Category

Trust Service Providers

New ETSI OIDs for signature validation services policies

By | #eIdAS, eIDAS, Electronic Signatures, OID, Qualified electronic signatures Validation, Servicios de Confianza Digital, Trust Electronic Services, Trust Service Providers | No Comments

New Draft ETSI TS 119 441 proposes new OIDs for Signature Validation Service Policy:

  • itu-t(0) identified-organization(4) etsi(0) VAL SERVICE-policies(9441) policy-identifiers(1) main (1)
  • itu-t(0) identified – organization(4) etsi(0) VAL SERVICE – policies( 9441) policy – identifiers(1) qualified (2)
That is
  • OID 0.4.0.9441.1.1 as the main policy OID for Validation Services, and
  • OID 0.4.0.9441.1.2 as the policy OID for Validation Services that identifies qualified validation services as defined in articles Articles 32 and 33 of the Regulation UE 910/2014 (EIDAS)

Article 32

Requirements for the validation of qualified electronic signatures

1.   The process for the validation of a qualified electronic signature shall confirm the validity of a qualified electronic signature provided that:

(a)

the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;

(b)

the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;

(c)

the signature validation data corresponds to the data provided to the relying party;

(d)

the unique set of data representing the signatory in the certificate is correctly provided to the relying party;

(e)

the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;

(f)

the electronic signature was created by a qualified electronic signature creation device;

(g)

the integrity of the signed data has not been compromised;

(h)

the requirements provided for in Article 26 were met at the time of signing.

2.   The system used for validating the qualified electronic signature shall provide to the relying party the correct result of the validation process and shall allow the relying party to detect any security relevant issues.

3.   The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 33

Qualified validation service for qualified electronic signatures

1.   A qualified validation service for qualified electronic signatures may only be provided by a qualified trust service provider who:

(a)

provides validation in compliance with Article 32(1); and

(b)

allows relying parties to receive the result of the validation process in an automated manner, which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.

2.   The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation service for a qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Registered Electronic Trust Service Providers under #eIdAS

By | Trust Service Providers | No Comments

The name “Electronic Trust Service Providers”, created under the recently existing EU Regulation No. 910/2014, renders the previous designations obsolete:

New classification of Electronic Trust Service Providers

The new e-TSPs are classified in three levels:

  1. Qualified Electronic Trust Services, registered in the SETSI registry for TSPs (there cannot be qualified electronic services that are not registered).
  2. Not qualified Electronic Trust Services, services, registered in the SETSI TSPs registry.
  3. Not qualified Electronic Trust Services and not registered in the SETSI TSPs registry

Qualified Electronic Trust Service Providers are supervised by the Supervisory Bodies. In Spain, the Supervisory Body is the Ministry of Telecommunications and Information Society (SETSI), that belongs to the Ministry of Industry, Energy and Tourism (Minetur).

Qualified Electronic Trust Service Providers must be audited, at least every 24 months, by a Conformity Assessment Body. The purpose of the audit is to confirm that both the Electronic Trust Service Providers and the Electronic Trust Services fulfill the the requirements of Regulation (EU) 910/2014.

Qualified Trust Service Providers must submit the corresponding Conformity Assessment Report to the supervisory body within three working days upon receipt.

The Registered Electronic Trust Service Providers are a special category in terms of supervision of the services by the SETSI, since they provide either services that do not have the status of qualified service, or services that do not fit in the Trust Service definition according to Regulation (EU) 910/2014.

Due to the condition of Notified services to SETSI (and therefore included in the Trust Service Providers Registry), its information is published on the Ministry of Industry, Energy and Tourism website, although the Ministry of Industry, Energy and Tourism does not check the alignment of the services to the applicable legislation on trust services prior to publication.

Registered Providers can receive warnings and information requests from SETSI, if the latter receives any kind of complaint from the involved trust services users.

Some services, such as Certified Digitization, are not usually notified to SETSI, so they could be considered as Non-Registered, and therefore, outside the scope of action of the Supervisory Body.