Guide: Digital Transformation for Authentic Sources 

How to become an eIDAS high Qualified Electronic Attestation of Attributes Provider

Under new regulation, EU citizens have the right to digitally interact with their governments. This means that all EU governments need to transition their (analog) attributes to a digital counterpart. This applies to PID providers, like IDs, driving licenses and so on, but also to all other governmental authentic sources, like the Land Registry, the Social Service and so on. So what do these parties need to do to become compliant?

What is a (Q)EAA Provider?

A (Qualified) Electronic Attestation of Attributes Provider is an issuer of digital proof of governmental documents. For example, the proof that you own the land your house is built upon. Or the proof that you have a parking permit for your car. This (analog) registration needs to be made digitally available for citizens, so they can view, take and show it, using a digital wallet. 

Governments thus need to make this available to their citizens. This means they need to become a QEAA Provider and start issuing digital certificates that citizens can use to prove their attributes.

What does a government need to do to become a QEAA Provider?

A government needs to take the following steps to become a QEAA Provider:

  1. Organizational: Your organization needs to become a trustworthy organization. Read our guide on becoming a trustworthy organization.
  2. Technological: In essence you need to do the following things:
    1. Issue a certificate of the relevant attribute.
    2. Be able to manage the issued certificate, so make sure you can revoke it, e.g. a driving license that has been revoked.
    3. Be able to handle and verify requests from wallets. How do you know for sure it is the right person asking for the right certificate? Read our guide on managing wallet requests.

To be compliant you need the following modules implemented and certified:

  1. Qualified Electronic Attestation of Attributes Authority

This module is responsible for the workflow of the creation, issuance, renewal, and revocation of digital certificates and verifiable credentials. It orchestrates the workflow and ensures all relevant modules are activated as required by the work order for the relevant issuer/wallet interaction.

  2. Verifiable Credential Issuer Module (CA)

The Verifiable Credential Issuer Module is responsible for the creation, issuance, renewal, and revocation of digital certificates and verifiable credentials. It manages the entire lifecycle of certificates and credentials, including revocation and publishing status to the Validation Authority (VA), ensuring that they are issued securely and in compliance with relevant standards.

  3. Registration Authority (RA) Module

The RA Module works in conjunction with the Verifiable Credential Issuer to verify the identity of credential applicants before the issuance of certificates. It acts as an intermediary, collecting and authenticating user information before forwarding it to the CA for certificate creation.

  4. Validation Authority (VA) Module

Guards the validity of issued certificates. It provides OCSP responses and CRL downloads for certificates, and the corresponding status information for mDL and OpenID4VP (OpenID for Verifiable Presentations) credentials.

  5. Subject Device Provisioning Module

Ensures the proper issuance of QSCDs and wallets, and the interaction that enables issuers to create credentials in certified QSCDs and wallets.

  6. Remote Secure Element and Electronic Signature and Seal Creation Devices Module

Ensures the operation of the HSM components of the QSCDs, wallet and QES in compliance with relevant standards.

  7. Qualified Electronic Registered Delivery Services Module

Ensures that the modules above operate together to enable electronic registered delivery services (eRDS).
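The three technical steps named earlier (issue a certificate, be able to revoke it, verify the wallet's request) and the Validation Authority's status check, worked through as one added example. This is not Ubiqu's code and not part of these guides: the issuer and wallet keys, the `citizen-1` registry entry, the `parking_permit` attribute and the token layout are all constructed; HMAC stands in for the asymmetric signatures and certificates a real issuer, wallet and VA would use, and the bitstring status list is a simplified stand-in for the OCSP/CRL and credential status mechanisms the VA module serves.

```python
"""Minimal model of a (Q)EAA issuer: issue, revoke via a bitstring status list,
verify a holder-bound wallet request. Constructed example, HMAC in place of real signatures."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

ISSUER_KEY = b"constructed-issuer-key"  # stand-in for the issuer's private key


def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(key: bytes, payload: bytes) -> str:
    return b64(hmac.new(key, payload, hashlib.sha256).digest())


class StatusList:
    """One bit per issued attestation; a set bit means revoked."""
    def __init__(self, size: int = 1024):
        self.bits = bytearray(size // 8)
        self.next_index = 0
    def allocate(self) -> int:
        idx, self.next_index = self.next_index, self.next_index + 1
        return idx
    def revoke(self, idx: int) -> None:
        self.bits[idx // 8] |= 1 << (idx % 8)
    def is_revoked(self, idx: int) -> bool:
        return bool(self.bits[idx // 8] & (1 << (idx % 8)))


class Issuer:
    def __init__(self):
        self.status = StatusList()
        self.nonces = {}       # nonce -> (subject, expiry): single-use challenges
        self.registry = {}     # subject -> {attribute type: claims}; the authentic source
        self.wallet_keys = {}  # subject -> key bound to that subject's wallet (stand-in)

    def challenge(self, subject: str, ttl: int = 120) -> str:
        nonce = secrets.token_urlsafe(16)
        self.nonces[nonce] = (subject, time.time() + ttl)
        return nonce

    def verify_request(self, request: dict) -> bool:
        """Fresh single-use nonce, matching subject, proof made with the registered wallet key."""
        entry = self.nonces.pop(request.get("nonce"), None)
        if entry is None:
            return False
        subject, expiry = entry
        wallet_key = self.wallet_keys.get(subject)
        if time.time() > expiry or subject != request.get("subject") or wallet_key is None:
            return False
        signed = json.dumps({k: request.get(k) for k in ("nonce", "subject", "type")}, sort_keys=True).encode()
        return hmac.compare_digest(sign(wallet_key, signed), request.get("proof", ""))

    def issue(self, request: dict) -> Optional[str]:
        """Step 1: issue only when the request verifies and the source actually holds the attribute."""
        if not self.verify_request(request):
            return None
        claims = self.registry.get(request["subject"], {}).get(request["type"])
        if claims is None:
            return None
        payload = {"iss": "constructed-issuer", "sub": request["subject"], "type": request["type"],
                   "claims": claims, "status_index": self.status.allocate(), "iat": int(time.time())}
        body = b64(json.dumps(payload, sort_keys=True).encode())
        return body + "." + sign(ISSUER_KEY, body.encode())

    def revoke(self, token: str) -> None:
        """Step 2: flip the status bit; the token in the wallet is unchanged."""
        self.status.revoke(json.loads(unb64(token.split(".")[0]))["status_index"])


def wallet_request(wallet_key: bytes, nonce: str, subject: str, attr_type: str) -> dict:
    """Step 3 (wallet side): answer the issuer's challenge with a holder-bound proof."""
    req = {"nonce": nonce, "subject": subject, "type": attr_type}
    req["proof"] = sign(wallet_key, json.dumps(req, sort_keys=True).encode())
    return req


def validate(token: str, status: StatusList) -> Optional[dict]:
    """Validation Authority / relying-party check: issuer signature first, then the status bit."""
    body, _, sig = token.partition(".")
    if not hmac.compare_digest(sign(ISSUER_KEY, body.encode()), sig):
        return None
    payload = json.loads(unb64(body))
    return None if status.is_revoked(payload["status_index"]) else payload["claims"]
```

The nonce is removed on first use, so a replayed request fails even though its proof is valid, and a request signed with a key other than the one registered for the subject is rejected before the registry is consulted. Revocation touches only the status list, which is why the Validation Authority's answer changes while the attestation held in the wallet does not.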

Supplemental services for the above modules

  1. Time-Stamping Authority (TSA) Module

In some cases, an Issuer may provide timestamping services. The TSA Module issues trusted timestamps, indicating the precise time when a particular event or action occurred. This can be crucial for applications such as digital signatures.

  2. OpenID Connect and OAuth2 Module

Serves verifiers, issuers and internal services by issuing access tokens based on a previous presentation, so that operations after validation are secure and efficient.

  3. Audience Management Module

Some data and verifiable credential content needs to be protected for confidentiality and not only integrity. This module facilitates audience management and ensures compliance and assurance at the same level as for integrity.

  4. Preservation Service


  5. Audit and Logging Module

The Audit and Logging Module records events and activities related to certificate issuance and management. It supports auditing processes and helps in identifying security incidents or policy violations.
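A tamper-evident log of the kind the Audit and Logging Module needs for "identifying security incidents", as an added example that is not part of these guides and not Ubiqu's product code. Each record carries the SHA-256 hash of the previous record, so `verify()` reports the first record that was altered, deleted or reordered after the fact, and a simple policy query flags revocation events by an actor outside an allowed set. The event names, actor identifiers and the allowed set are constructed.

```python
"""Hash-chained audit log for issuance and revocation events (constructed example).
Each record stores the SHA-256 of the previous record, so a later edit,
deletion or reordering is detected by re-walking the chain."""
import hashlib
import json
from typing import List, Optional, Set

GENESIS = "0" * 64  # previous-hash value used for the first record


def _digest(record: dict) -> str:
    # Canonical JSON (sorted keys) so an identical record always hashes identically
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.records: List[dict] = []

    def append(self, event: str, actor: str, details: dict) -> str:
        """Append an event; its hash covers seq, content and the previous record's hash."""
        prev = self.records[-1]["hash"] if self.records else GENESIS
        record = {"seq": len(self.records), "event": event, "actor": actor,
                  "details": details, "prev": prev}
        record["hash"] = _digest(record)
        self.records.append(record)
        return record["hash"]

    def verify(self) -> Optional[int]:
        """Return the index of the first broken record, or None if the chain is intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            unhashed = {k: v for k, v in rec.items() if k != "hash"}
            if rec.get("seq") != i or rec.get("prev") != prev or _digest(unhashed) != rec.get("hash"):
                return i
            prev = rec["hash"]
        return None


def unauthorised_revocations(log: AuditLog, allowed_actors: Set[str]) -> List[dict]:
    """Policy query over the log: revocation events recorded for an actor outside the allowed set."""
    return [r for r in log.records if r["event"] == "revoke" and r["actor"] not in allowed_actors]
```

Anchoring the latest hash somewhere outside the log (a qualified timestamp from the TSA module, or a separate write-once store) is what stops an attacker who controls the log from simply recomputing the whole chain after editing it; the chain alone only proves internal consistency.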

Guide: What is a QTSP?

In this article we will explain what a Qualified Trust Service Provider is. The official eIDAS definition outlines a qualified trust service provider (QTSP) as either a natural person or a legal entity offering one or more qualified trust services.

The primary objective of the eIDAS Regulation is to establish a comprehensive framework for secure, reliable, and straightforward cross-border electronic transactions. Qualified trust services play a crucial role in achieving this objective, given their recognized legal validity at the European level.

To attain the status of a QTSP, an entity must undergo an independent conformity assessment and audit conducted by an accredited institution (recognized by the national accreditation body) under the EU eIDAS regulation. This assessment covers aspects such as security, trust level, and service quality. These regulations aim to foster trust among consumers and businesses, encouraging the utilization of certified trust services.

Typically, the higher cost associated with qualified services stems from the reversed burden of proof in any disputes. Hence, QTSPs are obligated to verify the accuracy of the services they provide.

A trust service encompasses:

  • Creating, verifying, and validating electronic signatures, electronic timestamps, and certificates related to these services, all in compliance with the requirements set by the eIDAS Regulation.

However, a QTSP, having obtained qualification from a supervisory body, can offer ‘qualified’ versions of these services, which include:

  • A Qualified Electronic Signature: An advanced electronic signature created by a qualified electronic signature creation device based on a qualified electronic signature certificate. It adheres to the same definition as an Advanced Electronic Signature and involves specific requirements such as the issuance of the user’s digital certificate by a trusted Qualified Certificate Authority and the management of the user’s signing key within a trusted Qualified Signature Creation Device (QSCD).
  • A Qualified Timestamp: Provides certainty about the existence of specific electronic data at a particular moment, such as evidence of document submission or invoice issuance.
  • A Qualified Electronic Seal: An advanced electronic seal created by a qualified electronic seal creation device, allowing legal persons and corporations to authenticate automated administrative actions, like mass signing of official documents.

Engaging the services of a Qualified Trust Service Provider offers several advantages to an organization, including:

  • Substantially reducing the risk associated with electronic transactions.
  • High insurance against disputes, resulting in decreased liability for the company.
  • Assurance that transactions are legally binding across EU borders.
  • Receiving a higher quality of services.

One of the key goals of the ‘qualified’ status is to achieve cross-border interoperability and recognition of electronic products and trust services across all EU Member States. Hence, a qualified product from a QTSP based in any Member State is considered qualified in every Member State.

Ubiqu provides technology to multiple QTSPs in order for them to provide electronic signature and seal validation, timestamping services, and certification for validity, ensuring adherence to the highest standards of confidence and trustworthiness, and compliance with the eIDAS regulatory requirements for qualified trust services. We also offer a Qualified Signature Creation Device that meets the certification requirements outlined in Annex II of the eIDAS Regulation for qualified signature and seal creation devices.

Guide: How to onboard and collect PID information using EUDI Wallet

What you need to know to get your digital identity

Introduction

Under new regulation, EU citizens have the right to digitally interact with their governments. This means that all EU governments need to transition their (analog) attributes to a digital counterpart. This applies to PID providers, like IDs, driving licenses and so on, but also to all other governmental authentic sources, like the Land Registry, the Social Service and so on.

All EU Citizens will have the right to EUDI Wallet. So how do you get onboarded?

Step 1: Get a physical ID card or passport from your local government.

Step 2: Scan your ID with your phone: All newly issued ID documents contain a chip which can be read with your phone.

Step 3: Scan your face with your phone and match this with the information in your ID. This way it is proven it is really you.

Step 4: Connect this match with the Personal ID database of your government. This way it is proven that your ID is genuine and not expired or revoked. 

Step 5: Make it portable. Now you have proven it is really you, you want to store this information securely and use it whenever you want. Otherwise, you would have to do steps 1-4 every time you log in at your government, bank or other service. Read our guide on making an ID portable.

Guide: How to make your digital identity portable?

Introduction

Under new regulation, EU citizens have the right to digitally interact with their governments. This means that all EU governments need to transition their (analog) attributes to a digital counterpart. This applies to Personal ID providers, like IDs, driving licenses and so on, but also to all other governmental authentic sources, like the Land Registry, the Social Service and so on.

All EU Citizens will have the right to EUDI Wallet. But how do you make sure that after onboarding, you can stay logged in, without compromising your safety and privacy?

There are a couple of options:

  1. Software token: You can store your private information in a software token. The problem is that it is not really secure and can be compromised. Therefore it will not be certified at the highest level, and thus you cannot log in to your government in the near future.
  2. Hardware token: This is the safest option. By storing your information in an encrypted physical token you enjoy the highest security. But you need to carry it with you all the time which is a hassle, plus you could lose it. 
  3. Internal phone chip: This could be an option, except it misses the right certification. The second problem is that as it is in your phone, in case it gets compromised, all phones of the same type are not safe anymore. 

So the most ideal solution would be a hardware token that is always accessible but that you do not have to carry with you. That is why Ubiqu introduced the Remote Secure Element. You can upload your personal data to this element and access it any time you want. This way you can conduct notary-worthy actions, with the simplicity of a PIN code.