Welcome to the Future of Trust

Even before the Regulation (EU) No. 910/2014 on electronic identification (eID) and trusted services for electronic transactions in the internal market (eIDAS) became fully applicable on 1st of July 2016, a pan-European team of experts led by the Ruhr University Bochum and ecsec GmbH had joined forces in the EU-funded FutureTrust project to facilitate the provision and use of eID and trust services. In more than three years of intensive research and development, the FutureTrust project has produced numerous remarkable innovations, which are now being made available to the general public and outlined in the present blog post.

 

Overview of the FutureTrust System Architecture

Overview of the FutureTrust System Architecture

As shown in the above figure, the FutureTrust project addresses large parts of the eIDAS-Ecosystem and integrates various FutureTrust Services and FutureTrust Pilot Applications as well as the “Global Trust List”, which provides information related to trust service providers across the European Member States and beyond.

There are the following basic FutureTrust Service

  • Pan-European eID-Broker (eID-Broker, eID),
  • Signature Generation & Sealing Service (SigS),
  • Validation Service (ValS),
  • Preservation Service (PresS),

and the following FutureTrust Pilot Applications

  • a Portuguese service for electronic SEPA eMandates (eMandate),
  • an Austrian service for electronic invoices (eInvoice),
  • a Georgian service for electronic Apostilles (eApostille) and
  • the German eIDAS-Portal, which allows to enrol for certificates after an eID-based identification.

Background, Motivation and Problems – as well as solutions provided by FutureTrust!

As shown in the figure below, there are currently[1] around 200 Qualified Trust Service Providers (QTSP) in Europe issuing qualified certificates for electronic signatures, as well as around 100 providers of qualified time stamps.

 

Trust Service Providers

Hence, the eIDAS-Ecosystem is, with respect to these basic trust services, which already existed before the eIDAS-Regulation entered into force, fairly well developed. Similarly, there also exist a significant number of European providers of qualified certificates for issuing electronic seals (93) or website authentication (41). The development of the market seems to be on the right track here. On the other hand, there are very few providers of qualified validation (13), preservation (10 or 11) or electronic registered delivery service (15) so far. Furthermore the very promising option for issuing qualified certificates based on electronic identification (see Art. 24 (1) (b) of the eIDAS-Regulation) – especially in combination with remote signatures – does not yet seem to be practically implemented and available in the market.

Expecting this foreseeable development, the FutureTrust project has built upon experiences and previous work from pertinent projects (e.g. STORK, STORK 2.0, FutureID, e-SENS, SD-DSS, Open eCard, OpenPEPPOL and SkIDentity) in order to close the existing gaps as far as possible by adressing the following problems (P1-P6) and provide tailormade solutions (->):

  • No Open Source Validation Service -> The FutureTrust Validation Service (ValS)
  • No standardised Preservation Service -> The FutureTrust Preservation Service (PresS)
  • No eID-based certificate enrolment -> The eIDAS-Portal of the German Universities
  • No universal signature and seal creation service -> The FutureTrust Signature Generation & Sealing Service (SigS)
  • Cross-border and non-European transactions are challenging -> The pan-European eID-Broker
  • Demand for fundamental research in the area of security, trust and reliability

P1. No Open Source Validation Service -> The FutureTrust Validation Service (ValS)

Many currently available components for validating electronic signatures and seals are

  • limited to specific document and signature formats (e.g. the freely available Adobe Reader only supports the validation of electronic signatures and seals in the PAdES format according to ETSI EN 319 142),
  • have been shown to be vulnerable and / or
  • are proprietary components, for which the sources are not publicly available

and hence the trustworthiness of a specific validation result is very difficult to assess.

Furthermore, as shown in the figure above, there are currently very few qualified validation service for qualified electronic signatures or seals available in Europe.

Against this background, the FutureTrust project has developed a comprehensive Validation Service (ValS), which supports advanced electronic signatures and seals (AdES) as well as related signature objects including X.509 certificates or Evidence Records based on configurable “Signature Validation Policies” and returns the validation result in a machine-readable XML or JSON based validation report (cf. ETSI TS 119 102-2 and OASIS DSS v1.0 Comprehensive Multi-Signature Verification Report Profile).

