Digital Signature Legality for Supervision in European Union

How to eSign a document: digital signature legality for Supervision in European Union

welcome to Sesame today we have with us not solemn a year from Spain he is one of the leading lawyers and legal experts and for digital identity and has become a big expert in the SSI space also in the last couple of years working very closely with the European Commission and many different community members and in Europe and globally also by society and we're very happy to be one of the venues chosen to and the report that he worked on for the European Commission which is about the ADA s bridge and he produced the legal report for this and this is very very important work because the European Union as a whole is betting big time on SSI because they recognize the importance of this especially in the times that they're running today this is quite important to make our life more digital and provide more digital digital transformation so I'm really happy that we have the opportunity to have natural I mean you're again with us we already had in a couple weeks ago telling us more about ADA's which is a governance framework for the European Union but really happy to have him with us today so we can summarize what as a sign meetup is about for those of you that don't know us yet in the next slide we and we are basically developing SSI meetup on three principles so the first principle is because you SS I'm ADA has been created to help people around the world and to use content that is relevant for them and and to be able to share with everyone so this is open to communities to associations to corporations to individuals all around the world and everything is shared with the Creative Commons by share alike license which basically means you can we use this material in any way you want and do your own community events or present it at your company the only thing you have to do just to credit back to the person sharing this material which today is not one of media and interests I meet up and this material I mean there's this webinar 56 we've done so many now and people have been using this all around the world and you can use it and there have been other events created like SSI meetup Korea and it has been really really successful so we really have either people are using this in an open-source way if you have any questions during the presentation please bring the bring them up using the crash control and and then I'll bring them questions are true not so during a presentation at the end of the presentation and yeah not so thank you so much for being with us today and welcome to a submitter again oh thanks Alex nice nice to share again the video with you it's really an honor and today is probably this is going to be probably the first public presentation of the work we've been doing the European Commission regarding the the EIS bridge project but moreover regarding the interplay between the EIS world and the SSI world so this is the what we call the society I that's legal report and the subtitle is how ëitís can legally support digital identity and thus positively based some sections in the digital single market with we talk about the digital single market because you know this is the European Union and typically speaking when the European Commission needs to act in a coordinated way typically they have to use a legal basis and we have strong legal basis when it comes to the digital single market because this is one of the big big big big objective squid we have which is to create a single market also in the digital space we we decided to take is this title because it is not only about digital identity but also about trustworthy transactions so we're going to discuss not only identity and identity sherry but also we're going to talk about transactions we're going to talk about digital signatures and as you will see we have analyzed the interplay also between a Aida's and the qualified certificate walls that means the PKR world because we think that there has come should try to some form the current regulation with reverse design for traditional PKI meaning central centrally controlled by a 40s into the new and exciting world of this secluded PGI which is part of the of the technical infrastructure we have any ideas of course I have to say that this legal report is only my responsibility so it is not an official product by the European Commission and it does not mean that the European Commission and those as any of its content in fact this is the typical way European Commission works when they confront experts so please do not consider this as an official architecture or an official way forward by the European Commission in the future all the technical works that have been done in the European blockchain services infrastructure project and especially in the use case known as as if which is the European so strongly that the framework will be published will be discussed by the with the community with the run best days and probably they will be converted in public policies today we we have a published report we we are inviting anyone in the community to be able to read the report to make any questions to make any critique to do to that report because it is food for thought it is reported to try to understand what at the type of changes we should be doing in our current legislation to be able to take this small market which is about 360 million people and try to use these new technologies with the old legislation you will see here in my presentation that we have identified different scenarios and there are rules that be implemented really quick which are called very short-term scenarios then we will see meet both short-term scenarios that do not require legal changes I don't know only legal interpretation or a small procedural changes and then finally we will see new exciting scenarios by modifying the regulation and therefore are not so quick but before that it is important to remember some of the key aspects of the EIT circulation for any anyone who is not really acquainted with it in fact I'm here reusing some slides from the epoch I was thank Stanfill for this because they are very very very clear so in fact in the ëitís or even if we talk about one revelation we have kind of two regulations we have one revelation which is included in chapter 2 of the ëitís which is about the mutual recognition of e identification means that means for instance that if I have a national ID card issued for instance by the Spanish government like my national ID card which is called the Denny electronical thanks to this revelation the I can use it when I am I need to be authenticated in a public transaction for instance in virtue so this is one part of the revelation which is very interesting and it is directly applicable to SSI space and then we have a second part which is about what they are what is good they are called coming to services these are services that might be provided in returning form by public come by public bodies or private sector companies and they provide trust tutor sections so for instance one of the most important in terms of service right now in the market is the issuance of qualified certificates for electronic signature for instance natural media with his electronic qualified certificate is entitled to sign to produce qualified signatures that are legally acceptable in the whole European Union substituting with signatures so this is one of the most important services the issuance of qualified certificates we will see that this is also important in the context of the EIU study because some type of brief our credentials could be considered as qualified certificates and we have a study the conditions for this to happen this is important because we have a really an existing market that could benefit of using these new SSI technology if we are able to prove that the Society of neurology meaning did that it document the peripheral potential you know all this all the stuff is able to be considered as a qualified certificate because we already have a legal recognition so some of the scenarios are then related to electronics