December 2017

How do you explain LIGHTest?

Since meeting with the project team and some of its members in Graz, I found myself struggling with this. Not only at work, but also at some eIDAS-centric (electronic IDentification, Authentication and trust Services) meetings I attended, where people are talking about EU trusted services.


The main efforts of establishing a single digital market are directed at removing impediments to performing online cross-border transactions by qualifying e-ID, authentication, signatures and seals, and finding mechanisms such as eIDAS for accepting the qualifications.


Many people involved in this think that eIDAS (and maybe also a project like FutureTrust) will generate all that is needed to achieve this - it facilitates qualified services and the only stuff needed to use it would be tooling for validation of these qualifiers. They’re trying to convince software vendors to incorporate these validation mechanisms into their applications (operating systems, web browsers, mail clients, document readers). Until full cooperation on this is gained, there’s work on plug-ins and standalone applications for performing these checks and validations. If stuff turns green or shows a picture of a pretty seal or lock, it would prove qualification and establish trust.


What does it mean when something turns green? It shows you how you can trust a transaction. It typically shows validation that a coherent and consistent set of data has been established. This could be, for example, a document (proven unchanged) signed with a valid signature, based upon an identity (with specific attributes), issued by a qualified or recognised service provider and bound by a specific policy.


Where’s the need for LIGHTest? What more would you possibly want? And please bear in mind that all this already is a huge amount of work to establish in itself.


What’s still needed is a mechanism to show why a transaction can be trusted. A valid signature by an asserted person or organisation isn’t enough. I’d really want to know whether I can trust both this asserted person and the entity or entities certifying the assertion and the signature. This sounds like highly personal preferences in trust, but in everyday business this mostly comes down to whether a person or organisation is qualified to make specific assertions. If the signature relates to a document, would the person or organisation signing that document be qualified to state whatever is in its content? And who vouches for this type of qualification?


Although this is almost inconceivable in the EU, not everyone will blindly trust eIDAS. Keep in mind that a person is not their e-ID and an organisation is not their certificate, however many qualifications you attach to them. The General Meeting in Graz was a great experience to engage in all the perspectives that LIGHTest touches upon - a lot of technical stuff, many legal issues and a good deal of communication. Although the heart of the project is about getting stuff functioning and building it to work, maybe the toughest part will be conveying the value of the results, both during the project and after finishing it. I believe the Advisory Board should keep a special focus on this.


So, my question to you all is: How do you explain LIGHTest?


Author: Esther Makaay, Services Architect, SIDN, Netherlands