eu-digital-identity-wallet
diff --git a/‎2.7.1/discussion-topics/index.html‎
Lines changed: 8 additions & 8 deletions b/‎2.7.1/discussion-topics/index.html‎
Lines changed: 8 additions & 8 deletions
diff --git a/‎2.7.1/discussion-topics/s-certificate-transparancy/index.html‎
Lines changed: 22 additions & 15 deletions b/‎2.7.1/discussion-topics/s-certificate-transparancy/index.html‎
Lines changed: 22 additions & 15 deletions
@@ -772,31 +772,31 @@ <h3 id="iteration-3">Iteration 3</h3>
 <td>O</td>
 <td><a href="o-catalogues-for-attestations/">Catalogues for Attestations</a></td>
 <td><a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/345">Roadmap issue</a></td>
-<td>Not yet integrated</td>
+<td><a href="https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/2.6.0/">2.6.0</a></td>
 </tr>
 <tr>
 <td>P</td>
 <td><a href="p-secure-cryptographic-interface-between-the-Wallet-Instance-and-WSCA/">Secure Cryptographic Interface between the Wallet Instance and the WSCA</a></td>
 <td><a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/346">Roadmap issue</a></td>
-<td>Not yet integrated</td>
+<td><a href="https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/2.7.0/">2.7.0</a></td>
 </tr>
 <tr>
 <td>Q</td>
 <td><a href="q-interface-user-wallet-instance/">Interface between the User and the Wallet Instance</a></td>
 <td><a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/347">Roadmap issue</a></td>
-<td>Not yet integrated</td>
+<td><a href="https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/2.7.0/">2.7.0</a></td>
 </tr>
 <tr>
 <td>R</td>
 <td><a href="r-authentication-of-user-to-device/">Authentication of the User to the device</a></td>
 <td><a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/348">Roadmap issue</a></td>
-<td>Not yet integrated</td>
+<td><a href="https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/2.7.0/">2.7.0</a></td>
 </tr>
 <tr>
 <td>S</td>
 <td><a href="s-certificate-transparancy/">Certificate transparency</a></td>
 <td><a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/349">Roadmap issue</a></td>
-<td>Not yet integrated</td>
+<td><a href="https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/2.7.0/">2.7.0</a></td>
 </tr>
 <tr>
 <td>T</td>
@@ -808,7 +808,7 @@ <h3 id="iteration-3">Iteration 3</h3>
 <td>Z</td>
 <td><a href="z-device-bound-attestations/">Device-bound Attestations</a></td>
 <td><a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/567">Roadmap issue</a></td>
-<td>Not yet integrated</td>
+<td><a href="https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/2.6.0/">2.6.0</a></td>
 </tr>
 <tr>
 <td>AA</td>
@@ -839,13 +839,13 @@ <h4 id="earlier-topics-planned-to-be-additionally-discussed-in-iteration-3">Earl
 <td>F</td>
 <td><a href="f-digital-credential-api/">Digital Credentials API</a></td>
 <td><a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/336">Roadmap issue</a></td>
-<td></td>
+<td><a href="https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/2.7.0/">2.7.0</a></td>
 </tr>
 <tr>
 <td>G</td>
 <td><a href="g-zero-knowledge-proof/">Zero Knowledge Proof</a></td>
 <td><a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/337">Roadmap issue</a></td>
-<td></td>
+<td>-</td>
 </tr>
 </tbody>
 </table>
 
@@ -429,7 +429,7 @@
 
 
 
-<p>Version 0.5, updated 8 October 2025</p>
+<p>Version 1.0, updated 6 November 2025</p>
 <p><a href="https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/discussions/584">Link to GitHub discussion</a></p>
 <h1 id="topic-s-certificate-transparency">Topic S - Certificate Transparency</h1>
 <h2 id="1-introduction">1 Introduction</h2>
@@ -462,7 +462,7 @@ <h3 id="21-commission-implementing-regulation-eu-2025848">2.1 Commission Impleme
 <li><em>a description, where relevant, on how a provider of wallet-relying party 
 access certificates logs all wallet-relying party access certificates they 
 have issued, in compliance with internet engineering task force (‘IETF’) 
-request for comments (‘RFC’) 9162 Certificate Transparency version 2.0</em></li>
+request for comments (‘RFC’) 9162 Certificate Transparency Version 2.0</em></li>
 </ul>
 <p>Note: “<em>…a provider of wallet-relying party access certificates</em>” – above is 
 a CA authorized to issue access certificates.</p>
@@ -480,7 +480,9 @@ <h2 id="3-discussion">3 Discussion</h2>
 <h3 id="31-certificate-transparency">3.1 Certificate Transparency</h3>
 <p>A CA issuing access certificates SHALL register these in a CT log according to 
 RFC 9162. Examples of CT log providers are Google and Cloudflare for SSL/TLS 
-certificates issued for a domain or subdomain.</p>
+certificates issued for a domain or subdomain. Currently no CT log providers are available in Europe. How to address this situation is out of scope of the ARF.</p>
+<p>CT logs are used to ensure accuracy of issued access certificates with two or more log providers. This does not mean that the RP is registered or published twice. It only means that there is way to detect access certificates that were issued in error or fraudulently.</p>
+<p>Trust provided by CT logs is limited to the issuance of access certificates. They are two or more sources of truth stating who an access certificate has been issued to.</p>
 <h4 id="certificate-transparency-logs">Certificate Transparency Logs</h4>
 <p>Certificate Transparency (CT) is an open framework designed to improve the 
 security and accountability of the Public Key Infrastructure (PKI) used on the 
@@ -551,9 +553,8 @@ <h4 id="331-eu-ct-log-infrastructure">3.3.1 EU CT log infrastructure</h4>
 append-only, and that no unauthorized modifications or omissions go unnoticed. 
 Finally, drawing from the Web PKI best practice, it is important that
  <strong>each certificate be registered in at least two independent CT logs</strong>. </p>
-<p>It is assumed that the new European CT log infrastructure will define what 
- version of RFC 9162 and other implementation requirements such as the number 
- of CT logs a CA issuing access certificates shall register with is defined.</p>
+<p>It is assumed that the new European CT log infrastructure will define 
+ which standard to use, version of RFC 9162 or RFC 6962, and other implementation requirements such as the number of CT logs a CA issuing access certificates shall register with is defined.</p>
 <h4 id="332-ct-log-usage">3.3.2 CT log usage</h4>
 <p>In the Web PKI, browsers do not directly interact with Certificate Transparency 
 (CT) logs to verify the inclusion of a certificate. Instead, they <strong>trust the 
@@ -577,7 +578,7 @@ <h4 id="333-security-threats">3.3.3 Security threats</h4>
 for detecting new domains (see for example, Kondracki et al. "Uninvited Guests: 
 Analyzing the Identity and Behavior of Certificate Transparency Bots", in Usenix 
 Security, 2022)</p>
-<p>However, this is not expected to be case for CT logs for access certificates, 
+<p>However, this is not expected to be the case for CT logs for access certificates, 
 as the list of access certificates is already public. Collating all access certificates in one or more CT logs does not seem to pose any threat as this information is already publicly available.</p>
 <h4 id="334-incident-response">3.3.4 Incident response</h4>
 <p>It is important to recognise that <strong>Certificate Transparency (CT) logs do 
@@ -613,39 +614,41 @@ <h3 id="41-possible-hlrs">4.1 Possible HLRs</h3>
 <tbody>
 <tr>
 <td>CT_01</td>
-<td>A CA issuing access certificates SHALL register these in a CT log according to RFC 9162, if such a log is available.</td>
+<td>An Access CA issuing access certificates SHALL register these in a CT log according to RFC 9162, if such a log is available for access certificates.</td>
 </tr>
 <tr>
 <td>CT_02</td>
