[PDF] SSI eIDAS Legal Report personality onto the web especially

View - Download SSI eIDAS Legal Report

Previous PDF

Next PDF

Dr. Ignacio Alamillo Domingo

April - 2020

Blockchain / DLT

Technologies

SSI eIDAS Legal Report

How eIDAS can legally support digital identity

and trustworthy DLT -based transactions in the

Digital Single Market

2020

EUROPEAN COMMISSION

European Commission

B-1049 Brussels

2020

SSI eIDAS Legal Report

How eIDAS can legally support digital identity and trustworthy DLT-based transactions in the Digital

Single Market

INTERNAL IDENTIFICATION

Specific contracts 003604 and 003491 under Framework Contract DI/07445-00 (STIS IV)

DISCLAIMER

This document has been prepared for the European Commission , however, it reflects the views only of the authors, and the Commission cannot be held responsible for any use, which may be made of the information contained therein.

The work was co

-funded by the ISA 2 programme, as part of the Innovative Public Services action, and the CEF Digital programme, in the context of the European Blockchain Services Infrastructure building block. The H2020 EU Project OLYMPUS, under Grant 786725, supported part of this work. The author is Dr. Ignacio Alamillo Domingo (Astrea La Infopista Jurídica), Lawyer, CISA, CISM, researcher at iDerTec (University of Murcia). More information on the European Union is available on the Internet (http://www.europa.eu). 2020

SSI eIDAS Legal Report 1

Table of contents

TABLE OF CONTENTS ................................................................................................................................... 1

TABLE OF FIGURES ...................................................................................................................................... 3

GLOSSARY OF TERMS AND ACRONYMS ...................................................................................................... 4

PART 1. AN INTRODUCTION TO SELF-SOVEREIGN IDENTITY ........................................................................ 8

1. THE TRANSFORMATION OF DIGITAL IDENTITY ................................................................................... 8

2. SELF-SOVEREIGN IDENTITY .............................................................................................................. 12

3. SSI AND TRUST GOVERNANCE ......................................................................................................... 21

PART 2. THE EIDAS RE

GULATION............................................................................................................... 23

4. THE LEGAL REGIME OF ELECTRONIC IDENTIFICATION MEANS FOR CROSS-BORDER TRANSACTIONS 25

4.1. LEGAL CONCEPT OF ELECTRONIC IDENTIFICATION (EID) .............................................................................. 26

4.2. THE SCOPE OF THE EIDAS REGULATION AND ITS RELATIONSHIP WITH NATIONAL LAW ....................................... 30

4.3. ELIGIBILITY CRITERIA FOR THE NOTIFICATION OF ELECTRONIC IDENTIFICATION SCHEMES ..................................... 33

4.4. THE LEGAL EFFECT OF NOTIFIED ELECTRONIC IDENTIFICATION MEANS ............................................................ 55

5. THE LEGAL REGIME OF ELECTRONIC SIGNATURES AND ELECTRONIC SEALS ..................................... 60

5.1. ELECTRONIC SIGNATURES AND SEALS ...................................................................................................... 60

5.2. ADVANCED ELECTRONIC SIGNATURES AND SEALS ....................................................................................... 63

5.3. QUALIFIED ELECTRONIC SIGNATURES AND SEALS ....................................................................................... 66

5.4. THE LEGAL EFFECT OF ELECTRONIC SIGNATURES AND SEALS ......................................................................... 71

6. THE LEGAL REGIME OF TRUST SERVICES .......................................................................................... 79

6.1. THE EIDAS CHARACTERISATION OF TRUST SERVICES................................................................................... 79

6.2. THE EIDAS REGULATORY MODEL FOR TRUST SERVICES ............................................................................... 84

6.3. ISSUANCE OF ELECTRONIC SIGNATURE/SEAL/WEBSITE DIGITAL CERTIFICATES ................................................... 86

PART 3. LEGAL SCENARIOS RELATED TO SSI & EIDAS................................................................................. 90

7. GENERAL LEGAL CONSIDERATIONS .................................................................................................. 91

7.1. REGARDING THE LEGAL VALUE OF VERIFIABLE CREDENTIALS AND THEIR PRESENTATIONS .................................... 91

7.2. LEGAL ASSESSMENT OF DIDS, DID DOCUMENTS AND DID CONTROL KEYS ..................................................... 93

8. LEGAL ASSESSMENT OF VERY SHORT-TERM SCENARIOS .................................................................. 95

8.1. USE OF NOTIFIED EIDAS EID MEANS AND QUALIFIED CERTIFICATES TO ISSUE VERIFIABLE CREDENTIALS ................. 95

8.2. EIDAS BRIDGE: INCREASING VERIFIABLE CREDENTIALS' LEGAL VALUE AND CROSS-BORDER RECOGNITION ............101

8.3. USE CURRENT EID NODES TO ISSUE A SAML ASSERTION BASED IN VERIFIABLE CREDENTIALS/PRESENTATIONS .....104

9. LEGAL ASSESSMENT OF SHORT-TERM SCENARIOS ......................................................................... 106

