Note-to-self: public website/server certificate quick check.

Today my ESET Endpoint Security blocked my browser for what I know is (sorry, should be) a legitimate magazine website…

Using other browsers (Chrome, Firefox, Opera, Tor, …) on my machine, I had the same issue…

Microsoft Edge

“Website certificate revoked
The certificate used by this server has been marked as untrustworthy and the connection is not safe
Try connecting again later or from a different internet connection.
Access to it has been blocked.“

Tor

Using another pc or smartphone (not using ESET) … I was able to connect.

So what’s going on?

ESET protecting you…

Eset forums

When you look up the Eset message (“Website Certificate Revoked” eset), you’ll probably land on the ESET forums or knowledge base, … seems to be a pretty popular topic.
Like for example: https://forum.eset.com/topic/21531-eset-giving-website-certificate-revoked-message/

ESET knowledge base

https://support.eset.com/en/kb6258-website-certificate-is-revoked-is-displayed-when-visiting-legitimate-web-pages

ESET explains

“This warning is displayed when your ESET product detects that the security certificate for a website is revoked.
ESET cannot resolve the issue because only the owner of a domain can renew their security certificate. You cannot choose to continue to the site using the insecure certificate.”

How do you double check this information?

The ESET forums point to a very interesting and eays to use tool: SSLTest at SSLLabs.com

Open: https://www.ssllabs.com/ssltest/index.html

Then you can enter the URL of the website you want to visit or check…

Depending the status of the website (good…or bad), it will take a few seconds… to minutes… to scan the website and show the quality of the certificate.

In this case, it’s fairly clear why the website was blocked:

Just for your reference if you would check a website like: https://docs.microsoft.com, you’ll get A+ (that’s the other end of the scale..)

If you want to know more about the website rating, check the SSLLabs rating guide:

https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

The grading results in a score from A (top), (B) good, (C) average .. to (F) big fail lowest score …

So, it’s a very handy and free tool to check your website for issues.

Why are these websites not blocked by other tools or browsers?

First of all, check if you have an anti-virus or antimalware tool that checks the URL.

Because other browsers, apps or URL filters will not always check for the CRL (the certificate revocation list, containing certificates that are no longer valid…).

Or the CRL is not updated or and old CRL is cached. The ESET KB article mentioned, explains how to clear the CRL cache on your system.

Other interesting tools

The website (or mail) certificate is just one of the security indicators …
If you want to check the reputation of your URL, domain, website, mail system, DNS, … there are some more interesting tools you should have at hand, like https://mxtoolbox.com/NetworkTools.aspx.

Quite a while ago I posted an article on web and mail reputation, there is some more interesting free tools you can use to check the domain reputation.

See here: (TechNet Wiki) Hotmail/Outlook.com Solving Mass Mailing Delivery Issues

Conclusion

This situation show how easy it is to land on a website using revoked or unverified certificates…

Make sure to use a decent anti-malware and anti-virus tool. It’s worth to spend a small bit of money to protect your systems.

And if you combine it with some free tools to check the health of (your) websites and systems… you can achieve a decent level of security without spending a lot of money.

Thank you! And best wishes for 2021!

Thank you
… for supporting me
… for supporting us
… for not giving up
… for keeping a positive spirit
… for the constructive critics
… for the creative solutions
… finding and creating opportunities
… for making things possible
… for keeping us at the edge
… for being direct, open and honest

because that allows us to evolve, to develop, to grow, to learn and to become better

despite difficult times.

I wish each of you and your family the best for 2021,

with a lot of fun, joy and success, a lot of exciting new things…

And sometimes just a bit of luck.

Looking forward to work with you for another exciting year… And beyond.

Because your support keeps me sharp.

Looking forward to the first opportunity to meet, physically, in person and to catch up all the things we missed.

And of course, a good health.
Keep safe and secure!

Dank je wel! En beste wensen voor 2021! (NL)

Dank je
… om mij te steunen
… om ons te steunen
… om het niet op te geven
… om een positieve mindset te behouden
… voor de constructieve kritiek
… voor de creatieve oplossingen
… om kansen te vinden en te creëren
… om dingen mogelijk te maken
… om ons scherp en alert te houden
… omdat je direct, open en eerlijk bent

omdat dat ons in staat stelt om te evolueren, ons te ontwikkelen, te groeien, te leren en beter te worden

ondanks moeilijke tijden.

