
Electronic identification and trust services including e-signatures (RP2020)

Archived

Policy and legislation

Policy objectives

This relates to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

EC perspective and progress report

In the context of the e-signatures Directive, in January 2010, the Commission mandated the ESOs to rationalise the standards for e-signatures and related trust services to form a coherent and up-to-date framework (mandate M/460).

The eIDAS Regulation, adopted on 23 July 2014, addresses in one comprehensive piece of legislation electronic identification, electronic signatures, electronic seals, time stamping, electronic delivery, electronic documents and website certificates as core instruments for electronic transactions. To support the implementation of this highly technical regulation, further standardisation work will be needed. In the case of trust services, the planned secondary legislation refers extensively to the availability of standards as a possible means of meeting the regulatory requirements. Existing standards should be checked to take account of the protection of individuals with regard to personal data processing and the free movement of such data. Specific privacy-by-design standards should be identified and, where needed, developed. The accessibility needs of persons with disabilities should also be taken into account.

References

  • Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
  • Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework
  • Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means
  • Commission Implementing Decision (EU) 2015/1984 of 3 November 2015 defining the circumstances, formats and procedures of notification
  • Commission Implementing Regulation (EU) 2015/806 of May 2015 laying down specifications relating to the form of the EU trust mark for qualified trust services
  • Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies
  • Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists
  • Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices

Requested actions

Action 1: Build on the work done under Mandate M/460 in the following way: address the trust service providers (TSPs) providing signature creation services, the TSPs providing signature validation services, and standards for trust application service providers. Support harmonisation of identity proofing, particularly in relation to certificate issuance and remote signing.

Action 2: Take ongoing EU policy activities into account in standardisation, e.g. in ISO/IEC JTC 1/SC 27/WG 5 (identity management and privacy technologies) and other working groups of ISO/IEC JTC 1/SC 27. Furthermore, in order to promote the strengths of the European approach to electronic identification and trust services at global level and to foster mutual recognition of electronic identification and trust services with non-EU countries, European and international standards should be aligned wherever possible. The promotion and maintenance of related European approaches, which especially take into account data protection considerations, in international standards should be supported.

Action 3: Support and improve the development of interoperable standards by facilitating the organisation of plugtests (interoperability events) and developing and enhancing conformity testing tools. Such interoperability events may address CAdES, XAdES, PAdES, ASiC, use of trusted lists, signature validation, remote signature creation and validation, e-delivery services, preservation services, etc.

Activities and additional information 

Related standardisation activities

CEN 

CEN/TC 224 'Personal identification and related personal devices with secure element, systems, operations and privacy in a multi sectorial environment' develops standards for strengthening the interoperability and security of personal identification and its related personal devices, systems, operations and privacy. CEN/TC 224 addresses sectors such as government/citizen, transport, banking and e-health, as well as consumers and, from the supply side, providers such as card manufacturers, security technology vendors, conformity assessment bodies and software manufacturers.

In 2018 and 2019, CEN has published the following standards:

  • EN 419 231:2019 'Protection profile for trustworthy systems supporting time stamping'
  • EN 419 241-1:2018 'Trustworthy Systems Supporting Server Signing - Part 1: General System Security Requirements'
  • EN 419 221-5:2018 'Protection Profile for Trust Service Provider Cryptographic modules - Part 5: Cryptographic module for trust services'

In 2020, CEN/TC 224 will finalize the development of:

  • a CEN/TS 'Personal identification - Secure and interoperable European Breeder Documents - Part 1: Framework overview'
  • a CEN/TS 'Personal identification - European enrolment guide for biometric ID documents (EEG)'
  • prEN 1332-3 'Identification card systems - User Interface - Part 3: Key pads'

ETSI

Under the standardisation mandate M/460 on e-signatures, ETSI TC ESI provided an initial set of upgraded and new standards within a rationalised framework. ETSI TC ESI provides standards introducing the overall framework of standards, standards for trust service providers supporting digital signatures as well as preservation services and e-delivery services, standards for (remote) signature creation and validation, for cryptographic suites, and for providers of trust service status lists.

