Gataca logo
Gataca Studio
Gataca Wallet
Gataca Vouch
All Use Cases & Industries

Industries

Public Sector
iGaming
Media & Content
Banking
Higher Education

Use Cases

Client Onboarding
User Authentication
Age Verification
Physical Access Control
Credentials Issuance
About
Careers
Contact Us
Become a Partner
Blog
Certifications
eIDAS 2.0
Demo
Open menu

Regulations

8 min read

The EUDI Wallet Architecture & Reference Framework in Plain English

May 17, 2022

EUDI Wallet

On June 6th, 2021, the European Commission announced the launch of a European Digital Identity with a digital ID Wallet as a key component as part of an update of the current eIDAS regulation. The Architecture and Reference Framework (ARF) is part of the eIDAS 2.0 proposal, and Self-Sovereign Identity (SSI) principles are all over it.

The new European digital identity framework will allow citizens to identify and authenticate themselves online via a European digital identity wallet and give users complete control of their data, letting them decide what information to share, with whom, and when.

In April 2023, the EU published version 1.1.0 of the European Digital Identity Wallet ARF to provide a set of specifications needed to develop an interoperable European Digital Identity (EUDI) Wallet Solution based on common standards and practices. Let’s jump into it!

eIDAS 2.0 and EUDI Wallet Timeline

ARF Timeline.png

While eIDAS 2.0 is still under legislative process, the European Commission is preparing the Architecture and Reference Framework for the EUDI Wallet. The process is organized into four sub-working groups, each concerned with a separate feature or functionality of the toolbox.

The regulation is expected to be formally adopted in the first quarter of 2024 and according to the latest text, Member States will have 24 months to provide at least one EUDI wallet, during which both the public and private spheres must prepare for its implementation.

At the same time, the European Commission has designed a program through Large Scale Pilots (LSPs) with the participation of over 250 early adopters from private and public organizations across nearly every Member State to evaluate the EUDI Wallet in real-world scenarios like opening bank accounts, applying for university admissions, or requesting a SIM card.

Gataca is participating in the Digital Credentials for Europe (DC4EU) consortium, which focuses on using the EU Digital Identity Wallet for three specific use cases: Identity, Social Security, and Education.

The Architecture Reference Framework (ARF): How it works?

The ARF serves as a critical guide and reference for the design and architecture development of the EUDI Wallet under the Large Scale Pilots (LSPs) program.

The LSPs aim to develop an ecosystem of supporting organizations, issuing attributes, and facilitating the sharing of credentials using the EUDI Wallet.

Thus, the ARF is a crucial component in a continuous feedback loop. Its specifications serve as the input for developing the reference implementation (RI), which in turn forms the foundation for large-scale pilots (LSPs). The feedback and proposals generated by the LSPs are then channeled back into the ARF.

It's important to acknowledge that the provided roadmap represents a preliminary plan, and the timeline may evolve as the review and adoption process advances.

eIDAS 2.0 Roles adapted to the SSI ecosystem

So far, the EU has defined 14 basic roles and actors for the EUDI ecosystem, and the majority can be re-categorized into SSI stakeholder categories: Issuer, Holder, and Verifier.

For those under the Issuer umbrella, the eIDAS toolbox distinguishes 3 different roles relative to the type of data they issue: personal data, official & non-official attributes.

Additionally, it has emphasized other types of providers, which SSI has not yet identified as roles or entities, but rather as sources of information (or registries): Schema Catalogue Providers, Authentic Source providers, and Providers of Registries of Trusted Sources.

Interestingly, eIDAS extends the definition of the Provider of registries of trusted sources also to include trusted lists of verifiers and wallet providers, information that is not included in typical SSI implementation.

There have also been new roles/actors added that had been uncontemplated by the SSI ecosystem: Conformity Assessment Bodies (CAB) and Supervisory Bodies, which certify and supervise EUDI Wallet, qualified and non-qualified trust service providers, respectively.

For your reference and easier understanding, we have arranged and adapted the eIDAS roles into an SSI stakeholder map for a clearer visualization of information and relationship flow - see below.

eidas2-0roles.png

A look into the functional requirements

In this next section, we’ll dive into the most critical functional requirements established by the ARF Outline in February 2022 and aim to explain them in simpler, casual English.

Section 4.1: Store person identification data, qualified electronic attestation of attributes, and electronic attestation of attributes

Plain English section summary:

Storing personal data in the Wallet

  • Wallets must be able to store and manage personal data on their smartphone (locally) or remotely (in-cloud).
  • As in SSI, users have to be able to receive their Verifiable Credentials, store them in their Wallet, and share these credentials without having to ask the issuer.