Ik wens ieder van jullie en je gezin het beste voor 2021,

met veel plezier, vreugde en succes, veel spannende nieuwe dingen …

En soms gewoon een beetje geluk.

Ik kijk er naar uit om weer met je samen te werken voor nog een spannend jaar … en daarna.

Zonder jouw steun kan ik mijn ding niet doen… .

Ik kijk uit naar de eerste gelegenheid om elkaar fysiek en persoonlijk te ontmoeten en om alle dingen die we hebben gemist in te halen.

En natuurlijk een goede gezondheid.
Hou het veilig en goed beveiligd!

Extended mapping of CIS Controls to ISO27001 security controls

Introduction

The CIS (Center for Information Security) Controls list is a very well known list of security measures to protect your environment against cyberattacks.
The Center for Information Security provides a handy XLS sheet for download to assist in your exercise.

Here is the link: https://www.cisecurity.org/controls/cis-controls-list/

Many companies use this controls list already, but also require to map their CIS security controls to ISO27001, for various reasons.

Implementing security controls with regards to the NIS directive, is one of them, eg when you’re implementing OT…

ISO27001 controls mapping

For that purpose the CIS provided a XLS mapping between the CIS controls and ISO27001.

You can download the sheet from the CIS website: https://learn.cisecurity.org/controls-sub-controls-mapping-to-ISO-v1.1.a

Security note for the security freaks, apparently the document is hosted on the pardot(dot)com Salesforce website, which might be blocked by Adlist domain blockers as it’s used for marketing campaigns, you might need to unblock it, or use Tor browser…)

Alternatively, it’s available from the CIS Workbench community at: https://workbench.cisecurity.org/files/2329 (registration might be needed to access the download)

FYI, the previous version (2019, v1) of the mapping had quite some gaps. Therefor I’ve submitted a suggestion for an updated CIS-ISO27001 mapping.
And after review, a new version (1.1) with updates has been published on the CIS workbench.

Direct download for version 1.1 available at: https://workbench.cisecurity.org/files/2329/download/3615

Still some gaps

You’ll notice that the update (1.1) version has still some gaps. And I’ll leave to the discretion of the CIS review work group to argument these gaps.

But I’m convinced you can map the CIS controls for 100% to ISO27001, in one way or another, meaning use ALL ISO27001 controls in certain extent (sometimes a subset, equally or a superset of it, combining controls.)

But the license for use of the CIS controls mapping does not allow redistribution of modified materials…

Disclaimer (the small print)

Here’s the License from the mapping file:

Their work (quote) “is licensed under a Creative Commons Attribution-Non Commercial-No Derivatives 4.0 International Public License (the link can be found at https://creativecommons.org/licenses/by-nc-nd/4.0/legalcode

To further clarify the Creative Commons license related to the CIS ControlsTM content, you are authorized to copy and redistribute the content as a framework for use by you, within your organization and outside of your organization for non-commercial purposes only, provided that (i) appropriate credit is given to CIS, and (ii) a link to the license is provided. Additionally, if you remix, transform or build upon the CIS Controls, you may not distribute the modified materials. Users of the CIS Controls framework are also required to refer to (http://www.cisecurity.org/controls/) when referring to the CIS Controls in order to ensure that users are employing the most up-to-date guidance. Commercial use of the CIS Controls is subject to the prior approval of CIS® (Center for Internet Security, Inc.).”

So I CANNOT distribute the XLS as modified material (Why not?).