9.1. USE OF VERIFIABLE IDS AS EIDAS ELECTRONIC IDENTIFICATION MEANS .......................................................106

9.2. ISSUANCE OF QUALIFIED CERTIFICATES BASED ON A SPECIFIC DID METHOD AND VERIFIABLE CREDENTIAL ............112

10. LEGAL ASSESSMENT OF MID- TO LONG-TERM SCENARIOS ............................................................. 118

10.1. EXTEND THE EIDAS NOTIFICATION MECHANISM TO VERIFIABLE ATTESTATIONS: ENHANCED TRUSTED ISSUERS

MANAGEMENT

10.2. REGULATE THE ISSUANCE OF VERIFIABLE ATTESTATIONS AS A TRUST SERVICE ................................................124

10.3. REGULATE THE ACTIVITY OF IDENTITY HUBS AS A TRUST SERVICE, IN SUPPORT OF SSI-BASED ONCE ONLY PRINCIPLE

126

10.4. REGULATE DELEGATED KEY MANAGEMENT AS AN INDEPENDENT TRUST SERVICE, IN SUPPORT OF REMOTE WALLETS

130

10.5. REGULATE A SPECIFIC TYPE OF DLT NODE AS A TRUST SERVICE ...................................................................134

2 SSI eIDAS Legal Report

REFERENCES ............................................................................................................................................ 138

SSI eIDAS Legal Report 3

Table of figures

Figure 1. Relationships between DID, DID document and subject (Reed & Sabadello, 2020) ........................ 15

Figure 2. Verifiable Credentials and Presentations conceptual map (Alamillo Domingo, 2019b). .................. 16

Figure 3. Self-Sovereign Identity Management Model in Blockchain (Bernal Bernabé et al, 2019) ............... 17

Figure 4. Identity management methods evolution over time, according to privacy preservation capabilities

(Bernal Bernabé et al, 2019) ................................................................................................................... 17

Figure 5. Proposed taxonomy of crypto

-assets (Arslanian & Fischer, 2019) ................................................... 19

Figure 6. Use cases and

actors for identity management (Kuperberg, 2019) ................................................... 20

Figure 7. Compliance and liability criteria (Kuperberg, 2019)......................................................................... 20

Figure 8. SSI trust relationship (Mühle et al, 2018) ......................................................................................... 21

Figure 9. Electronic identification conceptual map (Alamillo Domingo, 2016) .............................................. 29

Figure 10. Risk matrix considered in IDABC .................................................................................................. 38

Figure 11. The need to define common authentication assurance levels in STORK ........................................ 39

Figure 12. Relevant factors for QAA levels in STORK ................................................................................... 40

Figure 13. Authentication assurance levels mapping in STORK ..................................................................... 40

Figure 14. eIDAS Regulatory model conceptual map (Alamillo Domingo, 2019a)......................................... 85

Figure 15. Use current eID nodes to issue a SAML assertion based in verifiable credentials/presentations . 105

Figure 16. Use of Verifiable IDs as eIDAS electronic identification means .................................................. 107

Figure 17. Choose your Bitcoin

Wallet. ......................................................................................................... 133

Figure 18. DLT System roles and sub-roles (ISO/CD 23257.3) ..................................................................... 135

Figure 19. System view of functional components of a DLT system (ISO/CD 23257.3) .............................. 136

4 SSI eIDAS Legal Report

Glossary of terms and acronyms

Authoritative

source Any source irrespective of its form that can be relied upon to provide accurate data, information and/or evidence that can be used to prove identity (eIDAS Security Regulation).

Consumer rights

Directive

Directive 2011/83/EU of the European Parliament and of the Council of 25 October 2011 on consumer rights, amending Council Directive 93/13/EEC and Directive 1999/44/EC of the European Parliament and of the Council and repealing Council Directive 85/577/EEC and Directive 97/7/EC of the European Parliament and of the Council (Text with EEA relevance). e-Commerce

Directive

Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal

Market.

eID Electronic identification means, as defined under eIDAS

Regulation

eIDAS AdES

Formats Decision

Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and

37(5) of Regulation (EU) No 910/2014 of the European

Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance). eIDAS

Cooperation

Decision

Commission Implementing Decision (EU) 2015/296 of 24 February 2015 establishing procedural arrangements for cooperation between Member States on electronic identification pursuant to Article 12(7) of Regulation (EU) Nº 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance) eIDAS

