(A.) Policy and legislation
(A.1) Policy objectives
This relates to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
(A.2) EC perspective and progress report
In the context of the e-signatures Directive, in January 2010, the Commission mandated the ESOs to rationalise the standards for e-signatures and related trust services to form a coherent and up-to-date framework (mandate M/460).
The eIDAS Regulation, adopted on 23 July 2014, addresses in one comprehensive piece of legislation electronic identification, electronic signatures, electronic seals, electronic time stamping, electronic registered delivery services, electronic documents and certificate services for website authentication as core instruments for electronic transactions. To support the implementation of this highly technical regulation, further standardisation work will be needed. In the case of trust services, the planned secondary legislation refers extensively to the availability of standards as possible means to meet the regulatory requirements. Existing standards should be checked to take account of the protection of individuals with regard to personal data processing and the free movement of such data. Specific privacy-by-design standards should be identified and, where needed, developed. The accessibility needs of persons with disabilities should also be taken into account.
- Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
- Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework
- Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means
- Commission Implementing Decision (EU) 2015/1984 of 3 November 2015 defining the circumstances, formats and procedures of notification
- Commission Implementing Regulation (EU) 2015/806 of May 2015 laying down specifications relating to the form of the EU trust mark for qualified trust services
- Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies
- Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists
- Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices
(B.) Requested actions
Action 1 Build on the work done under Mandate M/460, in the following way: support harmonisation of identity proofing, particularly in relation to certificate issuance and remote signing. Define extended validation procedures that can be followed to determine whether a signed document might be wrongly interpreted, even if the signed bytes have not changed.
Action 2 Take ongoing EU policy activities into account in standardisation, e.g. in ISO/IEC JTC 1/SC 27/WG 5 (identity management and privacy technologies) and other working groups of ISO/IEC JTC 1/SC 27. Furthermore, in order to promote the strengths of the European approach to electronic identification and trust services at global level and to foster mutual recognition of electronic identification and trust services with non-EU countries, European and international standards should be aligned wherever possible. The promotion and maintenance of related European approaches, which especially take into account data protection considerations, in international standards should be supported.
Action 3 Support and improve the development of interoperable standards by facilitating the organisation of plugtests (interoperability events) and developing and enhancing conformity testing tools. Such interoperability events may address CAdES, XAdES, PAdES, ASiC, use of trusted lists, signature validation, remote signature creation and validation, e-delivery services, preservation services, etc.
Action 4 Foster the development of standards supporting the implementation of the measures derived from the revision of the eIDAS Regulation, aimed at improving its effectiveness, extending its benefits to the private sector and promoting trusted digital identities for all Europeans.
(C.) Activities and additional information
(C.1) Related standardisation activities
CEN and CENELEC
CEN/TC 224 ‘Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment’ develops standards for strengthening the interoperability and security of personal identification and its related personal devices, systems, operations and privacy. CEN/TC 224 addresses sectors such as Government/Citizen, Transport, Banking and e-Health, as well as consumers and providers from the supply side such as card manufacturers, security technology vendors, conformity assessment bodies and software manufacturers.
CEN-CLC/JTC 19 ‘Blockchain and Distributed Ledger Technologies’ focuses on European requirements for Distributed Ledger Technologies and proceeds with the identification and possible adoption of standards already available or under development in other SDOs (especially ISO TC 307), which could support the EU Digital Single Market and/or EC Directives/Regulations. In the context of the revision of the rules on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation), CEN-CLC/JTC 19 will address the development of standards in support of electronic identification.
Under the standardisation mandate M/460 on e-signatures, ETSI TC ESI provided an initial set of upgraded and new standards within a rationalised framework. ETSI TC ESI provides standards introducing the overall framework of standards, standards for trust service providers supporting digital signatures as well as preservation services and e-delivery services, for (remote) signature creation and validation, for cryptographic suites and for trust service status list providers.
A summary of ETSI TC ESI publications and ongoing work can be found at https://portal.etsi.org/TBSiteMap/ESI/ESIActivities.aspx
The ISO Technical Committee ISO/TC 154, Processes, data elements and documents in commerce, industry and administration, addresses standardisation and registration of business and administration processes and the supporting data used for information interchange between and within individual organizations, and supports standardisation activities in the area of industrial data.
- Requirements and roles & responsibilities for fulfilling trusted e-communications in commerce, industry and administration
- Qualified trust services for long-term signature of kinds of electronic documents
- Validation of long-term signature
- Trusted (or qualified) electronic registered delivery services (or platform)
- Dematerialisation and proof of dematerialisation
- Requirements for providing trusted e-communications in the mobile environment
- Requirements for providing trusted e-communications in the cloud environment
Projects include the ISO 14533 series of standards for Processes, data elements and documents in commerce, industry and administration -- Long term signature profiles.
