SSI EIDAS Legal Report


SSI eIDAS Legal Report
How eIDAS can legally support digital identity and trustworthy DLT-based transactions in the Digital Single Market
Dr. Ignacio Alamillo Domingo
April 2020
Blockchain / DLT Technologies

EUROPEAN COMMISSION
European Commission
B-1049 Brussels
2020

SSI eIDAS Legal Report
How eIDAS can legally support digital identity and trustworthy DLT-based transactions in the Digital Single Market

INTERNAL IDENTIFICATION
Specific contracts 003604 and 003491 under Framework Contract DI/07445-00 (STIS IV)

DISCLAIMER
This document has been prepared for the European Commission; however, it reflects the views only of the authors, and the Commission cannot be held responsible for any use which may be made of the information contained therein.

The work was co-funded by the ISA2 programme, as part of the Innovative Public Services action, and the CEF Digital programme, in the context of the European Blockchain Services Infrastructure building block. The H2020 EU Project OLYMPUS, under Grant 786725, supported part of this work.

The author is Dr. Ignacio Alamillo Domingo (Astrea La Infopista Jurídica), Lawyer, CISA, CISM, researcher at iDerTec (University of Murcia).

More information on the European Union is available on the Internet (http://www.europa.eu).

2020


Table of contents

Table of contents (p. 1)
Table of figures (p. 3)
Glossary of terms and acronyms (p. 4)

Part 1. An introduction to Self-Sovereign Identity (p. 8)
1. The transformation of digital identity (p. 8)
2. Self-Sovereign Identity (p. 12)
3. SSI and trust governance (p. 21)

Part 2. The eIDAS Regulation (p. 23)
4. The legal regime of electronic identification means for cross-border transactions (p. 25)
4.1. Legal concept of electronic identification (eID) (p. 26)
4.2. The scope of the eIDAS Regulation and its relationship with national law (p. 30)
4.3. Eligibility criteria for the notification of electronic identification schemes (p. 33)
4.4. The legal effect of notified electronic identification means (p. 55)
5. The legal regime of electronic signatures and electronic seals (p. 60)
5.1. Electronic signatures and seals (p. 60)
5.2. Advanced electronic signatures and seals (p. 63)
5.3. Qualified electronic signatures and seals (p. 66)
5.4. The legal effect of electronic signatures and seals (p. 71)
6. The legal regime of trust services (p. 79)
6.1. The eIDAS characterisation of trust services (p. 79)
6.2. The eIDAS regulatory model for trust services (p. 84)
6.3. Issuance of electronic signature/seal/website digital certificates (p. 86)

Part 3. Legal scenarios related to SSI & eIDAS (p. 90)
7. General legal considerations (p. 91)
7.1. Regarding the legal value of verifiable credentials and their presentations (p. 91)
7.2. Legal assessment of DIDs, DID documents and DID control keys (p. 93)
8. Legal assessment of very short-term scenarios (p. 95)
8.1. Use of notified eIDAS eID means and qualified certificates to issue verifiable credentials (p. 95)
8.2. eIDAS Bridge: increasing verifiable credentials' legal value and cross-border recognition (p. 101)
8.3. Use current eID nodes to issue a SAML assertion based in verifiable credentials/presentations (p. 104)
9. Legal assessment of short-term scenarios (p. 106)
9.1. Use of Verifiable IDs as eIDAS electronic identification means (p. 106)
9.2. Issuance of qualified certificates based on a specific DID method and verifiable credential (p. 112)
10. Legal assessment of mid- to long-term scenarios (p. 118)
10.1. Extend the eIDAS notification mechanism to verifiable attestations: enhanced trusted issuers management (p. 118)
10.2. Regulate the issuance of verifiable attestations as a trust service (p. 124)
10.3. Regulate the activity of identity hubs as a trust service, in support of SSI-based once only principle (p. 126)
10.4. Regulate delegated key management as an independent trust service, in support of remote wallets (p. 130)
10.5. Regulate a specific type of DLT node as a trust service (p. 134)

