1 August 2022

QTSP: Where Trust and Proof Meet?

In this article, Sergei Zamsharski, Head of Product Management at LeverID, answers the important question of what’s more important to you; trustsecurity, or proof, and also dives into the world of ‘Qualified Trust Service Providers' in the context of digital identity.

Regulation, eIDAS and Digital ID

In 2014, the new eIDAS regulation came into force. This regulates the electronic relationships between business, citizens and the state, making such relationships safer and more efficient for all.

By then, many member states within Europe had already introduced their own levels, standards and methods for securing the integrity of communication in electronic form.

However, eIDAS now offers all 27 EU member countries a framework, based on measuring against security criteria and within which to evaluate their electronic identification and trust services. This helps reduce bureaucracy and paperwork, enabling firms to reduce costs and to speed up processes by providing a transnational, cross-sector and easy-to-use network of trustworthy suppliers.

[Following Brexit, the UK absorbed the ISO terms on which eIDAS is based into law but UK providers of electronic digital identity services operating within the EU would still need to comply with eIDAS and there is no automatic reciprocal agreement. This could be a challenge for them!]

For electronic identification, signature verification and timestamping services, there are various ‘levels of assurance’ and their requirements, against which providers and their products are assessed. Here, for example you can see those which apply to identification and providers can choose which level they aim for - providing they pass the assessment criteria, of course!

Overall, it sounds ingeniously simple, doesn’t it? Let's dig into how it works and, vitally, understand what a qualified trust service provider is.

Who are Qualified Trust Service Providers (QTSPs)?

A ‘QTSP’ is “…a Trusted Service Provider that provides one or more qualified trusted services and has been granted a qualifying status by a national supervisory authority." [source]

So, it’s one thing to be a non-qualified provider of digital identity services [SP], and another to be a trusted one [TSP] - and eIDAS don’t differentiate between the two. But to be included in eIDAS' list, you need to be a “qualified” one - and you only get that when you’ve met eIDAS' qualifying criteria and are audited by a conformity assessment body.

In practice, achieving QTSP status according to eIDAS' qualifying criteria is a long and expensive process, due to the fact that a provider must comply with a high level of security and their decision to create certificates for citizens must be well protected [we'll talk about solutions below].

It was easier for companies that had already been a TSP in their country, before eIDAS, to have their services qualified, because the technology and the legal basis had already been built.

What do QTSPs do?

There are 6 services within the eIDAS framework:

  1. eID
  2. eSignature
  3. eTimeStamp
  4. eSeal
  5. Qualified Web Authentication Certificate
  6. Electronic Registered Delivery Service.

Today, each of the 27 EU member states has between 2-10 QTSPs. Depending on their specifics, firms qualified via only those services that they provide. Beyond that, many companies opened themselves up to the opportunity of providing their service throughout Europe, but not all of them took advantage of this.

That is when the next-level player entered the game - an intermediary, also known as a reseller or aggregator.

Resellers or aggregators use the API [Application Programming Interface] of an original QTSP, in order to resell the services it offers, be it logging in or signing documents or otherwise. However, simply reselling the service doesn’t magically mean the reseller becomes a QTSP! Caveat emptor applies…

A large number of such services have recently appeared, because there is no technological revolution or know-how behind them. The Internet is now full of services that use the technology of others and this is the normality of today's digital identity market.

What’s the problem?

I think each of us uses this or that resource knowing that the original service provider is another company, but due to some preferences such as speed of use, friendly interface or just habits, we use what we use.

If we consider the use of QTSP within a single state, then there is probably no such problem. A company that provides qualified services can continue to provide in the same format or those tools, as it did before eIDAS.

After all, eIDAS does not guarantee a single, simplified standard, rather it was a structure created for evaluating the electronic identification and signature tools used by TSPs & QTSPs.

But it still lacks the ability to make national transactions within certain countries, and transnational transactions across EU countries, due to the difference in systems.

And this means that we still do not have a unified system that would reduce entirely bureaucratic costs and facilitate electronic communications in the identification and signature context.

Why can QTSPs be trusted?

For the most part, QTSPs use a PKI [Public Key Infrastructure] structure in their solutions, employing various types of cryptography, mostly RSA, a method developed in the 1970s and still used by at least 80% of providers today. The use of HSM [Hardware Security module] has become a ‘must be’ factor. Thus, when generating certificates for users, methods that were originally considered ‘as safe as possible’ from hacking are used.

It would seem that everything is simple and such schemes have already been used many times. However, as we now well know, ‘safe’ is very subjective and it takes innovation to improve it!

That is why with LeverID, a different path is taken; by using modern cryptographic techniques such as EdDSA, and the proprietary key generation scheme [DualKey™], we have taken security, speed and scalability to an even higher level and, yes, we also use HSM in our solution.

Furthermore, within our Leversign system, we use a single-file standard, which supports batch signing of documents [BatchSig™], where one signature can sign many documents in separate files. More convenience and scalability for your required solution - saving you every resource that matters.

Where to next?

Considering that eIDAS was the first of its kind, this is now the quality standard that other non-EU countries try to match. Thus, for companies that offer trusted services based on eIDAS standards, the opportunity opens up to offer their services around the world.

LeverID sees this potential and we develop our products based on the potential of future markets, with innovation baked-in, to ensure we are future-ready by providing a service that can scale up to global level.

And yes, we are deep into the qualification compliance levels for eIDAS - to the highest one in fact. As soon as that comes through, you can be sure we’ll shout about it !

Because when it comes to the concepts of (and concerns around) trust, security and proof, LeverID meets all three. Precisely as we designed it to.”

Share this article: