Authenticating to the UPC's CMS


Authenticating to the Case Management System of the UPC

French lawyers’ security tokens OK, but EPO smartcards NOK


This is a technical and informal note on questions relating to the authentication mechanism required for connecting to the UPC case management system (“CMS”). The CMS will be the interface between representatives of the parties and the Unified Patent Court (“UPC”) when the UPC goes live, probably during the first half of 2023.

Needless to say, if you can’t authenticate, you cannot act before the UPC…

I’m tasked with reporting on the CMS to the French chapter of the AIPPI (of which I’m a member). But this note is more specifically prompted by a relatively recent announcement (dated August 25, 2022) on the UPC website (https://www.unified-patent-court.org/news/case-management-system-new-authentication-and-electronic-signature). Namely, as of September 2022, it wouldn’t be possible to log in to the UPC case management system without an electronic identification certificate (compliant with EU Regulation No. 910/2014). While one week could be considered relatively short notice for such a change (at least in a live system), I think that this move is welcome, so long as the tool works fine.

If time allows, I’ll write a more detailed note to explain how “strong authentication” works internally, why it’s useful, and some caveats.

As of today, only 58 persons seem to have created a UPC CMS account and attempted to register as representatives before the UPC. Considering that the UPC CMS has been available for years and that there are 24 signatory States to the UPC agreement (excluding the UK), this might suggest that practitioners have not yet massively rushed to test the CMS and prepare for the launch of the UPC.


1) Background and history

I created my UPC CMS account almost 6 years ago (November 3rd, 2016).

The CMS still being a test environment, I’ve lost data on several occasions over the last few years. I didn’t really expect it, but I wasn’t surprised since the current CMS is only meant for playing around (I suppose that information was erased by the UPC IT team while updating the CMS at some point).

Since then, and up to the UPC announcement less than a month ago, I’ve always had to authenticate with a regular username and password.

I had heard that in the final CMS, username and password would be replaced by some form of cellphone-based authentication (you’d have received a code in an SMS or something like that).

I was a bit surprised, since from an IT security engineer standpoint this seemed to be an inferior solution, but many organizations don’t take security very seriously (despite what they claim) so this wouldn’t have been an exception.

I could write pages on why relying on a security token (as has now been decided) is much more secure, although dependent on users and firms using their security tokens properly (which is not always the case, sometimes with amazing "creativity"). I will keep this for another time and focus on what works and what doesn’t as of today – and try to explain the situation.


2) EPO Smart Cards

European patent attorneys, who have a scientific background, and who are more numerous than attorneys at law specializing in patent cases, seem to have been faster than the latter in testing the CMS.

I’ve read posts complaining about the CMS no longer being accessible with mere username and password, and EPO smart cards not being recognized.

I can still personally connect without any difficulty with my username and password (tested on September 7th and today, September 16th). I don’t understand why my account still works if it doesn’t for other people. This might have to do with the fact that it was created (long) before the change in authentication rules.

In any case, I wanted to check and see if I can also authenticate with my European patent attorney smartcard. As others have observed, this doesn’t work. I get the following error:

[Image: screenshot of the error message]

This is not surprising, considering that certificates issued by the EPO are for “internal” use, i.e. they are used by European patent attorneys to interact with the EPO, in a closed environment defined by the EPO (filing of patent applications, responses to office actions, etc.). This is not what the UPC expects. Accordingly, although my EPO smart card is recognized and read by the CMS, the certificate that is extracted from the EPO smart card is rejected as non-compliant with the new requirements of August 25th.


3) French lawyers’ security tokens

I also happen to be an attorney at law before the court of Paris. To communicate with French courts electronically, French lawyers use a security token (USB form factor). This is essentially the same as an EPO smartcard, except that the communication interface is USB instead of ISO 7816 (internally, the security tokens most likely embed a smartcard chip and some USB smartcard reader hardware).

However, a lawyer’s security token is used not only for communicating with courts but also for transacting with other parties. For example, I typically have my clients sign my engagement letters electronically and I sign my part with my security token (at least my electronic signature is then equivalent to a handwritten signature under French law). French lawyers can also sign certain contracts between third parties (meaning that the lawyer is not a party to the contract) with their security token to “notarize” them.

I suppose that this must be the reason why the lawyers’ security tokens had to comply with the EU regulation on electronic signatures, while the EPO smartcard could (so far) dispense with the requirement.

In any case, when I try to authenticate to the UPC CMS with my security token, it is accepted:

[Image: screenshot of the CMS accepting the security token]

Unfortunately, the CMS crashes afterwards. This is only mildly problematic in my case since (contrary to other persons, apparently) I can still log in with my username and password.

I assume that the “crash” (it loops forever without returning an error message) must be due to the fact that the UPC CMS has no way to link my French court certificate to my CMS account. The only reliable link would likely be the e-mail address included in the certificate. However, the e-mail address included in the certificate stored in my security token is not the same as the one I used to create my UPC CMS account. I guess that updating my e-mail address (in the UPC CMS) might address the issue. But I haven’t tested this yet since I don’t want to break anything and lose my access.


4) Screenshots for nerds like me

I went back to various screenshots of my CMS account over the past years to see if I could find anything relevant to the question of authentication. There was nothing worth mentioning, but I find it amusing to see the evolution (of course it has largely to do with the screen resolution and the browsers and OSes being updated).

November 3, 2016:

[Image: screenshot of the CMS account]

March 6, 2018:

[Image: screenshot of the CMS account]

December 6, 2021 (less than two months before we knew the UPC would actually come into existence):

[Image: screenshot of the CMS account]

And earlier today, September 16th 2022 (the menu is now horizontal):

[Image: screenshot of the CMS account, with the horizontal menu]



About Lukasz Wlodarczyk

Lawyer; bar admissions: Paris (France) and California.

Founder of INFIN IP, providing patent prosecution and patent litigation services, with a focus on IT security inventions (but dealing more generally with software, telecoms, electronics and mechanics).

French ingénieur (MSc in electronics, major in telecoms), CISSP certified.

19 years of experience with patents. Patent offices admissions:

EPO (2007)

USPTO (2010, not currently registered)

INPI (2009, currently acting as a French lawyer)


#CMS #CaseManagementSystem #UPC #UnifiedPatentCourt #EPO #smartcard #PKI #certificate #signature #authentication

So, having some smart card technology expertise can be useful in real life! (In some edge cases…) :-)

Emmanuelle Renard

French and European Patent Attorney, Founder - RENARD IP

2 years ago

Thanks Lukas. We hope to learn more during the EPI webinar of September 28!
