailmail), it's coupled to the Digital ID system (DigiD), both are apps and webservices. You can use DigiD to access information on your pension, or healthcare insurance etc. The inbox can be (optionally) coupled to many government organizations and you receive information on taxes for example. I like the way it works, it works best if you have an Android or iOS system, but you can use it without (fully on the web).

Btw, a nice insight into email is also that it is one of the very few systems that decouples protocol from provider (Matrix and xmpp do that too, not widely adopted sadly) AND also has critical adoption (which Whatsapp also has in my country, sadly we are stuck with Meta there). We should never give up email because we will likely never get an open and free system like that back without some kind of government intervention. (Even though we all know email is a sub-optimal pile of hacks.)

Using Berichtenbox is a liability. Once you activate the thing, all sorts of (semi-)government communication goes there, but you can't forward it or download it via an open API. You have to use their smartphone app or webapp.

The notifications you can set up to a normal email address invariably only say that institution X sent you a message, but never specify the topic. That means you have to login to see if it is actually important and actionable or just something you already knew or a confirmation of something you submitted.

Even worse is this common scenario:

* Get notification that X sent something to Berichtenbox

* Login to Berichtenbox (first get mobile phone for required 2FA)

* Message says new information is available in X's web portal

* Login to X's web portal (mijn.somethingsomething.nl)

* Read totally pointless message that could even have been sent in plain email

Compare this to the postal flow:

* Get letter, read it

I think these days you can deactivate Berichtenbox and receive important information via post again, but this was not an option in the first year or so, so even experimenting with it was risky.

The similar Czech system (Datová Schránka) is even worse:

* email notifications are unreliable

* messages are considered delivered a week after landing in your data box, regardless of you reading them

* old messages are automatically deleted after 90 days (!!!) unless you pay for an expensive and cumbersome archive addon service

Especially point number three makes the whole thing quite dangerous, not just a liability - you might get an important message/request from the state while on a long vacation, lose the notification, and it will self-erase - mission impossible style! And you will only find out when you're in trouble for not doing something important later...

Unless you plan to work with the data box daily and manually check the messages, it's really dangerous to use it.

Yeah, it does seem pretty bad indeed, especially for older or less tech inclined people. What would be a better solution? Perhaps Estonia's system. I guess many countries are starting their own experiments, in 10 years we may know what works well and what doesn't.
Importantly, though, that inbox is not an email inbox. This is what the process might look like (i.e. I've been through this):

1. You get an email in your regular email stating that there is a new message in your Berichteninbox. (No clickable link, presumably to avoid phishing.)

2. You go to mijn.overheid.nl to access your Berichteninbox. You sign in with DigiD.

3. You open the mentioned message, which says a PDF with the actual letter is attached.

4. You open the PDF.

5. The PDF says you'll be able to file your tax returns a month from now.

Yes, that is the process, it's pretty involved indeed, biometric auth and apps opening other apps on mobile makes it bearable. But indeed, if you look at the number of successive actions in such a seemingly simple thing, it's quite a lot.

BTW, if said PDF contains an iDeal payment link, you can switch to yet another app (your banking app) and back (probably via website in between) and immediately pay things. Which is nice, but again watching over the shoulder of someone going through these actions it may seem that the phone is going crazy switching between apps :)

Serious question. Does this government smart card work on anything but Windows? Or you need to buy a windows machine to go with your free smart card?
Well, their website[1] has downloads for Linux, Android and iOS. But personally, I did not use any of them.

[1] https://www.id.ee/en/article/install-id-software/

I can't rightly say that I am able to navigate the maze of standards and acronyms associated with smart cards, but the OpenSC tools on Linux have worked for me with a couple different smart cards (Nitrokey HSM and Taglio PIVKey). There are quirks. The Taglio PIVKey can't load certificates using OpenSC, but I've always generated the certificates on the device anyway.
Just because there is smart card software for Linux it doesn't mean it will work with $SOME_GOVERNMENT's interfaces.

Of course in this case feldrim above pointed us to the mac/linux/etc downloads, so the Estonian government has actually heard there are other platforms besides Windows.

Presumably you'll be using it with a browser. I'm sorry that I didn't clarify that assumption in my first response.

I don't know about Estonia in particular but I'm guessing "$SOME_GOVERNMENT's interfaces" for most places is going to be HTTPS.

So, with that in mind, I've used a Nitrokey HSM and a Taglio PIVKey with Firefox on Linux using the OpenSC tools PKCS#11 module. I would suspect any smart card supported by OpenSC will work fine in Firefox.

From my reading, OpenSC is being distributed by the government of Estonia, so I suspect using it in a browser that supports PKCS#11 modules compatible with OpenSC on a Linux PC would work fine.

Yes, I use the eID software on Linux all the time. It is based on OpenSC and the main stuff in the browser is all standardised. OpenSC is loaded as a plugin to, say, Firefox, and most of the authentication is standard TLS client cert stuff.

The app is used for changing PINs and there's another one for signing documents.

Signing in the browser uses an extension, code here https://github.com/open-eid/chrome-token-signing

Exactly. They also have a GitHub organization for the e-ID software repos. https://github.com/open-eid
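The "standard TLS client cert stuff" mentioned above is ordinary mutual TLS: the browser (via the PKCS#11 module) presents the card's authentication certificate during the handshake, and the service accepts it only if it chains to the government CA it trusts. The following self-contained Go program, written here as an added illustration and not code from the open-eid project or the Estonian government, reproduces that check with constructed keys: a stand-in "government" CA issues a citizen certificate, a localhost HTTPS server demands a client certificate chained to that CA, and three requests are made (valid card, no card, a card signed by an unrelated CA). The CA names, the subject string and the greeting are all constructed for the demo; the server certificate is the one `net/http/httptest` ships for localhost.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

var serial int64 // monotonically increasing serial for the demo CA

// issue creates a certificate with the given CommonName. With isCA=true it is
// self-signed and may sign others; otherwise it is a client-auth leaf signed by parent.
func issue(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, parentKey = tmpl, key // self-signed root
	} else {
		// The EKU is what marks this as a card for TLS client authentication.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// startServer runs an HTTPS server that requires a client certificate chained to
// trustedCA and greets the caller by the certificate's CommonName.
func startServer(trustedCA *x509.Certificate) *httptest.Server {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// PeerCertificates is only populated once the chain verified against ClientCAs.
		fmt.Fprintf(w, "hello, %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	srv.StartTLS()
	return srv
}

// call performs one GET, presenting card if non-nil, and returns the response body.
func call(srv *httptest.Server, card *tls.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(srv.Certificate()) // trust httptest's self-signed localhost server cert
	cfg := &tls.Config{RootCAs: roots}
	if card != nil {
		cfg.Certificates = []tls.Certificate{*card}
	}
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	resp, err := client.Get(srv.URL)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo returns the greeting for a valid card and whether the no-card and
// rogue-CA requests were rejected by the handshake.
func Demo() (greeting string, noCardRejected, rogueRejected bool, err error) {
	govCA, govKey, err := issue("Demo Gov Root CA (constructed)", true, nil, nil)
	if err != nil {
		return "", false, false, err
	}
	citizen, citizenKey, err := issue("JANE DOE,00000000000", false, govCA, govKey) // constructed subject
	if err != nil {
		return "", false, false, err
	}
	rogueCA, rogueKey, err := issue("Rogue CA (constructed)", true, nil, nil)
	if err != nil {
		return "", false, false, err
	}
	impostor, impostorKey, err := issue("JANE DOE,00000000000", false, rogueCA, rogueKey)
	if err != nil {
		return "", false, false, err
	}
	srv := startServer(govCA)
	defer srv.Close()

	greeting, err = call(srv, &tls.Certificate{Certificate: [][]byte{citizen.Raw}, PrivateKey: citizenKey})
	if err != nil {
		return "", false, false, err
	}
	_, errNoCard := call(srv, nil)
	_, errRogue := call(srv, &tls.Certificate{Certificate: [][]byte{impostor.Raw}, PrivateKey: impostorKey})
	return greeting, errNoCard != nil, errRogue != nil, nil
}

func main() {
	greeting, noCard, rogue, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("valid card: %q\nno card rejected: %v\nrogue CA rejected: %v\n", greeting, noCard, rogue)
}
```

The point to notice is that the impostor certificate carries the same CommonName as the real one and is still refused: the service never reads the name out of the certificate until the chain to its configured CA has verified, which is exactly what makes the card usable as an identity across services without each one having to know the citizen beforehand.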
A question about number 4. By forwarding address, do you mean to a real email address? Denmark has a similar solution, but it can only be accessed via the website or a mobile application. The idea is that the content will almost always contain personal information, so it shouldn't be allowed to be transmitted via an unencrypted channel.

Side note: Denmark has a one time pad instead of a smartcard. A smart phone app has since been added, and the one time pad will be discontinued in about a year, sadly.

I have been in Estonia for a few months and got my TRP recently. It's new to me. But I heard that it's the same. It's just a notification probably. Yet, the term "forwarding address" makes me think it can be something else. I did not get any email from there yet, so I don't know actually.

The PKI thing includes a physical ID card, a software solution called Smart-ID and a mobile solution called Mobile ID. The software solutions are just authenticator apps that you've matched with your ID.

> If you are a citizen or a resident, you get an ID card to use for every public service. It's just a smart card with a government PKI.

This is the biggest flaw in the design. Tying the ID card to a single identity.

If you're using it with a bank, it needs to be tied to your bank account. If you're using it for physical access control at your company's building, it needs to be tied to your employee account. These are different things, and should be different things, for security.

You don't want a single system for everything. It makes the incentive to break it stronger, so it gets broken more often. It makes the consequences of it getting broken larger, so the damage when it happens multiplies. And it gets integrated into everything, so the amount of time it takes to roll out fixes increases. It's a security nightmare, and it gets polynomially worse the bigger the country is that tries to do it that way. (For reference, the GDP of Estonia is less than one third the revenue of Costco.)

> This is the biggest flaw in the design

No, it's solid design. It's a very simple safe primitive. You can build endless infrastructure on top of it. Similar to subkeys.

For example a lot of businesses use Smart-ID on top of that. You need to tie the smartid stuff to your PKI identity. But after that you can just use that as identity.

https://www.smart-id.com/

> It's a very simple safe primitive. You can build endless infrastructure on top of it.

It has nothing to do with the primitive. Someone will find a flaw in the implementation, or human flaws in the bureaucracy that administers it.

And building infrastructure on top of it is the flaw. These things should all be independent of one another.

The flaw right now is that you guys believe that all online identity needs to be decoupled from the online identity. There are a couple things you guys dismiss or don't think about:

1. Contrary to systems such as the German one, this identity system actually has a working upgrade and revocation path. The German one is assuming that it's safe by design and the identity being fixed. The German ID keys don't have a revocation system and they don't expire either.

2. The Baltic system has expiries on these private keys. They are authenticated against your physical government-issued ID with background checks being done by the currently existing police/Interpol infrastructure.

These private keys are not isolated from your identity. You receive them from government institutions that use the existing physical identity infrastructure.

The problem with people here is that they want the digital identity to be completely self contained. I get that sentiment and I don't disagree with it, but it's a completely different goal from what is being solved here.

This solves - in a much better fashion - what a lot of "crypto" fanatics want governments to use.

> Contrary to systems such as the German one, this identity system actually has a working upgrade and revocation path.

Systems without this are even more broken, but this is hardly the main problem.

The problem is that with a system like this, if you can compromise one person, you can compromise them totally. You compromise every part of their life that uses this system instead of just one when it's isolated from the others.

And if you can compromise that system itself, even temporarily, you can compromise everyone that comprehensively at once. Everyone's health records, stolen. Bank accounts drained. Trade secrets published or sold to foreign competitors.

Canceling their credentials after the fact doesn't undo all the damage.

> These private keys are not isolated from your identity. You receive them from government institutions that use the existing physical identity infrastructure.

In most cases this is a liability rather than an asset. It's only useful if you for some reason need to prove your physical government identity, e.g. so you can vote. But those few things can use the same process you use to bootstrap into this identity system to begin with.

If all you want to do is sign into a website or acquire a book or a contraceptive or travel, having that tied to your government identity is bad.

By public services, I meant the public services provided by the state. For instance, health insurance, family doctor application, taxes, etc.

Banks require your ID whether it's smart or not. But it's not for payment purposes but for authentication. And they are not state bodies, but private commercial entities. They are not part of the PKI ecosystem of the state.

> By public services, I meant the public services provided by the state. For instance, health insurance, family doctor application, taxes, etc.

It's not clear why any of these things should be tied together even when they're all provided by the government.

You may have to identify yourself to your employer for taxes, but why should they get the identity used for your healthcare when it isn't any of their business? All it does is create the potential for that to leak. Or vice versa. Your tax returns are none of the business of the doctor you asked out, so these things should not be tied together in any way.

And the only reason the bank wants your government identification is that they're required to by law. Otherwise banks would widely offer numbered accounts. Even then this should only require the identity used for taxes and not the one used for healthcare or military service or professional licensing, none of which is any business of the bank.

That still has the same issue mentioned in the article: it works fine inside an organization (the organization being, in this case, the whole country), but not between different organizations. For instance, how would I, a Brazilian, send a message to someone using that system?
> that can only be used within the e-government services

> You can't use it for other purposes. No RFC defined email address is shared with you

This is not entirely true. You get both:

* idcode@eesti.ee can only be used by government senders.

* you also get first.last.uniqueid@eesti.ee which works as a regular email address.

Oh, I didn't know that. That's new to me.
But is it really email as we know it? It looks more like a private message system like you find in forums and social networks.

In France, we are not as advanced as Estonia when it comes to e-government services, but we have an official identification system called "France connect", and government services have private messaging systems to communicate with them. And I think many countries have similar systems. The only difference seems to be that it is better integrated in Estonia.

I could only wish the US had something like that. Very few Congresspeople could even succinctly describe email to you, let alone express the need for a system like this. And even if they could introduce a bill, Big Tech lobbyists would instantly swoop in and proclaim the idea as a threat to national democracy, and instead try to steer the legislator to just hosting entire thing on their platform instead. I fucking hate our federal government.
There are a few issues. First, Estonia is a small country and it's relatively easier. Second, there's no legacy solution to comply with when a new feature is developed. US has both federal and local government systems, and many agencies with their own services. That creates an overhead for a new and standard[1] solution.

[1] https://xkcd.com/927/

In Australia we have mygov, which is a bit of a mess.
Adding to that, even worse, each state is also implementing its own identity solution. Take Service NSW, which is an expensive front-end built on Salesforce, with its digital driver's license. Each platform has its own digital identity system, which is just a waste of taxpayer money.