Methics thoroughly went through Eurosmart’s position paper on needed Assurance levels for EUDI Wallets. Methics believes the points raised in this paper are very valid and must be considered by European decision makers. Below are the summary points from the paper.
In the position paper published in January 2023, Eurosmart lays out its argumentation and reasoning to show that there are two meanings of assurance level ‘high’: one from the eIDAS Regulation's perspective, and one from the European Cybersecurity Act (CSA) perspective.
The eIDAS assurance levels refer to Article 8 of the eIDAS Regulation. Eurosmart identified two types of requirements for eIDAS LoA:
- Requirements that relate to procedures (e.g., procedure to enroll the applicant, procedures to revoke and renew the electronic identification means) and do not directly relate to the electronic identification means.
- Requirements that directly relate to the electronic identification means, in particular requirements on how the electronic identification means is managed and on authentication.
Section 1: eIDAS assurance level ‘high’ and CSA assurance level ‘high’
Any potential overlap with the CSA can only concern the second type of requirements listed above.
Put simply, the CSA assurance level belongs to the cybersecurity world and the eIDAS assurance level belongs to the digital identity world.
For example, when a manufacturer wants to demonstrate that a product complies with pre-defined cybersecurity requirements, the CSA-defined assurance level comes into play. When a Member State wants to notify an electronic identification means and needs to indicate the strength of the identity proofing, authentication mechanism, etc., the eIDAS assurance level comes into play.
However, looking at the requirements to fulfill the eIDAS level “high”, one notices a clear overlap with the CSA. Eurosmart states that it can be deduced that if an electronic identification means is certified at CSA assurance level “high” to demonstrate its resistance to “attackers with high attack potential”, it complies with one of the requirements for the eIDAS level “high” (cybersecurity requirement). Eurosmart argues that this is the most effective way of complying with the eIDAS requirement of cybersecurity.
To give a few examples, Remote Signature* (according to eIDAS) requires an EUCC** scheme with a level of vulnerability assessment of AVA_VAN.5 on both HSM and SAM. Or, if the chip of an electronic identity card is certified level “high” (CSA) using the EUCC** scheme with a level of vulnerability assessment of AVA_VAN.5, then it already demonstrates that it can resist “attackers with high attack potential”. Therefore, it fulfils one of the eIDAS level “high” requirements.
*Example by Methics.
**The EUCC scheme is the first European cybersecurity certification scheme, prepared in the context of the CSA. It is based on the Common Criteria methodology for security evaluation.
Section 2: eIDAS2 needs eIDAS assurance level ‘high’ and CSA assurance level ‘high’
Eurosmart believes that the Wallet should fulfill the requirements of the eIDAS assurance level “high” for the enrollment and on-boarding process. Currently, the eIDAS toolbox document states that both ‘substantial’ and ‘high’ could be accepted for on-boarding. If on-boarding at the level of assurance “substantial” is allowed, it will lead to a situation where there are two types of Wallets:
- Wallets on-boarded with LoA ‘substantial’, which can only be used up to the level of assurance “substantial”
- Wallets on-boarded with LoA ‘high’, which can be used up to the level of assurance “high” (including “substantial”)
This will fragment the identity wallet market. Allowing level of assurance “substantial” for enrollment and on-boarding would hinder large-scale interoperability and impede Wallet uptake in Europe. To avoid fragmentation, Eurosmart favors a level of assurance “high” for the on-boarding of the European Digital Identity Wallet.
From a technical standpoint, Eurosmart strongly believes that meeting the eIDAS level “high” requires relying on the secure element of the smartphone or the user’s identity card. Secure elements provide the safest place for cryptographic keys.
Read the Methics blog about using a phone as QSCD/SSCD for the EUDI Wallet here.
Moreover, Eurosmart calls for mandatory certification of the European Digital Identity Wallet:
- Pursuant to a CSA cybersecurity certification scheme level “high” and
- Demonstrating its resistance to “attackers with high attack potential” or, if such a scheme is unavailable, using a national scheme that provides an equivalent security level.
- In particular, when using the EUCC scheme, the Wallet shall be security certified with a level of vulnerability assessment of AVA_VAN.5 pursuant to the Common Criteria, to ensure its resistance to “attackers with high attack potential”.
It appears that the demonstration of compliance of electronic identification means, including the Wallet, with the requirements of eIDAS assurance level “high” could leverage cybersecurity certification at assurance level “high” under the CSA.
A harmonised security approach shall rely on dedicated “security profiles” to address the specific security features of each component of the system. Eurosmart recommends using the already existing Protection Profiles (PPs) for the required feature.
Lastly, Eurosmart recognizes what Methics has been advocating since first reading the final outline version of the ‘European Digital Identity Architecture and Reference Framework’: the EUDI Wallet should be able to produce a Qualified Electronic Signature by using a Secure Signature Creation Device. The following PPs can be considered:
- PP for a Secure Signature Creation Device – Part 2: Device with Key Generation
- PP for a Secure Signature Creation Device – Part 3: Device with key import
- PP for a Secure Signature Creation Device – Part 4: Extension for device with key generation and trusted communication with certificate generation application
- PP for a Secure Signature Creation Device – Part 5: Extension for device with key generation and trusted communication with signature creation application
- PP for a Secure Signature Creation Device – Part 6: Extension for device with key import and trusted communication with signature creation application
Methics’ comments
In short, the eIDAS Regulation aims for a high assurance level in order to prevent misuse or alteration of the digital identity. This involves two challenges:
- How we manage identity life-cycle – including enroll, revoke, renew, activate, etc.
- How we use and protect the identity – authentication, signing, security measures, etc.
The second one brings us to the cybersecurity world. So, if we need to protect the identity at eIDAS “high”, we need to comply with CSA assurance level “high”, too. The recommendations are as follows:
- Get the eID means (whether it is a smartcard, app-based signing, SIM/eSIM or secure element) tested to a vulnerability assessment level of AVA_VAN.5 pursuant to the Common Criteria.
- Use level of assurance “high” for the on-boarding of the European Digital Identity Wallet.
- Rely on a secure and tested way to store cryptographic keys which qualifies as “high”, for example using an existing PP for SIM/eSIM or Remote Signature.
- The Wallet should act as a QSCD/SSCD. Read the Methics blog about the Wallet acting as a QSCD here.
This article is an extract from the Eurosmart position paper published on 13 January 2023 with the title 'European Digital Identity Wallet: Why do we need level "high" (eIDAS) & level "high" (Cybersecurity Act)?', with a few additional examples and some comments from Methics.
Publish Date: 6 February 2023
Written and Edited by: Ammar Bukhari & Jarmo Miettinen