eIDAS 2.0 is certainly progressing at a pace to be applauded! The EU eIDAS expert group working on eIDAS 2.0 has just published the European Digital Identity Architecture and Reference Framework (the “ARF”).
Almost simultaneously the EU has published a call for proposals for digital identity pilots and infrastructure.
At OIX, members will be collectively reviewing the ARF in detail and providing constructive feedback to the eIDAS Expert Group. Here are our first impressions…
From a first read, the ARF is landing in exactly the right spot! It’s well thought through and aligns almost perfectly with OIX’s new Trust Framework for Smart Digital ID.
OK, some of the terminology is different, but on the roles side for instance there is almost complete alignment with OIX’s view on global trust framework roles. The terms used in the ARF, such as Electronic Attribute Attestation (EAA) are clear and descriptive, and perhaps give the whole ID industry chance to move on from some semantically overloaded terms that currently cause much confusion (yes, I am referring to credential…).
Some initial thoughts on the ARF are:
- The PID is intimately tied to the requirement for ‘High’ LoA, and forms the trust anchor for the ID. This is good. OIX would regard the PID as another EEA, just a special one that must be present in the wallet as a pre-requisite to allow the rest of the processes.
- When is a Qualified EAA required Vs a Non-qualified EAA?
- The trust value of an EAA is higher when it is verified by an Authentic Source – doe this needs to be recognised in the ARF?
- Why are only QEAA providers are referenced as accessing Authentic Sources? Is the implication that EEA that are verified against Authentic Sources must be QEAA? This is inconsistent with the notes in the ARF role diagram.
- Once I have the PID in the EUDI Wallet, the user is trusted. There is then a difference then between whether an issuer of a EAA verifies who the user is themselves before issuing the EAA (OIX “Direct Issuer”) or trusts the Digital ID has verified the user – which it has – has issues its EEA on that basis (OIX “Indirect Issuer”). Does this distinction need to be recognised in the ARF?
- Are data standards required to enable interoperability across member states and with other trust frameworks around the world? OIX is working on a global assessment of Data Standards for Digital ID.
- The ARF cements the distributed philosophy of the EU Digital Identify (EUDI) Wallet, whilst sensibly recognising that there are device-based and could-based options to achieve this. As expected, the requirement is for the EUDI Wallet to work in offline situations where face to face presentation of ID information is required.
- The principle that issuers cannot see and track where the user shares their data is well enshrined. As is the fact that issuer, and then users, can restrict who can see and use data.
- A Trust Registry is central to the framework, so all parties roles can be verified. OIX is working on global role and role permissions as part of it’s Global Interoperability working group. Alignment with this would make EU to third country transactions more easily verifiable in due course.
A key functionality option statement in the ARF really leapt out at us:
Selective disclosure and combination of attestations can be handled in two different ways:
- the EUDI Wallet may hold a very broad collection of attributes as PID, QEAA and EAA, and each time a specific attribute or the derivation of a specific attribute is required, a new PID or (Q)EAA has to be requested from providers.
- the EUDI Wallet may have the intrinsic capability, based on the obtained PID and (Q)EAA, to selectively disclose, derivate a specific attribute and aggregate several single attributes, without the need for new PID, (Q)EAA or interactions with the PID and (Q)EAA providers. For instance, specific fit for purpose signature schemes in PID and (Q)EAA could enable such capabilities.
The first option is clunky for the user and puts an undue burden on EAA providers. Not recommended!
The second option is ‘bang on’. This is a Smart Digital ID per OIX’s new trust framework. The Digital ID – the EUDI Wallet – is trusted and has the capability to aggregate EEAs to derive new composite attributes to meet the needs of relying parties. It must do this in a way that allows the relying party to specify the rules, but that protects the user from needing to understand the detail of the rules. The user needs to be part of the process, and consent to any aggregations and derivations, but the Smart EUDI Wallet must help and guide them through this process.
So overall, looking good so far!
OIX will be making its more detailed assessment to share with EU Expert Group over the next couple of weeks.
Nick Mothershaw, Chief Identity Strategist