[Avamander]

> for authentication (there is a public api available IIRC)

If it's anything like what Estonia has had for ~10 years, it's probably the usual mTLS for authentication.

You can also very likely use it anything that has smart card/PKCS#11 support - that includes SSH, logging in to your PC, and depending on the certificate S/MIME in Thunderbird or Outlook.

> rsa 2048 bits

Curious choice.

[spinny]

And the cert chain on those is valid. i took a peek when i got mine the certificates (at the time) were issued by a sub-ca which by the name seems to be a gov entity and issue id card certs only. don't remember which company owned the root cert of the signing chain (it was a one of the common root cert used by browsers)

The choice of rsa2048 is probably because of the card specs. it couldn't handle 4096 keys (this was maybe 10+ years ago) from what i've read at the time

[upofadown]

2048 bit RSA is probably the most conservative choice available at this point in time. For a thing like that you want conservative.