Who can read a European Digital Identity Wallet
The European Digital Identity Wallet is a solution that will allow citizens to securely share their identification data, attributes, and information about their credentials. Every citizen of the European Union will be able to own the wallet and use it in public and private services. Services that use data shared by the wallet are Relying Parties. Relying Parties need to be registered and authenticated by the wallet.
Personal Identification Data
Security and protection of personal identification data at every stage of their processing are the main requirements for digital wallets. The wallet will become a standard tool for sharing personal identification data with various entities to authenticate the wallet’s owner and confirm transactions in online services. This project will be successful only if the entire data-sharing process is adequately secured and resistant to possible attacks.
Use of the wallet in services
Relying parties can communicate with the European Digital Identity Wallet for electronic identification, obtaining identity attributes or performing other wallet functions, e.g. qualified electronic signature creation. The Relying Party will be subject to mandatory registration in the Member State of the European Union in which it is established. The purpose of registration is to limit access to the wallet functions to authorised entities and reduce the risk of data theft or unauthorised processing. Both the wallet and the citizen will know who wants to access the wallet data and the purpose of the data request.
Wallet data access scheme
The online service will display QR-Code to initiate a connection with the wallet. The first element of this communication will be the authentication of the Relying Party (provider of the service) requesting access to the wallet. The wallet user will be informed about the request and its purpose after successful authentication. The awareness information the user provides will contain information on what Relying Party requests data attributes. The wallet owner will be asked to confirm the data presentation. Only after the consent of the wallet owner will the wallet make the data available to the Relying Party.
Identification and authentication of a Relying Party
A Relying Party must provide reliable information about its identity in order to be able to request information from the wallet. According to the draft amendment to the eIDAS Regulation, a single mechanism will be established to enable the authentication and identification of a Relying Party. Identification of Relying Party will allow wallet users to confirm if their data is shared to proper online service. Relying Party identification data will be displayed directly on the mobile device supporting the wallet. The wallet also displays the purpose of data use and present the range of expected data from the wallet.
Credibility of Relying Parties
According to the eIDAS Regulation, any entity can become a Relying Party and use the wallet. However, the secure use of the wallet requires the user to know with whom he will share the data. This information should not be limited only to the entity’s name but also its credibility level. The credibility of the Relying Party should be separate information that informs the wallet user about the status of the service with which the data will be shared. Establishing credibility depends on the type of business. The individual assessment of credibility can be influenced by the country where the entity providing the service has its registered office – this is due to the legal conditions for providing certain services.
Communicating the credibility of Relying Parties
A digital identity wallet user should receive a reliable message about a Relying Party before sharing data. Giving the name of the Relying Party itself can be misleading because the name may contain information suggesting a different type of activity than carried out. For example, “Information Bank”, “Trust Services Agency”, and the “City of Poznan” can be the only companies with the names Bank, Agency or City. Proper identification will contain not only the name of the Relying Party but also an attribute that determines the level of credibility of a given entity.
Entities with the highest credibility
Among the many entities that provide Internet services, a few should be particularly highlighted due to high user protection needs. These entities include banks, trust service providers and public institutions. This is because they are subject to specific supervisory requirements, and how they operate is laid down by law. Users of the wallet should be informed about which institutions they share their data with and whether these entities are subject to special supervision or not. Developing services based on the wallet may require establishing new categories of entities using the wallet in their online services.
Recognising Relying Parties
The wallet must authenticate Relying Party as the first part of the interaction. This authentication should provide security guarantees and not place too many performance requirements on the systems responsible for keeping a register of the Relying Parties. A proven mechanism that will allow for easy authentication is website authentication certificates, electronic seal certificates and electronic attestations of attributes.
Qualified website authentication certificates
The validated website authentication certificates ensure secure identification and authentication of the Relying Party and ensure secure communication. These certificates are issued by qualified trust service providers and under the supervision of EU Member States. Obtaining such a certificate requires explicit and formal confirmation of the applicant’s data, verification of authorised persons and ensuring the security of public keys related to the certificate mentioned above. A qualified trust service provider carries out this process by supervised and audited procedures. Registration of Relying Parties through qualified suppliers can be direct and does not require any decisions from the Member States’ competent authorities.
Additional certificate attributes
To make it easy to recognise the trustworthiness level of Relying Parties, certificates should have additional attributes that will indicate whether the institution is a bank, a public entity, or a qualified trust service. Certificates containing additional information about the type of service and the body supervising this service are successfully used by banks within the requirements of the PDS2 Directive. Similarly, functioning certificates can also be used to authenticate relying parties with eIDAS2.
Summary
The security mechanisms of the European Digital Identity Wallet described in the above text will allow for their intended secure use. When sharing data to online services, the wallet user will be adequately informed about the Relying Party, its credibility level and the purpose of the transaction. Notably, the presented solutions do not require creating particular infrastructure (e.g. lists of relying parties) by the Member States of the European Union. At the same time, the registration of entities can be wholly carried out by qualified trust service providers.
Date of publication: 10/5/2022