Sightseeing the “eIDAS-Ecosystem”

The “Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC”, which is commonly known as the “eIDAS Regulation”, is expected to boost trust and efficiency for electronic transactions across Europe and beyond. In this post, we briefly recall what the eIDAS-Regulation is about, invite you to follow us and climb up to a “virtual viewpoint” from which the major parts and services of the “eIDAS-Ecosystem” and their interrelationship become visible, so that you can explore the currently available trust services using the interactive eIDAS-Map and see the overall potential and your individual benefits introduced by this regulation.

The “eIDAS-Ecosystem” at a glance

As shown in the figure, the “eIDAS-Ecosystem” is populated by “Users”, which use some kind of “eIDAS-based Transaction Services”. These Transaction Services in turn may use a variety of “eIDAS Services”, for which the trust is maintained by the “eIDAS Trust System”.

The “eIDAS Trust System”, which deserves a specific treatment in a forthcoming post because of its sophisticated structure, provides the trustworthy foundation for the entire “eIDAS-Ecosystem” by an appropriate combination of measures including accreditation, conformity assessment, supervision and incident handling.

While the realm of “eIDAS-based Transaction Services” is also sufficiently rich to be subject of additional posts, we will introduce and explain the set of “eIDAS Services” in the following, as these services provide the functional core of the “eIDAS-Ecosystem”.

The “eIDAS Services” comprise the “eID-Service” for electronic identification regulated by Chapter II and a variety of “Trust Services” according to Article 3 (16) and regulated by Chapter III of the eIDAS-Regulation. These services in particular comprise

  • the “Signature Generation & Sealing Service” (SigS),
  • the “Validation Service” (ValS),
  • the “Preservation Service” (PresS),
  • the “Electronic Delivery Service” (EDS) and the already widely implemented classical trust services, such as
  • the “Time Stamp Authority” (TSA) and last but not least
  • the “Certification Authority” (CA).

eID-Service

The “eID-Service” provides services for the secure electronic identification and authentication of Users and legal persons. The employed means and services for electronic identification and authentication comprise electronic identification schemes, which have been notified according to Article 9 as well as other schemes. As specified in Article 8 of the eIDAS-Regulation and the related implementing act CIR (EU) 2015/1502, the trustworthiness of an electronic identification scheme and the identification means deployed within, is reflected in its level of assurance. The specified assurance levels range from “low” over “substantial” to “high”. Notified eID schemes which provide at least a substantial level of assurance will be mutually recognized in cross-border transactions according to Article 6 of the eIDAS-Regulation.

Certification Authority (CA)

A Certification Authority (CA) generates electronic certificates and issues them to Users or other entities, commonly called the Subject of a certificate. This may happen directly, via the “eIDAS-based Transaction Service” or the “Signature & Seal Generation Service” (SigS). The SigS interacts with the CA-system, performs an appropriate identification of the Subject and validates the provided identity attributes, which are combined with a public key and are signed by the CA to create the certificate.

Time Stamping Authority (TSA)

Proving the existence of a given set of digital data at a given time is a fundamental requirement in many electronic transactions, which involve electronic signatures, aspects of digital rights management, electronic contracts or require accountability for example. For this purpose, a Time Stamping Authority (TSA) receives the data, which need to be time stamped, or a hash thereof, and returns a time stamp token, which is signed by the TSA.

Signature Generation & Sealing Service (SigS)

The Signature Generation & Sealing Service (SigS) allows to generate (qualified) electronic signatures according to Section 4 and (qualified) electronic seals according to Section 5 of the eIDAS-Regulation in technical formats such as CAdES, XAdES and PAdES for example.

Validation Service (ValS)

The (qualified) electronic signatures and seals generated with the SigS above can be validated with the Validation Service (ValS). The ValS uses the certificates contained in the Trusted Lists according to Article 22 of the eIDAS-Regulation, the corresponding implementing act CID (EU) 2015/1506 and ETSI TS 119 162(v2.1.1) as trust anchors and performs a signature validation according to EN 319 102-1 using an appropriate validation policy.

Preservation Service (PresS)

The long term retention of signed documents requires a form of safekeeping that ensures the legibility and conclusiveness regardless of the storage medium. In order to ensure the legal validity of electronic signatures and electronic seals over long periods of time one needs to apply appropriate preservation techniques as outlined in ETSI SR 019 510.

