Readers can use screen names but they know that they have given their details to us – that’s a real incentive to act in a reasonable way.
In other words, from now on, you can use the certificates of the Fábrica Nacional de Moneda y Timbre (FNMT, Spain’s National Mint) in Tractis without having to pay an extra cost for each validation.
With the coming into force of the eIDAS European Regulation, the FNMT is obliged to provide free validation of their certificates to the private sector. At Tractis we have decided to pass on these savings to our customers immediately.
A little bit of background
This change in pricing policy by the FNMT is an announcement of great significance in the history and evolution of electronic certification sector in Spain.
Those who know and follow us know that at Tractis we have been critical and belligerent with the FNMT marketing and pricing policy, as we thought it to be an aberration in the world of electronic certification. Tractis supports 33 Certification Authorities in 14 countries. All charge for issuing certificates but not for their use (validation). The FNMT was the only exception, doing just the opposite: issuing free certificates and, then, charging for their use by the private sector.
In our view, together with the difficulty in the use of the National Electronic ID (DNIe) and an accompanying lack of smart card readers, the mere existence of the FNMT and its pricing policies have been one of the main obstacles to the widespread adoption and use of electronic certification by the private sector in Spain.
The State against the State
In theory, Spain was excellently positioned to become one of the leading countries in the use electronic certificates. It had a large number of certification authorities, experts, projects and, ultimately, abundant know-how. Moreover, Spain was one of the first countries to issue an electronic ID on a massive scale among the general population: The National Electronic ID card (DNIe) issued by the Ministry of the Interior.
In practice, the FNMT, a public company under the Ministry of Finance and Public Administration, offered a competitor to DNIe, which was easier to use, as its software certificates did not require the use of a smart card reader.
How to shoot yourself in the foot
In theory, DNIe and FNMT certificates were different and not comparable products. The former allowed generating qualified electronic signatures of a universal nature, the most powerful available. The latter generated less powerful advanced electronic signatures and were valid only within the realm of Spain’s Treasury
In practice, given the difficult use of the DNIe and a paucity of readers, and given that the FNMT gave free validation of their certificates for the public sector, the Government went on extending the use of FNMT certificates beyond any advisable measure. FNMT certificates began to be used in situations outside the scope of the Treasury and in cases that should have been reserved for the DNIe (qualified signature).
Everybody’s business is nobody’s business
In practice both products competed for the same market. Notwithstanding this, neither DNIe nor FNMT certificates achieved success in the use of electronic certification by the private sector.
End users, unaware of the FNMT pricing policies, preferred FNMT certificates to DNIe in their dealings with public bodies, as they were less cumbersome (no reader required). From a users’ point of view, both could be used for virtually the same administrative procedures (widespread use of FNMT certificates for interactions with the Public Administration).
The private sector did neither go for the one -difficult to use DNIe- or the other -costly use of FNMT-.
The lost decade
Between theory and practice, time passed away.
Today, 10 years after the introduction of the DNIe and of FNMT pricing policy, and more than 50 million DNIe cards issued, use of the DNIe in the private sector is insignificant and that of FNMT certificates, very small.
DNIe awkward use, the lack of card readers and the FNMT pricing policy created a perfect storm whose result is truly a “lost decade” for the adoption of electronic certification by the private sector in Spain.
A gleam of hope or a train already gone?
The change in the FNMT pricing policy could be a second wind for FNMT certificates in the private sector and, perhaps, the final blow to the DNIe in this market. And this despite of the fact that the FNMT itself only made the change at the last moment and when forced to do so by a European Directive.
In a situation where FNMT certificates are used in practice outside of both the proper realm of the Treasury and that of advanced signatures, the free validation of FNMT certificates for the private sector reinforces the value proposition of the FNMT product, to the greater detriment of the DNIe.
It is also possible that this change comes too late. After 10 years, electronic certificates may have lost their chance for widespread use as a method of authentication and signing in the private sector in Spain in favor of alternative methods.
Over the last month we have completed the migration of the Tractis infrastructure to the cloud.
Until now, all services provided by Tractis run on our own machines at the Acens data processing center (DPC) in Barcelona. From now on, all Tractis services will be hosted on Amazon Web Services, the world leading provider of cloud computing services. The only exception to our migration to the cloud is the Tractis Time Stamping Authority (Tractis TSA), which will continue to run on our own Hardware Security Modules (HSM), now housed in one of Claranet data processing centers in Barcelona.