A summary of ETSI TC ESI publications and ongoing work can be found at https://portal.etsi.org/TBSiteMap/ESI/ESIActivities.aspx

ISO

ISO/TC 154 'Processes, data elements and documents in commerce, industry and administration'

http://www.iso.org/iso/iso_technical_committee?commid=53186

Ongoing work:

  • Requirements and roles & responsibilities for fulfilling trusted e-communications in commerce, industry and administration
  • Qualified trust services for long-term signature of kinds of electronic documents
  • Validation of long-term signature
  • Trusted (or qualified) electronic registered delivery services (or platform)
  • Dematerialisation and proof of dematerialisation
  • Requirements for providing trusted e-communications in the mobile environment
  • Requirements for providing trusted e-communications in the cloud environment

Projects include:

  • ISO 14533-1:2014 — Processes, data elements and documents in commerce, industry and administration -- Long term signature profiles -- Part 1: Long term signature profiles for CMS Advanced Electronic Signatures (CAdES)
  • ISO 14533-2:2012 — Processes, data elements and documents in commerce, industry and administration -- Long term signature profiles -- Part 2: Long term signature profiles for XML Advanced Electronic Signatures (XAdES)
  • ISO/DIS 14533-3 — Processes, data elements and documents in commerce, industry and administration -- Long term signature profiles -- Part 3: Long term signature profiles for PDF Advanced Electronic Signatures (PAdES)

ISO/IEC JTC 1/SC 27 is responsible for international IT security standards and is therefore one of the primary stakeholders affected.

ISO/TC 312 'Transaction Assurance in e-Commerce'

https://www.iso.org/committee/7145156.html

ISO/IEC JTC 1 

ISO/IEC JTC 1/SC 37 is responsible for the standardisation of generic biometric technologies pertaining to human beings, to support interoperability and data interchange among applications and systems. Generic human biometric standards include: common file frameworks, biometric application programming interfaces, biometric data interchange formats, related biometric profiles and other standards in support of the technical implementation of biometric systems, evaluation criteria for biometric technologies, methodologies for performance testing and reporting, and cross-jurisdictional and societal aspects of biometric implementation. SC 37 Biometrics home page: http://www.iso.org/iso/home/standards_development/list_of_iso_technical_committees/jtc1_home/jtc1_sc37_home.htm. The complete list of standards published or under development can be found in the ISO Standards Catalogue of ISO/IEC JTC 1/SC 37 — Biometrics.

Published standards and ongoing projects related to these topics include the series of biometric data interchange standards for different biometric modalities, biometric technical interfaces, related biometric profiles and other standards in support of the technical implementation of biometric systems, and cross-jurisdictional and societal aspects of biometric implementation. Representative projects are: the amendments ISO/IEC 19794-x:2011/Amd. 2:2015 to the data format standards, which specify an XML encoding; the extensible biometric data interchange formats ISO/IEC 39794-x, i.e. generic extensible data interchange formats for the representation of data, comprising a tagged binary data format based on an extensible specification in ASN.1 and a textual data format based on an XML schema definition (both capable of holding the same information); the multi-part standard ISO/IEC 30107-x 'Biometric presentation attack detection'; and the multi-part standard ISO/IEC 24779-x 'Cross-jurisdictional and societal aspects of implementation of biometric technologies — pictograms, icons and symbols for use with biometric systems'.

ISO/IEC JTC 1/SC 27 is responsible for international IT security. The standards most relevant to electronic identification and trust services are developed by SC 27/WG 5 'Identity Management and Privacy Technologies'. After completion of the foundational frameworks (especially ISO/IEC 24760 'A framework for identity management' and ISO/IEC 29100 'Privacy framework'), the priorities for WG 5 are related standards and Standing Documents on supporting technologies, models and methodologies. WG 5's projects include:

  • A framework for identity management – Part 1: Terminology and concepts (ISO/IEC 24760-1, 2nd edition:2019)
  • A framework for identity management – Part 2: Reference framework and requirements (ISO/IEC 24760-2, 1st edition:2015)
  • A framework for identity management – Part 3: Practice (ISO/IEC 24760-3, 1st edition:2016)
  • Privacy framework (ISO/IEC 29100, 1st edition:2011; Amendment 1:2018)
  • Privacy architecture framework (ISO/IEC 29101, 2nd edition:2018)
  • A framework for access management (ISO/IEC 29146, 1st edition:2016)
  • Requirements for partially anonymous, partially unlinkable authentication (ISO/IEC 29191, 1st edition:2012)
  • Privacy enhancing data de-identification terminology and classification of techniques (ISO/IEC 20889, 1st edition:2018)
  • Privacy impact assessment – methodology (ISO/IEC 29134, 1st edition:2017)
  • Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy management – Requirements and guidelines (ISO/IEC 27701, 1st edition:2019)
  • WG 5 Standing Document 2 – “Privacy references list”
  • WG 5 Standing Document 4 – “Standards Privacy Assessment”

ISO/IEC JTC 1/SC 27 is working in close collaboration with CEN-CLC/JTC 13 'Cybersecurity and Data protection' on eIDAS-related standardisation activity.

