[UPDATE] Calls to push back UPC sunrise period as 89% have not been able to obtain/authenticate security devices needed to access Case Management System

Last week the AmeriKat posted a survey
on the IPKat to check how many people have been able to obtain a security device that is necessary to access the Unified Patent Court's (UPC's) Case Management System (CMS) via strong authentication.  This was triggered by in-house counsel flagging to the AmeriKat the struggle of getting their paws on security devices needed for authentication and to sign documents being uploaded to the CMS.  As previously explained, the CMS is important in these pre-launch days because companies will be using the system to lodge their opt-outs (i.e. opting their classical European Patents out of the UPC's jurisdiction) at the start of the sunrise period on 1 January 2023 (some 33 days away). The UPC has brought in a strong authentication procedure for users to access the CMS, which requires two certificates - one for authentication to log in and one for electronically signing documents you want to upload.  The authentication certificate has to be stored on a physical security device (smart card or USB stick).  

The survey has been running for almost a week and garnered several comments and emails on the topic.  Here is the break down (as of the date of the post):

  • There were 134 respondents to the IPKat survey.  
  • 89.6% of respondents (120) have not been able to access the UPC CMS via the strong authentication process.
  • 8.2% of respondents (11) have been able to access the UPC CMS via the strong authentication process.
  • 3 respondents entered additional information in the "other box" which is detailed below. 
  • There were 24 comments on the IPKat post (and more by email).  

Now on to the comments. The AmeriKat has separated these between procedural (obtaining a security device, mechanisms for access, providers, etc) and substantive (what this means for the sunrise period and general system).  The IPKat, being a cat, has not tested the below providers himself but is merely reporting the experiences of readers below.  Merpel is taking a nap.

Procedural Issues

Here are the procedural headlines:

  • LuxTrust experience:  Claus Beckmann applied for a LuxTrust card and installed a LuxTrust app on his mobile.  His identity was checked by video link the same day (with no need to provide a notarized/legalized copy of his passport).  The card arrived a few days later, software installed and the card was able to be read on the same reader as his EPO Patent Attorney Card.  The test on the UPC authentication test page worked immediately (after virus protection was temporarily disabled, which he flags may be a stumbling block others encountered).  Claus does have a question on e-signature requirements (which was a recurring theme in the e-mails and comments - see below).  Check out his question in the comments (@Claus Beckmann on 28 November at 11:47).
  • Mixed success so far with UK providers:  @bloombsuryboy commented that they tried to use a UK based supplier who "had been assured they were doing the right thing by the UPC and have now found that their system is incompatible and they don't know when it might work. I have since tried Luxtrust and been through the online identification procedure but all has now gone silent. It seems that there are problems under the bonnet and this could delay the start of the Court if this is not sorted out soon."  The AmeriKat received an email from DigiCert stating that they are one of the companies "that the UPC has advised as having a viable certification" and they are "in the process of beta testing with several patent law firms in the UK and have been able to successfully authenticate".  
  • Switzerland:  It was reported that there was no Trust Service Provider offering a SmartCard being interoperable with the CMS in Switzerland (@Anonymous at 25 Nov at 8:32). That commenter also had difficulty in Germany, but Claus's experience above shows that it is possible.
  • Italian provider:  For Italy, a commenter said that InfoCert was the vendor that has been providing functional certificates (@Anonymous on 26 November at 11:33). 
  • Belgian success:  A survey respondent who successfully obtained a security device said that they used a Belgian ID card with authentication certificate contained on the card and smart card reader. No identification of the provider yet.  If that was you, please let us know in the comments below!
  • Even with access to a security device, there are still problems:   One anonymous commenter (25 Nov at 8:32) said they obtained a SmartCard from a Trust Service Provider in Luxembourg which allowed for successful access to the input page of the CMS, including with a signature that complied with the eIDAS Regulation from another Service Trust Provider from Austria.  However, there were still unsolvable problems being, the commenter explained,:  (1) No clear statements on the interpretation of Rule 4 Rules of Procedure in relation to signature requirements (there are IP Service Providers offering an application to opt out for EUR 20 or EUR 50 per patent and saying that they will take care of the signature or that a qualified signature compliant to the eIDAS Regulation is not required); (2) No practical information on an application programming interface (API) for handling hundreds of applications to opt out; (3) The response time from IT UPC being more than 4 weeks (if any response at all); (4) No updated FAQs or forms.
  • Beware of your browser/middleware and new EPO authentication solutions:  One supplier (no name) said that certificates that they propose will only work with Windows, Firefox and certain older versions of macOS.  They also conflict with the EPO smartcard certificates, so those have to be removed before declaring the UPC compatible one.  Thus, the commenter wrote, if you work in a Chromebook environment or Linux/Unix workstation other than macOS v11 or  v12, you may not be able to get this to work (@SurprisedNotReally on 23 Nov at 18:26).  @Anonymous on 27 Nov at 17:56 stated that they doubted there were conflicts between different certificates but "there may be conflicts between different middlewares (software required to use the smartcards) or card-reader drivers used by these middlewares. For instance, the EPO's middleware and LuxTrust's middleware have conflicting drivers. Since one only needs the EPO middleware to unlock the EPO smartcard, this is not a major issue. Also, the EPO plans to roll out a new authentication solution next years, which will replace the smart cards, so that problem is basically solved." @SuprisedNotReally responded that:  "The documentation provided by CertEurope for setting up the certificate in Firefox indicates that you have to unload any PKCS11 device that uses a Gemalto library prior to setting up and pointing to their own dynamic library and importing their certificate into the browser. CertEurope use the SafeNet authentication token management software produced by Thalès for managing system-wide integration of the cert into the OS."  Merpel is still taking a nap.  

