Trust Service Provider

A trust service provider (TSP) is a person or legal entity providing and preserving digital certificates to create and validate electronic signatures and to authenticate their signatories as well as websites in general. Trust service providers are qualified certificate authorities required in the European Union and in Switzerland in the context of regulated electronic signing procedures.


History

The term "trust service provider" was coined by the European Parliament and the European Council as an important and relevant authority providing non-repudiation to a regulated electronic signing procedure. It was first brought up in the Electronic Signatures Directive 1999/93/EC and was initially named "certification-service provider". The directive was repealed by the eIDAS Regulation, which became official on July 1, 2016. A regulation is a binding legislative act that all EU member states are required to follow.


Description

The trust service provider has the responsibility to assure the integrity of electronic identification for signatories and services through strong mechanisms for authentication, electronic signatures and digital certificates. eIDAS defines the standards for how trust service providers are to perform their services of authentication and non-repudiation. The regulation provides guidance to EU member states on how trust service providers shall be regulated and recognized.

A trust service is defined as an electronic service that entails one of three possible actions. First, it may concern the creation, the verification or the validation of electronic signatures, as well as time stamps or seals, electronically registered delivery services and certifications that are required with these services. The second action entails the creation, the verification as well as the validation of certificates that are used to authenticate websites. The third action is the preservation of these electronic signatures, the seals or the related certificates. To be elevated to the level of a qualified trust service, the service must meet the requirements set under the eIDAS Regulation. Trust services provide a trust framework that facilitates continued relations for electronic transactions that are conducted between participating EU member states and organizations.


Role of a qualified trust service provider

The qualified trust service provider plays an important role in the process of qualified electronic signing. The trust service providers must be given qualified status and permission from a supervisory government body to provide qualified digital certificates which can be used to create qualified electronic signatures. eIDAS requires the EU to maintain an EU Trust List that lists the providers and services that have received qualified status. A trust service provider is not entitled to provide qualified trust services if it is not on the EU Trust List. Trust service providers that are on the EU Trust List are required to follow the strict guidelines established under eIDAS. They need to provide valid time and date stamps when creating certificates. Signatures that have expired certificates need to be revoked immediately. The EU obliges the trust service providers to deliver appropriate training for all personnel employed by the trust service provider. They shall further provide tools such as software and hardware that are trustworthy and capable of preventing forgeries of the certificates that are produced.


Vision

One of the major intents of eIDAS was to facilitate both public and business services, especially those that are conducted between parties across EU member state borders. These transactions can now be safely expedited by means of electronic signing and the services that trust service providers offer to ensure the integrity of those signatures. EU member states are required through eIDAS to establish "points of single contact" (PSCs) for trust services that ensure that electronic ID schemes can be used for cross-border public sector transactions, including the exchange and access of healthcare information across borders.


Legal perspective of electronic signatures created by trust service providers

While an advanced electronic signature is legally binding under eIDAS, a qualified electronic signature which has been created by a qualified trust service provider carries a higher probative value when used as evidence in court. Because the signature's authorship is considered non-repudiable, the authenticity of the signature cannot be easily challenged. EU member states are obligated to accept as valid qualified electronic signatures that have been created with a qualified certificate from other member states. According to the eIDAS Regulation, i.e. Article 24 (2), a signature created with a qualified certificate has the same legal value as a handwritten signature in court. The standards are evolving. Additional standards, including policy definitions for trust service providers, are under development by the European Telecommunications Standards Institute (ETSI).


Global perspective

The Swiss digital signing standard ZertES has defined a comparable concept of certificate service providers. Certificate service providers need to be audited by conformity assessment bodies that have been appointed by the . In the United States, the NIST Digital Signature Standard (DSS) in its current release has nothing comparable to a qualified trust service provider that would make it possible to enhance non-repudiation through the signatory's qualified certificate. However, authors of the forthcoming review and commentators are publicly discussing an amendment similar to the eIDAS and ZertES approach of trusted service provision. To allow for stringent and non-repudiable global transactions and legal relevance, an international harmonization would be required.


Controversy

Several research institutes and associations expressed their concern with respect to the establishment of a small group of centralized trust service providers per country which authenticate digital transactions. They state that this construct may have a negative impact on privacy. Given the central role of trust service providers in many transactions, the Council of European Professional Informatics Societies (CEPIS) fears that trust service providers would gain and collect information on the distinguishing attributes of the citizens that are the subject of authentication. With regard to their requirement to preserve data and the resulting expected efforts to keep evidence for potential liability requests on inaccurate ID, CEPIS sees the risk that trust service providers could create and store log entries of all authentication processes. The information gained allows for monitoring and for the profiling of the involved citizens. If the transaction counterpart also identifies himself, user interests and their communication behaviour will additionally sharpen the profiles gained. Big data analysis would allow for far-reaching insights into the citizens' privacy and relationships. The direct connection to the qualifying governmental bodies could allow those bodies to gain access to the gained data and profiles.

Another publication claims that to truly take advantage of the secure and seamless cross-border electronic transactions, assurance levels, definitions and technical deployment need to be specified more precisely.

In 2021, relatively vague proposed updates to eIDAS would require browsers to pass on assurances from TSPs to their users. This would apparently involve the incorporation of government-specified TSPs in parallel with the existing multi-stakeholder processes used by browsers to establish trust in certificate authorities. The Internet Society and Mozilla asserted a variety of issues with the proposals.

In 2024, concerns were also raised about the fundamental security implications of entrusting private key custody to trust service providers, emphasizing that such delegation may undermine user autonomy by removing exclusive control over cryptographic keys.


See also

* eIDAS
* Certification service provider (CSP)

