Re: National Identity Card

From: S Moonesamy <sm+mu_at_elandsys.com>
Date: Sat, 19 Sep 2015 16:38:58 -0700

Hi Ish, Ajay,
At 07:23 19-09-2015, Ish Sookun wrote:
>A lot of people think that if some "data" is
>encrypted it becomes totally secure. Well, one
>might think that as security until the
>decryption key does not leak. In the context of
>the National Identity Card, we need to realise
>that once a person's biometric data have been
>compromised and misused, it becomes complicated
>to prove who committed a certain transaction using the biometric data.
>
>Are our local teams ready and equipped to
>investigate such incidents should they arise?

I have heard people (outside Mauritius) with a
strong interest in privacy saying that encrypting
data makes it secure. You mentioned the issue of
the "key" being leaked in the above. There are
also other possible issues. There are several
angles to the comment which you made in the last
part of the first paragraph; it is not about software or hardware only.

I don't know whether those local teams can
investigate such incidents. If the incidents
affect me, I would have to hire people with
legal expertise about the topic. I would have to
look for people who understand the technology to
explain it to the legal people. I would have to pay for all that.

>If I recall well, during the two cases against
>the ID Card in the Supreme Court it was said
>that the card readers will not do any checks on
>the centralized database. What should I
>understand with "contrairement à l’ancien système, (One to many)"?

I see a few issues. First of all, the government
has not published any information about the "one
to many". There isn't even a web site to find
answers to some simple questions. There isn't
any technical information about the ID cards or
the card readers. What I understood from the two
cases is that it opens several issues which affect technology.

>According to the technicians the conversion of
>fingerprint images into minutiae requires a
>certain amount of time and that cannot be done
>on the premises. As per the article the
>fingerprint images are then deleted to conform with the Supreme Court judgment.

That sounds like the ink used to take
fingerprints has to be left to dry. :-) The
above answer may be good enough for people who
are not conversant with the technology.

>The photo of a person is "biometric data", yet
>they are stored in the database. The fingerprint
>minutiae are "biometric data", yet they are stored in the ID Card.

It seems that nobody was aware of the photograph
issue or else the focus was solely on the
fingerprint issue as that issue had wide press coverage.

>In my opinion yes, it affects. We were told the
>MNIC was a Certification Authority and was
>responsible to issue digital certificates in the
>National Identity Card project. We're now told
>that the National Identity Card Centre (NICC)
>has replaced the MNIC. What about the Certification Authority?

There isn't any information about the so-called
Certification Authority. It is incomprehensible
how people expect those digital certificates to
be used if there isn't any information about it.

At 14:59 19-09-2015, Ajay R Ramjatan wrote:
>I'll add to this. We still do not know whether
>MNIS was authorised by the CCA to act as a
>certification authority. As far as I recall, all
>our emails to the CCA asking to clarify whether
>MNIS CA was recognised to operate as a CA were not answered.

Ish received an answer about the MNIS from the
Controller of Certification Authorities on 12
February. The reason given was that
authorization is not needed as the digital
certifications are issued to hardware
devices. Is it possible to use digital
certificates for a manual transaction? I do not think so.

Regards,
S. Moonesamy
Received on Sat Sep 19 2015 - 23:39:24 PST
