Ensure Electronic Signature Legality for Affidavit of Identity in European Union

How to eSign a document: electronic signature legality for Affidavit of Identity in European Union

hello again everyone we're on to now day three of authenticate welcome everyone um so this morning our first uh presenter oh before i get started on that uh just a reminder that you have your cvent app and the cvent portal on the online that you can use to submit questions which you can do even in the room or you can do if you're remote so our first presenter this morning is sebastian ilfor he's the senior solutions architect from yubico and he's going to be talking about revised ei-das regulations and the eu digital wallet sebastian is remote so he'll be up on the screen in just a moment thank you everyone i work as a senior solutions architect at cubico and i'm going to present to you today the revised adas regulation and the eu digital wallet so first of all here's an overview of the aidas regulation and the eu standardization organizations that we have been interacting with first of all here's an overview of the adas regulation from 2014. so on the left hand side we have the electronic identification pillar it consists of three items the first item is cross-border access for citizens to public services in the eu and what that means essentially is that every eu citizen should have the possibility to access any public service in the eu and that is achieved by using so-called nodes and the adas nodes are based on a product called called summer version two there are low substantial and high reference levels low means essentially username password substantial is one time passwords typically while high represents dynamic cryptographic protocols and hardware authenticators so fido can be applied on the high assurance level notification of national eid schemes by the eu communication that means essentially that for every eu country that has a national eid scheme these schemes can be notified by the eu commission and then they can be used for this cross-border access on the right hand side we find the qualified travel service providers so-called qtsps and the one that matters the most for fido that is signature and steel creation in particular when it comes to remote signature and segregation and i will come back in a moment to what that means the eu standardization organizations that we have been working with and matters in in this context is on the left hand side etsy let's see that is the european telecommunications standards institutes and etsy plays a big role here they create the technical standards reports and policies for adas so they have created roughly 70 specifications on signatures time stamping certificate profiles trust service provider policies and so forth it's a very technical organization in the middle we have sen that means the european committee for standardization and there is one working group called sun technical committee 224 and that is the working group that works on the adas standards some they have developed in particular comic criteria profiles for qualified signature creation devices so called qscds policies for certification authorities and common criteria profiles for all of that on the right hand side we have elisa and that is the eu cyber security agency inisa is responsible for the eu cyber security act and implementing that in in the entire european union in esa they have created policies and guidelines for adas like analysis of trust service providers analysis of the id schemes curiosities and so forth so the final alliance has interacted with first of all the e-commission itself and all of these standardization organizations in 2020 prior to the a distribution and we have also worked with them um after the a distribution came out the purpose of all of this has been to promote fido as an authentication protocol for the alas services so how did we do that yeah first of all we have submitted feedback to the eu commission that was a so-called adas inception impact assessment and what we did there was we took the find alliance a lost white paper we packaged that and we wrote it a little bit and we sent it to to the european commission then when it comes to etsy we were invited to provide feedback to the etsy technical report 119460 and that report was about remote identity proofing and i will come back to you in a minute what the result became of that when it comes in esa we had a couple of meetings with anissa in particular to strengthen the case that fido can indeed be used as an adas eid scheme high protocol and we will also submit a defined alliance white paper to them so the result of all of this is in february 2021 etsy issued the technical report 119 for stick hero and that is all about identity proofing in the eu remote identity proofing i should say and we provide a feedback to that report both as the fire alliance itself and also a couple of memory companies and what happened is that the finalized adas white paper is now referenced in the etsy report which means that fido has become recognized for adas which is actually the first time that happens for etsy and at the bottom you can find a quote from the etsy report where they referred to the finalized white paper so they now recognize file to be used for eid level high second initial came out with a report in march 2021 and they also should report on the same subject remote identity proofing and they actually referred to the ads report in that document and as i mentioned before we gave them feedback in a meeting in 2020 and it gave results so fighters now also referenced as an eid scheme and the initial report and we have also described this in a blog post which is linked right here in the presentation and here you can