Extending the mapping

If you still want to build an extended version of the mapping on your own, you download the 1.1 version and add these items to the list:

CIS section	Coverage	ISO27001 Control
2.2	=	A.12.5.1
2.5	=	A.8.1.1
2.8	small subset	A.12.5.1
2.10	small superset	A.9.4.1/A.8.2
3.1	small subset	A.12.6.1
3.2	small subset	A.12.6.1
3.4	small subset	A.12.6.1
3.5	small subset	A.12.6.1
3.6	small subset	A.12.6.1
4.1	small superset	A.8.1.1/A.9.2.3
6.5	small subset	A.12.4.1
6.6	small subset	A.12.4.1
6.8	small subset	A.12.4.1
7.3	small subset	A.12.2.1
7.5	small superset	A.8./A.13.1.1
7.6	small subset	A.13.1.1
8.3	small subset	A12.2.1
9.5	small subset	A.13.1.1
10.2	small subset	A.12.3.1
10.5	=	A.12.3.1
11.1	small subset	A.13.1.1
11.2	small subset	A.13.1.1
11.6	small subset	A.13.1.1
12.1	small subset	A.13.1.1
12.5	small subset	A.13.1.1
12.10	small subset	A.13.1.1
13.2	small subset	A.11.2.5
14.7	small subset	A.8.2.3
16.2	small subset	A.9.3.1
16.3	small subset	A.9.3.1
16.9	small subset	A.9.2.1
16.10	small subset	A.9.2.1
16.12	=	A.12.4.1
16.13	=	A.12.4.1
17.1	=	Clause 7.2
18.3	=	A.12.5.1
18.4	=	A.12.5.1
18.7	=	A.14.2.9
18.10	small subset	A.14.2.5
18.11	small subset	A.14.2.5
19.3	small subset	A16.1.1
19.6	small subset	A16.1.2
19.7	small subset	A16.1.1
19.8	small subset	A16.1.4
20.1	small subset	A18.2.3
20.2	small subset	A18.2.3
20.3	small subset	A18.2.3
20.4	small subset	A18.2.3
20.5	small subset	A18.2.3
20.6	small subset	A18.2.3
20.7	small subset	A18.2.3
20.8	small subset	A18.2.3

Planning for ISO Certification using CIS Controls?

When you look at it from a different angle and you would like to build a plan to certify your ISO27001 implementation, we need to turn around the mapping, and look for the gaps in the ISO27001 security controls AND CLAUSES, when doing the CIS control mapping.

And then you’ll notice the explicit difference in approach between CIS controls and ISO27001 controls.
CIS controls are focusing on technical implementation to harden your cybersecurity, while ISO27001 is a management system that needs these controls, but requires a management layer to support these technical controls. CIS controls are lacking this management layer.
If you compare both systems in a table the story gets clear:

The “red” areas require extra work to make it ISO27001 compliant.

And as always, if you have suggestions of feedback to improve this article, let me know, I’ll fix it on the fly.

A quick walk-through of the new ISO29184 – Online Privacy notices and consent

Source and download: https://www.iso.org/standard/70331.html

With the publication of the GDPR in 2016, it quickly became clear that it would massively impact the direct marketing sector, simply because direct marketing runs on personal data.

On 25 may 2018, the GDPR came into force, changing the global mindset on data protection (and privacy by extension).

Anno 2020, 2 years after the publication, many enterprises, large and small still struggle to apply the data protection regulation and best practices.

And for the direct marketing companies, this is a particular difficult topic, after 4 years.

So, maybe, the newly (june 2020) published standard can provide a practical help to implement consent management. Please remind that the GDPR is a regulation/law… not a best practice with hints and tips.

For hints & tips and practical advice on GDPR, check the EDPB (previously known as WP29) website: https://edpb.europa.eu/our-work-tools/general-guidance_en (Check the Our Work & Tools menu).

While there has been a lot of guidance, communication & education on implementing a direct marketing that is compliant with GDPR and ePrivacy/eCommunication regulation and directives.

Even, for other markets than direct marketing where managing personal data is optional (meaning, not part of core business), you can use this guide to manage privacy or data protection notices for your newsletters and website.

Side note

The ISO 29184 is strictly and only about privacy notices and consent, it’s not an in depth guide for direct marketing, but it’s an essential part of it.

If you need more information on the EU ePrivacy/eCommunications directive , see here: https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058

ISO 29184 content walk through

Document structure

After the mandatory basic chapters (Foreword, 1. Scope), the document hints to ISO 29100 in chapter 2 (Normative References) and 3. (Terms and definitions.