The ISO Technical Committee ISO/TC 321, Transaction Assurance in e-Commerce, addresses standardisation in the field of “transaction assurance in e-commerce related upstream/downstream processes”, including the following:
- Assurance of transaction process in e-commerce (including easier access to e-platforms and e-stores);
- Protection of online consumer rights including both prevention of online disputes and resolution process;
- Interoperability and admissibility of inspection result data on commodity quality in cross-border e-commerce;
- Assurance of e-commerce delivery to the final consumer.
More info: https://www.iso.org/committee/7145156.html
ISO/IEC JTC 1
ISO/IEC JTC 1/SC 37, Biometrics, is responsible for the standardisation of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems. Generic human biometric standards include: common file frameworks, biometric application programming interfaces, biometric data interchange formats, related biometric profiles and other standards in support of technical implementation of biometric systems, evaluation criteria for biometric technologies, methodologies for performance testing and reporting, and cross-jurisdictional and societal aspects of biometric implementation. The complete list of standards published or under development can be found on the SC 37 homepage:
Published standards and ongoing projects related to the topics include the series of biometric data interchange standards for different biometric modalities, biometric technical interfaces, related biometric profiles and other standards in support of technical implementation of biometric systems, and cross-jurisdictional and societal aspects of biometric implementation. Representative projects include revisions to some of the ISO/IEC 19794 series for Biometric data interchange formats, the ISO/IEC 29794 series for Biometric sample quality and the ISO/IEC 39794 series for Extensible biometric data interchange formats. These projects include generic extensible data interchange formats for the representation of data: a tagged binary data format based on an extensible specification in ASN.1 and a textual data format based on an XML schema definition (both capable of holding the same information). The ISO/IEC 30107 series for Biometric presentation attack detection and the ISO/IEC 24779 series for Cross-jurisdictional and societal aspects of implementation of biometric technologies - pictograms, icons and symbols for use with biometric systems are multi-part standards of relevance.
ISO/IEC JTC 1/SC 27, Information security, cybersecurity and privacy protection, is responsible for international IT security standardisation. The standards most relevant to electronic identification and trust services are developed by SC 27/WG 5, Identity Management and Privacy Technologies. After completion of the foundational frameworks, specifically the ISO/IEC 24760 series (A framework for identity management) and ISO/IEC 29100 (Privacy framework), the priorities for WG 5 are related standards and Standing Documents on supporting technologies, models and methodologies. WG 5’s projects include:
- A framework for identity management – Part 1: Terminology and concepts (ISO/IEC 24760-1, 2nd edition:2019)
- A framework for identity management – Part 2: Reference framework and requirements (ISO/IEC 24760-2, 1st edition:2015)
- A framework for identity management – Part 3: Reference framework and requirements (ISO/IEC 24760-3, 1st edition:2016)
- Privacy framework (ISO/IEC 29100, 1st edition:2011; Amendment 1:2018)
- Privacy architecture framework (ISO/IEC 29101, 2nd edition:2018)
- A framework for access management (ISO/IEC 29146, 1st edition:2016)
- Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, 1st edition:2012)
- Privacy enhancing data de-identification terminology and classification of techniques (ISO/IEC 20889, 1st edition:2018)
- Privacy impact assessment – methodology (ISO/IEC 29134, 1st edition:2017)
- Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management – Requirements and guidelines (ISO/IEC 27701, 1st edition:2019)
- WG 5 Standing Document 2 – “Privacy references list”
- WG 5 Standing Document 4 – “Standards Privacy Assessment”
ISO/IEC JTC 1 SC 27 is working in close collaboration with CEN/CLC/JTC 13 ‘Cybersecurity and Data protection’ on eIDAS related standardisation activity.
ISO/IEC JTC 1/SC 17, Cards and security devices for personal identification, is responsible for the standardisation of such cards and devices and of the interfaces associated with their use in inter-industry applications and international interchange, in the area of:
- Identification and related documents;
- Security devices and tokens.
