A secure democratic Net is a fundamental right

The whole discussion about the quality of the code in EID began with our famous video in the beginning of this year (but only made available to the public in May). There was something not right if that was so easy to do. Something would not have been thought through or tested. There were some ideas but we couldn't put our finger on it. Maybe we wished that the code was good and this was only an oversight.

The discussion continued when a professor wrote an article about the EID and had covered in it some comments about the quality of the code. We were even more convinced that there is more to it than we thought.

Than we saw a big strange discussion about standards and EID that broke out in IT-professional. The first shot was fired when the person responsable for the flemish egov projects said he expected Microsoft to do more with the EID than it has done so far. The new Microsoft CEO answered in an open letter and said more or less that Microsoft followed international standards and not necessarily the Belgian EID standards. In another article much later it became clear that Microsoft was pursuing an international route and that the Belgian EID would not be treated in any preferential way than any other product that wanted to be integrated in the windows environment. The question that wasn't answered was : why ? Nobody said so but there had to be a reason, because otherwise he wouldn't have persisted.

So we now have learned from consultants in Identitymanagement that it is according to Microsoft better to use EID with Vista and Windows2008 with the latest servicepacks rather than the other versions (xp and 2003). The reason is that Microsoft has rewritten herself some parts of the code of the EID so that it is as safe as is required nowadays by Microsoft for any product. The problem with the EID seems to be that it failed some tests of code security in a big way and rather than refusing the product (which would have made an enormous fuss) Microsoft engineers somewhere rewrote parts of the code.

So how big is the problem with the security and quality of the code of the EID ? And no we don't need the normal standards propaganda and publicity. If the code is secure it has passed all the security and qualitytests you can put code through.

Maybe it is time for someone to ask the right but hard questions. Everybody in Belgium will be walking around with that card and that card is being used and planned to be used for numerous applications.