Simplest implementation of the EU eID wallet that can be used already now
By csc |By Margus Pala, CEO, eID Easy
European Digital Identity wallet is in the process of finalizing technical specifications. Among the main goals the wallet must be able to:
- Create qualified electronic signatures
- Contain and allow sharing an electronic attestiations of attributes about the person
At the same time we have all the building blocks already available and in use. We need to list existing best practices, publish them and take the wallet into use.
eID Easy’s proposal
- Issue 2 certificates into every wallet. First certificate for user identification that is used to verify user ID. Second certificate for qualified electronic signatures.
- All the electronic attestiations of attributes must be ASiC-E containers with machine readable and optionally human readable representations. If only machine readable data is needed the JAdES format would work too.
- Machine readable part must be JSON similar to the W3C Verifiable Credential standard.
- Attestation verification process must involve checking the issuer signature, trust list status and user identity using identification certificate.
- Flexible trust list system must be developed. Each attestation category must have its own trust list. New category creation must be an easy and fast process.
- Access to the wallet system must not be restricted. Cost of being included in the trust list as attestation issuer must be reasonable.
eID wallet applications in practice
The EU Digital COVID Certificate shows us one very good example of the wallet. The EU COVID Certificate is in fact information about your vaccination status digitally signed by an authorized institution. It also has visual representation and trust lists where you can check if the signer is authorized to prove your vaccination status or not.
Some other examples come from Estonia; all Estonian banks allow you to download payment confirmations and account statements with the bank’s eSeal. This way you can prove completion of the payment to your business partner or apply for the loan with the loan issuer being confident in your financial situation.
Furthermore, every Estonian company can request proof of tax debt status from the Estonian tax office and it is issued as ASiCE container containing both machine readable XML and human readable PDF files.
Finally, the European Commission is developing the Europass Digital Credentials Infrastructure (EDCI) to support efficiency and security in how credentials, such as qualifications and other learning achievements, can be recognised across Europe. Europass is already being used by universities issuing diplomas. These credentials are also based on Qualified eSeals.
From these examples we can see a common theme where machine readable and human readable proofs or attestations are digitally signed by qualified electronic seals or qualified electronic signatures.
Architecture for electronic attestations
The W3C Verifiable Credentials standard workgroup has done a great job to figure out general architecture for electronic attestations. Many seem to think that Verifiable Credentials need blockchain, but actually the technology does not matter. The specification says a verifiable credential is a tamper-evident credential that has authorship that can be cryptographically verified. We can use principles of the Verifiable Credentials to build electronic attestation machine readable data.
For issuing the attestation, the issuer needs to verify the user and attribute, compose attestation, sign it with it’s electronic seal and give the file to the user to store and share as need.
Verification of the attestations can even be done automatically. For instance, when checking someone’s age at a bar entrance, the verification machine asks over 18 type of attestation via the NFC, the wallet presents it after user confirmation, the verifier asks to sign the nonce using identification certificate, the user activates signature using fingerprint or PIN, and the verifier confirms that this attestation belongs to this person.
Sometimes the user PIN and identification certificate does not need to be used. If the ID is a passport or national ID number, then it’s enough if the user will send only the attestation and the verifier checks the ownership of the attestation using the passport.
The building blocks for the European Digital Identity wallet are in our hands, and we could start using it today. The main risk in doing so is that the exact trust list framework and list of values in the attestations could be different when the European Commission publishes the detailed specifications. However, we as industry players can design our wallet in such a way that it could be upgraded to the final specs.
Let’s make EU digital identity wallet happen.