The European Digital Identity Architecture and Reference Framework (the "Framework") is the most recent document to be released, following the recent call for proposals for digital identity pilots and infrastructure. Together these steps form a planned and determined drive towards secure digital identification for all European citizens, one that may well set the benchmark for the rest of the world.
The Framework can be found here: European Digital Identity Architecture and Reference Framework – Outline.
You can read an introduction to eIDAS 2.0 in our previous article.
Roles in the EUDI Wallet Ecosystem
The illustration below sets out a possible architecture for the future EUDI Wallet ecosystem and details the various roles and process flows:
The potential roles are:
1. End Users of EUDI Wallets
End users are defined as natural or legal persons who will use the wallet to send, receive, store and share attestations and personal attributes about themselves, which would then be used to prove their identity.
End users would also be able to produce qualified electronic signatures and seals (QES) using the EUDI Wallet.
2. EUDI Wallet Issuers
EUDI Wallet Issuers are Member States, or organisations mandated or recognised by Member States, that make the EUDI Wallet available to end users. The terms and conditions of the mandate or recognition would be determined by each Member State.
3. Person Identification Data (PID) Providers
PID providers would verify the identity of the EUDI Wallet user, maintain an interface for securely provisioning PID into the EUDI Wallet, and make information available so that relying parties can verify the validity of the PID, without the PID provider receiving any information about how the PID is used.
4. Providers of registries of trusted sources
The status of an entity in the EUDI Wallet ecosystem may need to be verified against a trusted registry. Such entities may be:
- EUDI Wallet issuers
- Person Identification Data Providers
- Qualified electronic attestation of attributes (QEAA) providers
- Qualified certificate for electronic signature/seal providers
- Relying parties
- Non-qualified electronic attestation of attributes (EAA) providers
- Non-qualified certificate for electronic signature/seal providers
- Providers of other trust services
- Catalogue of attributes and schemes for the attestations of attribute providers
5. Qualified electronic attestation of attributes (QEAA) providers
Qualified EAA would be provided by qualified trust service providers (QTSPs). QEAA providers would maintain an interface for requesting and providing QEAA, including a mutual authentication interface with EUDI Wallets and potentially an interface towards authentic sources for verifying attributes.
6. Non-qualified electronic attestation of attributes (EAA) providers
Non-qualified EAA can be provided by any trust service provider. While such providers would be supervised under eIDAS, it can be assumed that legal or contractual frameworks other than eIDAS would mostly govern the rules for the provision, use and recognition of EAA.
7. Qualified and non-qualified certificate for electronic signature/seal providers
The EUDI Wallet is required to enable the user to sign by means of qualified electronic signatures or seals. This can be achieved in two ways:
- The EUDI Wallet itself includes a qualified signature/seal creation device (QSCD), or
- The EUDI Wallet acts as a secure authentication tool for a local or remote QSCD managed by a QTSP.
The EUDI Wallet may also enable the user to sign by means of non-qualified signatures or seals.
8. Providers of other trust services
Providers of other qualified or non-qualified trust services, such as timestamping, may also interact with the EUDI Wallet.
9. Authentic sources
Authentic sources would be the public or private repositories or systems that are recognised, or required by law to be recognised, by relying parties as holding attributes about a natural or legal person. Authentic sources provide attributes such as address, age, gender, civil status, family composition, nationality, education and training qualifications, titles and licenses, professional qualifications, titles and licenses, public permits and licenses, and financial and company data.
10. Relying parties
Relying parties are natural or legal persons that rely upon an electronic identification or a trust service. Relying parties would need to maintain an interface with the EUDI Wallet in order to request attestations with mutual authentication. Relying parties are responsible for carrying out the procedure for authenticating the attestations they receive from the EUDI Wallet, i.e. confirming that each attestation comes from a trusted issuer, is intact, and is still valid.
11. Conformity assessment bodies (CAB)
EUDI Wallets would have to be certified by accredited public or private bodies designated by Member States. QTSPs must also be audited regularly by Conformity Assessment Bodies (CABs).
12. Supervisory bodies
Member States shall notify the Commission of their supervisory bodies. These bodies supervise QTSPs and take action, where necessary, in relation to non-qualified trust service providers.
13. Device manufacturers and related subsystems providers
EUDI Wallets will have a number of interfaces with the devices they run on. These may serve purposes such as local storage; online Internet access; sensors such as smartphone cameras, IR sensors and microphones; offline communication channels such as Bluetooth Low Energy (BLE), Wi-Fi Aware and Near Field Communication (NFC); and emitters such as screens, flashlights and speakers.
14. Catalogue of attributes and schemes for the attestations of attribute providers
Providers of QEAA and EAA may publish relevant information about the attestations they provide. This would enable other entities, such as relying parties, to discover which attributes and schemes are provided, how to validate and verify them, and how to differentiate between types of qualified electronic attestations of attributes.
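The roles above describe one verification chain from the relying party's side: the registry of trusted sources (role 4) says which issuers are trusted, the PID and (Q)EAA providers (roles 3, 5 and 6) sign attestations and publish validity information without learning where an attestation is used, and the relying party (role 10) authenticates what it receives. The following Go program is an added illustration of that chain and is not code from the Framework, from the Commission or from Utimaco. It assumes a simplified model of its own: an issuer signs a JSON attestation with Ed25519, the registry is a map from issuer identifier to public key, and validity is published as a whole status list that the verifier downloads, so the issuer never sees which attestation is being checked. All identifiers, keys and attribute values are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Attestation is a minimal electronic attestation of attributes: the issuer
// vouching for it, the attributes asserted, and the slot the attestation
// occupies in the issuer's published status list. (Field names are this
// example's own, not the Framework's.)
type Attestation struct {
	Issuer      string            `json:"issuer"`
	Attributes  map[string]string `json:"attributes"`
	StatusIndex int               `json:"status_index"`
}

// SignedAttestation holds the exact bytes the issuer signed plus the signature.
type SignedAttestation struct {
	Payload   []byte
	Signature []byte
}

// TrustRegistry stands in for a registry of trusted sources: issuer
// identifier -> public key the relying party accepts for that issuer.
type TrustRegistry map[string]ed25519.PublicKey

// StatusList is an issuer-published revocation list, one flag per slot. The
// relying party fetches the whole list, so the issuer learns nothing about
// which attestation was presented to whom.
type StatusList []bool

var (
	ErrUnknownIssuer = errors.New("issuer not in trust registry")
	ErrBadSignature  = errors.New("signature does not verify")
	ErrStatusUnknown = errors.New("status index outside published list")
	ErrRevoked       = errors.New("attestation revoked")
)

// Issue serialises the attestation and signs the serialised bytes.
func Issue(priv ed25519.PrivateKey, att Attestation) (SignedAttestation, error) {
	payload, err := json.Marshal(att)
	if err != nil {
		return SignedAttestation{}, err
	}
	return SignedAttestation{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// Verify is the relying party's authentication procedure: find the issuer,
// look it up in the registry, verify the signature over the exact signed
// bytes with the registered key, then consult the status list. Attributes
// are returned only when every check passes.
func Verify(reg TrustRegistry, status map[string]StatusList, sa SignedAttestation) (Attestation, error) {
	var att Attestation
	if err := json.Unmarshal(sa.Payload, &att); err != nil {
		return Attestation{}, err
	}
	pub, ok := reg[att.Issuer]
	if !ok {
		return Attestation{}, ErrUnknownIssuer
	}
	if !ed25519.Verify(pub, sa.Payload, sa.Signature) {
		return Attestation{}, ErrBadSignature
	}
	list := status[att.Issuer]
	if att.StatusIndex < 0 || att.StatusIndex >= len(list) {
		return Attestation{}, ErrStatusUnknown
	}
	if list[att.StatusIndex] {
		return Attestation{}, ErrRevoked
	}
	return att, nil
}

// Scenario builds a constructed ecosystem (keys generated on the fly, one
// registered QEAA provider and one unregistered issuer) and returns the
// verifier's verdict for four presentations.
func Scenario() (map[string]error, error) {
	qeaaPub, qeaaPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	_, roguePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	reg := TrustRegistry{"qeaa.example": qeaaPub}
	status := map[string]StatusList{"qeaa.example": {false, true, false}} // slot 1 revoked

	base := Attestation{Issuer: "qeaa.example", Attributes: map[string]string{"age_over_18": "true"}}
	good, _ := Issue(qeaaPriv, base)
	revoked := base
	revoked.StatusIndex = 1
	rev, _ := Issue(qeaaPriv, revoked)
	rogue := base
	rogue.Issuer = "rogue.example" // properly signed, but by a key no registry lists
	rg, _ := Issue(roguePriv, rogue)
	// Tampered: the attribute value is edited after signing; signature unchanged.
	tampered := SignedAttestation{
		Payload:   []byte(strings.Replace(string(good.Payload), `"true"`, `"false"`, 1)),
		Signature: good.Signature,
	}

	verdicts := map[string]error{}
	for name, sa := range map[string]SignedAttestation{"valid": good, "revoked": rev, "unknown_issuer": rg, "tampered": tampered} {
		_, verdicts[name] = Verify(reg, status, sa)
	}
	return verdicts, nil
}

func main() {
	verdicts, err := Scenario()
	if err != nil {
		panic(err)
	}
	for name, v := range verdicts {
		fmt.Printf("%-15s -> %v\n", name, v)
	}
}
```

The order of checks in Verify matters: the issuer is identified from the payload only so that the right registry key can be chosen, and nothing in the payload is trusted until the signature over those exact bytes has been verified with that key. The status list is consulted last and as a whole, which is what keeps the provider from learning about individual uses of the PID or attestation.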
IMPORTANT: Please note that the information above is only a brief summary of the possible roles within the EUDI Wallet ecosystem. For more detailed information, it is strongly advised that you refer to the European Digital Identity Architecture and Reference Framework – Outline.
The eIDAS 2.0 Roadmap & Toolbox
The initial planning of the European Commission is detailed in the following Roadmap:
By September 2022, a Toolbox for the European Digital Identity Framework is expected from the EU Commission. Member States will then have 12 months to prepare their own wallets, built to common standards.
The Toolbox will describe everything the Member States need in order to construct the appropriate technical infrastructure to support the EDIW and to implement it. It will include a collection of common standards, technical references, practices, and recommendations.
The following illustration shows the eIDAS toolbox mapped onto a self-sovereign identity (SSI) architecture:
The illustration shows that the Wallet should have four functions:
- Identification and authentication,
- Verifiability of the validity of the evidence by third parties throughout Europe,
- Secure storage and presentation of verified identities and their data and
- Generation of qualified electronic signatures.
Building the Toolbox - How can you prepare for eIDAS 2.0?
In preparation for the toolbox development and the final rollout of the European Digital Identity (EUDI) Wallet, speak to Utimaco about the range of solutions that your organization may require as part of your toolbox. Examples of the services and solutions that Utimaco provides include:
• Qualified Trust Services for secure digital identity wallets
- Qualified certificates for electronic signatures & seals
- Remote Qualified Signature/ Seal Creation Devices (QSCD)
- Enhancing log-on security with strong authentication, alongside regulations such as PSD2 SCA
- Mutual authentication between the EUDI Wallet and external entities
- Payment authentication with a high degree of security
• Data Encryption
- Data may need to be stored or moved between different storage components, local or remote. Sensitive personal data therefore requires secure storage and encryption.
Please speak to us for further information in order to discuss your requirements.
About the Author
Dawn Illing is a product development manager with over 25 years of product management experience in the banking, insurance and cyber security industries. Working internationally across EMEA has inspired her interest in cross-border digital identity and cyber security, including the interoperability requirements that are necessary for the successful delivery of digital product and market solutions.