and finally the indie revelation you will see some some other content specifically regarding the facilitate facilitating the legal recognition of electronic documents this is important because very fun credential of any sort is considered under the European law as an electronic document and as such there is a little right to present this document into a code and have the possibility to to provide evidence to be recognized as a pallette proof the valid evidence in a judicial matter so probably the interplay of chapter two major recognition of Eid official means chapter 3 electronic of services and sat therefore is a sufficient legal basis for for us to use this technology in real transactions in fact neutral recognition is more about the the collaboration between public authorities so chapter 2 is just for public sector operations in the mandatory space and optionally they might be used if member states want to by private sector bodies but on the contrary the electronic throws services regulation is both for private sector of transactions and for public etcetera but by poly poly transactions so if we are able to define a special type of distributed PKI based verify credential as qualified certificate then the recognition is granted for the whole European Union and for the whole for any electronic accession we want to do and so it will be of paramount importance to understand if it's possible regarding electronic identification the the ìitís is as I was advancing based on the cooperation between member states it is based on a principle which is corporation proceeding so we did this means that if my national ID card is recognized by France the pain must also recognize the French electronic item means and this is done on a level of assurance basis so if sonic ID means it should be in France is substantial level it will be recognized for substantial level procedures in Spain but not for high insurance levels so we have defined the different levels of assurance and two of these level of assurance are under e of mandatory acceptance on the other the other one which is the low level it is not it's just based on the voluntary the buddha voluntary agreement by member states voluntary acceptance so probably it is important to be a man that an institution is aligned with these levels of assurance if we want that should be recognized ing the EEI dust of course that means that it will be used only only at least to access public services but probably the future some member states are willing to open the access of the eful for the recognition of these services also of the systems also for private sector bodies so right now we have a lot of notifying dat schemes so here you have just just a reference we have more than 50 electronic ID systems right now in place I did skip certify with different ID means of all that countries so we have a big infrastructure that is currently up and running and probably it is under underused probably it is not so used as it should be but it is already there so depending on the country you have a lot of systems that ending on the country you only have one system but it is that all these systems must be recognized by all the Member States so we are citizen of one of these countries you know you you know have the river right to use the is this the system provide for you if it has been notified with any transaction for with any public service in the European Union and in depending on the case depending on your Member State probably even to enter into the sections with private sector bodies here you have the list of benefits I am NOT going into full details for this because I mean it is not the interesting in the context today but this is a view of the European Commission the European Commission tends to think that an intolerable under the ID is a kind of public good so we should be able to open the usage of these electronic ID to all people to all parties because they are going to have cost savings we're going to have less fraught we're going to have more legal compliance we're going to have more more security place so this is important because we have of course the purely traditional AIG means the means name surname they took birth of this this type of attributes but in the view of the wide view of identity and the European Commission has studied in different projects the possibility of interchanging other type of attributes so for instance such as for instance people academically promise so this is something that was not possible with the current infrastructure it was a study that and the complexity was really high but we think that it will be possible with this new infrastructure because of the chemical capabilities and I will just repeat referring to the later on and just for your information the current interest the current di does electronic identification eye interoperability architecture is shown in this screen here you you have city member a which is the member that he is going to receive the data section so probably this is imagine that this is a Spain that is offering privacy a citizen of member B member state B to to in in Spain so a citizen of members DB needs to prove her identity and to file some documents to be able to initiate the the proper public procedures right so in this case the citizen of members they be has already an identity provided by member state B for instance Belgium so this Belgian guy she she's going to to connect to the service to the Spanish service provider the service provider will use a connector to resend this this person to us proxy service in example to the identity provider in member state B so the is going to be redirected to members to be in this case using using a portable okay the identity provider is going to authenticate the Belgium with any any identity that has been provided in Belgium and once the person has been identified there will be redirected again to the service provider in Spain with and they would there will be a connection between the service provider and the identity provider where a sam'l will be interchanged with the minimum data set of the Belgian citizen so the service provider is trusting the service provider in member state a is trusting the information provided by members VP in fact the authentication is delegated from the service provider in Spain to the identity provider in virtue so this is something that has been up and running during a number of years we are doing this with a sam'l profile which is really old technology because I was both in in the beginning of the of the protected projects of that gave birth to this infrastructure but in in 2005-2006 so we were creating this infrastructure so it's all technology you have something similar with new words and Rochin including the Open ID Connect world which is probably less less heavier it's lighter in terms of technology but that unity this is what what you can call it and delegate it authenticated framework so probably the service provider is using always an identity provider that means that proxy server can see all the intersections and probably this is going to create several problems one problem is the perception of less privacy than expected because the proxy service could be some government that is severely in the activity or an activity of the citizens of course I'm not saying that they do that and in fact it is prohibited by the legislation by the European legislation because they can't use this data for any other purpose but it could happen and probably if citizens are concerned with this they are not going to use the service so this is of course a social problem and then of course we have other problems imagine that we want to extend the systems to a bank acting as a service provider probably the bank with one some is some assurances and a specific service to the pal agreement provided by the proxy service and by the identity provider because they have lots of instructions so if this is the case probably we can face a problem with my bestie B because they can say okay I don't want availability or I don't want to pay for this so the other day there are lots of potential problems here that could be solved