Trustworthy PKI - the EU GDPR/eIDAS Game Changer
By Stephan Engberg on Onsdag, April 27 2022, 15:38 - Technology - Permalink
Trustworthy PKI enables Trustworthy Anonymity and Trustworthy Pseudonymity within standard PKI. With Trustworthy PKI a citizen can generate a new Qualified Signatures and sign with non-repudiation and accountability to a court without generating linkable personal data.
Details
Until recently, EU eIDAS and EU GDPR regulation have represented non-compability paradigms. GDPR is built on the principle of data minimization where as eIDAS makes all data inherently linkable and thus prevent data minimization. With Trustworthy PKI, citizen can create a signature, sign and pay without creating identified personal data or relying on a trusted party. But through creating an encrypted accountability proof, counter parties can get a proof with certification with a judge can decrypt to reveal the non-reputable link and thus enable accountability between action and root signatures issued to an identified citizen.
Upgrading PKI with Trustworthy PKI represent one of the most significant changes to security ever. Public Key Infrastructure based on asymmetric cryptography is in itself a remarkable achievement, but adding trustworthiness makes it compliance with fundamental rights and solve basic security problems such as Schrems II.
Trustworthy PKI operated within the exact same specifications and standards as PKI, e.g. ETSI PKI standardization providing the basic of EU eIDAS, but enables non-linkable Qualified Signatures without introducing new advanced technologies such as blinded cryptography. The difference is that certification keys are distributed to Qualified Signature Creation Devices and thus pseudonym Signatures can be created and certified in tamper-resistant space without depending on a trusted party.
Trustworthy PKI thereby eliminate the inherent conflict between human rights and anti-crime with a technological structure that is already standardized and regulated.
Since GDPR and anti-crime regulation is based on the principle of data minimization according to state-the-art (e.g. article 5.1-C, 25 and 32) and eIDAS build on GDPR, this principle will almost instantly turn into not an optional, but a mandatory requirement and basic Human Right.
Further it means that the identity infrastructure can become compliant with the eIDAS requirement of trustworthy services (e.g. article 24) as the Trust Services such as time-stamping, signing and archiving that would until recently create and thus collect identified personal, can now be upgraded to Trustworthy Services as required by eIDAS.
Trustworthy PKI also makes it possible to bring coherence to EU regulation and e.g. legalize EU Digital Wallet through upgrading to Trustworthy Anchors instead of Trusted Anchors. - thereby eliminating the inherent and thus illegal data retention structure the initially suggested framework would establish.