Trust service provider

A trust service provider (TSP) is a person or legal entity that issues and preserves digital certificates used to create and validate electronic signatures, to authenticate the signatories behind them, and to authenticate websites. [1] [2] In the European Union and in Switzerland, qualified trust service providers are the certificate authorities whose certificates are required for regulated electronic signing procedures. [3]

History

The term trust service provider was coined by the European Parliament and the Council of the European Union for the authority that supplies non-repudiation in a regulated electronic signing procedure. The concept first appeared in the Electronic Signatures Directive 1999/93/EC, where it was called a certification-service provider. The directive was repealed by the eIDAS Regulation, whose provisions on trust services applied from 1 July 2016. [2] [4] A regulation, unlike a directive, is a binding legislative act that applies directly in all EU member states without national transposition. [5]

Description

The trust service provider is responsible for assuring the integrity of electronic identification for signatories and services through strong mechanisms for authentication, electronic signatures and digital certificates. eIDAS defines the requirements that trust service providers must meet when providing authentication and non-repudiation, and sets out how EU member states are to supervise and recognise them.

eIDAS defines a trust service as an electronic service that consists of one of three activities. The first is the creation, verification or validation of electronic signatures, electronic seals, electronic time stamps and electronic registered delivery services, together with the certificates related to those services. The second is the creation, verification and validation of certificates used for website authentication. The third is the preservation of electronic signatures, seals or the certificates related to those services.

To be recognised as a qualified trust service, a service must meet the additional requirements set out in the eIDAS Regulation. Trust services provide a trust framework that supports ongoing electronic transactions between organisations and public bodies across the participating EU member states. [1] [6]

Role of a qualified trust service provider

The qualified trust service provider plays a central role in qualified electronic signing. A trust service provider must be granted qualified status by the supervisory body of its member state before it may issue qualified certificates, which in turn are what a qualified electronic signature is created with. eIDAS requires each member state to publish a trusted list of the providers and services that have been granted qualified status, and the European Commission publishes the list of these national trusted lists. A trust service provider that does not appear on its member state's trusted list is not entitled to provide qualified trust services. [1] [7]
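Relying-party software does not take a certificate's word for its qualified status; it looks the issuing CA up in the trusted list of the member state that supervises it, and checks the status the service had at the time the signature was made. The following is an added example, not code from the page or from any TSP: it parses a constructed fragment in the ETSI TS 119 612 trusted-list XML format (the element names, namespace and status URIs are the real ones; the provider, its subject name and its dates are invented, and the member-state signature, X509Certificate values and other mandatory elements are left out). It matches the issuer on the X509SubjectName digital identity for readability; production validators match on the service's X.509 certificate or subject key identifier.

```python
"""Look up the issuing CA of a certificate in an eIDAS trusted list and
report the qualified-CA service status at a given point in time.

Added example, not page code.  SAMPLE_TL is a constructed trusted-list
fragment in the ETSI TS 119 612 format (namespace and URIs are real, the
TSP and its dates are invented).
"""
import xml.etree.ElementTree as ET
from datetime import datetime

TSL_NS = "http://uri.etsi.org/02231/v2#"
SVC_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
STATUS_WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"

# Constructed sample: one TSP whose qualified CA service was granted in
# 2017 and withdrawn in 2023.  The current state sits in ServiceInformation,
# earlier states in ServiceHistory (newest first in real lists).
SAMPLE_TL = f"""<TrustServiceStatusList xmlns="{TSL_NS}">
 <TrustServiceProviderList><TrustServiceProvider>
  <TSPInformation><TSPName><Name xml:lang="en">Example Qualified TSP</Name></TSPName></TSPInformation>
  <TSPServices><TSPService>
   <ServiceInformation>
    <ServiceTypeIdentifier>{SVC_CA_QC}</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified CA</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId>
     <X509SubjectName>CN=Example Qualified CA,O=Example Qualified TSP,C=EU</X509SubjectName>
    </DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>{STATUS_WITHDRAWN}</ServiceStatus>
    <StatusStartingTime>2023-01-01T00:00:00Z</StatusStartingTime>
   </ServiceInformation>
   <ServiceHistory><ServiceHistoryInstance>
    <ServiceTypeIdentifier>{SVC_CA_QC}</ServiceTypeIdentifier>
    <ServiceName><Name xml:lang="en">Example Qualified CA</Name></ServiceName>
    <ServiceDigitalIdentity><DigitalId>
     <X509SubjectName>CN=Example Qualified CA,O=Example Qualified TSP,C=EU</X509SubjectName>
    </DigitalId></ServiceDigitalIdentity>
    <ServiceStatus>{STATUS_GRANTED}</ServiceStatus>
    <StatusStartingTime>2017-06-01T00:00:00Z</StatusStartingTime>
   </ServiceHistoryInstance></ServiceHistory>
  </TSPService></TSPServices>
 </TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""


def _t(tag):
    """Qualify a tag name with the trusted-list namespace."""
    return "{%s}%s" % (TSL_NS, tag)


def _time(value):
    """Accept a datetime or an ISO 8601 'Z' timestamp as used in trusted lists."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _states(service):
    """Yield (start, service_type, status, subject_names) for the current
    state and every history instance of one TSPService."""
    infos = [service.find(_t("ServiceInformation"))]
    infos += service.findall(_t("ServiceHistory") + "/" + _t("ServiceHistoryInstance"))
    for info in infos:
        yield (_time(info.findtext(_t("StatusStartingTime"))),
               info.findtext(_t("ServiceTypeIdentifier")),
               info.findtext(_t("ServiceStatus")),
               [e.text for e in info.iter(_t("X509SubjectName"))])


def service_status_at(tl_xml, issuer_subject, at_time):
    """Return (tsp_name, status_uri) of the qualified-CA service that
    identifies issuer_subject at at_time, or None if no such service was
    listed at that time.  The state in force is the latest one whose
    StatusStartingTime is not after at_time."""
    at_time = _time(at_time)
    root = ET.fromstring(tl_xml)
    for tsp in root.iter(_t("TrustServiceProvider")):
        tsp_name = tsp.findtext(_t("TSPInformation") + "/" + _t("TSPName") + "/" + _t("Name"))
        for service in tsp.iter(_t("TSPService")):
            in_force = sorted((s for s in _states(service) if s[0] <= at_time),
                              key=lambda s: s[0])
            if not in_force:
                continue  # service did not exist yet at at_time
            _start, svc_type, status, subjects = in_force[-1]
            if svc_type == SVC_CA_QC and issuer_subject in subjects:
                return tsp_name, status
    return None


def issuer_is_qualified_ca(tl_xml, issuer_subject, at_time):
    """True only if the issuer was a listed CA/QC service with status 'granted'."""
    found = service_status_at(tl_xml, issuer_subject, at_time)
    return found is not None and found[1] == STATUS_GRANTED


if __name__ == "__main__":
    subject = "CN=Example Qualified CA,O=Example Qualified TSP,C=EU"
    for when in ("2016-01-01T00:00:00Z", "2020-01-01T00:00:00Z", "2024-01-01T00:00:00Z"):
        print(when, service_status_at(SAMPLE_TL, subject, when))
```

The time-travel check matters: a signature made in 2020 by a CA that was withdrawn in 2023 was still qualified when it was made, while a signature dated 2024 from the same CA is not, and a signature dated before the service was granted is not either. Real validators (the Commission's DSS library, for instance) apply exactly this history walk, but over the signed, signature-verified trusted lists fetched from each member state, not over a local fragment.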

Trust service providers on a trusted list are required to follow the strict rules established under eIDAS. They must record the date and time at which certificates are issued and revoked, and must publish the revocation status of a revoked certificate promptly (the regulation requires publication within 24 hours of the revocation request, with the revocation taking effect on publication). The EU obliges trust service providers to give appropriate training to all personnel they employ. They must also use trustworthy systems and products, in both software and hardware, that protect the certificates they issue against forgery. [1] [2]

Vision

One of the major intents of eIDAS was to facilitate both public and business services, especially those conducted between parties in different EU member states. Such transactions can now be concluded electronically through electronic signing, with trust service providers ensuring the integrity of those signatures.

EU member states are required under eIDAS to establish "points of single contact" (PSCs) for trust services, which ensure that electronic identification schemes can be used for cross-border public-sector transactions, including the exchange of and access to healthcare information across borders. [2] [8] [9]

While an advanced electronic signature may not be denied legal effect under eIDAS, a qualified electronic signature, created with a qualified certificate issued by a qualified trust service provider, carries a higher probative value when used as evidence in court. Because the authorship of such a signature is treated as non-repudiable, its authenticity cannot easily be challenged. Under Article 25(2) of the eIDAS Regulation, a qualified electronic signature has the equivalent legal effect of a handwritten signature, and EU member states are obliged to recognise qualified electronic signatures based on qualified certificates issued in other member states. [2] [3] [10]
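What makes a certificate "qualified", and whether the signing key is held on a qualified signature creation device, is asserted inside the certificate itself through the QCStatements extension (RFC 3739, id-pe-qcStatements, OID 1.3.6.1.5.5.7.1.3), using the ETSI statement identifiers from EN 319 412-5. The following is an added example, not code from the page or from any TSP: it encodes a constructed QCStatements value and parses it back with a minimal DER walker, so it runs offline without a real certificate. Its output is a self-claim by the issuer; it only means something once the issuer has been confirmed as a granted qualified CA on a trusted list.

```python
"""Encode and parse the QCStatements extension (RFC 3739 / ETSI EN 319 412-5).

Added example, not page code.  The sample values are constructed here;
the OIDs are the published ones.  In a real certificate the extension
value is the DER bytes found under OID 1.3.6.1.5.5.7.1.3.
"""

QC_COMPLIANCE = "0.4.0.1862.1.1"   # id-etsi-qcs-QcCompliance: "this is a qualified certificate"
QC_SSCD = "0.4.0.1862.1.4"         # id-etsi-qcs-QcSSCD: private key is on a QSCD
QC_TYPE = "0.4.0.1862.1.6"         # id-etsi-qcs-QcType: what kind of qualified certificate
QC_TYPES = {"esign": "0.4.0.1862.1.6.1",   # electronic signature (natural person)
            "eseal": "0.4.0.1862.1.6.2",   # electronic seal (legal person)
            "web": "0.4.0.1862.1.6.3"}     # website authentication (QWAC)
QC_TYPE_NAMES = {oid: name for name, oid in QC_TYPES.items()}
SEQUENCE, OBJECT_ID = 0x30, 0x06


def _encode_oid(oid):
    """DER content octets of an OBJECT IDENTIFIER (base-128 arcs)."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def _tlv(tag, value):
    """Wrap value in a DER tag/length (short or long-form length)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value


def _read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _decode_oid(value):
    """Dotted string from OBJECT IDENTIFIER content octets (first arc 0 or 1, as here)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def build_qc_statements(qualified=True, qscd=True, qc_types=("esign",)):
    """Constructed QCStatements value: SEQUENCE OF SEQUENCE { statementId, statementInfo OPTIONAL }."""
    statements = []
    if qualified:
        statements.append(_tlv(SEQUENCE, _tlv(OBJECT_ID, _encode_oid(QC_COMPLIANCE))))
    if qscd:
        statements.append(_tlv(SEQUENCE, _tlv(OBJECT_ID, _encode_oid(QC_SSCD))))
    if qc_types:
        info = _tlv(SEQUENCE, b"".join(_tlv(OBJECT_ID, _encode_oid(QC_TYPES[t])) for t in qc_types))
        statements.append(_tlv(SEQUENCE, _tlv(OBJECT_ID, _encode_oid(QC_TYPE)) + info))
    return _tlv(SEQUENCE, b"".join(statements))


def parse_qc_statements(der):
    """Map statementId (dotted OID) -> raw statementInfo bytes, or None if absent."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("QCStatements must be a single SEQUENCE")
    result, pos = {}, 0
    while pos < len(seq):
        tag, stmt, pos = _read_tlv(seq, pos)
        otag, oid, after = _read_tlv(stmt, 0)
        if tag != SEQUENCE or otag != OBJECT_ID:
            raise ValueError("malformed QCStatement")
        result[_decode_oid(oid)] = stmt[after:] if after < len(stmt) else None
    return result


def qualified_profile(der):
    """Summarise what the certificate claims about itself (a claim, not a verdict)."""
    stmts = parse_qc_statements(der)
    types = []
    if stmts.get(QC_TYPE):
        _tag, seq, _end = _read_tlv(stmts[QC_TYPE], 0)
        pos = 0
        while pos < len(seq):
            _tag, oid, pos = _read_tlv(seq, pos)
            types.append(QC_TYPE_NAMES.get(_decode_oid(oid), _decode_oid(oid)))
    return {"qualified": QC_COMPLIANCE in stmts, "qscd": QC_SSCD in stmts, "types": types}


if __name__ == "__main__":
    print(qualified_profile(build_qc_statements()))
```

With the `cryptography` package, the bytes to feed `qualified_profile` come from `cert.extensions.get_extension_for_oid(ObjectIdentifier("1.3.6.1.5.5.7.1.3")).value.value`, since that library exposes this extension as an `UnrecognizedExtension`. A certificate that claims `qualified` but lacks `qscd` can back an advanced signature with a qualified certificate, not a qualified signature; that distinction is what the court-evidence difference above turns on.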

The standards are still evolving. Further standards for trust service providers, including the policy and security requirements of the EN 319 401 and EN 319 411 series, are maintained and extended by the European Telecommunications Standards Institute (ETSI). [11]

Global perspective

The Swiss digital signature law ZertES defines a comparable concept of certification service providers. These providers must be audited by conformity assessment bodies appointed by the Schweizerische Akkreditierungsstelle (Swiss Accreditation Service). [12] In the United States, the NIST Digital Signature Standard (DSS, FIPS 186) in its current release specifies signature algorithms only and has no counterpart to a qualified trust service provider that would strengthen non-repudiation through a signatory's qualified certificate. Authors of the forthcoming revision and other commentators have, however, publicly discussed an amendment along the lines of the eIDAS and ZertES approach to trusted service provision. [13] [14] Stringent, non-repudiable global transactions with legal relevance would require international harmonisation.

Controversy

Several research institutes and associations have expressed concern about establishing a small group of centralised trust service providers per country to authenticate digital transactions, arguing that this structure may harm privacy. Given the central role of trust service providers in many transactions, the Council of European Professional Informatics Societies (CEPIS) fears that they would collect the distinguishing attributes of the citizens being authenticated. Because providers must preserve data, and can be expected to keep evidence against potential liability claims over inaccurate identification, CEPIS sees a risk that they will create and store log entries for every authentication. That information would allow the monitoring and profiling of the citizens involved; where the counterparty to a transaction also identifies itself, users' interests and communication behaviour would sharpen those profiles further, and large-scale data analysis would give far-reaching insight into citizens' private lives and relationships. The direct connection between providers and the government bodies that qualify them could in turn give those bodies access to the collected data and profiles. [15]

Another publication argues that, for the promised secure and seamless cross-border electronic transactions to be realised, assurance levels, definitions and technical deployment need to be specified more precisely. [16]

In 2021, proposed updates to eIDAS, criticised as vague, would require web browsers to recognise website authentication certificates issued by TSPs on the trusted lists and to present the assurances they carry to users. This would in effect place government-designated TSPs alongside the existing multi-stakeholder processes that browsers use to decide which certificate authorities to trust. The Internet Society and Mozilla raised a variety of objections to the proposals. [17] [18]


References

  1. Turner, Dawn M. "Trust Service Providers according to eIDAS". Cryptomathic. Retrieved 22 June 2016.
  2. "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC". EUR-Lex. The European Parliament and the Council of the European Union. Retrieved 18 March 2016.
  3. Turner, Dawn. "Understanding eIDAS". Cryptomathic. Retrieved 12 April 2016.
  4. "Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures". Official Journal of the European Parliament. Retrieved 22 June 2016.
  5. Turner, Dawn M. "eIDAS from Directive to Regulation". Cryptomathic. Retrieved 29 June 2016.
  6. Bender, Jens. "eIDAS Regulation: EID - Opportunities and Risks" (PDF). Bunde.de. Fraunhofer-Gesellschaft. Retrieved 18 March 2016.
  7. "Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers" (PDF). European Telecommunications Standards Institute. Retrieved 22 June 2016.
  8. Turner, Dawn M. "Advanced Electronic Signatures for eIDAS". Cryptomathic. Retrieved 22 June 2016.
  9. Kerikmäe, Tanel; Rull, Addi (2016). The Future of Law and eTechnologies. Springer. pp. 63–64. ISBN 978-3-319-26894-1.
  10. "Regulations, Directives and other acts". Europa.eu. The European Union. Archived from the original on 12 December 2013. Retrieved 18 March 2016.
  11. "Certification Authorities and other Trust Service Providers". European Telecommunications Standards Institute. Retrieved 22 June 2016.
  12. Der Schweizerische Bundesrat. "Verordnung über Zertifizierungsdienste im Bereich der elektronischen Signatur (Verordnung über die elektronische Signatur, VZertES)" [Ordinance on certification services in the field of electronic signatures]. Retrieved 12 May 2016.
  13. "FIPS PUB 186-4 - Federal Information Processing Standards Publication: Digital Signature Standard (DSS)" (PDF). National Institute of Standards and Technology. Retrieved 22 June 2016.
  14. Turner, Dawn. "Is the NIST Digital Signature Standard DSS Legally Binding?". Cryptomathic. Retrieved 22 June 2016.
  15. Hölbl, Marko. "Position on the Electronic identification and trust services (eIDAS)" (PDF). Council of European Professional Informatics Societies (CEPIS). Retrieved 24 June 2016.
  16. van Zijp, Jacques. "Is the EU ready for eIDAS?". Secure Identity Alliance. Archived from the original on 22 November 2016. Retrieved 24 June 2016.
  17. "Internet Impact Brief: Mandated Browser Root Certificates in the European Union's eIDAS Regulation on the Internet". Internet Society. 8 November 2021. Retrieved 6 March 2022.
  18. "Experts urge EU not to force insecure certificates in web browsers". BleepingComputer. Retrieved 6 March 2022.