Important note here is that the definition of “explicit consent” has been updated to match the GDPR requirement for unambiguous affirmative consent.

Chapter 5 contains the “general requirements and recommendations”.

A major requirement (and typical for ISO compliance like in ISO9001 and ISO27001) is that you need to document the implementation of each control in this standard.

The content is structured in 5 chapters (Level 2)

Overall objective
Notice
Contents of notice
Consent
Change of conditions

To read the full details, you know what to do,…

But it’s interesting to see the technical/operations controls required in this standard

General conditions on privacy notice

Provide information to all interested parties about your privacy practices, including
- the identity and registered address of the data controller, and
- contact points where the subject (in this standard the subject is called “PII principal”)
Provide clear and easy to understand information
- with regards the target audience,
- which are usually NOT lawyers or data protection specialists),
- taking care of the expected language of your audience
You must determine and document the appropriate time for providing notice
- Remember the Art. 13 and Art 14 definitions in GDPR
- By preference, you should notify the subject immediately before collecting PII (and/or consent)
You must provide notices in a appropriate way
- by preference in more than 1 way,
- to make sure the subject can find and consult the notices,
- digitally and in a easy accessible method
- also after initial contact
- As also defined in many GDPR guidelines, the consent standard refers to a multilayer approach (avoiding to provide too much information at the same time, but provide the details when needed)
Make sure that the privacy notice is accessible all the time.

Notice content

make sure you’re absolutely clear, honest and transparent about your personal data processing
Define, document and describe clearly
- the processing purpose
- each element of the processing (remember the processing definitions defined in Art. 4 of GDPR)
- the identification of the data controller
- the data collection details, incl
  - methods used
  - details of data collected
  - type of collection (direct, indirect, observation, inference…)
  - timing and location of collection
- use of data, including
  - direct use without data transformation
  - reprocessing data
  - combining, like enrichment
  - automated decision making
  - transfer of data to 3rd party
  - data retention (incl backup)
- data subject rights
  - access request
  - authentication to provide access
  - timelines
  - any fees that apply
  - how to revoke consent
  - how to file a compliant
  - how to submit a inquiry
- Evidence about consent provided (and changed) by the subject
- the legal basis for processing PII/personal data
- the risks related with the data and the plausible impact to the subject privacy

Consent management

Identify if whether consent is appropriate
- Remember that there are other purposes and reasons for processing data, which usually have a more stable, more solid background, like
  - contracts
  - compliance with legal obligations and regulations
  - vital interest,
  - public interest
  - (legitimate interest, which is usually way more difficult to enforce or to convince the subject)
- Informed and freely given consent
  - how do you guarantee that the subject is providing consent without any feeling of coercing, force, conditions, …
  - Independence from other processing or consent
    - Remember the GDPR guidelines where you CANNOT force consent as
- Inform the subject which account this processing is related to
  - provide a clear description of the identifier (userID, mail, login, …)

ISO29184 also introduces the consent lifecycle, meaning that is it’s not sufficient to provide notice at first contact with the subject, but you also need to maintain, to update and to renew it on a regular basis, taking into account that the conditions of consent might change (or might have changed after initial consent).

The last part of the ISO 29184 are annexes with interesting user interface examples.

The perfect document set

To make the online privacy and consent management work, this ISO/IEC 29184 will not do on itself as the standard links to the following documents:

(FREE, EN – FR) ISO 27000: ISMS vocabulary
(*) ISO27001: ISMS, Information Security Management Systems
(*) ISO27002: Code of practice for ISO 27001)
ISO27701: PIMS, Privacy Information Management System, the privacy or data protection extension of ISO27001
(FREE, EN – FR) ISO29100: Privacy framework
ISO29151: Code of Practices – Privacy Framework (the ISO27002 version of ISO29100)
ISO29134: PIA, Privacy Impact Assessment (foundation of the DPIA in GDPR)

References

Free downloads

ISO Public documents: https://ffwd2.me/FreeISO

If not available for free download, then you’ll need to purchase the ISO standards documents from the ISO e-shop or from the national standards organisation (like NBN for Belgium, NEN for Netherlands, …)