by using a decent arise approach for instance moving the authentication from a single point of failure which is the proxy service to the this iteration network itself so on the end of the day this is a nice successful interpreter architecture but of course we do technology you have new possibilities and we it is our duty to explore all these possibilities so this is one the European Commission is doing in the FC Esav project - just two questions maybe that I think might be useful to trust right now and Luke he's asking and if there's a unique European ID number and the transaction present that present I think that's one of you slides and then the other question is are there plans to extend a IDs to identify an enterprise okay the first one it is no there is no unique now on the contrary in the minimum they said here you can see the data set this is an example for kyc here you can see that the minimum data set includes current family name current this name they took this and unique identifier this unique identifier it is not for the APM is assigned at the European Union level is assigned by your Member State for instance in my case in Spain if the unique identifier is the national identity number but in the but but in other countries such as Germany they create a third non unique identifier which is different from from the NPI number because they are not allowed to use the the national ID number a quartet sections and this as far as I have as I am aware this number is different for each member state so if you are authenticated from from Germany which by the way use the they don't they don't use the proxy model by the middleware approach which is more privacy granting in my opinion then you are having different numbers depending on the relationship with different countries and this is because they are they have have more straight approaches to data protection so we will depend on on on each member state policy and of course on constitutional law if you are going to receive a unique identifier and if you look at Austria it is a bit better they have different numbers per sector so probably they want to break through traceability that one notability but least ability they want to avoid leak ability so have different numbers even perspectives inside the country so at the end of the day yes this is one of the the the the province with with with encounter and it is generated some operational problems in the when when when it comes to the national level for instance in Spain it is difficult for us to do the aborting of the of a German citizen if because we returned to us for a falling number assigned in Spain to that citizen so now we have to accept that they are going to be awarded with a unique identifier a sign assigned there which is different for from any other number we've been using and this is one of the various for the extension of the usage of this technology and the the other question if I understood it well it is about the electronic identification of little persons in this case it is already covered but it is not really working so right now the only the only systems that have been notified as far as I am as I am aware but I am NOT I don't know by memory I don't remember all the details because they are 50 systems right now I I think that they have only notified majorly at least natural person systems but it is it is included in the regulation so it is possible to issue a national system to a legal person and it would be possible to notify and get recognition great ok here so what was the identity party the other part is the inter services part here you only have two horizontal principles of course the idea is that here we have we have a kind of privatized market for the production of legal evidences and this is quite the novelty in our system because right now when you want in the in the paper world when you want very strong evidence piece of evidence you have to go into into into a public authority or enjoy and Latin notary for instance so the electronic world we didn't have the possibility of creating very strong authentic electronic evidences that wasn't there except for electronic signature since the electron their signature directive back in 1999 which by the way has not work a lot so right now on the contrary we have market which is plenty of providers which are authorized to issue a set of services that includes qualified certificates assuring the identity of a natural person picking up an electronic signature or the identity of a legal person making up the seal of that the electronic seal order of that little person we also have time stamping services that assure that an object exists at the time which is asserted in the time stamp with even with with an evidence that reverses the burden of the proof in court which is really important we have the possibility of heavy of half copying electronic assisted delivery services which by the way could be pasted on on good uncor the their evidence in a blockchain why not and we have the website authentication certificates that are in fact mandatory in some in some cases for instance in the payment services directive to serve certain electronic Sheils inserting website applications qualified certificates are Monday mandated for assuring the identity of the payment actors in this market so the idea here is that we have a supervisory system so if a technologist was worth Lee we provide that in this technology with an admitted license to operate and then we allow this this companies to sell or these public bodies to sell these services in the market and these services have a presumption of authenticity somehow so this is really important because they create this is a kind of set of tools and if toolbox that allows us to provide with a higher initial value to a processes and just about qualified signals the types of signatures and seals we have different ones we have a concept which is a simple electronic signature which is not necessarily secure even if you are saying in the in the in the in this slide that in the in the axis which are about security a simple signature it is normally less secure than a qualified signature but it could not be the case so we have very secure simple signatures simple signature is anything that demonstrates the intent of the signer so if you want to sign making click in a button and you can do it and you have the legal right to go into court with this proof except if there is a legal requirement of phone this is important because the other two types of signatures which are called advanced unqualified signatures are just based in the same technology as we are using in the blockchain so generally speaking blockchain transactions are based on piece on you know private keys public keys and so on and that means that when we sign a blockchain transaction generally speaking of course we could be producing an advanced signature or we could in producing a qualified signature so this is important in the context of the prochain but it is of important but because if we use this technique to start to protect a briefing credential which is issued off chain we could get more little recognition for a peripheral credential and this is one of the case studies we've done so if a university wants to issue diploma of course they can do it using the proc chain and covering their identity they did in the in the blockchain and having a document that allows anyone to read and defy the issuer and understanding that if this issue is authorized to issue this kind of prefer credential but then the credential is not signed so the credential is not protected and here in fact you will find the ëitís bridge useful to the ëitís bridge but really is doing is trying to associate the possibility of applying qualified signatures advance for qualified signatures or advanced qualified seals to verify credentials to grant more legal effect for them in the European Union so this is one of the biggest cases we've been dealing with in the project and this is one of the eastern areas so the interplay here you can see the interplay between the itis with the ESI world both from the perspective of the atomic identification