The Architecture and Reference Framework (ARF) recently published by the European Commission has given rise to differing interpretations and many questions within the digital identity community.
In this webinar Viky Manaila of the Intesi Group and Andy Tobin of Gen take a deep dive into this complex document with one of the co-authors of the ARF – Peter Altmann.
In one and a half hours you will have an extensive overview of the ARF with a dedicated Q&A session at the end.
The technical documentation is published here. It highlights that, rather than being about a single, standalone technology, this initiative defines an overall inter-operating digital ecosystem, featuring:
- End Users of EUDI Wallets – End users are defined as natural or legal persons that will be using the wallets to send, receive, store and share attestations and personal attributes about themselves which would be used to prove identity. End users will be able to produce qualified electronic signatures and seals (QES) using an EUDI Wallet.
- EUDI Wallet Providers – They are Member States or organizations mandated or recognized by Member States that make the EUDI Wallet available to End Users. The terms and conditions of the mandate or recognition would be determined by each Member State. EUDI Wallet Providers are responsible for ensuring compliance with the requirements.
- Person Identification Data Providers (PID) – PID providers are trusted entities and are responsible for verifying the identity of the EUDI Wallet user, maintaining an interface to securely provide PID to the EUDI Wallet, and making information available for Relying Parties to verify the validity of the PID, without receiving any information about the PID’s use.
- Qualified Electronic Attestation of Attributes (QEAA) Providers – Qualified EAA are provided by QTSPs. QEAA providers maintain an interface for requesting and providing QEAAs, including a mutual authentication interface with EUDI Wallets and potentially an interface towards Authentic Sources to verify attributes.
- Non-Qualified Electronic Attestation of Attributes (EAA) Providers – Non-qualified EAA can be provided by any Trust Service Provider. While they are supervised under eIDAS, it can be assumed that legal or contractual frameworks other than eIDAS mostly govern the rules for provision, use and recognition of EAA.
- Qualified and Non-Qualified Certificate for Electronic Signature/Seal Providers – The EUDI Wallet enables the user to create qualified electronic signatures or seals.
- Providers of other Trust Services – Providers of other qualified or non-qualified Trust Services such as timestamps may be further expanded in future versions of the ARF.
- Authentic Sources – Authentic Sources are the public or private repositories or systems recognized or required by law containing attributes about a natural or legal person. Authentic sources are sources for attributes on address, age, gender, civil status, family composition, nationality, education and training qualifications, titles and licenses, professional qualifications, titles and licenses, public permits and licenses, financial and company data.
- Relying Parties – Relying Parties are natural or legal persons that rely upon an electronic identification or a Trust Service. Relying Parties need to maintain an interface with the EUDI Wallet to request the necessary attributes within the PID dataset with mutual authentication. Relying parties are responsible for carrying out the procedure for authenticating PID and (Q)EAA.
- Conformity Assessment Bodies (CAB) – The EUDI Wallets must be certified by accredited public or private bodies designated by Member States. QTSPs need to be audited regularly by Conformity Assessment Bodies (CABs).
- Supervisory Bodies – The supervisory bodies are notified to the Commission by the Member States. They supervise QTSPs and take action, if necessary, in relation to non-qualified Trust Service Providers.
- Device Manufacturers and Related Entities – EUDI Wallets will have a number of interfaces with the devices they are based on, which may be for purposes such as local storage, online Internet access, sensors such as smartphone cameras, IR sensors, microphones, etc., offline communication channels such as Bluetooth Low Energy (BLE), Wi-Fi Aware, Near Field Communication (NFC), as well as emitters such as screens, flashlights, speakers, etc., and smart cards and secure elements.
- Qualified and Non-Qualified Electronic Attestation of Attributes Schema Providers – (Q)EAA Schema Providers publish schemas and vocabularies describing (Q)EAA structure and semantics. This may enable other entities such as Relying Parties to discover and validate (Q)EAA. Common schemas, including by sector-specific organizations, are critical for widespread adoption of (Q)EAAs.
- National Accreditation Bodies – National Accreditation Bodies (NAB) under Regulation (EC) No 765/2008 are the bodies in Member States that perform accreditation with authority derived from the Member State.