Case study: Italy
Italy provides a well-known root CA list. The list is made mainly by banks or official professional associations.
The official list is maintained at this address (no English version found), official requirements in English listed here.
What the OP legitimately asks is if the government itself, or a trusted agency may release X.509 certificates for everyone for public use, e.g. sign your own email.
Talking about Italy and mainly other EU countries, this is mainly a cost/benefit choice. Central governments do not normally have large budgets.
Issuing a passport is something different than maintaining digital certificates. A passport is something governments are issuing to the majority of their people to allow international travels, considering modern passenger flows, email-signing certificates are used by a definitely small niche of the market.
Commercial companies as the ones listes above require money by people applying for a digital ID in order to support their complex and critical infrastructure. They will check your government-issue ID to bind a specific digital identity (public key) to a government-issued identity, which in simple words is you but then leads us in the field of philosophy: "Who are we? What is the relationship between an individual and his identity? Is it illegal to use a legal name?"
In Italy, again, something more specific for some kind of unified digital ID has been done and is called SPID (pron. speed, acronym Sistema Pubblico per l'Identità Digitale, Public System for Digital Identity) and is implemented using X.509 certificates and SAML tokens exchange. Those certificates can be used only to authenticate.
Unfortunately the entire expensive project will have a hard life.
##Shattered Italian digital IDs (pre-SPID era)
So far all government offices tried to implement their own digital ID system to allow people to use a lot of online services, but the absence of a single government-pushed digital ID standard let do fragmentation in the market.
The 20 regions implemented the "CRS" (Carta Regionale Servizi, Regional Health Card), which is basically your Health Card enhanced with a smart card token, of which Wikipedia shows no photo (but really, think about a chip on the same plastic tag you find now). It contains an SSL Client certificate valid only (gasp!) within your Region, so if you relocate you need to replace your card despite your Tax Code/Social Security Number does not change during your entire life.
Another implementation of officially-recognized IDs was digital signature. Yea, that's right! X.509-powered non-repudiation certificates stored in... uhm... that's the point!
Those signatures were originally developed to give legal value to PDF/TXT documents, such as notary or government acts, but also private contracts. They needed to be deployed to smart cards or USB/SIM tokens, but their difficulty of utilization (need a workstation with reader, drivers and software, with the OSS community angry) forced the powers-that-be to approve HSMs. Long story short they are used only within specific regulated environments where hand signature is now forbidden or non-practical.
The certified email system and the digital certaneity of the sender
And then certified email. Third disaster in the country under examination. What the OP asked is a digital certificate for his emails, right? Riiiiiiiight? Italian people are smart, so smart that they have reinvented their own SMTP with PEC (Posta Elettronica Certificata, Electronic Certified Mail). Quick lesson on PEC:
- PEC address space is separated from internet-mail (RFC822) space. They comply to the RFC and transit via SMTP (encrypted SMTP) but basically a PEC address, in the original form, did not accept mail from internet host and could send only to PEC address spaces. This has changed, as now the exception is that a PEC-to-email message is not fully certified
- ISPs provide proof of delivery that
can is required to be accepted in official acts and courts
- ISPs also provide binding of addresses to identities with a public registry
- Private keys are held by ISPs. You do not sign your message, they do with your signature. Scary!!!!
For example, if you want to officially inquire Mr. President Gentiloni, drop a message to presidenza@pec.governo.it they can't deny to have received.
Now to SPID. Under President Renzi government, Italy finally tried to define an "ID system that rules them all". SPID was meant to allow citizens to access all online public systems with a single ID. SPID is currently a username/password/OTP authentication issued by 4 companies only. Government agencies are mandated to support SPIDfor public-oriented services. In the near future, we expect SPID to be used for schooling, as you already sign up for your children's school offline or online with or without a SPID.
All the digital ID systems suffer one thing: people don't need them in their daily life and that is the reason they don't sign up for them even when they are free. Digital alphabetization in this country is quite low compared to other countries, and all services/offices except one, with obviously no English localization are available without a SPID digital ID.
The Digital Identity Card project
Italy can be proud to be the first European country to have developed (which must not be confused with deployed) an electronic identity card made of the same e-passport technology and with a X.509 certificate for every individual. Since 1994!!!! But since it was never deployed nation-wide, and citizens had to either obtain a paper ID (which EU successfully deprecated along Greek paper IDs by 2026 deadline) or relocate to Milan and Rome, the only cities issuing a plastic biometric ID, the SPID project came to rise and success.
Well... there was another practical reason for SPID. ID can be issued only to physical people, while SPIDs can be issued to enterprises (i.e. a company identity).
Finally, only in 2016 the CIE plastic biometric ID was deployed nation-wide. Not all documents are replaced, but the plastic one is the only legal choice for newly issued IDs.
This allowed the Accedi con CIE (enter with Digital ID) project to be developed. You can log in using the X.509 certificate embedded in the plastic ID. A number of digital services are available to review/pay taxes, access health and labour related information, etc.
Since 2016, then, the X.509 certificate in the CIE card is (one of) the digital identity of an Italian citizen.
International trust: cross-border identity
Attempts in the EU are being made to make digital signatures and digital IDs interoperable across countries. However, until a single list of trusted CAs will be made across all Europe, certificates issued in a certain country are not necessarily trusted in another.
This is being mitigated by the eIDAS directive. A lot of time will take for digital IDs to be usable across all EU countries, but the goal is to make a unique "trust market" along the current "unique [currency] market".
As of 2020, Italy, our case study, has joined the eIDAS project and you can use both SPID and CIE card to enter any eIDAS service. An example is Europass.
Offline vs online trust
Digital IDs has little to do with Microsoft and Mozilla trusted certificates. If you see a certain CA in your browser's trust list it does not mean that the CA has power to issue a certificate valid for signing Revenue Agency documents. No, it means that the CA can issue a certificate stating the machine can "officially" respond for requests directed to "https://www.example.org".
The strenght and at the same time complexity of the PKI system itself is the lack of a single, central, trust list. Such lack is the only means of democracy in Internet, but here we are again: a CA must be enlisted in all lists to become "operational".
As an example, I'd like to ask users from America, East Asia and Oceania if their computers trust the following certificate:
- Serial: 35 d9 75 94 d1 b6 75 4d b6 36 42 cb b5 ea cf cf
- Subject DN: SERIALNUMBER = 97103420580,SN = Sicurezza,G = Ufficio,O = ,DigitPA,C = IT
- Issued by DN: CN = Ufficio Sicurezza,O = DigitPA,C = IT
- Valid until: 2020-05-17
Hint: my Windows 10 says "no"
But that certificate is an official government-related certificate.
Conclusion
I provided an example in which a central government or a bank trusted by the government issues X.509 certificates to people. There is to me no real good reason for a government not to be a CA.
The OP should not confuse the legal validity of a "paper" ID with the commercial added-value of an interoperable "digital ID", which effectively is a commercial good worth money.
Disclosure: my company actively works in tax & compliance environment for a number of European legal entities, where our customers (financial operators) are mandated by law to obtain and properly use digital signatures. I work daily with digital IDs so I claim to be an "expert" in the subject.
