Root Causes 366: What Is eIDAS?

Hosted by

Tim Callan

Chief Compliance Officer

Jason Soroko

Fellow

Original broadcast date

March 4, 2024

eIDAS 2.0 has been making headlines recently with its proposed expansion to the European digital identity ecosystem. But what is eIDAS? What does it do, and why does it exist? In this episode we give you the basics.

Podcast Transcript

Lightly edited for flow and brevity.

Tim CallanSo one of the things that we have been mentioning a lot recently, is eIDAS, which is e-I-D-A-S, and in particular eIDAS 2.0 and it occurred to us - this was your idea, suggestion, actually, Jason - that maybe we should go back and just explain and frame what eIDAS is, a little bit about its history and what it's for, and why it exists in the first place.

Jason SorokoYeah. Thanks, Tim. We're talking about - - It's an EU regulation. Electronic identification, authentication and trust services.

Right. And this is really about governing electronic identification of trust services for transactions, it was passed in 2014, came into effect 2016/2018 parts of that regulation. And, Tim, it's gone through some changes. We're going to have eIDAS 2.0 in the next little while, which is reason why we're podcasting on this now, but we wanted to just recover old ground in terms of what this is all about.

Now, I love trying to oversimplify something and then stumbling and failing, but at least attempting to do it. And, Tim, if you are a trade agreement amongst a whole lot of disparate countries in a in a trade block, my goodness, what you need. Like within a country, you can take advantage of the Federation of laws, within, you know, amongst two countries, you can take advantage of what's essentially a contract, right? A North American Free Trade Agreement. Those kinds of things.

But when you're dealing with something as diverse as all of Europe, you've got to have a legal framework that basically states all right, well, if you're gonna have identity rules, you have to have common agreement amongst all these countries about how do you provision? And what's the definition of a digital identity. You know, if you're going to use a certificate, what's the definition of it, and you all have to agree on these things, but you also have to have the legal framework of what is the legal implementation, the legal, the definition of what's the strength of some of these ID objects and artifacts, eIDAS covers all this stuff.

Tim CallanYeah. And you already hit a couple things there, Jay, that I want to just kind of pull out and flag. One of which is part of the point of eIDAS is that it needs to be Pan European. So if I have a digital identity, and I obtained that in Spain, I need to be able to use it in France. That's point number one. And so that means that there has to be a certain, like you said, commonality across all the European nations.

Another thing that you just called out there that's worth talking about is, this is a law that attempts to cover not only the legal consequences of digital signatures - How can they be used? What do they mean? What do they mean in terms of identity and nonrepudiation and things along those lines, but also, the technical requirements, so that we know that a digital - - that the actual certificate, the mechanism, the cryptographic mechanism behind the digital certificate is secure, and predictable and interoperable, and all of those things. So right there, you got some pretty vast scope because you're trying to do both of those things.

Jason SorokoYou've got that right, Tim. And so there's so much there. In fact, we have had previous podcasts, in fact that there was an interesting example of somebody who had used in an eIDAS-based electronic signature and was using this for some sort of railroad contract in Austria, but it didn't apply - -

Tim CallanYes. In Switzerland. So we wrote about this years ago, and I'd have to go look it up but the gist of it was that there were two companies involved and one of them was in Switzerland, and the other one was in Austria and that meant that one of them was in the EU and one of them was not, and that meant that their eIDAS certificate was insufficient for the enforceability of the contract. And this was a giant contract. It was worth billions of euros. And it was nullified by this fact of digital identity and how it works across those two borders. And because Switzerland is not part of the EU, right and people kind of forget about it. They think of it as a European country, and it is a European country, but it's not in the European Union. And that's how all of this came about.

Jason SorokoYes. And I think, Tim, when you think eIDAS, I think if you're from our industry, you're thinking about the various kinds of electronic signatures or QWAC certificates, and we'll talk about those in a moment, but I think that's what most people think about. What I wanted to do on this podcast, and I think we've just done it is to say, it's a legal framework for Pan European transactions and that's really what to think about eIDAS about.

