A new ETSI standard for the JADES signature

Categories: #eIdAS, Electronic Signatures, JSON Signatures

ETSI has just unveiled ETSI TS 119 182-1, a specification for JSON Web Electronic Signatures or Seals supported by PKI and public key certificates. These signatures authenticate the origin of transactions, ensuring that they are bound to their originator and that access to sensitive resources can be controlled.

This standard is a major achievement for interoperability of digital signatures for a range of applications in today’s digital economy including the banking and financial world where so far, some 4,000 banks were using various private signing procedures for their APIs to secure their online transactions.

Called JAdES, ETSI TS 119 182-1 comes in support of secure communications fulfilling the requirements of the European Union eIDAS Regulation (No 910/2014) for advanced electronic signatures and seals and regulatory requirements for services such as open banking.

This JAdES digital signature specification is based on JSON Web Signature and contains the features already defined in the related ETSI standards for AdES (advanced electronic signature/seal) applied to other data formats including XML, PDF and binary. The standard was developed with contributions from a number of stakeholders including representatives from the banking sector who, through Open Banking Europe, have brought their operational requirements to align European APIs onto one security model.

Nick Pope, Vice-Chair of the ETSI technical committee on Electronic Signatures and Infrastructures (ESI) comments: “The ETSI JAdES standard builds on ETSI’s decades of experience in defining standards for applying digital signatures to a variety of document formats to provide evidence of their authenticity supported by European Regulations. Working with Open Banking Europe, ETSI has developed a solution which matches the requirements of Open Banking APIs whilst assuring the authenticity of financial transactions.”

ETSI TS 119 182-1 can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, and so on; it applies to any electronic communication. The technical features of the specification can therefore be applied to PKI-based digital signature technology in both regulated and general commercial environments.

“As PSD2 and open banking move towards Open Finance standard, APIs are essential not just in Europe but globally. Open Banking Europe is proud to be part of the ETSI ongoing standardization work and bring its operational requirements to solve practical problems,” adds John Broxis, Managing Director, Open Banking Europe.

Electronic commerce has emerged as a frequent way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued development of electronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect digital signatures are an important security component that can be used to protect information, provide trust in electronic business and prevent tampering.

With this new standard ETSI meets the general requirements of the international community to provide trust and confidence in electronic transactions.

Training of EIDAS specialists and certification of auditors

Categories: EIDAS Auditor certification, Training

TCAB (Trust Conformity Assessment Body) is preparing a training event to be held in April 2021, aimed at training specialists in the world of electronic signatures and trust services.

The training will be online and in the afternoons (from 16:00 to 20:00 Spanish time, from 15:00 to 19:00 UTC), to encourage the participation of Latin American students.

It is structured in three levels:

  1. Advanced users of digital trust services (2 days: 12 and 14 April)
  2. Trusted digital service provider (2 days: 19 and 21 April)
  3. Digital Trusted Services Auditor (2 days: 26 and 28 April)

After the complete training, it is possible to opt for an examination that will give access to the professional certification of EIDAS Auditor and subsequently to carry out audits as a junior auditor, in the framework of the conformity assessments developed by TCAB.

There are additional prerequisites to become an auditor, such as holding a security certification (CISA, CISM or ISO 27001 auditor).

The training fees are as follows:

  • Level 1 (2 days): 399 € + VAT
  • Level 1 + Level 2 (4 days): 997 € + VAT
  • Level 1 + Level 2 + Level 3 (6 days): 1,495 € + VAT

The examination fees for professional certification are as follows:

  • Level 1 professional certification “Digital Trust Services Specialist”: 150 € +VAT.
  • Level 2 professional certification “Digital Trust Services Business Professional”: 250 € +VAT. You must have passed or be pending assessment of the level 1 exam.
  • Level 3 professional certification “Digital Trust Services Assessor”: 250 € +VAT. You must have passed or be pending assessment of the level 2 exam.

The tentative agenda is as follows:

Level 1. Training for developers, service companies and public sector employees.

It provides an introduction to electronic identification and signature systems.

The following topics are covered:

  • Concepts of electronic identification
  • Brief history of cryptography
  • Hash Algorithms
  • Symmetric key cryptography and asymmetric key cryptography
  • Elements of Public Key Infrastructures: RA, OCSP, CA, Root, End Entity, CRL, Timestamping, digital custody. Trusted lists
  • Structure of the certificates. Standards X.509, X.520
  • SSL/TLS. OCSP Stapling
  • Authentication through certificates
  • Electronic signature. Types of electronic signatures
  • Qualified certificates
  • Qualified Signature Creation Devices
  • Device drivers. MS-CAPI and PKCS#11 standards
  • Electronic signature regulations. EIDAS Regulations
  • Electronic signature in public administrations and in the field of justice. Considerations on Law 39/2015 and Law 18/2011.
  • Special advanced signatures. Biometric signatures
  • Server configuration for SSL. How to request certificates

Level 2. Training for Trusted Service Provider professionals

It describes the systems used by LDCPs, the documents to be produced and the security measures in the field of Digital Trust Service Providers, and how to prepare for an EIDAS audit.

The following topics are covered:

  • Regulations related to identity management. Regulation 1501/2015 and Regulation 1502/2015
  • General regulations for providers: EN 319 401:
    • Risk assessment,
    • Policies and Practices: Trusted Service Practice Statement, Terms and Conditions, Information Security Policy
    • Management and operation of Trusted Electronic Service Providers: Internal organisation (Reliability of the organisation, Segregation of duties), Human resources, Asset management (General requirements, Media management), Access control, Cryptographic controls, Physical and environmental security, Security of operations, Network security, Incident management, Collection of evidential information, Business continuity management, Termination of activities of Trusted Electronic Service Providers and termination plans, Legal compliance.
  • OID. How to apply for OID. How to design an organized structure of OID to facilitate the management of signature policies
  • Certificate profiles. Policy identification. Required OIDs according to CAB Forum, required OIDs according to ETSI standards. EN 319 412 standards. PSD2 certificates
  • Necessary documentation to be checked when issuing certificates of natural persons, certificates of natural persons representing legal persons, certificates of natural persons employed by public authorities, certificates of legal persons.
  • Tools for parsing and checking the quality of certificates
  • Certificate transparency. Repositories and integration
  • Regulations concerning the issue of certificates: EN 319 411-1. Detailed overview of the content of a Trusted Services Statement of Practice
  • Regulations concerning the issue of qualified certificates within the framework of EIDAS: EN 319 411-2. Detailed tour of the contents of a Statement of Practice for Trusted Services. EIDAS certificates: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QCP-w.
  • Regulations concerning the issue of qualified time stamps within the framework of EIDAS: EN 319 421 and EN 319 422
  • Regulations concerning the provision of qualified services of electronic notifications and certified electronic mail (Qualified Service of Certified Electronic Delivery) in the framework of EIDAS: EN 319 521 and EN 319 531
  • Qualified service for the validation of qualified electronic signatures and qualified electronic seals within the framework of EIDAS: TS 119 101 and EN 319 102-1
  • Qualified electronic signature and qualified electronic seal storage service within the framework of EIDAS: TS 102 573 and EN 319 102-1
  • Civil liability insurance. Contractual and non-contractual liability.
  • Qualified signature creation devices. Application standards for the evaluation of devices: FIPS-140-2, CWA 14167-1, CWA 14167-2, CWA 14169, CWA 14170, EN 419 241-1, EN 419 241-2, EN 419 221-5.
  • Lists of signature creation devices: NIST, Common Criteria Portal, Article 31 List (Compilation of Member States notification on SSCDs and QSCDs). Special procedures of Art. 30-2-b. Validity of devices prior to EIDAS by art. 51.1
  • Aspects to be taken into account for the issuance of website certificates and signing of executable code in CAB Forum contexts: Baseline Requirements, Extended Validation (EV) Guidelines.
  • Criteria for verification of identity in RA activities according to articles 24-1-b and 24-1-d. Video identification criteria published by SEPBLAC in the framework of Law 10/2010.
  • TSL lists (Trusted Lists). Standard TS 119 612. Information reflected in the lists. Checking the validity of qualified certificates issued in the valid phase of providers whose qualification has been withdrawn.
  • Rules for the use of the European Qualification Mark EIDAS

Level 3. Training for Trusted Services Auditors and Conformity Assessors

It describes the conformity assessment framework, the accreditation bodies, the requirements for conformity assessment bodies and the requirements for auditors.

Students who have attended all 3 levels of training will be able to take a professional certification exam that will qualify them as EIDAS auditors in the Trust Conformity Assessment Body Scheme. Students who pass the exam will gain a level of professional qualification to participate as junior auditors in conformity assessment audits and will be eligible to accompany senior auditors in TCAB audits. After participating in 3 audits they will be qualified as a senior auditor.

In the third-level training, teachers will use English and Spanish as working languages throughout the classes.

The following topics are covered:

  • Evolution of the conformity assessment framework for trusted services. Order of 21 February 2000 approving the Regulation on the accreditation of certification service providers and the certification of certain electronic signature products.
  • EIDAS supervision model. List of Member States’ supervisors.
  • EIDAS accreditation model. List of Member States’ accreditation bodies.
  • EIDAS evaluation model. List of evaluation bodies in the Member States.
  • Requirements for CABs to achieve accreditation. EN 319 403, ISO 17065, Criteria and specific accreditation process for the certification of trusted electronic services regulated by Regulation (EU) No 910/2014 (eIDAS) (ENAC RDE-16 Standard)
  • Recommendations for planning an audit: Documentary review phase, face-to-face phase, identification of evidence, information guidelines to be reflected in the Conformity Assessment Report (CAR).
  • Evaluation procedure. Review of the report, approval of the certification.
  • Monitoring of the entities evaluated. Extension of the scope of the evaluation.
  • General requirements for auditors and prior conditions for accreditation. Ethical principles for auditors. Independence and impartiality criteria.
  • Stakeholders and interaction guidelines.
  • Typical course of an audit project.
  • Recommendation for action and approach during audits.
  • Requirements and outline of evaluation reports.
  • CAR model for auditors
  • Conditions for the Issuance of the Certificate. Phases of the certification process.
  • Rules for the use of the European Qualification Mark EIDAS, and other marks associated with the evaluation, ENAC, CAB,…
  • General structure of certification approval. TCAB organization for the approval of certifications. Committee of interested parties.

For more information call TCAB at +34 91 3880789 or fill in the form.

Spanish Official Gazette authorizes video identification to get Qualified Certificates

Categories: #eIdAS, Conformity Assessment Body, Conformity Assessment Body (CAB), Video onboarding

The Official Gazette of April 1, 2020 includes Royal Decree-Law 11/2020, of March 31, by which complementary urgent measures are taken in the social and economic field to deal with COVID-19.

Its eleventh additional provision includes “Provisional measures for the issuance of qualified electronic certificates”.

The text of this provision is as follows:

While the state of alarm lasts, as decreed by Royal Decree 463/2020, of March 14, the issuance of qualified electronic certificates will be allowed in accordance with the provisions of article 24.1.d) of Regulation (EU) 910/2014, of July 23, regarding electronic identification and trust services for electronic transactions in the internal market. To this end, the supervisory body will accept those methods of identification by videoconference based on the procedures authorized by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC) or recognized for the issuance of qualified certificates by another Member State of the European Union. The equivalence in the security level will be certified by a conformity assessment body. The certificates thus issued will be revoked by the service provider at the end of the state of alarm, and their use will be limited exclusively to relations between the holder and the public administrations.

TCAB, Trust Conformity Assessment Body, has already carried out audits of this type for entities that provide video identification services. The first one was of Electronic Identification, S.L.

Contact us by calling +34 913 88 07 89 or by email at info at

Electronic voting systems assessment

Categories: Elections, Electronic Vote

Spanish Order ICT/140/2019, of 14 February, which regulates the conditions for the exercise of electronic voting in the electoral process for the renewal of the plenary sessions of the Official Chambers of Commerce, Industry, Services and Navigation, provides guidance for the deployment of electronic voting systems, which must be auditable and audited.

In its article 9 (Audit of the electronic voting system) it states:

1. The electronic voting system shall have a totally independent audit and verification regime that allows the processes used to gather, count and recount the votes to be examined, in order to confirm the accuracy of the results.

2. The external audit system should, at a minimum, allow:

  • That the independent observers can supervise the elections without disclosing the possible result or final count.
  • Detect electoral fraud.
  • Give assurance that all votes counted are authentic and maintain the anonymity of the voter at all times.

3. This audit must cover both the testing phase of the system as a whole and the voting, counting and dissemination phases.

TCAB is a pioneer conformity assessment body in providing audit services for electronic voting platforms.

Contact TCAB to request preliminary audits of electronic voting platforms and support in electoral processes that make use of this type of platform.

TCAB is an expert in certificates and electronic signatures and can assess compliance with all aspects required by the regulations.

Contact by calling 91 388 0789

TCAB participates in the event on the Cybersecurity Regulation organized by AMETIC

Categories: Accreditation, AMETIC, Audit, Centro Criptológico Nacional, Cyber-security, Cybersecurity, ENISA, EU Cybersecurity

AMETIC, the Spanish ICT Business Association has organized an informative event on the new European regulation “Cybersecurity Act”, which from June 2019 will regulate the implementation of a common European framework for the certification of “Cybersecure” ICT products and services to promote cybersecurity of online services and consumer devices.

This European regulation not only seeks to increase the confidence of users in relation to the use of connected devices, but also to strengthen the European cybersecurity industry and the European Single Market, positioning it as a reference worldwide, in line with other markets such as the United States or China. The European Union Agency for Network and Information Security (ENISA), which through this regulation will be named as the new European Agency for Cybersecurity, will coordinate and harmonize policies at European level, and will support Member States in the implementation of plans and national strategies in the fight against threats and cybersecurity attacks.

Antonio Cimorra, director of Information Technologies and Digital Agenda of AMETIC, highlighted during the opening of the session the advances that the digital transformation has introduced in society, as well as the importance of ensuring cybersecurity. He also commented on the measures that, from AMETIC, and particularly from the Cybersecurity Commission where important suppliers of this technology meet, are being developed in this field. Cimorra also highlighted the association’s support for the new European initiative.

Later, Ignacio Pina, Technical Director of the National Accreditation Entity (ENAC), explained that, “although the regulation will not be mandatory at the beginning, as far as certification is concerned, it is expected that the market will regulate itself, fostering its adoption”. Pina added that “certification in itself does not generate security, but rather seeks to build trust among consumers”. In this regard, he commented that “the transition between the current national certification schemes in force and the new common European framework will be gradual”. On the other hand, he stressed that “the role of the industry in defining the certification schemes that derive from this regulation is essential for them to be aligned with market needs.”

Implications of “Cybersecurity Act”

Next, a cybersecurity-focused round table was held under the motto “How does the Cybersecurity Act impact companies in the digital sector?”.

The round table was presented by David González, president of the AMETIC Cybersecurity Commission and Head of Sales for Europe and North Africa of G&D. The participants were Mariano José Benito, CISO of GMV; Jesús María Alonso, Head of Consulting Spain of ATOS; Ainhoa Inza, CEO of TCAB (Trust Conformity Assessment Body); and Miguel Bañón, CEO of EPOCHE & ESPRI.

They discussed the implications of the certification regulation for the activity of companies in the digital sector, and the following steps to address in this new scenario.

In general, the participants commented that it is a very positive initiative since, despite being a voluntary regulation for the time being, it is expected that its impact on the market will increase the number of certified secure ICT products in a significant way. They also highlighted that, for Spain, it is an opportunity for consolidation at the European level in terms of cybersecurity, taking advantage of the fact that the Spanish certification ecosystem is among the best considered in Europe.

On the other hand, it was highlighted that, since the regulation provides no penalties framework, it is important for companies to identify the benefit of certification, such as the impact on consumers in terms of trustworthiness. They also commented that the objective of this initiative is that consumers “get used” to verifying that the ICT products or services they buy or consume carry the security certification seal.

Finally, the presentation by the expert representative of the National Cryptological Center (CCN), the entity that currently coordinates certification work in cybersecurity at the national level, addressed how the new Scheme will be adopted in Spain. CCN agreed with the other speakers on the great opportunity that the “Cybersecurity Act” represents for the European and Spanish cybersecurity industry when it comes to positioning Europe in line with other markets.

AMETIC Elections

Categories: AMETIC, Elections

AMETIC celebrates its Electoral General Assembly on November 7, 2018 in CEOE's Sala José María Cuevas, C/ Diego de León, 50, 28006 Madrid.

Trust Conformity Assessment Body presents its candidacy to represent the segment of SMEs and micro-SMEs in the AMETIC board of Directors.

Trust Conformity Assessment Body is an innovative SME security specialist that audits electronic signature systems, blockchain, and security and interoperability schemes, and is accredited by ENAC to evaluate qualified electronic trust service providers in the framework of EIDAS (Regulation UE 910/2014).

The wide knowledge of technical standards and the legal environment that we possess is usually useful for our clients, and we think it can also be useful for the board of Directors of our association.

Being an SME, we know the challenges and difficulties of companies of this size, and we think that we can help to sensitize the management bodies of the association and other stakeholders to the importance of SMEs in the productive fabric of the country and to the policies necessary for these companies to develop and grow in a profitable way.

This is our first video as candidate:

TCAB candidacy in AMETIC elections

Security audits for projects with Blockchain and SmartContracts

Categories: Audit, Blockchain, Conformity Assessment

According to some estimates, blockchain technology companies can expect business volumes of 6 billion euros by 2020. However, they must first deal with blockchain security vulnerabilities, which, despite their relevance, continue to be underestimated when it comes to the so-called “distributed ledger” technology (or DLT).

A comment here, to clarify the widespread term “distributed ledger” (DLT), which in my opinion should be renamed “distributed accounting”, or better, “RJT, Replicated Journal Technology”, since it really registers entries in the log as they are produced, rather than reflecting the accounting itself.

Security vulnerabilities in block chains

Some aspects of security have to do with the use of cryptography, and given that cryptography is used intensively in blockchain contexts, there is a widespread belief that blockchain systems are inherently secure.

However, in complex systems, different attack vectors appear that must be identified and remedied, so that excessive confidence in the technology can be dangerous.

In fact, the technology called DLT is subject to a series of problems that centralized databases do not have.

The security risks of Blockchain exist, and must be recognized and mitigated so that Blockchain fulfills its promise to transform the way in which data is stored and how it affects the projects that use it.

As more government, industrial and commercial sectors adopt technology, the need to address these problems sooner rather than later becomes paramount.

Blockchain Vulnerabilities

Vulnerabilities of the interface system

One of the most likely vulnerabilities with DLT originates outside of the blockchain itself.

The interface system is the equipment that a user uses to access services based on blockchain.

Credentials are entered on this system, which is reason enough to attract attackers who exploit its vulnerabilities. In other cases, manipulating the “clipboard”, the memory area used for copy and paste functions, can allow an attacker to change the destination account of a transaction.

Malware detection is a desirable feature in tools that aim to minimize attacks on the interface system.

Security of public key cryptography

Those who propose transactions to form part of the chain (for example, value transfers in the case of crypto-assets and cryptocurrencies) sign them with a private key and give information about their public key. The private key is stored in the wallet or an equivalent mechanism. The protection of the equipment is again essential. But there are certain risks (for example, based on quantum computing) that in the future could allow the private key to be obtained from the public one. To minimize that risk, there are techniques associated with single-use wallets that can be adopted.

Key backups should not be kept on the system that is used daily, and even less so unencrypted.

Third party platforms

As cyber-currencies and applications using related technologies (such as DLT) become popular, the third-party solutions market will experience growth. Some possible services to be offered by third parties are:

  • Blockchain integration platforms
  • Payment processors
  • Wallets
  • Fintech entities
  • Cryptocurrency payment platforms
  • Smart contracts

These platforms use different vulnerable technologies, in addition to blockchain-specific ones. They are true Providers of Digital Trust Services and should comply with the standard EN 319 401 that the EIDAS Regulation imposes on Qualified Providers.

Control of deployment

When a project starts or evolves, exhaustive tests must be carried out to detect vulnerabilities in the code before it passes to the final execution environment. This is especially relevant for smart contracts. Languages such as Solidity are frequently used for smart contracts, with “defects” similar to those of JavaScript. A case of special relevance is the need to put wallet addresses in quotes: if they are not, the addresses are truncated and the amounts sent can end up in an irrecoverable limbo.
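As an added illustration of the quoting problem just described (example code written for this page, not from the TCAB post or from any project), the constructed address below is handled once as an unquoted JavaScript literal and once as a string; `isValidAddress`, `roundTripsThroughNumber`, `survivingHexDigits` and `sameAccount` are hypothetical helper names:

```javascript
// Why wallet addresses must be quoted in JavaScript-like tooling.
// The address is constructed for this example and belongs to no real account.
const ADDRESS_TEXT = "0x1234567890abcdef1234567890abcdef12345678";

// A 20-byte address is a 160-bit integer. An unquoted literal is parsed as a
// Number (IEEE-754 double, 53-bit mantissa), so the low-order bits are lost
// silently: no error, just a different account.
const ADDRESS_AS_LITERAL = 0x1234567890abcdef1234567890abcdef12345678;

const ADDRESS_RE = /^0x[0-9a-fA-F]{40}$/;

// Accept only a string with the 0x prefix and exactly 40 hex digits.
// A Number, a truncated string or stray whitespace is rejected.
function isValidAddress(value) {
  return typeof value === "string" && ADDRESS_RE.test(value);
}

// Parse the address the way an unquoted literal is parsed, convert the
// resulting Number back to hex and report whether the original text survived.
function roundTripsThroughNumber(text) {
  const asNumber = Number(text);
  const back = "0x" + asNumber.toString(16);
  return back.toLowerCase() === text.toLowerCase();
}

// Count the leading hex digits that survive the detour through Number.
function survivingHexDigits(text) {
  const back = Number(text).toString(16).padStart(40, "0");
  const original = text.slice(2).toLowerCase();
  let i = 0;
  while (i < 40 && back[i] === original[i]) i++;
  return i;
}

// Exact comparison of two validated addresses; BigInt keeps all 160 bits.
function sameAccount(a, b) {
  if (!isValidAddress(a) || !isValidAddress(b)) return false;
  return BigInt(a) === BigInt(b);
}

console.log("literal is a safe integer:", Number.isSafeInteger(ADDRESS_AS_LITERAL)); // false
console.log("round trip intact:", roundTripsThroughNumber(ADDRESS_TEXT));           // false
console.log("hex digits preserved:", survivingHexDigits(ADDRESS_TEXT), "of 40");
```

Validating the string form at the input boundary is the check a deployment review would look for; once the value has been a Number, no later code can recover the original account.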

Size of the block chain

Depending on the type of crypto-asset and how its transaction management system has been designed for recording in the blockchain, it may be necessary to preserve the entire chain of blocks from its origins. Some variants allow the transaction history to be converted into a “snapshot” from which the previous history can be discarded. Be that as it may, the more transactions are made, the more the chain grows, which can create sizing problems in the equipment on which it is managed.

51% attacks

Some crypto-asset systems with different block confirmation philosophies (PoW, Proof of Work; PoS, Proof of Stake; ...) could be attacked by groups that exceed 51% participation in the consensus mechanism. Therefore, it would be advisable to anticipate the need for reversion mechanisms and to assign responsibility for executing them.

There have been real cases of this type of attack on PoW mechanisms (theoretical until recently), which is understandable knowing that many large concentrations of mining equipment are built in countries where electricity is cheap and supervision is scarce.

Lack of maturity of blockchain technology

In all technologies, essential lessons are learned as they are adopted and generalized. Problems are discovered and resolved. Blockchain technology is still in the early stages of development, and not all risks and their effects are understood.

Risks due to insufficient standardization

Many blockchain systems are deployed with a “Whitepaper” and the project's source code available on Github. Although this is an exercise in transparency, it often reveals that the promoters of such projects have little interest in knowing the standards or adopting them.

It is particularly striking in the field of electronic signature, whose main market has matured over the years, giving rise to various laws and technical standards that create legal presumptions for those who adopt the technology and that define the standards that facilitate interoperability.

In contrast, the use of electronic signature technology in blockchain projects seems to come from undergraduate students who have read the basics of electronic signature theory and who ignore the advance of the standards. They look like academic exercises, instead of responding to market demands that require systems to interoperate and that their developers know the laws and standards.

Fortunately UNE and ISO (among other standardization bodies) are beginning to propose standards for the blockchain world, which should not ignore the advances made in common technologies with a certain level of maturity.

It should be remembered that standardization, contrary to what its critics affirm, does not limit innovation but opens up new possibilities for it. It also leaves solved the problems that were tackled in the past, minimizing the risk of reinventing the wheel each time.

Subtle vulnerabilities

There are vulnerabilities difficult to detect that are visible after incidents of a certain magnitude. It is advisable to provide for reversion mechanisms before deployment in order to manage problems that have not been previously identified.

An example is the case of “The DAO”.

A “DAO” (Decentralized Autonomous Organization) is an organization built on some types of blockchain, with code execution functionality for smart contracts associated with investments in the capital of markedly digital companies. You could say that a DAO is a crowdsourced venture capital fund managed on the basis of smart contracts embedded in a blockchain. There are many DAOs, each created to host and execute smart contracts for specific organizations.

One of those DAOs, known as “The DAO”, was founded in 2016 by members of the Ethereum team. During its creation period, The DAO made crowdfunding history by raising 150 million dollars. Shortly after, The DAO made history once again, by being the first DAO to be hacked.

During the crowdsale, many members of the Ethereum community expressed concern that the DAO code could be attacked. Subsequently, a member of the DAO team found a “recursive error” but erroneously believed that there were no DAO funds at risk. A hacker proved he was wrong.

The attack occurred when the attacker exploited two vulnerabilities in the DAO code. The hacker knew that the code was designed to allow both a split and a transfer of tokens between accounts. The hacker also realized that the code would not update account balances fast enough to prevent the transfer of the same tokens more than once.

The hacker executed a spinoff function, creating a “child DAO” account and made repeated transfer requests from his first account in quick succession. Since the code did not decrease the original account balances after each transfer, there was nothing to prevent the same tokens being repeated about 40 times each, without destroying the original tokens.

After transferring $55 million in Ether, the attacker stopped the attack, and further events followed; I invite you to look into this case, from which great lessons can be drawn.

Call us if you need us

When serious blockchain projects are proposed, their promoters invest in technology developments that help define transaction types, identity management models, block confirmation mechanisms, block production rates and transaction limits per block. There are many aspects that make each project different.

One that should start to be taken into account is the project audit. It may not detect every problem, but it will uncover the main ones. We must start to make use of what is already known and avoid repeating mistakes that have already been made.

Contact the Trust Conformity Assessment Body (TCAB) if you need to audit a blockchain project.

New ETSI OIDs for signature validation services policies

By #eIdAS, eIDAS, Electronic Signatures, OID, Qualified Electronic Signature Validation, Digital Trust Services, Trust Electronic Services, Trust Service Providers

The new draft ETSI TS 119 441 proposes two OIDs for signature validation service policies:

  • itu-t(0) identified-organization(4) etsi(0) VAL SERVICE-policies(9441) policy-identifiers(1) main(1), i.e. 0.4.0.9441.1.1
  • itu-t(0) identified-organization(4) etsi(0) VAL SERVICE-policies(9441) policy-identifiers(1) qualified(2), i.e. 0.4.0.9441.1.2

That is:
  • 0.4.0.9441.1.1 is the main policy OID for validation services, and
  • 0.4.0.9441.1.2 is the policy OID that identifies qualified validation services as defined in Articles 32 and 33 of Regulation (EU) No 910/2014 (eIDAS).

Article 32

Requirements for the validation of qualified electronic signatures

1. The process for the validation of a qualified electronic signature shall confirm the validity of a qualified electronic signature provided that:

  (a) the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;
  (b) the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;
  (c) the signature validation data corresponds to the data provided to the relying party;
  (d) the unique set of data representing the signatory in the certificate is correctly provided to the relying party;
  (e) the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;
  (f) the electronic signature was created by a qualified electronic signature creation device;
  (g) the integrity of the signed data has not been compromised;
  (h) the requirements provided for in Article 26 were met at the time of signing.

2. The system used for validating the qualified electronic signature shall provide to the relying party the correct result of the validation process and shall allow the relying party to detect any security relevant issues.

3. The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 33

Qualified validation service for qualified electronic signatures

1. A qualified validation service for qualified electronic signatures may only be provided by a qualified trust service provider who:

  (a) provides validation in compliance with Article 32(1); and
  (b) allows relying parties to receive the result of the validation process in an automated manner, which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.

2. The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation service for a qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).