We expect a number of benefits from this migration, including: minimal latency times for end users, greater speed of service delivery, easier management, high availability across all Tractis infrastructure components, better disaster recovery and extreme scalability in storage and processing. All of this while Tractis keeps on providing our services in strict compliance with Spanish and European data protection legislation. Our European customers can be confident that Tractis uses exclusively Amazon Web Services DPCs located in the European Economic Space.
The complexity of the infrastructure to migrate, the large number of services provided, the customers in production and the legal implications, have made this move a non-trivial task. This migration is the culmination of several months of work, thoughtful planning and careful execution. However, it is just another step in our goal to evolve the Tractis services infrastructure from various monolithic applications to micro-services.
Throughout the summer we plan to make several releases aimed at larger corporations.
Following the launch of unified multi-account billing, this week we announce real-time support. As the name suggests, this new feature allows you to contact directly and in real time, with the technical and business staff assigned to your Tractis account. All communications are made using Slack and Slackline.io.
If you do not know about Slack yet, you not know what you are missing. A powerful instant messaging tool, extremely easy to use, that allows group chats, file sharing, advanced search and integration with more de 80 third party services. A month ago, Slack announced 1.1 million daily active users. No exaggeration to say that they have burst into the world of business communications.
One day we will write a post explaining how Slack has transformed the Tractis team daily work and increased our productivity. For now, suffice to say that it has become our communications hub, integrated with all our internal work tools (task management, CRM, helpdesk, file sharing, monitoring, alerts, log management, code repositories, etc.)
Slackline.io allows you to share channels among different Slack teams. Even if your company has its Slack team and Tractis its own, both can share a communication channel.
In other words, while technically Tractis and yours are two different companys, in practice, thanks to Slackline, you have access to the Tractis team with the same full set of features as the rest of your project teammates. Directly from your internal communication center and in real time. Actually, it is as if Tractis was another member of your team – which is just what we want to become.
Live support is available in Beta, for now, and only for customers with a Tractis Enterprise monthly subscription plan.
Slack in standard form, as we use it in Tractis, is free, with additional functionalities for paid plans. If you want to give it a try, use this link to create a Slack Account and get a free $100 credit (only until September 30, 2015). If you finally decide to hire a paid plan, Tractis will receive another $ 100 credit. With or without the referral program, we would recommend Slack without hesitation.
Slackline.io is a service created by Blanca Alvarez and Ernesto Jimenez, former negonator extraordinaire. Some of their clients are Bloomberg, Dow Jones, Harvard … and now Tractis. With or without the shared past of Tractis with the Slackline founding team, the possibility of becoming a member of your clients teams seems a most intriguing proposition, worth a try.
Throughout the summer we plan to make several launches aimed at large companies.
We start with consolidated multi-account billing, a new feature that lets you redirect spending from several Tractis accounts to just one.
Here’s an example. Suppose you work in a large company and want to use some Tractis electronic certification services (identity verifications, electronic signatures, time stamping, preservation of evidences, etc.) at different departments, divisions, products or companies in the group. On one hand, you want to group all spending on a single bill and, on the other hand, you want to maintain separate individual account management so that each account continues having its own configuration, administrators, users, gateway management and logo and colors customizations.
The consolidated multi-account billing allows you to achieve exactly that.
You just have to tell us the main account for redirecting spending (Master Account) and the accounts (Slave Accounts) you want to make use of the credit in the Master Account. We will make all the necessary settings for you to enjoy the advantages:
- Simpler: A single bill for multiple accounts.
- Better prices: By combining the spending from several accounts into one, you can achieve higher transaction volume discounts.
- Increased customization: Each account is still run independently (configuration, users, customization, etc.).
- Greater control: Only the Master Account Administrators have access to transaction and spending reporting from Slave accounts.
We believe that this new feature will prove extremely useful for large companies, central purchasing departments and software subsidiaries that provide services to multiple divisions, departments, products and companies in the group.
Consolidated multi-account billing is available only to Tractis clients under a monthly Enterprise subscription plan.
