eIDAS: Qualified Electronic Seals for the Internet of Everything

When we think of digital certificates and signatures, the first applications that come to mind involve financial transactions or other services requiring the signing of formal, legally binding contracts. However, the benefits that qualified electronic signatures/ seals provide under EU law are not at all restricted to only such digital service providers. Today, we explore a significantly different environment facing the same security and trust challenges.

One of the fastest-growing segments of the digital economy is the Internet of Things (IoT), or increasingly, the Internet of Everything (IoE), which has an even broader scope than IoT. Several billion devices utilize this in some way, ranging from internet routers and mobile phones to smart cars, smart TVs, and even utilities like power plants. Ensuring the security of all of these devices (IoT) and the data, processes, and digital identities associated with them (IoE), is of paramount importance.

Safeguarding for the Internet of Everything

Just like people need to prove their digital identities before initiating a transaction, the same principles apply to the billions of connected devices and applications that our society utilizes for its day-to-day operations. Additionally, these devices or applications must be able to authenticate themselves before to transmitting or receiving data or performing specific operations. Access management can then also be performed using these certificates. As per eIDAS, “an electronic seal refers to any data in an electronic form, which is attached to or logically associated with other electronic data to ensure the latter’s origin and integrity”. This provides the required certification of the data's provenance (the source is verified) as well as the integrity of that data (the content has not been tampered with).

Automation and Legal Status

Qualified Electronic Signatures require natural personnel to digitally sign. This meant that automation was not possible with that mechanism. However, this automation can be achieved with qualified electronic seals, and certificates, timestamps, and validation reports may be issued as and when required.

Legally, qualified electronic seals provide the same legal status as physical seals. An example of this might be a ticket-issuing machine. As long as it adheres to the Regulatory Technical Standards mandated under EU law, member states have to accord the appropriate legal status to those tickets.

Thinking Outside the Box

The potential applications of this reach far beyond the limited uses that we see currently, and the only limitation is our imagination. For example, we are already seeing smart and self-driving cars hitting the road, and concerns about their potential vulnerability to hackers are raised. Such risks can be reduced by using qualified electronic seals, which provide origin/ source verification and assure the integrity of the communicated message.

Another example would be commercial airliners, where a team on the ground can take control of an aircraft if the flight crew has been compromised, so preventing unpleasant situations such as the 2015 Germanwings flight or potential hijackings.

As one can imagine, the highest standards of assurance will be required for such applications, and that is where eIDAS-compliant qualified electronic seals come into the picture.

References and Further Reading

• Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, and more

• Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 1) (2018), by Gaurav Sharma

• Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 2) (2018), by Gaurav Sharma

• Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
• REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010(12/2013), by the European Parliament and the European Council

• Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard , Peter Landrock, Torben Pedersen, Dawn M. Turner, and more

• Selected articles on Authentication (2014-today), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more

• eIDAS webinar 1: Using electronic Identification, Authentication and trust Services for Business (2018), by the European Commission
• The European Interoperability Framework - Implementation Strategy (2017), by the European Commission
• Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (2016), by the European Commission

• REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the European Council

• Proposal for a REGULATION concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), (2017), by the European Parliament and the European Council

• Revised Directive 2015/2366 on Payment Services (commonly known as PSD2) (2015), by the European Parliament and the Council of the European Union
• REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission

• DIRECTIVE 2013/37/EU amending Directive 2003/98/EC on the re-use of public sector information (2013) by the European Parliament and the Council