also find a quote in the initial report furthermore we have proposed that fido can be used for secure access to a remote sign in qtsp so what is all of that so yes on the right hand side you find the qualified trust service provider which can be used for signing documents centrally no in the cloud that is so the user on the left hand side has the document to be assigned and the file authenticator so the user can use fido 2 in order to authenticate to the web of fan relying party here in the cloud in the qtsp by using this 502 authentication the ssa which means the signature server application can connect to the hsm the hardware security module whereby the final authentication session can be used by the signature activation module in the hsm and that can in turn be used for unlocking the private key in the qrcd meaning that the document that was originally submitted from the user here can be sent all the way to the qcd where it's hashed and created with a qualified electronic signature the final can be used for this secure authentication process moving on a bit so the findings and the results of the alas revision was published in june 2021 after two years of public service and expert committees and the fine alliance has participated both in the public service and also in the expert committees to some extent so the findings are the following first of all there were a couple of issues with the eid schemes there are quite a few member states that have recognized the eid schemes on eu level it's 19 member states at the moment which is not as much as the eu has hoped for it's very low cross-border interoperability in fact it's only about 50 000 transactions per year in the entire european union that are cross-border which is a very low number of course there was a couple of privacy issues with the eids meaning that if you have an x-519 certificate the entire certificate will be exposed if you authenticate or identify yourself to service so all of those issues should be addressed there are also a couple of gaps when it comes to trust service providers in particular when it comes to authenticate securely and the reason is that when the cucumber cd was created for adas in 2014 it was only a local qcd that was specified so the remote qcd that is something that should be created and defined in ada's version 2. there's also need to harmonize with the eu changing legal landscape so first of all we have the eu cyber security act that came out in 2019 so there's an interest to harmonize the ada's regulation with with this act of course there's also a new directive called the eu needs directive and there is also a nice two director coming out and that directive means that if a qualified trust service provider needs to report data they can do so under the knees directive instead furthermore we have the eosing digital gateway regulation that will also create a push for digital identification on the internet and that will come in force in 2023 24 so that could also be a way to push for identification and finally there are a couple of technical standards that have emerged since ada's came out 2014 in particular we have of course the the web of fan style that we have 502 there's also the openid connect standard so there are quite a few very good robust technical standards that have been implemented in in many many operating system that adas could take into account so the improvements in the revised data's regulation are the following first of all we have the eu digital identity wallet that is the major breakthrough i should say in adas version 2. the e-digital identity wallet will be mandatory for all eu member states to provide identity wallets previously it was voluntarily to issue an eid on the national level now it will become mandatory there is a common tool box that will standardize this eu digital identity wallet and there is an adas expert group that is currently working on that standards are not yet defined but uh in the a-los reports that were produced in june there are also indications that w3c verifiable credentials could be used for the digits of wallets there are also they also mentioned the european blockchain service infrastructure called ebci where you can put the credentials that have been issued under w3c standard and there is also european self-service self-sovering identity framework and so forth so there are quite a few standards out there that can be reused in order to develop these digital identity wallet finally there are a couple of privacy issues to be addressed as i mentioned before and one solution to that will be if you only want to present a couple of attributes for example your age that could be possible to expose only so you don't have to reveal the entire id the authentication to remote signature services will also be improved so there are a number of some standards that have been created and they will now formally regulate and also legally in the a dos version two regulation how authentication to remote qcd can function and that's where the signature activation module comes to play finally we have harmonization with other e-regulations so the eunice directive is it's a very good candidate to be used for this harmonization there's also a new certification scheme coming out eucc it's an eu coming criteria certification scheme that can be used also for uh you need to identity wall nuts and such products and finally the eu signal digital gateway regulation can also create a push for a dos version 2. the e-digital wallet ecosystem looks like this in the middle we have the ear wallet itself it is a national eid and it contains attributes such as age gender owner of driving license can be your profession if you're an engineer your tax residency and so forth and in order to get