Italian CNS and CIE

The patch in ticket #177 adds support for the Italian CNS and CIE through the itacns card driver and PKCS#15 emulator.

The patch is under development and testing; you can grab the latest version with Mercurial at http://itacns.corp.it/hg/itacns/ or download (tar.bz2) it directly.

CNS stands for Carta Nazionale dei Servizi (National Service Card); CIE stands for Carta d'Identità Elettronica (Electronic Identity Card). From the viewpoint of the software there is not much difference between them: the basic filesystem layout is very similar and the Functional Specifications detailing the APDU commands are almost identical. The two cards exist because:

The filesystem layout is flexible. A lot of different administrations issue CNS cards; each administration personalizes the card with its own "service installation" public key. Authentication with the matching private key provides the ability to add support for custom additional objects after the card has been issued. Some Regions have prepared their cards to store medical data in accordance to the NETLINK standard; Chambers of Commerce issue CNS cards with additional signature keys. Third parties can register with the CNIPA government agency and obtain the allocation of file IDs for their applications; then the CNS issuer may install the files.

All CNS/CIE cards carry one X.509 certificate with its public and private keys, mostly used for on-line authentication via SSL. Encryption, decryption, signature with this certificate is the basic functionality currently supported by the itacns driver.

References

CNS tech specs:

CIE specs: (leave the search box empty and hit "Inizia la ricerca" to get a full listing of the documents)]: