Swiss E-ID law compared to EU ARF1.0 proposal

[romanzoun]

Hey

Michel Sahli (@adn-misa) and me analyzed the Swiss E-ID law and the ARF1.0 proposal to find out what are the gaps and if ARF1.0 is compatible with the current Swiss E-ID Law draft.

We analyzed the E-ID law and visualized the requirements in a diagram currently only in German (Goal is summarization and it is in a draft state, so if you see some mistakes or you have some positive feedback do not hesitate to comment :) )

Then we went through ARF1.0 and evaluate compatibility.

Here the Visualization of the E-ID infrastructure by the E-ID law proposal

Here the comparison of the EU ARF 1.0 proposal and the Swiss E-ID law draft

Requirement	Swiss E-ID Law	EU ARF 1.0
Revocation	yes	yes
Security measures for wallet	Holder responsible	holder responsible, PID credential not exportable
Backup of all credentials	yes	only type 2 credentials
Revokation without revealing data or holder	yes	not defined
Verification	yes	yes but chosen standards (SD-JWT und mDL ) can't guarantee the correlation protection. If two verifier A and B share data, they could correlate it to one person. E.g. Holder shows first name to A and last name to B, hence, they can correlate this two attributes, this is not privacy by design.
Issuer should not know where holder verifies his data	yes	No definition for decoupling of PID and EAA in ARF 1.0. Issuer can put his public key to central service and monitor it. Issuer would know which verifier verifies which type of credential
selective disclosure	yes	yes
Not transferability of credentials to other holder (natural person)	yes	yes
Transferability of credentials to other holder (legal entity)	not defined (Government can decide)	not defined
Usage of wallet without the E-ID	"Usage of wallet without the E-ID: The Swiss E-ID Law does not explicitly define this, but implicitly it is meant that a wallet can be used as wallet for any credential without E-ID. E-ID is just one kind of a verifiable credential, with the particularity to have a "sort of key-binding". There is neither a usage restriction nor a state concept as ARF foresees for the wallet." [https://github.com//discussions/44#discussioncomment-5289207]	yes, but in operational state, not trusted state
Trust Registry is mandatory for verifier	no	yes, but not clearly defined for which types of credentials. Maybe this is the reason why "verifier" is named "relying party".

So, overall there are some incompatibilities by comparing the requirements of the current draft of Swiss E-ID and the current proposal for the EU-ID. Especially the privacy by design aspects and Backup which need to be defined in a different way.

Sure both sides will change in the future, but we wanted to make a comparison now and monitor the next versions of both.

What do you think about the incompatibilities and how to solve it?

[christianheimann]

Usage of wallet without the E-ID: The Swiss E-ID Law does not explicitly define this, but implicitly it is meant that a wallet can be used as wallet for any credential without E-ID. E-ID is just one kind of a verifiable credential, with the particularity to have a "sort of key-binding". There is neither a usage restriction nor a state concept as ARF foresees for the wallet.

[romanzoun]

Thank you for the statement, I added it to the table with reference to this comment 👍

[damienbod]

But the E-ID can only be used with the swiss wallet? Or can any eidas conform wallet have a swiss E-ID VC?

[christianheimann]

The proposed law leaves the choice of the wallet to the holder itself. The E-ID can be received/stored/presented by every wallet that implements the technical conventions/standards that will be defined. Currently this definition is more liberal than the eIDAS proposal/ARF.

Only to do the online verification process for the E-ID, the holder will be asked to use the federal wallet because the implementation of the verification workflow needs a hardened mobile application. But at the end of the process, the future holder will have the choice to define the desired target-wallet for the E-ID transmission.