for the EUDI Wallet ecosystem
+November 2023 +v1.0.0
+This is a working document that holds no legal value and does not +reflect any common agreement or position of the co-legislators. It +presents a state-of-play of ongoing work of the eIDAS Expert Group. This +document is being continuously updated and should not be considered +final.
+This document is the Person Identification Data (PID) Rule Book. It +contains requirements specific to the PID use case within the EUDI +Wallet. These requirements hold in addition to the requirements in the +Architecture Reference Framework (ARF), see [ARF]. Requirements in the +ARF hold for all use cases in the EUDI Wallet.
+This PID Rule Book contains the following topics:
+Further topics will be added if and when they are identified.
+This document uses the capitalized key words 'SHALL', 'SHOULD' and 'MAY' +as specified in [RFC 2119], i.e., to indicate requirements, +recommendations and options specified in this document.
+In addition, 'must' (non-capitalized) is used to indicate an external +constraint, i.e., a requirement that is not mandated by this document, +but, for instance, by an external document such as [ARF]. The word +'can' indicates a capability, whereas other words, such as 'will', and +'is' or 'are' are intended as statements of fact.
+This document uses the terminology specified in [ARF].
+This chapter describes the structure, type, data element identifiers and +logical organisation of the mandatory and optional attributes of the PID +attestation within the EUDI Wallet, as well as the PID metadata:
+Section 2.2 specifies the document type and namespace(s) for a PID + attestation:
+Section 2.2.1 specifies the PID document type, as well as the + EU-wide PID namespace within which the PID data elements defined + in this document are specified.
+Section 2.2.2 describes how Member States can specify national + attributes by defining a domestic PID namespace.
+Section 2.3 specifies the set of data elements covering the PID + attributes specified in [ARF].
+Section 2.4 similarly specifies the set of data elements covering + the PID metadata.
+Section 2.5 specifies two different encodings for these data + elements. The first encoding uses Concise Binary Object + Representation (CBOR) and complies with ISO/IEC 18013-5:2021 + [ISO18013-5]. The second encoding uses JSON and complies with + [SD-JWT] and [OpenID4VP].
+The concepts of document type and namespace, and the way in which they +are used, are specified in ISO/IEC 18013-5. These concepts are used in +the same way in OpenID for Verifiable Presentations [OpenID4VP].
+PID Providers SHALL use the document type "eu.europa.ec.eudi.pid.1" for +PID attestations. This value follows the recommendation in ISO/IEC +18013-5 to use the general format [Reverse Domain].[Domain Specific +Extension]. Since the European Commission controls the domain +ec.europa.eu, this document type value will not collide with any +document type potentially defined by other organisations. The version +number "1" in this document type MAY be used to distinguish between the +first version of the ISO-compliant PID attribute (defined in this +document) and any future version.
+Similarly, PID Providers SHALL use the value "eu.europa.ec.eudi.pid.1" +for the namespace of the first version of the PID attributes and PID +metadata specified in sections 2.3 and 2.41. This namespace clearly +indicates that any data elements defined within it are Person +Identification Data specified in the context of the EUDI Wallet. Again, +the version number "1" allows for future extension(s) or change(s) of +the PID data elements defined the next section.
+PID Providers SHALL use this document type and namespace for the ISO/IEC +18013-5 compliant data element encoding specified in section 2.5.2 and +for the SD-JWT-compliant encoding in section 2.5.3.
+ISO/IEC 18013-5 specifies a mechanism called domestic namespaces, +allowing PID Providers to issue such national attributes to an EUDI +Wallet. To do so, a PID Provider SHALL define a domestic PID namespace. +Within that namespace, the PID Provider is free to define any attribute +it needs, for example, a national social security number or taxpayer +identification number (TIN).
+If a PID Provider chooses to define a domestic namespace, it SHALL +append the applicable ISO 3166-1 alpha-2 country code or the ISO 3166-2 +region code, separated by a period, to the EU-wide PID namespace, +excluding the version number. The PID Provider MAY include a version +number in the domestic namespace.
+EXAMPLE: The first domestic PID namespace for Germany could be +"eu.europa.ec.eudi.pid.de.1".
+PID Providers SHALL use the same domestic namespace for both ISO/IEC +18013-5-compliant PIDs and SD-JWT-compliant PIDs, see section 2.5.
+A PID Provider that defines a domestic namespace SHALL publish the +namespace, including all data element identifiers, their definition, +presence and encoding format, on a website that is publicly available. A +central registry for such domestic namespace definitions MAY be +established in the future.
+Data elements corresponding to the PID attributes specified in [ARF] +are defined in Table 1 in section 2.3.2. Data elements corresponding to +the PID metadata specified in [ARF] are defined in Table 2 in section +2.4.1.
+Note that the metadata data elements defined in section 2.4.1 are +handled by PID Providers, PID Users and Relying Parties in exactly the +same way as the data elements corresponding to the PID attributes in +Table 1. There is no technical difference between these data elements. +The only reason to distinguish between PID attributes and PID metadata +is because the ARF makes this distinction.
+Table 1 and Table 2 contain the following information:
+The first column of both tables lists all PID attributes and PID + metadata (respectively) specified in section 5.1.1.1 of [ARF].
+For each of these attributes and metadata, the second column + specifies the identifiers of one or more corresponding data + elements. In case more than one data element is specified for a + single PID attribute or metadata, the reasons for this are explained + in the subsection referenced in the first column. The data element + identifiers in the second column SHALL be used in requests and + responses according to [ISO18013-5] or [OpenID4VP], as + applicable. There SHALL be at most one data element with the same + data element identifier in each PID attribute.
+++NOTE: Data element values MAY be multi-value. If so, this is clearly +indicated.
+
The third column describes the meaning of the data element.
+The fourth column specifies whether the presence of the element in a + PID attribute is mandatory (M), or optional (O).
+++NOTE: If Table 1 or Table 2 indicates a data element as mandatory, +this solely means that the PID Provider SHALL ensure that this element +is present in the PID. It does not imply that a Relying Party is +required to request such a data element when interacting with the +Wallet Instance. Neither does it imply that the PID User cannot refuse +to release a mandatory data element if requested.
+
The fifth column indicates how the data elements SHALL be encoded, + using the CDDL representation types defined in [RFC 8610]. Section + 2.5. specifies how these representation types SHALL be serialized + into CBOR and JSON data structures, respectively. Note the + following:
+tstr, uint, bstr, bool and tdate are CDDL representation types
+ defined in [RFC 8610].
All data elements having encoding format tstr SHALL have a
+ maximum length of 150 characters.
This document specifies full-date as full-date = #6.1004(tstr),
+ where tag 1004 is specified in [RFC 8943].
In accordance with [RFC 8949], section 3.4.1, a tdate data
+ element shall contain a date-time string as specified in [RFC
+ 3339]. In accordance with [RFC 8943], a full-date data
+ element shall contain a full-date string as specified in [RFC
+ 3339].
The following requirements SHALL apply to the representation of + dates in data elements, unless otherwise indicated:
+Fractions of seconds SHALL NOT be used;
+A local offset from UTC SHALL NOT be used; the time-offset + defined in [RFC 3339] SHALL be to "Z".
+| PID attribute in [ARF] | +Corresponding data element identifier(s) | +Definition | +Presence | +Encoding format | +
|---|---|---|---|---|
| Current Family Name | ++ | + | + | + |
| + | family_name |
+Current last name(s) or surname(s) of the PID User. | +M | +tstr |
+
| Current First Names | ++ | + | + | + |
| + | given_name |
+Current first name(s), including middle name(s), of the PID User. | +M | +tstr |
+
| Date of Birth | ++ | + | + | + |
| (See section 2.3.3) | ++ | + | + | + |
| + | + | + | + | + |
| + | birth_date |
+Day, month, and year on which the PID User was born. | +M | +full-date |
+
| + | age_over_18 |
+Attesting whether the PID User is currently an adult (true) or a minor (false). | +O | +bool |
+
| + | age_over_NN |
+Additional current age attestations, NN <> 18. | +O | +bool |
+
| + | age_in_years |
+The current age of the PID User in years. | +O | +uint |
+
| + | age_birth_year |
+The year when the PID User was born. | +O | +uint |
+
| Family Name at Birth | ++ | + | + | + |
| + | family_name_birth |
+Last name(s) or surname(s) of the PID User at the time of birth. | +O | +tstr |
+
| First Names at Birth | ++ | + | + | + |
| + | given_name_birth |
+First name(s), including middle name(s), of the PID User at the time of birth. | +O | +tstr |
+
| Current Family Name | ++ | + | + | + |
| + | family_name |
+Current last name(s) or surname(s) of the PID User. | +M | +tstr |
+
| Place of Birth | ++ | + | + | + |
| (See section 2.3.4) | ++ | + | + | + |
| + | + | + | + | + |
| + | birth_place |
+The country, state, and city where the PID User was born. | +O | +tstr |
+
| + | birth_country |
+The country where the PID User was born, as an Alpha-2 country code as specified in ISO 3166-1. | +O | +tstr |
+
| + | birth_state |
+The state, province, district, or local area where the PID User was born. | +O | +tstr |
+
| + | birth_city |
+The municipality, city, town, or village where the PID User was born. | +O | +tstr |
+
| Current Address | ++ | + | + | + |
| (See section 2.3.5) | ++ | + | + | + |
| + | resident_address |
+The full address of the place where the PID User currently resides and/or can be contacted (street name, house number, city etc.). | +O | +tstr |
+
| + | resident_country |
+The country where the PID User currently resides, as an Alpha-2 country code as specified in ISO 3166-1. | +O | +tstr |
+
| + | resident_state |
+The state, province, district, or local area where the PID User currently resides. | +O | +tstr |
+
| + | resident_city |
+The municipality, city, town, or village where the PID User currently resides. | +O | +tstr |
+
| + | resident_postal_code |
+Postal code of the place where the PID User currently resides. | +O | +tstr |
+
| + | resident_street |
+The name of the street where the PID User currently resides. | +O | +tstr |
+
| + | resident_house_number |
+The house number where the PID User currently resides, including any affix or suffix. | +O | +tstr |
+
| Gender | ++ | + | + | + |
| + | gender |
+PID User’s gender, using a value as defined in ISO/IEC 5218. | +O | +uint | +
| Nationality / Citizenship | ++ | + | + | + |
| (See section 2.3.6) | ++ | + | + | + |
| + | nationality |
+Alpha-2 country code as specified in ISO 3166-1, representing the nationality of the PID User. | +O | +Nationality, see section 2.3.6 | +
Table 1 PID attributes and corresponding data elements
+[ARF] specifies 'Date of Birth' as a mandatory data element in a PID +attribute. This document defines the following data elements related to +this PID attribute:
+birth_date (mandatory)age_birth_year (optional)age_in_years (optional)age_over_18 (optional)age_over_NN, NN \<> 18 (optional)Having multiple data elements instead of a single one allows having +different levels of granularity for requests and responses, and thus +allows issuers and Relying Parties to practice data minimization. For +example, in some use cases, a Relying Party only needs to establish that +the PID User is not a minor. In that case, requesting age_over_18 +suffices. Releasing more specific information, such as the PID User's +age in years or birth year, would then constitute an unnecessary +infringement of the User's privacy.
+This document specifies age_over_18 and other age_over_NN data +elements as optional data elements. PID Providers are free to add more +age_over_NN data elements.
+The requirements in clause 7.2.5 of ISO/IEC 18013-5 SHALL be applicable +for the age_over_18 and age_over_NN data element in the PID set. +This document affirms that issuing more (rather than fewer) +age_over_NN data elements in a PID is beneficial for the PID User's +privacy. Note that the usage of the age_over_NN data element is more +complicated than it may look at first sight. The examples in ISO/IEC +18013-5 Annex D.2.2 will help to understand how the age_over_NN data +element is to be used and interpreted.
+[ARF] specifies 'Place of Birth' as an optional data element in a PID +attribute. This document defines the following data elements related to +this PID attribute:
+Having multiple data elements instead of a single one allows having +different levels of granularity for requests and responses, and thus +allows issuers and Relying Parties to practice data minimization.
+[ARF] specifies 'Current Address' as an optional data element in the +PID set. This document defines a number of current address-related data +elements:
+Having multiple data elements instead of a single one allows different +levels of granularity for requests and responses, and thus allows +issuers and Relying Parties to practice data minimisation. For example, +in some contexts a RP must verify only that the PID User is a resident +of a certain country. Releasing more specific address information such +as state, city or postal code would then constitute an unnecessary +infringement of the User's privacy.
+Note that in most cases requesting a PID User's resident street and +house number will not make sense without simultaneously requesting at +least the resident city, as there will be many duplicate street names +and house numbers in a given country. These data elements have been +added primarily to assist in, for example, automated form filling.
+The ARF specifies 'Nationality / Citizenship' as a possible additional +optional data element in the PID set and notes that this is potentially +a multi-valued attribute, because a citizen can have more than one +nationality.
+This document defines a data element nationality taking as its value a +single Alpha-2 country code. This implies that any additional +nationality of the PID User must be added by the respective Member State +as a domestic data element, see section 2.2.2. This possibility is also +recognized in [ARF].
+Section 5.1.1 of [ARF] says: "Metadata associated with the PID may +additionally detail the date of issuance and/or expiration, the issuing +authority and/or Member State, information necessary to perform holder +binding and/or proof of possession, the information or location of the +services that can be used to enquire about the validity status of and +potentially more information."
+The first column of Table 2 contains all the PID metadata identified in +the quote above. The meaning of the remaining columns is explained in +section 2.3.1.
+| PID metadata in [ARF] | +ISO-compliant data element identifier | +Definition | +Presence | +Encoding format | +
|---|---|---|---|---|
| Date of issuance | ++ | + | + | + |
| + | issuance_date | +Date (and possibly time) when the PID was issued. | +M | +tdate or full-date | +
| Date of expiration | ++ | + | + | + |
| + | expiry_date | +Date (and possibly time) when the PID will expire. | +M | +tdate or full-date | +
| Issuing authority | ++ | + | + | + |
| + | issuing_authority | +Name of the administrative authority that has issued this PID instance, or the ISO 3166 Alpha-2 country code of the respective Member State if there is no separate authority authorized to issue PIDs. | +M | +tstr | +
| + | document_number | +A number for the PID, assigned by the PID Provider. | +O | +tstr | +
| + | administrative_number | +A number assigned by the PID Provider for audit control or other purposes. | +O | +tstr | +
| Member State | ++ | + | + | + |
| + | issuing_country | +Alpha-2 country code, as defined in ISO 3166-1, of the PID Provider’s country or territory. | +M | +tstr | +
| + | issuing_jurisdiction | +Country subdivision code of the jurisdiction that issued the PID, as defined in ISO 3166-2:2020, Clause 8. The first part of the code SHALL be the same as the value for issuing_country. | +O | +tstr | +
| Validity status location information | ++ | To be decided | ++ | + |
Table 2 PID metadata and corresponding data elements
+++NOTE: PID revocation will be further detailed in a future version of +ARF. Probably validity status information will not be included in the +PID metadata, but rather in the cryptographic proof structures, i.e., +the MSO for ISO-compliant PIDSs and the SD-JWT for SD-JWT-compliant +PIDs.
+
Requirement 6 in section 5.1.2 of the ARF specifies that PID attestation +must be issued in accordance with both the data model specified in +ISO/IEC 18013-5:2021 [ISO18013-5] and the W3C Verifiable Credentials +Data Model 1.1. Requirements 7 and 8 make clear that for the latter +encoding, Selective Disclosure JSON Web Tokens (SD-JWT), as specified in +[SD-JWT], must be used, and that consequently, data elements must be +encoded in JSON. For the former, data elements must be encoded in CBOR.
+This section therefore specifies two separate encodings for the PID data +model, an ISO/IEC 18013-5-compliant encoding in CBOR, and a +SD-JWT-compliant encoding in JSON.
+If data elements specified in in Table 1 or Table 2 are encoded with +CBOR, they SHALL be encoded as specified in [RFC 8949].
+The CDDL representation types used in Table 1 and Table 2 are specified +in section 2.3.1. Rules to encode CDDL representation types with CBOR +are specified [RFC 8610] and [RFC 8949].
+The value of all data elements (both PID attributes and PID metadata) +SHALL be valid at the value of the timestamp in the validFrom element in +the MSO from ISO/IEC 18013-5 clause 9.1.2.46.
+++NOTE: The value of the age_over_18, age_over_NN and age_in_years +data elements, if present, changes whenever the PID User has a +birthday. The value of many other data elements will also change over +time. It is up to the PID Provider to ensure that the above +requirement is complied with. This document does not require that an +issuer issues a new PID as soon as it becomes aware of a change in the +PID User's data.
+
The issue_date data element (Table 2) SHALL NOT be later than the +validFrom element in the MSO, as defined in clause 9.1.2.4 of ISO/IEC +18013-5.
+If the Relying Party retrieved the issuing_country data element (Table +2), it SHALL verify that the value of that element matches the +countryName element in the Subject field within the Document Signer +certificate; see ISO/IEC 18013-5 Annex B.
+If the Relying Party retrieved the issuing_jurisdiction data element +(Table 2), it SHALL verify that the value of that element matches the +stateOrProvinceName element, if it is present in the Subject field +within the Document Signer certificate; see ISO/IEC 18013-5 Annex B.
