As a Belgian citizen, I was issued an electronic ID (eID) by the federal government. It’s essentially a smart card with personal data, my picture (JPEG) and a couple of X.509 certificates for authentication and digital signing.
One of its applications is authentication on web sites. This is already possible now, provided I have a smart card reader and install the necessary software provided by the federal government.
Now take a look at the properties of the Windows setup file for the eID client software:
Now I expect to see something here, but it’s missing. Do you miss it too? Here’s a hint:
That’s right, the installation program is not digitally signed (Authenticode). Neither are any of the executables installed by the installation program.
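As an added example (not code from this post or from the eID software), here is what the missing Digital Signatures tab corresponds to on disk: the tab appears when the PE's Certificate Table data directory points at an embedded WIN_CERTIFICATE blob. The check parses only the headers, and the header-only PE images it builds are constructed stand-ins for the real installer.

```python
import struct

SECURITY_DIR_INDEX = 4  # IMAGE_DIRECTORY_ENTRY_SECURITY (the Certificate Table)
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002  # Authenticode: PKCS#7 SignedData

def authenticode_info(data: bytes) -> dict:
    """Header-only check: an embedded blob is what makes the 'Digital Signatures'
    tab appear. It does not verify the signature or its chain; use signtool verify
    or Get-AuthenticodeSignature for that."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]  # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt_off = pe_off + 4 + 20  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt_off)[0]
    if magic == 0x10B:
        fmt, dirs_off = "PE32", opt_off + 96
    elif magic == 0x20B:
        fmt, dirs_off = "PE32+", opt_off + 112
    else:
        raise ValueError("unknown optional-header magic 0x%x" % magic)
    num_dirs = struct.unpack_from("<I", data, dirs_off - 4)[0]  # NumberOfRvaAndSizes
    unsigned = {"format": fmt, "signed": False, "cert_type": None}
    if num_dirs <= SECURITY_DIR_INDEX:
        return unsigned
    # Unlike every other directory, this entry holds a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, dirs_off + 8 * SECURITY_DIR_INDEX)
    if cert_off == 0 or cert_size == 0:
        return unsigned
    if cert_size < 8 or cert_off + cert_size > len(data):
        raise ValueError("certificate table points outside the file")
    length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)  # WIN_CERTIFICATE
    return {"format": fmt, "signed": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
            "cert_type": cert_type, "blob_length": length}

def build_test_pe(cert_type=None, pe32plus: bool = False) -> bytes:
    """Constructed header-only PE (not executable); cert_type appends a dummy WIN_CERTIFICATE."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)  # e_lfanew = 0x40
    fixed_len = 112 if pe32plus else 96  # optional-header bytes before the data directories
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, fixed_len + 16 * 8, 0)
    magic = struct.pack("<H", 0x20B if pe32plus else 0x10B)
    fixed = magic.ljust(fixed_len - 4, b"\0") + struct.pack("<I", 16)  # 16 data directories
    dirs = bytearray(16 * 8)
    blob = b"" if cert_type is None else struct.pack("<IHH", 10, 0x0200, cert_type) + b"\x30\x00"
    if blob:  # point the security directory at the blob appended after the headers
        blob_off = len(dos) + 4 + len(coff) + len(fixed) + len(dirs)
        struct.pack_into("<II", dirs, 8 * SECURITY_DIR_INDEX, blob_off, len(blob))
    return dos + b"PE\0\0" + coff + fixed + bytes(dirs) + blob
```

Run `authenticode_info(open(path, "rb").read())` on the downloaded setup file to reproduce the observation; a result of `signed: False` is exactly the missing tab.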
I’m surprised that the government invests in a PKI to issue IDs to all its citizens, yet it doesn’t deem it necessary to invest in a delivery mechanism that certifies the origin and integrity of the client software.