Re: National Identity Card

From: Ish Sookun <ish.sookun_at_lsldigital.mu>
Date: Sat, 19 Sep 2015 18:23:29 +0400

Hello SM,

On 09/19/2015 11:00 AM, S Moonesamy wrote:
>
> Should I be reassured when I read a statement by an anonymous person
> commenting about security? :-) I would like to read the opinion of that
> person about http://www.elandsys.com/~sm/incorrect-standard-cca.html
>

No. I will not pay attention to what an anonymous expert has to say. It
is not credible.


> I'll comment about the topic. What happens if a person's National
> Identity Card is lost or stolen? The ID card contains personal data.
> It becomes a problem for that person if that ID card is misused by
> another person. How would the person prove that he or she did not use
> the card for illegal purposes?
>

A lot of people think that if some "data" is encrypted it becomes
totally secure. Well, one might think of that as security as long as the
decryption key does not leak. In the context of the National Identity
Card, we need to realise that once a person's biometric data have been
compromised and misused, it becomes complicated to prove who committed a
certain transaction using the biometric data.

Are our local teams ready and equipped to investigate such incidents
should they arise?

I quote from an article on orange.mu
(http://www.orange.mu/kinews/dossiers/societe/418048/les-donnees-biometriques-des-nouvelles-cartes-d-rsquo-identite-nationale-ne-seront-pas-stockees.html):

        "It is in fact a verification system (One to one), unlike the
old system (One to many)."

If I recall well, during the two cases against the ID Card in the
Supreme Court it was said that the card readers will not do any checks
on the centralized database. What should I understand with
"unlike the old system (One to many)"?

In the same article the following is mentioned:

        "According to the technicians working on behalf of the
registration centres, when fingerprints are taken, it requires a certain
amount of time to convert them into codes to be placed in the new
identity card."

According to the technicians the conversion of fingerprint images into
minutiae requires a certain amount of time and that cannot be done on
the premises. As per the article the fingerprint images are then deleted
to conform with the Supreme Court judgment.

The photo of a person is "biometric data", yet it is stored in the
database. The fingerprint minutiae are "biometric data", yet they are
stored in the ID Card.

> The following is the Ministry of Information and Communication
> Technology's reply to an issue raised in a report of the Director of
> Audit [2]:
>
> "The use of DSCs was compromised due to policy decision of the change
> in the domain name from gov.mu to govmu.org."
>
> Does that policy decision also affect the National Identity Card? I
> don't know.
>

In my opinion, yes, it does. We were told the MNIC was a Certification
Authority and was responsible for issuing digital certificates in the
National Identity Card project. We're now told that the National
Identity Card Centre (NICC) has replaced the MNIC. What about the
Certification Authority?

Regards,

-- 
Ish Sookun
Received on Sat Sep 19 2015 - 14:23:48 PST