ELECTRONIC IDENTIFICATION AND TRUST SERVICES including e-signatures

(A.) Policy and legislation

(A.1) Policy objectives

This relates to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

(A.2) EC perspective and progress report

The eIDAS Regulation, adopted on 23 July 2014, addresses in one comprehensive piece of legislation electronic identification, electronic signatures, electronic seals, electronic time stamping, electronic registered delivery services, electronic documents and certificate services for website authentication as core instruments for electronic transactions. On 3 June 2021 the Commission adopted a proposal to amend the eIDAS Regulation. It proposes a Digital Identity framework with European Digital Identity Wallets offering secure and easy access to different services, both public and private. The wallet is required to support privacy by design, allowing users full control over personal data including the identity attributes that may be revealed through the wallet. Also, the wallet is to be certified to a high level of security. In addition, it creates a new qualified trust service for attestation of attributes concerning information related to identity, such as addresses, age, gender, civil status, family composition, nationality, educational and professional qualifications and titles, licenses, other permits and payment data, that can be offered, shared and exchanged across borders, in full security, with data protection and with legal effect across borders. The proposed European Digital Identity Framework also introduces additional trust services for the management of a remote electronic qualified signature creation device, electronic archiving and electronic ledgers.

The Commission will work with Member States and the private sector to establish technical and operational specifications, and reference standards for the requirements of the proposed European Digital Identity framework. The requirements include issuance and exchange of selected attestations of attributes, the functionality and security of the European Digital Identity Wallets, the assurance of the European Digital Identity framework including certification of the wallet, identity proofing and governance. Standardisation Bodies will be consulted, and existing international and European standards and technical specifications should be re-used where appropriate.

For the European Digital Identity Framework, and also to support the remainder of the eIDAS Regulation, further standardisation work will be needed, because the planned secondary legislation may refer to the availability of standards as a possible means to meet the regulatory requirements. Existing standards that meet the requirements of the proposed framework should therefore be identified, and new standards and guidelines are likely to have to be drafted to facilitate the implementation of the proposed new trust services of electronic archiving, attestation of attributes, the management of remote electronic signature and seal creation devices, and electronic ledgers.

(A.3) References

(B.) Requested actions

Action 1 Take ongoing EU policy activities into account in standardisation, e.g. in ISO/IEC JTC 1/SC 27/WG 5 (identity management and privacy technologies) and other working groups of ISO/IEC JTC 1/SC 27. Furthermore, in order to promote the strengths of the European approach to electronic identification and trust services at global level, and to foster mutual recognition of electronic identification and trust services with non-EU countries, European and international standards should be aligned wherever possible. The promotion and maintenance in international standards of related European approaches, which especially take into account data protection considerations, should be supported.

Action 2 As required under the proposed regulatory framework for European Digital Identities, prepare standards for:

  • interfaces between the European Digital Identity Wallet and trust services as well as services for signing by means of electronic signatures and seals
  • interfaces between the European Digital Identity Wallet and relying parties
  • security evaluation and certification of the European Digital Identity Wallet
  • protocol and security standards for new trust services including electronic attestation of attributes, electronic archiving and electronic ledgers
  • supporting additional requirements for identity proofing and validation of attributes
  • adapting existing standards to take into account new provisions of eIDAS 2.0, including alignment with NIS2 and ensuring that the requirements of privacy by design are met.

Action 3 SDOs to cooperate and work in the areas of identifiers, vocabularies, semantics, taxonomies and ontologies for electronic attestations.

(C.) Activities and additional information

(C.1) Related standardisation activities

CEN and CENELEC

CEN/TC 224 ‘Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment’ develops standards for strengthening the interoperability and security of personal identification and its related personal devices, systems, operations and privacy. CEN/TC 224 addresses sectors such as Government/Citizen, Transport, Banking and e-Health, as well as consumers and providers from the supply side such as card manufacturers, security technology vendors, conformity assessment bodies and software manufacturers.

https://standards.cen.eu/dyn/www/f?p=204:7:0::::FSP_ORG_ID:6205&cs=1FB1CC5B5F03F85F0ECCECA7598551CFC

CEN-CLC/JTC 19 ‘Blockchain and Distributed Ledger Technologies’ focuses on European requirements for Distributed Ledger Technologies and proceeds with the identification and possible adoption of standards already available or under development in other SDOs (especially ISO/TC 307), which could support the EU Digital Single Market and/or EC Directives/Regulations. In the context of the revision of the rules on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation), CEN/CLC/JTC 19/WG 1 was established to address the development of standards in support of decentralized identity management.

https://standards.cen.eu/dyn/www/f?p=204:22:0::::FSP_ORG_ID,FSP_LANG_ID:2702172,25&cs=1C5DF4D2E1D80EA24F5896718E20EA6F3

ETSI

Under the standardisation mandate M/460 on e-signatures, ETSI TC ESI provided an initial set of upgraded and new standards within a rationalized framework. ETSI TC ESI provides standards introducing the overall framework of standards, for trust service providers supporting digital signatures but also preservation services and e-delivery services, for (remote) signature creation and validation, for cryptographic suites and for trust service status list providers.

A summary of ETSI TC ESI publications and ongoing work can be found at https://portal.etsi.org/TBSiteMap/ESI/ESIActivities.aspx

ETSI has published the document SR 019 003 “Possible Standards for eIDAS 2.0” that identifies the potential impact on the framework of standards already published in relation to the proposal to amend the eIDAS Regulation and establish a framework for a European Digital Identity.
The document is available at: https://docbox.etsi.org/esi/open/latest_drafts/ESI-0019003v002%20Public%20review%20draft_SR_019_003_Possible_Standards_for_eIDAS_2_0.pdf

ISO

The ISO Technical Committee ISO/TC 154 Processes, data elements and documents in commerce, industry and administration, addresses standardisation and registration of business and administration processes and supporting data used for information interchange between and within individual organizations, and supports standardisation activities in the area of industrial data.

https://www.iso.org/committee/53186.html

Ongoing work:

  • Requirements and roles & responsibilities for fulfilling trusted e-communications in commerce, industry and administration
  • Qualified trust services for long-term signature of kinds of electronic documents
  • Validation of long-term signature
  • Trusted (or qualified) electronic registered delivery services (or platform)
  • Dematerialisation and proof of dematerialisation
  • Requirements for providing trusted e-communications in the mobile environment
  • Requirements for providing trusted e-communications in the cloud environment

Projects include the ISO 14533 series of standards for Processes, data elements and documents in commerce, industry and administration -- Long term signature profiles.

The ISO Technical Committee ISO/TC 321 Transaction Assurance in e-Commerce addresses standardisation in the field of “transaction assurance in e-commerce related upstream/downstream processes”, including the following:

  • Assurance of transaction process in e-commerce (including easier access to e-platforms and e-stores);
  • Protection of online consumer rights including both prevention of online disputes and resolution process;
  • Interoperability and admissibility of inspection result data on commodity quality in cross-border e-commerce;
  • Assurance of e-commerce delivery to the final consumer.

https://www.iso.org/committee/7145156.html

ISO/IEC JTC 1/SC 37, Biometrics, is responsible for the standardisation of generic biometric technologies pertaining to human beings to support interoperability and data interchange among applications and systems. Generic human biometric standards include: common file frameworks, biometric application programming interfaces, biometric data interchange formats, related biometric profiles and other standards in support of technical implementation of biometric systems, evaluation criteria for biometric technologies, methodologies for performance testing and reporting, and cross-jurisdictional and societal aspects of biometric implementation. The complete list of standards published or under development can be found on the SC 37 homepage:

https://www.iso.org/committee/313770.html

Published standards and ongoing projects related to the topics include the series of biometric data interchange standards for different biometric modalities, biometric technical interfaces, related biometric profiles and other standards in support of technical implementation of biometric systems, and cross-jurisdictional and societal aspects of biometric implementation. Representative projects include revisions to some of the ISO/IEC 19794 series for Biometric data interchange formats, the ISO/IEC 29794 series for Biometric sample quality and the ISO/IEC 39794 series for Extensible biometric data interchange formats. These projects include generic extensible data interchange formats for the representation of data: a tagged binary data format based on an extensible specification in ASN.1 and a textual data format based on an XML schema definition (both capable of holding the same information). The ISO/IEC 30107 series for Biometric presentation attack detection and the ISO/IEC 24779 series for Cross-jurisdictional and societal aspects of implementation of biometric technologies - pictograms, icons and symbols for use with biometric systems are multi-part standards of relevance.