Format

Standard

Description

CAdES

ETSI EN 319 122

ASN.1-based digital signature based on the “Cryptographic Message Syntax

XAdES

ETSI EN 319 132

XML-based digital signature based on the “XML Digital signature

PAdES

ETSI EN 319 142

PDF document with embedded CAdES signature

JWS

RFC 7515

JSON-based digital signature for web applications, in the future also JAdES

X.509

X.509

Allows to check the status and trustworthiness of an X.509 certificate (see also RFC 5280) based on a suitable Trusted List.

ERS

RFC 4998

Evidence Records, which allow to produce efficient proofs of existence.

More details with respect to the FutureTrust Validation Service (ValS), which will soon be provided as Open Source, will be provided in a forthcoming blog post.

P2. No standardised Preservation Service -> The FutureTrust Preservation Service (PresS)

The well-known fact that signed objects lose their evidential value, if cryptographic algorithms become weak, induces major challenges for applications, which require maintaining the integrity and authenticity of signed data for long periods of time – or even for eternity. While the Technical Guideline BSI TR-03125 (TR-ESOR) had specified components for the preservation of evidence before the advent of FutureTrust, the corresponding ETSI standards for preservation services, such as ETSI TS 119 511 and ETSI TS 119 512 only appeared recently.

Against this background, selected experts from the FutureTrust team have been actively involved in the preservation-related standardisation work within OASIS DSS-X and ETSI ESI such that FutureTrust project has been able to provide a reference implementation of selected preservation schemes from the new preservation standards.

More details with respect to the FutureTrust Preservation Service (PresS) will be provided in a forthcoming blog post.

P3. No eID-based certificate enrolment -> The eIDAS-Portal of the German Universities

Before a qualified trust service provider can issue a qualified certificate to a natural or legal person, it is obliged (see Art. 24 (1) of the eIDAS-Regulation) to verify the identity and, if applicable, any specific attributes of the certificate subject. Furthermore, there are similar requirements for non-qualified certificates, which are issued within the Public-Key Infrastructure of the German Research Network (Deutsches Forschungsnetz, DFN-PKI), which is audited against ETSI EN 319 411-1, and which can be used for electronic signatures, email encryption, authentication or website authentication. In addition to the classical way to perform the identity verification while the subject is physically present (Art. 24 (1) a)), the eIDAS-Regulation also allows to perform the identification remotely using appropriate electronic identification (eID) means (Art. 24 (1) b)), by using qualified signatures or seals (Art. 24 (1) c)) or other identification methods recognised at national level (Art. 24 (1) d)), if they provide equivalent assurance. While the growing number of notified eID schemes and the availability of the pan-European eID-Broker infrastructures strongly suggest to use eID means for the identity verification during certificate enrolment, this option does not seem to be available in practice yet. Against this background, the FutureTrust project has designed and implemented a smart eID-based system for certificate enrolment, which allows to combine University-specific credentials with eID-based identity verification in order to end up with a completely electronic process for certificate enrolment within the DFN-PKI.

More details with respect to this novel certificate enrolment system, which is referred to as the “eIDAS-Portal” of the German Universities, which are participating in FutureTrust, will be subject of a forthcoming blog post.

P4. No universal signature creation service -> The FutureTrust Signature Generation & Sealing Service (SigS)

Even if certificates are already issued, this does not mean that these certificates can easily be used to create signatures or seals in web applications. A universal service for using arbitrary smart card- or remote signature-based certificates of different providers does not seem to exist so far. Through the development of the ChipGateway-protocol by ecsec GmbH and LuxTrust S.A. and the extension and adaptation of the protocol and architecture to support the special features of the German eID card, as well as the latest standards developed by OASIS DSS-X and ETSI ESI, the FutureTrust project has provided a solid corner stone for the envisioned universal signature creation service.

More details with respect to the FutureTrust Signature Generation & Sealing Service (SigS) as well as the related standards produced by OASIS and ETSI will subject of a forthcoming blog post.