ITU-T

ITU-T SG3 is responsible, inter alia, for studying international telecommunication/ICT policy and economic issues and tariff and accounting matters (including costing principles and methodologies), with a view to informing the development of enabling regulatory models and frameworks. SG3 is also tasked with a study on the economic and regulatory impact of the Internet, convergence (services or infrastructure) and new services. SG3 is currently working on a guideline for digital identity under the new Question 9/3 (economic and policy aspects of big data and digital identity in international telecommunications services and networks). SG3 has a draft Recommendation on 'Guidelines for digital identity' (D.DigID) under development.

More info: http://itu.int/ITU-T/go/tsg3

ITU-T SG13 published three technical reports on trust provisioning for future ICT infrastructures and services and two Recommendations, ITU-T Y.3051 'The basic principles of trusted environment in information and communication technology infrastructure' and Y.3052 'Overview of trust provisioning for information and communication technology infrastructures and services'. There are currently three more work items under development covering areas such as trustworthy networking, trust-based media services and a trust index for ICT infrastructures and services. These studies will contribute to the development of more reliable techniques to cope with the risks of knowledge sharing, thus moving towards a knowledge society. To complement this work from the infrastructure perspective, SG13 approved Recommendation ITU-T Y.3514 'Cloud computing - trusted inter-cloud computing framework and requirements' and is working on an overview of inter-cloud trust management.

More info: http://itu.int/ITU-T/go/tsg13

ITU-T SG17 is responsible for the study of the appropriate core questions on identity management. Additionally, in consultation with other relevant study groups and in collaboration, where appropriate, with other standards bodies, SG17 has the responsibility to define and maintain the overall framework and to coordinate, assign (recognising the mandates of other study groups) and prioritise the studies to be carried out by the study groups, and to ensure the preparation of consistent, complete and timely Recommendations.

SG17 is developing seven standards in this domain, including 'Security framework based on trust relationship in 5G ecosystem' (X.5Gsec-t), 'Security requirements for quantum key distribution networks - trusted node' (X.sec-QKDN-tn), 'Security considerations for using distributed ledger technology data in identity management' (X.dlt-sec), 'Framework of de-identification process for telecommunication service providers' (X.fdip) and 'Requirements for data de-identification assurance' (X.rdda), among others.

More info: http://itu.int/ITU-T/go/tsg17

ITU-T SG20 is the lead study group for IoT identification. SG20 is studying what identification systems are capable of in terms of fulfilling the requirements of IoT and SC&C, including security, privacy and trust; how authentication technologies can work with identification systems; what options or measures are available for the identification of IoT objects; and how identification mechanisms can support interoperability in IoT and SC&C and mitigate risks, among other questions. ITU-T SG20 is currently working on draft Recommendation ITU-T Y.IoT-IoD-PT 'Identity of IoT devices based on secure procedures to enhance trust on IoT system'.

More info: http://itu.int/ITU-T/go/tsg20

UNECE

The United Nations Economic Commission for Europe in its Recommendation 14 outlines base elements to take into account in the use of electronic authentication methods. It recommends that the authentication methods should be chosen in light of the nature of the electronic transaction and the relationship between the parties involved in the exchange. Not all electronic exchanges require the highest level of reliability.

See (available also in French and Russian):

http://www.unece.org/fileadmin/DAM/cefact/recommendations/rec14/ECE_TRADE_C_CEFACT_2014_6E_Rec14.pdf

Further work is being developed on this topic within UN/CEFACT. See:

http://www.unece.org/fileadmin/DAM/cefact/cf_plenary/2018_plenary/ECE_TRADE_C_CEFACT_2018_7E.pdf

OASIS

OASIS hosts projects for e-signature management and functionality, including standards for Digital Signature Services (DSS) and the Key Management Interoperability Protocol (KMIP).

Its identity management and access control work includes standards for the eXtensible Access Control Markup Language (XACML, also approved as ITU-T Recommendation X.1144); the Security Assertion Markup Language (SAML, also ITU-T Recommendation X.1141); cross-enterprise security and privacy authorisation (XSPA); the Authentication Step-Up Protocol and Metadata (Trust Elevation) for identity trust level elevation; the extensible resource identifier (XRI) and XRI data interchange (XDI) standards; and a suite of web services specifications including Web Services Federation (WS-Fed), Web Services Trust (WS-Trust) and Web Services Secure Exchange (WS-SX).