ITU-T SG3 is responsible, inter alia, for studying international telecommunication/ICT policy and economic issues and tariff and accounting matters (including costing principles and methodologies), with a view to informing the development of enabling regulatory models and frameworks. SG3 is also tasked with a study on the economic and regulatory impact of the Internet, convergence (services or infrastructure) and new services. SG3 is currently working on a guideline for digital identity under the new Question 9/3 - economic and policy aspects of big data and digital identity in international telecommunications services and networks. SG3 has a draft Recommendation on “Guidelines for digital identity” (D.DigID) under development. More info: http://itu.int/ITU-T/go/tsg3
ITU-T SG13 published three technical reports on trust provisioning for future ICT infrastructures and services and five Recommendations (ITU-T Y.3051-Y.3055). There are currently seven more work items under development covering areas such as Decentralized Trustworthy Network Infrastructure (Y.DNI-fr), trust index for ICT infrastructures and services (Y.trust-index) etc. SG13 is developing a Standardisation roadmap on Trustworthy Networking and Services including Quantum Enhanced Networks: https://www.itu.int/itu-t/workprog/wp_item.aspx?isn=16495
ITU-T SG13 also studies quantum technologies, in particular quantum key distribution networks (QKDN), to increase the security of network communications. It approved four Recommendations (ITU-T Y.3800-3804) and has seven open work items on QKDN. A flipbook “Trust in ICT” (2017) gives a snapshot of the main concepts of trust as applied to ICT and an overview of standardisation efforts worldwide to date: https://www.itu.int/en/publications/Documents/tsb/2017-Trust-in-ICT-2017/index.html
More info: http://itu.int/ITU-T/go/tsg13
ITU-T SG17 is responsible for studying and coordinating work on security and identity management. It has approved Recommendations ITU-T X.1058 “Information technology - Security techniques - Code of practice for Personally Identifiable Information protection”, ITU-T X.1148 “Framework of de-identification process for telecommunication service providers”, ITU-T X.1212 “Design considerations for improved end-user perception of trustworthiness indicators”, ITU-T X.1250 “Baseline capabilities for enhanced global identity management and interoperability”, ITU-T X.1252 “Baseline identity management terms and definitions”, ITU-T X.1403 “Security considerations for using distributed ledger technology data in identity management”, ITU-T X.1451 “Risk identification to optimize authentication” and ITU-T X.1363 “Technical framework of personally identifiable information (PII) handling system in IoT environment”, and is developing six draft Recommendations in this domain (X.5Gsec-t, X.sec-QKDN-tn, X.smsrc, X.scpa, X.sgos, X.rdda). More info: http://itu.int/ITU-T/go/tsg17
ITU-T SG20 is the lead study group for IoT identification. It studies, among other things, what identification systems are capable of in terms of fulfilling the requirements of IoT and SC&C, including security, privacy and trust; how authentication technologies can work with identification systems; what options or measures are available for the identification of IoT objects; and how identification mechanisms can support interoperability in IoT and SC&C and mitigate risks. It approved Recommendations ITU-T Y.4459 “Digital entity architecture framework for IoT interoperability”, ITU-T Y.4807 “Agility by design for Telecommunications/ICT Systems Security used in the Internet of Things”, ITU-T Y.4808 “Digital entity architecture framework to combat counterfeiting in IoT”, etc. It is currently working on several draft Recommendations on the topic (Y.IoT-IoD-PT, Y.Data.Sec.IoT-Dev, Y.FW.IC.MDSC, Y.IoT-Ath-SC, Y.IoT-CSIADE-fw, Y.IoT-ITS-ID, Y.IoT-Smartcity-Risk, Y.oneM2M.SEC.SOL). More info: http://itu.int/ITU-T/go/tsg20
Under the Security, Infrastructure and Trust Working Group led by ITU under the Financial Inclusion Global Initiative (a joint programme of the ITU, World Bank and Bank for International Settlements, supported by the Gates Foundation), studies on applications of strong authentication technologies for digital financial services (DFS) are being undertaken. The studies describe several widely adopted technical and policy standards that support strong authentication mechanisms. The examples of strong and advanced authentication systems are categorised as serving either enrolment or authentication for the use of DFS; these two use-case categories primarily affect users of DFS. The use of identity verification and authentication systems based on DLT is also being studied. See Report: https://www.itu.int/en/ITU-T/extcoop/figisymposium/Documents/ITU_SIT_WG_Implementation%20of%20Secure%20Authentication%20Technologies%20for%20DFS.pd
The United Nations Economic Commission for Europe in its Recommendation 14 outlines base elements to take into account in the use of electronic authentication methods. It recommends that the authentication methods should be chosen in light of the nature of the electronic transaction and the relationship between the parties involved in the exchange. Not all electronic exchanges require the highest level of reliability.
See (also available in French and Russian): http://www.unece.org/fileadmin/DAM/cefact/recommendations/rec14/ECE_TRADE_C_CEFACT_2014_6E_Rec14.pdf
Further work is being developed on this topic within UN/CEFACT. See:
The OASIS Security Services (SAML) TC maintains and extends the widely used Security Assertion Markup Language (SAML, also ITU-T Recommendation X.1141) standard. A profile of SAML is used for cross-border identification and authentication of citizens in the eIDAS nodes provided by the eID Building Block of the Connecting Europe Facility (CEF). SAML is also used at national level in Member States.