ISO/IEC JTC 1/SC 27, Information security, cybersecurity and privacy protection, is responsible for international IT security standardisation. The standards most relevant to electronic identification and trust services are developed by SC 27/WG 5 Identity Management and Privacy Technologies. After completion of the foundational frameworks, specifically the ISO/IEC 24760 series A framework for identity management and ISO/IEC 29100 Privacy framework, the priorities for WG 5 are related standards and Standing Documents on supporting technologies, models and methodologies. WG 5’s projects include:

  • A framework for identity management – Part 1: Terminology and concepts (ISO/IEC 24760-1, 2nd edition:2019)
  • A framework for identity management – Part 2: Reference framework and requirements (ISO/IEC 24760-2, 1st edition:2015)
  • A framework for identity management – Part 3: Reference framework and requirements (ISO/IEC 24760-3, 1st edition:2016)
  • Privacy framework (ISO/IEC 29100, 1st edition:2011; Amendment 1:2018)
  • Privacy architecture framework (ISO/IEC 29101, 2nd edition:2018)
  • A framework for access management (ISO/IEC 29146, 1st edition:2016)
  • Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, 1st edition:2012)
  • Privacy enhancing data de-identification terminology and classification of techniques (ISO/IEC 20889, 1st edition:2018)
  • Privacy impact assessment – methodology (ISO/IEC 29134, 1st edition:2017)
  • Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management – Requirements and guidelines (ISO/IEC 27701, 1st edition:2019)
  • WG 5 Standing Document 2 – “Privacy references list”
  • WG 5 Standing Document 4 – “Standards Privacy Assessment”

ISO/IEC JTC 1 SC 27 is working in close collaboration with CEN/CLC/JTC 13 ‘Cybersecurity and Data protection’ on eIDAS related standardisation activity.

ISO/IEC JTC 1/SC 17 Cards and security devices for personal identification is responsible for standardisation and the interfaces associated with their use in inter-industry applications and international interchange in the area of:

ITU-T

ITU-T SG2 is responsible for studies related to numbering, naming, addressing and identification, and resource assignment. SG2 is currently working on: updates to Recommendation ITU-T E.118, “The international telecommunication charge card”, to reflect current and future use of Issuer Identifier Numbers (IINs); a new Recommendation ITU-T E.IoT-NNAI, “Internet of Things Naming Numbering Addressing and Identifiers”; and a new Technical Report TR.OTTnum, “Current use of E.164 numbers as identifiers for OTTs”. More info: http://itu.int/ITU-T/go/tsg2

ITU-T SG3 is responsible, inter alia, for studying international telecommunication/ICT policy and economic issues and tariff and accounting matters (including costing principles and methodologies). SG3 has approved ITU-T D.1140/X.1261, “Policy framework including principles for digital identity infrastructure”.
More info: http://itu.int/ITU-T/go/tsg3

ITU-T SG17 is responsible for studying and coordinating the work on ICT security and identity management. It has approved Recommendations ITU-T X.1058 “Information technology - Security techniques - Code of practice for Personally Identifiable Information protection”, ITU-T X.1087 “Technical and operational countermeasures for telebiometric applications using mobile devices”, ITU-T X.1148 “Framework of de-identification process for telecommunication service providers”, ITU-T X.1171 “Threats and requirements for protection of personally identifiable information in applications using tag-based identification”, ITU-T X.1212 “Design considerations for improved end-user perception of trustworthiness indicators”, ITU-T X.1250 “Baseline capabilities for enhanced global identity management and interoperability”, ITU-T X.1252 “Baseline identity management terms and definitions”, ITU-T X.1275 “Guidelines on protection of personally identifiable information in the application of RFID technology”, ITU-T X.1403 “Security considerations for using distributed ledger technology data in identity management”, ITU-T X.1451 “Risk identification to optimize authentication”, ITU-T X.1363 “Technical framework of personally identifiable information (PII) handling system in IoT environment” and ITU-T X.1770 “Technical guidelines for secure multi-party computation”, and is developing many more draft Recommendations in this domain (X.5Gsec-t, X.guide-cdd, X.sec-QKDN-tn, X.smsrc, X.scpa, X.sgos, X.rdda, X.vide, etc.).
More info: http://itu.int/ITU-T/go/tsg17

Under the Security, Infrastructure and Trust Working Group led by ITU under the Financial Inclusion Global Initiative (a joint programme of the ITU, World Bank and Bank for International Settlements, supported by the Gates Foundation), studies on strong authentication technologies and their applications for digital financial services are being undertaken. The use of identity verification and authentication systems based on DLT is also being studied. See the report:

https://www.itu.int/en/ITU-T/extcoop/figisymposium/Documents/ITU_SIT_WG_Implementation%20of%20Secure%20Authentication%20Technologies%20for%20DFS.pdf

UNECE

The United Nations Economic Commission for Europe in its Recommendation 14 outlines the base elements to take into account in the use of electronic authentication methods. It recommends that authentication methods should be chosen in light of the nature of the electronic transaction and the relationship between the parties involved in the exchange. Not all electronic exchanges require the highest level of reliability.