and the perspective of the electronic through services this is something which is quite important so going on on the details of the scenarios would be in working here you have of course my typical slide on why the island simulation is useful in the SSI space which is the justification for doing this study it is the fact that yeah that regulation is the main electronic trust framework and we have in the European Union the economic area of course in the in the in the area of the topic of electronic event ID but also fortress services so it is a really big piece of legislation that there is aiming to harmonize the way we do things in electronic space when we need trust so this is related to less two less identity not to commit the social based or reputational based identities it is based on coal burner or a bridge suite framework uber with with average Street governance based on cooperation by member states based on legal recognition of certain type of company with supervisor supervisory authorities really sweet audits and a bunch of governance rules that tend to provide that one aim to provide trust which means that if we are able to apply this to the blockchain we are inheriting this trust into developed into the transactions that are called on the blockchain apart from this it is a building block of the digital signal market I referred already to that and it can be extended to include the recognition of the IDs not only for poor etcetera but also for private sector users which is really important in the case of on the morning on the money laundering and cultivating in tourism permissions right now online platforms or why not in the context of the new directive for the online of the digital for the usage of digital tools in the in the company company law that includes provisions such as the possibility of constituting a new company cross-border without a physical presence and of course as the EIT simulation has rewritten in with a theological neutral approach that is perfect but is sufficiently satisfactory it is it's going to provide us with a real opportunity for the adoption of SSI systems but reusing this system instead of creating something from scratch and finally yeah that ovulation is having a strong influence in the International rotary space which is also important because we should try to build something which is recognized also in in other parts of the world so here I always side the ansi trial works on situation agency by from from the european united nations working with for the harmonization of international trade law they are working in a new project well new project that started four years ago decided to have a framework for the remission of electronic identification systems provided by governments in electronic commercial transactions so that it is also really important if we are able to get to succeed when aligning aligning ssi systems with the ID relation probably we are step ahead we are closer to the unsettle approach which is so interesting in terms of international policy so it's at this of course you have a 150 pages document which at the other day without unity only a Lisa P at least you will be literary 130 pages so the idea here is just to try to force today to pay the way for you to do that and of course I want to say again that we are happy to receive any comment any criticism of course this is a first approach it is something highly theoretical in some cases it is more practical in other cases which is important but it is food for thought it is just to stop the discussion and reinforce and the projects by the European Commission so from this perspective we have done a very extensive work we have done in general legal considerations which I'm going to share immediately and then we have set up a set of a scenarios to have a discussion in an orderly way so what whether in certain to do now is just to go through the visa scenarios and I'm just sharing the explanation of each scenario and the main recommendations we are doing the recommendations in some cases are really aligned they are really directed to get the thoughts for the application of the current legislation to current solutions which could be done so this is good news because we have done have to wait for the illness is later in my opinion to modify the regulation or to create a new relation we can do a lot of things right now with what we already have and or some other scenarios are designed just in having in mind that we the European Commission has already opened the process for the formal review of the ELA regulation so it could be interesting in terms of public policies so in some cases we are doing recommendations that could be or not could not be selected by the European Commission but that's fine because the aim of this table is not to solve all the problems in the world but just to provide some some guidance for for the future and we are happy because we have this code that it is not so difficult to put in place today without changing everything our real solution into production so this is good teams okay in any case of course I have to say that all the work has been done in the context of the fcsh project so we have not evaluated any other solutions so everything I am discussing is is based on the works of FCS if these words are not public in their maturity so probably it might be difficult for some of you to have access to all they talk about the documentation sorry for this but this is a constrain we have but it is it is easy to imagine how the system work because the the the FCS a project is similar to the alas 3 approach similar in some cases to to what the deef this interest identification is discussing so probably we are going to you're familiar with its with three matrices with key rotation in with with identity smart proxy contract with the universal resolver we have a big hug so this is the kind of stuff that has been discussed in in this in this project I'm perfectly aware there are quite different solutions out there for instance it could be it really interested interesting for me to be able to expand this analysis to the hyper ledger in the area schools approach which is quite different but of course this was out of a scope so please keep in mind what I told this is a study in the context of this project so it has of course some limitations and another of these limitations is that we are really to turn out to a person so we have not studied anything about little entities pick a person's identities we have not study any anything such as process identities or IOT the identities or all the things so I mean there is a lot of innovation out there to be studied it was not considered in the study because of obvious limitations which is which is that the FCS if has a scope and they have iterations and probably it was interesting also what to do yeah to be able to deliver something so here in this first part we have analyzed the with producer general lysis regarding the legal value very fun contentious as such not without considering a specialization of the of the content of a very far credential and with generally consistent of what the duties the document and the control keys and here the recommendations we are doing for for the future in this project this is for instance to extend the the use cases to little persons for instance it could be interesting because then we would have full others to the AI the subject to the scope or for it to define precise semantics for briefer credentials and presentations in support of natural persons acting on behalf of legal persons this is what the project the architect calls a peripheral mandate so he is in fact discovering natural persons identification little person identification and the identification of a natural person acting on behalf of a little person this is really interesting because for this we need precise semantics this is something that is being studied right now and it could be interesting to go into further details in the future and also of course it could be interesting to define at this trust at the peripheral plus level that means for anybody for potential all the legal properties and procedures