Step by Step - How to Become an identification service provider according to Section 21 b of the Act on Identity Cards and Electronic Identification
You are an identification service provider if your service consists of providing
- for a third party
- a case-specific identification service
- using the eID function of the identity card or the electronic residence permit (Section 2 (3a) of the Act on Identity Cards and Electronic Identification).
The decisive point is that the identification must relate to an individual case. Repeated identifications of one and the same client, as is the case, for example, with login or account management, are excluded.
Before you offer your service, you must apply for an authorization at the Authority Awarding Authorization Certificates (VfB) of the Federal Office of Administration.
Here you will learn about the steps you need to take to become an identification service provider. You can also obtain assistance from eID service providers for the entire process of integrating the eID function. These providers help you obtain the required certificates and, if necessary, provide you with the complete infrastructure.
1. Designing the service
You define which data from the identity card or the electronic residence permit are necessary for the electronic identification based on the requirements of your clients, such as first name, last name and date of birth. The list of data stored on the chip can be found in Section 18 (3) of the Act on Identity Cards and Electronic Identification.
2. Setting up your own eID server or choosing an eID service provider
You can either operate your own eID server or choose an eID service provider. This decision is relevant for the certification required by the Federal Office for Information Security (see step 4).
3. Connecting your service with the eID server
You can use either the eID interface or a SAML connection to link your service to the eID server; which of these is available depends on the eID server in question. Service providers should ask their eID service provider which technical procedures are used for the eID connection and which software support is provided for which platforms.
4. Certification
As an identification service provider, you must prove compliance with the requirements of Section 29 (2) of the Personalausweisverordnung (PAuswV) by means of a certificate issued by the Federal Office for Information Security (BSI). In concrete terms, this means that you must undergo certification in accordance with the BSI's Technical Guideline TR-03128-2 (available in German). In the course of this certification, a conformity test based on the requirements defined in TR-03128-2 is carried out by a neutral body. These conformity tests can be performed by "Certified ISO 27001 auditors for audits based on IT-Grundschutz (audit team leader)".
Since the certification according to TR-03128-2 covers the eID server, whether you operate it yourself or commission it, you should in the latter case coordinate the certification with your eID service provider at an early stage.
Important to know
You must have completed certification with the BSI before submitting your application to the VfB.
About the topic
- List of certified ISO 27001 auditors for audits based on IT-Grundschutz (audit team leader) (available in German)
- Website of the Certification Body of the Federal Office for Information Security (available in German)
5. Applying for an authorization
After successful completion of the certification according to TR-03128-2, you can apply for an authorization certificate at the VfB.
Pursuant to Section 21 (2) of the Act on Identity Cards you will be issued an authorization certificate if:
- you state and prove your identity as identification service provider to this authority,
- you briefly explain your organization's interest in using the eID function,
- you have successfully completed the certification process according to TR-03128-2 (see above) and present an appropriate certificate,
- compliance with corporate data protection is ensured, and
- the authority has no indications that data will be misused.
You submit your application for an authorization certificate to this issuing authority in writing. The forms of the VfB can be found in the download area on this page.
As soon as the VfB has issued the certificate, this information will be published in the list of all valid authorization certificates (available in German).
6. Choosing the provider of authorization certificates
Following a positive decision by the VfB, you choose an authorization certificate provider to obtain the technical authorization certificate and conclude a contract with this provider.
Your eID server or eID service provider must support the connection to the chosen authorization certificate provider, since new authorization certificates and revocation lists are regularly retrieved online.
7. Operating your service
You have to ensure that authentication with the eID function works with the application "AusweisApp2". Additional information on the mutual authentication procedure between service providers and users can be found under "The electronic identification technique".