+Data elements in Table 1 and Table 2 SHALL be released only as Issuer +Signed Items, as specified in [ISO/IEC 18013-5]. This means that these +data elements SHALL be signed by the PID Provider, not by the Wallet +Instance.
+At the discretion of the PID Provider, domestic data elements (see +section 2.2.2) MAY be signed either by the PID Provider or by the Wallet +Instance.
+If data elements are encoded with JSON, they SHALL be encoded as +specified in [RFC 8259].
+The CDDL representation types used in Table 1 and Table 2 are specified +in section 2.3.1. Rules to encode CDDL representation types with JSON +are specified in [RFC 8949] section 6.1 Given the CDDL representation +types used in the current version of this document, the following rules +are relevant:
+Although not used in the current version of this document, the following +CDDL representation types are frequently used in general, and hence +rules to encode them with JSON may become relevant in future versions:
+If other CDDL representation types will be used in future versions of +this document, the corresponding rules for encoding them with JSON will +be added here.
+Data elements in Table 1 and Table 2 SHALL be released only in a VP +Token, as specified in [OpenID4VP]. This means that these data +elements SHALL be signed by the PID Provider, not by the Wallet +Instance.
+At the discretion of the PID Provider, domestic data elements (see +section 2.2.2) MAY be released in either a VP Token or an ID Token.
+++NOTE: the information in this chapter does not pertain to the PID +directly. It will be included in a separate Wallet Attestation +Rulebook, to be detailed in a future version of ARF.
+
The Trust Model [TrustModel] introduces the concept of a Wallet +Instance Attestation issued by the Wallet Provider for each Wallet +Instance.
+Like any other attestation, a Wallet Instance Attestation needs a +document type and a namespace. The document type +"eu.europa.ec.eudi.wallet-instance.1" SHALL be used for this purpose, +and the namespace "eu.europa.ec.eudi.wallet-instance.1" SHALL be used to +identify data elements in this Wallet Instance Attestation.
+Please note that there currently is no specification of a Wallet +Instance Attestation and the attributes in it, either within the context +of the EUDI Wallet or in an international standard or specification. +Once this is available, a corresponding data model will be added in this +section, comparable to the one for the PID in chapter 2.
+To trust a signature over a PID attestation, the RP needs a mechanism to +validate that the public key it uses to verify that signature is +trusted. Both ISO/IEC 18013-5 and OpenID4VP provide such mechanisms. +However, in both cases, additional details need to be specified to fully +specify these mechanisms for PID attestations within the EUDI Wallet +ecosystem.
+ISO/IEC 18013-5 specifies an X.509-based PKI for the purpose of trusting +public keys. This PKI has multiple roots; there is an independent +(self-signed) root certificate for every issuer. Annex B of the standard +specifies the formats of the X.509 certificates for all participants in +the ecosystem.
+These certificate formats are mDL-specific, but only because they use +the following Object Identifier (OID): id-mdl OBJECT IDENTIFIER ::= { +iso(1) standard(0) 18013 5 }8, as well as a number of child OIDs +('arcs') of this OID, see Annex B.1.1 of ISO/IEC 18013-5. All other +aspects of these certificate profiles can be used for any type of mobile +document complying with the security mechanisms defined in ISO/IEC +18013-5, including a PID attestation within the EUDI Wallet ecosystem.
+To make the certificate profiles applicable for PIDs in ISO/IEC +18013-5-compliant EUDI Wallets, this document specifies the following +OIDs (in ASN.1 notation):
+- -- arc for EUDI Wallets
+- - arc for ISO/IEC 18013-5-compliant EUDI Wallets9
+id-eudi-iso-pid OBJECT IDENTIFIER ::= {id-eudi-iso 0} -- arc for PID + attributes within ISO-compliant EUDI Wallets
+id-eudi-iso-pid-kp OBJECT IDENTIFIER ::= {id- eudi-iso-pid 1}
+- - arc for extended key purposes within certificates used for PID +attributes within ISO-compliant EUDI Wallets
+- - arc for document signer certificates, used by PID Providers
+- - arc for mdoc reader authentication certificates, used by Relying +Parties requesting PIDs10
+- - arc for IACA Link certificates, used by PID Providers
+-- - arc for IACA Root certificates, used by PID Providers
+These OIDs SHALL be used in certificates used for PID attributes within +the ISO-compliant EUDI Wallet ecosystem, in exactly the same way as the +corresponding OIDs specified in ISO/IEC 18103-5 are used within the +mobile driving license ecosystem.
+Notes:
+The numbers for the various extended key purposes are taken from + ISO/IEC 18013-5.
+These new OIDs will have to be officially registered.
+The OID european-commission is already registered: + european-commission ::= {iso(1) identified-organization(3) + european-commission(130)}. The respective Registration Authority for + this OID will have to be consulted to get approval for the proposed + addition of an arc for the EUDI Wallet.
+Section 4.2.2. of [TrustModel] describes the concept of a trusted list +of Issuers. This document specifies that for PID attestations, such a +trusted list SHALL be used. Relying Parties SHALL only trust PID issuers +that are included in a trusted list of PID Providers. Additionally, +there SHALL be only a single trusted list of PID Providers, which SHALL +be generated and maintained by a yet-to-be-determined party. This list +SHALL also contain the (root) certificate(s) of each PID Provider.
+Regarding the format of this trusted list, the format specified ETSI TS +119 612 v2.1.1 SHALL be used.
+++NOTE: Details on the trust infrastructure for SD-JWT and +OpenID4VP-compliant PIDs will be detailed in a future version of ARF.
+
| + | + |
|---|---|
| [ARF] | +The Common Union Toolbox for a Coordinated Approach Towards a European Digital Identity Framework – The European Digital Identity Wallet Architecture and Reference Framework, November 2023, Version 1.2.0 | +
| [ISO18013-5] | +ISO/IEC 18013-5, Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application, First edition, 2021-09 | +
| [SD-JWT] | +Selective Disclosure for JWTs (SD-JWT) | +
| + | draft-ietf-oauth-selective-disclosure-jwt-04, 11 April 2023 [1] | +
| + | Retrievable from https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/ | +
| [OpenID4VP] | +OpenID for Verifiable Presentations – draft 18, 21 April 2023 [2] | +
| + | Retrievable from https://openid.net/specs/openid-4-verifiable-presentations-1_0.html | +
| [2015/1505] | +COMMISSION IMPLEMENTING DECISION (EU) 2015/1505 | +
| + | of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market | +
| [RFC 2119] | +RFC 2119 - Key words for use in RFCs to Indicate Requirement LevelsS. Bradner, March 1997 | +
| [RFC 3339] | +RFC 3339 - Date and Time on the Internet: Timestamps, G. Klyne et al., July 2002 | +
| [RFC 8259] | +RFC 8259 - The JavaScript Object Notation (JSON) Data Interchange Format, T. Bray, Ed., December 2017 | +
| [RFC 8610] | +RFC 8610 - Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures, H. Birkholz et al., June 2019 | +
| [RFC 8943] | +RFC 8943 -Concise Binary Object Representation (CBOR) Tags for Date, M. Jones et al., November 2020 | +
| [RFC 8949] | +RFC 8949 - Concise Binary Object Representation (CBOR), C. Bormann et al., December 2020 | +
| [TrustModel] | +Trust Model for the EUDI Wallet Ecosystem – generic for all use cases, version 0.8.1, 2023-05-25 | +
Note that the document type and namespace have the same value. +This is allowed according to ISO/IEC 18013-5. ↩
+Please note that the current specification does not yet foresee a +solution for the situation when the date of birth of the User is +incomplete or unknown. Work is ongoing to find a solution to this +scenario, in alignment with current implementation of eIDAS nodes. ↩
+See footnote 2. ↩
+Please note that the current specification does not yet foresee a +solution for the situation when the date of birth of the User is +incomplete or unknown. Work is ongoing to find a solution to this +scenario, in alignment with current implementation of eIDAS nodes. ↩
+See footnote 2. ↩
+As explained in [TrustModel], server retrieval, as specified in +ISO/IEC 18013-5, SHALL NOT be used for EUDI Wallets. ↩
+Note that JSON requires escaping certain characters ( ): quotation +mark (U+0022), reverse solidus (U+005C), and the \"C0 control +characters\" (U+0000 through U+001F). All other characters are +copied unchanged into the JSON UTF-8 string. ↩
+Note that this notation is incorrect. The http://oid-info.com/ +website officially registers this OID as {iso(1) standard(0) +driving-licence(18013) part-5(5)}. This does not impact the value of +the OID. ↩
+The presence of this arc allows SD-JWT-compliant implementations +of the EUDI Wallet to have their own arc 'next' to this one, if +necessary. ↩
+Note that the use of this PID-specific OID implies that an mdoc +reader authentication certificate containing this OID cannot be used +to perform Relying Party authentication for any other type of +attestation within the EUDI Wallet. This is by design, as it seems +good for security to separate reader authentication per attestation +type. However, decisions regarding Relying Party authentication will +be detailed in a future version of ARF. ↩
+The exact version to be referenced is to be determined. [ARF] +references v0.2 of 30 December 2022. v0.4 is the latest version +available at the time of writing of this document. The level of +interoperability between these versions is not known. As [SD-JWT] +is still under development, presumably later versions will become +available over time. ↩
+The exact version to be referenced is to be determined. [ARF] +references v0.14 of 30 December 2022. Draft 18 is the latest version +available at the time of writing of this document. The level of +interoperability between these versions is not known. As +[OpenID4VP] is still under development, presumably later versions +will become available over time. ↩
+The exact version to be referenced is to be determined. [ARF] +references v0.2 of 30 December 2022. v0.4 is the latest version +available at the time of writing of this document. The level of +interoperability between these versions is not known. As [SD-JWT] +is still under development, presumably later versions will become +available over time. ↩
+The exact version to be referenced is to be determined. [ARF] +references v0.14 of 30 December 2022. Draft 18 is the latest version +available at the time of writing of this document. The level of +interoperability between these versions is not known. As +[OpenID4VP] is still under development, presumably later versions +will become available over time. ↩
+for the EUDI Wallet ecosystem
+November 2023 +v1.0.0
+This is a working document that holds no legal value and does not +reflect any common agreement or position of the co-legislators. It +presents a state-of-play of ongoing work of the eIDAS Expert Group. This +document is being continuously updated and should not be considered +final.
+This document is the mobile driving license (mDL) Rule Book. It contains +requirements specific to the mDL use case within the EUDI Wallet. These +requirements hold in addition to the requirements in the Architecture +Reference Framework (ARF), see [ARF]. Requirements in the ARF hold for +all use cases in the EUDI Wallel.
+This mDL Rule Book contains the following topics:
+Chapter 0 specifies the mDL attribute schema. This describes the + structure, the type, the entity identifiers, and the logical + organisation of the mandatory and optional attributes of the mDL. It + also describes how Member States can specify any possible national + attributes.
+Chapter 3 specifies details about the trust infrastructure necessary + for mDL attestations. This information may be moved to another + document in the future.
+Further topics will be added if and when they are identified.
+This document describes the structure, type, data element identifiers, +and logical organisation of the mandatory and optional attributes of the +mobile driving license (mDL) attestation within the EUDI Wallet. It also +describes how Member States can specify any possible national +attributes.
+Requirement 7 in section 5.2.1 of the ARF specifies that (Q)EAAs must be +issued in accordance with one of the data models specified in ISO/IEC +18013-5:2021 or in the W3C Verifiable Credentials Data Model 1.1. +Requirements 8 and 10 make clear that for the latter encoding, Selective +Disclosure JSON Web Tokens (SD-JWT) must be used, and that consequently, +data elements must be encoded in JSON. For the former, data elements +must be encoded in CBOR.
+However, mobile driving licenses are legally specified in the proposed +EC Regulation 2023_127 (4^th^ Driving License Regulation). This +Regulation specifies that mDLs shall comply with the ISO/IEC 18013-5 +standard. It does not mention any other standards, in particular not +[SD JWT]. Consequently, mDLs issued to a EUDI Wallet instance shall +not be implemented as [SD JWT]-compliant document. This document +therefore specified only an ISO/IEC 18013-5 compliant encoding.
+A data model for ISO/IEC 18013-5-encoded mDLs is fully specified in +ISO/IEC 18013-5. No changes need to be made to this data model for an +mDL attestation within the EUDI Wallet.
+To trust a signature over an mDL attestation, the RP needs a mechanism +to validate that the public key it uses to verify that signature is +trusted. ISO/IEC 18013-5 provides such mechanisms. However, additional +details need to be specified to fully specify these mechanisms for mDL +attestations within the EUDI Wallet ecosystem.
+Section 5.3.2.2. of [ARF] describes the concept of a trusted list of +Issuers. This document specifies that for mDL attestations, such a +trusted list SHALL be used. Relying Parties SHALL only trust mDL issuers +that are included in a trusted list of mDL issuers. Additionally, there +SHALL be only a single trusted list of mDL issuers, which SHALL be +generated and maintained by a yet-to-be-determined party. This list +SHALL also contain the (root) certificate(s) of each mDL issuer. +Regarding the format of this trusted list, the format specified in Annex +C of ISO/IEC 18013-5 SHALL be used.
+| + | + |
|---|---|
| [ARF] | +The Common Union Toolbox for a Coordinated Approach Towards a European Digital Identity Framework - The European Digital Identity Wallet Architecture and Reference Framework, January 2023, Version 1.0.0 | +
| [ISO] | +ISO/IEC 18013-5, Personal identification — ISO-compliant driving licence — Part 5: Mobile driving licence (mDL) application, First edition, 2021-09 | +
| [2015/1505] | +COMMISSION IMPLEMENTING DECISION (EU) 2015/1505 | +
| + | of 8 September 2015 | +
| + | laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market | +
| [SD-JWT] | +Selective Disclosure for JWTs (SD-JWT) | +
| + | draft-ietf-oauth-selective-disclosure-jwt-04, 11 April 2023 [1] | +
The exact version to be referenced is to be determined. [ARF] +references v0.2. v0.4 is the latest version available at the time of +writing of this document. The level of interoperability between +these versions is not known. As [SD-JWT] is still under +development, presumably later versions will become available over +time. ↩
+The exact version to be referenced is to be determined. [ARF] +references v0.2. v0.4 is the latest version available at the time of +writing of this document. The level of interoperability between +these versions is not known. As [SD-JWT] is still under +development, presumably later versions will become available over +time. ↩
+for the EUDI Wallet ecosystem
+November 2023 +v1.0.0
+This is a working document that holds no legal value and does not +reflect any common agreement or position of the co-legislators. It +presents a state-of-play of ongoing work of the eIDAS Expert Group. This +document is being continuously updated and should not be considered +final.
+Figure 1: Document Management example 6
+Figure 2: Interactive Elements example 6
+Figure 3: Document Presentation example 7
+ + +Figure 6: Undo & Redo example 9
+Figure 7: Confirmation Dialogs example 10
+Figure 8: Flexible Inputs example 10
+Figure 9: iOS 3d touch example 11
+Figure 10: Bookmarks example 12
+Figure 11: Quick Proofs example 13
+Figure 12: Error Messages examples 14
+ + +This design guide outlines the principles, guidelines, and best +practices for creating consistent and effective design solutions for the +EUDI wallet. The purpose of a design guide is to ensure that all design +work produced by a team or across different teams is consistent, +coherent, adheres to certain standards and aligns with the overall goals +and values of the project.
+As many sections will be subject to national implementation this +document includes guidelines to assist in creating a user interface that +is useful, usable, and enjoyable to use. It also provides specific +instructions and tips for creating accessible and inclusive designs.
+It shall be highlighted that this design guide does not aim to provide +detailed design elements to be adopted by national EUDI Wallet +implementations. Overall, the objective of the EUDI Wallet Design Guide +is to:
+Identify key design principles and provide guidelines against these + design principles;
+Identify specific areas of the EUDI Wallet for which design + principles are considered important and expand on those in future + iterations of the EUDI Wallet Design Guide.
+The design guidelines listed in this document shall not be considered as +mandatory towards the implementations of the EUDI Wallet, but rather +stand as recommendations to ensure a common user experience across the +different national implementations.
+UI (User Interface) consistency is important because it provides a +better user experience and helps users navigate a mobile application +more easily. When elements such as icons, colours, and fonts are +consistent throughout an application, users can quickly learn how to use +it and understand the application's intention.
+Familiarity:
+Consistent UI elements give users a sense of familiarity and they can +feel more comfortable using the application. If the user interface +changes too often, it can cause confusion and frustration.
+Efficiency:
+Consistency in the user interface can make navigation easier and more +efficient. Users will know where to find the features they need, and +they reduce cognitive load.
+Accessibility:
+Consistent UI elements make it easier for users with disabilities to +navigate the application. Users with visual impairments, for example, +can more easily use screen readers when consistent UI elements are used.
+Overall, UI consistency is an essential aspect of good user interface +design. It makes the application more user-friendly, efficient, and +accessible.
+Twelve design criteria have been selected which we go over in details in +'Section 2'. The first 10 are the usability heuristics from the Nielsen +Norman +group1. +They are called \"heuristics\" because they are broad rules of thumb and +not specific usability guidelines. These are used to evaluate a User +Interface, so it is good to have them as guiding principles during the +design phase as well. These 10 principles are:
+Visibility of system status
+Match between system and the real world
+User control and freedom
+Consistency and standards
+Error prevention
+Recognition rather than recall
+Flexibility and efficiency of use
+Aesthetic and minimalist design
+Help users recognize, diagnose, and recover from errors
+Help and documentation
+An additional 2 were added to address these important areas:
+Accessibility
+Writing
+++Disclaimer: The design guidelines listed in this document shall not be +considered as mandatory towards the implementations of the EUDI Wallet, +but rather stand as recommendations to ensure a common user experience +across the different national implementations. Any design elements +included in the following chapter are indicative and are only used to +better illustrate the corresponding design criteria.