References (p. 138)

Table of figures

Figure 1. Relationships between DID, DID document and subject (Reed & Sabadello, 2020) (p. 15)
Figure 2. Verifiable Credentials and Presentations conceptual map (Alamillo Domingo, 2019b) (p. 16)
Figure 3. Self-Sovereign Identity Management Model in Blockchain (Bernal Bernabé et al, 2019) (p. 17)
Figure 4. Identity management methods evolution over time, according to privacy preservation capabilities (Bernal Bernabé et al, 2019) (p. 17)
Figure 5. Proposed taxonomy of crypto-assets (Arslanian & Fischer, 2019) (p. 19)
Figure 6. Use cases and actors for identity management (Kuperberg, 2019) (p. 20)
Figure 7. Compliance and liability criteria (Kuperberg, 2019) (p. 20)
Figure 8. SSI trust relationship (Mühle et al, 2018) (p. 21)
Figure 9. Electronic identification conceptual map (Alamillo Domingo, 2016) (p. 29)
Figure 10. Risk matrix considered in IDABC (p. 38)
Figure 11. The need to define common authentication assurance levels in STORK (p. 39)
Figure 12. Relevant factors for QAA levels in STORK (p. 40)
Figure 13. Authentication assurance levels mapping in STORK (p. 40)
Figure 14. eIDAS Regulatory model conceptual map (Alamillo Domingo, 2019a) (p. 85)
Figure 15. Use current eID nodes to issue a SAML assertion based in verifiable credentials/presentations (p. 105)
Figure 16. Use of Verifiable IDs as eIDAS electronic identification means (p. 107)
Figure 17. Choose your Bitcoin Wallet (p. 133)
Figure 18. DLT System roles and sub-roles (ISO/CD 23257.3) (p. 135)
Figure 19. System view of functional components of a DLT system (ISO/CD 23257.3) (p. 136)

Glossary of terms and acronyms

Authoritative source: Any source, irrespective of its form, that can be relied upon to provide accurate data, information and/or evidence that can be used to prove identity (eIDAS Security Regulation).

Consumer Rights Directive: Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council (Text with EEA relevance).

e-Commerce Directive: Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market.

eID: Electronic identification means, as defined under the eIDAS Regulation.

eIDAS AdES Formats Decision: Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance).

eIDAS Cooperation Decision: Commission Implementing Decision (EU) 2015/296 of 24 February 2015 establishing procedural arrangements for cooperation between Member States on electronic identification pursuant to Article 12(7) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance).

eIDAS Interoperability Regulation: Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance).

eIDAS Notification Decision: Commission Implementing Decision (EU) 2015/1984 of 3 November 2015 defining the circumstances, formats and procedures of notification pursuant to Article 9(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (notified under document C(2015) 7369).

eIDAS QSCD Decision: Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices pursuant to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance).

eIDAS Regulation: Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (Text with EEA relevance).

eIDAS Security Regulation: Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance).

eIDAS TL Decision: Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance).

eIDAS Trust Mark Decision: Commission Implementing Regulation (EU) 2015/806 of 22 May 2015 laying down specifications relating to the form of the EU trust mark for qualified trust services (Text with EEA relevance).

eSign Directive: Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.

ESSIF Architecture: The definition of ESSIF and all related actors and building blocks at functional level, at level of concepts, at level of resilience/trust requirements, at level of interactions (including all corresponding technical and operational standards).

ESSIF Infrastructure: All supporting capabilities/services which support the functioning of ESSIF and all its members and framework-abiding relying parties, issuers and users.

GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

IdP: Identity Provider.

MDS: Minimum Data Set, defined in the eIDAS Interoperability Regulation.

QTS: Qualified Trust Service, as defined under the eIDAS Regulation.

QTSP: Qualified Trust Service Provider, as defined under the eIDAS Regulation.

SSI: Self-Sovereign Identity.

