European electronic identity and trust services

EU-identity, authentication, signature and trust services

A short YouTube introduction (2014). As identity, authentication, signature and trust services are rolled out as part of the Connecting Europe Facility (CEF), relevant information can be found at the CEF wiki and at the eIDAS Observatory.

EU legislation and political setting

EU legislation

All EU legislation is available from the EU Official Journal. Since 1 July 2013 the electronic edition of the OJ (e-OJ) is authentic and produces legal effects, pursuant to Regulation 216/2013. The e-OJ bears an advanced electronic signature to ensure its authenticity, integrity and inalterability. This electronic signature can be verified using CheckLex.

An overview of key legislation in the field of identity and related trust services (both eIDAS and Schengen related) can be found here.

Political setting - DSM - the Digital Single Market

The EC Treaty establishes the freedom of establishment and the freedom to provide services. More particularly, the Services Directive (to be implemented by the end of 2009, including its provisions on completing procedures remotely and by electronic means) promotes an EU in which governmental and business functions are facilitated by the use of ICT.

eGovernment is instrumental in supporting the single market, and the Council Conclusions on eGovernment (20 Nov. 2003, 14671/03) underline the importance of interoperability as a political priority.

While there was an e-signature directive, there was no e-identity directive, because identity is considered by the Treaty to be a Member State matter. Widely diverging approaches have been adopted across the Member States for national e-identity (NeID), and as a consequence the current NeIDs are not interoperable. Many organisations already have an identity solution in place, which is in the best case a stable foundation, but which will require technical evolution to cope with the requirements of the single market. Legal interoperability and certainty were created by the eSignature Directive 1999/93/EC, since replaced by Regulation (EU) No 910/2014. Technical interoperability was established via STORK, STORK 2 and e-SENS.

Also, the EC supported other LSP (Large Scale Pilot) projects, often reliant upon electronic identity and signatures:

In 2012, the proposed regulation for electronic trust services (COM(2012) 238) proposed a framework including notified identities. In 2013, e-SENS (“Electronic Simple European Networked Services”) was launched as a new LSP within the ICT Policy Support Programme (ICT PSP), under the Competitiveness and Innovation Framework Programme (CIP). e-SENS developed an infrastructure for interoperable public services in Europe.

Cooperation network

  • CEF eID community and cooperation network
  • CEF overview of cooperation network and documents
  • eIDAS

    In 2014, Regulation (EU) No 910/2014 was adopted by Parliament and Council as the eIDAS regulation; it entered into force in September 2014 and most of its provisions apply from 1 July 2016. Under eIDAS, a Member State: In December 2016, Spain was the first country to complete CEF eID conformity testing. In February 2017, Germany was the first country to notify the EC that it intended to offer eIDAS-compliant cross-border eID services.

    EU Citizens' perspective

    EU-wide identity and authentication has traditionally been addressed by the Member States. Some countries have a central national register of citizens and issue an ID card, which in some countries contains electronic functionality. Such an electronic ID card may include an electronic signature function. Some countries prefer to use the driving licence as ID, complemented by a card for those who don't drive. An identity card typically serves the purpose of allowing the holder to demonstrate his/her identity, and it usually also acts as a travel document; as a travel document, it is not as widely accepted as a passport. The security of travel documents and passports issued by Member States is defined in Council Regulation (EC) No 2252/2004 on standards for security features and biometrics in passports and travel documents issued by Member States. It has been amended by a Commission Decision of 18 June 2006. The PRADO website (Public Register of Authentic travel and identity Documents Online) of the Council of the European Union gives a good overview. FADO (False and Authentic Documents Online) is similar but not publicly accessible.

    e-Signature Directive

    In 1999, Directive 1999/93/EC introduced electronic signatures but did not specify how the signatory's identity is established, since identity was the competence of the Member States rather than of the Commission. The e-Signature Directive introduced legal equivalence between handwritten and electronic signatures of natural persons, on the condition that certain requirements were met (an advanced electronic signature based on a qualified certificate and created by a secure signature creation device). CEN TC 224 defined technical standards for the ECC (European Citizen Card, CEN TS 15480), but its uptake was limited.

    In 2009, under the Services Directive, Commission Decision 2009/767/EC set out measures to facilitate the use of electronic procedures through the 'points of single contact'. To enhance cross-border use of electronic signatures, this included the obligation for Member States to establish and publish their Trusted List of supervised/accredited certification service providers issuing qualified certificates to the public; they may also list other certification service providers. To facilitate access to the trusted lists of all Member States, the EC publishes the 'list of trusted lists' (LOTL) with links to the national trusted lists.

    IAS study for a successor to the e-Signature Directive

    The European Commission launched the Identification, Authentication and Signature (IAS) feasibility study in 2011. The project was executed by a Consortium in which I took part. Deliverables and background information are available on the IAS project website. The official deliverable is available since September 2013 on the digital agenda website. In parallel to the IAS study, many projects further advanced IAS, including STORK/STORK2, DSS and PEPPOL.

    Proposal for a successor to the e-Signature Directive

    In 2012 a new approach was formalised in the Commission's proposal COM(2012) 238, which included two main pillars: identity/authentication and signatures/related services. While a European Citizen Card sounds promising from a technical perspective, the diverging approaches of the Member States led to a voluntary notification scheme in the proposal.

    eIDAS Regulation on electronic IDentity, Authentication, Signatures and related trust services

    In the context of the Digital Agenda, the proposal was further adapted and in August 2014 the eIDAS regulation was published in the OJ. It is referred to as "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". It can be found in OJ L 257 of 28 Aug 2014. The regulation significantly expanded the scope of its predecessor by introducing a formal pillar that addresses electronic identity/authentication. Furthermore, electronic signatures for legal persons (e-seals) were introduced, and a range of trust services well beyond electronic signature. The 'list of trusted lists' (LOTL), in the technical format defined in ETSI TS 102 231 (replaced by ETSI TS 119 612 in 2013), is continued. It can be observed that while the objective of the trusted lists is supporting e-signature validation policies, they also provide a degree of information on the signatory's identity.

    eIDAS as influencer

    eIDAS plays a role in, among others:

    eIDAS Token

    In April 2014, the eIDAS token specification was published by the German and French IT security agencies BSI and ANSSI, supported by European industry partners. It allows the development of token-based solutions for electronic identification, authentication and signatures that are directly interoperable, without the need of translation via proxies. Example implementations are the German ID card or the German Residence Permit.

    EU eID

    The EC launched a roadmap for the future of eIDAS. Public consultation, resulting in feedback.

    Electronic Identity and Authentication - STORK/STORK2/eSENS

    Basics

    The aim of the STORK (Secure idenTity acrOss boRders linKed) project was to establish a European eID interoperability platform to facilitate citizens' e-relations across borders, relying on their national eID. It should be seen against a background where many Member States have an established NeID solution, which are however not necessarily interoperable or technically compatible. STORK ran from 2008 until 2011. It included six pilots:

    The aim of STORK2 is to further enable the Digital Single Market, facilitate cross border eGovernment applications and reduce administrative burdens for companies and individuals wishing to perform services across borders. It ran from 2012 to 2015. After STORK2, the eSENS project continued the elaboration and deployment of eIDAS building blocks.

    STORK and STORK 2

    STORK aimed at demonstrating the possibility of an EU-wide interoperable e-identity and access mechanism. As such, STORK is the common ground for other EU pilots, such as PEPPOL (e-procurement).

    STORK was a 3 year project to develop and test common specifications for secure interoperability and mutual recognition of NeID between participating countries. Given the different solutions chosen by the MS when implementing their NeIDs, this is indeed a challenge.

    STORK proposed to combine trusted ‘proxy servers’ with ‘client and server middleware’, making use of current de-facto standard protocols such as SAML.

    Integration of STORK solutions with existing IAM platforms demonstrated benefits for multiple categories, namely users, application owners and IT departments. STORK 2 is the successor to STORK, further elaborating the original ideas into pilots addressing:

    STORK architecture

    STORK defined an interoperability architecture that can be instantiated in two different ways: a centralised implementation with PEPS (Pan-European Proxy Servers), and a decentralised implementation with middleware. A majority of countries selected the PEPS implementation, while Germany and Austria opted for the MW model. In the PEPS model, a user connects to a cross-border Service Provider (SP), which forwards the authentication query to a PEPS (since the user is registered in a country other than the SP's). Germany and Austria, however, established a model where middleware, which has to reside on the citizen's platform, takes care of this forwarding. This created a common model with four architectural elements: Middleware may also be implemented on the server side (then it's called SPWare) and marshalled to the citizen's platform at execution time. By implementing middleware on a PEPS server, a V-IdP (virtual IdP) is created.

    Successor to the STORK architecture

    Under the CEF programme, the eIDAS-Node software was created and published as open source, specified as an eIDAS node profile, consisting of: The eIDAS node must contain a connector, which is mandatory for mutual recognition. The connector gives service providers in its own Member State access to the notified eID schemes of other Member States. The eIDAS node may optionally contain a proxy service, which provides access to the Member State's own eID services in case those were notified.

    From STORK/STORK2 to eSENS (Electronic Simple European Networked Services)

    The e-SENS project is the continuation of the LSPs and, among other things, provides a migration path from STORK to eIDAS. It is coordinated by the Ministry of Justice of North Rhine-Westphalia, Germany. At the University of Piraeus there is a wiki about the implementation.

    Commission Implementing Regulation (EU) 2015/1501 (CIR 2015/1501) was created as the technical specification for eIDAS interoperability. Within e-SENS an eIDAS profile has been defined, and a sample implementation of an eIDAS node was created as a CEF building block. The goal was to ensure cross-border recognition and e-identification validation that meets the requirements set for eGovernment applications.

    The 'eIDAS-Network' consists of eIDAS-Nodes, which can either request (via an eIDAS-Connector) or provide (via an eIDAS-Service) a cross-border authentication. In the case of the eIDAS-Service node, this may be operated in two different ways: Furthermore, e-SENS created an adaptor to achieve interoperability of existing STORK infrastructure with eIDAS nodes. This enables countries whose STORK 2.0 infrastructure is still linked to their eID services to connect to the eIDAS network. The adaptor consists of a regular eIDAS node and a plugin that converts authentication requests and responses in both directions between the eIDAS and STORK 2.0 formats. The plugin also maps attributes between the STORK 2.0 SAML profile and the eIDAS SAML profile.
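The checks below are an added example and not part of the CEF eIDAS-Node or e-SENS code. They show what an eIDAS-Connector (or the relying party behind it) has to verify on the SAML response coming back from an eIDAS-Service before trusting the identity it carries: the status, that the response answers our own request, the assertion's validity window and audience, that the returned level of assurance is at least the one requested, that the eIDAS minimum data set is present, and that the PersonIdentifier follows the nationality/destination/identifier form of CIR 2015/1501. SAMPLE_RESPONSE is a constructed, unsigned fragment with made-up example.be and example.es hostnames; in the real eIDAS SAML profile the assertion is signed and encrypted, so signature verification against the eIDAS-Service metadata must run before anything here.

```python
"""Added example: plausibility checks on an eIDAS SAML response (constructed data)."""
import re
from datetime import datetime
from typing import List
import xml.etree.ElementTree as ET

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
LOA_PREFIX = "http://eidas.europa.eu/LoA/"
LOA_RANK = {"low": 1, "substantial": 2, "high": 3}          # eIDAS Art. 8 levels, ordered
NP = "http://eidas.europa.eu/attributes/naturalperson/"
MINIMUM_DATA_SET = {NP + a for a in ("PersonIdentifier", "FamilyName", "FirstName", "DateOfBirth")}
# CIR 2015/1501 unique identifier: nationality code / destination country code / identifier
PERSON_ID = re.compile(r"^([A-Z]{2})/([A-Z]{2})/(\S+)$")

# Constructed sample (unsigned; hostnames and values are invented for this example).
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    InResponseTo="_req42" IssueInstant="2021-03-15T10:00:05Z">
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="_a1" Version="2.0" IssueInstant="2021-03-15T10:00:05Z">
    <saml2:Issuer>https://eidas.example.es/EidasNode/ServiceMetadata</saml2:Issuer>
    <saml2:Conditions NotBefore="2021-03-15T10:00:00Z" NotOnOrAfter="2021-03-15T10:05:00Z">
      <saml2:AudienceRestriction><saml2:Audience>https://connector.example.be/ConnectorMetadata</saml2:Audience></saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2021-03-15T10:00:04Z">
      <saml2:AuthnContext><saml2:AuthnContextClassRef>http://eidas.europa.eu/LoA/substantial</saml2:AuthnContextClassRef></saml2:AuthnContext>
    </saml2:AuthnStatement>
    <saml2:AttributeStatement>
      <saml2:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/PersonIdentifier"><saml2:AttributeValue>ES/BE/12345678Z</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/FamilyName"><saml2:AttributeValue>García</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/FirstName"><saml2:AttributeValue>Ana</saml2:AttributeValue></saml2:Attribute>
      <saml2:Attribute Name="http://eidas.europa.eu/attributes/naturalperson/DateOfBirth"><saml2:AttributeValue>1985-04-12</saml2:AttributeValue></saml2:Attribute>
    </saml2:AttributeStatement>
  </saml2:Assertion>
</saml2p:Response>"""


def parse_time(s: str) -> datetime:
    """xsd:dateTime with a Z suffix to a timezone-aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def check_response(xml_text: str, *, request_id: str, audience: str,
                   requested_loa: str, own_country: str, now: datetime) -> List[str]:
    """Return the reasons to reject the response; an empty list means accept."""
    problems = []
    root = ET.fromstring(xml_text)
    code = root.find(f"{SAMLP}Status/{SAMLP}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("InResponseTo") != request_id:
        problems.append("InResponseTo does not match our request (unsolicited or replayed)")
    assertion = root.find(f"{SAML}Assertion")
    if assertion is None:
        return problems + ["no assertion in response"]
    cond = assertion.find(f"{SAML}Conditions")
    try:
        in_window = parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter"))
    except (AttributeError, TypeError, ValueError):
        in_window = False
    if not in_window:
        problems.append("assertion validity window does not contain the current time")
    if audience not in [a.text for a in assertion.iter(f"{SAML}Audience")]:
        problems.append("audience restriction does not name this connector")
    ref = assertion.findtext(f"{SAML}AuthnStatement/{SAML}AuthnContext/{SAML}AuthnContextClassRef") or ""
    got = ref[len(LOA_PREFIX):] if ref.startswith(LOA_PREFIX) else None
    if got not in LOA_RANK or LOA_RANK[got] < LOA_RANK[requested_loa]:
        problems.append(f"level of assurance {got!r} below requested {requested_loa!r}")
    attrs = {a.get("Name"): (a.findtext(f"{SAML}AttributeValue") or "").strip()
             for a in assertion.iter(f"{SAML}Attribute")}
    missing = MINIMUM_DATA_SET - {name for name, value in attrs.items() if value}
    if missing:
        problems.append("minimum data set incomplete: " + ", ".join(sorted(missing)))
    m = PERSON_ID.match(attrs.get(NP + "PersonIdentifier", ""))
    if m is None:
        problems.append("PersonIdentifier is not in nationality/destination/identifier form")
    elif m.group(2) != own_country:
        problems.append(f"PersonIdentifier was issued for {m.group(2)}, not for {own_country}")
    return problems
```

The level-of-assurance comparison is the one check that is specific to eIDAS: a service that asked for "high" must reject a "substantial" assertion even if everything else verifies, because the notified scheme's LoA is what the relying party's risk decision was based on.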

    eIDAS Technical Specification

    In September 2015, version 0.9 of the specifications for the eIDAS node was published on Joinup. The specification has been developed through member state collaboration in a technical sub-committee of the eIDAS Expert Group. The role of the Commission was to facilitate and support this process and to provide a sample implementation of the technical specifications which member states are free to adopt as an "off the shelf" implementation should they wish to do so.

    eIDAS implementation

    Electronic identity in practice

    To appreciate the challenges of electronic identity, one can e.g. compare the following situations: Practical implementations are based upon SAML v2 'Holder of Key' Profile.

    Relevant information can be found at: The ESPOCS project builds upon STORK and PEPPOL. The state of notification of Member States and the status of eIDAS-Node implementation is available at the CEF wiki. An eIDAS test and simulation tool was launched in 2018.

    The SSI eIDAS bridge provides eIDAS functionality to SSI.

    Influencers

    While the political and organisational challenges surrounding eIDAS and STORK are impressive, there is also a long list of influencers from various angles. To mention just a few:

    European standards

    These standards are defined by the European Standards Organisations (ESO), CEN, CENELEC and ETSI. Each ESO has its specialisation, resulting from its history. ETSI is focused on telecommunication standards, while CEN is more focused on devices and smart cards.

    ETSI's Technical Committee ESI

    Its activities on electronic signatures are coordinated by Technical Committee (TC) Electronic Signatures and Infrastructures (ESI). The ESI TC's ongoing and past activities are available, together with the drafts. In 2009, the EC issued standardisation mandate M/460 to CEN, CENELEC and ETSI to establish a rationalised framework for electronic signature standardisation.

    ETSI ESI deals with electronic signatures (signature formats, certificates, CSPs, trusted lists) and ancillary services (registered e-mail, time-stamping, long-term document preservation). This includes signature creation and verification based on advanced electronic signatures such as CAdES (CMS Advanced Electronic Signatures), XAdES (XML Advanced Electronic Signatures), PAdES (PDF Advanced Electronic Signatures) and ASiC (Associated Signature Containers). ESI also deals with cryptographic suites, trust service providers supporting e-signatures (e.g. certification authorities, time-stamping authorities), trust application providers (e.g. registered e-mail (REM) providers, information preservation providers), and the Trust-service Status List (TSL). The TSL is defined to enhance the confidence of parties relying on certificates or other services related to electronic signatures: it gives them the information needed to determine whether a given trust service provider was operating under the approval of a recognised scheme at the time it provided its services and at the time of any dependent transaction. Information for TSPs and CABs can be found at the ESI TSP page.
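The TSL question stated above (was this provider approved at the time it issued the certificate?) and the LOTL/trusted-list mechanism described in the earlier eIDAS sections come down to the same lookup, shown here as an added example that is not ETSI's, CEF's or the page author's code: index the TSPService entries of an ETSI TS 119 612 trusted list by their digital identities, then walk the ServiceHistory to find the status in force at the signing time. SAMPLE_TL is a constructed, heavily abridged and unsigned list with a made-up X509SKI value and a single CA/QC service that was granted in 2016 and withdrawn in 2020. A real validator first verifies the list's XMLDSig signature against the certificate published in the LOTL pointer, rejects lists whose NextUpdate has passed, and still has to build the certificate chain to the listed service before this lookup is meaningful.

```python
"""Added example: service status at a point in time from an ETSI TS 119 612 trusted list."""
from datetime import datetime
from typing import Dict, List, NamedTuple, Optional, Tuple
import xml.etree.ElementTree as ET

TSL = "{http://uri.etsi.org/02231/v2#}"
STATUS = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/"
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"

# Constructed, abridged, unsigned trusted list; the SKI value is invented.
SAMPLE_TL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
 <SchemeInformation>
  <ListIssueDateTime>2021-03-01T00:00:00Z</ListIssueDateTime>
  <NextUpdate><dateTime>2021-09-01T00:00:00Z</dateTime></NextUpdate>
 </SchemeInformation>
 <TrustServiceProviderList><TrustServiceProvider>
  <TSPInformation><TSPName><Name xml:lang="en">Example Qualified TSP</Name></TSPName></TSPInformation>
  <TSPServices><TSPService>
   <ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example QC CA 1</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509SKI>AAECAwQFBgcICQoLDA0ODxAREhM=</X509SKI></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
    <StatusStartingTime>2020-06-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation>
   <ServiceHistory><ServiceHistoryInstance>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example QC CA 1</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509SKI>AAECAwQFBgcICQoLDA0ODxAREhM=</X509SKI></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
    <StatusStartingTime>2016-07-01T00:00:00Z</StatusStartingTime>
   </ServiceHistoryInstance></ServiceHistory>
  </TSPService></TSPServices>
 </TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""


class Period(NamedTuple):
    status: str          # URI suffix: "granted", "withdrawn", ...
    starting: datetime


class Service(NamedTuple):
    service_type: str
    timeline: List[Period]   # newest first


def parse_time(s: str) -> datetime:
    """xsd:dateTime with a Z suffix to a timezone-aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def _period(elem) -> Period:
    uri = elem.findtext(TSL + "ServiceStatus") or ""
    if not uri.startswith(STATUS):
        raise ValueError(f"unexpected service status {uri!r}")
    return Period(uri[len(STATUS):], parse_time(elem.findtext(TSL + "StatusStartingTime")))


def load_trusted_list(xml_text: str) -> Dict[Tuple[str, str], Service]:
    """Index every TSPService by its digital identities (X509SKI and X509SubjectName)."""
    root = ET.fromstring(xml_text)
    index: Dict[Tuple[str, str], Service] = {}
    for svc in root.iter(TSL + "TSPService"):
        info = svc.find(TSL + "ServiceInformation")
        # Current status plus every historical status, newest first.
        periods = [_period(info)] + [_period(h) for h in svc.iter(TSL + "ServiceHistoryInstance")]
        periods.sort(key=lambda p: p.starting, reverse=True)
        service = Service(info.findtext(TSL + "ServiceTypeIdentifier") or "", periods)
        for kind in ("X509SKI", "X509SubjectName"):
            for did in info.iter(TSL + kind):
                index[(kind, (did.text or "").strip())] = service
    return index


def status_at(index: Dict[Tuple[str, str], Service], ski_b64: str, when: datetime) -> Optional[str]:
    """Status of the service identified by the issuer's SubjectKeyIdentifier at `when`."""
    service = index.get(("X509SKI", ski_b64))
    if service is None:
        return None                       # issuer not listed at all
    for period in service.timeline:       # newest first, so the first match is the one in force
        if period.starting <= when:
            return period.status
    return None                           # before the service was first listed


def issuer_was_qualified_ca(index: Dict[Tuple[str, str], Service], ski_b64: str,
                            signing_time: datetime) -> bool:
    """True only if the issuer was a CA/QC service with status 'granted' at signing time."""
    service = index.get(("X509SKI", ski_b64))
    return (service is not None and service.service_type == CA_QC
            and status_at(index, ski_b64, signing_time) == "granted")
```

The point of keeping the whole timeline rather than only the current ServiceStatus is exactly the one made in the paragraph above: a signature created in 2018 under a CA that was withdrawn in 2020 is still valid, while a signature claiming a 2021 creation date under the same CA is not, and only the history tells the two apart.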

    Under M/460, various ETSI Special Task Forces (STF) were established. An overview is provided in ETSI TR 119 000. Furthermore, ETSI defines URIs in different fields, including for trusted lists. ETSI also makes a signature conformance checker available.

    CEN

    The European Committee for Standardisation (CEN) collaborates with ETSI in M/460. Within CEN, various TCs cover different topics. In particular, within TC 224 (Personal identification and related personal devices with secure element, systems, operations and privacy in a multi-sectorial environment), working groups address the following topics: The status of CEN standards can be retrieved on their standards website.

    ETSI and CEN naming convention for electronic signature standards

    Standard names are structured as DD L19 xxx-z, where 19 indicates the series of standardisation documents related to eSignatures. DD indicates the deliverable type in the standardisation process (SR, TS, TR and EN). L when set to 4: identifies a CEN deliverable. When set to 0, 1, 2, or 3: identifies an ETSI deliverable and the type of deliverable in the standardisation process:
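A small parser for the numbering scheme just described, added here as an example and not taken from ETSI or CEN. It accepts the usual written forms ("ETSI TS 119 612", "EN 319 412-1", "CEN/TS 419 241") and interprets the L digit only as far as the text above states it: 4 means a CEN deliverable, 0 to 3 an ETSI one; the finer meaning of 0 to 3 and of the xxx area digits is documented in ETSI TR 119 000 and is not encoded here.

```python
"""Added example: parse the DD L19 xxx-z numbering of eSignature standards."""
import re
from typing import NamedTuple, Optional

_ID = re.compile(
    r"^(?:(ETSI|CEN)[ /])?"      # optional organisation prefix, e.g. "ETSI " or "CEN/"
    r"(SR|TS|TR|EN)\s+"          # DD: deliverable type
    r"([0-4])19\s?(\d{3})"       # L digit, the fixed "19" series marker, then xxx
    r"(?:-(\d+))?$"              # optional part number z
)


class EsigStandard(NamedTuple):
    deliverable: str      # SR, TS, TR or EN
    organisation: str     # "CEN" when L == 4, otherwise "ETSI" (as stated in the text above)
    l_digit: int
    number: str           # the three xxx digits
    part: Optional[int]


def parse_esig_standard(text: str) -> EsigStandard:
    """Parse e.g. 'ETSI TS 119 612', 'EN 319 412-1' or 'CEN/TS 419 241'."""
    m = _ID.match(text.strip().upper())
    if m is None:
        raise ValueError(f"{text!r} is not a DD L19 xxx-z eSignature standard number")
    prefix, dd, l_digit, xxx, part = m.groups()
    organisation = "CEN" if l_digit == "4" else "ETSI"
    # A written prefix that contradicts the L digit is a typo worth catching.
    if prefix is not None and prefix != organisation:
        raise ValueError(f"{text!r}: prefix {prefix} contradicts L digit {l_digit}")
    return EsigStandard(dd, organisation, int(l_digit), xxx, int(part) if part else None)


def is_esig_standard(text: str) -> bool:
    """True for numbers in the 19 series; pre-M/460 numbers such as 'ETSI TS 102 231' are not."""
    try:
        parse_esig_standard(text)
        return True
    except ValueError:
        return False
```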

    Remark

    IDABC's European Electronic Signature Standardisation Initiative (EESSI) can be considered one of the predecessors of the formal ETSI TC ESI; it has since concluded. The EU eSignature standards website (an initiative of DG CNECT and the ESOs) also provides a good introduction to the topic.

    Electronic Identity and Authentication - ePassports

    Third Country Nationals visiting Europe

    Access to Europe for third-country nationals (TCNs) may require a valid passport and visa. Most if not all countries issue passports according to the ICAO standards. Many passports (ePassports) support electronic identification and authentication of the bearer; however, they do not offer electronic signature capability.

    The Schengen area (established by the 1985 Schengen Agreement and the 1990 Convention, operational since 1995) governs TCN travel to Europe; access is regulated by the Schengen Borders Code (SBC), adopted in 2006 as Regulation (EC) No 562/2006 and recast in 2016 as Regulation (EU) 2016/399. Europe established the Schengen Information System (SIS) and the Visa Information System (VIS) for the purpose of enforcing the SBC. The Smart Borders initiative from DG HOME aims to facilitate TCN entry to and exit from the Schengen area. I participated in the technical study in 2014, leading up to the 2015 pilot. Also available are the study's executive summary and the cost study.

    TCNs who wish to reside in Europe for a longer period may apply for a residence permit. A uniform European format for residence permits was defined in 2002 (Council Regulation (EC) No 1030/2002). Such a residence permit may include electronic signature capability. In 2008 (Regulation (EC) No 380/2008) the requirement was added to include a facial image and two fingerprints, taken flat and digitally captured.

    ICAO

    The interoperability of ePassports (an implementation of electronic machine readable travel documents, eMRTDs) is facilitated through the International Civil Aviation Organization (ICAO), particularly its set of Doc 9303 documents.
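The concrete link between the printed passport and the chip's "authentication of the bearer" mentioned above is the MRZ: Doc 9303 defines check digits over its fields, and Basic Access Control (BAC) derives the chip's session keys from those same fields, so an inspection system can only talk to the chip after it has optically read the data page. The following is an added example, not ICAO's or the page author's code, implementing both from the standard library. The document number, date of birth and expiry date are those of the worked example in Doc 9303 Part 11, Appendix D (the appendix lists the resulting key values, which are not repeated here); the other fields of SAMPLE_LINE2 (nationality UTO, sex, optional data, composite digit) are constructed.

```python
"""Added example: ICAO Doc 9303 MRZ check digits and BAC key derivation."""
import hashlib
from typing import Dict, Tuple

_WEIGHTS = (7, 3, 1)


def _value(c: str) -> int:
    """Doc 9303 check-digit alphabet: 0-9 -> 0-9, A-Z -> 10-35, filler '<' -> 0."""
    if "0" <= c <= "9":
        return ord(c) - ord("0")
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"illegal MRZ character {c!r}")


def check_digit(field: str) -> int:
    """Weighted sum with weights 7, 3, 1 repeating, modulo 10."""
    return sum(_value(c) * _WEIGHTS[i % 3] for i, c in enumerate(field)) % 10


def validate_td3_line2(line: str) -> Dict[str, object]:
    """Split the 44-character second MRZ line of a TD3 passport and verify all five check digits."""
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be 44 characters")
    doc, dob, expiry, optional = line[0:9], line[13:19], line[21:27], line[28:42]
    # The composite digit covers document number, birth date and expiry with their
    # check digits plus the optional data and its check digit.
    composite = line[0:10] + line[13:20] + line[21:43]
    ok = (check_digit(doc) == int(line[9]) and check_digit(dob) == int(line[19])
          and check_digit(expiry) == int(line[27]) and check_digit(optional) == int(line[42])
          and check_digit(composite) == int(line[43]))
    return {"document_number": doc, "nationality": line[10:13], "date_of_birth": dob,
            "sex": line[20], "expiry": expiry, "optional": optional, "valid": ok}


def mrz_information(doc_number: str, dob: str, expiry: str) -> str:
    """MRZ_information of Doc 9303 Part 11: each field followed by its check digit."""
    doc_number = doc_number.ljust(9, "<")      # the document number field is 9 characters
    return f"{doc_number}{check_digit(doc_number)}{dob}{check_digit(dob)}{expiry}{check_digit(expiry)}"


def _odd_parity(key: bytes) -> bytes:
    """Force odd parity in the low bit of every byte, as DES keys require."""
    return bytes((b & 0xFE) | (0 if bin(b & 0xFE).count("1") % 2 else 1) for b in key)


def derive_key(k_seed: bytes, counter: int) -> bytes:
    """Doc 9303 3DES key derivation: SHA-1(Kseed || c), first 16 bytes, parity adjusted."""
    return _odd_parity(hashlib.sha1(k_seed + counter.to_bytes(4, "big")).digest()[:16])


def bac_keys(doc_number: str, dob: str, expiry: str) -> Tuple[bytes, bytes]:
    """Return (K_ENC, K_MAC); the chip computes the same pair from its own MRZ data."""
    k_seed = hashlib.sha1(mrz_information(doc_number, dob, expiry).encode("ascii")).digest()[:16]
    return derive_key(k_seed, 1), derive_key(k_seed, 2)


# Constructed TD3 line 2 built around the Appendix D fields; check digits from check_digit().
SAMPLE_LINE2 = "L898902C<3UTO6908061F9406236<<<<<<<<<<<<<<02"
```

The entropy of the BAC keys is only that of the MRZ fields (document number, birth date, expiry), which is why BAC is regarded as weak against an attacker who can guess or partially know those values and why later generations moved to PACE with a password-authenticated key agreement.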

    Generations of ePassports

    Currently there are three generations of ePassports:

    Regulatory and related

    European Council

    Cooperation network

    Identity, trust and interoperability

    LOTL - List of Trusted Lists

    Trust anchors and trust lists emerged from IETF work, including

    SIS, VIS, EuroDac

    Projects

    EC LSPs (Large Scale Pilots)

    Other

    CEF Building Blocks and related Components

    eID - Identity

    Trust Services

    Dashboard and Toolbox March 2021

    DSS

    Digital Signature Server capability was originally started by DG ENTR and later integrated in Joinup and CEF. DSS (Digital Signature Services) is an open-source software library for electronic signature creation and validation. DSS supports the creation and verification of interoperable and secure electronic signatures in line with European legislation. In particular, DSS aims to follow the eIDAS Regulation and related standards closely. DSS can be re-used in an IT solution for electronic signatures to ensure that signatures are created and verified in line with European legislation and standards. DSS allows re-use in a variety of ways: in an applet, in a stand-alone application or in a server application. DSS can also be used as a reference implementation for IT solutions which do not directly re-use it.

    Information can be found at CEF DSS, Joinup and source code at github.

    eArchiving

    eArchiving technical specifications describe in detail the interoperable and open formats for packaging data and metadata for transfer to archival repositories (E-ARK SIP), for the preservation over extended periods (E-ARK AIP) and the reuse of archived content (E-ARK DIP). The most common principles and requirements are presented separately within the E-ARK Common Specification for Information Packages. Further details about eArchiving specifications are available at http://www.dilcis.eu.

    RODA repository

    Other

    Fora

    Country overview (subjective and incomplete)

    See also local files:

    Austria

    Belgium

    See also local files:

    Croatia

    eIDAS notification

    Czech Republic

    eIDAS notification

    Czechia’s national eID scheme allows Czech citizens to digitally prove their identity online and access eGovernment and private sector services in two ways. As of July 2018, they can use eID cards, or alternatively with a combination of username, password, and one-time codes received on their mobile phone via SMS. The Czech scheme has been notified with a LOA of High.

    Actors

    Denmark

    Estonia

    Finland

    France

    Germany

    The ePA (elektronischer Personalausweis) was initiated by the Federal Cabinet on 23 July 2008 and introduced by the BMI (Bundesministerium des Innern) in 2010. The ePA introduced the eCard-API (BSI TR-03112) for interfacing. It was the first European eID with a contactless chip and with mutual authentication between card and terminal. It featured cryptographic privacy-enhancing protocols (BSI TR-03110).

    The government funded security kits containing a free eID client (AusweisApp) and a free (or discounted) card reader. The AusweisApp was to support all major platforms, interfaces and smart cards as per the eCard-API framework.

    As a consequence of some limitations of the AusweisApp in practice, alternatives were developed. These include proprietary eID clients (cf. by Ageto and bos) as well as the Open Source Open eCard App. This was certified according to BSI TR-03124 in 2019 as the world's first Open Source eID kernel. It is used e.g. by the German Post as PostIdent.

    Background: Other eGovernment components include: There is also:

    Greece

    Italy

    eIDAS notification

    Italy’s Carta di Identità elettronica (CIE) allows Italian citizens to prove their identity online and access services. It has been notified with an LOA of High. The CIE is available to both Italian citizens and official residents. It is a contactless (RFID/NFC) smart card: on a computer, authentication uses a card reader and the PIN; on an NFC-enabled mobile device, the card is presented to the device and the PIN entered.

    Actors

    Malta

    The Netherlands

    eIDAS notification: first for business (not for citizens)

    The Netherlands’ 'Trust Framework for Electronic Identification' is a set of standards, agreements and provisions for authorised access to digital services. It has a citizen domain Idensys and a business domain eHerkenning.

    In September 2019, eHerkenning became the first ever notified scheme for legal persons under eIDAS. It has been notified at LOAs Substantial and High. Representatives of businesses or public services who have received a specific authorisation use it to access online services on behalf of their organisation and manage their transactions with the government. They use a login token previously acquired from one of a number of accredited service providers. Tokens can take the form of a username/password, SMS, phone, one-time password, or certificate. The scheme is a public-private partnership between the Ministry of the Interior and a series of accredited suppliers in charge of means issuance, authentication provision, authorisation registration and eRecognition brokering:

    The domain for citizens, known as Idensys, is not part of the notification.

    Actors

    Identity

    Two frameworks (stelsels): eHerkenning (legal persons) & Idensys (citizens)

    eHerkenning framework (legal persons)
    Idensys framework (citizens)

    Access

    Polymorph pseudonyms

    Transaction monitoring - fraud detection

    Sundry

    Latvia

    Luxembourg

    Norway

    Poland

    Portugal

    Romania

    Slovenia

    Spain

    Sweden

    Switzerland (non-EU)

    United Kingdom

    Home Office

    A ministerial department that leads on immigration and passports, drugs policy, crime policy, counter-terrorism, and policing.

    Cabinet Office

    A ministerial department supporting the Prime Minister.

    tScheme

    Other

    Signature and validation

    Trusted Repositories - Archiving