that are common to any peripheral credential subclass for this I am referring to the to the idea for instance of applying an electronic seal to a briefer credential I mean the literal meaning of sealing a credential is the same for any type of potential it does not change when the credential is used for identification or the commercial issues for transport accommodate or to assert that you have a diploma it is the same semantics so probably it could be interesting to work part of the project specifically from the perspective first initiation of the semantics a declare at the ADIZ class and generate class level and of course it could be interesting also to refine the legal semantics for the K usage in connection with anybody for credential because right now anyway it there is a few comprehension of what is the legal status of our did Kentucky so is it if probably with an example it is easier to understand for instance when I have a private key to control a deed and I sign things with that private key it is not affiliated with whether I am producing an electronic signature because it has to do with intent so probably using a private key for identification purposes is different as using the same key for electronic signature purposes and it is it is not clear that we have got clear legal semantics for that so probably it would depend on the on the purpose of the we want to use this any peripheral credential but of course that means that we must say something about it in our identity that our framework or in our peripheral credential through the framework depending on the use case and of course this is something which is really interesting we should define key management policies aligned with these legal semantics for instance if the key is going to be used for identification purposes this key has to comply with certain rules and and I'm talking about Bruce of course probably the key should be created in a specific space in a secure element and this equipment could be should be certified ing to certain potential profiles to be sure that it is first worth enough for this purpose so this is something we have already defined in the IRAs but we don't have this defined in the SSI world and even very very very mature initiatives such as the digital effect the decentralized key management system proposal which is really good tends to forget about some of the details they for instance they talked about the H agent that is the only place when you create your case and that it seems to be optional whether you have to you should be using a secure element or not so this kind of discussion should be should think based here and then it is not general matter general description when you are designing your SSI system so if we want our society to be a language EFS of course we have to take the the constraints and the legal requirements of a Ida's into consideration so the the scenarios because I want to take well just few minutes we with for this I think that the information is there so we have to as I said before we have to find ten different scenarios here you can see them group by type and the time frame is based on the name to make changes in relation or not for instance we have identified three very short-term scenarios that in our opinion require no changes at all in relation to be able to put into production and then we have two short term scenarios which is which means that they are based in a generous interpretation of the regulation like so and then we have me to learn the mission areas that require major changes in the regulation so the the five first the scenarios are something that we feel they can we can go into production with no change at all or a small change but for the Bitterroot there are scenarios unfortunately we think that we need to to modify the current regulation or at least to do major changes so probably it is more feasible to go for this for the third the five three the five scenarios then follow the second five okay filter scenario in this case what we want to do is to use notify deity means and qualify certificates to issue peripheral credentials this is the classic onboarding problem so here imagine that I have a national ID card issued by the Spanish government that is notifying the area in this case is to do an onboarding using my national ID ID card that of course grants that I am Not sure because it is a high level system to create a derive identity in this case what we are thinking is a kind of verifiable credential which is called a peripheral IV which is used for identification purposes or for any other purposes you want but that takes the information out from the the national ID card from nacho so in this case that Soha already has a did and with natural state he gets a barrelful credential with a naturist name and surname and date of birth and any any data based on an enrollment taking the data out from the national ID card so that means new identity because I have a new identity but the information in this new identity is based on the national ID card so here we are positioning from a centralized system which is the nationality card to a disinterest system which with the couples the the the system and allows me to reuse this information when I am entering into businesses with companies for instance so this is one one interesting use case and we think that this case in fact this case is more less implemented in the DFC Esav project because it is just to onboard someone by using an identification means that he or she already have deposit the other possibility of course could be to use a qualified certificate so for instance if I have a qualified certificate on the cloud which is something that is really accessible today I could in mind I could get a peripheral ID or patroller credential with my identification data by derivation from this qualified certificate this is of course a very small use kay is but it is interested interesting because it would allow the users to go quickly into the SSI space by receiving peripheral credentials with a substantial level of assurance which is quite good for commercial purposes and here are commutation trees of course to develop detailed guidance for remote impersonal identity proofing procedures for issuing peripheral credentials so this is important we if we have guidance then we we are we can enter into this space with more certainty of course if we are going to use this for trying identification of electronic signature which have have guidance for the conformity assessment bodies that do the periodic audits duty to the different providers the true service credits in this case and of course it will be important to have detailed guidance for collection of storage of identity perfume material for recognition purposes because at the end of the day if there is any any problem with with a credential we will need to know why why did you get better predecessor to your name and if it has been any problems so probably we should have something a five for a potential purposes in there so this is very very easy scenario actually implement it is quite possible to do that of course it is easier if you are doing everything so with the Spanish government issue in the national ID card is issuing also the peripheral credential it is easier because there there is no different parties and then therefore liability is contained it might be more difficult if the issuer of the peripheral credential is a different party because mmm of course this party is taking the risk so probably this is a little risk because you are proofing theydon't differential using the national ID card from natural but there is some risk so probably it is probably the most feasible scenario in the short term the second one is the the appropriately called a either switch which is about increasing peripheral credentials little value and cross-border recognition so when it comes to a very forward credential I already said that from a legal perspective this is an electronic document so anyone can issue an electronic document and all of us we have the legal right to bring this document into court and discuss about it but of course if you want this