P5. Cross-border and non-European transactions are challenging -> The pan-European eID-Broker

Chapter II of the eIDAS-Regulation, which deals with eID systems, aims at creating a standardised interoperability framework with well-defined processes, security levels, minimum requirements and interfaces, but does not intend to harmonise the respective national eID systems. In doing so, the EU Member States can notify their national eID scheme, such that the corresponding eID means will be recognised across Europe for a certain level of assurance, after a careful assessment (“peer review”) has been conducted and the formal notification procedure has concluded with a publication in the Official Journal of the European Union (see 2019/C 150/06 for example). For the technical implementation of the eID interoperability framework, so-called „eIDAS-Nodes“ are provided, which take care about cross-border processes between the application services and the identification services. So far, the envisioned „eIDAS-Nodes“ are not completely available in production yet and the focus of the “eIDAS-Cooperation Network” is limited to EU Member States and countries in the European Economic Area.

Against this background, the FutureTrust project has built upon previous work from pertinent projects, such as FutureID and SkIDentity in order to develop a smart pan-European eID-Broker, which is protected by the European patents EP2439900 and EP2919145, supports a plenty of standards as well as notified eID means from Germany, Estonia, Luxembourg, Belgium and Portugal and is subject of a forthcoming blog post.

While cross-border identification within Europe is often not easy in practice, the electronic processing of transactions with non-European partners poses additional challenges related to data protection specifics in case of transferring personal data to third countries (cf. GDPR, chapter 5) and missing international agreements for mutual recognition of trust services according to Article 14 of the eIDAS-Regulation. Unfortunately, there is no global legislation comparable to the eIDAS-Regulation, which made it necessary in FutureTrust to conduct fundamental research in the area of legal, organisational and technical aspects, which are reflected in relevant academic publications and the prototype of a “Global Trust List” (gTSL). The gTSL is an Open Source component for the trusted management of trust lists according to ETSI TS 119 612, which can be deployed with the other FutureTrust services or as standalone service and which will be subject of a forthcoming blog post.

P6. Fundamental research demand in the area of security, trust and trustworthiness

Conducting security research regularly points out new security problems and vulnerabilities, and with respect to the central concepts of “Trust” and “Trustworthiness”, there does not even seem to be well-founded and generally accepted definitions – not to talk about globally accepted graded minimum requirements. Therefore, it was necessary to scientifically discuss and analyse these fundamental aspects of „Trust“ and „Trustworthiness“ within the FutureTrust project, before formal models were developed, which describe comprehensive “Trust Models”, which finally formed the basis for the objective comparison of trustworthiness of various identification and trust services.

Summary, Acknowledgement and Outlook

The present blog post provided a compact overview of the main problems addressed and solved within the FutureTrust project, which started on 1st of June 2016 and has received funding by the European Commission within the EU Framework Programme for Research and Innovation (Horizon 2020) under the Grant Agreement No. 700542.

As explained throughout this article, the FutureTrust project has conducted fundamental research with respect to the foundations of trust and trustworthiness, has actively supported the standardization process in relevant areas, and has developed numerous services, which ease the use of eID and electronic signature technology in real world applications by addressing the problems outlined above.

The practical applicability of the concepts and software components has been demonstrated in several pilot applications, such as a Portuguese service for electronic SEPA eMandates, an Austrian service for electronic invoices (eInvoice), a Georgian service for electronic Apostilles (eApostille) and last but not least the German eIDAS-Portal, which allows to enrol for certificates after an eID-based identification.

The FutureTrust Services and the FutureTrust Applications are now being made available to the general public step by step and interested parties are encouraged to get in touch with the FutureTrust experts to talk about tailormade solutions and individual needs.

[1] Comparing the current figures (July 2019) with the figures from a recent German article, which has appeared in DuD 2019/04, shows that the number of qualified trust service providers is slightly growing.

SkIDentity certified by BSI according to ISO 27001 and by TÜViT according to Trusted Cloud Privacy Profile

ecsec GmbH today has received the certificate according to the “Trusted Cloud Privacy Profile for Cloud Services” (TCDP), issued by the certification body of TÜV Informationstechnik GmbH (TÜViT), for the highest protection class III. Furthermore the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has certified the “Secure Cloud Infrastructure (SkIDentity)” in accordance with ISO 27001 based on IT Baseline Protection (BSI-IGZ-250).

