Wednesday, January 11th, 2023

Buggy Law 9: eIDAS at the Crossroads Between Law and Technology

In a series of posts we have examined eIDAS with a lingering question: Can legislation have bugs? That is, can it contain “errors or imperfections that reduce reliability, performance, or user experience” – like bugs in computer software? eIDAS is the EU law that controls online identification and online signatures for the public sector in all EU states. The time has arrived for a summary.

Law and Technology

Law and technology are distinct but mutually dependent. EU politicians should have been warned by previous mistakes to overstep the boundary between them. There is, for example, the ruling about satellite dishes from 2001 (COM/2001/0351). Long after all tv channels became available on the internet this ruling is still in effect. It states that mounting a satellite dish, even on a historic building, is a human right in the EU, superseding any national law. A specific technology – soon to be outdated – was turned into law that is very difficult to change.

Technology keeps changing on short notice while legislation must be durable. Law, therefore, should define generic requirements and boundaries for technology without committing to specifics.

As for our main topic, online signatures, eIDAS ignored the warnings and stepped into the trap. Qualified signatures according to eIDAS is a specific technology which is also law. It is supposed to be the most secure digital signature in the eIDAS inventory.

Technology As Law By eIDAS

Let us examine the technology specified by EU lawmakers in eIDAS. We find the following phrase in recital item 52. (The recital is a collection of short texts containing background information for the law.)

… the electronic signature creation environment is managed by a trust service provider on behalf of the signatory… (the entire text is printed at the bottom of this post)

A signatory is a person who signs something with an online signature. It could be you. Here it says that, when you sign a document online, a trust service (whatever it is) does something on your behalf, that is, in your place. Did you know that?

“On Your Behalf” In Practice

To understand this mechanism we have to use another technical term: certificate. A certificate is the digital equivalent to an id card. Among other things it contains a secret encryption key. Only you can unlock the encryption key by your passphrase or PIN code. The secret key is not known to anyone, not even the authority that issued your certificate. It is never shared and thus very reliable.

A qualified signature is created by a qualified electronic signature creation device assisted by a qualified trust service. (I suspect these awkward terms were invented to keep nosy people at a distance.) It generates a new certificate, presumably “on your behalf” (even if you never told it to). The signature that ultimately is attached to the document to be signed is created with the new certificate. Your own reliable certificate is not used. You are given exactly zero control over the new certificate. You are not even informed about its existence. This goes against, among other things, recital item 51 (also printed at the bottom of the post).

The result? The encrypted chain linking the signature to you is broken. The signature no longer depends entirely on encryption, the cornerstone of contemporary computer security.

Additional Quirks

There are other aspects. The new certificate is treated as if it has a high assurance level. However, to obtain an e-id on the highest assurance level you must show up in person, initially and at renewal. In a qualified signature the relying party (the entity that asked for the signature) acts as your proxy towards the trust service that issues the certificate. I’m not sure an e-id obtained through a proxy merits any assurance level at all.

There is more. You, the signatory, are not told that this happens. Creating and using credentials for someone else without their knowledge has a distinguished name: forgery. Oops, oversight by the legal department. Credible justification is urgently needed. What we find is item 3 of eIDAS Annex II.

3. Generating or managing electronic signature creation data on behalf of the signatory may only be done by a qualified trust service provider.

Forgery is thus lawful for certain implicitly trusted providers and their equipment. Again, contemporary computer security thinking says, nobody and nothing should be implicitly trusted.

Instead of an unbroken encrypted chain from the signature to the signatory we now see a chain containing no less than two implicitly trusted intermediaries, the relying party and the trust service. The relying party, the entity that asked for a signature, is implicitly trusted to forward correct information to the qualified trust service. The qualified trust service provider is implicitly trusted to generate new certificates. Accountability towards the signatory is zero.

As already stated, from a computer security perspective, any implicit trust is an abomination. The only trustworthy technology is encrypted chains. Implicit trust has no place in modern security thinking. Promoting it as law does not make it more adequate. It is just regrettable abuse of legislation power.

If you bear with me, there is still more: validating online signatures. Validation means checking that a signature is genuine and valid. Article 32 of eIDAS deals specifically with validation of qualified signatures. It is all about the relying party. A signatory may definitely have a legitimate need to validate signatures, but it is completely ignored. This is a general feature of eIDAS: keeping aloof from users, the general public. EU citizens are treated like ignorant cattle that may be shoved around without explanation.

Conclusion

In the crossroads between law and technology eIDAS has overstepped the boundary and cemented broken technology as law. It does so with arrogance towards EU citizens, forgetting about decency and transparency – setting aside commendable precedents like GDPR and the ePrivacy Directive.

Link to all posts in this series

Comments are closed due to the spam factor. You may respond by email to blog AT soderstrom DOT se

The full text of eIDAS recital items 51 and 52 follows.

(51) It should be possible for the signatory to entrust qualified electronic signature creation devices to the care of a third party, provided that appropriate mechanisms and procedures are implemented to ensure that the signatory has sole control over the use of his electronic signature creation data, and the qualified electronic signature requirements are met by the use of the device.

(52) The creation of remote electronic signatures, where the electronic signature creation environment is managed by a trust service provider on behalf of the signatory, is set to increase in the light of its multiple economic benefits. However, in order to ensure that such electronic signatures receive the same legal recognition as electronic signatures created in an entirely user-managed environment, remote electronic signature service providers should apply specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels, in order to guarantee that the electronic signature creation environment is reliable and is used under the sole control of the signatory. Where a qualified electronic signature has been created using a remote electronic signature creation device, the requirements applicable to qualified trust service providers set out in this Regulation should apply.

Comments are closed.