We at Wesentra have delivered SSL/TLS certificates and document signing solutions for our European customers. Now we are also starting to get requests from governmental organizations for SSL/TLS certificates compliant to eIDAS regulation. Typically the request would say ”A non-qualified solution is acceptable”. What does this mean? It is obviously time to dig into eIDAS and try to understand how we can serve our customers better also in this area. Please feel free to join my journey 🙂
To start with site Connecting Europe seems sensible.
Here I find a link to an article to my liking: promising concrete stuff and not more legal text. Let’s try this.
Hey – here is a ”a video explaining eIDAS in under 3 minutes”. This is for me 🙂
I particularly like this part of the video (screen shot below): ”Website Authentication Certificates, WACs, are electronic certificates that prove to your customers that your web site is trustworthy and reliable.” There is a hot debate in the SSL/TLS certificate market if it is important for the user to see the identity of the web site producer. Or is it enough just to have the encryption. At least I like to be sure that I am not at some phishing site and I like to see that a reliable third party (CA, Certificate Authority) has checked the producer of the web site. To me at least at this phase it seems that eIDAS shares my view.
From the same site I find also a link to eIDAS Toolkit for SMEs and here is a useful text:
What is eIDAS?
eIDAS stands for electronic Identification (eID), Authentication and Trust Services. The eIDAS Regulation established the framework to ensure that electronic interactions between businesses are safer, faster and more efficient, no matter the European country they take place in. eIDAS is a European Regulation that creates one single framework for eID and trust services, making it more straightforward to deliver services across the European Union.
and later in the same text:
Electronic identification
Electronic Identification (eID) allows businesses and consumers to prove electronically that they are who they say they are and gain access to services or carry out business transactions online.
eID can be used in both business-to-business and business-to-consumer transactions. eID provides business with the opportunity to carry out stronger checks on the identity of customers and other businesses. …
The use of national eID systems in cross-border business transactions between EU countries depends on the stage of notification by each individual EU Member State. …
Under the eIDAS Regulation, all EU countries will have to recognise foreign eID schemes that have been notified to the European Commission and many are already in the process of implementing their solutions. …
OK. This is interesting. What is the status of Finland? Let us see – the texts has a link to Find out if an eID system has been notified in your country. And here I find for example:
Hmm, does not look very impressive for us Finns. Let us study further. On the list of ”Pre-notified and notified eID Schemes under eIDAS” there are 12 EU countries but no mention of Finland? Well – around here we are used to comparing us with our neighboring Nordic countries and Sweden and Denmark are also missing from the list. Phew.
And then there is a list of ”Other eID schemes” (screen shot below). These are obviously national eID systems which have been adopted to use earlier and have not and perhaps cannot be notified to eIDAS. And this seems good. We have been using our national eID system for a long time. It is obviously time to get a system compatible with eIDAS.
All right. Our first leg is complete. It is time to tack (already dreaming here about sailing 🙂 ). On the next leg I would like to understand more about the requirements for SSL/TLS certificates and perhaps also about the solutions being developed by the EU countries.
Thank you for your interest.
More information: info@wesentra.com or https://www.wesentra.com/en