Open Design Platform

Permission-free access to open-source silicon design tools, authenticated with your Italian electronic identity card (CIE). No registration, no account to create, no password — your card is your key.

How it works. You prove your identity by signing a one-time challenge with your CIE. The server verifies the signature, checks that your card certificate was issued by the Italian Ministry of the Interior, and then gives you an isolated account with time-boxed SSH access. Your identity is verified against Italy's own certificate authority; we keep only an encrypted accountability record, never a copy you cannot see.

What you need

  1. Your Italian CIE (the 2016+ card with the contactless chip) and its PIN.
  2. A contactless (NFC) smart-card reader with the card on it.
  3. The official CIE middleware installed, which provides the libcie-pkcs11.so module. On Linux: github.com/italia/cie-middleware-linux — install the .deb, then run the CIE app once and enter your PIN to enrol the card on this machine.
  4. Python 3, plus ssh-keygen and the pkcs11-tool utility (Debian/Ubuntu: sudo apt install opensc).

Step 1 — Download the login helper

The helper is a small Python script. We encourage you to read it before running it — it talks to your ID card, so you should trust it.

wget https://odp.f-si.org/cie-login.py
# verify the checksum (compare with the value published below):
sha256sum cie-login.py

Expected SHA-256: 0e472671e19db686dd58b065f537c4cd5293e43e1893fb7311343fca1e434812

Canonical source (review the history, report issues, or clone): codeberg.org/fsi/reproduceables.
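
The checksum comparison from Step 1 can be made fail-closed instead of compared by eye. This is an added example, not part of the ODP tooling; the function name verify_pinned and the variable ODP_HELPER_SHA256 are hypothetical, and the pinned value is the one published above.

```shell
#!/bin/sh
# Added example: fail-closed check of a downloaded file against a pinned SHA-256.
# verify_pinned and ODP_HELPER_SHA256 are hypothetical names, not ODP's own.

# Value copied from the "Expected SHA-256" line on this page.
ODP_HELPER_SHA256="0e472671e19db686dd58b065f537c4cd5293e43e1893fb7311343fca1e434812"

# verify_pinned FILE EXPECTED_HEX
#   returns 0 if the digest matches,
#           1 if it does not match,
#           2 if the input is unusable (missing file, malformed pin).
verify_pinned() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')

    # Accept only exactly 64 hex digits, so an empty or truncated pin
    # can never compare equal to an empty or truncated digest.
    case $expected in
        *[!0-9a-f]*) return 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || return 2
    [ -f "$file" ] && [ -r "$file" ] || return 2

    # Hash via stdin: the file name then never appears in the output,
    # so unusual characters in the name cannot change its format.
    actual=$(sha256sum < "$file" | cut -d ' ' -f 1)
    [ "${#actual}" -eq 64 ] || return 2

    [ "$actual" = "$expected" ]
}

# Typical use: run the helper only if the check passes.
#   verify_pinned cie-login.py "$ODP_HELPER_SHA256" \
#       && python3 cie-login.py --username YOUR_CHOSEN_NAME
```

The published hash and the script are served by the same site, so this check catches a corrupted or altered download but not a change made on the site itself; comparing the file with the canonical source named above is an independent check.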

Step 2 — Log in with your card

Place your CIE on the reader and run:

python3 cie-login.py --username YOUR_CHOSEN_NAME

You will be asked for your CIE PIN. The script signs the server's challenge with your card, sends your card certificate, and — on success — saves a short-lived SSH certificate next to a freshly-generated key and prints the exact command to log in.

Your chosen username is bound to your card the first time and reused afterwards (your real account name becomes cie_ + your chosen name). On later logins you can omit --username.

Step 3 — Connect

The helper prints a ready-to-run command, of the form:

ssh -p 2345 -i ~/.ssh/odp_cie \
    -o CertificateFile=~/.ssh/odp_cie-cert.pub \
    cie_YOURNAME@odp.f-si.org

That logs you into your isolated account. Your access is time-boxed; when the certificate expires, simply run the helper again to obtain a new one.

Your data, your tools. Each account is fully isolated (home directory 0700); you may upload proprietary PDKs. The server's signing authority is deliberately ephemeral — if the machine is rebuilt, everyone simply re-authenticates with their card.

Other electronic IDs

The identity check is keyed on a country-agnostic anchor derived from the card's public key, so support for other EU eID cards can be added without changing how accounts work. Today the verified card authority is the Italian CIE.

Operated by the Free Silicon Foundation (F-Si). Source and configuration: codeberg.org/fsi/reproduceables. This is an experimental service.