Remote identification component for EIDAS certificate issuance services

#eIdAS, Audit, Qualified certificates, Conformity Assessment, Electronic Trust Services, EN 319 411-1, EN 319 411-2, Remote identification, SEPBLAC, TS 119 461, Video onboarding

Identity proofing is not an eIDAS trust service by itself, but a component of other trust services. A remote identity proofing service component can be reused by many different trust services.

Providers of remote identification services based on video and audio transmission from the applicant’s own equipment can be audited according to ETSI EN 319 403-1, so that this audit can subsequently be relied upon by a qualified certificate issuing service provider without this part of the service having to be audited again.

The standard used to assess providers of remote identification services is the recently published standard ETSI TS 119 461. This standard has been developed taking into account the following aspects:

  • It is based on ETSI EN 319 401, which contains common requirements for all trust services.
  • It includes specific requirements for the verification of the identity of natural persons:
    • It compiles best-practice requirements on how to use certain means to implement the three tasks of “collection of attributes and electronic evidence”, “verification of electronic attributes and evidence”, and “binding the requested action (e.g. issuing a certificate) to the identity of the applicant”.
    • It specifies how identity proofing processes can be constructed by combining means to achieve the basic desired outcome of the identity proofing process.
  • It links to the requirements of section 6.2 of EN 319 411-1 and EN 319 411-2 by indicating ways to fulfil these requirements through remote identification.
  • Although it lays down specific requirements for providing qualified trust services, e.g. issuing qualified certificates to natural persons, the identity verification service is not a qualified service by itself.

The security requirements of ETSI TS 119 461 cover the most common risks, which fall into two main categories:

  • Forged evidence: An applicant falsely claims an identity using forged means of evidence.
  • Impersonation: An applicant uses valid means of evidence associated with another person.

Potential operational risks and social engineering risks are also taken into account.

A new ETSI standard for the JADES signature

#eIdAS, Electronic Signatures, JSON Signatures

ETSI has just unveiled ETSI TS 119 182-1, a specification for JSON Web Electronic Signatures or Seals supported by PKI and public key certificates. It authenticates the origin of transactions, ensuring that they are bound to their originator and that access to sensitive resources can be controlled.

This standard is a major achievement for interoperability of digital signatures for a range of applications in today’s digital economy including the banking and financial world where so far, some 4,000 banks were using various private signing procedures for their APIs to secure their online transactions.

Called JAdES, ETSI TS 119 182-1 comes in support of secure communications fulfilling the requirements of the European Union eIDAS Regulation (No 910/2014) for advanced electronic signatures and seals and regulatory requirements for services such as open banking.

This JAdES digital signature specification is based on JSON Web Signature and contains the features already defined in the related ETSI standards for AdES (advanced electronic signature/seal) applied to other data formats including XML, PDF and binary. The standard was developed with contributions from a number of stakeholders including representatives from the banking sector who, through Open Banking Europe, have brought their operational requirements to align European APIs onto one security model.

Nick Pope, Vice-Chair of the ETSI technical committee on Electronic Signatures and Infrastructures (ESI) comments: “The ETSI JAdES standard builds on ETSI’s decades of experience in defining standards for applying digital signatures to a variety of document formats to provide evidence of their authenticity supported by European Regulations. Working with Open Banking Europe, ETSI has developed a solution which matches the requirements of Open Banking APIs whilst assuring the authenticity of financial transactions.”

ETSI TS 119 182-1 can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, etc., and is applicable to any electronic communication. The technical features of the specification can therefore be applied to PKI-based digital signature technology in both regulated and general commercial environments.

“As PSD2 and open banking move towards Open Finance standard, APIs are essential not just in Europe but globally. Open Banking Europe is proud to be part of the ETSI ongoing standardization work and bring its operational requirements to solve practical problems,” adds John Broxis, Managing Director, Open Banking Europe.

Electronic commerce has emerged as a frequent way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued development of electronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect digital signatures are an important security component that can be used to protect information, provide trust in electronic business and prevent tampering.

With this new standard ETSI meets the general requirements of the international community to provide trust and confidence in electronic transactions.

Training of EIDAS specialists and certification of auditors

EIDAS Auditor certification, Training

TCAB (Trust Conformity Assessment Body) is preparing a training event to be held in April 2021, aimed at training specialists in the world of electronic signatures and trust services.