Free (ISC)² Exams flash cards all in one place (*)

(*) with respect for your privacy, no login, nor mail required for

CISSP

CSSLP

CCSP

Chapter 1: Cloud Concepts, Architecture, and Design
- https://www.isc2.org/training/self-study-resources/flashcards/ccsp/chapter-1
Chapter 2: Cloud Governance – Legal Risk, and Compliance
- https://www.isc2.org/training/self-study-resources/flashcards/ccsp/chapter-2
Chapter 3: Cloud Data Security Domain
- https://www.isc2.org/training/self-study-resources/flashcards/ccsp/chapter-3
Chapter 4: Cloud Platform and Infrastructure Security
- https://www.isc2.org/Training/Self-Study Resources/Flashcards/CCSP/chapter-4
Chapter 5: Cloud Application Security
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/CCSP/chapter-5
Chapter 6: Cloud Security Operations
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/CCSP/chapter-6

SSCP

Chapter 1: Introducing Security and Aligning Asset Management to Risk Management
- https://www.isc2.org/training/self-study-resources/flashcards/sscp/chapter-1
Chapter 2: Understand Risk Management Options and the use of Access Controls to protect Assets
- https://www.isc2.org/training/self-study-resources/flashcards/sscp/chapter-2
Chapter 3: Cryptography
- https://www.isc2.org/training/self-study-resources/flashcards/sscp/chapter-3
Chapter 4: Securing Software, Using Security Protocols and Securing Remote Users
- https://www.isc2.org/training/self-study-resources/flashcards/sscp/chapter-4
Chapter 5: Networking and Role of the Hypervisor
- https://www.isc2.org/training/self-study-resources/flashcards/sscp/chapter-5
Chapter 6: Wireless Networking, Telecoms, Cloud Configuration, Monitoring Systems and Endpoint Security
- https://www.isc2.org/training/self-study-resources/flashcards/sscp/chapter-6
Chapter 7: Security Testing and Incident Handling
- https://www.isc2.org/training/self-study-resources/flashcards/sscp/chapter-7
Chapter 8: Physical Security Managing Change and Personnel Training
- https://www.isc2.org/training/self-study-resources/flashcards/sscp/chapter-8

CAP

Domain 1: Information Security Risk Management Program
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/CAP/Domain-1
Domain 2: Categorization of Information Systems (IS)
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/CAP/domain-2
Domain 3: Selection of Security Controls
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/CAP/Domain-3
Domain 4: Implementation of Security Controls
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/CAP/Domain-4
Domain 5: Assessment of Security Controls
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/CAP/Domain-5
Domain 6: Authorization of Information Systems (IS)
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/CAP/Domain-6
Domain 7: Continuous Monitoring
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/CAP/Domain-7

HCISSP

Chapter 1: Risk Management and Risk Assessment Domain
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/HCISPP/chapter-1
Chapter 2: Regulatory and Standards Environment Domain
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/HCISPP/chapter-2
Chapter 3: Third-Part Risk Management Domain
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/HCISPP/chapter-3
Chapter 4: Healthcare Industry Domain
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/HCISPP/chapter-4
Chapter 5: Information Governance: Legal, Risk and Compliance Domain
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/HCISPP/chapter-5
Chapter 6: Information Technologies in Healthcare Domain
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/HCISPP/chapter-6
Chapter 7: Privacy and Security in Healthcare Domain
- https://www.isc2.org/Training/Self-Study-Resources/Flashcards/HCISPP/chapter-7

Sorry, (free) registration still required for:

CISSP-ISSAP:https://enroll.isc2.org/product?catalog=CISSP-ISSAP-FC

CISSP-ISSEP: https://enroll.isc2.org/product?catalog=CISSP-ISSEP-FC

CISSP-ISSMP:https://enroll.isc2.org/product?catalog=ISSMP-FC-2019

Signing a PDF with Belgian eID – step-by-step for beginners (a bit more then what they tell you on the official page)

On the website for the Belgian eID, you can find some basic hints & tips to sign PDF documents with the Belgian identity card and the Acrobat reader application….

