A trust service provider (TSP) is a person or legal entity providing and preserving digital certificates to create and validate electronic signatures and to authenticate their signatories as well as websites in general.[1][2] Trust service providers are qualified certificate authorities required in the European Union and in Switzerland in the context of regulated electronic signing procedures.[3]
The term trust service provider was coined by the European Parliament and the European Council for the authority that provides non-repudiation in a regulated electronic signing procedure. It was first introduced in the Electronic Signatures Directive 1999/93/EC, initially under the name certification-service provider. The directive was repealed by the eIDAS Regulation, which applied from July 1, 2016.[2][4] A regulation is a binding legislative act that all EU member states must apply.[5]
The trust service provider has the responsibility to assure the integrity of electronic identification for signatories and services through strong mechanisms for authentication, electronic signatures and digital certificates. eIDAS defines the standards for how trust service providers are to perform their services of authentication and non-repudiation. The regulation provides guidance to EU member states on how trust service providers shall be regulated and recognized.
A trust service is defined as an electronic service that entails one of three possible actions. First, it may concern the creation, verification or validation of electronic signatures, as well as time stamps or seals, electronic registered delivery services and the certificates related to these services. The second action entails the creation, verification and validation of certificates that are used to authenticate websites. The third action is the preservation of these electronic signatures, seals or related certificates.
To be elevated to the level of a qualified trust service, the service must meet the requirements set under the eIDAS Regulation. Trust services provide a trust framework that allows electronic transactions between participating EU member states and organizations to be conducted on a continuing basis.[1][6]
The qualified trust service provider plays an important role in the process of qualified electronic signing. A trust service provider must be granted qualified status by a supervisory body before it may issue qualified digital certificates, which can then be used to create qualified electronic signatures. eIDAS requires that an EU Trust List be maintained of the providers and services that have received qualified status. A trust service provider is not entitled to provide qualified trust services unless it is on the EU Trust List.[1][7]
Trust service providers on the EU Trust List are required to follow the strict rules established under eIDAS. When issuing certificates they must record accurate date and time information, and certificates that are no longer valid must be revoked without delay so that signatures relying on them can be rejected. The EU obliges trust service providers to deliver appropriate training for all personnel they employ. They must further use trustworthy systems and products, both software and hardware, capable of preventing forgery of the certificates they issue.[1][2]
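The validation a relying party performs under the rules above, that is chaining the signatory's certificate to a provider on the trust list, checking that the certificate was valid at the time stamped on the signature, and honouring the provider's revocations, can be shown with Go's standard library. The following is an added example; it is not code from this page, from any trust service provider, or from eIDAS conformance software. The root CA, the signatory's name, the dates and the single-root "trust list" are constructed, the Fixture, Validate, Revoke and Sign names are this example's own, and the signing time passed to Validate stands in for the time a qualified time stamp would assert. It goes one step beyond the text by showing that a signature dated before a revocation still validates while one dated after it is rejected; real validation policies refine this (for instance by revocation reason), which the example omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Fixture plays the qualified TSP of a toy trust list: the root that relying
// parties trust, the signatory certificate it issued, and the CRL it publishes.
// Every name and date below is constructed for this example.
type Fixture struct {
	Root, Signer       *x509.Certificate
	RootKey, SignerKey *ecdsa.PrivateKey
	CRL                *x509.RevocationList // nil until Revoke is called
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tpl with priv under parent and returns the parsed certificate.
func issue(tpl, parent *x509.Certificate, pub *ecdsa.PublicKey, priv *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tpl, parent, pub, priv))))
}

// NewFixture issues a ten-year root and a one-year signatory certificate valid
// from `issued`. contentCommitment (formerly nonRepudiation) marks a signing certificate.
func NewFixture(issued time.Time) *Fixture {
	rootKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example QTSP Root (hypothetical)"},
		NotBefore: issued, NotAfter: issued.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := issue(rootTpl, rootTpl, &rootKey.PublicKey, rootKey)
	signerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	signerTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice (hypothetical signatory)"},
		NotBefore: issued, NotAfter: issued.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	}
	return &Fixture{Root: root, RootKey: rootKey, SignerKey: signerKey,
		Signer: issue(signerTpl, root, &signerKey.PublicKey, rootKey)}
}

// Revoke publishes a root-signed CRL revoking the signatory's certificate at `at`.
func (f *Fixture) Revoke(at time.Time) {
	tpl := &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: at, NextUpdate: at.AddDate(0, 0, 7),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: f.Signer.SerialNumber, RevocationTime: at}},
	}
	f.CRL = must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tpl, f.Root, f.RootKey))))
}

// Sign returns the signatory's ECDSA P-256 / SHA-256 signature over data.
func (f *Fixture) Sign(data []byte) []byte {
	h := sha256.Sum256(data)
	return must(ecdsa.SignASN1(rand.Reader, f.SignerKey, h[:]))
}

// Validate does what a relying party does: the bytes must verify under the
// certificate's key; the certificate must carry contentCommitment, chain to the
// trust list and be inside its validity period at signingTime; and it must not
// have been revoked before signingTime (the time a qualified time stamp would assert).
func (f *Fixture) Validate(signer *x509.Certificate, data, sig []byte, signingTime time.Time) error {
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, data, sig); err != nil {
		return fmt.Errorf("signature does not verify: %w", err)
	}
	if signer.KeyUsage&x509.KeyUsageContentCommitment == 0 {
		return fmt.Errorf("certificate lacks the contentCommitment key usage")
	}
	roots := x509.NewCertPool()
	roots.AddCert(f.Root)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: signingTime,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("chain validation at %s failed: %w", signingTime.UTC(), err)
	}
	if f.CRL != nil {
		if err := f.CRL.CheckSignatureFrom(f.Root); err != nil {
			return fmt.Errorf("CRL not signed by the trusted root: %w", err)
		}
		for _, rc := range f.CRL.RevokedCertificates {
			if rc.SerialNumber.Cmp(signer.SerialNumber) == 0 && !rc.RevocationTime.After(signingTime) {
				return fmt.Errorf("certificate revoked at %s, before signing time %s", rc.RevocationTime.UTC(), signingTime.UTC())
			}
		}
	}
	return nil
}

func main() {
	issued := time.Date(2024, 3, 1, 12, 0, 0, 0, time.UTC) // constructed issuance date
	tsp := NewFixture(issued)
	doc := []byte("constructed contract text")
	sig, signedAt := tsp.Sign(doc), issued.AddDate(0, 0, 10)
	fmt.Println("valid at signing time:", tsp.Validate(tsp.Signer, doc, sig, signedAt))
	fmt.Println("after certificate expiry:", tsp.Validate(tsp.Signer, doc, sig, issued.AddDate(2, 0, 0)))
	tsp.Revoke(issued.AddDate(0, 0, 30))
	fmt.Println("time-stamped before revocation:", tsp.Validate(tsp.Signer, doc, sig, signedAt))
	fmt.Println("time-stamped after revocation:", tsp.Validate(tsp.Signer, doc, sig, issued.AddDate(0, 0, 60)))
}
```

The point of passing an explicit signing time rather than time.Now() is the one a qualified time stamp makes: the certificate's validity window and the provider's revocation list are both evaluated at the moment the signature is proven to have existed, so a later expiry or revocation does not retroactively invalidate it, while a signature that can only be dated after the revocation fails.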
One of the major intents of eIDAS was to facilitate both public and business services, especially those conducted between parties across EU member state borders. Such transactions can now be safely expedited by means of electronic signing and the services trust service providers supply to ensure the integrity of those signatures.
EU member states are required through eIDAS to establish "points of single contact" (PSCs) for trust services that ensure that electronic ID schemes can be used for cross-border public sector transactions, including the exchange of and access to healthcare information across borders.[2][8][9]
While an advanced electronic signature is legally binding under eIDAS, a qualified electronic signature created with a qualified certificate from a qualified trust service provider carries a higher probative value when used as evidence in court. Because the signature's authorship is considered non-repudiable, its authenticity cannot easily be challenged. EU member states are obligated to recognize qualified electronic signatures based on qualified certificates issued in other member states as valid. Under Article 25(2) of the eIDAS Regulation, a qualified electronic signature has the equivalent legal effect of a handwritten signature.[2][3][10]
The standards are evolving. Additional standards, including policy requirements for trust service providers, are under development by the European Telecommunications Standards Institute (ETSI).[11]
The Swiss digital signing standard ZertES has defined a comparable concept of certificate service providers. Certificate service providers need to be audited by conformity assessment bodies that have been appointed by the Schweizerische Akkreditierungsstelle.[12]
In the United States the NIST Digital Signature Standard (DSS) in its current release defines nothing comparable to a qualified trust service provider that would strengthen non-repudiation through the signatory's qualified certificate. However, the authors of the forthcoming revision and commentators have publicly discussed an amendment similar to the eIDAS and ZertES approach to trusted service provision.[13][14] Stringent, non-repudiable and legally relevant global transactions would require international harmonization.
Several research institutes and associations have expressed concern about the establishment of a small group of centralized trust service providers per country that authenticate digital transactions. They state that this construct may have a negative impact on privacy. Given the central role of trust service providers in many transactions, the Council of European Professional Informatics Societies (CEPIS) fears that trust service providers would gain and collect information on the distinguishing attributes of the citizens who are the subjects of authentication. Because providers are required to preserve data and can be expected to keep evidence against potential liability claims over inaccurate identification, CEPIS sees the risk that trust service providers could create and store log entries of all authentication processes. The information gained allows for monitoring and for the profiling of the citizens involved. If the transaction counterpart also identifies itself, user interests and communication behaviour will further sharpen the profiles obtained. Big data analysis would allow far-reaching insights into citizens' privacy and relationships. The direct connection to the qualifying governmental bodies could allow those bodies to gain access to the collected data and profiles.[15]
Another publication argues that, to take full advantage of secure and seamless cross-border electronic transactions, assurance levels, definitions and technical deployment need to be specified more precisely.[16]
In 2021, relatively vague proposed updates to eIDAS would require browsers to pass on assurances from TSPs to their users. This would apparently involve the incorporation of government-specified TSPs in parallel with the existing multi-stakeholder processes browsers use to establish trust in certificate authorities. The Internet Society and Mozilla identified a variety of problems with the proposals.[17][18]