
New ETSI OIDs for signature validation services policies


New Draft ETSI TS 119 441 proposes new OIDs for Signature Validation Service Policy:

  • itu-t(0) identified-organization(4) etsi(0) VAL SERVICE-policies(9441) policy-identifiers(1) main(1)
  • itu-t(0) identified-organization(4) etsi(0) VAL SERVICE-policies(9441) policy-identifiers(1) qualified(2)
That is:
  • OID 0.4.0.9441.1.1 as the main policy OID for Validation Services, and
  • OID 0.4.0.9441.1.2 as the policy OID for Validation Services that identifies qualified validation services as defined in Articles 32 and 33 of Regulation (EU) 910/2014 (eIDAS)
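A relying party that receives one of these policy OIDs inside an ASN.1 structure sees it as DER bytes, not as dotted text. The following added example (not part of the original post or of the ETSI draft; the function names are illustrative) encodes the two draft OIDs and decodes them strictly, rejecting padded encodings so that only one byte string maps to each policy.

```python
# Added example: DER handling for the draft policy OIDs quoted on this page.
MAIN_POLICY = "0.4.0.9441.1.1"       # main validation-service policy
QUALIFIED_POLICY = "0.4.0.9441.1.2"  # qualified validation service (Art. 32/33)


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06, short length)."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("invalid OID arcs")
    body = bytearray()
    for sub in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [sub & 0x7F]                 # last byte: high bit clear
        sub >>= 7
        while sub:                           # earlier bytes: high bit set
            chunk.append(0x80 | (sub & 0x7F))
            sub >>= 7
        body.extend(reversed(chunk))
    if len(body) > 127:
        raise ValueError("long-form length not handled in this example")
    return bytes([0x06, len(body)]) + bytes(body)


def decode_oid(der):
    """Strictly decode a DER OID; reject padded or truncated sub-identifiers."""
    if len(der) < 3 or der[0] != 0x06 or der[1] > 127 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER OBJECT IDENTIFIER")
    subids, value, fresh = [], 0, True
    for byte in der[2:]:
        if fresh and byte == 0x80:
            raise ValueError("non-minimal sub-identifier")
        value = (value << 7) | (byte & 0x7F)
        fresh = not byte & 0x80
        if fresh:
            subids.append(value)
            value = 0
    if not fresh:
        raise ValueError("truncated sub-identifier")
    first = min(subids[0] // 40, 2)
    return ".".join(map(str, [first, subids[0] - 40 * first] + subids[1:]))


def classify_policy(der):
    """Map an encoded policy OID to 'main', 'qualified' or 'unknown'."""
    labels = {MAIN_POLICY: "main", QUALIFIED_POLICY: "qualified"}
    return labels.get(decode_oid(der), "unknown")
```

The arc 9441 does not fit in seven bits, so it occupies two bytes (0xC9 0x61) in the encoding.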

Article 32

Requirements for the validation of qualified electronic signatures

1.   The process for the validation of a qualified electronic signature shall confirm the validity of a qualified electronic signature provided that:

(a) the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;

(b) the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;

(c) the signature validation data corresponds to the data provided to the relying party;

(d) the unique set of data representing the signatory in the certificate is correctly provided to the relying party;

(e) the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;

(f) the electronic signature was created by a qualified electronic signature creation device;

(g) the integrity of the signed data has not been compromised;

(h) the requirements provided for in Article 26 were met at the time of signing.

2.   The system used for validating the qualified electronic signature shall provide to the relying party the correct result of the validation process and shall allow the relying party to detect any security relevant issues.

3.   The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 33

Qualified validation service for qualified electronic signatures

1.   A qualified validation service for qualified electronic signatures may only be provided by a qualified trust service provider who:

(a) provides validation in compliance with Article 32(1); and

(b) allows relying parties to receive the result of the validation process in an automated manner, which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.

2.   The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation service for a qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Key issues of EU 910/2014 eIDAS Regulation


EU Regulation 910/2014 eIDAS – Electronic Identity, Authentication and Signature – has the delicate task of facilitating and stimulating the creation of a single technical and legal framework for Electronic Trust Services that is consistent and interoperable at a European level. These are services where trust is crucial: electronic signatures, electronic seals, electronic time marking, electronic documents and certification services for Web authentication.

These services are supervised and controlled by the Member States, in order to guarantee the security and confidence in the European electronic market.

First, the Regulation lays down the conditions under which the Member States must recognize the electronic identification means of individuals in another Member State.

While preserving the autonomy of the Member States to decide which electronic identification systems are used in their territory to allow access to online services, it establishes the obligation to ensure the mutual recognition of electronic means of identification adopted in another state, provided that such identification systems have been notified to the Commission by the country that promotes them, are published on a special list of "notified electronic identification schemes" (under Article 9), and comply with the conditions relating to the levels of guarantee required in each online service.

In this way, once the notification procedure has been carried out, in a cross-border transaction the notifying state will bear responsibility for damage caused intentionally or negligently to any person or entity if it breaches its obligations (letters d and f of Article 7 of the Regulation).

Chapter III deals with trusted services and establishes a common legal platform for electronic signature, electronic stamp, electronic time marking, electronic transmission services and website authentication services.

It sets out precisely the conditions for starting a qualified trust service, the requirements that Providers must fulfil in order to issue qualified certificates and provide other digital trust services, and the security requirements that the providers of these services must meet.

Finally, it determines that Member States should establish a supervisory body with the task of supervising qualified and non-qualified service providers.

Among other interesting aspects of the eIDAS Regulation, it is worth stressing the provisions for the issuance and maintenance of trusted lists and the possibility of using an EU trustmark for qualified trust services.

The European legislator requires each Member State to establish a trust list of all the Trust Service Providers whose "qualified" status is verified and guaranteed from the time of the application (the qualified status must be maintained by the provider through biennial conformity assessments and other subsequent monitoring activities).

Once included in the trust list, a Trust Electronic Services Provider may use the EU trustmark, including a link to that list, to present the services it offers in a simple and recognizable way.

This confirms the willingness of the EU legislator to promote a high level of transparency in the market and to increase the confidence in online services and their viability for the benefit of all users.

The fact that the legal status corresponds to a Regulation implies that it is a legislative measure with general scope, binding in its entirety and directly applicable in each Member State, without the need for transposition into its legal framework.

Although its definitions and some other aspects have already come into force, the Regulation will be fully implemented from 1 July 2016, in order to allow time for Member States to prepare for it. Certain provisions require additional legislative developments and others, such as the requirement to accept notified identification systems, will apply from 2018.

In Spain, the Cl@ve system is a good example of an identity accreditation system that could be developed to meet EIDAS requirements with greater alignment with ISO 29115.

Cl@ve is a system oriented to unify and simplify the electronic access of citizens to public services. Its main objective is for the citizen to be able to identify himself/herself at the Public Administration through agreed codes (user and password), without having to remember different keys to access the different services.

Cl@ve complements the access systems through e-ID and electronic certificate, and offers the possibility of signing in the cloud with personal certificates preserved in remote servers.

It was formalized by Order PRE/1838/2014, of October 8, which publishes the Council of Ministers Agreement, dated September 19, 2014, which approves Cl@ve, the common platform of the Public Sector State Administration for the identification, authentication and electronic signature through the use of concerted keys.