Tim CallanYeah. Yeah. Pan European electronic transactions. Now, of course, eIDAS, as with GDPR, or other things that are happening at a major level, like Europe, you don't have to be inside of the European Union to get an eIDAS certificate because you may want to use it to do business with Europeans.

Another implication of this and a real thing that's happening is these certificates do not need to be limited, right? This is something that's put in place by the government, but these certificates do not need to be limited to governmental functions. And in fact, the government wants them not to be, right. The government wants to encourage their use through private industry. They have a vision of Europeans just being able to have digital identities in all their various dealings and so that too means that you've got to be able to reach outside of the borders, not only of any European country but of the whole European Union. And so this becomes a thing with global consequences.

Jason SorokoIt is global. And Tim, you know, I'd like to get into the certificate types as well here and get you to really kind of lay down what the types are. But we also have had previous podcasts, specifically on eIDAS 2.0 and wallets. So if you think about it, what are some of the important artifacts around this? We're talking about electronic signatures, digital signatures. We're talking about, basically, web certificates, QWACs and we're now also talking about identity wallets as well, Tim. So let’s at least hit the certificate type so at least we - - let's cover it and then we can get on to the wallets as well.

Tim CallanAnd those are the two main ones, right. You can get a certificate for an individual. So I can get a certificate, and it's my certificate, and it is attributed to me, and I can use it for online interactions, and I am attributing that it is or you know, my certificate is attesting that it is really me as an individual who is doing these things. And so you can think about the way you'd use that. It would be things like document signing, right. I can go document sign. I can go sign a document with my eIDAS cert, and it's a doc signing certificate, right? The same as we might be able to buy one, you know, in the aftermarket, just globally.

The other thing, the other main one is what we call a QWAC and a QWAC which is bound QWAC, by the way, not like a duck, a QWAC is basically - - it's a server certificate. It's a surrogate for TLS certificate. And in fact, browsers and supporting operating systems, what we call certificate consumers, in the parlance of the public CA world, certificate consumers almost entirely, if not entirely, treat QWACs and TLS certificates in the exact same way. So I literally, I don't actually need to put a TLS certificate on my server in order to get the lock and to get encryption. I could use a QWAC. And a QWAC isn't a TLS cert, but it accomplishes the same goal from the perspective of how the software treats it. And so that's a thing that is available for people to use internally, you know, Europeans to use on their web servers. And those are the two main ones.

Now there's a whole ecosystem of things around this to make this work. So for instance, there's time stamping. You've gotta have time stamping services. And then there's a whole bunch of rules and regulations around time stamping, right. And Etsy is the organization that works out these standards goes and spends a lot of cycles on time stamping and what are our rules for time stamping and what do you have to do to be compliant?

Another big one is what you call a TSP, or a trusted service provider and a trusted service provider is essentially a CA right? They don't call it a CA. They call it a TSP but it's more or less the same thing. It's the company that is allowed to issue and maintain these certificates and is allowed to have a trusted root. And so TSPs need to get audited. Instead of getting a web trust audit, you get an Etsy audit. And so a lot of this stuff is parallel to existing systems that private industry invented, right. And if you take it back far enough, all of these things were inventions of private industry and pretty much came out of North America in their origins and they have been taken as schemes that are pretty well proven, reliable, robust schemes and they have been shaped by the European Parliament or by Etsy as its delegated standards creator to fit into the specifics of what they are looking for, for this certificate ecosystem within Europe.

Jason SorokoSo Tim, I love oversimplifying, as you know. I'll stumble and fall but here we are. Let's try it.

It really, it looks like the European Union wanted its own version of what was created from the commercial world in North America, in order to have recognition, legal recognition and legal transactional flow amongst all their trading partners in Europe.

