EU Digital Identity Ecosystem

From MgmtWiki
Jump to: navigation, search

Full Title and Meme

The European Digital Identity Framework and its ecosystem depends on a EU Trust framework that is controlled by each State in the EU.

Context

  • Each state in the EU has the ability is issue trust marks.
  • A Qualified Trust Service Provider (QTSP) in the European Union (EU) is an entity that provides "qualified" trust services, such as qualified electronic signatures, seals, or timestamps, under the EU's eIDAS regulation, ensuring high levels of security and legal validity[1]
  • QEAA = Qualified Electronic Attestation of Attributes for the EUid Wallet
    The virtual “European Digital Identity Wallet”, or EUid Wallet for short, is taking shape. QEAAs play a key role in the EUid Wallet ecosystem. For example, they are always used in e-government, online banking or even in digital education to provide credible proof of the characteristics of natural and legal persons at a qualified level.[2]

Problem

  • Many states will find it simpler to just pass their responsibility to organizations that are poorly regulated and untrustworthy.[3]
  • The problem with having a regulatory and technology driven approach is that User and Relying Party needs have been largely ignored, and business model sustainability hasn’t even been considered. The question is how much has now been built around the room without considering how to get the elephant out!

Solutions

Spain

Jesus Ruiz Alastria board member; Digital Identity Leader and Senior Advisor at IN2; technical leader of DOME (Distributed Open Marketplace for Europe)

Sorry, but I think that "The Payment Problem" does not exist. (see problems above.) For every (Q)EEA that I can think of, I see clearly how payments to the different actors providing services are managed and performed. Maybe because I am from Spain, the most advanced country in the EU in terms of number of QTSPs and digital signature adoption (Spain has 52 QTSPs, 16 Germany , 3 Sweden, 1 Finland, and so on).

Could you please put some concrete example of a (Q)EEA which shows that "elephant"? Not all attestations are the same. For example, let's take banking attestations, like a certificate of solvency. Those are today issued in the form of PDFs (even as signed PDFs). Each bank will make its decision on whether they subcontract a third-party for the issuance, or if they do it themselves (they can easily be a TSP). The economic model is very clear, because they will issue that (Q)EEA only to their customers, and they will charge or not, depending on the bank and the type of attestation (like today with PDFs). The cost of issuance for the bank is essentially the same as a signed PDF, so I expect the prices to be similar to the ones now.

I probably will start posting in detail about some use cases in Spain, but for the moment let me describe some examples, focusing on the businesses: - Many businesses interact with the public administrations using advanced or qualified signatures with a qualified certificate of representation (a certificate issued by a QTSP to a legal representative attesting the powers of representation). Verification of such documents is very efficient and with a high level of legal certainty, enjoying presumption of validity of the signature and non-repudiation. - The opposite is true. For example, any document I request from my local government (my city) is sealed with a qualified certificate issued by a QTSP to the local government. Transitioning to a PUB-EEA is very easy for them, as instead of signing a PDF they have to sign a JSON document with the same data (I oversimplify it, but you get the idea). - In the private sector, it is very common to sign any legally binding document using a qualified certificate. Once you have one, you realize the benefits in lowering the friction and litigation in B2B transactions.

  • Many public administrations (like my local government) already issue all documents requested by citizens and businesses as PDFs signed with a qualified certificate for seals. They have a button like "generate PDF". They only have to put another button "generate VC", which uses the same data and implements the OID4VCI protocol, and sign it properly.
  • Any private business that now generates PDFs signed/sealed with a qualified certificate (as I said before, there are many already), can easily generate an EAA (not a QEAA). Actually, generating a PDF from data in a DB is technically more difficult than generating a JSON document. By the way, in the private sector, an advanced signature (versus a qualified one) is more than enough for most business transactions, and I expect the same to happen with EAAs versus QEAAs.
  • For Verifiers (the businesses receiving the "document"), the EEA has many advantages, because in addition to the benefits of the digital signature, they can reduce the costs of backoffice: a PDF has to be read by a human, but an EAA can be fully verified by a machine in real-time. And this improves customer service, as the reply can be given in seconds.

In Spain, many public administrations are already preparing beyond just identification with the EUDIW. The real deal is issuing PUB-EAAs, and they are well prepared for that (I am not saying that it will be easy, only that it will be easier than in other countries).

For those PUB-EAAs, the economic model is the same as for the current attestations with digitally signed PDFs.

In the private sector, many EAAs will be issued with the same economic model as with the signed PDFs.

Of course, there will be many (Q)EAAs that will be new, and this is where new business opportunities lie for QTSPs. Depending on the specific (Q)EAA, funding for the issuance will be different, but I do not see any major problem or a need for some standard. For Spain, it is just "business as usual", and the only real change is the format: instead of PDF (like contracts) or XML (like invoices), is JSON.

References

  1. Becoming a (qualified) trust service provider https://eidas.ec.europa.eu/efda/discover/becoming-qtsp
  2. Bundesdruckerei QEAA Put Simply: Importance of Qualified Electronic Attestation of Attributes for the EUid Wallet 2023-11-28 https://www.bundesdruckerei.de/en/innovation-hub/qeaa-put-simply
  3. Jon Ølnes, The elephant in the European Digital Identity Wallet room – how can service providers get paid? Signicat 2025-03-06 https://www.signicat.com/blog/the-elephant-in-the-european-digital-identity-wallet-room-how-can-actors-get-paid
Retrieved from "http://tcwiki.azurewebsites.net/index.php?title=EU_Digital_Identity_Ecosystem&oldid=23097"