Category: #eIdAS

Trust services training

Filed under: #eIdAS, Accreditation, Audit, EIDAS auditor certification, Conformity Assessment Body (CAB), eIDAS, Electronic Trust Service Providers, Conformity assessment, Digital Trust Services. No comments.

New dates for training on trust services:

  • Level 1 (2 days): Training for advanced users of electronic trust services (25 and 26 October 2022). Fee: €1,000 + VAT.
  • Level 2 (2 days): Training for Trusted e-Services providers’ staff (15 and 17 November 2022). Fee: €1,000 + VAT.
  • Level 3 (2 days): Training for EIDAS Trusted e-Services Auditor candidates (29 November and 1 December 2022). Fee: €2,500 + VAT. It includes accompaniment as a trainee auditor in 4 EIDAS audits.

Online training, held from 16:00 to 20:00 (Central European Time, UTC+1).

On this occasion, a special price has been defined to thank the people who contacted us following the announcement we made a few months ago, “EIDAS specialist training and auditor certification”:

  • Level 1 (2 days). Promotion: €450 + VAT
  • Level 1 + Level 2 (4 days). Promotion: €1,000 + VAT
  • Level 1 + Level 2 + Level 3 (6 days). Promotion: €2,500 + VAT

In addition to the training, it is possible to obtain the associated professional certification by passing a level exam:

  • Professional certification “Trusted e-Services Specialist”. Level 1. Examination fee: €200 + VAT.
  • Professional certification “Trusted e-Services Company Professional”. Level 2. Examination fee: €400 + VAT. You must have passed, or be pending assessment of, the level 1 exam.
  • Professional certification “Evaluator of digital trust services companies”. Level 3. Examination fee: €600 + VAT. The level 2 exam must be passed or pending assessment. 4 EIDAS audits must be carried out as “trainee auditor” to become a fully qualified auditor.

Registration Form: Formulario_formacion-EIDAS-TCAB-2022

Download the full brochure: Brochure_training-EIDAS-TCAB-2022

Remote identification component for EIDAS certificate issuance services

Filed under: #eIdAS, Audit, Qualified certificates, Conformity Assessment, Electronic Trust Services, EN 319 411-1, EN 319 411-2, Remote identification, SEPBLAC, TS 119 461, Video onboarding. No comments.

Identity proofing is not an eIDAS trust service by itself but a component of other trust services; a single remote identity proofing service component can be used by many different trust services.

Providers of remote identification services based on video and audio transmission from the applicant’s equipment can be audited according to ETSI EN 319 403-1, so that the audit can subsequently be relied on by a qualified certificate issuing service provider without this part of the service having to be audited again.

The standard used to assess providers of remote identification services is the recently published ETSI TS 119 461. This standard was developed taking the following aspects into account:

  • It is based on ETSI EN 319 401, which contains common requirements for all trust services.
  • It includes specific requirements for the verification of the identity of natural persons:
      1. It compiles best-practice requirements on how to use certain means to implement the three tasks of “collection of attributes and electronic evidence”, “verification of electronic attributes and evidence”, and “binding the requested action (e.g. issuing a certificate) to the identity of the applicant”.
      2. It specifies how identity proofing processes can be constructed by combining means to achieve the basic desired outcome of the identity proofing process.
  • It links to the requirements of section 6.2 of EN 319 411-1 and EN 319 411-2 by indicating ways to fulfil these requirements by remote identification.
  • Although it lays down specific requirements for providing qualified trust services, e.g. issuing qualified certificates to natural persons, the identity verification service is not a qualified service by itself.

The security requirements of ETSI TS 119 461 cover the most common risks, which fall into two main categories:

  • Forged evidence: An applicant falsely claims an identity using forged means of evidence.
  • Impersonation: An applicant uses valid means of evidence associated with another person.

Potential operational risks and social engineering risks are also taken into account.

A new ETSI standard for the JADES signature

Filed under: #eIdAS, Electronic Signatures, JSON Signatures. One comment.

ETSI has just unveiled ETSI TS 119 182-1, a specification for JSON Web Electronic Signatures or Seals supported by PKI and public key certificates. It authenticates the origin of transactions, ensuring that they are bound to their originator and that access to sensitive resources can be controlled.

This standard is a major achievement for the interoperability of digital signatures across a range of applications in today’s digital economy, including the banking and financial world where, so far, some 4,000 banks were using various private signing procedures for their APIs to secure their online transactions.

Called JAdES, ETSI TS 119 182-1 supports secure communications fulfilling the requirements of the European Union eIDAS Regulation (No 910/2014) for advanced electronic signatures and seals, as well as regulatory requirements for services such as open banking.

This JAdES digital signature specification is based on JSON Web Signature and contains the features already defined in the related ETSI standards for AdES (advanced electronic signature/seal) applied to other data formats including XML, PDF and binary. The standard was developed with contributions from a number of stakeholders including representatives from the banking sector who, through Open Banking Europe, have brought their operational requirements to align European APIs onto one security model.

Nick Pope, Vice-Chair of the ETSI technical committee on Electronic Signatures and Infrastructures (ESI) comments: “The ETSI JAdES standard builds on ETSI’s decades of experience in defining standards for applying digital signatures to a variety of document formats to provide evidence of their authenticity supported by European Regulations. Working with Open Banking Europe, ETSI has developed a solution which matches the requirements of Open Banking APIs whilst assuring the authenticity of financial transactions.”

ETSI TS 119 182-1 can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, etc., and is applicable to any electronic communication. The technical features of the specification can therefore be applied to PKI-based digital signature technology in both regulated and general commercial environments.

“As PSD2 and open banking move towards Open Finance standard, APIs are essential not just in Europe but globally. Open Banking Europe is proud to be part of the ETSI ongoing standardization work and bring its operational requirements to solve practical problems,” adds John Broxis, Managing Director, Open Banking Europe.

Electronic commerce has emerged as a frequent way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued development of electronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect digital signatures are an important security component that can be used to protect information, provide trust in electronic business and prevent tampering.

With this new standard ETSI meets the general requirements of the international community to provide trust and confidence in electronic transactions.

Electronic notices and registered e-mail are essential in long-distance relationships.

Filed under: #eIdAS, Audit, Conformity Assessment, Conformity Assessment Body, electronic delivery, Electronic Trust Services, Certified delivery, notifications. No comments.

As streets, businesses, and public buildings emptied, other places took center stage. Electronic notifications were already doing so, but they are another of the protagonists of this period of State of Alarm due to the COVID-19 pandemic.

An electronic system of notifications allows any type of natural or legal person to receive the different notices and documents that the Public Administrations have issued in digital format.

The Tax Agency, the Directorate General of Traffic, and the Social Security are the main issuing bodies of this type of notification that allow public entities to make significant savings in terms of messaging and users to save travel time as they no longer have to be present when the notification is delivered.

The private sector has also developed reliable notification systems, which can now be adapted to the requirements of EU Regulation 910/2014 (EIDAS) and can thus be converted into certified delivery systems. This is provided for in Articles 43 and 44 of the EIDAS Regulation:

Article 43 – Legal effect of an electronic registered delivery service

1.   Data sent and received using an electronic registered delivery service shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic registered delivery service.

2.   Data sent and received using a qualified electronic registered delivery service shall enjoy the presumption of the integrity of the data, the sending of that data by the identified sender, its receipt by the identified addressee and the accuracy of the date and time of sending and receipt indicated by the qualified electronic registered delivery service.

Article 44 – Requirements for qualified electronic registered delivery services

1.   Qualified electronic registered delivery services shall meet the following requirements:

(a) they are provided by one or more qualified trust service provider(s);
(b) they ensure with a high level of confidence the identification of the sender;
(c) they ensure the identification of the addressee before the delivery of the data;
(d) the sending and receiving of data is secured by an advanced electronic signature or an advanced electronic seal of a qualified trust service provider in such a manner as to preclude the possibility of the data being changed undetectably;
(e) any change of the data needed for the purpose of sending or receiving the data is clearly indicated to the sender and addressee of the data;
(f) the date and time of sending, receiving and any change of data are indicated by a qualified electronic time stamp.

In the event of the data being transferred between two or more qualified trust service providers, the requirements in points (a) to (f) shall apply to all the qualified trust service providers.

2.   The Commission may, by means of implementing acts, establish reference numbers of standards for processes for sending and receiving data. Compliance with the requirements laid down in paragraph 1 shall be presumed where the process for sending and receiving data meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Although the Commission has not published standards that provide a presumption of compliance, ETSI has published the following evaluation standards:

  • EN 319 521 – Policy & security requirements for electronic registered delivery service providers
  • EN 319 531 – Policy & security requirements for registered electronic mail (REM) service providers

At TCAB we are in a position to assess electronic registered delivery service providers according to eIDAS and ETSI standards. Call us at +34 91 388 0789 to clarify your doubts.

Electronic or digital signature and seal

Filed under: #eIdAS, Advanced Signature, Electronic Certificates, electronic delivery, EN 319 412, Qualified Signature, Qualified Seal, Secure Signature Creation Devices. No comments.

Electronic signatures and electronic seals are cryptographic operations that associate a document (the signed or sealed document) with the identity of a natural or legal person.

Both operations are technically similar. Their main difference is that the electronic signature is associated with a natural person and the electronic seal is associated with a legal person.

When the electronic signature is created with an electronic certificate and its associated private key, there are different variants:

  • Advanced Signature. There are no special requirements regarding the certificate.
  • Semi-qualified Signature. The certificate must be qualified, i.e. it must contain the OID “id-etsi-qcs-QcCompliance” 0.4.0.1862.1.1 (qcs-QcCompliance(1)).
  • Qualified Signature. The certificate must be qualified and based on a qualified device, i.e. it must contain the OID “id-etsi-qcs-QcCompliance” 0.4.0.1862.1.1 (qcs-QcCompliance(1)) and the OID “id-etsi-qcs-QcSSCD” 0.4.0.1862.1.4 (qcs-QcSSCD(4)).

Similarly, when the electronic seal is created with an electronic certificate and its associated private key, the same variants occur:

  • Advanced Seal. There are no special requirements regarding the certificate.
  • Semi-qualified Seal. The certificate must be qualified, i.e. it must contain the OID “id-etsi-qcs-QcCompliance” 0.4.0.1862.1.1 (qcs-QcCompliance(1)).
  • Qualified Seal. The certificate must be qualified and based on a qualified device, i.e. it must contain the OID “id-etsi-qcs-QcCompliance” 0.4.0.1862.1.1 (qcs-QcCompliance(1)) and the OID “id-etsi-qcs-QcSSCD” 0.4.0.1862.1.4 (qcs-QcSSCD(4)).

Further technical details can be found in ETSI standard EN 319 412-5.
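The rule above can be checked mechanically on a certificate’s qcStatements extension. The following Python script is an added example, not code from the original post or from TCAB: it decodes the DER structure of the extension (a SEQUENCE OF QCStatement, each carrying a statementId OID), and classifies the certificate as advanced (no QcCompliance), semi-qualified (QcCompliance only) or qualified (QcCompliance plus QcSSCD). It goes one step beyond the post by also reading the QcType statement (OID 0.4.0.1862.1.6, defined in EN 319 412-5 but not mentioned above) to tell a natural-person signature certificate from a legal-person seal certificate. The DER helpers, the constants and the sample extension bytes are all constructed here; the script uses only the standard library and does not depend on a real certificate.

```python
# Added example (not code from the original post): decode a certificate's qcStatements
# extension (ETSI EN 319 412-5) and classify it into the variants described above.

QC_COMPLIANCE = "0.4.0.1862.1.1"  # id-etsi-qcs-QcCompliance: qualified certificate
QC_SSCD = "0.4.0.1862.1.4"        # id-etsi-qcs-QcSSCD: key held on a qualified device
QC_TYPE = "0.4.0.1862.1.6"        # id-etsi-qcs-QcType (EN 319 412-5; not quoted above)
QC_TYPE_NAMES = {"0.4.0.1862.1.6.1": "electronic signature (natural person)",
                 "0.4.0.1862.1.6.2": "electronic seal (legal person)",
                 "0.4.0.1862.1.6.3": "website authentication"}

def _der(tag: int, content: bytes) -> bytes:
    """Wrap content in a DER TLV; the short length form is enough for the sample."""
    return bytes([tag, len(content)]) + content

def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            groups.append((arc & 0x7F) | 0x80)  # continuation bit on all but the last group
        body.extend(reversed(groups))
    return _der(0x06, bytes(body))

def der_sequence(*items: bytes) -> bytes:
    return _der(0x30, b"".join(items))

def _read_tlv(buf: bytes, pos: int):
    """Read one DER element at buf[pos]; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length octets that follow
        count = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + count], "big"), pos + count
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content: bytes) -> str:
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    if not content:
        raise ValueError("empty OID")
    arcs = [2, content[0] - 80] if content[0] >= 80 else [content[0] // 40, content[0] % 40]
    value, pending = 0, False
    for b in content[1:]:
        value, pending = (value << 7) | (b & 0x7F), bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))

def _sequence_items(content: bytes) -> list:
    items, pos = [], 0
    while pos < len(content):
        tag, value, pos = _read_tlv(content, pos)
        items.append((tag, value))
    return items

def parse_qc_statements(ext_value: bytes) -> list:
    """QCStatements ::= SEQUENCE OF QCStatement { statementId OID, statementInfo ANY OPTIONAL }."""
    tag, body, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("qcStatements is not a single SEQUENCE")
    statements = []
    for stag, stmt in _sequence_items(body):
        otag, oid_content, info_start = _read_tlv(stmt, 0)
        if stag != 0x30 or otag != 0x06:
            raise ValueError("QCStatement must be SEQUENCE { OID, ... }")
        statements.append((decode_oid(oid_content), stmt[info_start:]))
    return statements

def classify_certificate(ext_value: bytes) -> dict:
    """QcCompliance -> qualified cert; with QcSSCD -> qualified device; malformed input is reported, not guessed."""
    try:
        statements = parse_qc_statements(ext_value)
        # QcType's statementInfo is a SEQUENCE OF OID naming what the certificate is for
        types = [QC_TYPE_NAMES.get(decode_oid(v), "unknown")
                 for oid, info in statements if oid == QC_TYPE and info
                 for _, v in _sequence_items(_read_tlv(info, 0)[1])]
    except ValueError as exc:
        return {"level": "malformed", "error": str(exc)}
    ids = {oid for oid, _ in statements}
    level = ("qualified" if QC_COMPLIANCE in ids and QC_SSCD in ids
             else "semi-qualified" if QC_COMPLIANCE in ids else "advanced")
    return {"level": level, "types": types, "statements": sorted(ids)}

def sample_qualified_seal_extension() -> bytes:
    """Constructed sample (not from a real certificate): QcCompliance + QcSSCD + QcType eseal."""
    return der_sequence(der_sequence(encode_oid(QC_COMPLIANCE)), der_sequence(encode_oid(QC_SSCD)),
                        der_sequence(encode_oid(QC_TYPE), der_sequence(encode_oid("0.4.0.1862.1.6.2"))))
```

To apply this to a real certificate, take the raw value of the extension with OID 1.3.6.1.5.5.7.1.3 (id-pe-qcStatements) and pass it to `classify_certificate`. A truncated or mis-tagged extension is returned as `malformed` rather than being silently treated as an advanced certificate, which is the failure mode a relying party most needs to notice.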

Spanish Official Gazette authorizes video identification to get Qualified Certificates

Filed under: #eIdAS, Conformity Assessment Body, Conformity Assessment Body (CAB), Video onboarding. No comments.

The Official Gazette of April 1, 2020 includes Royal Decree-Law 11/2020, of March 31, by which complementary urgent measures are taken in the social and economic field to deal with COVID-19.

Its eleventh additional provision includes “Provisional measures for the issuance of qualified electronic certificates”.

The text of this provision is as follows:

While the state of alarm lasts, as decreed by Royal Decree 463/2020, of March 14, the issuance of qualified electronic certificates will be allowed in accordance with the provisions of article 24.1.d) of Regulation (EU) 910/2014, of July 23, regarding electronic identification and trust services for electronic transactions in the internal market. To this end, the supervisory body will accept those methods of identification by videoconference based on the procedures authorized by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences (SEPBLAC) or recognized for the issuance of qualified certificates by another Member State of the European Union. The equivalence in the security level will be certified by a conformity assessment body. The certificates thus issued will be revoked by the service provider at the end of the state of alarm, and their use will be limited exclusively to the relations between the holder and the public administrations.

TCAB (Trust Conformity Assessment Body) has already carried out audits of this type for entities that provide video identification services. The first one was for Electronic Identification, S.L.

Contact us by calling +34 913 88 07 89 or by email at info at tcab.eu

New ETSI OIDs for signature validation services policies

Filed under: #eIdAS, eIDAS, Electronic Signatures, OID, Qualified electronic signatures Validation, Digital Trust Services, Trust Electronic Services, Trust Service Providers. No comments.

The new draft ETSI TS 119 441 proposes new OIDs for signature validation service policies:

  • itu-t(0) identified-organization(4) etsi(0) VAL SERVICE-policies(9441) policy-identifiers(1) main(1)
  • itu-t(0) identified-organization(4) etsi(0) VAL SERVICE-policies(9441) policy-identifiers(1) qualified(2)

That is:

  • OID 0.4.0.9441.1.1 as the main policy OID for validation services, and
  • OID 0.4.0.9441.1.2 as the policy OID identifying qualified validation services as defined in Articles 32 and 33 of Regulation (EU) 910/2014 (eIDAS).

Article 32 – Requirements for the validation of qualified electronic signatures

1.   The process for the validation of a qualified electronic signature shall confirm the validity of a qualified electronic signature provided that:

(a) the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;
(b) the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;
(c) the signature validation data corresponds to the data provided to the relying party;
(d) the unique set of data representing the signatory in the certificate is correctly provided to the relying party;
(e) the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;
(f) the electronic signature was created by a qualified electronic signature creation device;
(g) the integrity of the signed data has not been compromised;
(h) the requirements provided for in Article 26 were met at the time of signing.

2.   The system used for validating the qualified electronic signature shall provide to the relying party the correct result of the validation process and shall allow the relying party to detect any security relevant issues.

3.   The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 33 – Qualified validation service for qualified electronic signatures

1.   A qualified validation service for qualified electronic signatures may only be provided by a qualified trust service provider who:

(a) provides validation in compliance with Article 32(1); and
(b) allows relying parties to receive the result of the validation process in an automated manner, which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.

2.   The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation service for a qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Degree of EIDAS implementation within the European Union

Filed under: #eIdAS. No comments.

Regulation (EU) No. 910/2014 of the European Parliament and of the Council of July 23, 2014, on electronic identification and trust services in electronic transactions in the internal market (eIDAS), which entered into force on the 1st of July 2016, has experienced an uneven implementation in the different countries of the European Union.

We analyse below the degree of implementation of the eIDAS Regulation in the main countries of the EU:

  • France: There is no national law yet, but there are different procedures and requirements based on ETSI standards. Supervisory body: ANSSI (Agence nationale de la sécurité des systèmes d’information). Link: www.ssi.gouv.fr
  • Germany: There is no national law yet either, but there are different procedures and requirements based on ETSI standards. Supervisory body: BSI (Federal Office for Information Security). Link: www.bsi.bund.de
  • Belgium: The current national law is applied, without connection to the ETSI or CEN standards. The Conformity Assessment Bodies are accredited according to ISO/IEC 17065 + ETSI EN 319 403. Supervisory body: Service public fédéral Économie, P.M.E., Classes moyennes et Énergie. Link: economie.fgov.be/fr
  • Spain: The current National Law 39/2015 applies. There are no specific procedures for Trust Service Providers. Supervisory body: Ministry of Energy, Tourism and Digital Agenda (MINETUR). Link: https://sede.minetur.gob.es/
  • Italy: There is no national law yet, but the country has a national accreditation system, based on EN 319 403, administered by ACCREDIA (2 CABs accredited: VERITAS and CSQA). Supervisory body: Agenzia per l’Italia Digitale. Link: www.agid.gov.it/
  • Netherlands: There is no national law yet, but there are national procedures for notifications of non-compliance and for accreditation of the CABs. Supervisory bodies: Authority for Consumers and Markets and Agentschap Telecom. Links: https://www.acm.nl/en and https://www.agentschaptelecom.nl/
  • United Kingdom: The national law for the application of eIDAS defines the applicable procedures for each type of trust service in the UK. Supervisory body: The Information Commissioner. Link: https://ico.org.uk/

Please, click here to view the full chart.

EIDAS celebrates its first anniversary

Filed under: #eIdAS. No comments.

The first anniversary of eIDAS deserves a brief review of how this Regulation has changed, in many respects, the outlook for trust services in the European Union.

We analyse the main points of the first year of eIDAS:

  • The main novelty of this new Regulation is the harmonisation of the requirements for the mutual recognition of electronic identification at EU level. Therefore, it repeals the previous Directive 1999/93/EC and the respective national laws.
  • The Regulation has created the “EU trust mark”, which clearly distinguishes qualified trust services from other trust services.
  • The Regulation has also introduced the concepts of Qualified Trust Service Providers and Electronic Trust Services. In particular, it has created the following qualified services (those that meet the applicable requirements of Regulation (EU) No 910/2014): electronic signatures and electronic seals. Electronic signatures are intended for individuals and electronic seals for legal entities. In addition, it regulates other trust services such as electronic time stamps, electronic documents, electronic delivery services and website authentication. Qualified Trust Service Providers obtain this status through a Conformity Assessment Report, and a Supervisory Body must audit them at least every 24 months.
  • It specifies new levels of electronic identification, low and substantial. They improve identification mechanisms, such as handwritten signatures on mobile devices or cloud signature solutions.
  • The Regulation has introduced the concept of Electronic Signature at three different levels:
    Electronic Signature: The definition remains the same under eIDAS. The electronic signature has legal effect and is admissible as evidence in legal proceedings.
    Advanced Electronic Signature: It allows the unique identification and authentication of the signer of a document and allows the integrity of the signed document to be checked. The issuance of a digital certificate by a Certification Authority (CA) enables this authentication.
    Qualified Electronic Signature: These are the electronic equivalent of handwritten signatures, and qualified certificates are their foundation. They are the only signatures whose validity is mutually recognised by all EU Member States.
  • Recognition of electronic signatures as evidence at trial within the EU. Article 25 of eIDAS reflects this concept: an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely because it is in electronic form or because it does not meet the requirements for qualified electronic signatures. In fact, a qualified electronic signature has a legal effect equivalent to that of a handwritten signature.
  • The Regulation recognises the admissibility as evidence in a trial, and the legal effect, of electronic signatures.
  • The Regulation creates the EU Trusted Lists. They list the Qualified Electronic Trust Service Providers and the services they offer. TSPs and their services are qualified only if they appear on these lists.
  • Regulation of qualified signature creation devices. They must meet the requirements listed in Annex II of Regulation (EU) 910/2014. The European Commission shall establish, publish and maintain a list of qualified electronic signature/seal creation devices with the information provided by the Member States.
  • Acceptance of remote identification for electronic signatures. Therefore, on-site identification is no longer needed. To ensure the security of the process, other identification means can be used: prior on-site identification, qualified electronic seals or qualified electronic signature certificates.
  • The Regulation establishes that Conformity Assessment Bodies must audit TSPs every 24 months. The purpose of the audit is to confirm that both Qualified TSPs and the electronic trust services they provide meet the requirements of eIDAS.

Main benefits of the introduction of eIDAS

The introduction of the eIDAS Regulation was a necessity at EU level. Prior to its entry into force, the identity documents of citizens from one Member State were not valid in other EU Member States.

Therefore, eIDAS facilitates the provision of cross-border services and allows companies to operate outside their borders. Ultimately, it benefits citizens, businesses and Public Administrations.

The main services where citizens can benefit from eIDAS are the following: paying taxes, public tenders, signing online contracts, economic transactions through electronic banking and online health services, among others.

Source: European Commission

Some keys to Regulation No 910/2014 (EIDAS)

Filed under: #eIdAS. No comments.

We analyse the main keys to Regulation 910/2014 (eIDAS):

I.- Use of cross-border identification and signature systems in eIDAS

The transposition of Directive 1999/93 was uneven, and it never seemed clear enough that electronic signature and identification certificates issued by Certification Service Providers in one Member State had to be accepted by the rest of the Member States.

Since July 1st 2016, the direct application of EU Regulation 910/2014 definitively clarifies this point.

II.- CSPs (Certification Services Providers) are called ETSPs (Electronic Trust Services Providers) in eIDAS

From now on, they are Trust Services Providers (TSPs). And they can issue qualified certificates (equivalent to recognized certificates of Law 59/2003) or non-qualified certificates.

The issuance of natural person certificates is a specific type of trust service and, among them, there are qualified certificates (in the aforementioned law they were called “recognized”). In order to issue this kind of certificate, the Conformity Assessment Body (in Spain, Entidad Nacional de Acreditación (ENAC)) shall submit a notification of its intention, together with a Conformity Assessment Report, to the Supervisory Body (in Spain, the State Secretariat for Telecommunications and Information Society).

If it is able to issue qualified certificates, it will be placed in a trusted list (which each Member State publishes with information on all qualified providers of Trust Services) and may use the “EU” trust mark to indicate the services it provides.

It should be noted that the control mechanisms on all service providers are increased (whether they issue qualified certificates or not), which will be audited every 24 months to confirm that they comply with the provisions of the Regulation.

III.- Liability of Service Providers

They remain liable for damage caused deliberately or negligently to any person due to any breach of the obligations established in the Regulation. However, the limitations on liability of Article 23 of Law 59/2003 no longer exist. The burden of proof lies (i) with the person claiming the damage, when the Provider issues non-qualified certificates, or (ii) with the service provider issuing qualified certificates, who must prove that the damage occurred without intention or negligence on its part.

IV.- Legal Person Certificates

The Regulation does not foresee the issuance of electronic signature certificates to legal persons or entities without legal personality. Such entities only have electronic seals, which make it possible to prove the authenticity of the origin and the integrity of the sealed document.

V.- New regulated services

Apart from the electronic signature (defined in Law 59/2003, in 3 types, electronic signature, advanced and qualified), the Regulation also regulates the electronic seal (there are also 3 kinds), electronic timestamp, certified electronic delivery service, electronic document and website authentication. Recital 55 of the Regulation also opens the possibility of generating qualified electronic signatures such as the mobile signature or the cloud signature, which can greatly boost the market for electronic signatures.

 

Click here to read Regulation 910/2014 (eIDAS).