+
++The design should always keep users informed about what is going on +through appropriate feedback within a reasonable amount of time
+
Document management
+When adding or removing a document the application should let the user +know whether the process was completed successfully of not.
+
+Figure 1: Document Management example
Interactive elements
+Interactive elements such as buttons must have a pressed and focused +state.
+
+Figure 2: Interactive Elements example
++The design should speak the users\' language. Use words, phrases, and concepts familiar to the user, rather than internal jargon. Follow real-world conventions, making information appear in a natural and logical order.
+
Document representation
+Documents should be (where possible) represented in the UI by what is +familiar to the user instead of generic / ambiguous icons.
+
+Figure 3: Document Presentation example
Labels
+Stay away from technical terms and jargon. Use labels that people use in +their everyday life.
+
+Figure 4: Labels example
Icons
+People spend most of their time in other apps/websites. Use icons that +are familiar and clear to them instead on ambiguous ones.
+
+Figure 5: Icons example
++Users often perform actions by mistake. They need a clearly marked +\"emergency exit\" to leave the unwanted action without having to go +through an extended process.
+
Undo & Redo
+The third principle talks about giving the freedom to the user to +navigate and perform actions - for instance, the freedom to undo or redo +any accidental moves
+
+Figure 6: Undo & Redo example
++Users should not have to wonder whether different words, situations, or +actions mean the same thing. Follow platform and industry conventions.
+
App should follow interface standards and platform conventions. +Conventions have been established that users are familiar with. This +knowledge should be capitalised upon to make the app have a higher level +of intuitiveness.
+E.g. Position of menu, Navigation bar, Search location
+++Good error messages are important, but the best designs carefully +prevent problems from occurring in the first place. Either eliminate +error-prone conditions or check for them and present users with a +confirmation option before they commit to the action.
+
Confirmation dialogs
+For accidental actions such as miss-clicks
+
+Figure 7: Confirmation Dialogs example
Flexible inputs
+Flexible inputs allow people to answer questions the way they want +instead of the way a database requires them to. But these input fields +come with a promise to users: \"whatever format you choose, we\'ll take +it.\" For example, a phone number can be entered in various ways by +different people. The field can either format it accordingly on each own +or provide a hint of the expected format instead of producing in-line +errors or result in guesswork.
+
+Figure 8: Flexible Inputs example
++Minimize the user\'s memory load by making elements, actions, and +options visible. The user should not have to remember information from +one part of the interface to another. Information required to use the +design (e.g. field labels or menu items) should be visible or easily +retrievable when needed.
+
++Offer shortcuts---quick ways to get one or more tasks done with your +apps. They should speed up the interaction with an app for the expert +user
+
It's possible to improve the efficiency of interaction with an app for +experienced users with ways that will allow them to complete frequent +actions faster.
+iOS 3d touch
+Shortcuts for quick proofs through iOS 3d touch
+
+Figure 9: iOS 3d touch example
Bookmarked or Recently used documents on homepage
+Users can customise their home screens with the documents most relevant +for them
+
+Figure 10: Bookmarks example
Quick proofs within the app
+Quick proofs can give quick access to specific information serving both +convenience and privacy
+
+Figure 11: Quick Proofs example
++Interfaces should not contain information which is irrelevant or rarely +needed. Every extra unit of information in an interface competes with +the relevant units of information and diminishes their relative +visibility. Use whitespace in harmony with your content.
+
++Error messages should be expressed in plain language (no error codes), +precisely indicate the problem, and constructively suggest a solution.
+
+Figure 12: Error Messages examples
++It\'s best if the system doesn\'t need any additional explanation. +However, it may be necessary to provide documentation to help users +understand how to complete their tasks.
+
This can come in the form of App-onboarding, tutorials, F.A.Q.s or a +Help section.
+An estimated 100 million people in the EU have some form of disability, +and so represent an important segment of its population and a large user +group.
+With Europe's aging population this number is only going to rise. +Keeping this in mind, it is important to distinguish accessibility from +disabilities. Accessibility in this case, refers to making a website +accessible to users who due to their temporary or permanent condition, +their age, or their situation may face issues with accessing website +content. For example, individuals with reduced manual dexterity due to +injury or neurological conditions (permanent), or with an injured arm +(temporary), or a new parent holding a baby (situational) all experience +difficulties that may impede movement, coordination, or sensation or +what is most commonly referred to as motor disability. Therefore, it +concerns a much wider audience that one may initially think. The +definition of disability differs as the term disability refers to +'long-term physical, mental, intellectual or sensory impairments which +in interaction with various barriers may hinder a person's full and +effective participation in society on an equal basis with others. By +delivering the user experience in a way that is accessible to people +with the aforementioned needs, we are providing equal access to +information for all citizens regardless of their situation or condition.
+Aim to have at least the main controls for the app at the bottom half of +the screen when they are easily reachable with the thumb when operating +the phone with one hand. The top half should be used for displaying +information, documents, QR codes etc.
+| + | + |
|---|---|
 |
+ |
+
Figure 13: Layout
+A target size is the area that can be activated in order to interact +with an element. Individuals with dexterity challenges may find it more +challenging to utilize a website if the target size is smaller. In this +section, we\'ll examine methods2 for generating target sizes that are +user-friendly, uniform, and properly spaced. A person\'s ability to +interact with smaller controls may be impacted by a disability or a +combination of disabilities that affect their motor movements and +dexterity, as well as by the act of using a website while on the move, +such as while walking or commuting.
+
Figure 14: Target Sizes
+Text to background colour contrast should meet a 4.5:1 ratio.
+How to check: enter the hex codes for the foreground and background +colours using
+ +The UI should be designed to support up to x2 the text size without +breaking.
+Avoid adding flashing, blinking, and rotating animations on the +background. Excessive screen movement with no mechanism to control can +make it difficult for users to gather information.
+Animations and transitions should be:
+Informative (Motion design informs users by highlighting + relationships between elements, action availability, and action + outcomes.)
+Focused (Motion focuses attention on what\'s important, without + creating unnecessary distraction.)
+Expressive (Motion celebrates moments in user journeys, adds + character to common interactions, and can express a brand's style.)
+Make sure you provide the relative support for screen readers. Consider +how the reader is going to read the screen and place items accordingly +for convenience. In case of having to read through a lot of content to +get to the main controls, consider providing a skip button.
+Text should be understandable by anyone, anywhere, regardless of their +culture or language. UI text can make interfaces more usable and build +trust. Text should be clear, accurate, and concise.
+Use the present tense to describe product behaviour. Avoid using the +future tense as this usually requires later updates.
+Use the present tense to describe product behaviour. Avoid using the +future tense to describe the way a product always acts. When you need to +write in the past or future tenses, use simple verb forms. This may not +be applicable to all languages; the overall goal is to be as concise as +possible without compromising clarity.
+
Document added
Write in the present tense.
+
Document has been added
Don't write in different variations of the present tense, such as the +present perfect tense.
+When a phrase describes a goal and the action needed to achieve it, +start the sentence with the goal.
+ To add a document, click +
Start a statement with the objective ("to add a document") and end it +with the user action ("click +").
+ Click + to add a document
Don\'t state the action the user takes ("Click +") before the +objective ("to add a document").
+To avoid confusing the user, avoid using \"me\" or \"my,\" and \"you\" +or \"your,\" in the same phrase.
+ Change your preferences in My Account
Don\'t refer to the user in both the second person and the first person +within the same phrase.
+ Change your preferences in Account
This section lists specific areas/features on which design +considerations are deemed important to ensure a common user experience +across the national implementations of the EUDI Wallets. It shall be +noted that this list highlights specific areas which are prioritised as +important but does not aim to be an exhaustive list.
+Covering common user authentication aspects, e.g. PIN, biometrics + etc.
+Exploring the balance between the corresponding security aspects + comparing to the user friction points throughout the entire user + flow (e.g. required only at the point of sharing data? Or at login + as well?)
+Guidelines around 'user consent' in data sharing scenarios (e.g. + requesting user consent, enforcing trust)
+Guidelines in relation to the authentication results presentation, + i.e. successful/unsuccessful identification and authentication
+Guidelines in relation to data transfer results for proximity + sharing use cases, i.e. successful/unsuccessful data transfer)
+Covering guidelines related to the confirmation/summary results + presented to the user
+Handling/Display of error messages in different scenarios
+Erroneous user credentials
+User is not authenticated.
+Document is considered invalid.
+Relying party is not considered trusted.
+Principles/guidelines on how these shall be presented/structured + etc.
+Establish trust through the use of the EUDI Wallet Trust Mark
+Applicability and placement in the corresponding sharing processes
+In conclusion, this EUDI Wallet Design Guide document represents the +first iteration of what intends to be a \'living\' document, which will +be further elaborated for the specificities of the EUDI Wallet +functionalities, as listed in section 3 of the document. As such, it is +recognized that there may be areas for further elaboration and analysis +on which feedback and improvement suggestions from stakeholders is +anticipated.
+Taking into consideration that the EUDI Wallet Design Guide shall be +applicable for the national implementations of the EUDI Wallet, the +boundaries of this document are set to common principles that shall be +applicable to all national implementations. These shall be considered as +recommendations to ensure a similar user experience across the different +national implementations. By taking a collaborative approach and +continuously improving upon this document, the aim is to create a EUDI +Wallet Design Guide that assists in the national implementations, while +at the same time meets the user expectations. We encourage stakeholders +to review this EUDI Wallet Design Guide document thoroughly and kindly +provide feedback that will assist if further shaping this design guide.
+NNGroup https://www.nngroup.com/articles/ten-usability-heuristics/ ↩
+Methods examined: By Apple +https://developer.apple.com/design/human-interface-guidelines/layout +and Google +https://m3.material.io/foundations/layout/understanding-layout/overview +& +https://m3.material.io/foundations/accessible-design/accessibility-basics ↩
+Version: 1.10
+In alignment with section '6.4' of the Architecture Reference Framework +(ARF), there are four main types of flows that the EUDI Wallet must +support. These main flows are as follows:
+Remote same-device flow
+Remote cross-device flow
+Proximity supervised flow
+Proximity unsupervised flow
+It shall be noted that remote supervised cases are also considered as +possible in some use cases, but the document focuses mainly on the types +of flows detailed in the ARF, as listed in the above list.
+The 'EUDI Wallet Design Guide' aims to expand on the defined 'Service +Blueprints' (published in 'ARF v1.1.0' where the focus is on the 'remote +same-device' and 'proximity' flows. However, design interactions +applicable for the 'remote cross-device' flow will also be analysed at a +high-level.
+
In relation to the remote flows, it shall be noted that the data exchange occurs over the Internet, but the key differentiator is related to the devices being utilized in the flows. In the 'remote same-device' flow, the EUDI Wallet User is on a mobile device, requesting access to a Relying Party's service (i.e. app or browser) and authorizes by using the EUDI Wallet app, which is also installed on the same device.
+In contrast, in the 'remote cross-device' flow, the EUDI Wallet user +consumes information from a Relying Party service on another device than +the EUDI Wallet device, e.g. user visits the relying party's service on +their web browser on a PC and uses the EUDI Wallet app to scan a QR Code +on a login page in order to get access to a service provided by the +Relying Party.
+
In relation to the 'proximity' flows, both flows are related to +scenarios where the EUDI Wallet User is physically close to a Relying +Party, the user does not necessarily have internet connectivity and the +data presentation occurs using proximity protocols (NFC, Bluetooth, +QR-Code, etc.). The key differentiator in the two proximity flows, is +that in the supervised flow, the EUDI Wallet presents data (e.g. a +mobile driving license) to, or under the supervision of, a human acting +as a Relying Party (who may operate a device of their own). In the +unsupervised flow, the EUDI Wallet presents verifiable attributes to a +machine without human supervision.
+
The following points are depicted as identification points within the +described user flows:
+identification on application launch
+identification when authorizing disclosure of data in proximity + flows (possibility to be disabled via corresponding settings) + (authorization process)
+identification when presenting via deep link (authorization process)
+identification after being idle
+A set of 'authentication means' applicable for the EUDI Wallet are being +analysed in this Design Guide. These are:
+PIN
+Pattern
+Biometrics
+Password
+OTP
+
It shall be clarified that different levels of security shall be +required per use case, e.g. sharing a user's 'Person Identification +Data' is associated with 'High Level of Assurance', while showing a +'quick proof' that user is over 18 years of age may be associated with +simpler means of authentication.
+Thus, it is expected that a combination of 'authentication means' are +available for the user to select and be used as per the needs of the +applicable use case. However, it shall be clarified that the available +authentication means are defined by the 'EUDI Wallet Provider' and the +'Device Manufacturer' and in principle shall adhere to the native way of +the operating system, e.g. password and biometrics.
+It shall be noted that this section reflects a preliminary analysis +which is based on desk research and not on usability testing/field +research and it shall further be expanded and validated with detailed +research/user testing.
+The analysed authentication means are being scored-in a scale of 0 to +10-against a set of design-related criteria, aiming to quantify the pros +and cons of each mean.
+The criteria used for the rating are:
+Convenience: The level of intuitiveness of each authentication + method
+Experience: Overall user experience from a user perspective (i.e. + smooth experience)
+Speed: Speed of use for the user's authentication process
+Error Prevention: Assisting users to minimize potential errors in + the authentication process
+Accessibility: Adherence to accessibility standards/specificities
+[[CHART]]{.chart}
+Ratings have been based on a desk study and not actual first-hand +testing
+| Method | +Pros | +Cons | +
|---|---|---|
| PIN | +• Short and easy authentication method | +• Slower unlocking compared to other authentication methods | +
| + | • Flexibility in PIN requirements | +• Requires users to memorize numbers | +
| + | + | • Recovery can be hard if you forget the PIN | +
| + | + | • Often predictable | +
| Pattern | +• Simple and intuitive to use | +• Many people choose simple, predictable patterns | +
| + | + | • Input method is visible to those around you | +
| + | + | • Belongs to a third party | +
| Password | +• More secure than a PIN | +• Easy to guess | +
| + | • Flexibility in password requirements | +• Slower unlocking | +
| + | + | • Password recovery can be as hard as a PIN recovery | +
| Biometrics (fingerprint) | +• Fast and convenient authentication method | +• Fingerprints can be replicated. | +
| + | + | • Fingerprint distortion can cause failures. | +
| + | + | • Belongs to a third party | +
| Biometrics | +• Fast unlocking method | +• Light effects and facial changes can cause failures | +
| (face scan) | +• It doesn’t require memorizing codes and passwords. | +• Screen orientation and distance from the camera can impact readability | +
The EUDI Wallet should provide a secure and user-friendly environment by +empowering users with granular control over presenting their data, +ensuring transparency and clarity, and enabling user control and +consent.
+Selective Disclosure: The EUDI Wallet should empower users to + have granular control over the information they present. The EUDI + Wallet should provide clear options for selective disclosure, + allowing users to choose between mandatory and optional information + to be presented, intending to emphasize on the data points which are + required to be shared by the user. It is recommended that optional + data shall be grouped in collapsed sections and be unselected by + default. On the other hand, it should be clearly depicted that + mandatory data cannot be unselected. The app should show users a + concise summary of the requested data, clearly indicating which + fields are mandatory and which are optional, as per each Member + State (MS) / Relying Party (RP) policy decision. This empowers users + to make informed decisions about what information they want to + disclose, ensuring their privacy preferences are respected, with the + risk of not completing a data request in a later step (more details + in section 5 Error Cases).
+Transparency and Clarity: Transparency is key in ensuring that + users are always aware of what information is being presented. The + EUDI Wallet should include clear and concise explanations about the + purpose of each data request, the relying party\'s identity, and how + the data will be used, highlighting data storage and 'intent to + store' aspects to the user. Utilising plain language and avoiding + technical jargon can enhance understanding and minimise user + confusion.
+User Control and Consent: To promote a sense of trust and + control, the EUDI Wallet should prioritise user consent throughout + the data-sharing process. The app should provide intuitive controls + to enable users to configure their preferences easily. Clear + notifications should be presented when changes are made, ensuring + users are always aware of their data-sharing settings and can adjust + them as needed.
+Pre-authorisation: Pre-authorisation is a feature allowing the + user to give automatic consent for releasing certain attributes, + prior to any interaction. 'Pre-authorisation' as a concept may be + implemented in the form of one or multiple 'profiles'. For example, + if the user selects an 'age verification' profile, the EUDI Wallet + will always release the corresponding attribute (e.g. age_over_NN) + when requested by a Relying Party. However, if the user chooses to + set a 'law enforcement' profile, the EUDI Wallet will release all + attributes with a Relying Party, without giving the User the option + of withholding consent during the transaction.
+It shall be highlighted that the 'pre-authorisation' concept may +optionally be implemented, under the following conditions:
+The pre-authorisation mechanism shall give the user the possibility + to select which attribute(s) the EUDI Wallet Instance must release + with which specific Relying Parties without asking for user consent + during the interaction. User consent shall never apply + indiscriminately to all Relying Parties or to all attributes.