But there are other PDF applications than Acrobat Reader DC and the guide on the eID signing doesn’t detail the prerequisites in the signing manual to make it work.

Technical tip: the tech prerequisites and how to validate them are explained in the technical manual (over here: https://eid.belgium.be/nl/technische-documentatie#7389)

Acrobat Reader DC may be the most prominent PDF reader, it’s certainly not the only one and certainly not the most performant one.

Furthermore, the document signing in Acrobat Reader is pretty confusing as you must select the “Certificates” module and NOT “Fill & Sign”.

Difference between Authentication & Signing

When you, as verified user, want to put a digital signature on documents, this is called “signing”, confirming the document content.

In this circumstances, the “authentication” part is not relevant. Authentication is used to prove your identity.

For your information: the Belgian eID is NOT designed to provide encryption (which is the 3rd option to use a certificate). So you cannot use the BE eID for encryption of documents, sadly enough.

More info (NL, also EN version available): https://eid.belgium.be/nl/aanmelden-met-eid#7559 (EN, https://eid.belgium.be/en/log-eid#7559)

Prerequisites

Certificates in user certificate store

You need to have the user certificates installed on your user account on the local pc (actually the personal user certificate store) to make the document signing work in the applications.

If you haven’t used the eID certificates before, or in the case of a new computer, you’ll need to install the user certificates on your computer.
The easiest and official way to install them, is using the eID viewer application.

eID Software

Note on Language

The eID website is supporting NL, FR, DE and EN as language, I’ll only refer to NL and EN as main languages but FR and DE are supported too.

Download

Download and install the eID software from this source: https://eid.belgium.be/nl (for NL. Also available: EN, FR and DE).
It includes the eID middleware and the eID viewer we’ll use to read and install the eID certificaties on your computer (actually your user account).

Install

The manual to install the eID software is here:

(NL) https://eid.belgium.be/nl/hoe-installeer-ik-de-eid-software

(EN) https://eid.belgium.be/en/technical-documentation

Verifying the presence of the user certificates (Signing)

When you use the certificates and/or the eID software, the certificates should be installed in the user certificates store automatically, but that is not always the case, depending the configuration and security of your computer.

Technical hint: there is a “Certificate Propagation Service” troubleshooting article on the eID website that helps you: https://eid.belgium.be/nl/technische-documentatie#7256

To sign PDF documents with a certificate, most PDF readers will check for certificates in the user certificate store on the local computer, not directly from the card reader.

Steps

1. MMC

Via the Windows button, run the mmc (Microsoft Management Console), you’ll need to run it in elevated mode (so consent the UAC popup)

2. Add snap in : Certificates

Via menu “File”, “Add/Remove Snap-in”, add the “Certificates” snap in.
Choose “My User Account” (as the eID certificates are injected in your user account, not your computer or service account)

Finish and click ok.

3. Open the personal certificate store

In the “certificates – current user” > Personal > Certificates, check the list of certificates available.

You should see something like:

If ok, then you’re ready to sign documents, using eID.

If NOT, then you’ll need to add the certificates manually.

Manual installation of the eID certs

1. Insert your eID

Attach a supported card reader and insert your eID smart card.

2. open the eID viewer > Certificates tab

Right click the “Signature” certificate (you can do the same for the Authentication certificate. Select “Detailed Information”.

Then, click the “install certificate…” button:

Then run the default option steps: click next, next next … next… finish.

Import the certificate to the current user certificate store

Click Finish and you should be set to go for signing documents.

Signing PDF docs

Adobe Acrobat DC

This is explained on the eID website:

(NL) https://eid.belgium.be/nl/digitale-handtekeningen#7261

(EN) https://eid.belgium.be/en/digital-signatures#7261

IMPORTANT

Select the “Certificates” module and NOT “Fill & Sign”.

The “Fill and Sign” is used for graphical signatures, replacing the manual signing of paper copies, and eliminates the need of rescanning.

eID is a “qualified” and legally support signature.

If your counterpart (the other signing party) doesn’t require a qualified signature, this is a good alternative for eID (as there is some sensitive data like social security number, incl birthday and gender mentioned in the eID signature)