Privacy and data security as foundation for successful digital transformation

At today’s closing ceremony of the pilot project “Data Protection Certification for Cloud Services” not only the remarkable project results including the catalogue of evaluation criteria based on ISO/IEC 27002 and ISO/IEC 27018 were presented, but also the certificate for SkIDentity according to the “Trusted Cloud Privacy Profile for Cloud Services” issued by the certification body of TÜV Informationstechnik GmbH (TÜViT) has awarded to ecsec GmbH. As it has been demonstrated within the evaluation and certification procedure, the SkIDentity Service fulfils the demanding requirements for the highest protection class III and hence it may be used for processing particularly sensitive data in a legally compliant manner.

SkIDentity technology is now not only distinguished, but also certified

The multiple award-winning¹ SkIDentity Service (https://skidentity.com) was developed in the scope of the “Trusted Cloud” initiative supported by the German government. Using SkIDentity, electronic identity documents (eID), such as the German electronic identity card “Personalausweis”, can be easily used in cloud and web applications. SkIDentity in particular allows to derive cryptographically protected “Cloud Identities” from any eID document, which can be transmitted to any smartphone and used there for the strong pseudonymous authentication or a self-determined identity proofing in the cloud. Thanks to SkIDentity, no passwords need to be stored in web applications and therefore there is no risk that they could be stolen or misused.

As shown in the certificate (BSI-IGZ-250) issued by the Federal Office for Information Security, the scope of the security assessment and certification according to ISO 27001 based on IT Baseline Protection did not only comprise the identity management service of SkIDentity, but the full blown “Secure Cloud Infrastructure (SkIDentity)”, which can be used for highly reliable operation of other cloud and web applications. “The processing of sensitive data in cloud services requires high security standards. A transparent proof of the correct implementation of an appropriate security concept can only be provided within an independent certification procedure,” adds Bernd Kowalski, Head of Department in the Federal Office for Information Security. “Within the certification of SkIDentity it was shown that even the demanding requirements associated with the use of the German electronic identity card in cloud services, can be proved to be satisfied via an ISO 27001 certification based on IT Baseline Protection.”

¹ See https://www.skidentity.com/en/awards/ .

SkIDentity uses certified Open eCard App

[Michelau, January 12th 2016] SkIDentity uses the new version of the Open eCard App, which has recently be certified by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) according to its technical guideline BSI TR-03124 (eID-Client). The certificate, which has been awarded the very first time to an Open Source component and without any failures in the conformity report, is valid until December 8th 2020 and enables the trustworthy use of electronic identity (eID) cards and other smart cards in SkIDentity with Linux, Mac OS and Windows.

Platform-independent and lightweight eID-Client for SkIDentity

Thanks to the constructive cooperation of industrial and academic experts within the Open eCard project, a lightweight and platform-independent Open Source implementation of the “eCard-API-Framework” according to BSI TR-03112 was created, which supports various smart cards for electronic identity, health, signatures and banking from Germany, Austria, Estonia and Belgium for example. Based on this framework a user-friendly eID-Client according to BSI TR-03124 – also known as the “Open eCard App” – was created, which now has been certified by the BSI. Because of the modular architecture based on the international standard ISO/IEC 24727, the Open eCard App can easily be extended and smoothly integrated into modern web applications such as SkIDentity.

With continuous improvement and strict Quality Management to the BSI TR-03124 certificate without conformity failures

To ensure the conformity to the relevant technical specifications of the BSI and a high level of quality, the Bavarian State Ministry of Finance started the certification process according to BSI TR-03124 for the Open eCard App in 2014. Thanks to continuous improvement and a strict Quality Management system based on international standards such as ISO/IEC 9001 and ISO/IEC 90003 and utilizing the Open Source eID-Client-Testbed of the BSI, the current version 1.2 of the Open eCard App now has been formally certified by the BSI. Note, that it is the first time ever that an Open Source eID-Client received a certificate according to
BSI TR-03124. „We are particularly proud of the fact, that the test report shows that there are no conformity failures, „Open eCard Project Maintainer“ Tobias Wich complements. „On the one hand this underlines the high quality of the Open eCard software and on the other hand it creates further trust and confidence for the German eID card and similar smart cards.“

„As shown by the example of ‚SkIDentity‘, the secure, extensible and user-friendly Open eCard App has already several times formed the basis of distinguished and awarded systems solutions“, replenished Dr. Detlef Hühnlein, CEO of ecsec GmbH and head of the SkIDentity project. „We are delighted, that a first result of our work now is not only awarded, but also certified.“