After the improvements in privacy control in your Public Profile, we launch the certification of identity attributes in your Tractis Public Profile.
When we say “identity attributes” we refer to the various pieces of information in your Tractis Public Profile. Name, surname, sex, age, nationality, telephone …they are all identity attributes, i.e., attributes that define your identity. Perhaps we could call them simply “personal data“. However, your Tractis profile contains both personal and professional data. We believe that “identity attributes” is a more precise designation.
From “alleged” to “certified” identity attributes
Until now, all the identity attributes in your Tractis profile data were “alleged” by you. A third party had no way of knowing whether the information revealed (alleged) by you was true or not. This ignorance can lead to distrust in electronic commerce scenarios and in some cases prevent the transaction from being finalized.
Starting today, you can certify your identity attributes, so that third parties (e.g., a prospective buyer) may be confident that the information in your profile is true.
Certified identity attributes supported
We have begun by supporting the certification of the following attributes:
- Personal information: Name, surname and ID Number (e.g.: Spanish DNI).
- Professional information: Mobile phone number.
Certification methods for identity attributes
The certification method depends on the identity attribute you want to certify. In the case of:
- Name, surname and ID number: Certification is carried out using electronic certificates. You can use any of the 81 certificates from 14 countries supported in Tractis.
- Mobile phone: The certification is done by sending an SMS PIN to the alleged mobile number. You can use any of the more than 990 mobile phone networks from more than 220 countries supported in Tractis.
Just visit your profile, click on the “Verifications” tab, select the attribute to certify, click “Certify” and follow the instructions.
Certification freshness and re-certification
The certification date of an identity attribute is important. A potential buyer may trust your mobile number if it has been certified within the last two weeks but wary if the certification was made more than 6 months ago (you might no longer have that mobile number). For this reason, beside each certified identity attribute, we indicate the “Freshness” of such certification, i.e., the date it was made and, therefore, the time passed since.
Should you, or a third party, consider it has been too long since the certification was carried out, you can re-certify an identity attribute. Just press “Re-certify“, complete the certification process and your identity attribute will be certified dated today.
Certification assurance Level
Not all certification methods provide the same assurance level. In other words, the method used for certification has an effect on the strength of the electronic evidence generated and their eventual use in court. Tractis assigns a “Tractis Score” (assurance level) to each certification method. You can see the Tractis Score assigned to each certification made simply by looking at the colour of the certification button. To summarize:
- Grey: Identity attribute not certified.
- Red: Tractis Score 0. Zero assurance level.
- Orange: Tractis Score 1. Minimum assurance level.
- Yellow: Tractis Score 2. Low assurance level.
- Blue: Tractis Score 3. Substantial assurance level.
- Green: Tractis Score 4. High assurance level.
For more information, simply move your mouse cursor over the certification button.
Beta and next steps
This feature is in Beta. For the duration of the Beta, certifying identity attributes is free, so it may be a good time to improve the “quality” of your Tractis Profile
We want to start taking small steps, to learn and sort out the problems and smooth off the rough edges that can arise during the certification process, to receive your suggestions and keep on expanding gradually the functionalities available and the number of identity attributes that you can certify in your Tractis Profile.
Comments are welcome.
Each Tractis user has a Public Profile. Here is mine.
As the name suggests, the Public Profile is visible for everybody, whether they have a Tractis account or not, whether they are logged in or not.
So far, the main function of the Public Profile has been to provide information about you and your activity to other Tractis users. Just click on the name of another user (on a template, a comment or a contract) to see their Public Profile. Since all the information in the Profile was public, users not wishing to share some personal detail, simply did not add it to their profile.
We have a number of ideas to make of your Tractis Profile a more powerful tool. Some have been in the oven for quite some time. In preparation for the launch of these new features, starting today you can control separately the privacy of each and every one of the details in your personal and professional information (name, photo, address, company, position, etc.). Simply select whether you want some data to be “Public” or “Private” in your Profile. For example, you can choose to share only your name, or your name, photo and all your professional contact details or any other combination. It’s up to you.
In other words, you can now fill out your complete Tractis Public Profile without the fear of sharing too much information. Simply choose what data you want to share and which not. By default all your data is private and it is made public only if you so decide.