+A Relying Party for which pre-consent is given shall have been + authenticated by the EUDI Wallet at least once. This is a + consequence of the previous point as it is not possible to select a + Relying Party if that Relying Party is not unambiguously known to + the Wallet Instance. It shall be noted that this requirement holds + for both proximity use cases and remote use cases.
+Giving pre-authorisation shall be a 'friction-full' process, meaning + that it shall not be too easy and requires a considered user + decision. Possibly, giving pre-authorisation should require an + additional user authentication step.
+The EUDI Wallet shall be able to present to the user a clear + overview of all pre-authorisation given, with the ability to easily + change or withdraw one or more of these pre-authorisations.
+It shall be noted that pre-authorisations shall have a validity + limit or the user should be regularly prompted to review any set up + pre-authorisations.
+If pre-authorisation applies for one or more requested attributes, + the EUDI Wallet shall release these attributes without first + notifying the user. However, immediately afterwards the EUDI Wallet + shall notify the User that one or more attributes were released on + the basis of pre-consent. That notification shall include an option + to withdraw the applicable user consent, but also highlight 'intent + to store' aspects to the user.
+It shall be noted in the case where request also includes additional + optional data request, it would be proposed pre-authorisation would + prevail the potential request of optional data, since the concept of + pre-authorisation would be introduced to simplify the user flow. + However, further exploration and user research would be required for + such flows.
+Solution providers shall duly consider the associated + security/privacy risks associated with the pre-authorisation feature + in conjunction with the specific conditions listed above.
+Relying Party Trustworthiness: Trust in relying parties is + crucial for users to feel confident sharing their personal + information. The EUDI Wallet should incorporate clear information + and visual indicators or badges e.g. Trust Mark could be utilised to + indicate whether the Relying Party is considered trusted, based on + the underpinning trust framework established. Providing users with + this data helps them make informed decisions about which parties + they trust and are comfortable sharing their data with. Further + information must be provided upon clicking on the badge regarding + what it means to be a trusted party and how you become one.
+The EUDI Wallet aims to promote user confidence and foster a sense of +control and privacy, thereby enhancing the overall adoption and utility +of the app.
+
To enable authorization for data sharing during online processes, the +following methods can be employed:
+To enable authorization for data sharing during offline processes, the +following methods can be employed:
+QR/Bluetooth: When presenting data to a Relying Party (attended + service), users can display a QR code on their EUDI Wallet to be + scanned by the Relying Party's reader device and transmit the + information via Bluetooth using their EUDI Wallet.
+NFC/Bluetooth: Alternatively, users can use Near Field Communication + (NFC) to engage with the Relying Party's device and Bluetooth to + transmit the data to the Relying Party service through their EUDI + Wallet.
+QR/Bluetooth: When presenting data to a Relying Party (unattended + service), users can display a QR code and present the information + via Bluetooth through their EUDI Wallet.
+NFC/Bluetooth: Similarly, users can utilize NFC and Bluetooth to + transmit the data to the Relying Party service through their EUDI + Wallet.
+During the authorization processes, a comprehensive screen will be +presented to the citizen which shall clearly display both mandatory and +optional data requested by the third-party service (as presented in +'section 3'). The citizens will have the freedom to choose which +optional information they wish to share, providing them with complete +control over their personal data. Additionally, a clear indication of +the data transfer outcome shall be presented to the users in all +scenarios described above, e.g. descriptive message regarding successful +data transfer.
+Handling/Display of error messages in different scenarios +(Principles/guidelines/consequences on how these shall be +presented/structured etc.)
+When the user attempts to log in to the app, expects to receive feedback +indicating the success or failure of their login attempt.
+
The user gets an error message indicating that his credentials were wrong:\
+When the user is facing multiple failed attempts (e.g., 3) when trying +to log in, they get an error message as feedback from the app.
+The error message typically indicates that the entered credentials are +incorrect or that there has been a problem with the identification +process. It can also guide the user in resolving the issue by reviewing +the credentials or checking for typos, etc., and prompts the user to try +again in 2 minutes or try to recover their password, hence the recovery +functionality may be presented as a fallback option for the user in case +his/her log-in attempts are not successful.
+By limiting the number of login attempts, the app reduces the risk of +malicious factors attempting to gain unauthorized access by repeatedly +guessing passwords or usernames.
+
The user gets an error message indicating that they must try again later.
+When the user presents an invalid document through the app, (e.g., a +driver\'s license to a police officer) the app displays an error message +on the user's screen, indicating that the document could not be verified +because it is expired or revoked.
+
The user gets a message indicating the status of the document.
+However, the user should be warned if a document they have saved within +the app is expired or revoked. The warning could be presented as a +notification or prompt within the app, indicating that a saved document +is approaching or has already passed its expiration date. The message +could include information on how to renew or update the document, +directing the user to the appropriate authorities, or providing relevant +instructions.
+
The user gets a message indicating that the document expires shortly.
+By providing proactive reminders about expired documents, the app can +contribute to a smoother user experience, help users remain compliant +with regulations, and foster trust and confidence in the app\'s +functionality and user support.
+When the user attempts to share information through the app with a third +party -a physical person or a digital service- and it turns out that the +third party is not valid or is a fraud, they must get an alert warning +message.
+
The user gets a message indicating that they must not share information with that party. The options are to report it, to close the app, or to search for information about security.
+When a user scans their QR code using a QR code scanning device, they +receive a prompt to provide additional documents, such as an ID. If the +required document is not present in the user\'s app, an error message is +displayed, notifying the user that the document is not stored in their +app.
+
The error message then suggests adding the document from the available documents list.
+ + + + + + + + + + + + + +February 2024
+Version 1.3.0
| Version | +Date1 | +Changes | +
|---|---|---|
| 1.0.0 | +26 January 2023 | +Initial version | +
| 1.1.0 | +20 April 2023 | +Addition of services blueprints for use cases on:
|
+
| 1.2.0 | +22 June 2023 | +
|
+
| 1.3.0 | +15 December 2023 | +
|
+
On 3 June 2021, the European Commission adopted a Recommendation2 +calling on Member States to work towards the development of a Toolbox +including a technical Architecture and Reference Framework (hereinafter +the ARF), a set of common standards and technical specifications and a +set of common guidelines and best practices.
+The Recommendation specifies that these outcomes will serve as a basis +for the implementation of the proposal for a European Digital Identity +Framework3, without the process of developing the Toolbox interfering +with, or prejudging the legislative process.
+The Recommendation foresees that the Toolbox is developed by Member +States' experts in the eIDAS Expert Group4 in close coordination with +the Commission and, where relevant for the functioning of the European +Digital Identity (EUDI) Wallet infrastructure, other concerned public +and private sector parties.
+Following the indicative timeline set out in the Recommendation, a +process and working procedures were agreed on 30 September 2021 and +discussed in a non-paper on a high-level description of the EUDI Wallet +ecosystem, proposed by the Commission.
+On this basis, an outline was defined providing a more detailed +description of the EUDI Wallet concept, its functionalities and security +aspects and on several core, use cases between October and December +2021. That work resulted in the Outline of the ARF, adopted by the eIDAS +Expert Group in February 2022. The Outline was published on Futurium5 +for public feedback. When the feedback period closed on 15 April 2022, +36 stakeholders had provided their feedback on the Outline.
+The eIDAS Expert Group has since further developed the concepts and +specifications for the European Digital Identity Framework based on the +Commission's legislative proposal6, and will continue to do so until +the legislative negotiations have been concluded and implementing acts +have been adopted.
+The eIDAS Expert Group adopted the present document on 26 January 2023.
+The purpose of the document is to provide all the specifications needed +to develop an interoperable EUDI Wallet Solution based on common +standards and practices. The document presents a state-of-play of +ongoing work of the eIDAS Expert Group and does not imply any formal +agreement regarding its content or the legislative proposal. This +document will be complemented and updated over time through the process +of establishing the toolbox, as described in Chapter 9. Once completed +the document will describe a comprehensive Architecture and Reference +Framework covering all the specifications needed to implement a +European Digital Identity Wallet Solution.
+While Chapters 2-5 and 8-10 are descriptive, Chapters 6 and 7 specify +requirements for PID Providers, (Q)EAA Providers, EUDI Wallet Solution +Providers, Relying Parties and other parties in the EUDI Wallet +ecosystem. The capitalised imperatives in the document are used in +accordance with RFC 2119.
+This document itself holds no legal value and SHALL not prejudge the +forthcoming legislative process and the final mandatory legal +requirements for European Digital Identity Wallets. This document +will be aligned to the outcome of the legislative negotiations of the +proposal for a European Digital Identity Framework. Only the finally +adopted European Digital Identity Framework Regulation, and the +implementing and delegated acts adopted under that legal basis, +will be mandatory.
+This document is mainly meant to be used by the European Commission +developing a reference implementation of an EUDI Wallet and the +consortia piloting the use of the reference implementation in the +context of Pilots. Experience of implementing this specification +may lead to improvements of this document, in accordance with +Chapter 9.
+The Commission will provide a reference implementation of an EUDI Wallet +in a mobile form factor. The source code for the EUDI Wallet reference +implementation will be provided as open source for re-use by +implementers across Europe. The first implementers will be the projects +selected to carry out Large Scale Pilots (LSPs), following a call for +proposals. The LSP projects will be engaged in the further development +of the reference implementation of an EUDI Wallet. The Commission will +also initially supply central services as needed for the functioning of +the EUDI Wallet reference implementation.
+The Commission intends to use the ARF to develop the EUDI Wallet +reference implementation.
+To support the development of a reference implementation of an EUDI +Wallet and to pilot its usage across different priority use cases, the +Commission launched a call for proposals on 22nd February 2022 under the +Digital Europe Programme to pilot large-scale use cases for the EUDI +Wallet.
+The objective of the Large Scale Pilots (LSP) call is to co-fund the +piloting of the EUDI Wallet based on a reference implementation of an +EUDI Wallet, taking into account project specificities, existing +national notified eID and wallet developments and implementation +situations, around the different cross-border use cases involving both +public and private stakeholders.
+The ARF will be used by the LSPs to inform and guide pilot system design +and architecture development together with the release of the reference +implementation.
+The LSPs are expected to provide feedback on the ARF as they develop and +interact with Relying Party services, Qualified or non-qualified +Electronic Attestations of Attributes (Q)EAA Providers, Person +Identification Data (PID) Providers and Users in meaningful transactions +under the proposed use cases.
+In addition to Article 3 of the proposed amendment to the legal text, +the following definitions are provided to either highlight those most +relevant to the Architecture and Reference Framework or to introduce +additional terms not defined in the legal text (denoted with a *).
+| Term | +Description | +
|---|---|
| Attestation | +A signed set of attributes, in either the mdoc format specified in [ISO18013-5] or the SD-JWT format specified in [SD-JWT]. This may be a PID, QEAA or EAA. | +
| Attribute | +A feature, characteristic or quality of a natural or legal +person or of an entity, in electronic form. - eIDAS Regulation +amendment proposal | +
| Authentic Source | +A repository or system, held under the responsibility of a +public sector body or private entity, that contains attributes about a +natural or legal person and is considered to be the primary source of +that information or recognised as authentic in national law. – eIDAS +Regulation amendment proposal | +
| Electronic Attestation of Attributes (EAAs) | +An attestation in electronic form that allows the +authentication of attributes - eIDAS Regulation amendment +proposal | +
| + | + |
| National Accreditation Bodies (NAB)* | +A body that performs accreditation with authority +derived from a Member State under Regulation (EC) No 765/2008. + | +
| Person Identification Data (PID) | +A set of data enabling the identity of a natural or legal +person, or a natural person representing a legal person to be +established - eIDAS Regulation. | +
| Person Identification Data Provider* | +A Member State or other legal entity providing Person +Identification Data to Users. | +
| Public Key Infrastructure (PKI)* | +Systems, software, and communication protocols that are used by EUDI Wallet ecosystem components to distribute, manage, and control public keys. A PKI publishes public keys and establishes trust within an environment by validating and verifying the public keys mapping to an entity. | +
| Qualified Electronic Attestations of Attributes (QEAA) | +An Electronic Attestation of Attributes, which is issued +by a Qualified Trust Service Provider and meets the requirements laid +down in Annex V. - eIDAS Regulation amendment +proposal |
+
| Qualified Electronic Attestations of Attributes (QEAA) provider* | +(Qualified) Trust Service Provider issuing (Q)EAA. Note: there may be multiple (Q)EAA Providers. |
+
| Qualified Electronic Signature Creation Device (QSCD) | +Software or hardware used to create an electronic +signature that meets the requirements laid down in Annex II of the eIDAS +Regulation amendment proposal. -eIDAS Regulation and eIDAS +Regulation amendment proposal | +
| Qualified Trust Service Provider (QTSP) | +A Trust Service Provider who provides one or more Qualified +Trust Services and is granted the qualified status by the supervisory +body. - eIDAS Regulation | +
| Relying Party* | +A natural or legal person that relies upon an electronic +identification or a Trust Service. – eIDAS +Regulation +In the case of the EUDI Wallet, the Relying Party relies on +electronic identification or the Trust Service originating from an EUDI +Wallet. |
+
| Selective Disclosure* | +The capability of the EUDI Wallet that enables the User to +present a subset of attributes provided by the PID and/or +(Q)EAAs. | +
| Trust* | +Trust is the characteristic that one party, is willing to +rely upon a third-party entity to execute a set of actions and/or to +make a set of assertions about a set of subjects and/or +scopes[^7]. | +
| Trust Framework* | +A legally enforceable set of operational and technical rules +and agreements that govern a multi-party system designed for conducting +specific types of transactions among a community of participants and +bound by a common set of requirements. | +
| Trust model* | +Collection of rules that ensure the legitimacy of the +components and the entities involved in the EUDI Wallet +ecosystem. | +
| Trust Service Provider (TSP) | +A natural or a legal person who provides one or more Trust +Services, either as a qualified or as a non-qualified Trust Service +Provider. - eIDAS Regulation | +
| Trust Service | +An electronic service normally provided against payment +which consists of: +(a) the creation, verification, and validation of electronic +signatures, electronic seals or electronic time stamps, electronic +registered delivery services, electronic attestation of attributes and +certificates related to those services; +(b) the creation, verification and validation of certificates +for website authentication; +(c) the preservation of electronic signatures, seals or +certificates related to those services; +(d) the electronic archiving of electronic +documents; +(e) the management of remote electronic signature and seal +creation devices; +(f) the recording of electronic data into an electronic +ledger. - eIDAS Regulation amendment proposal |
+
| Trusted List* | +Repository of information about authoritative entities in a +particular legal or contractual context which provides information about +their current and historical status. | +
| User* | +A natural or legal person using an EUDI +Wallet. | +
| EUDI Wallet Instance* | +Instance of an EUDI Wallet Solution belonging to and which +is controlled by a User. | +
| Relying Party Instance* | +A software module with the capability to interact with a Wallet Instance and to perform Relying Party authentication, that is controlled by a Relying Party. | +
| EUDI Wallet Provider* | +A public or private organisation, responsible for the operation of an eIDAS-compliant EUDI Wallet Solution that can be instantiated on a User's device, e.g., through installation and initialization. | +
| EUDI Wallet Solution* | +An EUDI Wallet Solution is the entire product and service provided by an EUDI Wallet Provider, and offered to all Users of that Solution. | +
| Wallet Secure Cryptographic Application (WSCA)* | +A Wallet Secure Cryptographic Application (WSCA) is software provisioned within the Wallet Secure Cryptographic Device (WSCD). It is tasked with executing all security-sensitive operations such as generating, safeguarding, and handling cryptographic keys and assets. Additionally, it facilitates communication with the Wallet Instance. | +
| Wallet Secure Cryptographic Device (WSCD)* | +Hardware-backed secure environment for creating, storing, and/or managing cryptographic keys and data. Examples include Secure Elements (SE), Trusted Execution Environments (TEEs), and (remote or local) Hardware Security Module (HSM). | +
Table 1: Definitions
+* Additional to definitions in Article 3 of the eIDAS Regulation or +its amendment proposal.
+The development of EUDI Wallet specifications is steered by use cases +that facilitate understanding of user experience while capturing the +value proposition and business requirements of the EUDI Wallet. To +accomplish this, the eIDAS Expert Group begins by creating service +blueprints for each EUDI Wallet use case. These blueprints are visual +representations of the various components and processes involved in +providing a service to users and serve as a tool for pinpointing +potential areas for enhancement, optimising user experience, and +streamlining service delivery. These blueprints then act as the basis +for establishing use case rulebooks and common specifications for all +use cases.
+The service blueprints of the use case can be found in the annexes as +attached documents. It is important to note that the service blueprint +documents offer a viable solution for each use case, but alternatives +and optional steps do exist. For instance, displaying stored data which +the user has already approved to release might be optional. Furthermore, +user journeys may differ depending on the chosen implementation approach, +such as asynchronous attribute storage or synchronous retrieval. This +could affect aspects like providing approval to retrieve and release data.
+The eIDAS Expert Group has described service blueprints for the following use cases: +* Identification and authentication to access online services, see section 3.13.1, +* Mobile Driving Licence, see section 3.2, +* A number of other use cases that will be detailed in subsequent versions of this document, see section 3.3.
