Sightseeing the “eIDAS-Ecosystem”

The “Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC”, which is commonly known as the “eIDAS Regulation”, is expected to boost trust and efficiency for electronic transactions across Europe and beyond. In this post, we briefly recall what the eIDAS-Regulation is about, invite you to follow us and climb up to a “virtual viewpoint” from which the major parts and services of the “eIDAS-Ecosystem” and their interrelationship become visible, so that you can explore the currently available trust services using the interactive eIDAS-Map and see the overall potential and your individual benefits introduced by this regulation.

The “eIDAS-Ecosystem” at a glance

As shown in the figure, the “eIDAS-Ecosystem” is populated by “Users”, which use some kind of “eIDAS-based Transaction Services”. These Transaction Services in turn may use a variety of “eIDAS Services”, for which the trust is maintained by the “eIDAS Trust System”.

The “eIDAS Trust System”, which deserves a specific treatment in a forthcoming post because of its sophisticated structure, provides the trustworthy foundation for the entire “eIDAS-Ecosystem” by an appropriate combination of measures including accreditation, conformity assessment, supervision and incident handling.

While the realm of “eIDAS-based Transaction Services” is also sufficiently rich to be subject of additional posts, we will introduce and explain the set of “eIDAS Services” in the following, as these services provide the functional core of the “eIDAS-Ecosystem”.

The “eIDAS Services” comprise the “eID-Service” for electronic identification regulated by Chapter II and a variety of “Trust Services” according to Article 3 (16) and regulated by Chapter III of the eIDAS-Regulation. These services in particular comprise

  • the “Signature Generation & Sealing Service” (SigS),
  • the “Validation Service” (ValS),
  • the “Preservation Service” (PresS),
  • the “Electronic Delivery Service” (EDS) and the already widely implemented classical trust services, such as
  • the “Time Stamp Authority” (TSA) and last but not least
  • the “Certification Authority” (CA).

eID-Service

The “eID-Service” provides services for the secure electronic identification and authentication of Users and legal persons. The employed means and services for electronic identification and authentication comprise electronic identification schemes, which have been notified according to Article 9 as well as other schemes. As specified in Article 8 of the eIDAS-Regulation and the related implementing act CIR (EU) 2015/1502, the trustworthiness of an electronic identification scheme and the identification means deployed within, is reflected in its level of assurance. The specified assurance levels range from “low” over “substantial” to “high”. Notified eID schemes which provide at least a substantial level of assurance will be mutually recognized in cross-border transactions according to Article 6 of the eIDAS-Regulation.

Certification Authority (CA)

A Certification Authority (CA) generates electronic certificates and issues them to Users or other entities, commonly called the Subject of a certificate. This may happen directly, via the “eIDAS-based Transaction Service” or the “Signature & Seal Generation Service” (SigS). The SigS interacts with the CA-system, performs an appropriate identification of the Subject and validates the provided identity attributes, which are combined with a public key and are signed by the CA to create the certificate.

Time Stamping Authority (TSA)

Proving the existence of a given set of digital data at a given time is a fundamental requirement in many electronic transactions, which involve electronic signatures, aspects of digital rights management, electronic contracts or require accountability for example. For this purpose, a Time Stamping Authority (TSA) receives the data, which need to be time stamped, or a hash thereof, and returns a time stamp token, which is signed by the TSA.

Signature Generation & Sealing Service (SigS)

The Signature Generation & Sealing Service (SigS) allows to generate (qualified) electronic signatures according to Section 4 and (qualified) electronic seals according to Section 5 of the eIDAS-Regulation in technical formats such as CAdES, XAdES and PAdES for example.

Validation Service (ValS)

The (qualified) electronic signatures and seals generated with the SigS above can be validated with the Validation Service (ValS). The ValS uses the certificates contained in the Trusted Lists according to Article 22 of the eIDAS-Regulation, the corresponding implementing act CID (EU) 2015/1506 and ETSI TS 119 162(v2.1.1) as trust anchors and performs a signature validation according to EN 319 102-1 using an appropriate validation policy.

Preservation Service (PresS)

The long term retention of signed documents requires a form of safekeeping that ensures the legibility and conclusiveness regardless of the storage medium. In order to ensure the legal validity of electronic signatures and electronic seals over long periods of time one needs to apply appropriate preservation techniques as outlined in ETSI SR 019 510.

The preservation techniques realised by a Preservation Service (PresS) according to Article 34 may involve Evidence Records according to RFC 4998 or RFC 6283 or the continuous augmentation of signatures using archive time stamps according to CAdES or XAdES for example.

Electronic Delivery Service (EDS)

In a paper-based world, the only way to know that a letter indeed has reached the addressee is to send it by registered mail. This is a service offered by the mail service providers. The sender writes down his/her statements on a sheet and puts it into a closed envelope, which is marked with the coordinates of the addressee and sends it by mail. The accountability, confidentiality and integrity of the letter are primarily assured by the author, while the mail service providers primarily warrant availability and correct delivery.

According to Article 44 of the eIDAS-Regulation “qualified electronic registered delivery services shall meet the following requirements:

  • they are provided by one or more qualified trust service provider(s);
  • they ensure with a high level of confidence the identification of the sender;
  • they ensure the identification of the addressee before the delivery of the data;
  • the sending and receiving of data is secured by an advanced electronic signature or an advanced electronic seal of a qualified trust service provider in such a manner as to preclude the possibility of the data being changed undetectably;
  • any change of the data needed for the purpose of sending or receiving the data is clearly indicated to the sender and addressee of the data;
  • the date and time of sending, receiving and any change of data are indicated by a qualified electronic time stamp.”

Given these requirements it is obvious that the EDS needs to utilise a variety of other eIDAS Services such as the eID-Service, the SigS, the TSA, the ValS and the certificate status information provided by the CA.

Exploring the overall potential of eIDAS using the interactive eIDAS-Map

The EDS is a nice example that several basic “eIDAS Services” may be combined to form more comprehensive “eIDAS Services” or “eIDAS-based Transaction Services”, which address application-specific needs. A key aspect of the eIDAS-Regulation is that it harmonises the requirements for electronic identification and trust services across Europe and defines the EU-wide legal effect of notified electronic identification means (cf. Article 6), electronic signatures (cf. Article 25), electronic seals (cf. Article 35), time stamps (cf. Article 41), electronic delivery services (cf. Article 43) and last but not least electronic documents (cf. Article 46).

This means that providers and consumers of services may choose among the large number of qualified trust service providers, which are currently active in the European market as exposed by the interactive eIDAS-TSP-Map released today. This map provides an up-to-date overview of the currently existing trust service providers and trust services across Europe.

The individual benefits of the eIDAS-Regulation – What’s in for you?

What kind of benefits the eIDAS-Regulation provides for you depends on your specific role within the “eIDAS-Ecosystem”. The benefit for providers of “eIDAS Services” is that they now can provide and sell their services across Europe, which gives rise to interesting new market opportunities. The benefit for Users is that they may now use a variety of trust services, with well-defined trustworthiness and legal effect. The probably biggest potential benefit of the eIDAS-Regulation however exists for the emerging “eIDAS-based Transaction Services”, which will be subject of a forthcoming post.

Acknowledgement

We gratefully acknowledge that this post is based on contents developed in the FutureTrust project, which has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 700542.