The preservation techniques realised by a Preservation Service (PresS) according to Article 34 may involve Evidence Records according to RFC 4998 or RFC 6283 or the continuous augmentation of signatures using archive time stamps according to CAdES or XAdES for example.

Electronic Delivery Service (EDS)

In a paper-based world, the only way to know that a letter indeed has reached the addressee is to send it by registered mail. This is a service offered by the mail service providers. The sender writes down his/her statements on a sheet and puts it into a closed envelope, which is marked with the coordinates of the addressee and sends it by mail. The accountability, confidentiality and integrity of the letter are primarily assured by the author, while the mail service providers primarily warrant availability and correct delivery.

According to Article 44 of the eIDAS-Regulation “qualified electronic registered delivery services shall meet the following requirements:

  • they are provided by one or more qualified trust service provider(s);
  • they ensure with a high level of confidence the identification of the sender;
  • they ensure the identification of the addressee before the delivery of the data;
  • the sending and receiving of data is secured by an advanced electronic signature or an advanced electronic seal of a qualified trust service provider in such a manner as to preclude the possibility of the data being changed undetectably;
  • any change of the data needed for the purpose of sending or receiving the data is clearly indicated to the sender and addressee of the data;
  • the date and time of sending, receiving and any change of data are indicated by a qualified electronic time stamp.”

Given these requirements it is obvious that the EDS needs to utilise a variety of other eIDAS Services such as the eID-Service, the SigS, the TSA, the ValS and the certificate status information provided by the CA.

Exploring the overall potential of eIDAS using the interactive eIDAS-Map

The EDS is a nice example that several basic “eIDAS Services” may be combined to form more comprehensive “eIDAS Services” or “eIDAS-based Transaction Services”, which address application-specific needs. A key aspect of the eIDAS-Regulation is that it harmonises the requirements for electronic identification and trust services across Europe and defines the EU-wide legal effect of notified electronic identification means (cf. Article 6), electronic signatures (cf. Article 25), electronic seals (cf. Article 35), time stamps (cf. Article 41), electronic delivery services (cf. Article 43) and last but not least electronic documents (cf. Article 46).

This means that providers and consumers of services may choose among the large number of qualified trust service providers, which are currently active in the European market as exposed by the interactive eIDAS-TSP-Map released today. This map provides an up-to-date overview of the currently existing trust service providers and trust services across Europe.

The individual benefits of the eIDAS-Regulation – What’s in for you?

What kind of benefits the eIDAS-Regulation provides for you depends on your specific role within the “eIDAS-Ecosystem”. The benefit for providers of “eIDAS Services” is that they now can provide and sell their services across Europe, which gives rise to interesting new market opportunities. The benefit for Users is that they may now use a variety of trust services, with well-defined trustworthiness and legal effect. The probably biggest potential benefit of the eIDAS-Regulation however exists for the emerging “eIDAS-based Transaction Services”, which will be subject of a forthcoming post.

Acknowledgement

We gratefully acknowledge that this post is based on contents developed in the FutureTrust project, which has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 700542.

Is your Identity Management ready for the General Data Protection Regulation?

“Data is the oil of the 21st century.” – is a common phrase when topics like Big Data or espionage are discussed. And indeed, the business model of many companies is now based on collecting and analysing user data or behaviour. Not only obvious actors like social networks and search engines, whose goal it is to create exact profiles of their individual users, but also large advertising networks are involved. Those networks use the aggregated profiles on top of their own to deliver – as accurately as possible – personalized advertising to the respective users.

It was thus all the more important to harmonize the general framework for data protection with the General Data Protection Regulation (GDPR) across Europe, in order to ensure an adequate level of data protection for all European citizens. The GDPR has been in force since 24 May 2016 and will be enforceable by the relevant supervisory authorities beginning 25 May 2018 (i.e. in about one year). On the basis of the GDPR, and with an eye on the ePrivacy regulation („Regulation on Privacy and Electronic Communication“), which is to be effective with the GDPR in May 2018, national data protection laws, such as the German “Bundesdatenschutzgesetz”, are revised with respect to the GDPR.

In particular, each data processor must be aware that Article 5 („Principles relating to processing of personal data“) contains explicit accountability, which forces the data controller to be able to prove compliance with the requirements of the GDPR, if necessary, to the supervisory authorities.

