The technical specifications for the European Digital Identity wallet are in the process of being finalized. Among its main goals, the wallet must be able to:
- Create qualified electronic signatures
- Contain and allow sharing of “electronic attestations of attributes” about the person
At the same time we have all the building blocks already available and in use. We need to list existing best practices, publish them and take the wallet into use.
eID Easy proposal
- Issue 2 certificates into every wallet. The first certificate is for user identification and is used to verify the user's ID. The second certificate is for qualified electronic signatures.
- All the “electronic attestations of attributes” must be ASiC-E containers with machine readable and optionally human readable representations. If only machine readable data is needed, the JAdES format would work too.
- Machine readable part must be JSON similar to the W3C Verifiable Credential standard.
- The attestation verification process must involve checking the issuer signature, the trust list status and the user's identity using the identification certificate.
- Flexible trust list system must be developed. Each attestation category must have its own trust list. New category creation must be an easy and fast process.
- Access to the wallet system must not be restricted. Cost of being included in the trust list as attestation issuer must be reasonable.
The EU Digital COVID Certificate shows us one very good example of the wallet. An EU COVID Certificate is in fact information about your vaccination status, digitally signed by an authorized institution. It also has a visual representation and trust lists where you can check whether the signer is authorized to prove your vaccination status or not. As a side note, I had a “certificate” as an XML document signed by a medical institution already months before the EU COVID Certificate was fully implemented.
All Estonian banks allow you to download payment confirmations and account statements with the bank’s eSeal. This way you can prove completion of the payment to your business partner or apply for the loan with the loan issuer being confident in your financial situation.
Every Estonian company can request proof of tax debt status from the Estonian tax office and it is issued as ASiC-E container containing both machine readable XML and human readable PDF files.
The European Commission is developing the Europass Digital Credentials Infrastructure (EDCI) to support efficiency and security in how credentials such as qualifications and other learning achievements can be recognised across Europe. Europass is already in use in universities issuing diplomas. These credentials are based on Qualified eSeals as well.
From these examples we can see a common theme where machine readable and human readable proofs or attestations are digitally signed by qualified electronic seals or qualified electronic signatures.
The W3C Verifiable Credentials working group has done a great job of figuring out a general architecture for electronic attestations. Most people seem to think that Verifiable Credentials need blockchain, but actually the technology does not matter. The specification says “A verifiable credential is a tamper-evident credential that has authorship that can be cryptographically verified”. We can use the principles of Verifiable Credentials to build the machine readable data of electronic attestations.
To issue an attestation, the issuer needs to verify the user and the attribute, compose the attestation, sign it with its electronic seal and give the file to the user to store and to share with whoever needs it.
Verification of attestations can even be done automatically. To check a person's age at a bar entrance, the verification machine requests an “over 18” type of attestation via NFC, the wallet presents it after user confirmation, the verifier asks the wallet to sign a nonce using the identification certificate, the user activates the signature with a fingerprint or PIN, and the verifier confirms that the attestation belongs to this person.
Sometimes the user PIN and identification certificate do not need to be used. If the ID is a passport number or national ID code, it is enough for the user to send only the attestation, and the verifier checks ownership of the attestation using the passport.
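The verification flow described above (trust list status, issuer signature, proof that the presenter holds the identification key), as an added Go example that is not eID Easy's code or part of any EU specification. It assumes raw Ed25519 keys in place of X.509 certificates and ASiC-E/JAdES signatures, a constructed JSON attestation, and hypothetical names (`Attestation`, `Presentation`, `TrustList`, `Verify`, `Setup`).

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

type (
	Attestation struct { // constructed, simplified machine-readable part (assumption, not a real schema)
		Category, Claim, Issuer string
		HolderKey               []byte // public key from the holder's identification certificate
	}
	Presentation struct{ Payload, IssuerSig, NonceSig []byte } // what the wallet hands over
	TrustList    map[string]map[string]ed25519.PublicKey      // category -> issuer -> seal key
)

// Verify checks trust list status, the issuer seal, then the holder's signature over the nonce.
func Verify(p Presentation, nonce []byte, tl TrustList) error {
	var a Attestation
	err := json.Unmarshal(p.Payload, &a)
	seal, ok := tl[a.Category][a.Issuer]
	switch {
	case err != nil:
		return fmt.Errorf("malformed attestation")
	case !ok:
		return fmt.Errorf("issuer %q is not on the %q trust list", a.Issuer, a.Category)
	case !ed25519.Verify(seal, p.Payload, p.IssuerSig):
		return fmt.Errorf("issuer signature invalid")
	case len(a.HolderKey) != ed25519.PublicKeySize || !ed25519.Verify(a.HolderKey, nonce, p.NonceSig):
		return fmt.Errorf("presenter does not hold the identification key")
	}
	return nil
}

func Setup() (Presentation, TrustList, func(nonce []byte) []byte) { // constructed sample data
	issuerPub, issuerKey, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	holderPub, holderKey, _ := ed25519.GenerateKey(nil)
	payload, _ := json.Marshal(Attestation{"age", "over 18", "Constructed Registry", holderPub})
	p := Presentation{Payload: payload, IssuerSig: ed25519.Sign(issuerKey, payload)}
	tl := TrustList{"age": {"Constructed Registry": issuerPub}}
	return p, tl, func(n []byte) []byte { return ed25519.Sign(holderKey, n) } // key stays in the wallet
}

func main() {
	p, tl, walletSign := Setup()
	nonce := []byte("constructed-nonce-1") // a real verifier draws a fresh random nonce per session
	p.NonceSig = walletSign(nonce)         // user activates the signature with fingerprint or PIN
	fmt.Println("verification error:", Verify(p, nonce, tl))
}
```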
In summary, we have all the building blocks for the “European Digital Identity wallet”. We could start using it today. The main risk is that the exact trust list framework and the list of values in the attestations could be different when the European Commission finally publishes the detailed specifications. We as industry players can design our wallet in such a way that it can be upgraded to the final specs.
Let’s make the EU digital identity wallet happen. Get in touch with the eID Easy team at www.eideasy.com