Uba, many thanks for the kind words. Of course. Yeah. Now we jump into the wonderful world of standardization and of course it's a special chapter, it's a European standardization. I'm active in this field nearly since 25 years and by a quite good motivation because before I was working on German level for building trust service and it was so boring to do it in that strict way how we German are used to do this thing. So I really enjoyed to work on European and international level. Last week I went to Tokyo to the cloud consortium or I'm also with the CA/Browser Forum.
Sometimes not so loved by our browsers, more by the TSPs. But of course there's the main motivation is to get also global acceptance for European norms and standards. And this is the marketing picture for ETSI. Of course everybody uses a mobile phone and of course a lot of the interoperability is built on ETSI norms. So it doesn't matter that it's called European. Nobody has problems except NIST standards National. We have here European standards. Okay. And we have a lot of cooperation and I'm doing the task voluntary.
So it's, it's just an honor to, to do these things like that as the ETSI ESI vice chair. And yeah, let's see what we are doing with all we supporting the I system, not only on the level of interoperability, it's also on the level of trust. That means of course we have a level of protocols. Do we have to find the certificates? We have to define legal identities or personal identities. But of course you have also to have something like a common policy, how to issue your certificates, how to build trust.
And it's not only about the trust, it's also about compliance, about GDPR or compliance about the handicap. People can get access and a lot of these requirements are stuffed into the ETSI norms. They're called policies. If you count it, it's 530 requirements. And this kind of security system using this kind of requirements is not based like an ISO 27000. I have done a mistake.
Okay, let's do plan, check, act, check that it doesn't happen again. It's quite stricter. It's an audit based on IO 60 0 65. So it's a much more complex audit system that is behind. And so you can see on the bottom of the pyramid of course you can see that are the standards and of course the best practices. But of course there's also complete audit procedure defined how to produce qualified services. And of course up top of it you have a supervision system. This is done by national bodies, for example, Bundesnetzagentur or other bodies in Europe.
And then of course you have this trusted list and it's this technology is based on still on X.509. So we have the CA certificates of the trustworthy trust service provider in this trusted list. And if somebody is compliant to it, he's allowed to get this wonderful trust law. That's the eIDAS system we have up and running since 2016. So the first eIDAS was in 2014 and since 2016, the most of the European trust service provider if they're qualified work under this scheme.
Okay, we talked a lot about of eIDAS. I think it's important to take into account that we have new services. Of course on the right side you have the service, we know already very well, but of course we have new service like attribute attestation, archiving service, electronic letters, that's important to account. And on the authentication area on the top of course you can see we have new online services that has to be accepted by the very large operators. So that means the authentication by the wallet has to be accepted by the very large operators.
And of course we have the eID in the wallet that we already discussed in many flavors today. Okay, let's see about the ETSI system and of the CEN system. So that is looks like little like a puzzle. And that was a lessons learned when we had the European directive for electronic signatures, it was in year 2000, 2001. We had a directive on electronic signatures and all the national states implemented by their own. And that was really a puzzle without any picture on it.
So in 2010 when it was decided under the wise guidance from Andrea Vidia, he retired actually under the wise guidance of course he say, I want to have a big picture of how to put the things together. And this is the picture the European Standardization organizations at CEN are working under.
Okay, maybe it's a little bit too much to explain. The funny thing is just to say about somebody saying we are missing so many standards. Don't trust him. We have a lot of standards and policies and everything is fine with it, but of course it's, it's now of course it's 10, 15 years old. Some of there's a good evolution, but most of them based on the X.509 technology. So we'd have to do a technology shift for this kind of standards and put them into a new world, make maybe OpenID for Verifiable Credentials or maybe MOC or maybe other containers for trustworthy attestations.
But all the policies, the audit systems, we should be aware not to change too much. That's one of my, my takeaways and of course what we adopted also in the system, you can see it in the left upper corner of course we support PSD2 and of course we have an European norm that's also already included the actual requirements from NIS2. So there's a complete set of policies we can use for it. Okay. This is a picture that a puzzle that we made for us how to deal with eIDAS 2. And of course we have this updated regulation.
And to be honest, of course it's it's, it's wrong to write eIDAS 2. Of course we have now a better legal correct wording for it, but it's easier to explain. And so we have this complete framework we already discussed as our architectural reference framework. And then of course you can see we take to account as the existing industry for building standards and takes them into account. So there's written recognized standards for mobile identities. That's all myd connect and of course recognized standards for mobile signatures.
That's of course Cloud Signature Consortium we really want to cooperate with. And of course from their output of course then we want to build up new standards for trust service supporting the European digital identity wallet. And then of course my colleagues of CEN are doing also a lot of things, but it's on their own to present it.
Okay, here in the middle we have the picture as was done by Vicky I think. So we have the European wallet with the yellow framework and the yellow PID. That means this is issued by the state and of course the other windows inside this nice smartphone. Of course there are attestation that can be issued by private providers. So we have the need for an authentic source. We have attribute attestation provider, we have a PID, we have electronic signature provider and a trust anchor provider. And on the other side, the relying party. Yeah.
And of course we cut our existing standards and of course specified new ones. I think it's a little bit too late to explain it in detail, but we are still as a procedure to update it. And of course for attribute attestation providers, we are quite convinced that we can have the correct policies and suggestions until the end of this year. So we can have within the next year a complete European norm to describe it. And you can find here the numbers, a lot of the documents are publicly available. Okay.