They wanted also it to be, you know, bound by rules that are made by Europeans. In other words, things have to be GDPR, compliant, etc., and as well as other rules as well. In fact, Tim, I think there was a recent podcast where you and I talked about some of the verbiage that is buried deep within eIDAS 2.0, which also has some other really oddball and some controversial things that are put in there by the European Union. We will let you guys listen to that podcast separately but it's the European way of doing things that came naturally out of the commercial world in North America.

Tim CallanI think that's definitely right, Jason, is there was a recognition that, you know, this interconnected certificate-based/digital identity-based/PKI-based structure is fundamentally good. We need it. It's here to stay. If you don't do it, you're just gonna, you know, be a dinosaur and at the same time, it is, first of all, it's not necessarily consistent and codified. It's hard to put a lot of rule of law behind it if you don't feel like you can rely on it to be both legally and technically predictable and reliable. And also, at the same time, I think you're right in saying, there's a certain degree of suspicion of things that are being controlled outside of European borders.

And so when you put all of those factors together, you wind up with creating what is essentially a parallel, extraordinarily similar but not identical, parallel and separate PKI and digital identity ecosystem that sits alongside and tracks within copies what the global private industry is releasing and putting into the market, but then also tries to put certain European, what I want to say, spin on it, right, in terms of, you know, aggressive, very aggressive citizen protections, and an enforced Pan European consistency, and things along those lines.

Jason SorokoYou got it, Tim. And so therefore, I would say, you know, is this just another layer of bureaucracy and pain in the butt that doesn't add anything? Well, no, I think it's far better than that. If you're European, if you purchased an eIDAS-based digital signature, and you go through the provisioning process, I would say that you're taking advantage of all the terrific advantages that come with that Pan European legislation. You can now trade with a gigantic trade block, and sign documents and, you know, put your name down. Take advantage of all those things.

Tim CallanAs long as you’re not doing business in Switzerland. Yes.

Jason SorokoWell, hey, read the fine print when it comes to regulation. But I would say that it has far more pluses than it has negatives in the sense that if I was in Europe, I would definitely be acquiring these certificate types and utilizing them and taking advantage of it.

Tim CallanAnd it’s completely consistent with other trends we've seen in Europe with having a common currency, with having open borders, right? Like, it seems a little absurd if I can walk, drive back and forth between countries without being regulated in any way without having to have a passport. If I can, you know, spend the exact same euros in one country as I do in the next country over to able to not do that stuff digitally just feels luddite. And I think it would be and so in that sense, I think if you really want to have a unified Europe, and that's really what you what you want, you gotta deal with it digitally or you're not going to have that.

Jason SorokoTim, that's a perfect segue into eIDAS 2.0 because if you take those document types that you just talked about, right, any kind of signature type, or, or, you know, the equivalent of a TLS certificate and a QWAC, I would say, and all the ecosystem that goes with it, which maps to the way that we know it from the old days of document signing certificates, and SSL certificates, I would say eIDAS 2.0 really - again, this is oversimplifying, but I think it's important to understand it this way - If you actually wanted to carry around attributes about yourself as a European that you could use anywhere in Europe, well, it would be really handy to carry those attributes about yourself inside of, for lack of a better term, a wallet. You know, and one of those attributes about yourself might just be hey, you know, I passed my driver's exam in Latvia, and I want to be able to drive in France.

Tim CallanSure.

