eID Activation

In order to use the German eID card or similar eID cards for strong authentication on the internet, the "eID-Client" (e.g. the Open eCard App) must be activated from within the browser so that it can establish a connection to the "eID-Server", with which the actual authentication is then performed, for example using the Extended Access Control (EAC) protocol.

Until Version 1.1.1 of BSI-TR-03112, eID activation used the following mechanism:

[Figure: eid-activation1]

Here, in step (2), the Service returns a specific <object> element of type application/vnd.ecard-client, which is recognized by the browser extension (BE) in step (3) and actively pushed to the eID-Client.

Because this mechanism requires browser-specific extensions, which are sometimes hard to maintain and are not available on some mobile platforms, Version 1.1.2 of BSI-TR-03112 (see part 7, section 3.2.1), published on February 28th 2012, introduced an alternative mechanism for eID activation, depicted below.

[Figure: eid-activation2]

Instead of an <object>, the Service now returns in step (2) a clickable link (<a href= …), which may be visualized by a picture and points to the eID-Client running on localhost at port 24727. As soon as the User clicks the link, the eID-Client is activated and connects to the TCToken endpoint to retrieve the missing connection parameters (ServerAddress, SessionIdentifier, RefreshAddress etc.). The major advantage of this mechanism is that no browser-specific extension components are necessary.
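As an added illustration (not code from this page or from the Open eCard project), the following Python sketches both halves of the localhost mechanism: the link a Service would embed in step (2), and the eID-Client side extracting the connection parameters from a constructed TCToken and refusing one that lacks a field or points at a non-TLS address. The path /eID-Client, the tcTokenURL parameter and the Binding element in the sample token are assumptions for this example.

```python
# Added example: localhost eID activation link and TCToken handling.
# Not the Open eCard App's code; names marked below are assumptions.
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlparse

# Constructed sample TCToken. ServerAddress, SessionIdentifier and
# RefreshAddress are the parameters named in the text; Binding is an
# assumed additional element and the values are made up.
SAMPLE_TCTOKEN = """<TCTokenType>
  <ServerAddress>https://eid-server.example.org:443/eac</ServerAddress>
  <SessionIdentifier>0123456789abcdef</SessionIdentifier>
  <RefreshAddress>https://service.example.org/eid/return</RefreshAddress>
  <Binding>urn:liberty:paos:2006-08</Binding>
</TCTokenType>"""

REQUIRED = ("ServerAddress", "SessionIdentifier", "RefreshAddress")


def activation_link(tctoken_url: str) -> str:
    """Link the Service embeds in its page (step 2), pointing at the
    eID-Client on localhost:24727. The /eID-Client path and the
    tcTokenURL parameter are assumptions for this example."""
    return "http://127.0.0.1:24727/eID-Client?" + urlencode(
        {"tcTokenURL": tctoken_url}
    )


def parse_tctoken(xml_text: str) -> dict:
    """eID-Client side: pull the connection parameters out of the
    TCToken fetched from the TCToken endpoint, rejecting a token that
    lacks one of them or whose addresses are not protected by TLS."""
    root = ET.fromstring(xml_text)
    if root.tag != "TCTokenType":
        raise ValueError(f"unexpected root element {root.tag!r}")
    params = {}
    for name in REQUIRED:
        node = root.find(name)
        if node is None or not (node.text or "").strip():
            raise ValueError(f"TCToken is missing {name}")
        params[name] = node.text.strip()
    # Both addresses must be https; otherwise the client would carry the
    # card holder's session to an unauthenticated endpoint.
    for name in ("ServerAddress", "RefreshAddress"):
        if urlparse(params[name]).scheme != "https":
            raise ValueError(f"{name} must use https: {params[name]}")
    return params
```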

The Open eCard App supports both activation mechanisms.