See (available also in French and Russian): http://www.unece.org/fileadmin/DAM/cefact/recommendations/rec14/ECE_TRADE_C_CEFACT_2014_6E_Rec14.pdf

Further work is being developed on this topic within UN/CEFACT. See:

http://www.unece.org/fileadmin/DAM/cefact/cf_plenary/2018_plenary/ECE_TRADE_C_CEFACT_2018_7E.pdf

OASIS

The OASIS Security Services (SAML) TC maintains and extends the widely used Security Assertion Markup Language (SAML, also ITU-T Recommendation X.1141) standard. A profile of SAML is used for cross-border identification and authentication of citizens in the eIDAS nodes provided by the eID Building Block of the Connecting Europe Facility (CEF). SAML is also used at national level in Member States.

The OASIS Trust Elevation TC defines a set of standardized protocols that service providers may use to elevate the trust in an electronic identity credential presented to them for authentication.

The OASIS DSS-X TC defines standard Digital Signature Service Core Protocols, Elements, and Bindings. The latest version provides both JSON- and XML-based request/response protocols for signing and verifying, including updated timestamp formats, transport and security bindings and metadata discovery methods. This TC works in close liaison with the ETSI Electronic Signatures and Infrastructures (ESI) TC.

The OASIS ebXML Message TC maintains the OASIS ebMS3 (also ISO 15000-1) standard and the AS4 standard (also ISO 15000-2). AS4 is profiled as the message exchange protocol of the European Commission’s eDelivery Building Block. Several dozen policy domains use eDelivery for cross-border secure and reliable exchange of documents and data. AS4 is also used in the EESSI system for digitalisation in social security coordination.

The OASIS Business Document Exchange TC provides complementary eDelivery specifications for service location and capability lookup.

The OASIS ebCore TC has delivered version 3 of the CPPA specification. CPPA3 provides standard data definitions and formats for electronic, XML-based protocol profiles and business collaboration agreements, as well as algorithms for formation, matching, discovery and registration. Version 3 is an evolution of work done in the joint ebXML project with UN/CEFACT. It complements other ebXML standards for messaging, including AS4.

OIDF

The OpenID Foundation (OIDF) develops a set of standards and related certification profiles addressing identity transactions over the internet. Active working groups in this area include: the OpenID Connect WG, AccountChooser WG, Native Applications WG, Mobile Operator Discovery, Registration and Authentication WG (MODRNA), Health Related Data Sharing WG (HEART), and Risk and Incident Sharing and Coordination WG (RISC).

http://openid.net/wg/

IETF

The Web Authorization Protocol (OAUTH) WG developed a protocol suite that allows a user to grant a third-party website or application access to the user’s protected resources, without necessarily revealing their long-term credentials, or even their identity. It also developed security schemes for presenting authorisation tokens to access a protected resource.

The ongoing standardisation effort within the OAUTH Working Group is focusing on enhancing interoperability of OAUTH deployments.

The Public Notary Transparency (TRANS) WG develops a standards-track specification of the Certificate Transparency protocol (RFC 6962) that allows detection of the mis-issuance of certificates issued by CAs, or via ad-hoc mapping, by maintaining cryptographically verifiable audit logs.

The Automated Certificate Management Environment (ACME) WG specifies conventions for automated X.509 certificate management, including validation of control over an identifier, certificate issuance, certificate renewal, and certificate revocation. The initial focus of the ACME WG is on domain name certificates (as used by web servers), but other uses of certificates can be considered as work progresses.

https://trac.ietf.org/trac/iab/wiki/Multi-Stake-Holder-Platform#eIdenti…

W3C

Verifiable Credentials provide a mechanism to express credentials, e.g. driving licenses, on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable. Currently, the following Specifications and Notes have already been issued:

Decentralized Identifiers (DIDs) are a new type of identifier that enables verifiable, decentralized digital identity. A DID refers to any subject (e.g., a person, organization, thing, data model, abstract entity, etc.) as determined by the controller of the DID. In contrast to typical federated identifiers, DIDs have been designed so that they may be decoupled from centralized registries, identity providers, and certificate authorities:

Web Authentication defines an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications, for the purpose of strongly authenticating users. The current work is on Web Authentication: An API for accessing Public Key Credentials - Level 3: https://www.w3.org/TR/webauthn-3/

Web payments: An important goal of Secure Payment Confirmation (SPC) is to streamline strong customer authentication (SCA). One way to reduce friction is to allow many authentications for a given registration. In other words, ideally the user registers once and can then authenticate “everywhere” (consistent with the policies of the relying party; they have to opt-in). The following Specifications are relevant:

Work on Social Networking includes identity schemes that can play a role:

The Web Crypto API describes a JavaScript API for performing basic cryptographic operations in web applications, such as hashing, signature generation and verification, and encryption and decryption: https://www.w3.org/TR/WebCryptoAPI/ See also the note on use cases, http://www.w3.org/TR/webcrypto-usecases/, narrowing the scope of the Web Crypto API.