Subject: Anything that is known to exist somewhere in the real world and to which one can concretely refer: can be people, organisations, things/devices, resources (EBSI ESSIF). Also: the legitimate natural or legal person that is, or is to be, represented by the electronic identification means (Guidance for the application of the levels of assurance which support the eIDAS Regulation).

TL: Trusted List.

TS: Trust service, as defined under the eIDAS Regulation.

TSP: Trust Service Provider, as defined under the eIDAS Regulation.

Part 1. An introduction to Self-Sovereign Identity

1. THE TRANSFORMATION OF DIGITAL IDENTITY

Digital personhood is understood as the projection of personality rights to the Internet space, through the creation and control of user agents (personal profiles, in some cases avatars), which are used in interactions on the Internet, with frequent support from corporate or social network service providers known as identity providers (IdP).

It is a model characterised by direct personal agency in the network, as opposed to third-party management through passive user profiles, and its legal regime is configured as a result of three forces in permanent tension: identity, privacy and law enforcement (Alamillo Domingo, 2010b).

Under the expression “digital identity”, we refer to techniques that allow people and organisations to identify themselves and act on networks, using more or less strong authentication mechanisms.

From a more technical perspective, digital identity is a form of identity resulting from the digital codification of identifiers in a way that is suitable for processing and interpretation by computer systems (Jøsang, Fabre, Hay, Dalziel, & Pope, 2005). Moreover, following these authors, “a person’s or an organisation’s identity consists of the individual characteristics by which that person or organisation is recognised or known”, elements that “can be acquired, such as name, address, nationality, registration numbers and memberships, or can be inherent, such as with biometrics”.

Different from digital identity is the concept of identifier. In fact, “any characteristic element can be called an identifier when it is used for identification purposes”. While “it is assumed that identities are unique, i.e. no two human beings or organisations have the same identity”, on the contrary, “the same person or the same organisation can have different identities in different contexts, and each identity is reflected by a different set of identifiers”. Thus, “an identifier is usually only unique within a given context [and] the different types of identifiers can be quite varied in their characteristics, and may be transient or permanent; inherent or applied; self-selected or issued by an external authority; interpretable by humans, computers, or both, etc” (Jøsang, Fabre, Hay, Dalziel, & Pope, 2005).

Digital identity has evolved significantly in the last 25 years, including hierarchical public key infrastructures and federated, user-centric, delegated authentication.

All these identities are digital, because they are assigned, stored and managed electronically, in identity databases, which vary from identity silos completely disconnected from each other to complex networks of interconnected identity data, as in the financial or crime-fighting domains. Furthermore, all these identities can be considered as “second- or third-party identities”, because they are provided to us by organisations or people different from us. They are second-party identities when they only serve to establish electronic relationships with the organisation or person that has supplied them to us, and they are third-party identities when they serve to establish relationships with organisations and people different from those that have provided them to us, as happens with qualified electronic signature certificates or with delegated authentication infrastructures, such as those currently adopted under the eIDAS Regulation.

More recently, with the advent of Web 2.0, we users have begun to act as issuers or guarantors of our own identity, disclosing a set of personal data that allows third parties to recognise us. Specifically, on the social Web radically new examples of electronic relationships appeared: social networks (Facebook, Google), collaborative spaces (Google Docs, Box.com), social communication streams (Twitter), virtual worlds (especially in the gaming environment), or the Cloud, which were based on first-party identities; that is, identities self-generated and managed by the users themselves, under self-regulation criteria such as convenience or pseudonymisation, in the process of acquiring and learning how to use their digital personhood.

These systems constituted a new paradigm in identity management, based on the self-management by the user of the entire life cycle of her identity, with greater control over the disclosure of personal data. They were the so-called “first-party” or “user-centric” identities, and promised a new privacy model under true user control, while still maintaining the dependency of the user on the identity provider.

The existence of all these systems, and their application in heterogeneous environments, led to the emergence of a digital identity ecosystem, with an increase in complexity in the management of the data itself, and the appearance of new risks for the privacy of natural persons.

From this initial perspective, it can already be indicated that the digital identity is a human artefact, an electronic document with a series of information referring to a

