eIDAS Ukraine’s progress and obstacles on the journey to Mutual Recognition Agreement of Trust Services with the EU

Andrii Melashchenko
Mar 31, 2021

Authors: Andrew Dresviannikov PhD, Andrii Melashchenko PhD

The article aims to highlight pain points of the EU-Ukraine Trust Services Mutual Recognition process, raise awareness of existing issues, and trigger expert-level discussion with the objective of overcoming the core obstacles to a Mutual Recognition Agreement (MRA). The report's authors are members of the Digital Transformation Group (DTG), an informal non-governmental group of technical experts involved for over a decade in academia and the regulatory environment concerning trust models.

Introduction

Table 1 contains a short history of the evolution of the Ukrainian Qualified Public Key Infrastructure (QPKI) over the last two decades.

Table 1. History of Ukrainian QPKI

1 https://czo.gov.ua/trustedlist
2 https://zakon.rada.gov.ua/laws/show/z1309-18#Text

3 https://zakon.rada.gov.ua/laws/show/991-2020-%D0%BF?fbclid=IwAR33Qvr7VgFSKaobCb_Epq52WDsdaxjigYx9sduXhpjpFAdR_LzWw1Wbao0#Text
4 https://drive.google.com/drive/folders/1ogkf8g46DQcbOXDnmDQ62qahPBS7a5LO?fbclid=IwAR1zPUJfOOoUHq5yAZIYZKmheyaOvFL9_4ejl88Yo7k5RPz7dIxksqq2EkM
5 https://czo.gov.ua/development

The government eService portal (https://sign.diia.gov.ua/verify) and the Root CA, the Central Certification Authority (https://czo.gov.ua/verify), still don’t have the technical capability to verify ASiC-E with ECDSA. ASiC-E was approved as a government eDocument format in 2018. You can use this Estonia-Ukraine sample document to test the services.
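
As an added illustration (not code from the article or from either verification service), the Python sketch below reads the SignatureMethod of each XAdES signature in an ASiC-E container, so one can tell whether a document uses ECDSA with SHA-256 before submitting it to a validator. It covers XAdES signatures only, requires the mimetype entry as a simplification, runs on a constructed container, and does not validate the signature itself.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

ASIC_E_MIME = b"application/vnd.etsi.asic-e+zip"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
ECDSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
LABELS = {ECDSA_SHA256: "ECDSA with SHA-256", RSA_SHA256: "RSA with SHA-256"}
MAX_SIG_BYTES = 1 << 20  # refuse oversized signature files (decompression-bomb guard)

def signature_algorithms(container: bytes):
    """List (signature file, algorithm) pairs found in an ASiC-E/XAdES container."""
    with zipfile.ZipFile(io.BytesIO(container)) as zf:
        names = zf.namelist()
        # Simplification: require the "mimetype" entry, first in the archive.
        if names[:1] != ["mimetype"] or zf.read("mimetype").strip() != ASIC_E_MIME:
            raise ValueError("not an ASiC-E container")
        found = []
        for info in zf.infolist():
            low = info.filename.lower()
            if not (low.startswith("meta-inf/") and "signatures" in low and low.endswith(".xml")):
                continue
            if info.file_size > MAX_SIG_BYTES:
                raise ValueError("signature file too large: " + info.filename)
            # For untrusted input, parse with a hardened parser such as defusedxml.
            root = ET.fromstring(zf.read(info))
            for method in root.iter(DS + "SignatureMethod"):
                uri = method.get("Algorithm", "")
                found.append((info.filename, LABELS.get(uri, "other: " + uri)))
        return found

def build_sample(alg_uri: str) -> bytes:
    """Constructed container: one data file and one unsigned XAdES skeleton."""
    sig = ('<asic:XAdESSignatures xmlns:asic="http://uri.etsi.org/02918/v1.2.1#" '
           'xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:Signature><ds:SignedInfo>'
           '<ds:SignatureMethod Algorithm="%s"/></ds:SignedInfo></ds:Signature>'
           '</asic:XAdESSignatures>' % alg_uri)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", ASIC_E_MIME)
        zf.writestr("contract.txt", "constructed sample document")
        zf.writestr("META-INF/signatures0.xml", sig)
    return buf.getvalue()

if __name__ == "__main__":
    for uri in (ECDSA_SHA256, RSA_SHA256):
        print(signature_algorithms(build_sample(uri)))
```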

As one may see from the overview, there are two co-existing yet often conflicting paradigms in building Ukrainian Trust infrastructure:

  • Paradigm 1 (>99% of the QTS): based on the domestic ECC cryptographic suite, with full technical dominance, protected by local standards and a well-established business model that sees no need or use in EU integration.
  • Paradigm 2 (<1% of the QTS): technology agnostic (includes ECC), open to fair competition and transparency, based on international standards (ETSI and ISO) and open to International Conformity Assessment.

The comparison seems dramatic at first glance, with strong local opposition to any international agreements. It may also be seen in other jurisdictions with which the EU is discussing MRAs. External influence on Paradigm 1, in our view, is limited by vested domestic business interests mixed up with national security concerns. After all, national governments tend to gravitate towards solutions that suggest domestic control over standards and Conformity Assessment procedures.

Is there a way for Ukraine to gain MRA with the EU retaining the best of both paradigms?

Let’s have a closer look at Ukrainian progress in the context of MRA.

Mutual Recognition Agreement (MRA)

According to the recently published Mutual Recognition Agreement (MRA) cookbook, a third country that is willing to sign an MRA with the EU should pass an assessment against four pillars:

  • legal context
  • best practice
  • trust representation
  • supervision and auditing

Legal context

According to the GIZ-commissioned report, as of 2019 Ukraine had achieved progress in implementing EU Regulation 910/2014 in local law. The report also concluded that further work was required in harmonising the rules and legal principles for the use and cross-border recognition of trust services. UNCITRAL and the eIDAS Regulation can be seen as recognised benchmarks. Barriers remain in different legal provisions of the implementing decisions, in particular those related to the supervision and auditing pillar.

Technical standards

Ukrainian Government Decision № 992 sets the requirement for trust services to be guided by the ETSI and ISO standards. There are many commonly used international standards around PKI-based trust services, and ambiguity may arise from the many possible interpretations, divergent implementations, and different levels of detail between, or sometimes within, these standards. It should be noted that, for the purpose of meeting the MRA, the ETSI standards possibly provide the best fit, as they are internationally adopted standards that provide a globally applicable set of best practices.

Trust representation

According to the MRA cookbook, there are a number of ways to achieve interoperability and means for representing trust (e.g. root stores, trusted lists, mixed & bridges). Third-country PKI schemes aiming to achieve mutual recognition with the EU are encouraged to map their trust representation. The Ukrainian Root CA already meets this requirement by publishing the Trust List at https://czo.gov.ua/trustedlist. Enhancement of the technological aspects of trust list operations and further integration may, however, be needed.

Supervision and audit

The main difference in trust services auditing practices between Ukraine and the EU countries lies in the set of standards that guide such conformity assessment. For the EU CAB, it is a combination of ISO 17065/21 and ETSI EN 319 403-1. For 3rd countries, however, the MRA cookbook states, quote, “no standard is mandated, and no standard may be mandated, under the eIDAS Regulation, in relation to QTSPs or QTS to be granted a qualified status”. Ukrainian QTSPs are free to implement any standard, or they may choose to implement no standard at all, provided they can demonstrate that they and the QTS provided meet the requirements of the eIDAS Regulation. However, quote, “it is essential for concluding an Art.14 eIDAS MRA that the normative criteria against which the 3rd country TSP/TS will be assessed meet or even exceed the requirements of eIDAS applicable to EU QTSP/QTS”.

Figure 1 presents a block visualization of the rather complex conformity assessment approach described in the ETSI standards, which accounts for issues such as impartiality, freedom from conflicts of interest, freedom from bias, freedom from prejudice, neutrality, presence of objectivity, and certification scheme scope, also confirmed by the Conformity Assessment Committee (CASCO).

Figure 1. Trust services conformity assessment according to the ETSI standards

So is it possible for 3rd countries to expand and finalise the EN 319 403-based scheme by establishing a national, harmonised certification scheme? In principle it is possible, but in practical terms domestic analogues of internationally recognized conformity assessment are already in place and operational (see Figure 2), so for the purpose of an MRA one may consider the alternative of using EU-accredited CABs compliant with ISO 17065 and ETSI EN 319 403 to attest those QTSPs that wish to comply with eIDAS Article 14.

Figure 2. Ukrainian “Positive Expert Opinion” Certification Schema of State Service of Special Communication and Information

The above logic raises the following issues:

Already established processes and procedures for certification in a 3rd country may be under the sole control of the National Supervisory Body, in the case of Ukraine the State Service of Special Communication and Information; the latter is also likely to be set as the CAB (Figure 2). Such a Trust Services oversight and Conformity Assessment scheme is unlikely to meet the requirements of ISO 17065 and ETSI EN 319 403.

The use of an EU CAB for conformity assessment of 3rd country QTSPs raises the question of market access reciprocity. If successful in obtaining an EU MRA, a 3rd country pledges to open its market to all EU-based QTSPs and QTS, while at the same time only CAB-attested local QTSPs are able to access the EU market. Assessing the fairness is not a subject of this review; however, it should be noted that this matter forms additional resistance to an MRA with the EU from 3rd countries and has not yet been duly addressed.

Conclusions

Ukraine made progress in implementing requirements of the Mutual Recognition Agreement in areas of a) legal context, b) best practice and c) trust representation. On the matter of supervision and auditing, however, there are concerns that remain to be resolved.

Concerns are as follows:

  1. Conformity Assessment actions set in the EU-Ukraine Joint Working Plan on Trust Services are poorly understood and, at the implementation stage, may represent a significant risk to the MRA process as a whole
  2. Discriminatory malfunctioning of government online e-signature validation services (https://sign.diia.gov.ua/verify and https://czo.gov.ua/verify) against qualified electronic signatures (QES) based on international standards (ETSI and ISO)
  3. Discriminatory exclusion and/or malfunctioning of international e-signatures and document formats (ASiC-E), and cryptography suites (like SHA256 with ECDSA) some 3 years after the issue was first flagged
  4. Systemic conformity assessment issues with acceptance of qualified signature (or seal) creation devices (QSCD) in Ukraine