Interoperability

Regulation

Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the interoperability framework pursuant to Article 12(8) of Regulation (EU) Nº 910/2014 of the European

SSI eIDAS Legal Report 5

Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance). eIDAS

Notification

Decision

Commission Implementing Decision (EU) 2015/1984 of 3 November 2015 defining the circumstances, formats and procedures of notification pursuant to Article 9(5) of Regulation (EU) Nº 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (notified under document

C(2015) 7369).

eIDAS QSCD

Decision

Commission Implementing Decision (EU) 2016/650 of 25 April

2016 laying down standards for the security assessment of

qualified signature and seal creation devices pursuant to Articles

30(3) and 39(2) of Regulation (EU) No 910/2014 of the European

Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance). eIDAS Regulation Regulation (EU) Nº 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (Text with EEA relevance). eIDAS Security

Regulation

Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) Nº 910/2014 of the European Parliament and o f the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance). eIDAS TL

Decision

Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text wi th EEA relevance). eIDAS Trust

Mark Decision

Commission Implementing Regulation (EU) 2015/806 of 22 May

2015 laying down specifications relating to the form of the EU

trust mark for qualified trust services (Text with EEA relevance)

6 SSI eIDAS Legal Report

eSign Directive Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures. ESSIF

Architecture

The definition of ESSIF and all related actors and building blocks at functional level, at level of concepts, at level or resilience/trust requirements, at level of interactions (including all corresponding technical and operational standards). ESSIF

Infrastructure

All supporting capabilities/services which support the functioning of ESSIF and all its members and framework-abiding relying parties, issuers and users. GDPR Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

IdP Identity Provider

MDS Minimum Data Set, defined in the eIDAS Interoperability

Regulation.

QTS Qualified Trust Service, as defined under eIDAS Regulation QTSP Qualified Trust Service Provider, as defined under eIDAS

Regulation

SSI Self-Sovereign Identity

Subject Anything that is known to exist somewhere in the real world and to which one can concretely refer to: can be people, organisations, things/devices, resources (EBSI ESSIF). The legitimate natural or legal person that is, or to be, represented by the electronic identification means (Guidance for the application of the levels of assurance which support the eIDAS

Regulation).

TL Trusted List

SSI eIDAS Legal Report 7

TS Trust service, as defined under eIDAS Regulation. TSP Trust Service Provider, as defined under eIDAS Regulation.

8 SSI eIDAS Legal Report

Part 1.

An introduction to Self-Sovereign Identity

1.

THE TRANSFORMATION OF DIGITAL IDENTITY

Digital personhood is understood as the projection of personality rights to the Internet space, through the creation and control of user agents (personal profiles, in some cases, avatars), which are used in interactions on the Internet, with frequent support in corporate or social network service providers, known as identity providers (IdP). It is a model characterised by direct personal agency in the network, as opposed to third party management through passive user profiles, and its legal regime is configured as a result of three forces in permanent tension: identity, privacy and law enforcement (Alamillo

Domingo, 2010b).

Under the expression "digital identity",

we refer toquotesdbs_dbs32.pdfusesText_38

[PDF] Gestion de projets. Microsoft Project. Fonctions avancées

[PDF] Audit du conseil d administration. Partie A Profil général, connaissances, compétences et expertises

[PDF] PROJECT. Guide pratique pour les chefs de projet APPLICATIONS MÉTIERS. Vincent Capitaine

[PDF] Le Projet des architectes de l APEC

[PDF] REFERENTIEL DU CQPM. TITRE DU CQPM : Technicien en machines tournantes sous pression (installation - exploitation

[PDF] COMMUNIQUER EN SITUATION DE CRISE

[PDF] Design & web marketing. saut! Faites le Bienvenue dans le web nouvelle tendance.

[PDF] PIBA. Projets et Ingénierie du Bâtiment & Aménagement

[PDF] Bon appétit! Mr Lapin

[PDF] Internet reste un support il ne pourra pas remplacer tout le travail marketing et stratégique en amont.

[PDF] DOSSIER DE PRESSE. Nouvel EHPAD de THUIR Vivre &n confiance dans un environnement privilégié

[PDF] Appel à projets. Référencement de l offre de formation pour la formation continue dans les TPME APPEL À PROJETS

[PDF] Ont participé à une réflexion sur le thème de la Violence dans le sport.

[PDF] Légende: Source: Copyright: URL: Date de dernière mise à jour:

[PDF] 8. LES ACTIONS ÉDUCATIVES COMPLÉMENTAIRES AU SEIN DE L ÉTABLISSEMENT BRIQUES DU PARCOURS CITOYEN «La conduite d'actions éducatives peuvent prolonger