+The primary purpose of the EUDI Wallet is to offer secure identification +and authentication of users at a high Level of Assurance (LoA) for both +public and private online services. This essential functionality ensures +that Relying Parties can confidently verify that they are interacting +with the correct User.
+In this use case, the User is utilising the EUDI Wallet Instance to +confirm their identity. They access online services that demand +authentication and currently employ multiple methods for identity +verification while accessing these services. The User is also concerned +about sharing person identification data (PID) during online +interactions. Their objectives include identifying themselves with +services requiring user identification and maintaining control over +personal data sharing.
+This use case encompasses the entire EUDI Wallet life cycle from the +User's viewpoint, from obtaining a valid Wallet Instance to identifying and +authenticating the User within an online service. The focus of the +current description is a workable remote same-device flow (refer to +section 7.4), where a natural person User employs a single mobile device +for both securing the session and accessing the service's information.
+PID issuance requirements, PID attribute schema and Trust Infrastructure +details are further detailed in Chapter 6 and Annex A.6.
+A significant use case for the EUDI Wallet involves allowing Users to +acquire, store, and display a mobile Driving Licence (mDL) as an +attestation to prove their driving privileges. In this use case, the +User employs an EUDI Wallet to present a mDL to a Relying Party +(e.g., the Traffic Police)8.
+The use case description concentrates on proximity supervised and +unsupervised flows, which involve scenarios where the User is physically +near a Relying Party, and the mDL attribute exchange and disclosure +occurs using proximity technologies (e.g. NFC, Bluetooth). The two +proximity flows have one significant difference: in the supervised flow, +the EUDI Wallet presents mDL attributes to a human Relying Party or +under their supervision (who may also use a device); whereas in the +unsupervised flow, the EUDI Wallet presents mDL attributes to a machine +without human oversight.
+(Q)EAA issuance requirements, mDL attribute schema and Trust +Infrastructure details are further detailed in Chapter 6 and Annex A.7.
+In subsequent versions of this document, the following use cases will be +detailed as service blueprints:
+Easy access to health data is crucial in both national and cross-border +contexts. An EUDI Wallet Instance MAY enable access to patient summary, +ePrescriptions, etc.
+Providing documents for qualification recognition procedures can be +costly and time-consuming for end Users, Relying Parties such as companies +and employers, and (Q)EAA providers such as education and training +providers or other academic institutions. For example, digital diploma +attestations could be presented cross-border in a verifiable, trusted, +and consumable format to another education or training institution or a +prospective employer. An EUDI Wallet Instance may be a repository for +educational digital credentials as Electronic Attestations of Attributes +and a means for exchanging them by a learner.
+The EUDI Wallet Solutions SHALL facilitate complying with strong customer +authentication requirements. In line with the Commission's Retail +Payments Strategy9, the use case would be developed in close +coordination with Member States' advisory groups on retail payments +and the finance industry.
+EUDI Wallet can store Digital Travel Credentials enabling Users to +benefit from more seamless travel.
+This work may in future be extended to additional use cases.
+This Chapter describes the EUDI Wallet ecosystem as it is foreseen in +the Commission's legislative proposal.
+The roles of the EUDI Wallet ecosystem are described in Figure 1 and +detailed in the following sections.
+
Figure 1: Overview of the EUDI Wallet roles
+Users of EUDI Wallets
+EUDI Wallet Providers
+Person Identification Data Providers
+Trusted Lists providers
+Qualified Electronic Attestation of Attributes (QEAA) Providers
+Non-qualified Electronic Attestation of Attributes (EAA) Providers
+Qualified and non-qualified certificate for electronic + signature/seal Providers
+Authentic Sources
+Relying Parties
+Conformity Assessment Bodies (CAB)
+Supervisory bodies
+Device manufacturers and related subsystems providers
+(Q)EAA Schema Providers
+National Accreditation Bodies
+Users of EUDI Wallets use the EUDI Wallet instance to receive, store and +present PID, QEAA or EAA about themselves, including to prove their +identity. Users can create Qualified Electronic Signatures and Seals +(QES) using an EUDI Wallet instance.
+Who can be a User of an EUDI Wallet depends on national law. The use of +an EUDI Wallet by citizens is not mandatory under the legislative +proposal. However, each Member State SHALL provide at least one European +Digital Identity Wallet within 24 months after the entry into force of +the implementing acts referred to in the Regulation.
+EUDI Wallet Providers are Member States or organisations either mandated +or recognized by Member States making the EUDI Wallet available for end +Users. The terms and conditions of the mandate or recognition are for +each Member State to determine.
+The EUDI Wallet Providers make available to a User, through an instance +of their EUDI Wallet Solution, a combination of several products and +Trust Services foreseen in the legal proposal, which give the User full +control over the use of their Person Identification Data (PID) and +Qualified or non-qualified Electronic Attestations of Attributes (QEAA or +EAA), and any other personal data within their EUDI Wallet. From a +technical viewpoint, this may also imply guaranteeing a User sole +control over sensitive cryptographic material (e.g., private keys) +related to their PID and/or (Q)EAA, including in use cases for electronic +identification and creating a signature or seal.
+EUDI Wallet Providers are responsible for ensuring compliance with the +requirements for EUDI Wallets.
+PID Providers are trusted entities responsible to:
+The terms and conditions of these services are for each Member State to +determine.
+PID Providers MAY e.g., be the same organisations that today issue +official identity documents, electronic identity means, EUDI Wallet +Providers etc. EUDI Wallet Providers MAY be the same organisations as PID +Providers. In case an organisation acts as both a PID Provider and a +Wallet Provider, it SHALL comply with all requirements for both PID +Providers and Wallet Providers.
+The specific status of a role in the EUDI Wallet ecosystem SHALL be +verified in a trustworthy manner. Such roles are:
+Other roles may be necessary and thus need to be defined and explicitly +mentioned depending on the specific role and their criticality for +example the different roles and actors involved with remote signing +processes.
+When used, Trusted List11 need to provide a registration service for +the relevant entities, maintain a registry and enable third party access +to the registry information. The terms and conditions of entities to +become registered are for each registrar to determine unless specified +in e.g., sectoral rules.
+Qualified EAA are provided by QTSPs. The general Trust Framework for +QTSPs apply also to QEAA, but specific rules for this Trust Service need +to be defined as well. QEAA Providers maintain an interface for +requesting and providing QEAAs, including a mutual authentication +interface with EUDI Wallets and potentially an interface towards +Authentic Sources to verify attributes. QEAA Providers provide +information or the location of the services that can be used to enquire +about the validity status of the QEAAs, without having an ability to +receive any information about the use of the attestations. The terms and +conditions of these services are for each QTSP to determine, beyond what +is specified in the eIDAS Regulation.
+Non-qualified EAA can be provided by any Trust Service Provider. While +they are supervised under eIDAS, it can be assumed that other legal or +contractual frameworks than eIDAS mostly govern the rules for provision, +use and recognition of EAA. Such other frameworks may cover policy areas +such as driving licences, educational credentials, digital payments, +although they may also rely on qualified Electronic Attestation of +Attributes Providers. For EAA to be used, TSPs offer Users a way to +request and obtain EAA, meaning they need to technically comply with EUDI +Wallet interface specifications. Depending on the domain rules, EAA +providers may provide validity information about EAA, without having an +ability to receive any information about the use of the EAA. The terms +and conditions of issuing EAAs and related services are subject to +sectoral rules.
+Article 6a(3) of COM(2021)281 final requires the EUDI Wallet to enable +the User to create qualified electronic signatures or seals. This goal +can be reached by several ways:
+The EUDI Wallet is certified as a qualified signature/seal creation + device (QSCD), or
+It implements secure authentication and signature/seal invocation + capabilities as a part of a local QSCD or a remote QSCD managed by a + QTSP.
+EUDI Wallet interfaces with QSCDs will be further expanded in future +versions of this document.
+EUDI Wallet interaction with providers of other qualified or +non-qualified Trust Services such as timestamps may be further described +in future versions of the ARF.
+Authentic Sources are the public or private repositories or systems +recognised or required by law containing attributes about a natural or +legal persons. The Authentic Sources in scope of Annex VI of the +legislative proposal are sources for, for instance, attributes on +address, age, gender, civil status, family composition, nationality, +education and training qualifications titles and licences, professional +qualifications titles and licences, public permits and licences, +financial and company data. Authentic Sources in scope of Annex VI are +required to provide interfaces to (Q)EAA Providers to verify the +authenticity of the above attributes, either directly or via designated +intermediaries recognised at national level. Authentic Sources MAY also +issue (Q)EAAs themselves if they meet the requirements of the eIDAS +Regulation.
+It is up to the Member States to define terms and conditions for the +provisioning of these attestations, but according to the minimum +technical specifications, standards, and procedures applicable to the +verification procedures for qualified electronic attestations of +attributes.
+Relying Parties are natural or legal persons that rely upon an +electronic identification or a Trust Service. In the context of EUDI +Wallets, they request the necessary attributes contained within the PID +dataset, QEAA and EAA from EUDI Wallet Users to rely on the EUDI Wallet, +subject to the acceptance by the owner of the Wallet (User) and within +the limits of applicable legislation and rules. The reason for reliance +on the EUDI Wallet may be a legal requirement, a contractual agreement, +or their own decision. To rely on the EUDI Wallet, Relying Parties need +to inform the Member State where they are established and their +intention for doing so. Relying Parties need to maintain an interface +with the EUDI Wallet to request attestations with mutual authentication. +Relying Parties are responsible for authenticating PID and (Q)EAA.
+The EUDI Wallets SHALL be certified by accredited public or private +bodies designated by Member States12. QTSPs SHALL be audited regularly +by Conformity Assessment Bodies (CABs). CABs are accredited by a national +accreditation body according to Regulation 765/2008 as responsible for +carrying out assessments on which Member States will have to rely before +issuing a EUDI Wallet or providing the qualified status to a Trust +Service Provider. The standards and schemes used by CABs to fulfil their +tasks to certify EUDI Wallets are specified further in the Toolbox +process.
+The supervisory bodies are notified to the Commission by the Member +States, which supervise QTSPs and act, if necessary, in relation to +non-qualified Trust Service Providers.
+EUDI Wallets will have several interfaces with the devices they are +based on, which may be for the following purposes:
+For secure cryptographic material storage, specific devices or services +may be interfaced with. Other related entities may be service providers +such as cloud service providers, app store providers etc.
+The legal proposal sets constraints (e.g., compliance with LoA High) for +which kinds of devices and services may be used for the purpose of +issuing the EUDI Wallet. Likewise, the availability as well as terms and +conditions of device interface providers and related service providers +will set further constraints for EUDI Wallet Providers.
+(Q)EAA Schema Providers publish schemas and vocabularies describing +(Q)EAA structure and semantics. It may enable other entities such as +Relying Parties to discover and validate (Q)EAA. The Commission sets out +the minimum technical specifications, standards, and procedures for this +purpose. Common schemas, including by sector- specific organisations are +critical for wide-spread adoption of (Q)EAAs.
+National Accreditation Bodies (NAB) under Regulation (EC) No +765/200813 are the bodies in Member States that perform +accreditation with authority derived from the Member State. NABs +accredit CABs as competent, independent, and supervised professional +certification bodies in charge of certifying products/services/processes +against normative document(s) establishing the requirements (e.g., +legislations, specifications, protection profiles). NABs monitor the +CABs to which they have issued an accreditation certificate.
+The legal text defines the EUDI Wallet on a high level of abstraction, as +well as for the EUDI Wallet Providers that carry the legal obligation to +make sure that the Users can get a valid and fully functional EUDI +Wallet. The lifecycle of an EUDI Wallet will have some interactions with +the Trusted List Providers that specify the status of a role in the EUDI +Wallet ecosystem in a trustworthy manner. Developing an Architecture and +Reference Framework that SHALL provide guidance to the development of +such EUDI Wallet requires a more detailed level of abstraction to be +efficient and to yield a sufficiently expressive architecture description +to be prescriptive.
+This Chapter starts from a minimal object model and defines the +lifecycle of the core concepts: EUDI Wallet Solution, PID, (Q)EAA, and +EUDI Wallet Instance. These are chosen as a starting point because the +joint development of the ARF showed that the lifecycles of these +concepts are closely intertwined, which led to unclear description and +consequently misunderstandings.
+The object model will be extended as required in future versions of the +ARF.
+Figure 2 below distinguishes the concepts of EUDI Wallet Solution and +EUDI Wallet Instance. An EUDI Wallet Solution is the entire product +and/or service provided by a EUDI Wallet Provider. A EUDI Wallet +Instance is a personal instance of a EUDI Wallet Solution that belongs +to and is controlled by a User.
+
Figure 2: Simplified EUDI Wallet Object Model
+This definition is not prescriptive of form factor, hence depending on +the implementation a EUDI Wallet Instance may consist of a single mobile +app, or a set of local and remote components available to a specific +User.
+The lifecycles of PID and (Q)EAA are essentially identical, however, for +the scope of this description we refer subsequently only to PID. The +text of this section applied to PID applies mutatis mutandis to (Q)EAA.
+PID in the context of the EUDI Wallet begins its lifecycle when being +issued to a EUDI Wallet Instance. Please note that this means that the +management of attributes in the Authentic Source (adhering to national +structures and attribute definitions) is outside of the scope of the +ARF.
+Note that for certain use cases, the PID may be pre-provisioned, meaning +it is not yet valid when issued, but reaches its validity later. If PID +is issued on or after the validity start date, it is immediately +considered the state directly changes to valid. This means, however, +that PID could be "pre-issued".
+
Figure 3: State-chart of PID
+There are two possible transitions from a valid PID: it automatically +expires, by passage to the 'validity end date' or it is actively revoked +by its Provider. Expiration and revocation are essentially independent +transitions. Once PID is expired or revoked, it cannot transition back to +valid. If a change needs to be made to the PID (i.e., because of a User +name change), the PID Provider SHALL always issue a new PID.
+An EUDI Wallet Solution has a state of its own, as defined by Article +10a of the Regulation. The state of the Solution affects the state of +all EUDI Wallet Instances of that EUDI Wallet Solution. The +Candidate state is the first state of a EUDI Wallet Solution. This +means it is fully implemented and the EUDI Wallet Provider requests the +solution to be certified as EUDI Wallet.
+If all the legal and technical criteria have been met, including the +certification of the Wallet Solution by CAB(s), then a Member State may +decide to start providing Instances of the Solution to Users. The state +of the Solution becomes "valid". According to Article 6d, Member +State informs the Commission of each change in the certification status +of their EUDI Wallet Solutions. This means the EUDI Wallet Solution can +be officially launched, and Instances of the Solution can be provided to +Users.
+
Figure 4: State-chart of Wallet Solution
+Under the legal conditions in Article 10a, paragraph 1, the issuing +Member State can temporarily suspend an EUDI Wallet Solution. This would +for example be the result of a critical security issue on that EUDI +Wallet Solution. This leads to the suspended state. Under Article +10a, paragraph 2, the issuing Member State can unsuspend the Wallet +Solution and continue issuance, bringing the Solution back to the +valid state. Under paragraph 3, the EUDI Wallet Solution can be +completely withdrawn.
+An EUDI Wallet Instance lifecycle begins when the User installs the +mobile app component of the EUDI Wallet solution provided by The EUDI +Wallet Provider. Once an EUDI Wallet Instance is installed and +activated by the User and the EUDI Wallet Provider, it is in an +operational state. In this state, the User manages the EUDI Wallet +Instance, which may involve:
+In the operational state of the EUDI Wallet Instance:
+Once an EUDI Wallet Instance holds a valid PID set, it is +considered valid. If the PID expires or is revoked, the EUDI Wallet is +not automatically unusable, its state is merely downgraded back to +operational. This may affect the validity of a (Q)EAA or a certificate +for QES.
+
Figure 5: State-chart of Wallet Instance
+Please note that this is independent from the possibility of a PID or +(Q)EAA Provider to revoke their attestations.
+The European Digital Identity Ecosystem data model manages the following +types of attestations: +* Person Identification Data (PID): An attestation in electronic form + that allows the authentication of attributes proofing the identity of a + natural or legal person, or a natural person representing a legal + person, or of an object. +* Electronic Attestation of Attributes (EAA): An attestation in + electronic form that allows the authentication of attributes describing + features, characteristics or qualities of a natural or legal person or + of an entity, or a natural person representing a legal person, or of an + object. +* Qualified Electronic Attestation of Attributes (QEAA): an + electronic attestation of attributes (EAA), which is issued by a + qualified trust service provide, and adhering to Annex V of the + regulation.
+This section details the PID set as presented by the EUDI Wallet. Further +specifications regarding PID are detailed in the PID Rule Book, found in +Annex A.6.
+A PID Provider May issue a PID set to the EUDI Wallet and enable the use +of the EUDI Wallet as an electronic identification means when accessing +online and offline services.
+The mechanisms through which the PID is generated and provided to the +EUDI Wallet are up to the Member States and are only constrained by legal +requirements such as the requirements of LoA High, GDPR or any other +national or union law.
+In the following the data format as presented to the Relying Party will +be described, without any assumptions on how the EUDI Wallet retrieved or +generated this data beforehand.
+This Chapter proposes the definition of the PID set and discusses further +specification, data minimization and identifiers. The dataset proposed +herein is constructed based on the following principles:
+The below table provides an overview of mandatory and optional PID +attributes for natural persons.