The training will be online and in the afternoons (from 16:00 to 20:00 Spanish time, from 15:00 to 19:00 UTC), to encourage the participation of Latin American students.

It is structured in three levels:

  1. Advanced users of digital trust services (2 days: 12 and 14 April)
  2. Trusted digital service provider (2 days: 19 and 21 April)
  3. Digital Trusted Services Auditor (2 days: 26 and 28 April)

After the complete training, it is possible to opt for an examination that will give access to the professional certification of EIDAS Auditor and subsequently to carry out audits as a junior auditor, in the framework of the conformity assessments developed by TCAB.

There are additional prerequisites to become an auditor, such as holding a security certification (CISA, CISM or ISO 27001 auditor).

  • Level 1 (2 days): 399 € + VAT
  • Level 1 + Level 2 (4 days): 997 € + VAT
  • Level 1 + Level 2 + Level 3 (6 days): 1.495 € + VAT

The examination fees for professional certification are as follows:

  • Level 1 professional certification “Digital Trust Services Specialist”: 150 € +VAT.
  • Level 2 professional certification “Digital Trust Services Business Professional”: 250 € +VAT. You must have passed or be pending assessment of the level 1 exam.
  • Level 3 professional certification “Digital Trust Services Assessor”: 250 € +VAT. You must have passed or be pending assessment of the level 2 exam.

The tentative agenda is as follows:

Level 1. Training for developers, service companies and public sector employees.

It provides an introduction to electronic identification and signature systems.

The following topics are covered:

  • Concepts of electronic identification
  • Brief history of cryptography
  • Hash Algorithms
  • Symmetric key cryptography and asymmetric key cryptography
  • Elements of Public Key Infrastructures: RA, OCSP, CA, Root, End Entity, CRL, Timestamping, digital custody. Trusted lists
  • Structure of certificates. Standards X.509, X.520
  • SSL/TLS. OCSP Stapling
  • Authentication through certificates
  • Electronic signature. Types of electronic signatures
  • Qualified certificates
  • Qualified Signature Creation Devices
  • Device drivers. MS-CAPI and PKCS#11 standards
  • Electronic signature regulations. EIDAS Regulations
  • Electronic signature in public administrations and in the field of justice. Considerations on Law 39/2015 and Law 18/2011.
  • Special advanced signatures. Biometric signatures
  • Server configuration for SSL. How to request certificates

Level 2. Training for Trusted Service Provider professionals

It describes the systems used by LDCPs, the documents to be produced and the security measures in the field of Digital Trust Service Providers, and how to prepare for an EIDAS audit.

The following topics are covered:

  • Regulations related to identity management. Regulation 1501/2015 and Regulation 1502/2015
  • General regulations for providers: EN 319 401:
    • Risk assessment,
    • Policies and Practices: Trusted Service Practice Statement, Terms and Conditions, Information Security Policy
    • Management and operation of Trusted Electronic Service Providers: Internal organisation (Reliability of the organisation, Segregation of duties), Human resources, Asset management (General requirements, Media management), Access control, Cryptographic controls, Physical and environmental security, Security of operations, Network security, Incident management, Collection of evidential information, Business continuity management, Termination of activities of Trusted Electronic Service Providers and termination plans, Legal compliance.
  • OID. How to apply for OID. How to design an organized structure of OID to facilitate the management of signature policies
  • Certificate profiles. Policy identification. Required OIDs according to the CAB Forum, required OIDs according to ETSI standards. EN 319 412 standards. PSD2 certificates
  • Necessary documentation to be checked when issuing certificates of natural persons, certificates of natural persons representing legal persons, certificates of natural persons employed by public authorities, certificates of legal persons.
  • Tools for parsing and checking the quality of certificates
  • Certificate transparency. Repositories and integration
  • Regulations concerning the issue of certificates: EN 319 411-1. Detailed overview of the content of a Trusted Services Statement of Practice
  • Regulations concerning the issue of qualified certificates within the framework of EIDAS: EN 319 411-2. Detailed tour of the contents of a Statement of Practice for Trusted Services. EIDAS certificates: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QCP-w.
  • Regulations concerning the issue of qualified time stamps within the framework of EIDAS: EN 319 421 and EN 319 422
  • Regulations concerning the provision of qualified services of electronic notifications and certified electronic mail (Qualified Service of Certified Electronic Delivery) in the framework of EIDAS: EN 319 521 and EN 319 531
  • Qualified service for the validation of qualified electronic signatures and qualified electronic seals within the framework of EIDAS: TS 119 101 and EN 319 102-1
  • Qualified electronic signature and qualified electronic seal storage service within the framework of EIDAS: TS 102 573 and EN 319 102-1
  • Civil liability insurance. Contractual and non-contractual liability.
  • Qualified signature creation devices. Application standards for the evaluation of devices: FIPS-140-2, CWA 14167-1, CWA 14167-2, CWA 14169, CWA 14170, EN 419 241-1, EN 419 241-2, EN 419 221-5.
  • Lists of signature creation devices: NIST, Common Criteria Portal, Article 31 List (Compilation of Member States notification on SSCDs and QSCDs). Special procedures of Art. 30-2-b. Validity of devices prior to EIDAS by art. 51.1
  • Aspects to be taken into account for the issuance of website certificates and signing of executable code in CAB Forum contexts: Baseline Requirements, Extended Validation (EV) Guidelines.
  • Criteria for verification of identity in RA activities according to articles 24-1-b and 24-1-d. Video identification criteria published by SEPBLAC in the framework of Law 10/2010.
  • TSL lists (Trusted Lists). Standard TS 119 612. Information reflected in the lists. Checking the validity of qualified certificates issued in the valid phase of providers whose qualification has been withdrawn.
  • Rules for the use of the European Qualification Mark EIDAS