Such proof shall, for example, be provided for the conditions laid down in Article 6 (Lawfulness of processing). The central condition here is that the data subject has explicitly agreed to the processing of his or her data for one or more specific purposes. For companies that work with personal data, this means that at the moment of the very first interaction with a new user or customer, it must be ensured that consent to the processing of the data is requested in a manner that complies with the GDPR. Article 7 (Conditions for consent) specifies stricter requirements for consent than those common in current national data protection laws. As a result, companies will probably have to pay more attention than before to a vigorous documentation of the consent and the possibility to revoke a given consent; if the consent is ineffective, and thus the processing of the data of those affected turns out to be inadmissible, heavy fines might quickly be a consequence.

Article 83 (General conditions for imposing administrative fines) defines the amount of fines to be imposed which can reach painful heights quickly. Even with minor violations, if for example no appropriate security measures according to the technological state of the art are implemented, impending fines of up to EUR 10 million, or (for companies) up to 2% of the worldwide annual turnover are possible. In the case of infringements of the central principles of the regulation (in particular Articles 5, 6, 7 and 9) or of the rights of the data subject (Articles 12 to 22), the amount of the fine can be increased to up to EUR 20 million or in the case of companies to up to 4% of the worldwide annual turnover.

A central right for those affected is laid down in Article 17 („Right to be forgotten“). After a decision of the European Court of Justice, this right was a divisive point in discussions for some time, especially concerning search engines in particular and the internet as a whole. The GDPR guarantees this right in detail in its own article; whereas in the old EU Data Protection Directive, this law was merely part of an enumeration of several with several other rights. Service providers will now have to pay close attention to the requirements of the GDPR, as otherwise the above-mentioned sensitive fines of up to 4% of the worldwide annual turnover can be enforced.

Another challenge for service providers is the right of data subjects to data portability (Article 20). This article stipulates that service providers and data processors must be able to offer each data subject the opportunity to export the aggregated data in a machine-readable format within a reasonable period of time. This right only includes data that was provided by the data subject or generated by her direct actions. An obvious approach for the export of the affected data from the databases of the provider would be to use XML or JSON as machine readable data format.

Especially in historically grown application environments integrating different applications, databases and identities of a user in the context of Article 17 and 20 of the GDRP is a challenge that should not be addressed without support from appropriate experts in this field.

Article 25 is an important achievement of the new GDPR: the principle „Data protection by design and default“. Establishing this principle as one of the central points of the Regulation ensures on the one hand that the measures implemented to protect personal data are state of the art (defined additionally detailed in Article 32, but also on the other hand that the applied measures are proportionate to the level of assurance required to adequately protect the data. The protection need is solely determined by the risk posed to the data subject by processing relevant personal data. For the data processor, this means that he has to change the perspective when conducting a data protection specific risk analysis (compared the classical information security management (ISMS) approach). Therefore the mere reuse of the risk analysis that has already been done for an ISMS might not be sufficient in the context of the GDPR.

What „Data protection by design and default“ means in the area of identity management can be explained by the example of the innovative SkIDentity service: SkIDentity supports the management of digital identities through the introduction of a privacy friendly single sign-on for enterprises and authorities. By leveraging state-of-the-art technologies, users can create Cloud Identities (CloudIDs) from their identity tokens (such as national identity cards) or other identity sources. Through its CloudID, a user always retains full control of her identity data, as the CloudIDs are not stored centrally on a server, but in a decentral manner on a device of the user’s choice. A user can easily transfer a CloudID created on PC to other devices (for example a mobile phone) and thus also use it in a mobile environment. Due to the decentralized storage of the CloudIDs, the deletion and blocking of each CloudID is completely in the hands of the user and the risk of identity theft through successful attacks on a central infrastructure is significantly reduced.

Within SkIDentity, the principles of Privacy by Default and Privacy by Design have not only been taken into consideration, but have also been seen as essential design criteria and core themes of the service. Thus, Article 25, which is undoubtedly among the most important aspects of the new regulation, was already lived and implemented in SkIDentity even before the creation and publication of the GDPR.

This approach has not only been acknowledged with a number of international awards, but is also in particular reflected in the successful certification procedures based on the “Trusted Cloud Data Protection Profile” and ISO 27001 based on IT baseline protection (of the German Federal Office for Information Security, Bundesamt für Sicherheit in der Informationstechnik, BSI), which in turn complies with the requirements of Article 25 and 32, especially in the case of order data processing pursuant to Article 28.

