[Survey] Have you been able to access the UPC's Case Management System via strong authentication?

The IPKat falling asleep at the word
"authentication procedure"....

The Unified Patent Court has been a long time coming.
So long that one might have thought every possible niggle may have been resolved. But like many lawyers, it takes an impending deadline to identify issues that need to be solved.  One of these issues relates to the authentication procedure to access the UPC Case Management System (CMS). The CMS is important in these pre-launch days because companies will be using the system to lodge their opt-outs (i.e. opting their classical European Patents out of the UPC's jurisdiction). The UPC has brought in a strong authentication procedure for users to access the CMS, which requires two certificates - one for authentication to log in and one for electrotonically signing documents you want to upload.  The authentication certificate has to be stored on a physical security device (smart card or USB stick).  They are supposed to be able to be acquired by EU citizens and non-EU citizens (more on that below).  

The AmeriKat has received reports from those responsible for in-house patent portfolio management in the UK that they have not been able to obtain a physical security device to access the UPC CMS test site ever since the strong authentication requirements have been in place. UK outside counsel say they are still waiting for their dongles/security devices to arrive. The AmeriKat also hears that some German outside counsel are also not having joy. 

So far, the IPKat only knows of three companies who are able to provide working certificates for the UPC CMS - one in Italy, one in France and LuxTrust. For Italy and France it seems that one has to be a citizen of these countries. According to its website, LuxTrust says that they allow authentication by video conference (if accompanied by a notarized/legalized copy of your passport). However, it is not clear if that process is up and running yet. 

So for some folks encountering the system at the moment, there seems to be no practical solution.  The "test my authentication device" page on the UPC CMS website states that "the implementation of the strong authentication mechanism is currently evolving."  Merpel, as cynical as ever, thinks this is code for "not quite working yet".  

Thus the IPKat is asking you, dear readers, whether you have had success in accessing the UPC CMS via the strong authentication process? Please complete the survey below. If you have been able to access it, in the empty box please complete the name of the device/certificate provider and where you are from in brackets (e.g. Provider Name (Germany)).  For bonus points and extra purrs, post a comment below or email theipkat@gmail.com with the subject line "UPC CMS" with your experience. We will collate and share the responses and results of the survey in a post.  

[Survey] Have you been able to access the UPC's Case Management System via strong authentication? [Survey] Have you been able to access the UPC's Case Management System via strong authentication? Reviewed by Annsley Merelle Ward on Wednesday, November 23, 2022 Rating: 5


  1. The UPC's way of communicating with users is becoming very characteristics (put key information somewhere hidden on the website), but glad to learn that they are " We are reviewing the security policies in order to allow more certificates to be accepted by the CMS." On a related note, is anyone politically responsible / accountable for this issue? Do we know who is taking the decisions on this matter?

    1. Somewhere hidden, you say?

      “But the plans were on display…”
      “On display? I eventually had to go down to the cellar to find them.”
      “That’s the display department.”
      “With a flashlight.”
      “Ah, well, the lights had probably gone.”
      “So had the stairs.”
      “But look, you found the notice, didn’t you?”
      “Yes,” said Arthur, “yes I did. It was on display in the bottom of a locked filing cabinet stuck in a disused lavatory with a sign on the door saying ‘Beware of the Leopard.”

      Let's just hope that the architects of the UPC don't get the urge to write poetry as well.

  2. It seems to me that strong authentication has not yet been implemented, and that it is still possible to access the CMS with just a username and a password.

    When strong authentication is (finally!) implemented, it will require a link to be set up between a user and a particular smart card. The UPC has not yet explained how this can be done ... even though their own implementation roadmap indicates that the “Sunrise CMS practice” period is supposed to start this week. This is supposed to be when we can all have a play / practice with a CMS that has “the same functions as from the start of the Sunrise”.

    It is strange that the UPC has said literally nothing about the latest delay to implementing strong authentication. It was originally supposed to happen in September, but was then postponed to "before the end of October". I am a bit hazy about that latter deadline, as all mention of it has been erased from the UPC's website. Still, I am certain that it was due to happen weeks ago. Perhaps the results of your survey will illustrate precisely why it has not happened yet.

    1. Thank you Proof of the pudding - always helpful! Yes, I think that is what in-house counsel is experiencing. They expected this to be sorted weeks ago and even getting the kit needed to do so when it is ready has been a battle. There needs to be clearer communication as to what is happening and by when. Otherwise, they should be thinking about pushing the deadlines back.

    2. Pushing back the start of the sunrise period would be very welcome. However, it is looking extremely unlikely that the UPC will push it back by any reasonable length of time (which, in the circumstances should be no less than 3 months or so).

