January 10, 2019

Blog postGovernmentTimestampingTrust Service Provider

Digitalization is based on security and open standards

country signing certificate authority

Digitalization

Digitalization is something that affects us all, mostly in positive ways. Usually digitalization means that transactions we make in our daily lives can, and are in a majority of cases, done over the Internet, using computers or mobile devices. In a digital society many services are offered over the Internet, such as government services, banking, stock market, and even voting in some cases although that is probably not for everyone yet in decades to come. Digitalizing government services and banking frees up time and travel and makes the system more efficient. Everything you can imagine, from starting a business, applying for permits, tax reporting, unemployment reporting, health care, payments, opening bank accounts and applying for loans, can be done digitally from any location you happen to be at. Digitalization is not without dangers, nothing is. Making things available conveniently over the Internet means that it is also conveniently availably for criminals. Fishing and fraud to steal money are common issues and being able to get an ID on-line in someone elses name can cause a lot of trouble for the victim. Large scale fraud attempts against citizen are now possible from anywhere in the world, which also makes it harder to catch criminals and to recover stolen funds. With this in mind, to be able to offer these services over the Internet, a solid security infrastructure is needed. There is lots of practical lessons to learn from various countries who have implemented a digital society in different ways.

EU and eIDAS

EU is currently at the forefront of digitalization, to large extent driven by the eIDAS regulation. High Internet penetration and the high cost structure in EU makes it attractive to save costs and increase efficiency at large. Some countries have pushed it very far like Estonia and Sweden, while some are a bit slower, but the trend is moving fast everywhere. Most transactions within EU are still local for each country, and some transactions are only relevant locally, but the goal is to make EU a more open and efficient common market. This is in large thought to be achieved with a goal called the Digital Single Market. Since EU consist of states that are to a large extent independent, it is achieved through the EU wide regulation eIDAS, which each member state must implement and abide to. Some effects of the eIDAS regulation is that it is harder to make local rules that hinder competition from other countries, business transactions becomes cheaper and more efficient between member states and citizen have efficient processes needed in their daily life even if they live abroad from their home country. To support digitalization, in a secure way, eIDAS defines a set of Trust Services that are needed.

Trust Services PKI Infrastructure

eIDAS defines providers of needed trust services as Trust Service Providers, TSPs for short. TSPs are regulated by the government and EU, but not controlled by the government, so there is a competitive market for TSPs.  A typical TSP offer PKI security services, i.e. issuance of digital certificates, time stamp services and document signatures. None of these types of services are new in itself, but the way it is implemented as a consistent infrastructure to support digital services is. An example PKI infrastructure for TSPs is seen in the figure below

 

Example Trust Service PKI Infrastructure

Of course, it is not only sufficient to build technical infrastructures. It is also important that legislation supports the trust services and digitalization efficiently, securely and without barriers, and this is where the heaviest part of eIDAS comes in, as legislation is harmonized between countries.

Reusing the Trust Services Infrastructure

An important aspect of building up a trust service infrastructure is that once built up, which is time consuming and costly, it can be re-used for new purposes. By building up new services step by step, using the established, robust, trust services, digitalization can progress in an increasing pace. One example of this is how the new payment services directive, PSD2, in EU re-uses the eIDAS trust service PKI infrastructure to open up banking to be more efficient with less lock-in effects.

Open Standards

For any large scale initiative to gain wide-spread traction, using open standards is imperative. Different actors must be able to provide implementations and services on the same conditions, avoiding lock-in effect and costly proprietary solutions. For trust services this is achieved by using open security standards such as X.509 certificates, RFC 3160 time stamps, SAML and other open standard for authentication and information exchange. Participation in defining and using these standards should be open to all parties who can contribute. This can form a healthy ecosystem with participants from all parts of society, something which is needed to fulfill the vision of a digital society. Luckily there is no lack of open standards in the area of PKI.

Long Term Vision

It is not done overnight to create a thriving, innovative, digital ecosystem. Often you run into the chicken or the egg dilemma, meaning that before enough attractive services are available on-line there are no users willing to adopt, and it is not attractive for services to invest in going on-line until there are enough users. Some recommendations are:

  • keep a long term vision, don’t give up
  • build a reusable infrastructure, PKI can be used for many purposes
  • encourage open ecosystems, let innovation thrive
  • use open standards, avoid vendor lock-in
  • focus on user benefit, citizen will not be forced into something that doesn’t make sense
  • adapt to local circumstances, not everything can be copied (but a lot can be)
  • adapt legislation to the digital world

Let innovation thrive with secure digital services in all aspects of users’ lives.


Want to know more about our view on eIDAS?

Driving transparence, interoperability and innovation across the European Union with eIDAS. PrimeKey on eIDAS  

TomasPrimeKey

Author

Tomas Gustavsson

Tomas is the co-founder and CTO of PrimeKey. He has been implementing PKI systems since 1994. As founder and developer of the open source enterprise PKI project, EJBCA, contributor to numerous open source projects, and member of the board of Open Source Sweden, Tomas is passionate about helping users worldwide to find the best possible PKI and digital signing solutions.