Level 3. Training for Trusted Services Auditors and Conformity Assessors

It describes the conformity assessment framework, the accreditation bodies, the requirements for conformity assessment bodies and the requirements for auditors.

Students who have attended all 3 levels of training will be able to take a professional certification exam that will qualify them as EIDAS auditors in the Trust Conformity Assessment Body Scheme. Students who pass the exam will gain a level of professional qualification to participate as junior auditors in conformity assessment audits and will be eligible to accompany senior auditors in TCAB audits. After participating in 3 audits they will be qualified as a senior auditor.

In the third-level training, teachers will use English and Spanish as working languages throughout the classes.

The following topics are covered:

  • Evolution of the conformity assessment framework for trusted services. Order of 21 February 2000 approving the Regulation on the accreditation of certification service providers and the certification of certain electronic signature products.
  • EIDAS supervision model. List of Member States’ supervisors.
  • EIDAS accreditation model. List of Member States’ accreditation bodies.
  • EIDAS evaluation model. List of evaluation bodies in the Member States.
  • Requirements for CABs to achieve accreditation. EN 319 403, ISO 17065, criteria and specific accreditation process for the certification of trusted electronic services regulated by Regulation (EU) No 910/2014 (eIDAS) (ENAC RDE-16 Standard)
  • Recommendations for planning an audit: Documentary review phase, face-to-face phase, identification of evidence, information guidelines to be reflected in the Conformity Assessment Report (CAR).
  • Evaluation procedure. Review of the report, approval of the certification.
  • Monitoring of the entities evaluated. Extension of the scope of the evaluation.
  • General requirements for auditors and prior conditions for accreditation. Ethical principles for auditors. Independence and impartiality criteria.
  • Stakeholders and interaction guidelines.
  • Typical course of an audit project.
  • Recommendation for action and approach during audits.
  • Requirements and outline of evaluation reports.
  • CAR model for auditors
  • Conditions for the Issuance of the Certificate. Phases of the certification process.
  • Rules for the use of the European Qualification Mark EIDAS, and other marks associated with the evaluation, ENAC, CAB,…
  • General structure of certification approval. TCAB organization for the approval of certifications. Committee of interested parties.

For more information, call TCAB at +34 91 3880789 or fill in the form.

Blockchain keeps growing in Spain

AMETIC, Blockchain

As stated in a recent study published by AMETIC, blockchain and related investments in Spain will reach a volume of about 103.5 million dollars in 2020, and that trend will be maintained through 2023, growing at a rate of 53% until it amounts to 378 million dollars.

The financial sector will lead investment in blockchain projects, while the industrial sector will be where the major players operate, playing a major role in applying the technology.

According to the study, one in every ten companies in Spain currently uses blockchain in some of its projects or products, and the best-regarded features of the technology are the security of transactions (when correctly used and maintained) and the possibility of using it for strong digital identity verification.

Finally, 41% of the companies not using blockchain technology in any project or product state that they do not know how blockchain technology could make any difference to their activity. Another 32% state that, even knowing the technology, implementing it would clash with their current operations.