Tuesday, October 18th, 2022

Buggy Law 3: eIDAS Meets Engineering

Can legislation have bugs? That is, can it contain “errors or imperfections that reduce reliability, performance, or user experience” – just like bugs do in computer software? This is a series of posts where we examine eIDAS, the EU law that controls online identification and online signatures for the public sector in all EU states, and its consequences.

In these posts you get a bottom-up view of the mechanisms for online identification and for creating online signatures. It is a technician’s view. How do these things work, really?

In the previous post we found what seem to be design flaws in a type of online signature that eIDAS calls qualified electronic signatures. The main glitch is that signatures are created by a signature robot and need not contain the digital DNA of the person who is supposed to have signed, the signatory. Digital DNA is a very strong link based on encryption. Qualified signatures according to eIDAS use legacy “security by obscurity” rather than encryption to create a link to the signatory. The result is substandard security.

You might think that such an insight would cause a stir among professionals in the area. After all, qualified signatures are promoted as the most reliable in the eIDAS inventory. But no, don’t hold your breath waiting for an outcry. The reason is that eIDAS includes the following provision, Article 25, item 2:

  • A qualified electronic signature shall have the equivalent legal effect of a handwritten signature

It simply doesn’t matter if the mechanism works. And this is not a recommendation, it is law.

There are two major categories of actors in the ecosystem surrounding online signatures in the public sector: public sector agencies and software providers.

Public sector agencies really need online signatures to do their job efficiently. Being public sector, what can they do except abide by the letter of the law? Absolutely nothing. Most of them have limited capability for developing software systems. They do have considerable buying power, however, and thus create a market for the second type of actor.

Software providers offer systems for online signatures to public sector agencies and others. If you are in this business, what are your three main selling points? 1. Compliance. 2. Compliance. 3. Compliance.

We have to realise that this ecosystem is immune to objections. Compliance with eIDAS (and several other specifications) is all that matters. Why should we worry if the technology actually works when the law says it doesn’t matter? So, a revelation like this series of posts will hardly ruffle the waters.

And there is more. The next post will take a closer look at trust services.

Link to all posts in this series

Comments are closed due to the spam factor. You may respond by email to blog AT soderstrom DOT se