Section 4.2: Request and obtain person identification data, qualified electronic attestation of attributes and electronic attestation of attributes

Plain English section summary:

Requesting and obtaining personal data in the Wallet

  • Wallet must allow organizations to request and obtain personal user data during onboarding/authentication. For example, Bank asks the user for a National ID verifiable credential in the “create your bank account process.”
  • Users should be able to request personal data credentials from issuers. Users should also be able to delete data from their wallets.

Section 4.3: Cryptographic functions

Plain English section summary:

Access and management of cryptographic functions

  • This section mainly emphasizes the correct use of cryptographic functions (keys, computation, environments). The Wallet should be able to create, store, use and delete cryptographic material (i.e., keys).
  • Users should have secure access to cryptographic functions (i.e., cryptographic keys) wherever they are hosted.

Section 4.4: Mutual authentication

Plain English section summary:

Entities, users, and wallets authenticating each other

  • EUDI Wallet must be able to recognize and identify organizations it is interacting with and vice versa.
  • These actions should be possible both online and offline.
  • There must be a standard specified as EU-level interoperability is required.

Section 4.5: Selection, combination and sharing of personal identification data, qualified electronic attestation of attributes and electronic attestation of attributes

Plain English section summary:

Selecting, combining, and sharing personal data

  • Users should be able to use their EUDI Wallet as a method of authentication (prove their identity). This digital form of proving who they are will have legal validity.
  • The Wallet should follow standard presentation interfaces to communicate and share the user’s data in an effort to make it interoperable at the European level.
  • The Wallet Provider cannot see/store any user information unless it is absolutely necessary for it to continue providing the service.
  • The Wallet is required to have the possibility of sharing information through selective disclosure mechanisms. This enables users to share bits of their identity without revealing all of their attributes. For example, to prove her age at a liquor store, thanks to selective disclosure, the holder would only share their full name and birthdate information. The rest would be hidden from the liquor store.
  • In an offline (in-person) scenario, if a user shares attributes that are not directly linked to their EUDI Wallet (for example, the Covid Health Certificate), they may have to support it with additional documentation.
  • In an online scenario, when proving their identity through the sharing of personal data via their Wallet, users must be able to prove they control or have access to the cryptographic keys linked to the information being shared. “My keys, my Wallet, my info”

Section 4.6: User interface for user awareness and authorization mechanism

Plain English section summary:

Maximizing user experience and transparency

  • This section is all about the user-friendliness of the EUDI Wallet
  • The user should be able to know/see clearly:
    • Who they’re interacting with (issuers, verifiers, wallets, registries, etc.)
    • The reason third parties request particular information
    • Their data protection rights
    • Which data is mandatory to be authenticated and which is optional
    • The history or log of events of the wallet’s use (i.e. when they’ve shared a credential, been issued a credential, or linked to a service)
  • The Wallet should follow privacy and security-by-design principles, specifically requesting users to clearly express their consent to sharing information.
  • The Wallet has to allow two-factor authentication

Section 4.7: Sign by means of qualified electronic signature or seal

Plain English section summary:

Being able to sign and seal digitally

  • The Wallet must allow its user to digitally sign documents and data

Conclusion

The first outline for the European Digital Identity Architecture and Reference Framework has provided a solid foundation for the main requirements and objectives of the EUDI Wallet.

We’re looking forward to the evolution of this framework to see which specific mechanisms and methodologies will appropriately gear and guide Wallet providers for accurate implementation.

The reference framework currently emphasizes data privacy, highlighting selective disclosure protocols and interoperability, requiring it at a European level at a minimum - two essential characteristics for the usability and security of the EUDI Wallet.

We will have to wait for further details on how exactly European interoperability will be guaranteed, which is a long-time goal SSI enthusiasts have been working on. Other key points we're hoping the updated document expands on are high Level of Assurance (LOA), two-factor authentication (2FA), and security requirements.

As for governance, we’re especially curious to see how the potential complexity of the EUDI Wallet certification process driven by these factors, along with the selectivity from Member States, can threaten the competitiveness of the Wallet provider market.

We’re looking forward to seeing eIDAS 2.0 Toolbox progress and adapting the Gataca Wallet to its specifications.

Chiara Casoni - Business Development & Partnerships
Chiara Casoni

Business Development & Partnerships