Sightseeing the “eIDAS-Ecosystem”

The “Regulation (EU) No. 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC”, commonly known as the “eIDAS Regulation”, is expected to boost trust and efficiency for electronic transactions across Europe and beyond. In this post we briefly recall what the eIDAS-Regulation is about, invite you to climb with us to a “virtual viewpoint” from which the major parts and services of the “eIDAS-Ecosystem” and their interrelationships become visible, explore the currently available trust services using the interactive eIDAS-Map, and look at the overall potential of the regulation and the individual benefits it brings to you.

The “eIDAS-Ecosystem” at a glance

As shown in the figure, the “eIDAS-Ecosystem” is populated by “Users”, who use some kind of “eIDAS-based Transaction Service”. These Transaction Services in turn may use a variety of “eIDAS Services”, for which trust is maintained by the “eIDAS Trust System”.

The “eIDAS Trust System”, which deserves a specific treatment in a forthcoming post because of its sophisticated structure, provides the trustworthy foundation for the entire “eIDAS-Ecosystem” by an appropriate combination of measures including accreditation, conformity assessment, supervision and incident handling.

While the realm of “eIDAS-based Transaction Services” is also sufficiently rich to be subject of additional posts, we will introduce and explain the set of “eIDAS Services” in the following, as these services provide the functional core of the “eIDAS-Ecosystem”.

The “eIDAS Services” comprise the “eID-Service” for electronic identification, regulated by Chapter II, and a variety of “Trust Services” as defined in Article 3 (16) and regulated by Chapter III of the eIDAS-Regulation. These services in particular comprise

  • the “Signature Generation & Sealing Service” (SigS),
  • the “Validation Service” (ValS),
  • the “Preservation Service” (PresS),
  • the “Electronic Delivery Service” (EDS) and
  • the already widely implemented classical trust services, namely the “Time Stamp Authority” (TSA) and, last but not least, the “Certification Authority” (CA).

eID-Service

The “eID-Service” provides services for the secure electronic identification and authentication of Users and legal persons. The employed means and services for electronic identification and authentication comprise electronic identification schemes which have been notified according to Article 9, as well as other schemes. As specified in Article 8 of the eIDAS-Regulation and the related implementing act CIR (EU) 2015/1502, the trustworthiness of an electronic identification scheme and of the identification means deployed within it is expressed by its level of assurance. The specified assurance levels range from “low” over “substantial” to “high”. Notified eID schemes which provide at least a substantial level of assurance are mutually recognised in cross-border transactions according to Article 6 of the eIDAS-Regulation.

Certification Authority (CA)

A Certification Authority (CA) generates electronic certificates and issues them to Users or other entities, commonly called the Subject of a certificate. This may happen directly, via an “eIDAS-based Transaction Service” or via the “Signature Generation & Sealing Service” (SigS). In the latter case the SigS interacts with the CA system, performs an appropriate identification of the Subject and validates the provided identity attributes; the CA binds these attributes to a public key and signs the result to create the certificate.

Time Stamping Authority (TSA)

Proving the existence of a given set of digital data at a given point in time is a fundamental requirement in many electronic transactions, for example those involving electronic signatures, digital rights management or electronic contracts, or those requiring accountability. For this purpose a Time Stamping Authority (TSA) receives the data to be time stamped, or rather a hash thereof, and returns a time stamp token signed by the TSA. Because only the hash is submitted, the data itself never leaves the requester, and the token binds that hash to the time asserted by the TSA.
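The request side of that exchange is small enough to show in full. The following is an added example (it is not code from the original post or from the FutureTrust project): it builds an RFC 3161 TimeStampReq by hand, using only the Python standard library, so that what actually travels to the TSA (a hash, an optional nonce and the `certReq` flag, never the document) becomes visible. The sample input string is constructed, and no request is sent anywhere.

```python
"""Build an RFC 3161 TimeStampReq, the message a client sends to a TSA.

Added example, not code from the original post. It hand-encodes the few DER
structures the request needs and uses only the standard library.
"""
import hashlib
import secrets
from typing import Optional

SHA256_OID = "2.16.840.1.101.3.4.2.1"   # id-sha256


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    """Tag, length, value."""
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """DER INTEGER (two's complement): a positive value whose top bit is set
    needs a leading zero octet so it is not read back as a negative number."""
    if value < 0:
        raise ValueError("only non-negative integers are needed here")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def der_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed into one octet, the rest
    base-128 with the continuation bit set on all but the last octet."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def build_timestamp_request(data: bytes, nonce: Optional[int] = None,
                            cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version INTEGER(1), messageImprint
    MessageImprint, nonce INTEGER OPTIONAL, certReq BOOLEAN DEFAULT FALSE }

    Only the SHA-256 digest of `data` is placed in the request; the TSA
    never sees the document itself."""
    digest = hashlib.sha256(data).digest()
    # AlgorithmIdentifier for SHA-256; RFC 5754 prefers absent parameters
    # over an explicit NULL for the SHA-2 family.
    algorithm = der_tlv(0x30, der_oid(SHA256_OID))
    message_imprint = der_tlv(0x30, algorithm + der_tlv(0x04, digest))
    fields = der_integer(1) + message_imprint
    if nonce is not None:
        fields += der_integer(nonce)
    if cert_req:
        # certReq TRUE asks the TSA to embed its signing certificate in the
        # token. A DEFAULT value (FALSE) must be omitted in DER, so there is
        # no else branch.
        fields += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, fields)


def fresh_nonce() -> int:
    """Random 64-bit nonce. The TSA must echo it in TSTInfo.nonce, which is
    what lets the client reject a replayed token for the same hash."""
    return secrets.randbits(64)


if __name__ == "__main__":
    # Constructed sample input; in practice `data` is the document to stamp.
    req = build_timestamp_request(b"constructed sample contract text", fresh_nonce())
    with open("request.tsq", "wb") as f:
        f.write(req)
    print(req.hex())
```

The resulting file can be inspected with `openssl ts -query -in request.tsq -text`. When the TimeStampResp comes back, the checks that matter are that the token's `TSTInfo.messageImprint` equals the one sent, that the nonce is echoed, and that the token's signature chains to a TSA certificate that is actually trusted (for qualified time stamps, one listed in the relevant Trusted List).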

Signature Generation & Sealing Service (SigS)

The Signature Generation & Sealing Service (SigS) generates (qualified) electronic signatures according to Section 4 and (qualified) electronic seals according to Section 5 of the eIDAS-Regulation, in technical formats such as CAdES, XAdES and PAdES (ETSI EN 319 122, 319 132 and 319 142 respectively).

Validation Service (ValS)

The (qualified) electronic signatures and seals generated with the SigS above can be validated with the Validation Service (ValS). The ValS uses the certificates contained in the Trusted Lists according to Article 22 of the eIDAS-Regulation, the corresponding implementing act CID (EU) 2015/1505 and ETSI TS 119 612 (v2.1.1) as trust anchors and performs a signature validation according to EN 319 102-1 using an appropriate validation policy. Note that the status of a service in a Trusted List is time-dependent: the list carries a service history, and what matters for a given signature is the status the issuing service had at the time the signature was created.
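To make that last point concrete, here is an added example (not code from the original post or from the FutureTrust project) of the trust-anchor lookup a validator performs against a Trusted List in the ETSI TS 119 612 XML layout. `SAMPLE_TL` is a constructed, heavily reduced fragment: the provider, the service names, the key identifiers and the dates are invented, and the services are identified by `X509SKI` only, whereas a real list carries the full `X509Certificate`. The lookup keys on the subject key identifier of the issuing CA, which is what the end-entity certificate's AuthorityKeyIdentifier points to.

```python
"""Trust-anchor lookup in an eIDAS Trusted List (ETSI TS 119 612 layout).

Added example, not code from the original post. SAMPLE_TL is a constructed
fragment with invented names, key identifiers and dates.
"""
import base64
import xml.etree.ElementTree as ET
from datetime import datetime
from typing import Iterator, Optional

NS = "{http://uri.etsi.org/02231/v2#}"
CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"        # CA issuing qualified certificates
QTST = "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST"     # qualified time stamping service
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"

SAMPLE_TL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
<TrustServiceProviderList><TrustServiceProvider>
 <TSPInformation><TSPName><Name xml:lang="en">Example Trust GmbH</Name></TSPName></TSPInformation>
 <TSPServices>
  <TSPService>
   <ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified CA 1</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509SKI>AAECAwQFBgcICQ==</X509SKI></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</ServiceStatus>
    <StatusStartingTime>2018-03-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation>
   <ServiceHistory><ServiceHistoryInstance>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified CA 1</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509SKI>AAECAwQFBgcICQ==</X509SKI></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
    <StatusStartingTime>2016-07-01T00:00:00Z</StatusStartingTime>
   </ServiceHistoryInstance></ServiceHistory>
  </TSPService>
  <TSPService>
   <ServiceInformation>
    <ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified TSA</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId><X509SKI>CgsMDQ4PEBESEw==</X509SKI></DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</ServiceStatus>
    <StatusStartingTime>2016-07-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation>
  </TSPService>
 </TSPServices>
</TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""


def text_of(el: ET.Element, path: str) -> Optional[str]:
    node = el.find(path)
    return node.text.strip() if node is not None and node.text else None


def parse_time(s: str) -> datetime:
    """Trusted Lists use UTC 'Z' timestamps; make them timezone-aware."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def service_entries(tl_xml: str) -> Iterator[dict]:
    """Flatten every TSPService into status entries: the current
    ServiceInformation plus each ServiceHistoryInstance, so the status in
    force at any past point in time can be reconstructed."""
    root = ET.fromstring(tl_xml)
    for tsp in root.iter(NS + "TrustServiceProvider"):
        tsp_name = text_of(tsp, f"{NS}TSPInformation/{NS}TSPName/{NS}Name")
        for svc in tsp.iter(NS + "TSPService"):
            blocks = [svc.find(NS + "ServiceInformation")]
            blocks += svc.findall(f"{NS}ServiceHistory/{NS}ServiceHistoryInstance")
            for b in blocks:
                yield {
                    "tsp": tsp_name,
                    "service": text_of(b, f"{NS}ServiceName/{NS}Name"),
                    "type": text_of(b, f"{NS}ServiceTypeIdentifier"),
                    "ski": text_of(b, f"{NS}ServiceDigitalIdentity/{NS}DigitalId/{NS}X509SKI"),
                    "status": text_of(b, f"{NS}ServiceStatus"),
                    "since": parse_time(text_of(b, f"{NS}StatusStartingTime")),
                }


def find_trust_anchor(tl_xml: str, issuer_ski: bytes, signing_time: datetime,
                      service_type: str = CA_QC) -> Optional[dict]:
    """Return the entry that anchors a certificate issued by the service whose
    subject key identifier is `issuer_ski`, for a signature created at
    `signing_time`, or None if no granted service of the wanted type was in
    force then. A service withdrawn later still anchors signatures created
    while it was granted; one granted later does not anchor earlier ones."""
    wanted = base64.b64encode(issuer_ski).decode()
    history = [e for e in service_entries(tl_xml)
               if e["ski"] == wanted and e["type"] == service_type
               and e["since"] <= signing_time]
    if not history:
        return None
    in_force = max(history, key=lambda e: e["since"])   # latest status change before signing
    return in_force if in_force["status"] == GRANTED else None


if __name__ == "__main__":
    ca_ski = bytes(range(10))   # constructed: decodes to AAECAwQFBgcICQ==
    print(find_trust_anchor(SAMPLE_TL, ca_ski, parse_time("2017-05-01T12:00:00Z")))
    print(find_trust_anchor(SAMPLE_TL, ca_ski, parse_time("2019-01-01T00:00:00Z")))
```

A production validator additionally verifies the signature on the Trusted List itself (and on the EU List of Trusted Lists that points to it), matches the full CA certificate rather than only its key identifier, and treats the chosen validation policy's requirements on the service type (a QTST entry does not anchor a qualified certificate, and vice versa) exactly as the type filter above does.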

Preservation Service (PresS)

The long-term retention of signed documents requires a form of safekeeping that ensures legibility and evidential value regardless of the storage medium. In order to maintain the legal validity of electronic signatures and electronic seals over long periods of time, during which the algorithms and key sizes used for them may weaken, one needs to apply appropriate preservation techniques as outlined in ETSI SR 019 510.

The preservation techniques realised by a Preservation Service (PresS) according to Article 34 may involve Evidence Records according to RFC 4998 or RFC 6283, or the continuous augmentation of signatures with archive time stamps according to CAdES or XAdES, for example. In both cases the essential step is the same: before a hash algorithm or a time stamp becomes untrustworthy, a fresh time stamp with a stronger algorithm is applied over the data together with the evidence collected so far.
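The following is an added example (not code from the original post or from the FutureTrust project) of the two mechanisms an Evidence Record relies on, modelled after RFC 4998 in simplified form: a hash tree over a batch of documents whose root is time stamped once, with a reduced hash tree kept per document, and a hash-tree renewal that moves the evidence from SHA-1 to SHA-256 while keeping the old chain covered. The TSA's signature over the root is not modelled; `ArchiveTimestamp` stores the root hash and the time, which is what each reduced hash tree has to lead back to. The byte encoding in `encode` stands in for DER and the sample documents are constructed.

```python
"""Evidence-record style preservation after RFC 4998 (simplified).

Added example, not code from the original post. Hash trees use the RFC 4998
rule of concatenating a group's hashes in ascending binary order with
duplicates removed; the TSA signature over the root is not modelled.
"""
import hashlib
from dataclasses import dataclass
from typing import List


def H(alg: str, *parts: bytes) -> bytes:
    h = hashlib.new(alg)
    for p in parts:
        h.update(p)
    return h.digest()


def node_hash(alg: str, members: List[bytes]) -> bytes:
    """Hash of a group: members sorted in binary order, duplicates removed,
    so the tree is canonical regardless of submission order (RFC 4998 4.2)."""
    return H(alg, *sorted(set(members)))


@dataclass
class ArchiveTimestamp:
    alg: str               # hash algorithm of this chain
    root: bytes            # value that was submitted to the TSA
    time: str              # constructed value; a real token carries genTime
    reduced_tree: list     # sibling hashes per level, leaf level first


def build_evidence(alg: str, leaf_hashes: List[bytes], time: str) -> List[ArchiveTimestamp]:
    """Binary hash tree over one batch; returns an ArchiveTimestamp per leaf
    carrying only that leaf's reduced hash tree, so records can be handed
    out per document without revealing the other documents' hashes."""
    if not leaf_hashes:
        raise ValueError("empty batch")
    level = list(leaf_hashes)
    reduced = [[] for _ in level]
    owners = [[i] for i in range(len(level))]     # leaves below each node
    while len(level) > 1:
        next_level, next_owners = [], []
        for j in range(0, len(level), 2):
            group = level[j:j + 2]
            below = sum(owners[j:j + 2], [])
            for leaf in below:
                mine = level[j] if leaf in owners[j] else level[j + 1]
                reduced[leaf].append([g for g in group if g != mine])
            next_level.append(node_hash(alg, group))
            next_owners.append(below)
        level, owners = next_level, next_owners
    return [ArchiveTimestamp(alg, level[0], time, r) for r in reduced]


def verify(ats: ArchiveTimestamp, leaf_hash: bytes) -> bool:
    """Walk the reduced hash tree from the leaf up and compare with the root."""
    current = leaf_hash
    for siblings in ats.reduced_tree:
        current = node_hash(ats.alg, [current, *siblings])
    return current == ats.root


def encode(ats: ArchiveTimestamp) -> bytes:
    """Deterministic encoding of a previous chain (stands in for DER)."""
    groups = b"".join(len(g).to_bytes(1, "big") + b"".join(g) for g in ats.reduced_tree)
    return ats.alg.encode() + b"\0" + ats.root + ats.time.encode() + b"\0" + groups


def renew_leaf(new_alg: str, document: bytes, previous: ArchiveTimestamp) -> bytes:
    """Leaf for a hash-tree renewal (RFC 4998 5.3, simplified): the document
    and the previous evidence are both rehashed with the new algorithm and
    combined, so the new chain covers the old one before it weakens."""
    return node_hash(new_alg, [H(new_alg, document), H(new_alg, encode(previous))])


def verify_record(document: bytes, chain: List[ArchiveTimestamp]) -> bool:
    """An evidence record is a list of chains: the first covers the document
    hash, each later one covers the renewal leaf built from its predecessor."""
    if not chain:
        return False
    if not verify(chain[0], H(chain[0].alg, document)):
        return False
    return all(verify(nxt, renew_leaf(nxt.alg, document, prev))
               for prev, nxt in zip(chain, chain[1:]))


if __name__ == "__main__":
    docs = [b"contract A", b"contract B", b"contract C"]       # constructed
    old = build_evidence("sha1", [H("sha1", d) for d in docs], "2017-05-01T10:00:00Z")
    new = build_evidence("sha256", [renew_leaf("sha256", d, o) for d, o in zip(docs, old)],
                         "2021-01-01T00:00:00Z")
    print([verify_record(d, [o, n]) for d, o, n in zip(docs, old, new)])
```

The renewal is the part worth noting for operations: it must happen while the old algorithm is still considered secure, because the new chain only certifies that the old evidence existed unchanged at the renewal time. Renewing SHA-1 evidence after SHA-1 collisions are practical proves nothing.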

Electronic Delivery Service (EDS)

In a paper-based world, the only way to know that a letter has indeed reached the addressee is to send it by registered mail, a service offered by the postal providers. The sender writes down his or her statements on a sheet, puts it into a closed envelope marked with the address of the recipient and hands it to the postal service. The accountability, confidentiality and integrity of the letter are primarily assured by the author, while the postal provider primarily warrants availability and correct delivery.

According to Article 44 (1) of the eIDAS-Regulation, “qualified electronic registered delivery services shall meet the following requirements:

  • they are provided by one or more qualified trust service provider(s);
  • they ensure with a high level of confidence the identification of the sender;
  • they ensure the identification of the addressee before the delivery of the data;
  • the sending and receiving of data is secured by an advanced electronic signature or an advanced electronic seal of a qualified trust service provider in such a manner as to preclude the possibility of the data being changed undetectably;
  • any change of the data needed for the purpose of sending or receiving the data is clearly indicated to the sender and addressee of the data;
  • the date and time of sending, receiving and any change of data are indicated by a qualified electronic time stamp.”

Given these requirements, an EDS necessarily draws on a variety of other eIDAS Services: the eID-Service for identifying sender and addressee, the SigS and the TSA for securing and time stamping the exchanged data, the ValS for checking the resulting signatures and seals, and the certificate status information provided by the CA.

Exploring the overall potential of eIDAS using the interactive eIDAS-Map

The EDS illustrates how several basic “eIDAS Services” can be combined to form more comprehensive “eIDAS Services” or “eIDAS-based Transaction Services” that address application-specific needs. A key aspect of the eIDAS-Regulation is that it harmonises the requirements for electronic identification and trust services across Europe and defines the EU-wide legal effect of notified electronic identification means (cf. Article 6), electronic signatures (cf. Article 25), electronic seals (cf. Article 35), time stamps (cf. Article 41), electronic delivery services (cf. Article 43) and, last but not least, electronic documents (cf. Article 46).

This means that providers and consumers of services may choose among the large number of qualified trust service providers currently active in the European market, as shown by the interactive eIDAS-TSP-Map released today. The map provides an up-to-date overview of the existing trust service providers and trust services across Europe.

The individual benefits of the eIDAS-Regulation – What’s in it for you?

What benefits the eIDAS-Regulation brings you depends on your specific role within the “eIDAS-Ecosystem”. The benefit for providers of “eIDAS Services” is that they can now offer and sell their services across Europe, which opens up interesting new market opportunities. The benefit for Users is that they may now use a variety of trust services with well-defined trustworthiness and legal effect. Probably the biggest potential benefit of the eIDAS-Regulation, however, lies with the emerging “eIDAS-based Transaction Services”, which will be the subject of a forthcoming post.

Acknowledgement

We gratefully acknowledge that this post is based on contents developed in the FutureTrust project, which has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No. 700542.

Bavarian Innovation Award 2016 for SkIDentity as start of digitalization initiative “BayernID”

After numerous international awards last year and the successful completion of the relevant certification procedures, ecsec GmbH received the renowned Bavarian Innovation Award 2016 last night for “SkIDentity – Mobile eID as a Service”. The award, handed over by the Bavarian Minister of Economic Affairs, Ilse Aigner, together with the President of the Bavarian Chamber of Industry and Commerce, Dr. Eberhard Sasse, and the President of the Bavarian Chamber of Crafts, Georg Schlagbauer, marks the start of the “BayernID” initiative, the digitalisation campaign of the Bavarian economy based on trustworthy identities.

Bavarian Innovation Award 2016 for “SkIDentity – Mobile eID as a Service”

Bavaria’s Minister of Economic Affairs, Ilse Aigner, together with the President of the Bavarian Chamber of Commerce and Industry, Dr. Eberhard Sasse, and the President of the Bavarian Chamber of Crafts, Georg Schlagbauer, yesterday presented the Bavarian Innovation Award 2016 in a ceremony in the hall of the Deutsches Museum in Munich. Among a total of 187 nominated companies, ecsec GmbH was honoured for its “SkIDentity – Mobile eID as a Service” offering. “I congratulate the company ecsec GmbH on the award of the Bavarian Innovation Award 2016. By transforming electronic identity documents (eID) into secure and mobile ‘Cloud Identities’, which can easily be used in any cloud and web application for privacy-friendly authentication, ecsec has made an important contribution to a secure and user-friendly networked world. It is also an essential prerequisite for a successful digitalisation of the economy and society”, commented Ilse Aigner, Bavaria’s Minister of Economic Affairs.

Secure electronic identities for successful digitalization of the economy

The “Cyber Security Strategy for Germany 2016“, recently presented by the Federal Minister of the Interior, foresees the provision and use of secure electronic identities as an important basis for the sustained successful digitalization of the economy: “The electronic identification documents with online identification function are a key element with which the Federal German Government already provides a highly secure and privacy friendly identification option for the internet. The goal is to establish the online identity function, and the secure identities derived from it, as a standard identification tool for sensitive services, and to promote comparable secure solutions in the economy as well.”

The award-winning SkIDentity Service supports, among other identification means, the German electronic identity card (Personalausweis), the Austrian social security card (e-card), the Estonian identity card and e-Residency ID, as well as various signature and banking cards, for the secure implementation of electronic business processes. The certificate for the SkIDentity Service according to the “Trusted Cloud Data Protection Profile for Cloud Services” (TCDP) for the highest protection class III, issued by the certification body of TÜV Informationstechnik GmbH (TÜViT), and the certification of the “Secure Cloud Infrastructure (SkIDentity)” according to ISO 27001 based on IT-Baseline Protection by the Federal Office for Information Security (BSI-IGZ-250) prove that even the highest standards with respect to privacy and data security are fulfilled by the SkIDentity Service.

„BayernID“ – the integrated digitalization initiative for the Bavarian economy

The electronic ID card has been successfully used in Bavaria for the digitalisation of administrative processes for quite some time now. Since 1 July 2016, the eIDAS-Regulation on electronic identification and trust services for electronic transactions in the European Single Market has been fully applicable. In addition, the Free State of Bavaria promotes the secure digitalisation of business processes in small and medium-sized Bavarian companies with the “Digitalbonus.Bayern” programme.

Against this background, leading Bavarian technology providers, consulting companies and digitalisation experts from selected chambers of industry and commerce have joined forces to create the “BayernID” package (http://BayernID.de), an integrated service package for the intelligent digitalisation of business processes in Bavarian companies. The package includes non-binding expert advice on general digitalisation measures and aspects of IT security, demonstrates the opportunities inherent in the eIDAS-Regulation and provides trusted identities, as well as other cloud and trust services, at preferential terms. In addition to ecsec GmbH, winner of the “Bavarian Innovation Award 2016”, the “BayernID” initiative is supported by the internationally leading technology group Giesecke & Devrient GmbH, the Fraunhofer Institute for Industrial Engineering (IAO), SiXFORM GmbH, Urospace GmbH, the buergerservice.org association, which is especially active in Bavaria in promoting the use of the German eID card, the IT-Cluster association for Upper Franconia, the Institute of Information Systems at Hof University, the Munich-based provider of the iDGARD service Uniscon GmbH, as well as the chambers of industry and commerce for Würzburg-Schweinfurt and Bayreuth. The initiative is open to further partners who want to contribute to the digitalisation of the Bavarian economy.

The “Video Ident Service” from Giesecke & Devrient, which can be used to open a bank account, activate a prepaid SIM card or identify an insured person in the health care system without a card reader, is a component of “BayernID”. In the same way, the check of a driving licence required by car-sharing systems can now be carried out online. “We are pleased to be able to contribute to the successful digitalisation of the Bavarian economy with our user-friendly security technologies within the ‘BayernID’ initiative,” commented Frank Nordmann, responsible for Public Sector at Giesecke & Devrient. “The verification of the identity and the associated document is optionally carried out in the browser or even mobile in a smartphone app, whereby an electronic check of the various security features integrated into the identification document and a matching of the user information always takes place.”

The Munich-based non-profit association buergerservice.org e.V. supports the “BayernID” initiative with the SID-Box (Secure Identity-Box) developed by the association. With the SID-Box, a citizen terminal (digital service point) for the direct use of the online ID function of the German eID can be set up with minimal effort. Companies, institutions and authorities are thus able to give all persons in their environment (employees, customers, members, etc.) access to the German eID card in a very simple way. The first digital service points are currently being set up in cooperation between municipalities, chambers of industry and commerce and the buergerservice.org association in the city of Ansbach and in the district of Würzburg.

SkIDentity certified by BSI according to ISO 27001 and by TÜViT according to Trusted Cloud Privacy Profile

ecsec GmbH has today received the certificate according to the “Trusted Cloud Privacy Profile for Cloud Services” (TCDP), issued by the certification body of TÜV Informationstechnik GmbH (TÜViT), for the highest protection class III. Furthermore, the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI) has certified the “Secure Cloud Infrastructure (SkIDentity)” in accordance with ISO 27001 based on IT Baseline Protection (BSI-IGZ-250).

Privacy and data security as foundation for successful digital transformation

At today’s closing ceremony of the pilot project “Data Protection Certification for Cloud Services”, not only were the remarkable project results presented, including the catalogue of evaluation criteria based on ISO/IEC 27002 and ISO/IEC 27018, but the certificate for SkIDentity according to the “Trusted Cloud Privacy Profile for Cloud Services”, issued by the certification body of TÜV Informationstechnik GmbH (TÜViT), was also awarded to ecsec GmbH. As demonstrated in the evaluation and certification procedure, the SkIDentity Service fulfils the demanding requirements of the highest protection class III and hence may be used for processing particularly sensitive data in a legally compliant manner.

SkIDentity technology is now not only distinguished, but also certified

The multiple award-winning¹ SkIDentity Service (https://skidentity.com) was developed within the “Trusted Cloud” initiative supported by the German government. Using SkIDentity, electronic identity documents (eID) such as the German electronic identity card “Personalausweis” can be easily used in cloud and web applications. In particular, SkIDentity makes it possible to derive cryptographically protected “Cloud Identities” from any eID document, which can be transmitted to any smartphone and used there for strong pseudonymous authentication or for self-determined identity proofing in the cloud. Thanks to SkIDentity, no passwords need to be stored in web applications, and therefore there is no risk of them being stolen or misused.

As shown in the certificate (BSI-IGZ-250) issued by the Federal Office for Information Security, the scope of the security assessment and certification according to ISO 27001 based on IT Baseline Protection comprised not only the identity management service of SkIDentity but the full “Secure Cloud Infrastructure (SkIDentity)”, which can be used for the highly reliable operation of other cloud and web applications. “The processing of sensitive data in cloud services requires high security standards. A transparent proof of the correct implementation of an appropriate security concept can only be provided within an independent certification procedure,” adds Bernd Kowalski, Head of Department in the Federal Office for Information Security. “Within the certification of SkIDentity it was shown that even the demanding requirements associated with the use of the German electronic identity card in cloud services can be proved to be satisfied via an ISO 27001 certification based on IT Baseline Protection.”

¹ See https://www.skidentity.com/en/awards/ .