Identity proofing is not an eIDAS trusted service by itself, but a component of other trusted services. A remote identity proofing service component can be used by many different trust services.
Providers of remote identification services based on video and audio transmission systems from the applicant’s equipment can be audited according to ETSI EN 319 403-1 so that this audit can subsequently be used by a qualified certificate issuing service provider without this part of the service having to be audited again.
The standard used to assess providers of remote identification services is the recently published standard ETSI TS 119 461. This standard has been developed taking into account the following aspects:
- It is based on ETSI EN 319 401 which contains common requirements for all trust services.
- It includes specific requirements for the verification of the identity of natural persons.
- It compiles best practice requirements on how to use certain means to implement the three tasks of “collection of attributes and electronic evidence”, “verification of electronic attributes and evidence’, and ‘binding the requested action (e.g. issuing a certificate) to the identity of the applicant’.
- It specifies how identity proofing processes can be constructed by combining means to achieve the basic desired outcome of the identity proofing process.
- It links to the requirements of section 6.2 of EN 319 411-1 and EN 319 411-2 by indicating ways to fulfil these requirements by remote identification.
- Although it lays down specific requirements for providing qualified trust services, e.g. issuing of qualified certificates of natural persons, the identity verification service is not a qualified service by itself.
The security requirements of ETSI TS 119 461 cover the most common risks, which fall into two main categories:
- Forged evidence: An applicant falsely claims an identity using forged means of evidence.
- Impersonation: An applicant uses valid means of evidence associated with another person.
Potential operational risks and social engineering risks are also taken into account.