What is an Identity Proofing Service Provider for QTSPs and CAs?

What is an Identity Proofing Service Provider for QTSPs and CAs?

An Identity Proofing Service Provider ‘(IPSP’), also called a Registration Authority (RA), is the entity to which a TSP delegates verification of trust service subjects in order to issue document signing certificates. The relevant regulation is found in Specification ETSI TS 119 461 (Policy and security requirements for trust service components providing identity proofing of trust service subjects, which) defines the IPSP acting as a subcontractor to the TSP.  Everything that applies to IPSP applies also to TSP if it identifies people in house.

Why Identity Proofing Matters

Verifying the identity  of the signer is the most expensive and complex part of the document signing certificate lifecycle. 

An accessible low friction and low cost document signing solution is a prerequisite for high rates of adoption of AdES and QES. is. For this reason, we are seeing a lot of demand for IPSP services because without identity proofing TSPs cannot conduct business. The better identity proofing that a TSP has, the more business they can generate.

eIDAS Article 24: Identity Proofing for Qualified Certificates

Validation requirements of identity proofing subjects for qualified certificates are described in eIDAS regulations in Article 24 as follows:

The information referred to in the first subparagraph shall be verified by the qualified trust service provider either directly or by relying on a third party in accordance with national law:

1. by the physical presence of the natural person or of an authorised representative of the legal person; or
2. remotely, using electronic identification means, for which prior to the issuance of the qualified certificate, a physical presence of the natural person or of an authorised representative of the legal person was ensured and which meets the requirements set out in Article 8 with regard to the assurance levels ‘substantial’ or ‘high’; or
3. by means of a certificate of a qualified electronic signature or of a qualified electronic seal issued in compliance with point (a) or (b); or
4. by using other identification methods recognised at national level which provide equivalent assurance in terms of reliability to physical presence. The equivalent assurance shall be confirmed by a conformity assessment body

To clarify these requirements, ETSI has issued technical specification ETSI TS 119 461.

Use cases of identity proofing as described in ETSI TS 119 461 include:

1. Article 9.2.1 Use cases with physical presence of the applicant
   • Most expensive as requires travel and meeting in person
2. Article 9.2.2 Use cases for attended remote identity proofing
   • Expensive because it includes video operator salary cost
3. Article 9.2.3 Use cases for unattended remote identity proofing
   • High friction as high quality document capture is required and also manual validation might be needed after the process.
4. Article 9.2.4 Use case for identity proofing by authentication using eID means
   • Availability of eID means are high and the adoption is increasing. Cost and friction are low.
5. Article 9.2.5 Use case for identity proofing using digital signature with certificate
   • Is a bit redundant as existing certificates could be used to sign documents already. However there are some use cases where it makes sense.

What needs to be done to be an IPSP with eID means?

In the context of eIDAS, the rules in Article 24 must be followed.  As the TSP bears the risk of errors in the process, then they might mandate specific requirements, in which case  ETSI TS 119 461 is a good starting point to  reduce the risk of errors and ensure the entire process is compliant. 

ETSI TS 119 461 also specifies that general operational processes and security must be mostly on the same level as QTSP as described in ETSI EN 319 401 (General Policy Requirements for Trust Service Providers). The scope of compliance with ETSI TS 119 461 is determined by each TSP and its risk appetite.

The lowest risk for the QTSP is if the IPSP has been externally audited  for compliance with the ETSI TS 119 461 specification.

For each identity proofing, evidence must be collected, validated and proof must be issued. For each of these processes, we can find specific points in the specification.

In case of eIDs, each eID Schema validation context must be described separately. This makes the work extra difficult as there are thousands of different eID schemas out there with very different levels of security.

With globalization and extremely fast digital signature uptake around the world, it is getting increasingly important to be able to sign documents in accordance with every regulation in each country. There are around 200 countries in the world and the best IPSP partner can offer trusted eID IPSP services in any country. This way, business applications can use whatever secure eID app that the signer is using and request QES from any regulation needed.

eID Easy’s Vision: Low-Friction, High-Quality eSignatures

At eID Easy, we believe that qualified eSignatures should be accessible to everyone with minimal friction and at a reasonable cost. Our goal is to ensure that if a signer doesn’t yet have a digital certificate, we will find the best and most compliant way to issue one.
Ready to simplify identity proofing and document signing for your TSP? Let’s explore how eID Easy can streamline your processes with our cutting-edge APIs. Book a demo call today or get in touch to discuss how we can help your business grow through seamless identity verification. Click the chat window at the bottom of our website or schedule a time to talk to our team directly!