State-of-the-art protection (Article 32) is a widely interpreted concept, in particular taking account of the existing international standards and regulation for example from the BSI. Through deep knowledge of the relevant international standards and the active creation and maintenance of various technical guidelines on behalf of the BSI, ecsec GmbH is your competent partner for questions about the current state of the art and efficient implementation of effective security solutions. For a secure login to Cloud and Web applications, the BSI published the recommendations „Security Recommendations for Cloud Computing Providers“ and „Cloud Computing Compliance Controls Catalogue (C5)”, which recommend the use of strong authentication mechanisms with at least two factors.

Galactic praise for the German electronic Identity Card (“Personalausweis”)

In order to discuss the draft of a „Law for the Promotion of Electronic Identification“ (BT-Drs. 18/11279) on Monday, April 24, 2017, an apparently widely perceived¹ hearing of the Committee for Internal affairs of the German parliament (“Bundestag”) took place. Everybody who was not able to be in Berlin on this memorable day, can see the recording of the expert hearing in the media library of the Bundestag. For those who do not wish to view the entire meeting, we have provided the most interesting section here:

Dr. Constanze Kurz, the spokeswoman of the Chaos Computer Club explains the following about the German electronic ID card:

„The basic concept of its technical nature is complex and certainly difficult to understand for the ordinary citizen who now gets this activated chip, but of course very well designed and a good solution.“

We always knew it! There is nothing more to say. It is an open question whether the eID function of the ID card still needs legal support after this most likely largest possible galactic² praise.

¹ As explained in the FAQ, the Chaos Computer Club „is a galactic community of creatures, regardless of age, gender and descent, as well as social status“.

² See e.g. ZEIT, Focus, NETZPOLITIK, Berliner Zeitung, Frankfurter Rundschau, Heise, Kommune21, eGovernment-Computing, Computer Base

Bavarian Innovation Award 2016 for SkIDentity as start of digitalization initiative “BayernID”

After numerous international awards last year and the successful completion of relevant certification procedures, ecsec GmbH was distinguished last night for „SkIDentity – Mobile eID as a Service“ with the renowned Bavarian Innovation Award 2016. The award, which was handed over by the Bavarian Minister of Economic Affairs, Ilse Aigner, together with the President of the Bavarian Chamber of Industry and Commerce, Dr. Eberhard Sasse, and the President of the Bavarian Chamber of Crafts, Georg Schlagbauer, marks the start of the „BayernID“ initiative – the digitization campaign of the Bavarian economy based on trustworthy identities.

Bavarian Innovation Award 2016 for “SkIDentity – Mobile eID as a Service”

Bavaria’s Minister of Economic Affairs, Ilse Aigner, together with the President of the Bavarian Chamber of Commerce and Industry, Dr. Eberhard Sasse, and the President of the Bavarian Chamber of Crafts Georg Schlagbauer, yesterday awarded the Bavarian Innovation Award 2016, in a solemn setting in the dignified hall of the German Museum in Munich. Among a total of 187 nominated companies, ecsec GmbH has been awarded for its „SkIDentity – Mobile eID as a Service“ offering. „I congratulate the company ecsec GmbH on the award of the Bavarian Innovation Award 2016. By transforming electronic identity documents eID into secure and mobile ‘Cloud Identities’, which can easily be used in any cloud and web application for privacy friendly authentication, ecsec has made an important contribution to a secure and user-friendly networked world. It is also an essential prerequisite for a successful digitalization of the economy and society”, commented Ilse Aigner, Bavaria’s Minister of Economic Affairs.