these attributes and credentials there are a number of trusted sources here could be national eid issuer tax register a professional company and so forth and all of them can of course issue credentials and attributes to this wallet that will be gathered here the use cases are on the other hand you can access e-cab and e-health applications could be access to different platforms could be private platforms and public platforms uh could be access to financial services and many many more use cases the timeline for aida's rollout is estimated as follows so it was adapted in june 2021 so the past three months there has been agreement on process and working procedures and that's where etsy in these esi sun and eu commission where they have agreed how to move this forward the work that's going on currently from september to december is agreement on technical architecture outline and etsy had a workshop last week where the file alliance participated and we presented a file it can be used in such an ecosystem so we're making pretty good progress on that front then the three months after that there will be identification of specific technical architecture standards and so forth so then the standards will be written so speak then the coming 12 months there will be pilots and the robot will happen in 2023 to 2024. this time is of course tentative but if this is the estimate that we have at the moment so how do we interact with the eu right now so we have created an ada's task force to interact with etsy the eu commission and nisa that is a task force that sorts under the fine alliance european working group and the purpose here is of course the primo mode file as a protocol for the eu digital wallet ecosystem and for other services in alas version 2. so the potential standards that we are considering is first of all of course fido and web of fan that's what we're coming from it's quite likely that w3c verifiable credentials and presentations will be part of the eu digital wallets and we are also looking to the selfish openid connect sciop protocol and the reason for that is that the iso mobile driving license will also rely upon a psyop so in order to get the interoperability with the mobile driving license system this is a pretty good candidate to work with so here's an overview of how to register with fido for for the e-wallet by using sciop w3c and fido so first of all the holder identified himself or herself to the qtsp up here the qtsp can host a wallet the so-called sas wallet or the wallet can also be present on the device so the enrollment can either take place centrally here to qtsp or locally at the device file can be used as part of the enrollment meaning that you use fido in order to download the w3c credentials to their local wallet final can also be used for remote online identification as well the verifiable credentials are put on a blockchain and then in step 3 we can use open id in order to register either the qtsp with the e-wallet or the device with a wallet to a relying party the other scenario that we have considered is online file authentication for you wallet and in this case we are considering a hosted sas e-wallet at the issuer so what happens basically is that the user the holder tries to use a device use online access to the rely priority the reliable party will then return an id2 can request in an open id siob format file will be used in step 3 for the authentication from the device and in step 4 there is the identification step with pin or biometrics meaning that the credentials will now be released up here in the hosted wallet and finally the id response will be submitted back as a verifiable presentation to the relying party where it will be validated in conjunction with a verifiable credential from the blockchain finally we have the offline authentication this is the last slide so first of all the user uses an out-of-bound authentication for authentication to use file. in order to retrieve the attributes in w3c format the pin code or bio is used here as well for the identification in step three there is an offline access request that can be done over nfc or bluetooth for example and here in step four open id can be used in order to get the id request and since we now have downloaded the credentials the id response can be submitted with a verifiable presentation to the reader where it's verified in step 5b with a credential that was my last slide so i think we can open up the floor for questions sebastian do we have any yes we have one question here from the audience hi this is daryl goyce can you speak to apple and google wallet versus eu wallet are they different is it a public option is that by design or will they be working together the google and the apple wallets they are mainly intended for financial transactions while the eu digital wallet will have a much broader scope um so it could be that there will be a cooperation on particular on the financial side but the eu digital wallet will also contain more information in particular by the quts peace around the european union no hey sebastian mathias here um which did method are you suggesting using with fireball credentials you're using your own blockchain or european blockchain i think that is software discussion in the adas expert group so there will be a blockchain of course it could be the ebsi which is the european union blockchain system that is quite likely that is what is referred to in the adas report that came out in june but it remains to be seen the standardization work is progressing as we speak so we will see what come out of that standardization work thank you do we have any other questions no i think we're done so sebastian thank you very much um great presentation thank you thanks for having me