Identity for WebRTC 1.0 defines a set of ECMAScript APIs in WebIDL to allow an application using WebRTC to assert an identity, and to mark media streams as only viewable by another identity. This specification is being developed in conjunction with a protocol specification developed by the IETF RTCWEB group. https://www.w3.org/TR/webrtc-identity/

IEEE

IEEE has standards and pre-standards activities relevant to Electronic Identification and Trust Services, including those dealing with blockchain technology, authentication, and biometric identification. These include:

  • IEEE P2049.3, Standard for Human Augmentation: Identity
  • IEEE 2410-2019, IEEE Standard for Biometric Open Protocol
  • IEEE P2733, Standard for Clinical Internet of Things (IoT) Data and Device Interoperability with TIPPSS - Trust, Identity, Privacy, Protection, Safety, Security
  • IEEE P2790, Standard for Biometric Liveness Detection
  • IEEE P2799, Standard for Confirming and Conveying Identity Over the Internet
  • IEEE P2989, Standard for Authentication in Multi-Server Environment
  • IEEE P3210, Standard for Blockchain-based Digital Identity System Framework

There are also several pre-standards activities looking at digital identity, including guidelines for the provision and use of digital identities for digital resilience.

For more information, see: https://ieeesa.io/rp-eidentification.

(C.2) Other activities related to standardisation

Related important projects ordered by date:

  • 2023-08-23 OntoChain https://ontochain.ngi.eu
    OntoChain aims to enable trustworthy transactions of services and content. The project defines innovative decentralised reputation models that reveal the hidden quality/types of services and the credibility of data sources, keeping a balance between privacy and trust.
  • 2022-10-31 eSSIF-Lab https://essif-lab.eu
    Self-sovereign identity (SSI) supports identity management in a safe and reliable internet, allowing secure transactions and eliminating logins. SSI aims to empower EU organisations to make secure and innovative transactions with stakeholders, saving billions of euro on administrative expenses.
  • 2020-12-31 AMBER https://www.amber-biometrics.eu
    AMBER addresses issues facing biometric solutions on mobile devices and develops solutions and theory to ensure secure, ubiquitous and efficient authentication whilst protecting the privacy of citizens.
  • 2020-08-31 SMOWL https://smowl.net/en/
    SMOWL is a practical and reliable solution for online user identification and monitoring. It consists of a new cyber-security service covering the need for continuous, automatic and scalable authentication and monitoring of an online user’s identity.
  • 2020-03-31 Smart-Trust https://web.archive.org/web/20201230011033/https://smart-trust.eu/
    Smart-Trust introduces a new technological enabler for Mobile ID which drastically increases the reliability and trust levels of identity verification at European borders, thus increasing the security of Member States.
  • 2019-12-31 DECODE https://decodeproject.eu
    DECODE provides tools that put individuals in control of whether they keep their personal information private or share it for the public good.
  • 2019-02-28 ARIES - A ReliAble euRopean Identity EcoSystem https://www.aries-project.eu/
    ARIES aims to set up a reliable identity ecosystem combining mature technologies for a high level of assurance, such as biometrics or the use of secure elements, with innovative credential derivation mechanisms.
  • 2018-12-31 SAFEcrypto https://www.safecrypto.eu
    SAFEcrypto will provide a new generation of practical, robust and physically secure post-quantum cryptographic solutions that ensure long-term security for future ICT systems, services and applications. Novel public-key cryptographic schemes (digital signatures, authentication, public-key encryption, identity-based encryption) will be developed using lattice problems as the source of computational hardness.
  • 2018-09-30 CREDENTIAL - Secure Cloud Identity Wallet https://credential.eu
    The goal of CREDENTIAL is to develop, test and showcase innovative cloud-based services for storing, managing, and sharing digital identity information and other critical personal data.
  • 2018-04-30 ReCRED http://www.recred.eu
    ReCRED’s ultimate goal is to promote the user’s personal mobile device to the role of a unified authentication and authorization proxy towards the digital world.