By Stephen Davidson, Governance, Risk and Compliance at DigiCert and Chair of CA/Browser Forum S/MIME Certificate Working Group
The pandemic created a decisive shift to online transactions and remote working that has changed virtually every industry worldwide. Familiar tools, like web conferencing and online transactions, quickly took up the slack of routine tasks. However, the transition was more cautious in regulated sectors and high-value transactions, which historically have demanded face-to-face interaction, including online identity vetting.
Identity vetting is the process of verifying that the identity attributes of an applicant are accurately gathered, validated, and evidenced. In recent years, there has been a growing trend of online identity vetting — or moving the process of identity vetting from traditional, face-to-face methods to digital ones. But the pandemic forced it to the forefront as organizations transitioned to teleworking while still needing to authenticate people’s identities. However, what has been missing are universal standards for online identity vetting that provide the same assurance as face-to-face verification.
In late 2019, I gave a speech at ENISA’s CA Day encouraging the development of clearer standards for remote vetting, not knowing how an imminent pandemic would accelerate interest in this area. In short, COVID-19 restrictions moved the mark hard in favor of remote vetting with EU Trust Service Providers (TSPs) and instilled a sense of urgency among regulators and standards bodies to lay down consistent rules for checking ID and users’ identities online.
Under the European eIDAS regulation, the registering of users by TSPs for many Qualified services requires in-person identity proofing (or the use of methods that provide “equivalent assurance”). However, national standards varied in the technologies and methods allowed in the accreditation of equivalent assurance by remote alternatives to in-person identity proofing.
In part, the regulators’ caution was driven by the burgeoning technology alternatives available for remote vetting, the lack of a consistent international standard for assessing their risks and scarce data on their failure rates. Additionally, regulators debated the requirements for remote vetting to assert equivalence to long-proven standards and protocols for dealing with physical ID documents in person.
As it happens, the EU foresaw this change several years ago, making “trust in seamless electronic identification” one of its priority areas for ongoing development, and the ETSI Technical Committee on Electronic Signatures and Infrastructures (ESI) took up the task to develop additional standards to create consistent identity proofing.
In early 2020, ETSI assembled a specialist task force known as STF 588 to focus on identity proofing (both in real life and online). As a first step, the task force reviewed a wide variety of international technologies, legislations, specifications, guidelines and standards related to identity proofing. From this, the task force created a valuable compendium on identity proofing.
STF 588’s first work product, ETSI TS 119 460 (Survey of technologies and regulatory requirements for identity proofing for trust service subjects), analyzed close to 50 international standards and their respective approaches to the collection and validation of identity attributes, the binding of attributes to applicants and the appropriate retention of evidence.
The second influential work product from STF 588 is ETSI TS 119 461 (Policy and security requirements for trust service components providing identity proofing of trust service subjects), which is currently in draft and due to be published in July 2021.
Although designed for identity proofing for eIDAS trust services, such as TSP issuers of Qualified certificates, the standard will have immediate and broad relevance in electronic identity (eID) and know-your-customer (KYC/AML) processes in various industries worldwide.
To accommodate the wide variety of technologies and novel approaches being used for identity proofing, the new ETSI standard seeks to avoid prescriptive requirements for specific technical solutions while maintaining a consistent level of security across all potential methods. Importantly, the new standard offers consistent guidelines for both face-to-face and remote identification scenarios in terms of reliability and risk management.
Ultimately, the goal is that the new standard can be used for conformity assessment of a Qualified TSP that uses remote vetting or can be used to assess freestanding specialized providers of identity proofing.
The standard aims to be applicable at both the substantial and high levels identified in EU Regulation 2015/1502 (which sets out the minimum technical specifications for eID assurance levels related to eIDAS).
ETSI TS 119 461 will provide much-needed consistency in the regulation of identity proofing by Qualified TSPs across Europe and set an important model for similar schemes worldwide. DigiCert is an active participant in ETSI, and we believe ETSI TS 119 461 is a forthright step that acknowledges that new tools and approaches for identity proofing will evolve rapidly, and lays out a tech-neutral approach to bring them into the fold of trust services requirements.
More importantly, it will help democratize access for individuals and businesses to take advantage of high-assurance online services, by removing friction in enrolling and supporting consistent quality of validation across TSPs and supervisory regimes.