Jason SorokoRight. So therefore, we come from a world where, you know, your paper driver's license in your wallet is what we've all had for decades, and if not more, and we're now seeing in North America, hey, there are some states in United States, which you will use Apple wallet to put your, you know, Utah driver's license, and I forget which states actually have this, and, they're utilizing big US tech to be able to do that. And I think Europe looked at this and said, oh boy, we cannot stomach the idea of big US tech, actually having our European credentials, and attributes of our citizens within their technologies. We want to be able to have a solution that is not only recognized in a Pan European way, but also codified within their specific set of laws. And some of that is the right to be forgotten, right. Something that you don't see too much in North America. The right to be able to have complete control over whether that attribute exists or not in the wild, and who gets to see it and who doesn't get to see it. You know, big US Tech - I don't think I trust them to be able to have that kind of law. Europe does, though. They want that. And as well, they want to obviously spur European commercial technologies to be able to engage in these wallets and be able to provide technology for them and all the surrounding provisioning technologies around human beings flourishing in Europe because of the fact that eIDAS 2.0 coming, and it's just going to have this gigantic ecosystem around identity attributes contained within wallets.

And so Tim, I think that's, you know, it's an entire topic unto itself and eIDAS 2.0 in itself deals with some of the rigidity of the first eIDAS legislation with respect to, you know, some of the things that just weren't codified well, to deal with identity wallets. They were perfectly fine for digital signatures and QWACs but when you had a wallet, you actually needed to rewrite certain parts of the legislation and I think that's another important part of understanding what eIDAS 2.0 is. That's why some of the laws have rewritten.

Tim CallanBut also, if you go back in time 10 years, like, yeah, we weren't ready for a digital wallet anyway. So no legislation that was created in 2014 could be adequate to a 2024 digital wallet anyway. Right?

Jason SorokoOh, you got it, Tim. So things change, right. And you and I have said many times on all these podcasts, legislation has a hard time keeping up the technology. eIDAS 2.0 was a refresh.

Tim CallanYep. Yep. It was a refresh. And on the one hand, it feels like every 10 years feels like too long. Like in the tech space 10 years ago was enormous, right? So every 10 years feels like it's not frequent enough. On the other hand, if you're talking about doing something this sweeping and comprehensive, and getting it through the whole European Parliament, faster than that is probably not realistic. And so that's also part of the conundrum you have with trying to do this kind of legislation, which is one of the reasons I continue to remain skeptical of governments who think that they're the ones who can determine how these things will get done.

Jason SorokoYeah. And we talked about that in our previous podcast.

Tim CallanWe talk about it all the damn time.

Jason SorokoYeah. So Tim, I also want to say this is - - eIDAS 2.0 as well, I gotta tell you, this is really big for European businesses. So my goodness, you know, so much stuff in the EU is about the relationship between the citizen and the EU governments. And I think what you're seeing now with eIDAS 2.0 is eIDAS 1.0 really wasn't terribly well put together for the private sector. But I gotta tell you, I think eIDAS 2.0 is finally - - this legislation is going to take identity wallets and say, hey, if you're in Europe, and you're not taking advantage of eIDAS, you know, all the technology surrounding it in your big business, small business, I think you're missing out because your ability now to do business, not just with citizens of your own country, but citizens of the entire EU, talk about, Tim, think about the implication of having a mass provisioned population.

Tim CallanYeah. Absolutely. So, if you’re a European business, if you're a bank, or a phone company, or an e-commerce site, you want to support this, right? Because it just makes it easier. It’s the same reason that somebody would choose to support Passkey, right? It just makes it easier for the people that you want to do business with you. It's a competitive advantage, right? It's a commerce enabler. Now, if I'm a global company, or if I’m somebody outside of the borders of Europe, but I want to deal with European citizens, like, say, an e-commerce site, I'm also motivated to support these wallets. Because if I want you to buy from me, and you have to do something different and you can't just use your automatic digital signature in your digital wallet but instead, you're stuck doing something the old fashioned way, you're typing in a credit card, and you're all leery and concerned and worried, then that becomes an e-commerce inhibitor as well. And so you can start to see how that much of a population being supported by that one platform gives it legs to extend beyond that, the same way that people use LEIs outside of Europe. The same way that we all have had to change our behavior because of GDPR. Or even you take it a step further, and you could see others taking a lesson from Europe and doing the same thing. And in this case, I look for CCPA, right, the California Consumer Privacy Act or Protection Act is inspired by GDPR. It's not a clone of GDPR but it definitely was inspired by. And so you can see things going in that direction too where other jurisdictions put their own things in place.