The OASIS Trust Elevation TC defines a set of standardized protocols that service providers may use to elevate the trust in an electronic identity credential presented to them for authentication.
The OASIS DSS-X TC defines standard Digital Signature Service Core Protocols, Elements, and Bindings. The latest version provides both JSON- and XML-based request/response protocols for signing and verifying, including updated timestamp formats, transport and security bindings and metadata discovery methods. This TC works in close liaison with the ETSI Electronic Signatures and Infrastructures (ESI) TC.
The OASIS ebXML Messaging TC maintains the OASIS ebMS3 standard (also ISO 15000-1) and the AS4 standard (also ISO 15000-2). AS4 is profiled as the message exchange protocol of the eDelivery Building Block of the Connecting Europe Facility. Several dozen policy domains use eDelivery for the cross-border secure and reliable exchange of documents and data. AS4 is also used in the EESSI system for the digitalisation of social security coordination.
The OASIS Business Document Exchange TC provides complementary eDelivery specifications for service location and capability lookup.
The OpenID Foundation develops a set of standards and related certification profiles addressing identity transactions over the internet. Active working groups in this area include: the OpenID Connect WG, AccountChooser WG, Native Applications WG, Mobile Operator Discovery, Registration and Authentication WG (MODRNA), Health Related Data Sharing WG (HEART), and Risk and Incident Sharing and Coordination WG (RISC). More info: http://openid.net/wg/
The Web Authorization Protocol (OAUTH) WG developed a protocol suite that allows a user to grant a third-party website or application access to the user’s protected resources without necessarily revealing their long-term credentials, or even their identity. It also developed security schemes for presenting authorisation tokens to access a protected resource.
The ongoing standardisation effort within the OAUTH Working Group is focusing on enhancing interoperability of OAUTH deployments.
The Public Notary Transparency (TRANS) WG develops a standards-track specification of the Certificate Transparency protocol (RFC 6962), which allows detection of the mis-issuance of certificates issued by CAs or via ad-hoc mapping by maintaining cryptographically verifiable audit logs.
The Automated Certificate Management Environment (ACME) WG specifies conventions for automated X.509 certificate management, including validation of control over an identifier, certificate issuance, certificate renewal, and certificate revocation. The initial focus of the ACME WG is on domain name certificates (as used by web servers), but other uses of certificates can be considered as work progresses.
The W3C Credentials Community Group discusses credential storage and exchange systems for the web. Some of their ideas are being discussed in the Web Payments Interest Group via the Verifiable Claims Task Force (as of January 2016).
The Verifiable Claims Working Group specifies ways to make expressing, exchanging, and verifying claims easier and more secure on the Web. It released the Verifiable Credentials Data Model 1.0 Proposed Recommendation on 05 September 2019. This specification provides a mechanism to express these sorts of credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable. The W3C Note of 24 September 2019 is a collection of use cases for the Verifiable Credentials Data Model 1.0 and helps to better understand that Specification.
The IEEE has standards and pre-standards activities relevant to Electronic Identification and Trust Services, including dealing with blockchain technology and biometric identification. More information can be found at: https://ieeesa.io/rp-eidentification
Other activities related to standardisation
e-SENS (Electronic Simple European Networked Services) is a large-scale pilot launched within the ICT Policy Support Programme (ICT PSP), under the Competitiveness and Innovation Framework Programme (CIP). The aim of the project is to develop an infrastructure for interoperable public services in Europe. It builds upon and consolidates building blocks such as eID, e-Documents, e-Delivery and e-Signature from previous pilot projects and integrates them into a European digital platform for cross-sector, interoperable eGovernment services.
STORK was an EU co-funded project to establish a European eID interoperability platform that allows citizens to establish new e-relations across borders just by presenting their national eID.
The STORK 2.0 project was the continuation of STORK and has worked on extending the specification to roles and mandates.
In the context of the eIDAS Regulation and the implementing act on the interoperability framework for eID, technical specifications are being developed for the eIDAS nodes. These technical specifications provide further details on the technical requirements set out in the Regulation. The specifications for the eIDAS nodes were developed through Member State collaboration in a technical sub-committee of the eIDAS Expert Group.
Scoping the single European digital identity community — SSEDIC https://joinup.ec.europa.eu/collection/eidentity-and-esignature/document/ssedic-scoping-single-european-digital-identity-community-ssedic
Future of identity in the information society — FIDIS http://www.fidis.net
Privacy and identity management for Europe — PRIME https://www.prime-project.eu