Friday, October 21st, 2022

Buggy Law 4: eIDAS and Trust Services

Can legislation have bugs? That is, can it contain “errors or imperfections that reduce reliability, performance, or user experience” – just like bugs do in computer software? This is a series of posts where we dissect eIDAS, the EU law that controls online identification and online signatures for the public sector in all EU states.

This time we will have a closer look at trust services according to eIDAS. A trust service is somewhat similar to a public key infrastructure, PKI. Its function is to produce the digital equivalent of ID cards, more formally referred to as certificates. “Trust service” is a well-chosen term because it is all about trust.

Trust is at the core of online identification and online signatures. Computers and sophisticated software can do many things, but they cannot create trust out of nothing. At some point the digital virtual world must connect to the physical real world. Enter trust services.

A trust service acts like a witness, saying, “I hereby attest that the person represented by certificate (digital id card) so-and-so is the real person mentioned in that certificate.”

Recall how a will is signed. The testator has to sign it, of course, but also two witnesses. It is relevant to compare a trust service to a witness, vouching for someone else’s identity and sanity.

Who can be a witness? The basic requirement is that the witness is not involved in the transaction in any way: an unrelated person, as far as the will is concerned. Beneficiaries are counted out automatically.

eIDAS does not include such a condition in its stipulations on trust services. What we see in practice, at least in Sweden, is that relying parties (those who request digital signatures) routinely set up their own trust services. Such self-serving trust services should be automatically disqualified. It is not fitting for one party in a transaction to also act as a witness, especially since the relying party usually is the one that can afford a team of lawyers and is able to use brute force to have its way, the very negation of trust. Relying parties need to learn to receive trust as a gift from an independent, unforced witness.

There is a category of eIDAS trust services called qualified trust services. This category of trust services is subject to stringent requirements. Setting up a qualified trust service is quite demanding. It is not something you prepare for a simple application.

However, no trust service should be used in transactions where its provider has a stake. A trust service should be an independent witness. This should go without saying, but reality has shown that eIDAS has to state it explicitly. The omission is now playing out on a large scale.

The next post will treat a misconceived idea in eIDAS that does not play out just yet.

Comments are closed due to the spam factor. You may respond by email to blog AT soderstrom DOT se