      Regarding the CMS, there is an active discussion board on CIPA's website (which requires a login to access):

    3. @Proof, there's a suggestion here that a possible delay of "2-3 weeks" might be under consideration (as apparently reported at the UPC Mock Trial in Paris earlier this week) but I've not seen or heard any independent confirmation of that:


      I also personally heard a rumour last week from a colleague in DE that Germany might delay ratification by a month or so, but he didn't say where he'd heard that and again this is only hearsay; I have seen nothing anywhere that corroborates it. Certainly that rumour seems to be at odds with the increasingly frequent pronouncements from the EPO and major players in the UPC that we are on track for a 1 April launch.

  3. Was told today by one supplier that the certificates they propose only work with Windows, and certain, older versions of macOS because they have to play catch up with Apple. The certificates only also work in the Firefox browser, and they conflict with the EPO smartcard certificates, so you have to remove these first before declaring the UPC compatible one.
    If by any stroke of misfortune you work in a Chromebook environment, or on a Linux/Unix workstation other than macOS v12 or v11, then you are pretty much stuffed.

    1. I doubt there is any conflict between different certificates. There may be conflicts between different middlewares (software required to use the smartcards) or card-reader drivers used by these middlewares. For instance, the EPO's middleware and LuxTrust's middleware have conflicting drivers. Since one only needs the EPO middleware to unlock the EPO smartcard, this is not a major issue. Also, the EPO plans to roll out a new authentication solution next years, which will replace the smart cards, so that problem is basically solved.

    2. The documentation provided by CertEurope for setting up the certificate in Firefox indicates that you have to unload any PKCS11 device that uses a Gemalto library prior to setting up and pointing to their own dynamic library and importing their certificate into the browser. CertEurope use the SafeNet authentication token management software produced by Thalès for managing system-wide integration of the cert into the OS.

  4. To be fair, the UPC has come very quickly since it was first mooted, so the technology folks need tome to catch up. The requirement to opt-out rather than opt-in says everythinq about those behind this vanity project.

  5. A really useful post - thank you for getting this out into the open. I tried to use a UK based supplier who had been assured that they were doing the right thing by the UPC, and have now found that their system is incompatible and they don't know when it might work. I have since tried Luxtrust and been through the online identification procedure but all has now gone silent. It seems that there are problems under the bonnet and this could delay the start of the Court if this is not sorted out soon.

  6. For those in France and Italy, it would be helpful to know which companies provide functional certificates. Could you name them please?

  7. As a concerned User:
    Even with a SmartCard from a Trust Service Provider in LU, which SmartCards is allowing a successful access to the input page of the CMS, and even with a signature that complies with the eIDAS Regulation from another Service Trust Provider from AT, there are currently still unsolvable problems:
    – No forms available, except those dated March 2022.
    – No updated FAQs on the UPC homepage.
    – IT UPC response time: more than 4 weeks, if any response at all.
    – No clear statements on the interpretation of Rule 4 RoP in relation to signature requirements (there are IP Service Providers offering an application to opt out for EUR 20.00 or EUR 50.00 per patent and saying that they will take care of the signature or that a qualified signature compliant to the eIDAS Regulation is not required).
    – No practicable information on an API for handling hundreds of applications to opt out.
    – Neither in DE nor in CH there is a Trust Service Provider offering a SmartCard being interoperable with the CMS of the UPC.
    The suspicion remains that the rules of fair competition regarding Trust Service Providers AND regarding IP Service Providers have not been respected.

    1. The lack of information on how electronic signing will be performed may be hiding the next nightmare for those wanting to file opt-outs.

      The RoP require e-signing, but say next to nothing about how that should be done. RoP 4 arguably implies that documents should be signed before they are uploaded to the CMS. The 11 November 2022 update from the UPC also indicates that a QCert for ESig can be used "to sign any documents “before” the upload in CMS".

      Nevertheless, in the absence of detailed information, it is hard to know what order of events (for upload / signing / submission) the CMS will actually demand. However, there is one, potentially nightmare scenario that relates to mandates from the patent proprietor(s). That is, if those documents need to be uploaded in PDF-A format (ie machine-readable format), then there is a chance that the signature(s) on those mandates will need to be eIDAS-compliant electronic signatures.

      How many patent proprietors will have to hand a QCert for ESig that they can add to an electronic document? Is this the next virtually impossible barrier that we may need to overcome in order to file a valid opt-out? I may be worrying about nothing here … but the problem is that the UPC has provided very little information on this point, with the consequence that it is now about 1 month to the start of the sunrise period and we still know next to nothing about the e-signing process.