Secure electronic identities for successful digitalization of the economy

The „Cyber Security Strategy for Germany 2016„, recently presented by the Federal Minister of the Interior, foresees the provision and use of secure electronic identities as an important basis for the sustained successful digitalization of the economy: „The electronic identification documents with online identification function are a key element with which the Federal German Government already provides a highly secure and privacy friendly identification option for the internet. The goal is to establish the online identity function, and the secure identities derived from it, as a standard identification tool for sensitive services, and to promote comparable secure solutions in the economy as well.“

The distinguished SkIDentity Service supports, among other identification means the German electronic identity card (Personalausweis), the Austrian social security card (e-card), the Estonian identity card and e-Residency ID, as well as various signature and banking cards for the secure implementation of electronic business processes. The certificate for the SkIDentity Service according to the „Trusted Cloud Data Protection Profile for Cloud Services“ (TCDP) with the highest protection class III issued by the certification body of TÜV Informationstechnik GmbH (TÜViT) and the certification of the „Secure Cloud Infrastructure (SkIDentity)” according to ISO 27001 based on IT-Baseline Protection by the Federal Office for Information Security (BSI-IGZ-250), proof that even the highest standards with respect to privacy and data security are fulfilled within the SkIDentity Service.

„BayernID“ – the integrated digitalization initiative for the Bavarian economy

Theelectronic ID card has been successfully used in Bavaria for the digitization of administrative processes for quite some time now. Since 1st of July 2016, the eIDAS-regulation on electronic identification and trust services for electronic transactions in the European Single Market has been fully applicable. In addition, the Free State of Bavaria promotes the secure digitalization of business processes in small and medium-sized Bavarian companies with the „Digitalbonus.Bayern“ program.

Against this background, leading Bavarian technology providers, consulting companies and digitalization experts from selected chambers of industry and commerce have joined forces in order to create the „BayernID“ package (http://BayernID.de), which is an integrated service package for the intelligent digitalization of business processes in Bavarian companies. This package includes expert and non-committal advice on general digitalization measures and aspects of IT security, demonstrates the opportunities inherent in the eIDAS regulation and provides trusted identities, as well as other cloud and trust services, at preferential terms. In addition to ecsec GmbH, which has been awarded with the „Bavarian Innovation Award 2016“, the „BayernID“ initiative is supported by the internationally leading technology group Giesecke & Devrient GmbH, the Fraunhofer Institute for Industrial Engineering (IAO), SiXFORM GmbH, Urospace GmbH, the buergerservice.org association, which is especially active in Bavaria to promote the use of the German eID card, the IT-Cluster association for Upper Franconia, the Institute of Information Systems at Hof University, the Munich-based provider of the iDGARD-Service Uniscon GmbH as well as the chambers for industry and commerce for Würzburg-Schweinfurt and Bayreuth. Furthermore the initiative is open for further partners who want to contribute to the digitalization of the Bavarian economy.

The „Video Ident Service“ from Giesecke & Devrient, which can be used to open a bank account, activate a prepaid SIM card, or identify an insured person in the health care system without a card reader, is a component of „BayernID“. In the same way, the check of the driving license, which is necessary for car-sharing systems, can now be carried out online. „We are pleased to be able to contribute to the successful digitalization of the Bavarian economy with our user-friendly security technologies within the ‘BayernID’ initiative,“ commented Frank Nordmann, responsible for Public Sector at Giesecke & Devrient. „The verification of the identity and the associated document is optionally carried out in the browser or even mobile in a smartphone app, whereby an electronic check of the various security features integrated into the identification document and a matching of the user information always takes place.“

The Munich-based non-profit association buergerservice.org e.V. supports the „BayernID“ initiative with the SID-Box (Secure Identity-Box) developed by the association. With the aid of the SID-Box, a citizen terminal (digital service point) can be produced with the least effort, for the direct use of the online ID function of the German eID. Companies, institutions and authorities are thus in a position to provide access to the German eID card to all persons in their environment (employees, customers, members, etc.) in a very simple way. The first digital service points are currently being set up in co-operation between municipalities, chambers of industry and commerce and the buergerservice.org association in the city of Ansbach and in the district of Würzburg.

SkIDentity certified by BSI according to ISO 27001 and by TÜViT according to Trusted Cloud Privacy Profile

ecsec GmbH today has received the certificate according to the „Trusted Cloud Privacy Profile for Cloud Services“ (TCDP), issued by the certification body of TÜV Informationstechnik GmbH (TÜViT), for the highest protection class III. Furthermore the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has certified the „Secure Cloud Infrastructure (SkIDentity)“ in accordance with ISO 27001 based on IT Baseline Protection (BSI-IGZ-250).

