Repudiation of PID
Type: Technical
Summary: Fulfilment legal Non-repudiation requirements
Version and Section: Version 1.3, Section Repudiation
Feedback / Questions
According to several laws, e.g. §§ 11 ff. GWG in banking, § 291 SGB V for the electronic health record, the OZG or VwVfG in e-government (Prinzip der Aktenmäßigkeit), § 172 TKG or Art. 24 para. 1 eIDAS 2.0, it is required to identify the people accessing a service or requesting a service and to make evident to third parties who identified themselves (i.e. to keep the identification information for burden-of-proof reasons). Similar requirements exist for Relying Parties in other industries according to HGB, AO, FDA, NIS2 or BGB, for liability cases, or to assert claims, etc.
- A QES is not sufficient, as a non-repudiable identification is fundamentally necessary just to get a qualified certificate from a QTSP in order to sign (Art. 24 eIDAS + ETSI TS 119 461), and the QTSP has to keep the identification information for liability reasons (Art. 13 ff. eIDAS, ETSI EN 319 401, ETSI EN 319 411/412).
- A QES only makes evident who signed a document, but not who submitted a document or an attestation, or who identified themselves for a certain service.
- A QES is only legally necessary in the case of a "handwritten signature" or for evidentiary value according to §§ 371a ff. ZPO, but the legal requirement for non-repudiable identification and for keeping the identity record exists independently of the requirement for a QES.
- Less usability if the user needs a QES for identification when a PID on a notified eID scheme is mandatory for the Wallet.
- It is a contradiction to recitals 7 and 10 of eIDAS 2.0 (version approved by the European Parliament).
Burden of proof is a valid reason for the collection of PII according to Art. 6 and 29 GDPR. Requirements on burden of proof: https://www.beuth.de/de/publikation/records-management-nach-iso-15489/270032872. Implementation with the German eID: https://www.personalausweisportal.de/SharedDocs/downloads/Webs/PA/DE/informationsmaterial/weiterefuehrendes-material/Leitfaden_Online_Ausweisfunktion_in_Behoerden.pdf?__blob=publicationFile&v=5
The aim of identification and the sense of an LoA is to clearly identify somebody; otherwise the PID on a notified eID Scheme is not necessary. If repudiation is required, no PID is needed and anonymous authentication is possible.
Should be changed to: "In cases where records need to be kept by law, or a long-living, non-repudiable declaration of intent is required to be verified by some third party, the PID data have to be submitted to the Relying Party. The Relying Party, however, has to make the specific requirements encountered by these use cases evident and provable to third parties and transparent for the holder."
The repudiation subject shall be proven by lawyers and experts on burden of proof. I offer my support as Chairman of the relevant DIN TC and German expert in the relevant ISO TC (TC 46 SC 11).