And then one of the differences between the CCPA and GDPR thing and the digital wallet is you want these things all to be interoperable. So yes, you could see, just by virtue of the degree of the platform, the number of citizens that fall under its control that this could be the critical mass you need to extend some kind of comprehensive digital wallet scheme that can grow beyond those borders, and perhaps eventually be a global thing.

Jason SorokoYou got it, Tim. And I think I think it will become, you know, you're going to have these kinds of technology sets globally in the future. It's just the way things are going to go, and I think businesses will demand it. I think governments have to step in and write legislation around it and control it.

I think Tim, there's just one other piece to eIDAS 2.0 that I want to touch on. We haven't yet but I think it's important. You know, it's a bit of an elephant in the room and that is blockchain.

And I want to talk about what the identity wallets. What they're prescribing is the usage of a self-sovereign identity.

Now, that gives you a lot of important things. And I'll call out one of the most important ones which is, let's say you are exposing an attribute about yourself to a bank or to a telecom company or to who knows - a florist down the street. And you know, with a lot of crude technologies, you might have to expose a lot of information about yourself, you know, your address, where you went to school, your full name, etc. And I think what's interesting about self-sovereign identities is that one of the things about them that's great it within a wallet context is you can minimize the amount of information you expose about yourself to the minimum that is needed for the transaction.

Tim CallanGot it. Right.

Jason SorokoAnd there's a lot of other things about SSI or self-sovereign identities. And in fact, Tim, that could probably be a whole podcast on itself.

Tim CallanYeah. Let’s do that.

Jason SorokoYeah. There are at least 10 principles of SSI that are important to note. And they are really, really closely tied with the concept of digital identifiers or DIDs. We've talked about DIDs previously on this podcast, but I think it's worth talking about SSI and DIDs down the road because if you really want to understand to eIDAS 2.0 in the wallets and the way in which they're constructed, the ecosystem in which that they will live, it's those things but the elephant behind all this stuff - it's blockchain.

Tim CallanYeah. Okay. Okay. So once again, blockchain. Blockchain and PKI are not the same thing and you've argued in the past that they're opposites, but they are intertwined. And they're destined to always be intertwined.

Jason SorokoAnd they are absolutely intertwined. And I think that eIDAS 2.0 and the identity wallets, you know, Tim, it's just like the same way in which cryptocurrencies have an intertwining of an address that is a PKI based concept, right. It's essentially a key pair and the address itself is the public portion of the key. And the rest of the record keeping is blockchain based, right. So you have your gate, you have your identity, and then you have your ledger. And I find it fascinating that identity wallets have a similar spin on those ideas. And I don't think we've ever, Tim, on this podcast, ever put it all together about this intertwining because I think it's taken blockchain an awfully long time to, you know, to get beyond the cryptocurrency world and I think with eIDAS 2.0, we're going to start to see it more. It's worth talking about how PKI and blockchain intertwine.

Tim CallanAll right. So as we do so often in these conversations, we cover a topic, and we wind up with two more topics we want to talk about. It’s a hydra and it's being a hydra again. So I think that's probably maybe a good place to leave it for now, but I think we'll be returning to this. Don't you think, Jay?

Jason SorokoOh, we absolutely are, but there's a primer on eIDAS 2.0, where it's going and, you know, an introduction to stay tuned, because there's plenty more here.

Tim CallanAll right. Plenty more. That's good news because we love doing this and we love talking about this stuff. So thank you, Jason.

Jason SorokoThank you, Tim.

Tim CallanThank you listeners. This has been Root Causes.

Stay informed with expert insights

Subscribe to Root Causes for engaging discussions on PKI, digital security, and best practices for protecting your organization's critical assets. Don’t miss an episode!