-<td>A CA issuing access certificates SHALL include a description in its CPS how all access certificates are logged according to RFC 9162</td>
+<td>An Access CA issuing access certificates SHALL describe in its CPS how it logs all access certificates.</td>
 </tr>
 <tr>
 <td>CT_03</td>
-<td>In case a CT log provider is available, the Access CA's SHALL act as monitors in the CT eco-system</td>
+<td>In case a CT log provider for access certificates is available, all Access CAs SHALL act as monitors in the CT ecosystem. Access CAs SHOULD still monitor the CT logs in situations of temporary unavailability.</td>
 </tr>
 <tr>
 <td>CT_04</td>
-<td>The issuing CA SHALL include at least one Signed Certificate Timestamp (SCT) in the certificate</td>
+<td>An Access CA SHALL include at least one Signed Certificate Timestamp (SCT) in each access certificate.</td>
 </tr>
 <tr>
 <td>CT_05</td>
-<td>The Wallet Unit SHALL check that the access certificate includes at least one Signed Certificate Timestamp (SCT)</td>
+<td>When verifying an access certificate during PID or attestation issuance or presentation, a Wallet Unit SHALL also verify that the access certificate includes at least one valid Signed Certificate Timestamp (SCT).</td>
 </tr>
 <tr>
 <td>CT_06</td>
-<td>A Wallet Unit SHALL not communicate with a RP which access certificate does not include a SCT</td>
+<td>If an access certificate does not include a valid SCT, a Wallet Unit SHALL handle this as a failure or Relying Party authentication, in compliance with all requirements in [<a href="#a234-topic-6---relying-party-authentication-and-user-approval">Topic 6</a>] and in particular requirement RPI_06a.</td>
 </tr>
 </tbody>
 </table>
 <p>The HLRs should address:
 1. How the certificate verifier performs checks against the CT log? Directly or via a fraud detection system?
 2. What checks that should be performed and what constitutes a malicious entry?
 3. What protocols that should be offered by a fraud detection system to all certificate verifiers?</p>
-<h3 id="42-version-of-rfc-9162-in-cir-eu-2025848">4.2 Version of RFC 9162 in CIR (EU) 2025/848</h3>
-<p>The CIR clearly states that version 2 of RFC 9162 shall be used. From comments received it seems that the previous version is implemented and used. As version 2 includes substantial improvements and the Commission might be developing a European CT log infrastructure it should be a task for this initiative to decide which version to use. Consideration of which version to use is dependent on if existing services (version 1) from Cloudflare and Google are to be used.</p>
+<h3 id="42-rfc-9162-in-cir-eu-2025848">4.2 RFC 9162 in CIR (EU) 2025/848</h3>
+<p>The CIR clearly states that RFC 9162 shall be used. From comments received it seems that the previous standard (RFC 6962) is implemented and used. As RFC 9162 includes substantial improvements and the Commission might be developing a European CT log infrastructure it should be a task for this initiative to decide which  standard
+to use. Consideration of which version to use is dependent on if existing services from Cloudflare and Google are to be used.</p>
 <h3 id="43-proposed-arf-changes">4.3 Proposed ARF changes</h3>
 <p>It is planned to introduce a new section in the ARF on Certificate Transparency. This new section will describe aspects of CA’s issuing access certificates.</p>
 <p>In addition to these planned changes, further changes on this subject will follow the outcome of the discussion.</p>
+<p>Topic S will be integrated into ARF 2.7.0</p>
 <h2 id="5-references">5 References</h2>
 <table>
 <thead>
@@ -663,6 +666,10 @@ <h2 id="5-references">5 References</h2>
 <td>[CIR 2025/848]</td>
 <td>Commission Implementing Regulation (EU) 2025/848</td>
 </tr>
+<tr>
+<td>[RFC 9162]</td>
+<td>IETF Certificate Transparency Version 2.0</td>
+</tr>
 </tbody>
 </table>