Substantive Issues

Here are the substantive headlines:

  • The UPC knows there are issues:  At the UPC Mock Trial held last Monday in Paris, Judge Klaus Grabinski (the UPC's Chief Judge) was reported as mentioning that the UPC is working on a "preferred supplier" list, as they were ware of the difficulties and that this list would be published as soon as possible. As of today, the AmeriKat has not seen such a list.  
  • Delay to the sunrise period is required:  There were reports that a suggested 2-3 week delay might be under consideration (as reported at the UPC Mock Trial in Paris last week).  But there has been no independent confirmation of that (see @Anonymous at 23 Nov 17:59).  However, what is clear from the comments received by the AmeriKat is that industry are welcoming (and some are demanding) a delay to the sunrise period in order to buy back the time needed to get to grips with CMS and iron out any technical issues before the sunrise period commences on 1 January 2023. With the majority of users responding to the IPKat survey having not been able to access the security devices and/or CMS to verify the security devices, the time between then (which is uncertain) and 1 January is only a matter of a few weeks.  The risk being that companies are sorting out these technical and procedural issues while the sunrise period's "opt out" countdown clock is running down.
  • Clearer communication and engagement needed:  From digesting all the comments over the last week, it is clear that the there is a significant need for urgent, updated, clear and frequent communication on the operation of the CMS, deadlines and interpretive questions for, e.g.,  over Rule 4 of the Rules of Procedure regarding signature requirements (which one commentator said "may be the hiding the next nightmare for those wanting to file opt-outs" and generated several questions, including in relation to e-signature requirements for opt-outs via API).  It would be useful if there was a User Guide to the CMS, FAQ and/or a video showing exactly how to lodge an opt out that is compliant with all of the procedural rules and requirements (and in what order) so that users do not get "undone" by issues that could be addressed now.  Even those who managed to get a security device and successfully test it on the CMS, supported this call for action (@Claus Beckmann on 28 Nov at 11:47).  As @Proof of the pudding on 27 Nov at 19:16 stated:
"The CMS is a completely new system that works in new and often slightly surprising ways. It is therefore self-evident that the court responsible for designing the CMS has a responsibility to explain how that CMS functions, and to provide step-by-step guides for navigating each type of submission (including a description of the ways in which qualified electronic signatures can be added to documents in order to meet the UPC's requirements).

The UPC's website was updated a few days ago to announce that the Sunrise Test Practice Period has commenced (as of yesterday) until 16 December.  However, the strong authentication is not going to be able to be tested until December 10.  So you have 6 days before the Sunrise Test Practice Period finishes to test strong authentication (assuming you have a security device and the authentication is working).  And then, 16 days later the sunrise period commences and the clock starts ticking on filing opt-outs.   So, to Merpel at least - who just woken up from her nap - it seems like a good idea that the sunrise period needs to be adjusted accordingly.  "Better to avoid the headlines of 'User outrage as IT meltdown hinders UPC on Day 1', when some additional time could resolve these issues", Merpel yawns before curling back to sleep. 

As always, post your experience, questions or concerns in the comments below or via e-mail at theipkat@gmail.com.  

[UPDATE] Calls to push back UPC sunrise period as 89% have not been able to obtain/authenticate security devices needed to access Case Management System [UPDATE]  Calls to push back UPC sunrise period as 89% have not been able to obtain/authenticate security devices needed to access Case Management System Reviewed by Annsley Merelle Ward on Tuesday, November 29, 2022 Rating: 5


  1. Super summary. Love the new word "electrotonically". Just need to work out where to use it. Likely, it will be used in my memoirs long before I have any idea how the UPC CMS works.

