by spinny 1457 days ago
A very similar system has been in place in Portugal for some time.

The Portuguese EU id card (probably like all other EU id cards) can be used to access multiple government web services. There is also a mobile app to go along with it.

The card contains 2 TLS certificates (RSA 2048 bits), which are PIN protected (signing operations).

One is used for authentication (there is a public API available IIRC), the other is used for signing (that digital signature is considered a legally binding signature).

Not sure about the mobile app, but I assume the same functionality without the inconvenience of owning a card reader.

Vending machines that sell things for 18+ like smoking papers and lighters are required to have a card reader to verify the buyer's age.
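The post above describes two certificates on one card, one for authentication and one for legally binding signatures, both issued under a government PKI. The example below is added here and is not code from the post or from any real id-card project: it builds a constructed toy hierarchy of that shape (root, a sub-CA that issues only card certificates, and the two leaf certificates) with Go's standard library, then shows the policy a relying party such as an mTLS login endpoint would apply to the certificate a card presents. Every name, serial number and validity period is made up; the checks themselves (minimum RSA size, the digitalSignature bit, refusing the non-repudiation certificate for login, a chain to the trusted root via the sub-CA) are the generic ones, not the Portuguese service's actual rules.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// Constructed toy PKI with the shape described in the thread: a root, a sub-CA
// that issues only id-card certificates, and two leaf certificates per card:
// authCert for TLS client authentication, signCert for binding signatures.
// Names are made up for this example; this is not the real Portuguese hierarchy.
type cardPKI struct{ root, subCA, authCert, signCert *x509.Certificate }

func mustKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

// tmpl returns a one-day certificate template with the given serial and CN.
func tmpl(serial int64, cn string) *x509.Certificate {
	now := time.Now()
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		BasicConstraintsValid: true,
	}
}

// issue signs t with the parent's key and returns the parsed certificate.
func issue(t, parent *x509.Certificate, pub *rsa.PublicKey, parentKey *rsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	c, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return c
}

// buildPKI generates the hierarchy; leafBits is the RSA size of the card keys.
func buildPKI(leafBits int) *cardPKI {
	rootT := tmpl(1, "Example Root CA (constructed)")
	rootT.IsCA, rootT.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	rootKey := mustKey(2048)
	root := issue(rootT, rootT, &rootKey.PublicKey, rootKey) // self-signed

	subT := tmpl(2, "Example ID Card Sub-CA (constructed)")
	subT.IsCA, subT.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageCRLSign
	subT.MaxPathLenZero = true // pathLenConstraint 0: end-entity certs only
	subKey := mustKey(2048)
	subCA := issue(subT, root, &subKey.PublicKey, rootKey)

	authT := tmpl(3, "Card Holder (authentication)")
	authT.KeyUsage = x509.KeyUsageDigitalSignature
	authT.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	signT := tmpl(4, "Card Holder (signature)")
	signT.KeyUsage = x509.KeyUsageContentCommitment // the nonRepudiation bit
	return &cardPKI{root, subCA,
		issue(authT, subCA, &mustKey(leafBits).PublicKey, subKey),
		issue(signT, subCA, &mustKey(leafBits).PublicKey, subKey)}
}

// authorizeClientCert is the policy an mTLS endpoint applies to the certificate
// a card presents in the handshake: minimum key size, the right key-usage bits,
// and a chain to a trusted root through the sub-CA. A nil error means "login ok".
func authorizeClientCert(leaf *x509.Certificate, inter, roots *x509.CertPool) error {
	pub, ok := leaf.PublicKey.(*rsa.PublicKey)
	if !ok || pub.N.BitLen() < 2048 {
		return errors.New("key is not RSA of at least 2048 bits")
	}
	// The signing key must never sign TLS handshake data: a transcript signed by
	// the non-repudiation key could be passed off as a deliberate signature.
	if leaf.KeyUsage&x509.KeyUsageContentCommitment != 0 {
		return errors.New("signing certificate presented for authentication")
	}
	if leaf.KeyUsage&x509.KeyUsageDigitalSignature == 0 {
		return errors.New("certificate lacks the digitalSignature key usage")
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inter,
		KeyUsages:     []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}
```

The separation of the two key-usage checks is the point worth keeping in a real deployment: `Verify` alone treats a leaf with no extended key usage as valid for any purpose, so the signing certificate would pass chain validation for client auth unless the relying party looks at the `nonRepudiation` bit itself. Building the trust store from the root only and supplying the sub-CA as an intermediate mirrors how a server would be configured, so a card certificate without its issuing sub-CA in the handshake is rejected rather than silently trusted.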


> for authentication (there is a public api available IIRC)

If it's anything like what Estonia has had for ~10 years, it's probably the usual mTLS for authentication.

You can also very likely use it with anything that has smart card/PKCS#11 support - that includes SSH, logging in to your PC, and depending on the certificate S/MIME in Thunderbird or Outlook.

> rsa 2048 bits

Curious choice.

And the cert chain on those is valid. I took a peek when I got mine; the certificates (at the time) were issued by a sub-CA which, by the name, seems to be a gov entity that issues id card certs only. Don't remember which company owned the root cert of the signing chain (it was one of the common root certs used by browsers).

The choice of RSA 2048 is probably because of the card specs. It couldn't handle 4096 keys (this was maybe 10+ years ago) from what I've read at the time.

2048 bit RSA is probably the most conservative choice available at this point in time. For a thing like that you want conservative.
The Portuguese implementation of this is quite poor and widely unused. They started to improve it recently but nothing beats the implementation of BankID in Sweden, it is definitely a killer feature.