We recently updated the “Tractis Identity Verifications Plugin for WordPress” to ensure proper operation with the latest version of WordPress (4.2.2.).
Once installed, this plugin provides users of your WordPress site the option to accredit their real identity by means of electronic certificates. Thus, making possible to know the real identity of the author of each comment.
From the user point of view, it works as follows:
- The user clicks on the identity verification button to start the verification process.
- Then, the user completes the identity verification process on the Tractis gateway.
- Next, the user makes a comment, which will appear accompanied by an identity verification banner.
- When other users click on the banner, they will be redirected to the identity verification test that will let them check the real identity of the author of the comment.
In this video you can see the entire process:
The plugin is completely free and all the verifications are made at no cost. The use of the plugin is subject to the Tractis Reasonable Use Policy.
Currently, the plugin supports 79 digital certificates from 33 Certification Authorities in 14 countries. If you use an electronic certificate that we do not yet support and would like us to include it, write us to email@example.com.
The plugin is available in the following languages: English, Spanish, Catalan and Italian. If you would like to help us translate it into other languages, write us to firstname.lastname@example.org.
You can find additional information in the plugin page in WordPress and in our help section. For any questions or comments, please, send an email to email@example.com and we will respond as soon as possible.
Which FNMT certificates does Tractis support?
Tractis provides full validation of all certificate profiles issued by the FNMT:
- Certificate of “Natural Person”.
- Certificate of “Legal Entity”.
- Certificate of “Public Administration” civil servant.
How much does it cost to use FNMT certificates in Tractis?
At the time of writing, Tractis provides full validation of 77 certificate profiles from 33 Certification Authorities in 14 countries. Under Prepay Fees the cost of using an electronic certificate in Tractis is:
- Authentication or using any certificate (except FNMT): € 0.00.
- Authentication using an FNMT certificate: € 0.36.
- Signature using any certificate (except FNMT): € 1.00.
- Signature using an FNMT certificate: € 1.36.
- Validation using any certificate (except FNMT): € 0.08.
- Validation using an FNMT certificate: € 0.44.
Why using FNMT certificates is more expensive than using other certificates?
Almost all Certification Authorities worldwide charge for issuing certificates but allow to validate them for free. However, the FNMT follows the opposite pattern: Issues certificates for free and then charges for validating them. Depending on who performs the validation:
- If the person performing the validation belongs in the public sector (e.g.: a Public Administration) the FNMT offers free validation.
- If the person doing the validation is from the private sector (e.g.: a company), the FNMT charges for each validation performed.
Since Tractis is a private corporation, the FNMT charges us for each validation made and we pass this cost on to our users.
- Tractis Verifications: The cost of € 0.36 per authentication using an FNMT certificate includes the € 0.00 Tractis Authentication Fee and the € 0.36 FNMT Validation Fee.
- Tractis Contracts: The cost of € 1.36 per signature using an FNMT certificate includes the € 1.00 Tractis Signature Fee and the € 0.36 FNMT Validation Fee.
- Tractis SVA: The cost of € 0.44 per validation using an FNMT certificate includes the € 0.08 Tractis Validation Fee and the € 0.36 FNMT Validation Fee.
Why has Tractis not offered FNMT support before?
Tractis started business in 2005 and has not offered support of FNMT certificates until today. The certificates issued by the FNMT are the ones most used in Spain, well above the Spanish electronic National Identity (“DNI electrónico” or “DNIe”) card issued by the Police General Directorate (“Dirección General de la Policía” or “DGP”). For example, of all electronic transactions with Public Administration bodies using electronic certificates in 2013:
- FNMT: 3.9 million certificates issued as of November 2014 and 99,31% of the transactions in 2013.
- DGP: 38 million electronic identity cards issued as of November 2014 and 0.7% of the transactions in 2013.
In other words, although there are almost 10 times more DNIe than FNMT certificates (38,000,000/3,900,000), in actual use FNMT wins by a landslide. The usage of FNMT certificates is 143 times larger than that of DNIe (10,104,585/70,528). Moreover, taking into account the difference in issued bases, the use per FNMT certificate is some 1,400 times that of a DNIe (9.7 x 143).
