European Digital Identity

  • EIDAS (2014)
    • Trust services
    • Levels of assurance
    • Trusted lists for qualification
  • EBSI (2018)
    • Blockchain services
  • ESSIF (2019)
    • Self-Sovereign Identity (SSI)
  • EUDI (2024)
    • Digital identity wallet
    • Trusted lists for participation

Technical structure (EUDI)

  • Implementing regulations

  • Architecture & Reference Framework (ARF)

    • ETSI (infrastructure)
    • ENISA (cryptography)
    • OpenID (protocol)
      • Verifiable Credential Issuance (OpenID4VCI)
      • Verifiable Presentations (OpenID4VP)
    • ISO, IETF, W3C (credentials)

Neutrality

EUDI as advertised (Q&A, recitals …)

Citizens will be in full control over which data they share with which parties.*

* Fineprint:

  • issuers, wallets, and verifying parties must be included in a trusted list,
  • based on legal, financial, and operational criteria (e.g., liability, continuity, reporting …),
  • approved by government institutions.

Impact reports

Participation in the EU Digital Identity space is dependent on economic and political incentives,
putting it at risk of commercial and criminal exploitation.

(ISOC, CEPIS, CA/B, EFF)

Abstraction

OpenID’s “new trust model”

A paradigm shift towards user-centricity, increasing portability, privacy, and control
  • Portability
    • Bring Your Own Identity … like OpenID Connect
    • Offline/asynchronous availability … like OpenID Connect
    • No pre-established verifier–issuer relations … apart from trust relations
  • Privacy
    • Presentation without issuer … like OpenID Connect
    • Verification without issuer … impossible for PKI-based proofs
  • Control
    • Informed consent … like OpenID Connect
    • Selective disclosure … not needed without wallets

A self-sovereignty based on mutual trust

The standard we have:
A ‘local cache’ to manage consent for the access to (signed) personal info by approved parties.

The standard we need:
A ‘remote key’ to manage delegated control for any interaction with any (authentic) service by any party.


Delegation of control

Sharing decision-making power with another person

  • demonstrates trust of the delegator in the delegate;
  • builds trust of the delegate in the delegator.

A practical approach …

  1. Description
    • Technical APIs  (OpenAPI)
    • Legal/industrial DSLs  (DPV)
  2. Authentication
    • Signatures, PKI, ledgers  (EBSI)
    • Certificates, credentials  (VC)
    • Federations  (OpenID Federation, Trusted Lists)
  3. Control 💡
    • Policy evaluation  (ODRL, WACE)
    • Policy enforcement  (OAuth 2.1; receipts)
    • Policy management  (UMA, GNAP, A4DS)
  4. Delegation 💡
    • Federation  (A4DS)
    • Attenuation  (Biscuits)


Thanks!

Q&A at the end



Research funded by SolidLab Vlaanderen & SecuWeb