OASIS' Biometric Services TC also hosts specifications for standardized biometric device service calls compatible with standard media types and the biometric data formats of ISO/IEC 19785 and 19794.

An updated DSS Core Protocols, Elements and Bindings V2.0 and a new DSS Metadata V1.0, issued in 2019, provide JSON- and XML-based request/response protocols for signing and verifying, including updated timestamp formats, transport and security bindings, and metadata discovery methods.

https://lists.oasis-open.org/archives/tc-announce/201907/msg00008.html

OIDF

The OpenID Foundation (OIDF) maintains a set of standards and related certification profiles addressing identity transactions over the internet. Active working groups in this area include the OpenID Connect WG, the AccountChooser WG, the Native Applications WG, the Mobile Operator Discovery, Registration and Authentication WG (MODRNA), the Health Relationship Trust WG (HEART), and the Risk and Incident Sharing and Coordination WG (RISC): http://openid.net/wg/

IETF

The following IETF Working Groups are active in this area:

The Web Authorization Protocol (OAUTH) WG developed a protocol suite that allows a user to grant a third-party Web site or application access to the user's protected resources, without necessarily revealing their long-term credentials, or even their identity. It also developed security schemes for presenting authorisation tokens to access a protected resource.

The ongoing standardisation effort within the OAUTH working group is focusing on enhancing interoperability of OAUTH deployments.

The Public Notary Transparency (TRANS) WG develops a standards-track specification of the Certificate Transparency protocol (RFC 6962), which allows the detection of mis-issued certificates, whether issued by CAs or via ad-hoc mapping, by maintaining cryptographically verifiable audit logs.

The Automated Certificate Management Environment (ACME) WG specifies conventions for automated X.509 certificate management, including validation of control over an identifier, certificate issuance, certificate renewal, and certificate revocation. The initial focus of the ACME WG is on domain name certificates (as used by web servers), but other uses of certificates can be considered as work progresses.

https://trac.ietf.org/trac/iab/wiki/Multi-Stake-Holder-Platform#eIdentity

W3C

The W3C Credentials Community Group discusses credential storage and exchange systems for the web. Some of their ideas are being discussed in the Web Payments Interest Group via the Verifiable Claims Task Force (as of January 2016).

The Verifiable Claims Working Group specifies ways to make expressing, exchanging, and verifying claims easier and more secure on the Web. It released the Verifiable Credentials Data Model 1.0 Proposed Recommendation on 05 September 2019. This specification provides a mechanism to express these sorts of credentials on the Web in a way that is cryptographically secure, privacy respecting, and machine-verifiable. The W3C Note of 24 September 2019 is a collection of use cases for the Verifiable Credentials Data Model 1.0 and helps to better understand that Specification.

IEEE

The IEEE has standards and pre-standards activities relevant to Electronic Identification and Trust Services, including dealing with blockchain technology and biometric identification. More information can be found at: https://ieeesa.io/rp-eidentification

Other activities related to standardisation

e-SENS

e-SENS (Electronic Simple European Networked Services) is a large-scale pilot launched within the ICT policy support programme (ICT PSP), under the competitiveness and innovation framework programme (CIP). The aim of the project is to develop an infrastructure for interoperable public services in Europe. It builds upon and consolidates building blocks such as eID, e-Documents, e-Delivery and e-Signature from previous pilot projects and integrates them into a European digital platform for cross-sector, interoperable eGovernment services.

http://www.esens.eu/home.html

STORK

STORK was an EU co-funded project to establish a European eID interoperability platform that allows citizens to establish new e-relations across borders, just by presenting their national eID.

The STORK 2.0 project was the continuation of STORK and has worked on extending the specification to roles and mandates.

In the context of the eIDAS Regulation and the implementing act on the interoperability framework for eID, technical specifications are being developed for the eIDAS nodes. These technical specifications will provide further details on the technical requirements set out in the Regulation. The eIDAS specifications were developed through Member State collaboration in a technical sub-committee of the eIDAS Expert Group. https://www.eid-stork2.eu/

SSEDIC

Scoping the single European digital identity community — SSEDIC http://www.eid-ssedic.eu

FIDIS

Future of identity in the information society — FIDIS http://www.fidis.net

PRIME

Privacy and identity management for Europe — PRIME https://www.prime-project.eu