Privacy and data security as foundation for successful digital transformation

At today’s closing ceremony of the pilot project „Data Protection Certification for Cloud Services“ not only the remarkable project results including the catalogue of evaluation criteria based on ISO/IEC 27002 and ISO/IEC 27018 were presented, but also the certificate for SkIDentity according to the „Trusted Cloud Privacy Profile for Cloud Services” issued by the certification body of TÜV Informationstechnik GmbH (TÜViT) has awarded to ecsec GmbH. As it has been demonstrated within the evaluation and certification procedure, the SkIDentity Service fulfils the demanding requirements for the highest protection class III and hence it may be used for processing particularly sensitive data in a legally compliant manner.

SkIDentity technology is now not only distinguished, but also certified

The multiple award-winning¹ SkIDentity Service (https://skidentity.com) was developed in the scope of the “Trusted Cloud” initiative supported by the German government. Using SkIDentity, electronic identity documents (eID), such as the German electronic identity card “Personalausweis”, can be easily used in cloud and web applications. SkIDentity in particular allows to derive cryptographically protected „Cloud Identities“ from any eID document, which can be transmitted to any smartphone and used there for the strong pseudonymous authentication or a self-determined identity proofing in the cloud. Thanks to SkIDentity, no passwords need to be stored in web applications and therefore there is no risk that they could be stolen or misused.

As shown in the certificate (BSI-IGZ-250) issued by the Federal Office for Information Security, the scope of the security assessment and certification according to ISO 27001 based on IT Baseline Protection did not only comprise the identity management service of SkIDentity, but the full blown „Secure Cloud Infrastructure (SkIDentity)“, which can be used for highly reliable operation of other cloud and web applications. „The processing of sensitive data in cloud services requires high security standards. A transparent proof of the correct implementation of an appropriate security concept can only be provided within an independent certification procedure,“ adds Bernd Kowalski, Head of Department in the Federal Office for Information Security. “Within the certification of SkIDentity it was shown that even the demanding requirements associated with the use of the German electronic identity card in cloud services, can be proved to be satisfied via an ISO 27001 certification based on IT Baseline Protection.“

¹ See https://www.skidentity.com/en/awards/ .

SkIDentity uses certified Open eCard App

[Michelau, January 12th 2016] SkIDentity uses the new version of the Open eCard App, which has recently be certified by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) according to its technical guideline BSI TR-03124 (eID-Client). The certificate, which has been awarded the very first time to an Open Source component and without any failures in the conformity report, is valid until December 8th 2020 and enables the trustworthy use of electronic identity (eID) cards and other smart cards in SkIDentity with Linux, Mac OS and Windows.

Platform-independent and lightweight eID-Client for SkIDentity

Thanks to the constructive cooperation of industrial and academic experts within the Open eCard project, a lightweight and platform-independent Open Source implementation of the “eCard-API-Framework” according to BSI TR-03112 was created, which supports various smart cards for electronic identity, health, signatures and banking from Germany, Austria, Estonia and Belgium for example. Based on this framework a user-friendly eID-Client according to BSI TR-03124 – also known as the “Open eCard App” – was created, which now has been certified by the BSI. Because of the modular architecture based on the international standard ISO/IEC 24727, the Open eCard App can easily be extended and smoothly integrated into modern web applications such as SkIDentity.

With continuous improvement and strict Quality Management to the BSI TR-03124 certificate without conformity failures

To ensure the conformity to the relevant technical specifications of the BSI and a high level of quality, the Bavarian State Ministry of Finance started the certification process according to BSI TR-03124 for the Open eCard App in 2014. Thanks to continuous improvement and a strict Quality Management system based on international standards such as ISO/IEC 9001 and ISO/IEC 90003 and utilizing the Open Source eID-Client-Testbed of the BSI, the current version 1.2 of the Open eCard App now has been formally certified by the BSI. Note, that it is the first time ever that an Open Source eID-Client received a certificate according to
BSI TR-03124. „We are particularly proud of the fact, that the test report shows that there are no conformity failures, „Open eCard Project Maintainer“ Tobias Wich complements. „On the one hand this underlines the high quality of the Open eCard software and on the other hand it creates further trust and confidence for the German eID card and similar smart cards.“

„As shown by the example of ‚SkIDentity‘, the secure, extensible and user-friendly Open eCard App has already several times formed the basis of distinguished and awarded systems solutions“, replenished Dr. Detlef Hühnlein, CEO of ecsec GmbH and head of the SkIDentity project. „We are delighted, that a first result of our work now is not only awarded, but also certified.“