    1. Ha! Thank you - have corrected, but was tempted to leave it to add a new level of confusion to this saga.

    2. Ditto "virions of macOS"! Obviously written by a Windows user... ;-)

  2. From a talk given by a well-known individual that has been intimately involved with the UPC for many years, my understanding is that the UPC's judges will receive 2 weeks of intensive training on the new CMS. This is apparently required because of the complexities of the CMS and its unusual ways of operating.

    For attorneys that will need to use the CMS during the sunrise period, my understanding is that, as things currently stand, there are no plans to offer any kind of in-depth training whatsoever.

    The UPC is therefore taking steps to ensure that its well-remunerated judges are well looked after ... but those of us who want to look after our clients' interests by keeping their patents away from the court can all apparently go forth and multiply. Scandalous, simply scandalous.

    1. Would this by any chance have been in the context of a talk at one of this week’s life sciences conferences? I hear that the audience was not as reassured by his remarks on various aspects of the rules as he might have wanted.

      Purely by coincidence, I’m sure, his firm has published an article today saying that getting hold of the necessary authentication devices is quite simple and as far as they are concerned there is no need for any delay. As I said, a coincidence, I’m sure.

  3. In an interview on Kluwer Patent Blog the acting chair of the Administrative Committee of the EPO admitted that they were some problems with the CMS and the former London Section, but he was optimistic that the court will open its doors in April 2023 as planned. All problems would solved very soon!
    Self suggestion helps avoiding looking at the reality.

  4. Please be informed that epi has started a forum on this topic (see https://patentepi.org/en/epi/forum/335) where the experiences can be shared. It also includes a list of all the trusted suppliers (per country) and even some non-trusted suppliers and this list is filling with experiences provided by the European patent attorneys that have obtained smart cards or other tokens from these suppliers. So, when you have positive or negative experiences with one or more of teh providers, please also bring them to this forum.

    1. Concerned user
      The list published in the forum of epi (the forum is not public!) is interesting and might be helpfull. The list was sent to an epi-Member and shows clearly, that the UPC has no communication rules: This list must be published on the UPC-Website and may not distributed to indiviual persons (The concerned user is also an epi-Member).

  5. On the question re "Belgian success": I assume the certificate used was simply the one integrated by default in the Belgian eID. I wish I could test and confirm, but I have ran into another issue with the CMS: I created an account when the beta was initially released (yesteryear...). Lo and behold, I forgot my password. I have been trying for two days to reset the password with the "reset password link". But when I click the reset link e-mailed to my account by the system, the CMS informs me that the password reset link is "no longer valid". Have any other users (or should I say hopefuls?) had this issue?

    1. To my knowledge, the certificates (authentication certificate and qualified signature) on BE eID cards are issued by Certipost.

  6. We need a guide to the CMS, and I recommend it takes some hints from a previous well know guide book

    “The Hitchhiker's Guide has already supplanted the great Encyclopaedia Galactica as the standard repository of all knowledge and wisdom, for though it has many omissions . . . it scores over the older, more pedestrian work in two important respects. First, it is slightly cheaper; and secondly it has the words DON'T PANIC inscribed in large friendly letters on its cover.”

    1. "O freddled gruntbuggly / Thy micturitions are to me / As CMS gabbleblotchits of the UPC..."


  7. So quite a few folks (though not all) seem to have had success in receiving a smartcard from LuxTrust, BUT their middleware does not appear to be compatible with EITHER of the latest version of Windows (Windows 11) OR the latest version of macOS (version13/Ventura) according to the LuxTrust website. Has anyone managed to get it to work with either of these newer (more secure!) OS versions?

  8. I had thought that this was all down to the UPC requiring the newest and most secure authentication systems, but there is some suggestion on the epi forum that these physical smartcard tokens are viewed as obsolete by the providers. The system is outdated before it has even started!

    This is fast approaching the level of farce. Never mind a delay of a couple of months as suggested by Mr Mooney earlier this week: the whole thing needs to be deferred until the CMS is fully operational even that takes another year.

  9. Incredibly that you get a list of trustcenters, but nearly all of them does not work.
    Anyone has deeper information, why some are not working like missing key extension?


All comments must be moderated by a member of the IPKat team before they appear on the blog. Comments will not be allowed if the contravene the IPKat policy that readers' comments should not be obscene or defamatory; they should not consist of ad hominem attacks on members of the blog team or other comment-posters and they should make a constructive contribution to the discussion of the post on which they purport to comment.

It is also the IPKat policy that comments should not be made completely anonymously, and users should use a consistent name or pseudonym (which should not itself be defamatory or obscene, or that of another real person), either in the "identity" field, or at the beginning of the comment. Current practice is to, however, allow a limited number of comments that contravene this policy, provided that the comment has a high degree of relevance and the comment chain does not become too difficult to follow.

Learn more here: http://ipkitten.blogspot.com/p/want-to-complain.html

Powered by Blogger.