Specialist Task Force 588:
Identity Proofing for Trust Service Subjects
Who we are:
- Ms Rayissa Armata, IDnow GmbH, firstname.lastname@example.org
- Mr Armin Bauer, IDnow GmBH, email@example.com
- Mrs Paloma Llenaza, Certicar, firstname.lastname@example.org
- Mr Stephane Mouy, SGM Consulting Services, email@example.com
- Mr Jon Ølnes, Signicat AS, firstname.lastname@example.org
What we do
The STF working area is identity proofing, which is the process of initial and recurring verification of a person’s identity .
This frames within the EU Commission’s Communication on ICT Standardisation Priorities for the Digital Single Market that has cybersecurity as one of five prioritised areas, including “trust in seamless electronic identification”. This is further reflected in the 2019 edition of the Annual Union Work Programme for standardisation (AUWP) and the 2019 version of the EC Rolling Plan for ICT Standardisation (ICT RP). In particular, the STF’s work aims to respond to the policy area “Electronic identification and trust services including e-signatures” of the “Key enablers and security” cluster of the ICT RP. Action 2 of this policy area calls for European standardisation organisations to update existing standards and to develop additional ones in order to address the requirements of the eIDAS regulation(*). The actions of the STF are fitting within the scope of additional standards.
Indeed, identity proofing, ensuring that a person’s digital identity represents the correct person, is crucial for trust in all digital services that require identification of a natural or legal person.
The scope of the STF mission is to produce specification on identity proofing for trust services as defined by eIDAS, in particular for issuers of qualified and non-qualified certificates supporting electronic signatures, electronic seals or website certificates. It needs to be aligned with, and to further support the ETSI EN 319 411 parts 1 and 2 providing policy requirements for Trust Service Providers (TSP) issuing such certificates.
The results of the STF’s work may however be applicable also in other areas such as issuing of electronic identity (eID) and know-your-customer (KYC) processes in various industries.
(*) Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
For more details, see our Identity Proofing for Trust Service Subjects Terms of Reference
Why we do it
The current European standards published by ETSI on trust services specify identity proofing only by generic requirements like “physical presence” or “means which provide equivalent assurance as physical presence”. Physical presence as a benchmark is not well-defined as no requirements are posed neither for the quality of physical identity documents nor for the competence or procedures to be carried out by the person performing the check. What constitutes equivalent assurance as physical presence is up to subjective judgement. Consequently, practices for identity proofing for trust services vary a lot across the EU Member States, hampering provision of trust services in the internal market. In particular, guidelines for remote identity proofing are needed to avoid cumbersome and expensive physical presence procedures when possible.
Also, the eIDAS Regulation establishes a common internal market for (qualified) trust services but still leaves identity proofing largely to “being recognised at national level”. This hampers the market situation greatly since a trust service provider may need to adhere to different requirements for different markets. Furthermore, acceptance of remote identity proofing is not guaranteed in all EU member states; some may still insist on physical appearance as the only means, unless the subject is already in possession of a strong eID or qualified signature/seal means.
While standards are not mandatory under eIDAS or any other legal environment, the existence of standards will provide a reference against which national regulations can be measured and even challenged. In the absence of national rules, a situation that exists e.g. in quite some EU Member States, standards can be used to establish acceptance criteria for conformity assessment bodies and supervisory authorities..
How we do it
During a first phase, the STF will gather information from different sources, including national agencies developing requirements, product and service vendors, research and academic environments, and relevant existing specifications. Physical meetings are not expected to be carried out; digital means including online meetings will be sufficient.
A lot of information is already known about entities that have published or are working on specifications in the identity proofing area. The survey done in this phase will identify yet more. E.g. the EC has established a Commission expert group on Electronic identification and remote Know-Your-Customer processes (E03571). A liaison with this group will be sought. At EU level, also ENISA will be consulted.
National authorities, supervisory authorities for trust service providers, security authorities and possibly other authorities will be consulted and kept informed. Several countries have national specifications developed by national authorities.
Vendors of products and services for identity proofing will be consulted.
Conformity assessment bodies (CAB) have experience in assessing existing practices for trust service providers. Some CABs are actively participating in TC ESI, but also other CABs will be consulted.
The results of the technology survey of phase 1 will be included in a technical report. The draft version of the technical specification to be produced in phase 2 will be made publicly available for public comments.
During a second phase, the results of the survey will be compiled into the technical specification ETSI TS 119 461 specifying policy and security requirements for the operation of identity proofing systems. The stable draft of this document will be provided for public review in order to collect feedback from stakeholders in the market. The comments will be addressed to produce the final version pf the policies.
Co-ordination with TC ESI will be sought regarding global applicability of the STF results. The STF reports to the ETSI TC ESI (Technical Committee Electronic Signatures and Infrastructures), according to the planned TC ESI meeting agenda and additional dates agreed by the TC ESI chairman.
TC ESI will play an active role in steering and contributing to this work. A steering group composed of interested TC ESI members is foreseen to supervise the work.
The E_SIGNATURES_NEWS mailing list of ETSI will be used to disseminate information to stakeholders. Some particularly important stakeholders may be informed by direct contact if needed, both for consultation and at specific milestones of the STF work.
The STF shall produce one Technical Report (TR) and one Technical Specification (TS). The proposal is to schedule the work in two phases, the first phase surveying regulatory requirements and technologies (TR production) and the second phase producing the TS.
Phase 1: Perform a survey of technologies and regulatory requirements for identity proofing for trust service subjects, summing up the results in the technical report ETSI TR 119 460 Electronic Signature and Infrastructures (ESI); Survey of technologies and regulatory requirements for identity proofing for trust service subjects. This document will survey the technologies, legislations, specifications, guidelines and standards related to or used for identity proofing. Stakeholders will be identified and categorized. Information will then be gathered from sources such as national agencies developing requirements, product and service vendors, research and academic environments, and relevant existing specifications.
Phase 2: Produce the technical specification ETSI TS 119 461 Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects. This document is aimed to cater for as wide as possible approaches to identity proofing avoiding requirements for specific technical solutions whilst maintaining a consistent level of security. This can be used for conformity assessment of a trust service provider which includes this service component as part of its service or can be used for conformity assessment of a specialized provider of identity proofing supporting other trust service providers. The document specifies best practices for security supporting different technological approaches, and possibly for different assurance levels.
The expected time scale for the production of the deliverables is 18 months, including the following (intermediate) milestones:
|Task / Milestone / Deliverable
|| Target date
|Start date for the STF
||06 April 2020
|TR Identity proofing survey stable draft
|| 31 July 2020
|TR Identity proofing survey approval by TC ESI
||05 November 2020
|TR Identity proofing survey publication
||18 December 2020
|TS policy requirements for identity proofing stable draft (available for public review)
||18 December 2020
|TS policy requirements for identity proofing approval by TC ESI
||31 May 2021
|TS policy requirements for identity proofing publication
||31 July 2021
For further information or question, do not hesitate to contact us, using the eMail addresses provided above ( Who we are)