+| Mandatory PID Attributes | +Optional PID Attributes | +
|---|---|
| family_name | +family_name_birth | +
| given_name | +given_name_birth | +
| birth_date | +birth_place | +
| + | resident_address | +
| + | gender | +
| + | age_over_18 | +
| + | age_over_NN | +
| + | age_in_years | +
| + | age_birth_year | +
| + | birth_country | +
| + | birth_state | +
| + | birth_city | +
| + | resident_address | +
| + | resident_country | +
| + | resident_state | +
| + | resident_city | +
| + | resident_postal_code | +
| + | resident_street | +
| + | resident_house_number | +
| + | nationality | +
Table 2 - Mandatory and optional PID attributes for natural persons
+Possible additional optional attributes have been added to facilitate a +wider range of authentication options both online and offline as well as +addressing learning from the current eIDAS implementations. Metadata +associated with a PID set is further detailed in Annex A.6.
+The following table defines the requirements applicable to PID regarding +what information is included in the attestation, such as for purposes of +validity checks, authenticity, validation, policies, the data model, and +formats.
+Future versions of this text may expand the table to specify +requirements. Note that these requirements are primarily aimed at the +first version of the EUDI Wallet Solution specifications, and that they +may change as the specifications evolve.
+| # | +Requirement | +
|---|---|
| 1 | +PID attestation MUST contain the information required to identify the PID Provider. | +
| 2 | +PID attestation MUST contain the information required to perform a data integrity check. | +
| 3 | +PID attestation MUST contain the information required for verifying the authenticity. | +
| 4 | +PID attestation MUST contain all the information required to perform validity status checks on the attestation. | +
| 5 | +PID attestation MUST include all the information (as an attribute or as any other signed value) required to perform verification of the holder binding by a Relying Party. | +
| 6 | +PID attestation MUST be issued to be presented in accordance with both the data model specified in ISO/IEC 18013-5:2021 and the W3C Verifiable Credentials Data Model 1.1. | +
| 7 | +PID attestation MUST be encoded as CBOR and JSON format. | +
| 8 | +PID attestation MUST enable Selective Disclosure of attributes by using Selective Disclosure for JWTs (SD-JWT) and Mobile Security Object (ISO/IEC 18013-5) scheme accordingly to the data model. | +
| 9 | +PID attestation MUST use signatures and encryptions formats as detailed in JOSE RFCs and COSE RFCs. | +
| 10 | +PID attestation MUST use signature and encryption algorithms in accordance with SOG-IS ACM. | +
Table 3 - Issuing requirements for PID
+The following table defines the requirements applicable to (Q)EAA-s +regarding what information is included in the attestation, such as for +purposes of validity checks, authenticity, validation, policies related +to key management, the data model, and formats.
+(Q)EAA-s can be also issued under requirements applicable for PID.
+Future versions of this text may expand the table to specify +requirements. Note that these requirements are primarily aimed at the +first version of the EUDI Wallet Solution specifications, and that they +may change as the specifications evolve.
+Mobile Driving Licence attestations are further specified in mDL Rule +Book in Annex A.7.
+| # | +Requirement | +
|---|---|
| 1 | +(Q)EAA MUST contain the information required to identify the Provider. | +
| 2 | +(Q)EAA MUST contain the information required to perform a data integrity check. | +
| 3 | +(Q)EAA MUST contain the information required for verifying the authenticity of the (Q)EAA. | +
| 4 | +(Q)EAA MUST contain all the information required to perform validity status checks on the (Q)EAA. | +
| 5 | +(Q)EAA SHOULD include all the information (as an attribute or as any other signed value) required to perform verification of the holder binding by a Relying Party. | +
| 6 | +(Q)EAA MUST be issued in accordance with one of the data model specifications: ISO/IEC 18013-5:2021, W3C Verifiable Credentials Data Model 1.1. | +
| 7 | +**(Q)EAA SHOULD be encoded as one of the following formats: CBOR or JSON accordingly to the data model used for the attestation ** | +
| 8 | +EAA MAY be encoded as JSON-LD, see [JSON-LD]. | +
| 9 | +(Q)EAA SHOULD enable Selective Disclosure of attributes either by using Selective Disclosure for JWTs (SD-JWT) or Mobile Security Object (ISO/IEC 18013-5) scheme accordingly to the data model used for the attestation. | +
| 10 | +(Q)EAA SHOULD use one of the following signature and encryption formats as detailed in: JOSE RFCs, COSE RFCs accordingly to data model used for the attestation. | +
| 11 | +(Q)EAA SHOULD use signature and encryption algorithms in accordance with SOG-IS ACM. | +
| 12 | +(Q)EAA SHOULD be issued accordingly to OpenID4VCI protocol. | +
Table 4 - Issuing requirements for (Q)EAA
+Since version 1.2.0 of this document, the concept of an attestation +rulebook has been introduced. This is designed to compile a set of rules, +guidelines and standards governing the verification, management, and +usage of a specific attestation or group of attestations related to a use +case within the EUDI ecosystem. The primary goal of the rulebooks is to +ensure interoperability, security, privacy, and trust for EUDI Wallet's +attestations (PID and (Q)EAA).
+Common compulsory specifications, rules, and guidelines are outlined in +the architecture and reference framework document, while those specific +to use cases are collated in the attestation's rulebooks. Two such +rulebooks, namely the PID and mDL rulebooks, have currently been included +as annexes to this document.
+The Trust Model describes, for all interactions in the lifecycle of a +EUDI Wallet Instance and an attestation, which trust relationships SHALL +exist between the interacting parties to enable these interactions.
+Moreover, for the 'Attestation releasing' interaction in section 6.3.2, +this version of this document also describes, on a high level, how this +required trust can be established. This description includes references +to existing or draft standards that define detailed security measures.
+The trust model is valid for both remote and proximity use cases. +However, technical measures taken to ensure that the requirements on +trust are fulfilled may differ between these two use cases. Moreover, the +authentication and authorization mechanisms will depend on the +characteristics of the interacting parties.
+Please note:
+Within the EUDI Wallet ecosystem, many interactions take place between +parties in which one party requests another party to release data or +perform a task. For example, a User may ask a Provider to provide a PID +or (Q)EAA to a Wallet, or a Relying Party may ask a User to release a +specific attestation from its EUDI Wallet Instance. To be able to comply +with such requests, these parties SHALL trust each other. This trust +generally requires the existence of the following two conditions:
+This document makes the following assumptions regarding the need for +trust in the EUDI Wallet ecosystem:
+Besides the trust relationships described in this Chapter, other trust +relations SHALL exist as well. For instance, Users, Providers and Relying +Parties SHALL implicitly trust certification bodies, trusted list +providers, vendors, OEMs, operating systems, and app stores. In many +contexts, this trust is primarily be rooted in authority and in +procedural measures, such as public oversight, published security and +operational policies, audits, etc., rather than in technical measures. To +verify that parties are indeed interacting with a trusted authority, +standard technical measures suitable for the context SHALL be used.
+Moreover, besides the need for trust in the authenticity and +authorization of other parties in the ecosystem, parties SHALL also be +able to trust that the communication with such parties is confidential. +Measures to ensure this are not explicitly discussed in this document.
+When a User decides to install an EUDI Wallet Instance on their device, +the following trust relationships SHALL exist:
+The next sections discuss these trust relationships.
+To be done.
+To be done.
+After its' installation, a new EUDI Wallet Instance will need to be +activated by the Wallet Provider. Activation has at least the following +purposes:
+For successful EUDI Wallet Instance activation, the following trust +relations need to exist:
+The next sections discuss these trust relationships.
+To be done.
+To be done.
+Starting from EUDI Wallet Instance activation and throughout its +lifetime, a EUDI Wallet Instance SHALL be managed by the EUDI Wallet +Provider. Management actions could be initiated by the following +entities.
+For this, the following trust relations need to exist:
+The next sections discuss these trust relationships.
+Section 6.2.2.2. describes how a EUDI Wallet Instance can trust a Wallet +Provider.
+Section 6.2.3.3. describes how a EUDI Wallet Provider can trust a Wallet +Instance.
+To be done.
+To be done.
+When a User requests a Provider to issue a PID or (Q)EAA to their EUDI +Wallet Instance, the following trust relationships SHALL exist:
+The next sections discuss these trust relationships.
+To be done.
+To be done.
+To be done.
+When a Relying Party (RP) requests a User to release some attributes from his/her EUDI Wallet Instance, the following trust relationships mustSHALL exist:
+The next sections discuss these trust relationships.
+Please note the following assumptions, which are valid at least for the +current version of this document:
+A Relying Party SHALL be able to verify that the Provider is trusted to +issue the type of attestation in question. For instance, a Provider may +be trusted to issue a diploma, but not a PID, or conversely.
+As part of this verification process, the Relying Party also obtains a +public key of the Provider, which functions as a trust anchor and allows +it to verify the attestation signatures created by the Provider. There +are at least two methods to communicate this public key, using +peer-to-peer communication, or using a trusted list. The public key +itself may be encapsulated, for instance in a X.509 certificate or in an +Entity Statement according to OpenID Federation.
+Peer-to-peer communication of the Provider public key (trust anchor) +means that every Relying Party individually decides to trust each +Provider. The Relying Party then obtains the Provider's public key via a +manual or automated process agreed between the Provider and the Relying +Party, for instance by downloading it from the Provider's website. A +peer-to-peer process has the advantages of flexibility and low overhead. +However, it is hardly scalable and therefore not suitable for +attestations such as PIDs, mDLs, diplomas, or health insurance cards, for +which there many tens to hundreds of different providers in the EU and +thousands of Relying Parties, which moreover do not (necessarily) know +each other. Moreover, a peer-to-peer process assumes that each Relying +Party has sufficient technical knowledge and budget to judge the level of +security of each Provider's systems and processes for, among others, +private key management. This is not realistic for high-value +attestations. A peer-to-peer process may therefore be suitable for +low-value attestations in contexts where Providers and Relying Parties +know each other, for example membership cards or vouchers.
+For more valuable attestations, or for attestations for which Providers +and Relying Parties do not know each other, a trusted list of Providers +is a better solution. This trusted list is provided by a trusted list +provider, which is a central party responsible for (and capable of) +verifying that the level of security of an Providers' systems and +processes is sufficient for the type of attestation it issues, and +comparable to the level of security of other Providers for the same type +of attestation. This may include requiring that a Provider documents +these systems and processes, for example in a certificate policy +complying with EN 319 411, and is audited regularly for compliance to +that policy. The trusted list provider also validates that each Provider +is (legally) allowed to issue the type(s) of attestation it wants to +issue. The trusted list provider documents that in its trusted list, +together with the public key (trust anchor) of each trusted Provider. The +list is signed by the trusted list provider and can be downloaded and +processed by a Relying Party in an automated fashion.
+Please note the following:
+Finally, note that freedom of contract applies to all Relying Parties. +This means that a Relying Party can determine itself which Providers they +want to recognize, except if there is a legal requirement that the +attestations of certain Providers SHALL be accepted. That is generally +the case for PID Providers and QEAA Providers. However, this does not +mean that the above process is not necessary for these providers.
+The following steps are essential for ensuring that the Relying Party +can trust the attestation:
+If and only if all these verifications succeed, the Relying Party can +trust the authenticity of the attestation.
+Regarding the technical implementation of these steps:
+The Relying Party SHALL be able to trust that an attestation it receives was not copied and replayed. In other words, the Relying Party trusts that the attestation is bound to the same device to which the Provider issued it 16.
+The Relying Party can trust that this is the case if the EUDI Wallet Instance signs some contextual information with the private key of the attestation. This information SHALL include a random number generated by the Relying Party. To verify this signature, the Relying Party needs to receive the public key of the attestation, which SHALL be signed (directly or indirectly) by the Provider of the attestation. By signing the public key, the Provider certifies that the public key indeed belongs to the attestation. The Relying Party SHALL additionally verify that the Wallet Instance is in possession of the corresponding private key; the Relying Party does so by verifying the signature over the random number generated by the Relying Party.
+Note that a EUDI Wallet Instance can contain multiple attestations, originating from multiple Providers. For each attestation, the EUDI Wallet Instance has access to an attestation private key, which is stored in the WSCD in (or connected to) the User's device. As discussed in section 6.2.2, the EUDI Wallet Instance also contains a EUDI Wallet Instance private key. Depending on the attestation requested by the 6.3.2.4, the EUDI Wallet Instance SHALL use the correct private key for signing the random number generated by the Relying Party.
+[ISO/IEC 18013-5] specifies a mechanism for this, called mdoc authentication. The EUDI Wallet Instance signs contextual information (called the SessionTranscript), which includes a nonce from the Relying Party, namely its ephemeral public key for session encryption. The standard specifies which algorithms can be used for signing and how the attestation public key is incorporated in the MSO.
+[SD-JWT] similarly specifies how an attestation public key can be incorporated in the JWT.
+To trust these mechanisms, the Relying Party SHALL trust that the security of the attestation private key has not been compromised. This private key is stored in a WSCD, or connected to, the device on which the EUDI Wallet Instance is installed. As discussed in section 6.3.2.1, the Relying Party does not need to perform an independent evaluation of the security of the WSCD, because it trusts the Provider to have done this. However, the Relying Party SHALL verify that the Provider did not revoke the attestation.
+A Relying Party SHALL be able to trust the EUDI Wallet.
+Note: Use cases involving legal representation and similar situations, +which imply that the person presenting is different from the User, but +the same as the person having the legal representation rights, are out of +scope of the current version of the Trust Model and will be explored in +future versions of this document.
+The mechanism(s) for User binding depend on the type of use case:
+To ensure that the User knows and trusts the identity of the Relying +Party, a mechanism for Relying Party authentication mustSHALL be +implemented. In essence, such a mechanism works as follows:
+How this trust relationship is established is described in section 7.6 on Relying Party authorization.
+Throughout its lifetime, an attestation needs to be managed by the +Provider. This means that for the purposes of this Trust Model, +attestation management has similarities to the part of EUDI Wallet +Instance management that involves the EUDI Wallet Provider as the +Provider of a EUDI Wallet Instance attestation, which was already +discussed in section 6.2.3.
+Attestation revocation is a process whereby the Provider of an +attestation declares that Relying Parties SHOULD no longer trust a +particular attestation, even though the attestation is still valid +temporally and contains a valid Provider signature. As described in +section 4.2.4 of [TrustModel], during the process of releasing an +attestation, a Relying Party SHOULD verify that the Provider has not +revoked the attestation. Revocation checking is a process that takes +place after the Relying Party has validated that the validity period of +the attestation has not expired and the signature over the attestation is +correct.
+The Relying Party uses a Relying Party Instance to interact with the +User's Wallet Instance. This includes carrying out attestation revocation +checking.
+When discussing attestation revocation, it is essential to realize that +in many cases there is a difference between an attestation and the +document it represents, for instance a driving license, passport, +recurring medicine prescription, health insurance card, vehicle +registration card, etc. Such a document typically has an administrative +validity period of multiple years. A diploma typically even has no end of +validity at all. In contrast, an attestation is a digital representation +of such a document and has a cryptographic proof of its authenticity with +a validity period that is typically short, for example - several weeks.
+This implies that an attestation Provider will renew the attestation +regularly during the validity period of the document19. Also, an +attestation Provider MAY issue multiple attestations that are +simultaneously valid but represent the same document. For example, a User +MAY have a mobile passport on their private phone and their work phone. +The attestations representing the passport on both phones will be +different, even though they contain the same attributes. The difference +is in the MSO (for ISO-compliant attestation) or SD-JWT + JWS (for SD-JWT +compliant attestation).
+In some cases, this difference is relevant for revocation. For example, +if the above User loses their personal phone, the Provider will probably +revoke the mobile passport on that phone. But the attestations on the +work phone will remain valid, and the User will continue to be able to +use their passport on that phone. On the other hand, if the passport +itself is revoked, then all attestations representing their passport, +across both devices, will be revoked.
+Within the EUDI Wallet ecosystem, an attestation SHALL be revoked if one +of the following conditions occur:
+age_over_18 attribute, and the User has their
+ 18th birthday. The value of the attribute needs to change from False
+ to True.The attestation Provider SHALL analyze whether revocation is required in +these circumstances. Also, the Provider SHALL analyze if there are more +situations in which attestation revocation is required.
+A PID Provider or a (Q)EAA Provider MAY outsource the responsibility of +operating the revocation solution to a third party. However, the Provider +SHALL always remain responsible for triggering the revocation process for +an attestation if needed, and for the correctness of the revocation +information.
+The only party in the EUDI Wallet ecosystem capable of revoking an +attestation SHALL be the attestation Provider. This is important, because +in some use cases, there are third parties that have the (legal) right to +invalidate an attestation. For example, in many jurisdictions the police +are allowed to confiscate a driving license if the User is caught is a +serious traffic violation. Another example is an electronic prescription +for medicines that is valid only once and must not be usable anymore +after the User has received the medicines20 . A third example is when +the attestation Provider and the Authentic Source for that attestation +are different parties. If so, the Authentic Source contains the +authoritative information about whether an attribute value must be +changed, and an attestation revoked or reissued. It must be the +responsibility of attestation Providers to regularly query the authentic +source for changes and reissue or revoke the relevant attestations +accordingly.
+However, third parties that want to invalidate an attestation SHALL use +an out-of-band mechanism to notify the Providers about the attestation +that must be revoked. It is then up to the Provider to revoke the +attestation.