    2. I think it’s clear from the CMS and the available information that documents need to be signed before submission. This is different from the EPO’s approach but certainly not unheard of. Some courts in EU countries use the same approach. For submitting via the API, this is the only alternative that makes sense. For batch opt-outs in large numbers you obviously need an electronic signing solution that allows you to sign multiple documents with a single PIN entry.

    3. The API is documented, even if not 100% accurate and complete. We have developed a tool which successfully does opt-outs towards the UPC. UPC IT is currently testing their CMS with selected large users, including test cases for massive opt-outs. The signature requirements are certainly confusing and annoying. Imagine a larger cooperation where an executive needs to sign PoAs (mandates). That means you need to roll out smartcards for QES beyond the patent department. Close to a nightmare.

  8. Thank you for this timely post @AmeriKat - this in-house IP Counsel is somewhat assured to see that 11% of respondents to your poll voted "yes" and am eager to hear which providers proved successful for them. We haven't dived in to try to obtain strong authentication yet and unlikely to until we're confident of the provider. On tenterhooks...

  9. It's ridiculous that they have chosen to base access on a system that is not readily and easily available/obtainable in every EU member state. There are many other technical solutions that could have been used...sadly doesn't bode well for the future if they can't get access right from the beginning.

  10. Surely this was discussed by those pushing the Unitary Patent through over the years? The big law firms that made the decision on behalf of the whole IP community that a unified patent was a great idea for business? The law firms that are already ahead of the game in business development activities as "experts in the UPC"?

    What about businesses with key patents that now risk being the subject of central attacks because the mechanics of this project are a s***show? More money for the founders of this project in helping these mugs navigate the process of putting the patents in the position they were in before the upc came into effect. More money to deal with the court actions with no standing because the patents were opted-out. Or believed to be opted-out.

    I manage a large portfolio of European patents and I will ensure I avoid the firms that engineered this mess, and we are educating our United States colleagues on those to blame also. If the traditional London and Munich firms believe they are going to do well out of this, think again.

  11. Upon reflection, it is obvious why we are all floundering around trying to figure out how the CMS will work in practice, and what steps we will need to take (including which hardware and software to have in place) in order to file valid opt-outs. The reason: there is no user's guide to the CMS!

    The CMS is a completely new system that works in new and often slightly surprising ways. It is therefore self-evident that the court responsible for designing the CMS has a responsibility to explain how that CMS functions, and to provide step-by-step guides for navigating each type of submission (including a description of the ways in which qualified electronic signatures can be added to documents in order to meet the UPC's requirements).

    I mean, we would be horrified if the EPO released completely new (and very different) online filing software, but then refused to explain either how that software works or the manner in which the EPO expected to receive documents via that software. But this is precisely what the UPC is doing, namely leaving it to us to figure everything out for ourselves.

    Oh, and the latest update from the UPC makes it clear that the IT Team will only be responding to questions that strictly relate to IT matters only. So any questions on either "non-technical" or legal matters will simply go unanswered!

  12. Here is my experience with the UPC authentication process:

    I applied for a LuxTrust card on November 14, 2022. My Identity was checked by video link on the same day (there was no need to provide a notarized/legalized copy of my passport, as suggested in the IPKat post above; all that needed to be done was to install a LuxTrust app on my mobile phone). The card arrived a few days later. The installation of the necessary software presented no problems. The card can be read with the same reader as my EPO Patent Attorney Card. The test on the UPC authentication test page worked immediately -- after the virus protection [Kaspersky] on my computer was temporally disabled -- could this be an issue that others have stumbled over?

    So for me, the experience was positive and hassle free.

    However, I, too, was disappointed that the UPC gave (and gives) no useful information on their website on any companies that actually provide working solutions. They only have a link to a very general EU list of service provides (“EU Trust Services Portal”), which is of no real help.

    Incidentally, I have a question in connection with opt-outs via the API and the electronic signature requirement (which has been alluded to in comments above). I am not sure this is the right place to ask it, but I will ask it anyway:

    When opt-outs are filed via the API, we still need to submit an application, i.e. a separate document that contains the actual “application to opt-out” pursuant to Rule 5 RoP and, crucially, identifies the applicants/proprietors in whose name the application is made.

    My question is: Does this document need to be electronically signed (or could it be a simple PDF without any electronic signature)? Rule 4 RoP says that “Written pleadings and other documents shall be signed and lodged at the Registry or relevant sub-registry in electronic form.” I see no reason why the opt-out applications if submitted via the API should be exempt from that rule. But the need for a signature would make the automatic opt-out process via API more complex.

