If we want to know more about trust services and take a look at the eIDAS regulation, we can see that it sets very high-level requirements – we get the main idea, but if we want to understand specific aspects of the topic, we need to look for them elsewhere. For additional legal provisions, we may check the legislation of the specific member states, and for the technical aspects, we have many European norms, standards and specifications. In Europe, one of the biggest standardization organizations is ETSI; its Electronic Signatures and Infrastructures (ESI) committee has standardized almost all important trust service aspects since eIDAS came into force. However, one field had been left unstandardized for a while: identity proofing, the process of verifying the identity of an applicant.
Identity proofing itself is not a trust service – since it is not defined as such by the eIDAS regulation – but a trust service component, and providers' practices for it differ in many ways. We have heard that certain providers even had security gaps in their processes due to the lack of published identity proofing security aspects. To achieve harmonization in Europe, a need arose for a standard way to provide identity proofing securely.
To address this, an ETSI specialist task force, STF588, was set up in April 2020 to develop two documents about identity proofing: a Technical Report survey and a Technical Specification about policy and security requirements.
The first document was published in December 2020 under the title ETSI TR 460 – Survey of technologies and regulatory requirements for identity proofing for trust service subjects, and it contains an overview of identity proofing-related technologies, legislation, specifications, guidelines and standards. If we want to get familiar with identity proofing, this might be the place to start.
The recently published second document, ETSI TS 119 461 – Policy and security requirements for trust service components providing identity proofing of trust service subjects, in contrast contains specific recommendations about how to identify trust service subject-applicants in a secure manner. The specification was written to cover the relevant aspects of all potential use cases in order to prevent imposters from stealing an identity. Its provisions include, for example, requiring video streams and only allowing real-time, in-hand presentation of physical documents during remote identity proofing, or requiring automated analysis and machine learning technology for validation. A comprehensive list of identity proofing-related threats is also published in Annex B.
In summary, ETSI has yet again done a great job covering another eIDAS-related topic and enhancing European trust service security altogether. Like all documents, this one may also need minor updates in the future, but the present form is a great way for trust service providers to assess their secure operations.