Then of course for the electronic signature, and that is one that is really under time pressure because we have an implementing act to define how the European digital identity wallet can be used for qualified electronic signatures. And this is of course here that we want to do an eIDAS update and also to have a Cloud Signature Consortium update to put their input into. And of course we have to define something like the TSP interface to the wallet, but the good news is the group of experts around 40, 50 people at ETSI ESI. So most of them have more than 10 years experience how to deal with it.
So that's nothing new for us. Okay. Then we have the discussion about trust anchors and of course we have the trust list. The trust list was invented in the year 2001 in the UK at a meeting at the Department of Trade and Industry where we had the discussion about who will own the European root. And we agreed about we will never have a root for national states in Brussels. So we discussed what are the alternative in 2001. And the alternative is of course something like a trust list. Bridge is another alternative. But we decided to have a trust list. But that has really to be updated.
But there is a caveat with a trust list. It's inside XML data and the number of entries of course is limited. It's not something you can work with like certificate transparency where you have maybe a hundred thousand or millions of entries. The XML data here is limited. So maybe a TSL is working good with 300, 500 entries, but it's not suitable for 1000 or something like that. Okay. Then of course how to deal with the relying party. And of course we have heard before in the lecture we have maybe 3 million companies relying parties or maybe 30 million in Europe.
And of course how to identify them and how give them the authority and the access to the data of the wallet. And that's still an open issue. We have a quite good approaches in the ARF 1.4, but I think it isn't the final solution. Let's see how we deal with it. What's the expert group produce in the near future? And of course important for it is also the qualified website authentication. We discussed it, it's a browser war.
This discussion about do the people in Europe trust GLO more globally to maybe Google that their encryption is more trustworthy or is it a trust service provider that is certified or qualified by a supervisory body and a certification audit body? So where does the trust comes from? And that's really a tricky discussion and there's no simple answer. Okay? So you don't have to read it. The good news is, so we will produce until the end of this year, 10 new documents to cover the requirements of eIDAS 2. And of course in the next year we do some updates.
So we think we are quite good way to put into practice, but of course always take in account it's not about the protocols. That's a simple task. It's of course, and yesterday was a wonderful lecture from A to F about the quality of the protocols, but of course it's also about the quality of the policies. And we have also here Trust over IP doing this kind of policies how to conduct the business. But the difficult question is really of course, who's doing the auditor and who's qualifying the auditor to do an audit? And we hopefully covered with it. This is an old picture.
I jump over it because it's a new ARF, it's more actualized. So let's see. So we have a quite strict schedule. The first task is already done. So on the 1st of June we had to have the InUp phase. That means no national body opposed against the update of this European norm 319 401. That is the basic requirements for issuing eIDAS services. And we now incorporated the NIS2 requirements. That means there's a special chapter about the value chain and software bill of materials and disaster recovery, all the things we didn't have incorporated before.
Then of course we got the commitment from the commission go that way forward. That was end of December, but we didn't get any funding or things like that. So there's still to be some discussion with the commission about to get something like a mandate for it. So just to remember, look back in the year 2014, CEN and ETSI got a mandate from the European Commission, mandate 460. So there was a joint cooperation, the clear procedure, how to produce the new documents. We would be happy if there would be a new mandate for it. Then of course this is an invitation for you.
We have will Meghan workshop in Sophia Antipolis, that's near Nice, at the ETSI headquarter together with CEN and discuss this standardization issues in detail. So if you're really keen to understand what will change in the policy or what are the requirements for qualified signature done remotely by European digital identity wallet, we will discuss it in this two and a half days from 10th to 12th of September. And of course, so we have to specification ready in the first quarter. And of course the proof of the pudding is the eating. We do also plug tests.
That means really to have an end-to-end interoperability and check how does it works together. So just a final slide. That's also something we have done here in Germany, here in Berlin, but all over Germany, you can see it was a showcase program for secure digital identities. And that was really a three years program that will end of this year. And we really tried to deal with self-sovereign identities of course, and also with approaches to issue identities non on national level. Maybe just ask your manageability for identities to in that way. And we learned a lot.
And one of the most important is use existing roads. So if somebody wants to reinvent the wheel again, it's an issue. And the second one, I skipped the others, is public private partnership. So it's not good if the public sector really tries to do everything by its own. We have this thing with the German eID system. It's up and running since 2010. It's really secure, but the promotion is completely missing. And to promote service like that, that is of course a good thing for a private partnership.
Okay, thank you very much. See you in Nice. If you're interested in, it's free of charge, but it's only really for people who are interested in complete complex technical things. Thank you very much. Thank you. Thank you. So we've heard a lot about very complex things. First of all, legal texts and of course the European legislation is sort of referencing each other and annexes and you never know which version and amendments. That's very complex to navigate for a company. But also standards are, I saw your slide, which was mentioning a lot of standards.
If you combine the two, you have a very complex landscape. Yeah. How should any business start getting their head around this? I as a sort of half knowledgeable person, couldn't. So maybe how would they do it?
As you, as a lawyer, it's important to have the teleological approach, not theological teleological approach. What does the lawyer, the guys who made the law, what was their intention? And that's always important to know. And that helps also to put it into, to the norms. In my understanding, the user of the digital wallet should, it shouldn't care about the law or shouldn't care about the norms. It should just work. And also the implementers, it should be quite easy. So this complexity should be reduced in between the standardization. Quite often standardization raises the complexity.
I really hope we can reduce it. Yeah.
So people, we need a lot of people like you who are helping us to simplify. We do our very best. Okay. Thank you so much. Thank you. It was a pleasure. Thank you.