Since Tractis was born in Spain, it is legitimate to ask why it took us nine years to support FNMT certificates. Our response has changed over time:
Pre-2011: Resale forbidden
Until 2011, the FNMT not only charged private sector businesses for validation but also prohibited that third party multi-validators (e.g.: Tractis), willing to pay for the validations, could resell these to their final customers. The FNMT required instead that this third party (Tractis) submitted their clients to the FNMT so that FNMT could enter into a direct contract with the client, whereby that client had to pay a minimum of € 18,000 to the FNMT to begin to validate their certificates. Hardly acceptable conditions both for Tractis (prohibition of resale, need to give the client to the FNMT) and for potential clients (high cost).
Post-2011: High cost
In 2011 a complaint against the FNMT for these practices was lodged before Spain’s National Competition Commission (“Comisión Nacional de la Competencia” or “CNC”). The CNC mandated the FNMT to:
- Open up their validation services to third party multi-validators, and
- Offer different prices for wholesalers (third party multi-validators) and for the retail market (final clients).
|FNMT – Price range||Wholesale||Retail||Differential|
|Annual fee (includes 1,000 queries)||€ 5,100||€ 6,000||17.6 %|
|From 1,000 to 25,000 queries||€ 0.36||€ 0.40||11.1 %|
|From 25,000 to 50,000 queries||€ 0.23||€ 0.25||8.7 %|
|From 50,000 to 100,000 queries||€ 0.17||€ 0.21||23.5 %|
|From 100,000 to 250,000 queries||€ 0.15||€ 0.18||20.0%|
|From 250,000 to 1,000,000 queries||€ 0.13||€ 0.15||15.4 %|
|Over 1,000,000 queries||€ 0.12||€ 0.15||25.0 %|
In theory, the resale prohibition was gone. In practice, the cost of validation remained so high, even for the wholesale segment (€ 5.1 per validation for each one of the first 1,000 validations), that no client was willing to commit to this startup costs.
Why is Tractis supporting FNMT certificates now?
We found a client willing to take the annual fee required by FNMT.
Since the annual fee has been paid by the first customer, other Tractis customers can start enjoying FNMT support without having to pay annual fees to the FNMT, each separately and on their own.
Why is it better to get FNMT certificate validation from Tractis that directly with the FNMT?
Currently, Tractis is the only private sector oriented platform for identity verification and electronic signature, providing you with full FNMT certificate validation “out-of-the-box”, from the first minute, without the need for contracts, set-ups, annual fees or startup costs. Moreover, now that Tractis has become an FNMT wholesaler, contracting FNMT validation with Tractis lets you enjoy better economic terms than if you dealt directly with the FNMT:
- No annual fees: With Tractis you do not have to pay annual fees. If you contract directly with the FNMT, you must pay a fee of € 6,000 per year.
- Strict pay per use: With Tractis you do not have to buy a minimum number of validations per year. If you contract directly with the FNMT, you must purchase a minimum of 1,000 validations year, whether you use them or not.
- Better FNMT Rates today: Currently, in Tractis you pay € 0.36 for your first FNMT validation. If you contract directly with the FNMT, you will have to pay € 6 for every one of your first 1,000 validations.
- Better FNMT Rates tomorrow: For two reasons:
- Wholesale rates: At Tractis, we commit ourselves to apply, at all times, the FNMT wholesale market rates (our actual cost, without any markup) to the retail market. In other words, whatever your volume of FNMT validations, the price Tractis will give you will be always less than the price FNMT offers you directly.
- Cumulative total volume: Furthermore, Tractis prices will go down as our “total cumulative volume of FNMT validations for all Tractis clients” grows. In other words, you do not just get the Tractis wholesale price (not the FNMT retail price, see above), but also, when calculating the applicable FNMT Rate, we will consider the cumulative total volume reached by all Tractis customers (not just your individual volume). For example, if our cumulative total volume reached the upper price range (over 1 million queries per year), you would pay € 0.12 for your first FNMT validation, i.e., 3 times less than our current price, a 98 % discount on the FNMT starting price for the retail market (€ 6). If you deal directly with the FNMT, you will have to pay € 6 for every one of your first 1,000 validations.
We hope it was worth the wait.
The question isn’t who is going to let me; it’s who is going to stop me.
- Ayn Rand.
The question is not when’s he gonna stop, but who is gonna stop him.
- Vanishing Point (1971).