We are one step closer to a European Digital Identity. The European Commission recently published a document called "European Digital Identity Architecture and Reference Framework" that establishes the functional and architectural requirements for the upcoming European Digital Identity Wallet.
The document covers an exhaustive list of capabilities aimed at giving citizens a digital wallet that holds their identity and leaves them in complete control of it. SSI (Self-Sovereign Identity) is never named explicitly, but that is what the document describes: an SSI wallet, and quite a lot more. 💳
If you are not familiar with Early Binding, I recommend reading the article Introduction to SSI, where it is explained, because the wallet for the European Digital Identity uses this model.
A bit of history on the European Identity 📃
In 2014 the eIDAS regulation appeared:
This Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.
With a view to ensuring the proper functioning of the internal market while aiming at an adequate level of security of electronic identification means and trust services this Regulation:
- lays down the conditions under which the Member States recognize electronic identification means of natural and legal persons falling under a notified electronic identification scheme of another Member State;
- lays down rules for trust services, in particular for electronic transactions; and
- establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services, and certificate services for website authentication.
This regulation was well ahead of any other initiative of its kind, and it has been a long road from there to the recent publication of the European Digital Identity Architecture and Reference Framework, which is still not final.
In parallel to eIDAS there is EBSI (European Blockchain Services Infrastructure) and its use cases, including the identity use case, an SSI solution built with an implementation-first focus. The EBSI approach is more practical, whereas eIDAS is more legal in nature, so eIDAS and EBSI need to find common ground to build a better European Digital Identity.
The European Identity Wallet
The European Identity Wallet extends all the capabilities of an SSI wallet and also sets some extra requirements for the member states.
Each member state must provide a wallet within 12 months of the publication of the regulation. Note that what has actually been published is not the regulation but the framework for the wallet, so the 12 months have not started counting yet.
The wallet shall be considered an electronic identification scheme with the level of assurance "high", which means a fully verified identity. It must also be free of charge for natural persons, and the user must be in full control of the wallet.
The wallet may be built by a member state or by the private sector, always ensuring the highest security and privacy standards; explicitly, it must not collect usage information beyond what is necessary to provide the wallet services.
Improvements over basic SSI: different kinds of credentials and selective disclosure ✅
The new European Identity Wallet distinguishes three kinds of credentials, which it calls attestations (Electronic Attestation of Attributes, EAA), and the difference lies in who issues the data:
- PID: Person Identification Data. PID providers may be, for example, the same organizations that today issue official identity documents and electronic identity means, EUDI Wallet issuers, etc.
- QEAA: Qualified Electronic Attestation of Attributes. Qualified EAAs are those credentials issued by QTSPs (Qualified Trust Service Providers).
- EAA: Non-qualified Electronic Attestation of Attributes. Any other EAA, provided by an issuer that is not a QTSP.
Along with these three kinds of attestations, the European Wallet requires the capability to selectively disclose only part of the attributes of a credential.
For example, if the credential is the whole national ID, with name, ID number, address, date of birth and other data, a relying party that only needs to know that its customers are older than 18 should get access to the age-related data alone.
Better still, it should only receive an attestation that the holder is older than 18, not the date of birth itself. The best-case scenario is the use of ZKPs (Zero-Knowledge Proofs), which can validate a claim without disclosing any other data.
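As an added example (this is not code from the ARF or from the original post), here is a simplified salted-hash selective-disclosure scheme in Python, in the spirit of the SD-JWT approach: the issuer signs only a list of digests of salted attributes, the holder reveals the one disclosure it chooses (here the `age_over_18` predicate the issuer pre-computed), and the relying party checks each revealed disclosure against the signed digest list. The HMAC `ISSUER_KEY` stands in for the issuer's real signing key, the PID values are constructed sample data, and the function names are my own.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Assumption: an HMAC key stands in for the issuer's signing key; a real
# PID provider would sign with a qualified electronic signature or seal.
ISSUER_KEY = b"demo-issuer-key-not-for-production"

# Constructed sample PID. The issuer pre-computes the age_over_18 predicate
# so the holder can prove it without ever revealing birth_date.
SAMPLE_PID = {
    "family_name": "Doe",
    "given_name": "Jane",
    "birth_date": "1990-05-17",
    "age_over_18": True,
    "resident_address": "Calle Ejemplo 1, Madrid",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _digest(disclosure: str) -> str:
    return _b64url(hashlib.sha256(disclosure.encode("utf-8")).digest())


def issue(attributes: dict, issuer_key: bytes) -> tuple:
    """Issuer side: one salted disclosure per attribute; sign only the digests."""
    disclosures = {}
    digests = []
    for name, value in attributes.items():
        # A 128-bit random salt stops a verifier from guessing hidden values
        # by hashing candidates (e.g. every plausible birth date).
        salt = _b64url(secrets.token_bytes(16))
        disclosure = json.dumps([salt, name, value], separators=(",", ":"))
        disclosures[name] = disclosure
        digests.append(_digest(disclosure))
    digests.sort()  # digest order must not leak the attribute order
    payload = json.dumps(
        {"iss": "https://pid-provider.example", "_sd": digests},
        sort_keys=True, separators=(",", ":"),
    )
    signature = hmac.new(issuer_key, payload.encode("utf-8"), "sha256").hexdigest()
    return {"payload": payload, "signature": signature}, disclosures


def present(credential: dict, disclosures: dict, reveal: list) -> dict:
    """Holder side: hand over the signed credential plus only the chosen disclosures."""
    return {
        "credential": credential,
        "disclosures": [disclosures[name] for name in reveal],
    }


def verify(presentation: dict, issuer_key: bytes) -> dict:
    """Relying party side: check the issuer signature, then check that every
    revealed disclosure hashes to a digest the issuer committed to.
    Returns only the claims that were actually disclosed."""
    credential = presentation["credential"]
    expected = hmac.new(issuer_key, credential["payload"].encode("utf-8"), "sha256").hexdigest()
    if not hmac.compare_digest(expected, credential["signature"]):
        raise ValueError("issuer signature check failed")
    committed = set(json.loads(credential["payload"])["_sd"])
    claims = {}
    for disclosure in presentation["disclosures"]:
        if _digest(disclosure) not in committed:
            raise ValueError("disclosure was not committed to by the issuer")
        _salt, name, value = json.loads(disclosure)
        claims[name] = value
    return claims


if __name__ == "__main__":
    credential, disclosures = issue(SAMPLE_PID, ISSUER_KEY)
    presentation = present(credential, disclosures, ["age_over_18"])
    print(verify(presentation, ISSUER_KEY))  # prints {'age_over_18': True}
```

The relying party learns only that `age_over_18` is true and that the issuer vouched for it; the name, address and date of birth never leave the wallet, and a disclosure whose name or value has been altered fails the digest check. Two things this toy scheme does not give you, and that the real wallet has to address, are holder binding (proof that the presenter is the person the credential was issued to) and unlinkability across relying parties (the same digest list is shown to every verifier, so it acts as a correlating identifier; ZKP-based schemes are one way around that).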
New capabilities: Qualified signature certificates and more secure web services ✅
Once users have their own validated digital identity, what prevents them from using it for more advanced purposes, such as signing documents? Nothing should. That is why the qualified electronic signature is included in the wallet. Any document the user signs with the wallet (or with a cloud signature service, if the wallet cannot sign by itself) will have the same legal validity as a handwritten signature with the signer's identity verified. This is a huge step towards the digitalization of government services.
Then there are the new functions aimed at web security:
- Authoritative-source login: if a service requires a user to be identified with a high level of confidence (e.g. banking services), the wallet can certify the identity by linking to civil registry information or by interfacing with national ID documents.
- Pseudonymous authentication: in contrast to the previous case, a user may authenticate pseudonymously to a system that does not require any further identification. This allows a single identification system to be used without disclosing personal information, provided the pseudonym is different for each relying party so that logins cannot be correlated across services.
- Mutual authentication: this goes beyond ordinary TLS server certificates and aims for maximum security for the user. When a user connects to a website, a mutual authentication procedure lets the user be sure of the service they are connecting to, effectively preventing phishing and similar attacks. This is done using QWACs (Qualified Website Authentication Certificates). Please note that this has raised controversy and concerns from the major browser vendors, because browsers would be required to trust certificate authorities designated by the member states, and it will certainly bring a lot of discussion.
At a glance ✅
The classical SSI capabilities (lighter red in the figure) have been complemented with new and improved capabilities (document signature, interfacing with ID documents and other hardware, offline sharing, trusted execution environment integration) and security features (login, mutual authentication and wallet integrity check), to the point where the user can move into a new era of HIS digital information, under his CONTROL.
This is the start of a whole new era regarding digital identity for the EU citizens and hopefully, a model other countries will follow globally.
Santander Global T&O is a global company of Santander Group with more than 3,000 employees and based in Madrid, we work to make Santander an open platform for financial services.