+Comment: In case an attestation Provider is hacked, lost or ceases to +operate permanently for any reason, regular procedures SHALL be initiated +according to the situation. Instead of revoking each attestation that was +issued by that attestation Provider, the Provider itself SHALL be +revoked and taken out from the relevant Trusted List, for example, so +that each time that attestation will be verified, it will fail because +the Providers' anchor of trust was not found in the Trusted List.
+This document assumes that in some circumstances, a Wallet Provider +(perhaps on the initiative of a Member State) will need to revoke a +Wallet Instance. For example:
+As can be seen from these examples, Wallet Instance revocation is more +complicated than attestation revocation, as a Wallet Instance consists of +multiple components that each may fail for different reasons. This +document does not specify a mechanism to be used by a Wallet Provider to +revoke a Wallet Instance, and by a Relying Party to verify if a Wallet +Instance has been revoked. Such a mechanism will be specified in a future +Epic.
+In addition to revocation, there is the concept of suspension of an attestation. The main difference between these concepts is that suspension is reversible, whereas revocation SHALL be irreversible. However, suspension is inherently more complex to manage than revocation. Moreover, in the EUDI Wallet ecosystem, in which issuance of a new attestation to replace a revoked one is typically easy, the advantages of a suspension mechanism are limited. Therefore, a Provider SHOULD NOT suspend any attestation. No mechanisms for suspension of attributes are foreseen in this document.
+A (possible) exception to this rule is that Wallet Providers MAY be able to suspend a Wallet Instance in case the corresponding Wallet Solution is suspended. As described in section 4.2.3, this MAY be a legal requirement. This will be discussed in a future Epic.
+Unless indicated otherwise, all requirements and other statements in this document for a revocation mechanism are applicable for a suspension mechanism as well.
+To be done.
+To be done.
+To be done.
+A mechanism for attestation revocation and revocation checking SHALL comply with the following requirements:
+The concept of an attestation, is in many ways similar to digital +certificates in Public Key Infrastructures (PKI). The experience of +revoking such certificates can therefore be drawn upon. Two main +revocation mechanisms are generally supported in a PKI:
+Apart from these two mechanisms, Attestation Status Lists (ASL) are often +mentioned as a third possible revocation mechanism. The basic idea of an +Attestation Status List is that an attestation Provider, or a trusted +party acting on its behalf, publishes revocation status information for +all of its valid attestations in the form of a bitstring or byte array. +Each attestation is associated with a specific position in the +Attestation Status List. If the binary value of the position in the list +is 1, the associated attestation has status Revoked. If it is 0, it is +Valid. To verify whether a specific attestation has been revoked, a +Relying Party needs to retrieve the Attestation Status List. Therefore, +each attestation contains the URL where the ASL is located. The +attestation also contains an index, which is the position of the bit +associated with the attestation within the Attestation Status List. The +Relying Party then verifies if the value of the bit at the index position +is equal to 0 (Valid) or 1 (Revoked).
+Other approaches to revocation exist. However, these have not been +implemented widely compared to the CRL and OCSP mechanisms described +above, and sometimes require comparatively more advanced cryptography.
+Relying Party Instances and Relying Parties SHALL support the Attestation +Status List mechanism and the Attestation Revocation List mechanism +specified in section 6.3.4.8. Relying Party Instances and Relying Parties +MAY additionally support the Online Attestation Status Protocol specified +in section 6.3.4.8.
+Wallet Instances SHALL support the Attestation Status List mechanism +specified below and the Attestation Revocation List mechanism specified +in section 6.3.4.8. Wallet Instances MAY additionally support the Online +Attestation Status Protocol specified in section 6.3.4.8.
+Wallet Instances and Relying Party instances MAY additionally support +OASP stapling. However, the current version of this document does not +contain a full specification of this mechanism.
+Attestation Providers SHALL support one of the following methods for +attestation revocation:
+Providers MAY additionally support the Online Attestation Status +Protocol. In this case, depending on whether the attestations are +ISO-compliant or SD-JWT-compliant, the Provider SHALL extend the MSO of +its attestations or the Provider SHALL extend the SD-JWT of its +attestations.
+To be done.
+After obtaining an attestation from a Wallet Instance, a Relying Party +Instance SHALL verify the revocation status of the attestation. To do so, +the Relying Party Instance SHALL perform the following steps:
+If none of these methods result in reliable information regarding the +revocation status of the attestation, it is up to the Relying Party to +take a decision on acceptance or refusal of the attestation. A Relying +Party SHALL perform a risk analysis to support this decision and SHALL +consider all relevant factors for the use case.
+The reference architecture represents a set of choices made during the +architecture design process for EUDI Wallet Solutions. These choices were +informed by the need for EUDI Wallet Solutions to support various +scenarios where either the User or the Relying Party, or both, are +offline while providing flexibility for Member States to implement an +EUDI Wallet Solution in various configurations of components
+To limit complexity, the initial EUDI Wallet Solution specifications will +include only a minimum number of solution components that enable the use +of the EUDI Wallet Instance for identification of the User, so that it +can function as an eID means.
+The choices herein are neither a reflection of relative importance nor a +long-term commitment. Instead, the selection was guided by factors such +as the availability and maturity of standards and specifications, an +estimation of ease of adoption, and how much flexibility (in terms of use +cases enabled) is afforded by each solution component.
+The solution components proposed herein evidence the current expectation +of using the ISO/IEC 23220 standard series, once publicly available, for +future ARF versions.
+The following components have been identified as the building blocks of +the EUDI Wallet architecture needed to implement an EUDI Wallet +Solution:
+Cryptographic keys management system. This component is + responsible to manage and store cryptographic information like the + private keys generated for instance during the PID issuance process.
+Attestation exchange Protocol. This protocol defines how to + request and present the PID and the (Q)EAA in a secure and privacy + preserving fashion. The protocol also defines how authentication is + performed between the Relying Party and the EUDI Wallet Instance, in + particular the mechanism through which the Relying Party can request + identification through the EUDI Wallet. The request contains all the + required information about the Relying Party and the requested data. + Trust negotiation and mutual authentication are addressed by this + protocol.
+Issuance Protocol. The protocol defines how PID and (Q)EAA SHOULD + be issued and in which formats.
+Data model. The data model defines and describes the data elements + and how they interact with each other and their properties.
+PID and (Q)EAA schemas. The attestation schema contains the + structure and the logical organisation of the data that define the + properties of the attestation, the attributes of the User. The + attestation schema also contains additional information including, but + not limited to, the verification mechanisms, the underlying identity + assurance, and Trust Framework to which the properties are related, + and the proof of possession by the legitimate User.
+PID and (Q)EAA formats. PID and (Q)EAA formats are used to + represent the characteristic, quality, right or permission of a + natural or legal person or of an object, in the form of signed and + verifiable digital artifacts, containing any additional properties for + interoperability purposes.
+Signature formats. Technical implementation of one or more + mathematical methods in the form of a digital artifact, aimed at + demonstrating the authenticity of a digital document, its integrity, + authenticating the author of a document and optionally also its + recipient (audience of the document).
+Trust Model. Collection of rules that ensure the legitimacy of the + components and the entities involved in the EUDI Wallet + infrastructure, covering:
+++Trust Model components enable the identification of the entities that +rely on the EUDI Wallet and are instrumental for the authenticity, +confidentiality, integrity, and non-repudiation of the information. +Different Trust Models are available based on different rules.
+Trusted List is a mechanism under a Trust Model to publish and obtain +information about authoritative parties, e.g., Providers of PID, (Q)EAA +and Relying Parties.
+
Cryptographic suites and mechanisms. Algorithms and methods that + secure the data exchange in terms of confidentiality and integrity.
+Entity identifiers. Unique identifiers for all the elements of the + data model.
+Validity status check. Mechanism to publish and obtain information + about validity status of, inter alia, PID, (Q)EAA, certificate, etc.
+Where an EUDI Wallet Solution has an application running on a mobile +device, there may be a need for additional trusted components which are +not part of that application but are nevertheless logically part of the +EUDI Wallet. Such a need may arise for various reasons:
+These trusted components may be: external trusted storage, external or +embedded trusted hardware or other remote EUDI Wallets components. Below +is a conceptual representation of variations in implementing the EUDI +Wallet components:
+
Figure 6: EUDI Wallet logical architecture
+The table below maps the EUDI Wallet components with the conceptual +model in Figure 6 above.
+|
+ Functional block in the conceptual model + |
+
+ Applicable EUDI Wallet Solution components + |
+
|
+ EUDI Wallet Secure Cryptographic Device (WSCD) + |
+
+ User Keys & Certificates + |
+
|
+ Secure and isolated environment for keys and data + |
+|
|
+ Cryptographic algorithms (e.g., symmetric, asymmetric key derivation, +hash functions, random number generation) and protocols (e.g., ECDH, +TLS). + |
+|
|
+ HW-defined secure environment for keys and data: a secure Elements +(SE), Trusted Execution Environments (TEEs), Hardware Security Module +(HSM) etc. (remote or local) + |
+|
|
+ Authentication data (PIN, biometrics) + |
+|
|
+ EUDI Wallet Data Storage Components + |
+|
|
+ User unique identifier(as persistent as possible in time) + |
+|
|
+ User attributes + |
+|
|
+ User personal data and attributes + |
+|
|
+ Secure environment for keys and data + |
+|
|
+ EUDI Wallet "PID/EAA Presentation" Creation Application (WCA) + |
+
+ Logs, history of EUDI Wallet Instance operations, telemetry + |
+
|
+ EUDI Wallet Instance application identifier (e.g., configuration, +manufacturer, and version) + |
+|
|
+ Internal EUDI Wallet Instance interfaces (e.g., between storage, +components, encryption) + |
+|
|
+ EUDI Wallet Driving Application (WDA) + |
+
+ Logs, history of EUDI Wallet Instance operations, telemetry + |
+
|
+ EUDI Wallet Instance application identifier (e.g., configuration, +manufacturer, and version) + |
+|
|
+ EUDI Wallet User interface + |
+|
|
+ Relying Party interface + |
+
+ EUDI Wallet interface to (Q)TSP, (Q)EAA providers, Member States +Infrastructures, National e-ID, Relying Parties, and other sources of +EEAs +Communication channels (online/offline) between the EUDI Wallet and +other parties + |
+
Table 5 - Mapping between EUDI Wallet components and conceptual model +functional blocks
+The table below maps the EUDI Wallet components to the two perimeters +represented in Figure 6.
+| Perimeters | +Applicable EUDI Wallet Solution Components | +
| Potential trusted components perimeters | +
+ Device Information (type, configuration, firmware version, status, +etc) + |
+
|
+ System Keys & Certificates + |
+|
|
+ Back-end systems (Database servers) + |
+|
|
+ Trusted Connected devices + |
+|
| Potential mobile perimeter | +
+ Device Information (type, configuration, firmware version, status, +etc) + |
+
|
+ Smartphone sensors: camera, NFC reader, fingerprint sensor, +accelerometer etc. + |
+
Table 6: mapping of the EUDI Wallet components to perimeters
+
Figure 7. EUDI Wallet configurations.
+This section describes the four types of flows that the EUDI Wallet SHALL +support on a general level. The four flows are as follows:
+Flows 1 and 2 are related to a scenario where the EUDI Wallet User is +physically close to a Relying Party and the attestation exchange and +disclosure (PID and/or QEAA) happens using proximity protocols (NFC, +Bluetooth, QR-Code, etc.), without the User having internet connectivity +(note that this does not imply that any other function aside from +transport is possible offline). The two proximity flows differ in one +important way. In the supervised flow, the EUDI Wallet presents +verifiable attributes to, or under supervision of, a human acting as a +Relying Party (who may operate a device of their own). In the +unsupervised flow, the EUDI Wallet presents verifiable attributes to a +machine without human supervision.
+Flows 3 and 4 are related to a scenario where data exchange happens over +the Internet. The two remote flows differ in one important way. In the +remote cross-device flow, the EUDI Wallet User consumes information from +the service on another device than the EUDI Wallet device, which is only +used to secure the session (for instance using the EUDI Wallet to scan a +QR code on a login page to access a bank account on their web browser). +In contrast, in the remote same-device flow, the EUDI Wallet User uses +the EUDI Wallet device both for securing the session and to consume the +information from the service.
+The User journeys will rely on at least one, and likely a combination, +of the above described four flows. Note that the four flows can be +implemented in multiple ways. The specific implementations are outside +the scope of this text.
+Further consideration is particularly warranted with regards to the two +proximity flows as these are possible with or without internet +connectivity. Possible scenarios include:
+For all the flows described above and specifically for the proximity +unsupervised flow the User authorization is a prerequisite for data +exchange.
+The initial PID and EAA configurations are detailed next (configurations +may be added as required in the future).
+To perform Relying Party authentication, the Wallet Instance needs to +check and validate the module entity with which it communicates, which is +called a "Relying Party Instance". There could be multiple Relying Party +Instances for each Relying Party. Let's take for example a Relying Party +called the "Traffic Police", which is represented by numerous policemen +stationed along the highways and in the cities, each policeman carrying a +hand-held Relying Party device and a suitable application, that has the +capability to authenticate the Traffic Police to a User holding a Wallet +Instance and an mDL stored inside it. The concept of a Relying Party +Instance is readily understood in this proximity scenario.
+The same could be visualized for the remote scenarios. Let's take for +example the Tax Authority as a Relying Party that wants to communicate +with Wallet Instances. To do so, the Tax Authority needs a software +module that is capable of sending ISO-compliant or SD-JWT-compliant +requests to Wallet Instances, and to receive (and possibly process) the +responses. The Tax Authority can have one Relying Party Instance for all +of its activities, or alternatively, it can decide to have several +Relying Party Instances, for separate operational purposes. For example, +it could have separate Relying Party Instances for different geographical +regions, or one Relying Party Instance for natural persons' Wallet +Instances and a separate Relying Party Instance for legal persons' Wallet +Instances. In each use case, a User will authenticate the relevant +Relying Party Instance that has contacted him during the session.
+When a Relying Party requests a User to release some attributes from +their Wallet Instance, the User SHALL be able to trust that they are +dealing with an identified and authenticated Relying Party. Additionally, +the User SHALL be able to trust that the request from the Relying party +was not copied and replayed.
+To allow this, the following is required:
+Note: This requirement was discussed and there were different opinions +about the need to authenticate the Relying Party in each of the scenarios +– proximity or remote. The goal of this requirement is to secure the +users of the EUDI wallets in any transaction they are involved in, from +any risk of false authentication - without exceptions.
+Note: This recommendation stems from realizing that strict requirements +to use HSMs for all relying parties will not be practical to enforce and +will limit the usage of the wallets in cases where this high-level +security is not necessary.
+In essence, a Relying Party authentication mechanism works as follows:
+Below is a high-level sequence diagram for Relying Party Authentication, +independent of the protocol beneath for retrieving the attestations;
+
+Figure 8. High-level sequence diagram for Relying Party Authentication
Section 7.5.8 specifies in detail how Relying Party authentication SHALL be implemented by ISO-compliant Wallet Instances and Relying Party Instances. Section 7.5.9 describes the same for SD-JWT-compliant Wallet Instances and Relying Party Instances.
+As explained above, for the authentication process, each Relying Party +Instance SHALL have a unique Relying Party Instance certificate. This +certificate SHALL be signed (directly or indirectly) by a Relying Party +root Certificate Authority.
+To obtain certificates for its Relying Party Instances, each Relying +Party SHALL therefore register itself and after going through this +process successfully, a registered Relying Party SHALL obtain the Relying +Party Instance certificates it needs for all of its Relying Party +Instances.
+During the authentication of a Relying Party Instance, it is necessary to +validate the certificate of that Relying Party Instance, and the whole +chain of trust up to the anchor of trust.
+Within the EUDI Wallet ecosystem, Relying Party Instance certificates +SHALL be signed by a Certification Authority. Each CA in the trust chain +SHALL employ operational and security practices that are sufficient to +guarantee the trustworthiness of the certificates it issues. Each CA +SHALL document these operational and security practices in a Certificate +Policy complying with [EN 319 411].
+This section outlines a risk analysis for each failure reason and proposes an action for the Wallet Instance. If Relying Party authentication fails for any reason, the Wallet Instance SHALL NOT release the requested attributes to the Relying Party when failures listed below occur.