document to be more recognized a good idea is to put an electronic signature or a link to an electronic seal on top of it so probably the same way you sign invoices to get more recognition or you seal invoices to get more recognition in other countries it could be a good idea to seal the referral credential you are issuing to the h-word so again in this case the the use case in FC is a the issuance of a diploma if a university was to issue a diploma it is easier if this verifiable credential is sealed by the university because anyone in Europe recognizes the value of the seal apart from it we are going to have confirmation of identity so it is not anymore the credential with a deep associated to an issuer but it is also a way to know that this D pertains to a specific issue so I know that this was issued by a specific University so this is interesting of course it is somewhat the transitory scenario because in many cessations it is the same it is a letter management and the government rules from the letter Coburn or who provides this information and we have also studied this but this is very very quick quick win to be in the market really really really in a short term and it is possible it is feasible and it has been implemented so it is really nice the only problem is that it does not provide confirmation of authority to issue a particular claim so we still need to understand if this issuer the this university is legally authorized to issue this kind of credentials so for this scenario we have provided for recommendations of course the idea would be to try to regulate the usage of electronic sales for the issuance of peripheral credentials because otherwise it depends on the international situation alternatively it could be to create the rule in the European level mandatory for member states to allow using electronic seal for any little act that requires intervention of our representative because then it is year who use a qualified seal or an advanced seal also to extend this concept to natural persons or of using seals to avoid privacy problems for instance or considering us authorizing the European level the use of advanced sicknesses and seals basically for certificates for the verification of peripheral credentials to facilitate early adoption so these are very technical recommendations that are aligned are able to facilitate the adoption of this scenario and of course they they might be implemented if Member States want to and it could actually work so probably the system also with very very very feasible scenario and then finally the third finish ultimate scenario is to use the current Vig notes to issue a summary section based on verified credentials that means basically to continue issue using the currently existing infrastructure remember the the architecture diagram but implementing a society in the in the Member State P so in this case I would be alpha ice to use my SSI system to authenticate in in Belgium because my span the spanish government would be accepting ssi between us so the at the end of the day the belgian government is going to receive a sam'l assertion but I'm going to affect the gate by using us and SSI this is interesting because as a it--is framework is about interoperability and it constitutes an identity meta system it would really allow for this so if any me understand wants to start using as a sign for public sector transactions it is perfectly feasible to extend the legal effect of this authentication for the relationship with any other member state so it is really really feasible to do that and they probably the only the only thing we have to do is to produce a specific additional guidance for the assessment of how notified electronically fixture means using a very fallible credential and the representation must must be must be treated but it could be done directly today without changing any legislation of course we have to do a small small adjustments but at least it is not something that implies creating a new law which might mean many months in Europe short term a scenarios not very short but short term scenarios include the use of very fabric ease as iris identification means this is the say the next step so this is not using anymore sam'l s to as a way to interpret between us but use directly the SSI protocol in place to be able to authenticate in any other country so in this case following example if I have an SSI system recognized by the Spanish government I should be allowed to do a presentation directly to the Belgium service provider without issuing any without any intermediary issuing any sam'l assertion so this is the next step if this scenario is implemented we don't need the formal scenario so we don't need any more of a similar scenario so this is a more difficult we don't need to to change the law but we need to approve new technical specifications because now we have a sam'l based that profile that's so now we should create a an SSI profile aligned with the ìitís specification and of course that would mean also to produce a specific additional guidance for the assessment of these modified systems and to standard efficient procedure to include the trusted issues led self-management because then we should be registering the issue as directly on the ledger or at this part of the information and probably even to consider the design of a peripheral presentation for a Ida's authentication that means that if we want to align with the true spirit of SSI we should issue not one big credential with all the information but a set of credentials that can be combined in a very full presentation with all the information required by the ëitís regulation of course this is the technical discussion I'm not saying that we have agreed inside the project that this is the best way and there are lots of ways to do that but it of course if we are going to implement this technology and we are not the society also have a problem at least in my opinion so probably it would be interesting to design this kind of peripheral presentation and to expand the privacy enhancements of SSI and reuse them in the in EE I guess world and the other one is very one experimental someone experience somehow experimental things which is the issue of qualified certificates based on a specific did method if they are not very for credential in this case we take the revelation and say okay is it possible to have a dick method I did and I did method with some information in the document so information in a very far credential and consider it a qualified certificate is this possible we think that it is and we have described how to do that so in this case if this is if this was possible and we think it is then we could offer the possibility to trust service providers to issuing this kind of instrument in support of identification when admitted and in support of electronic signature or electronic sale transactions so the image would be of an evolution then of the ìitís bridge and if the certificate contains this new certificate that contains all the information required by the eyelas minimum data set then it could qualify it also to be admitted for Barry as a verifiable identification means as a very for Riley so this approach would allow us to transition from PKI to TPI and SSI systems one maintaining the market we already have so probably he is a very very very feasible approach we don't need really to change the registration in my opinion of course you will hear different opinions on that let's be clear in my opinion it is possible to do it with an interpretation if we are able to promote a common interpretation of the definition of a certificate in the sense of doing a wide interpretation of the term manifestation and if we are able to provide guidance of how to create this kind of a specific method and how to implement all the information currently required by the EIT regulation for each type of certificate then probably it is feasible to issue what if ID certificates based on disabled API which is something that would be really really really interesting the rest of the scenarios are servers that require yeah the change of the regulation and they are very