Hello! My name is Qi Leung. I am a student of the Moscow State University, the Faculty of Computational Mathematics and Cybernetics, the Department of Information Systems Security, the third year. The topic of my team's scientific report at the upcoming local conference of my faculty is the use of the EDS mechanism in different countries.
My task is to learn about this mechanism in Kazakhstan (why not China, you'd ask ).
I read a lot of articles and user guides, but some things remain unclear to me, so I have to ask for your help.

1. I did not look long and could not find exactly in which year the authentication system using EDS was implemented in mass use. Is there a place where I could find statistics showing how many people store authentication keys on KazToken, how many on the card, and how many directly in the file system (and etc.)? Desirable in percentage.
2. Is it necessary to be a citizen of Kazakhstan in order to use this authentication mechanism?
3. Just a subject of my interest. The guide to obtaining a certificate indicates that the keystore with the lowest security is the file system. Is this related to the algorithm for processing this data with the help of the client program, or is the reason specifically that several people can access the file system?
4. If you could tell me more about how to check the signed XML on the server? Is NCALayer on the server side for this?
5. In the process of developing and testing the NCALayer, are there any dummy valid certificates that were used for this purpose, the EDS of which was checked on the checking server? Since the audience will be mainly students, we would like to make the report more interesting, using interactivity, so that the listeners do not fall asleep from strict information. I would like to show them the process of authorization for example at egov.kz with the help of EDS. This is a priority issue for my team.

Cincerely, Q.Z.Leung.

Hello. We need to clear up some of the details before we can answer all of your questions. We'll post an answer soon if you don't mind waiting.

1. The National Certificate Authority of the Republic of Kazakhstan (NCA) went into production on 29 October 2008. You can find most of the statistics on the front page of our website www.pki.gov.kz/index.php/en/. Unfortunately they don’t publish statistics about KazToken there, so I’ll just post some numbers here:
From the 1st of January to the 3rd of May 2018 668 351 EDS were issued on ID cards, 39 450 EDS on secure tokens (KazToken, eToken, Jacarta), and 1 941 270 on the file system. Overall 2 653 202 EDS were issued so far since the start of the year.

2. You don’t have to be a citizen of Kazakhstan to get EDS. Although you have to get your Individual Identification Number (ИИН), which is required when applying for EDS. Non-residents can acquire IIN only when they arrive to Kazakhstan. You can find some more information here www.pki.gov.kz/index.php/en/nerezidentam-rk?id=27 and here www.pki.gov.kz/index.php/en/dokumentatsiya

3. You're right, the file system is considered less secure because it can be easily accessed and keys can be duplicated or stolen. Security tokens (like KazToken and others) prevent this because they restrict the access to the keys.

4. NCALayer is made purely for client side operations. You have to write your own server side application. To help with that NCA provides an SDK with a custom cryptographic provider, which is used for all the operations with EDS.

5. The SDK provided by NCA contains test keys. However due to legal limitations the SDK can only be provided to developers residing in Kazakhstan.