    Arguably the user-specific API key to be used in the process could be seen to amount to an electronic signature, but this seems far from certain. As far as I can see, the Rules of Procedure contain no provisions that apply specifically to the opt-out via API and would support the theory that use of the API Key amounts to an electronic signature.

    Any comment or information that anyone may have on this issue would be much appreciated.

    1. @Claus, I would argue that RoP 4 applies to API opt-outs, as the applications to opt-out clearly are "other documents". The phrasing of RoP 4 is a bit funny as "Written pleadings and other documents" basically means the same as "all documents". But, I also heard rumors that some of the firms offering batch opt-outs argue that these would not need to be signed, I would be interested to understand the rationale.
      The API key cannot replace a qualified electronic signature, as the latter can be verified if you have access to the signed document and it can also be verified if the document has changed since the signature was applied. The API key is merely a user identifier, nothing more.
      In one of its earlier communications on the new authentication scheme, the UPC has made the general statement that "No other type of authentication nor signature will be recognized and accepted.". Of course, these communications are no legal basis, and I would be curious to know which body took the decision that qualified electronic signatures are required. After all, a simple text-string signature on applications to opt-out would have been much easier. Applying a qualified electronic signature to each application to opt-out makes the batch opt-out process increasingly more complex.

    2. Till, I agree that, in the absence of any specific provision applying to opt-outs filed via API, Rule 4 RoP can apparently only be interpreted to mean that the opt-out application documents submitted by this route must indeed be “signed in electronic form”. However, it could still be asked whether “signed in electronic form” necessarily requires a “qualified electronic signature”. (Rule 4 only says “signed ... in electronic form”.)

      Regarding the API key, I would observe that you get this only after you have had access to the CMS, which requires “strong authentication”. So I think it could be argued that the API key is “a substitute” for the authorization that gave you access to the CMS. But whether, in the eyes of the UPC, this then fulfills the “signed in electronic form” requirement can only be guessed.

      Also, I note that the sample JSON data included in the documentation of the opt-out API suggests that the opt-out application document could be a simple plain text file, which could obviously not contain a qualified electronic signature. Of course, this only reflects the idea of the IT development team that created the documentation and does not replace a definitive legal provision.

      Given the fact that, via the API, each case must be opted out separately, and further considering that the owner of a qualified electronic signature certificate is supposed to keep the PIN related thereto to themselves, if qualified electronic signatures were indeed needed for each opt-out application document, this would make the process significantly more burdensome.

      Thus, I think that official clarification on the electronic signature requirement for opt-outs via API is lacking and urgently needed.

  13. Very Nice Post......Thanks for Sharing This Useful Information......
    With ConnectvithMe you can create a virtual business card in minutes. Just enter your personal and professional details, contact information and more, and your card will be created instantly. You can then share it with the world via email, social media or even print it out to take with you on the go. Whether you're looking to make a good impression at a business meeting or simply want an easy way to keep your contact information handy, a virtual business card is the perfect solution. And best of all, there's no need to fumble around with a stack of paper cards - everything is stored securely online so you can access it anytime, anywhere.

    Digital Business Cards
    Virtual Business Card
    NFC Visiting Card
    Electronic Business Cards
    NFC Visiting Card

  14. The system is up and tested in a Gamma - Version by German users. It changes permanently and does not work with all browsers said to be working. i have been lucky to get a good help by d-trust, who helped me through the not self explainatory procedure to become an authenticated user and then to open CMS with Edge. No other browser worked. Today it is only Chrome that works satisfactorily. And I still get errors when trying to lodge documents ( I am working with a Mandate). I think it would be nice to send UPC an invoice for the work we have to make it work. We need a stable system and not a developing program. I checked this with other German European Patent ATtorneys - they are all very disappointed.


All comments must be moderated by a member of the IPKat team before they appear on the blog. Comments will not be allowed if the contravene the IPKat policy that readers' comments should not be obscene or defamatory; they should not consist of ad hominem attacks on members of the blog team or other comment-posters and they should make a constructive contribution to the discussion of the post on which they purport to comment.

It is also the IPKat policy that comments should not be made completely anonymously, and users should use a consistent name or pseudonym (which should not itself be defamatory or obscene, or that of another real person), either in the "identity" field, or at the beginning of the comment. Current practice is to, however, allow a limited number of comments that contravene this policy, provided that the comment has a high degree of relevance and the comment chain does not become too difficult to follow.

Learn more here: http://ipkitten.blogspot.com/p/want-to-complain.html

Powered by Blogger.