interested because now we are going to move into new fees for instance one scenario is dealing with the possibility of interchanging digital identity attributes but not for identification but in the sense of a diploma again so in this case we think that the instead of creating different trust frameworks for interchanging peripheral credentials based on sectoral legislation we are defending that we could extend the chapter 2 of the regulation to schemes for the self-managed sharing of other identity attributes so in this case the idea is like in sovereign right so if you are receiving a credentialism because there has been a Oberlin's framework that tends to assure that there is a trusted issuer in there so we have that studied something similar and it could be interesting to create a kind of trusted issuer management scheme to have this information on the ledger so probably this would be a way forward to facilitate the recognition of brief our credentials without the need to understand all the issuer's which are authorized to issue all the different type of potentials in the European Union which which are a lot and we have studied in this use case the DOMA case probably sectoral legislation so we think in that in this case there are some proposals for the modification of the of the other relation and the creation of our new legal rule based on equivalence principle for authorizing the users of verifiable at the station when whenever a little no request the presentation of a document certifying an identity attributes so instead of presenting my academic type diploma in paper I should be able to legally be able to present a brief already station that would be really important to expand the the you see the use usage of these technologies in your map and then scenario seven is again the expanding this a bit more because typically speaking the peripheral stations are issued by by public sector bodies but also by private sector bodies so we think that the possibility would be to create a neutral service-oriented to the issuance of brief evidences with identity attributes but enhance under the responsibility and the liability of service providers so the same way they self defined the identity for identification purposes meaning my name and my surname and my ID card number and these sort of things we think that it could be possible for that happen to certified also other legal attributes they can have enrollment processes on verification checks and these sort of things so this could be interesting because it would increase the market and it would create a new any wider market but with assurances so you could be this it could be a way to introduce the the identity ters framework for a for now from a general perspective for all identity of the buttes and not only for a certification oddly oops so a scenario eight in this case this is very specific one we understand that in many cases you don't want to have faulty information in your hands in many cases what you want is to have this information in the cloud let's say so but in a space control only by you this is the idea of data if you had has been proposed in the in the diff and we have a study the possibility of regulating this identity hubs because at the end of the day they are kind of your repository and but they are under the management of a third party so it would be interesting to expanse the the ones on the principal to have a kind of you know cloud-based space kind of lock place where you control who has access to your data this is something that has already been happening in some European Member States France for instance they have a very interesting revelation for for this and it is another way to deal with identity better Prudential instead of sending the credentials and indicating yourself your credentials you can just give access to the credential in this is based but that means that the man's permissions they produce information with label with little prevalence and they have the flow data enter both a matter manner so we think that it could be interesting to relate this activity so that means yes something that might create I don't think that this is going to necessarily to reintroduce civilization but it could promote public confidence in the usage of these third-party providers services so we have done we are doing some recommendations in the sense and then we have an scenario 9 which is quite weird I have to recognize which is the possibility of reusing the delegated in management relation we already have the European Union so now we have something in the European Union which is an advanced electronic signature with that grants that you must have the exclusive control of your private key and then we have providers that are authorized by using very technical and legal rules to handle your key so they can create at the can generate and they can manage your key but assuring that you still have exclusive control so sorry but in in my opinion it quite quite resembles the idea of having cloud wallets and in fact we have some experiences with called bullets where we don't know who has the control and therefore we have some excited discussions from the legal a legal sense and then we are talking about policies and key recovery and these sort of things so here people it to put the possibilities to study the idea of extending this little concept of a specific control with all the technical is it relation we have behind of it so the to foster the adoption of cloud wallets of course I am perfectly aware that typical speaking the key manasvi management is only happening in your wallet which is in your edge agent so in your phone but probably in the European Union it could be it could make sense in some cases to go for these alternatives so in this case we think that it could be interesting to regulate key management as any in the then through service and here this could be interesting if we align this with the center like a case management technique so probably this doesn't mean that we revealed in the interview centralization but a way to have someone liable for providing you with a decentralized key management service of course this is something so new that we can only propose to do proper study between the traffic alignment between this digital scheme an essential service and the new custodian water provider legislation which is something that is emerging in the que aqui y suspect and finally and that's all for my part today we have a final proposal which is the most pol mega one which is the idea of relating a specific type of DLT node itself as a service so why we are probably pro-pro proposing this well the idea is that the law the legal logic behind behind the either regulation is about generating trust by the by regulating the activity or the technical activity of a provider doing something so in this case in fact we have providers doing something we have companies or with individuals or we have public bodies running nodes with a specific technical configuration for a specific purpose they take they make decisions because they decide with which is which would be the the consensus ing to views they decide the topology of the network they by creating the governance framework and launching the Genesis block they decide from the rule that then who is going to work and at the end of the day they collectively work in the generation of turning evidences so we think that one possibility to generate trust specifically specifically to help the the people in the higher in the using this network for instance their issuers of peripheral credentials could be to regulate the network itself so of course I am NOT saying that this should be the only possibility of course I think that they we should have meant worse with no regulation at all but one possibility which could be good work in the good feet well in the regulation from the perspective of services could be yes to say if you are not providing these services and the services are about providing electronic evidence in support of transactions than you are to service and then you should comply with some rules so this could be a baseline service on top of which