+There are quite a few reasons for which a Relying Party authentication mechanism as described in section 7.5.2 can fail or indicate a MITM attack. This document categorizes these reasons in the following manner:
+| No. | +Reason for failure | +Associated risk | +
|---|---|---|
| 1 | +The Relying Party request does not contain a signature created by the Relying Party Instance. | +If the request does not contain a Relying Party Instance signature, most probably the Relying Party did not yet register itself and the Relying Party Instance does have a Relying Party Instance key pair and/or an associated Relying Party Instance certificate. This does not imply that the Relying Party is untrustworthy. In fact, it will probably take a long time after the start of the EUDI Wallet ecosystem before most Relying Parties are registered, and we may never reach a point where 100% of all Relying Parties are registered. If this error occurs, the Wallet Instance SHALL NOT release any attributes to the Relying Party. | +
| 2 | +The Relying Party signature is wrong. | +In this case, the Relying Party Instance signed the wrong data, for example data that does not represent the requested attributes. Alternatively, to create the signature, the Relying Party Instance used a private key not corresponding to the public key in the Relying Party Instance certificate. In both cases, there is a real risk that a Man-In-The-Middle attack is going on or that a fake Relying Party Instance attempts to use another Relying Party certificate. If this error occurs, the Wallet Instance SHALL NOT release any attributes to the Relying Party. | +
| 3 | +The signature over the Relying Party Instance certificate (or any of the other CA certificates in the trust chain) is wrong. | +If the signature over the Relying Party Instance certificate or any of the other CA certificates in the trust chain is wrong, there is a real risk that the Relying Party attempted to create its own (fake) certificate or other CA. If this error occurs, the Wallet Instance SHALL NOT release any attributes to the Relying Party. | +
| 4 | +The Wallet Instance does not contain the trust anchor indicated in the Relying Party Instance certificate (or in a higher-level CA certificate, if a multiple-level PKI is used). | +If the Wallet Instance does not contain the trust anchor indicated in the certificate, several things can have gone wrong. Perhaps the Relying Party authentication CA changed its key pair recently, and the Wallet Instance did not update its trust anchors yet. However, there is also a possibility that the Relying Party attempted to create its own fake CA. Therefore, if this error occurs, the Wallet Instance SHOULD attempt to update its trust anchors. If that is not possible, or the problem persists, the Wallet Instance SHALL NOT release any attributes to the Relying Party. | +
| 5 | +The Relying Party Instance certificate (or any of the other CA certificates in the trust chain) has expired. | +If the Relying Party Instance certificate, or any of the other CA certificates in the trust chain has expired, the problem is most likely due to an omission by the Relying Party to timely update its certificates. This does not imply that the Relying Party is untrustworthy, but the Wallet Instance SHALL NOT release any attributes to the Relying Party. | +
| 6 | +The Relying Party Instance certificate (or any of the other CA certificates in the trust chain) has been revoked. | +If the Relying Party Instance certificate or any of the other CA certificates in the trust chain, has been revoked, this means that the issuer of that certificate has concluded that the certificate cannot be trusted anymore and has actively taken measures to prevent that Wallet Instances from using this certificate. If this error occurs, the Wallet Instance SHALL NOT release any attributes to the Relying Party. | +
Note: A more detailed risk analysis may be performed on this section if +deemed necessary.
+To be done.
+The Wallet Instance SHALL inform the User about the outcome of Relying +Party authentication. This document does not contain detailed guidance +for how the Wallet Instance must do this. However, it requires that,
+Additionally, if Relying Party authentication fails, the Wallet Instance +MAY inform the User about the reason for failure
+Relying Party Instances interacting with an ISO/IEC 18013-5-compliant +Wallet Instance SHALL implement the general Relying Party authentication +mechanism outlined in section 7.5.2 as follows:
+The Relying Party Instance certificate format SHALL comply with the +requirements for mdoc reader authentication certificates in Appendix +B.1.7 of [ISO/IEC18013-5], with the following exceptions:
+The Relying Party authentication root CA certificate format SHALL comply +with the requirements for Issuing Authority CA certificates in Appendix +B.1.2 of [ISO/IEC18013-5], with the following exceptions:
+To be done.
+There is a risk that relying parties may over-ask, i.e., ask a Wallet +instance for more attributes than the Relying Party reasonably needs for +its use case. This is obviously a risk for the privacy of the user, and +this risk must be mitigated. At least three approaches can in principle +be used to protect the user against over-asking: the user approval +mechanism discussed in Chapter 4, technical measures in the Wallet +Instance, and legal and organizational measures on Member State or EU +level.
+User Approval protects against over-asking by allowing the User to refuse +sharing attributes that they deem unnecessary for the specific use case +and the specific Relying Party they are dealing with.
+User approval SHALL be implemented in all use cases.
+However, User Approval has some limitations that MAY make it +insufficiently effective in preventing Relying Parties from over-asking, +as described below:
+In this document the term 'User approval' exclusively refers to a User's +decision to release an attribute to the Relying Party requesting it. +Under no circumstances User approval to releasing data from their EUDI +Wallet Instance SHOULD be construed as lawful grounds for the processing +of personal data by the Relying Party or any other party. Relying Party +or any party requesting or processing personal data from a EUDI Wallet +Instance SHALL ensure that they have grounds for lawful processing that +data, according to Article 6 of the GDPR.
+User approval refers to a decision by a User to release one or more +attributes to a Relying Party that is requesting these attributes. This +document requires the following:
+These requirements are explained in more detail in the next subsections. +This document does not specify any further details on how Wallet +Providers SHALL implement a User's approval mechanism.
+A Wallet Instance SHALL always ask the User to give approval for any +attribute released. This goes for any use case, both in proximity and +remote, and including:
+This principle is a basic protection of the User's privacy. It also +ensures a consistent User experience. Moreover, this principle means that +the level of control Users have over their attributes is not less than in +the existing 'plastic-card based' situation. That is, a User SHALL always +be able to refuse presenting an attribute that is requested by a Relying +Party, even when knowing that the consequence of that refusal may have +negative consequences for the User.
+Note: Attributes that the Relying Party intends to store is regulated +GDPR. This feature is seen as preference known in ISO as "intent to +retain" and is included in the ARF as "privacy by design" element.
+A Wallet Instance SHALL authenticate the User before allowing the User to +approve the request. This means that the Wallet Instance SHALL verify +that the person handling the Wallet Instance and approves the request is +the User, i.e., the person to whom the attributes in the attestation +apply. If this is not the case, then the person handling the Wallet +Instance is legally not allowed to approve to release the attributes.
+Note that this requirement is slightly different from the requirement of +User binding discussed in section 6.3.2.5 of [TrustModel]. In some use +cases, for example in attended proximity use cases, the Relying Party can +use a portrait of the User to do User binding, if that portrait is issued +as an attribute in an attestation. Obviously, this is not a possibility +for a Wallet Instance.
+Wallet Instances therefore have no choice but to trust the User +authentication mechanisms present on or connected to the device on which +the Wallet Instance is installed. The discussions in the third bullet of +section 6.3.2.5 therefore apply for User authentication by the Wallet +Instance as well.
+Note that use cases in which the User and the subject of the attributes +are two different persons, such as when somebody has power of attorney or +custodianship, are out of scope of this version of this document.
+Member States, according to Article 6c (3) of the proposal, SHALL +designate accredited CABs which will oversee carrying out conformity +assessment of EUDI Wallets Solutions. This designation process should be +harmonised between Member States.
+Once this designation has been made, Member States SHALL communicate to +the European Commission the names and addresses of these public or +private bodies under Article 6c(5) of the proposal.
+EUDI Wallet Provider SHALL request (select, contract) one or more +designated CABs to assess and certify the conformity of their EUDI Wallet +Solution against the requirements of the eIDAS Regulation.
+EUDI Wallet certification is conducted by the CAB to evaluate and certify +the conformity of the EUDI Wallet Solution (target of the certification) +against normative document(s) which will be the Art. 6a(11) implementing +act(s) on technical and operational specifications and reference +standards. The EUDI Wallet SHALL be certified to ensure conformity +assessments but also security robustness assessment of conformance to a +high level of security.
+The use of a cybersecurity certification scheme should bring a harmonised +level of trust in the security of EUDI Wallet Solution. The secure +storage of cryptographic material is expected to become subject to +cybersecurity certification too.
+The Certification process of EUDI Wallet Providers should leverage, rely +on, and mandate the use of relevant and existing Cybersecurity Act +certification schemes, or parts thereof, to certify the compliance of +wallets, or parts thereof, with the applicable cybersecurity +requirements.
+This document and the backlog items are made publicly available at +the EU Digital Identity Wallet repository in GitHub, where it will be regularly updated according to the workflow described +in Chapter 9.2.
+ +To ensure steady and fast progress on elaborating and updating this +document, the following process and work methodology is applied.
+The eIDAS Expert Group SHOULD maintain a backlog, which is a prioritised +list of work items to complete the ARF. The backlog will be updated based +on feedback from the eIDAS Expert Group, LSPs, the Commission or other +stakeholders such as international standardisation organisations. For +instance, feedback from the development of the reference implementation +of an EUDI Wallet and ensuing drafts of detailed technical specifications +may prompt new work items.
+The European Commission (DG CONNECT) will organise the work on the +backlog items and will facilitate that work is progressing according to +the expected timeline.
+The eIDAS Expert Group will regularly discuss and compare different +proposals regarding technical solutions, recommendations and requirements +related to the relevant backlog issue with a view of updating the ARF. +The eIDAS Expert Group SHALL in this regard maintain a list of +Architecture Decision Records (ADRs), so that it is possible to keep +track of and understand the motivation behind technical decisions +described in the ARF.
+Any changes and/or updates to this document SHALL be agreed by the eIDAS +Expert Group. The eIDAS Expert Group will convene in regular meetings, +with the objective to discuss and approve new release of this document, +as well as updating the development backlog.
+This document will be aligned to the outcome of the legislative +negotiations of the proposal for a European Digital Identity Framework +with updates being made accordingly.
+To avoid interoperability issues and changes to the ARF going unnoticed, +version control system and the following semantic versioning scheme will +be used for the ARF.
+The ARF document will have a given version number following the format +MAJOR.MINOR.PATCH, where:
+MAJOR version is incremented (i.e., new version), when the ARF +document has undergone significant changes, for example introducing some +breaking changes in the architecture,
+MINOR version is incremented when new information has been added to +the document or information has been removed from the document, and
+PATCH version is incremented when minor changes have been made +(e.g., fixing typos).
+[2015/1505] COMMISSION IMPLEMENTING DECISION (EU) 2015/1505 +of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market
+[RFC 2119] RFC 2119 - Key words for use in RFCs to Indicate Requirement Levels, S. Bradner, March 1997
+[Key words for use in ARF to indicate requirement levels] +https://www.rfc-editor.org/rfc/rfc2119
+[ISO/IEC 18013-5] https://www.iso.org/standard/69084.html
+[ISO/IEC AWI TS 23220-4] https://www.iso.org/standard/79126.html
+[W3C-VC-DATA-MODEL] Sporny, M., Noble, G., Longley, D., Burnett, D. +C., Zundel, B., and D. Chadwick, "Verifiable Credentials Data Model +1.0", 19 November 2019, \<https://www.w3.org/TR/vc-data-model>.
+[OpenID4VP] Terbu, O., Lodderstedt, T., Yasuda, K., Lemmon, A., and T. +Looker, "OpenID for Verifiable Presentations", 30 December 2022, +https://openid.net/specs/openid-4-verifiable-presentations-1_0.html
+[OpenID4VCI] Lodderstedt, T., Yasuda, K., and T. Looker, OpenID for Verifiable Presentations – draft 18, 21 April 202323 Retrievable from OpenID for Verifiable Credential Issuance - draft 12
+[Prop_eIDAS] COM(2021) 281 final
+[SIOPv2] K. Yasuda, T. Lodderstedt, M. Jones, "Self-Issued OpenID Provider V2", 1 January 2023, https://openid.net/specs/openid-connect-self-issued-v2-1_0.html
+[DP_Revoc] eIDAS Expert Group WG1 Discussion Paper Revocation for PID and (Q)EAA, v.1.0
+[SD-JWT] Selective Disclosure for JWTs (SD-JWT) draft-ietf-oauth-selective-disclosure-jwt 04, 11 April 202324
+[W3C StatusList2021] https://w3c-ccg.github.io/vc-status-list-2021/
+[COSE] RFC9052 https://www.rfc-editor.org/rfc/rfc9052,
+RFC9053 https://www.rfc-editor.org/rfc/rfc9053
[JOSE] RFC7515 https://www.rfc-editor.org/rfc/rfc7515.html,
+RFC7516 https://www.rfc-editor.org/rfc/rfc7516.html,
+RFC7517 https://www.rfc-editor.org/rfc/rfc7517.html,
+RFC7518 https://www.rfc-editor.org/rfc/rfc7518.html
[SOG-IS] Agreed Cryptographic Mechanisms v1.2 +https://www.sogis.eu/documents/cc/crypto/SOGIS-Agreed-Cryptographic-Mechanisms-1.2.pdf
+[JSON-LD] JSON-LD 1.1 Manu Sporny, Dave Longley, Gregg Kellogg, Markus +Lanthaler, Pierre-Antoine Champin, Niklas Lindström, +https://www.w3.org/TR/json-ld/
+The service blueprint about initialisation and activation of the Wallet +is described in the attached file:
+ +The service blueprint about online identification and authentication for +the Wallet is described in the attached file:
+ +The service blueprint about issuing mDL is described in the attached +file:
+ +The service blueprint about presenting mDL (proximity-supervised) is +described in the attached file:
+ +The service blueprint about presenting mDL (proximity-unsupervised) is +described in the attached file: +* Annex 05 – EUDI Wallet – presenting mDL (proximity-unsupervised).pdf
+The PID attribute schema, indicative EUDI Wallet Instance Attestation +and Trust Infrastructure details are further detailed in the attached +file: +* Annex 06 – EUDI Wallet – PID rulebook.pdf
+The mDL attribute schema is further detailed in the attached file: +* Annex 07 – EUDI Wallet – mDL rulebook.pdf
+A first iteration of an EUDI Wallet Design Guide can be found in the attached file: +* Annex 08 – EUDI Wallet Design Guide.pdf
+The date of adoption by the eIDAS Expert Group. ↩
+COMMISSION RECOMMENDATION (EU) C(2021) 3968 final of 3 June 2021 on +a common Union Toolbox for a coordinated approach towards a European +Digital Identity Framework, OJ L 210/51, 14.6.2021 ↩
+All references in the document to the revision of the eIDAS +regulation are to be understood as a reference to the Commission's +proposal of 3 June 2021, unless otherwise indicated. Proposal for a +REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending +Regulation (EU) No 910/2014 as regards establishing a framework for a +European Digital Identity, COM(2021) 281 final, 3.6.2021 ↩
+https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupID=3032 ↩
+https://futurium.ec.europa.eu/en/digital-identity/toolbox/architecture-and-reference-framework-outline ↩
+All references in the document to the revision of the eIDAS +Regulation are to be understood as a reference to the Commission's +proposal of 3 June 2021, unless otherwise indicated. ↩
+"OASIS Trust," [Online]. Available: http://docs.oasis-open.org/ws-sx/ws-trust/v1.4/ws-trust.html. ↩
+Regarding registration of Relying Pary entities, please refer to +epic 27 that deals with Relying Party Registry. Also, under no +circumstances, Police Relying Party Instances should not be open to +the general public ↩
+Communication from the Commission to the European Parliament, the +Council, the European Economic and Social Committee and the +Committee of the Regions on a Retail Payments Strategy for the EU +COM/2020/592 final. ↩
+Without prejudice to the actual mechanism of how the information +is provided, including whether directly or indirectly. ↩
+Further precisions to the specifics about how the trusted lists +could be implemented will be brought later. ↩
+Article 6c (3) ↩
+Regulation (EC) No 765/2008 of the European Parliament and of the +Council of 9 July 2008 setting out the requirements for +accreditation and market surveillance relating to the marketing of +products and repealing Regulation (EEC) No 339/93 ↩
+Commission Implementing Regulation (EU)2015/1501 of 8 September +2015 on the interoperability framework pursuant to Article 12(8) of +Regulation (EU) No 910/2014 of the European Parliament and of the Council +on electronic identification and trust services for electronic +transactions in the internal market. ↩
+Please note that work on further specifying the EUDI Wallet +Instance Attestation is planned to be carried out. This section may +need to be revised depending on the results of that work. For +instance, EUDI Wallet Instance Attestation may not be issued in all +cases nor are alternative possibilities excluded from consideration. ↩
+The ARF implicitly requires device binding for the Wallet Instance +(by requiring support for ISO/IEC 18013-5 and SD-JWT) ↩
+Preferably the same Issuer that also signed the other attributes +that were released. However, the combined presentation of attributes +originating from different attestations will be further detailed in +a future version of this document. ↩
+Note that this implies that Relying Parties SHALL also trust +device binding, see section 6.2.3.4. The Relying Party trusts that +the attestation is bound to a device trusted by the Provider, and +subsequently trusts that this device has properly authenticated the +User. ↩
+A PID MAY be an exception: because the concept of a PID is new, it +is not known yet what validity period PID Providers will use for +their PIDs, and if there will be a difference between the +administrative validity period as seen by the User and the +cryptographic validity period of the attestation. ↩
+In this case, an alternative to revocation is that the pharmacy +backend marks the prescription as used, and all pharmacies check that +backend before handing out the medicines. This goes in fact for any +attestation: if there is a backend system that allows Relying Parties +to verify whether the attestation is still usable, then revocation is +not needed. However, we cannot assume that such a backend system +exists for all attestations that can be ‘consumed’, i.e., that must +become unusable once they have been used. ↩
+The current version of [JWTStatusList] does not explicitly +describe such a procedure. The EC will point out to the authors that +this should be added. ↩
+Please note that the term "certificate" does not mean only X.509 +certificates, but it includes also other formats of certificates, +such as in Distributed Ledgers. ↩
+The exact version to be referenced is to be determined. [ARF] +references v0.14 of 30 December 2022. Draft 18 is the latest version +available at the time of writing of this document. The level of +interoperability between these versions is not known. As [OpenID4VP] +is still under development, presumably later versions will become +available over time. ↩
+The exact version to be referenced is to be determined. Draft 18 +the latest version available at the time of writing of this document. +The level of interoperability between these versions is not known. As +[SD-JWT] is still under development, presumably later versions may +become available over time. ↩
+