
D3.6: Study on ID Documents


 

A Regulatory Framework for Entity Authentication and Pan-European eIDs?

Introduction

The Porvoo Group is an international cooperative network whose primary goal is to promote a trans-national, interoperable electronic identity, based on PKI technology (Public Key Infrastructure) and electronic ID cards, in order to help ensure secure public and private sector e-transactions in Europe.

Among the topics discussed at the Porvoo 7 seminar, held in Reykjavik in May 2005, was a discussion paper by Thomas Myhr entitled “Regulating a European eID. A preliminary study on a regulatory framework for entity authentication and a pan European ID”.

Hereafter we briefly summarise this study, as well as the comments on the report, some of which were presented at Porvoo 8 in Brussels in October 2005.

 

Context of the Study

Myhr contributed to the eAuthentication workshop organised by CEN/ISSS in December 2004, which aimed at developing a strategic vision towards an electronic ID for the European citizen.

Regarding legal aspects, their main observation was that, although an architectural model, standards and technical specifications exist, there is no European regulation in the field of electronic (entity) authentication. This term, which is further explained below, is often used as a synonym for identification.

The advice of CEN/ISSS was to rely as much as possible on existing regulation. In addition, they pointed out a number of topics which, in their opinion, should be regulated within a so-called European eAuthentication framework.

The Myhr study, which is discussed here, has clearly been inspired by the discussions with CEN/ISSS (same topics, same conclusions). It was prepared for and accepted by the Porvoo Group.  

At Porvoo 8, the group decided that the report should be included in the Porvoo eID requirements.

This leads us to the key question of the report: what suggestions do Myhr, Porvoo and CEN/ISSS make in regard to a regulatory framework for entity authentication and a pan European eID?

 

Using the Existing Regulation as far as Possible

Their first proposition is that the existing regulation should be used as far as possible. The report examines whether the e-Signature Directive can be applied to the context of (electronic) identification.

Before we explain Myhr’s opinion in this regard, we should first say something about the two central concepts of the report: signatures and identification.

Technicians use the term “signature” as a synonym for digital signature. They understand it as a cryptographic primitive, which is fundamental to authentication, authorisation and non-repudiation. In a technical context, the purpose of a (digital) signature is to provide a means for an entity to bind its identity to a piece of information. The process of signing entails transforming the message and some secret information held by the entity into a tag called a “signature” (Menezes, Van Oorschot, Vanstone 1997).

Depending on the usage of the signature, the signed message can be used for authentication. Authentication is typically subdivided into two separate classes: 

 

  • data authentication, to corroborate the origin and the integrity of data (e.g. a contract) and 

  • entity authentication, to corroborate the partial identity of an entity and a set of its observed attributes. This process is referred to as “identification”.

 

With regard to digital security, non-repudiation means that it can be verified that the sender and the recipient were, in fact, the parties who claimed to send or receive the message, respectively. In other words, non-repudiation of origin proves that data has been sent, and non-repudiation of delivery proves that it has been received.

Lawyers have a different conception of a signature. For them a signature is in the first place (there are exceptions) a handwritten depiction of someone’s name (or some other identifying mark) that the person writes on data – typically documents – as a proof of identity and will.

Dr. Patrick Van Eecke’s doctoral thesis on this topic came to the conclusion that there are a limited number of universal reasons why signatures are used in a legal context, namely:  

  • to identify a person (identification),

  • to provide certainty as to the personal involvement of that person in the act of signing (non-repudiation), and

  • to associate that person with the content of a document (expression of one’s will) (Eecke 2004).

 

The e-Signature Directive does not deal with the (legal or technical) usage of signatures as such. It explicitly states that it does not intend to cover the question of legal recognition of electronic signatures, or aspects related to the usage of electronic signatures.

The Directive defines the term electronic signature as follows: “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication” (Art. 2(1) of the Directive).

 

The central question in the Myhr report is whether the e-Signature Directive covers only electronic data authentication signatures, or also electronic entity authentication signatures.

Myhr is convinced that entity authentication signatures should not be excluded from the application field of the Directive, because of the broad definition given to electronic signature. 

He underpins his theory by stating that the ETSI standard supporting the Directive (X.509 v3) also includes the usage of the X.509 certificate for entity authentication alone.

We will not go into the discussion in detail, but only mention that opinions diverge. Also, even if Myhr were right, this thesis seems to have little practical relevance, because the key provisions of the Directive (as discussed in the report) are principally relevant in a data authentication context:

 

  • Article 5.2 is a non-discrimination principle regarding the legal effect and admissibility of electronic signatures in legal proceedings and  

  • Article 5.1 guarantees legal equivalence with paper-based signatures for a specific kind of electronic signature (“qualified electronic signatures”).

 

Myhr also examined what should be regulated if one disagrees with his thesis, and concluded that the answer is a legal rule on the electronic equivalence of (offline) identification. He believes that the closest one can get to such an electronic equivalence is to ensure that it is not disqualified solely because it is in electronic form.

In addition to such a rule, Myhr considers that other issues need to be addressed in one way or another to achieve a functional legal framework for entity authentication and the use of a pan-European eID. These issues are briefly summarised hereafter.

 

Key Issues When Drafting a Directive on Authentication

 

fidis-wp3-del3.6.study_on_id_documents_03.sxw, Denis Royer, 25 / 56