of the services could be reliably deployed so the idea if is is to to have a kind of yeah set of nodes which are previously authorized to operate because they have proof that they are applying a set of rules a set of trustworthy rules such as algorithms and these sort of things to then offer a specific little effect and in this case these specific legal effect has to be defined but it is important to understand that it might be connected to the 2d to the privacy legislation so probably the idea the the question remains if this network is designed to provide electronic evidence shouldn't we limit some PII rights such as modification and erasure and the answer might be yes why not if a network is specifically used for providing some type of evidence we should not allow people to exercise an irrational right elusively and this is provided for in the legislation so this now the moment where privacy advocates are going to kill me and I'm sorry all the privacy rights have limits so probably if we design specifically a kind of network to produce a specific electronica businesses then we should limit these rights but for this we need a legislation so probably the only way to these limits is by regulating the net disservice itself so here what we are proposing it just might analyze the possibility of modifying chapter 3 to be listening to service and in this case I have consumers in mind of course because the consumers of the the parties that must be protected and they don't have the the possibility of assessing if the network is running properly and if it is really decentralized and in this if it is really secure and these sort of things and then consider then imposing balanced limitations of previous rights when using these qualifying D of the systems attending to the public interest in electronic evidence supporting legal certainty so of course this is going to require a lot of study I I I'm not I'm also considering that it is a proposal that could be just discarded why not I mean probably it is the most political one but I'm convinced that it is fully aligned with the aim and the spirit and the and the and the the reason we created DTI does especially going to be the services part and probably that means that I am going to to die heat defending it so that's that's awful for my part for today thanks a lot for your time it was a pleasure and so now if you have any other question I missed it here awesome thank you so much not so yeah we have plenty of questions so let us get started here Mohammed is asking how would you explain the difference between European as a side framework and SSI with the Ida's bridge well the latest bridge is really enough change technique of course so because it is of changes something we put off change just as the peripheral credential it is of chain the different speed with all without the other Street is that without the ATIS bridge the peripheral credential is a document that might be questioned into into into the contrary if you put a qualified seal owned by the issuer of the peripheral credential on the Prudential automatically this document must be accepted in all by other European Member States so and if you will get a presumption of authenticity regarding the origin of this peripheral potential in the sense that it was produced by this issuer and you will have a presumption of integrity of this credential and furthermore as you have a qualified certificate associated with the identity of the issuer there is no doubt that this was produced by this issuer and anyone else so in fact the IDIS bridge it is I know of course it is a bridge so it is reducing the all-big high technology probe in the future we we should think how to get rid of it and this is a of the celerity about creating qualified certificates by you see America credentials but us until we don't have this believe me from a legal perspective the value of a sealed briefer credential is much higher okay and then the next question is coming from blass plus is saying why do we need blockchain right now we can sign diplomas we presented with a verifiable credential using Eid they qualified electronic signature okay well that's a good question well it depends so for instance in fact this is a I mean an interesting discussion when when when deeds appeared they were supposed to be on court always in a in a decentralized network whereas a blockchain or any other V scintillation network because they are supposed to support the the self the self management part of the story and I agree so the the important thing for me the important difference between the current systems and the new system the new versus a system is about control in the SSI space it respectively of any of this any solution you take I I have the control I get the credentials I can go the credential and I decide with whom I with who I shared this credential of course you will say that the Diploma issued in PDF provides exactly the same functionality because I can share the PDF with whoever I want and that's true but there are there are lots of differences for instance in the SSI space I am super I I can have a specific syntax to mix up different credentials from different providers to produce a specific presentations I can therefore implement selective disclosure which is interesting I can implement the possibility of well the possibility of sharing not just parts of piece of this information but even zeros proof of this information without any dependence of a third party and at the end of the day even if from a functional perspective there are some some similarities in terms of not depending on anyone the system is really really different of course it will depend on how you design the system if you design a brief or credential to be the same as a PDF you are not gaining much that's true this is why we think that syntax of the attributes normalization of attributes specific semantics for the processing of the attributes the ability of trust trusting directly a referral credential because it has been issued by an issuer who is resistant or Ledger without depending on anyone our key differences excellent I will just add to discussion because I think it's something that that that a lot of people are maybe not aware of that I think the SSI movement if you take it as starkly has been kind of born between 2015 and 16 and it really started in the internet identity workshop and we brewing web of trust the events that take place twice a year and these guys ended and I stood on entity Community Day they kind of got inspired by the blockchain concept because for them it was kind of okay this is the kind of decentralized root of trust that will allow us to to create these dissenters these identity systems and I think this has evolved so much now that what is left of bar chain as part of SSI is really small and it's still needed as a root of trust on for specific use cases but if you check out for example the PD ID presentation which we did I don't know maybe couple of month ago with I think was Daniel Hardman who did it and a lot of different use cases where you might just be able to use peer D IDs and you don't even need source of truth or anything like that or blockchain or ledge or anything like this and it added to that I think there are a lot of questions also about philosophy and ideology and and privacy which will influence how you design that system sort of hard core decentralization privacy privacy loving people will tend to be closer to wanting those independent sources of truth the more a better and and then people who say hey I can trust certain institutions more they will move to another direction so I think this is a big discussion for the future so just wanted to share that quickly not so next question I think this one is brief the you mentioned the United Nations Commission on international trade law the project from them and Peter he's asking what is the name of the project that that you mentioned that was related to identity we need to check out the visitor it is in the in the electronic commerce commission they have I don't know it is quite similar I don't remember the exact name sorry it is a it is a low