You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/annexes/annex-2/annex-2-high-level-requirements.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -86,9 +86,9 @@ identification and authentication of a User using their Wallet Unit.
86
86
87
87
*Short description*
88
88
89
-
A User can obtain their mobile Driver's Licence (mDL) from an mDL Provider and store it in an Wallet Unit. The User can then present the mDL to a Relying Party upon request to prove their driving rights conveniently, securely, and in compliance with the Driving Licences Directive, once it is adopted.
89
+
A User can obtain their mobile Driving Licence (mDL) from an mDL Provider and store it in an Wallet Unit. The User can then present the mDL to a Relying Party upon request to prove their driving rights conveniently, securely, and in compliance with the Driving Licences Directive, once it is adopted.
90
90
91
-
This Topic contains high-level requirements related to a User presenting a mobile Driver's Licence (mDL) to a Relying Party in a supervised or unsupervised scenario, and also in an unsupervised scenario, in proximity mode.
91
+
This Topic contains high-level requirements related to a User presenting a mobile Driving Licence (mDL) to a Relying Party in a supervised or unsupervised scenario, and also in an unsupervised scenario, in proximity mode.
92
92
93
93
*HLRs*
94
94
@@ -393,7 +393,7 @@ This Topic also contains the high-level requirements for [Topic 23](#a2323-topic
393
393
| ISSU_32a | An Attestation Provider SHALL sign its metadata (as defined in OpenID4VCI) using the private key corresponding to its Attestation Provider access certificate. |
394
394
| ISSU_33 | For the verification of Attestation Provider access certificates, a Wallet Unit SHALL accept the trust anchors in all Attestation Provider Access Certificate Authority Trusted List(s). *Note: Attestation Provider Access Certificate Authority Trusted Lists are explained in [[Topic 27](#a2327-topic-27---registration-of-pid-providers-providers-of-qeaas-pub-eaas-and-non-qualified-eaas-and-relying-parties)]. There may be separate Access Certificate Authority Trusted Lists for QEAA Providers, PuB-EAA Providers, and EAA Providers.* |
395
395
| ISSU_33a | A Wallet Provider SHALL support all Attestation Providers, meaning that its Wallet Units SHALL be capable of requesting the issuance of a QEAA, PuB-EAA, or non-qualified EAA from these Providers at the User's request. |
396
-
| ISSU_34 | A Wallet Unit SHALL authenticate and validate the Attestation Provider access certificate before requesting the issuance of an attestation. The Wallet Unit SHALL verify at least that the access certificate indicates that its subject is a QEAA Provider, Pub-EAA Provider, or EAA Provider, that the access certificate is authentic and is valid at the time of validation, and that the issuer of the access certificate is a CA that is in the Attestation Provider Access Certificate Authority Trusted List, as documented in [[Topic 27](#a2327-topic-27---registration-of-pid-providers-providers-of-qeaas-pub-eaas-and-non-qualified-eaas-and-relying-parties)]. *Note: PID Providers, QEAA Providers, and PuB-EAA Providers are trusted by other actors in the EUDI Wallet ecosystem to not fraudulently issue attestations (or PIDs) that they are not legally allowed to issue. This trust is warranted since these kinds of providers operate within a regulated framework and are regularly audited. However, non-qualified EAA Providers are unregulated and may not be completely trustworthy. Therefore, before requesting an EAA from a non-qualified EAA Provider, a Wallet Unit may need to verify that that EAA Provider is authorised or registered to issue the type of EAA the Wallet Unit is requesting. Such verification requirements, as well as the mechanisms allowing to do this, may be defined in the applicable Rulebook.* |
396
+
| ISSU_34 | A Wallet Unit SHALL authenticate and validate the Attestation Provider access certificate before requesting the issuance of an attestation. The Wallet Unit SHALL verify at least that the access certificate indicates that its subject is a QEAA Provider, PuB-EAA Provider, or EAA Provider, that the access certificate is authentic and is valid at the time of validation, and that the issuer of the access certificate is a CA that is in the Attestation Provider Access Certificate Authority Trusted List, as documented in [[Topic 27](#a2327-topic-27---registration-of-pid-providers-providers-of-qeaas-pub-eaas-and-non-qualified-eaas-and-relying-parties)]. *Note: PID Providers, QEAA Providers, and PuB-EAA Providers are trusted by other actors in the EUDI Wallet ecosystem to not fraudulently issue attestations (or PIDs) that they are not legally allowed to issue. This trust is warranted since these kinds of providers operate within a regulated framework and are regularly audited. However, non-qualified EAA Providers are unregulated and may not be completely trustworthy. Therefore, before requesting an EAA from a non-qualified EAA Provider, a Wallet Unit may need to verify that that EAA Provider is authorised or registered to issue the type of EAA the Wallet Unit is requesting. Such verification requirements, as well as the mechanisms allowing to do this, may be defined in the applicable Rulebook.* |
397
397
398
398
#### A.2.3.11 Topic 11 - Pseudonyms
399
399
@@ -459,7 +459,7 @@ C. Requirements regarding attestation attribute schemas
459
459
| ARB_17 | The Schema Provider for an Attestation Rulebook describing a type of attestation that is a non-qualified EAA SHOULD include in the Rulebook one or more attributes representing the set of data meant in [Annex V](https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32024R1183#d1e40-54-1) point c) of the [European Digital Identity Regulation]. |
460
460
| ARB_18 | The Schema Provider for an Attestation Rulebook describing a type of attestation that is a QEAA or a PuB-EAA SHALL include in the Rulebook one or more attributes or metadata representing the set of data meant in [Annex V](https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32024R1183#d1e40-54-1) point e) or [Annex VII](https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32024R1183#d1e40-56-1) point e) of the [European Digital Identity Regulation]. |
461
461
| ARB_19 | The Schema Provider for an Attestation Rulebook describing a type of attestation that is a non-qualified EAA SHOULD include in the Rulebook one or more attributes representing the set of data meant in [Annex V](https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32024R1183#d1e40-54-1) point e) of the [European Digital Identity Regulation]. |
462
-
| ARB_20 | The Schema Provider for an Attestation Rulebook describing a type of attestation that is a QEAA or a PuB-EAA SHALL include in the Rulebook one or more attributes or metadata representing the location meant in [Annex V](https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32024R1183#d1e40-54-1) point h) or [Annex VII](https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32024R1183#d1e40-56-1) point h) of the [European Digital Identity Regulation]. For a QEAA, this location SHALL indicate at least the URL at which a machine-readable version of the trust anchor to be used for verifying the QEAA can be found or looked up. For a Pub-EAA, this location SHALL indicate at least the URL at which a machine-readable version of the qualified certificate that signed the PuB-EAA can be found or looked up. |
462
+
| ARB_20 | The Schema Provider for an Attestation Rulebook describing a type of attestation that is a QEAA or a PuB-EAA SHALL include in the Rulebook one or more attributes or metadata representing the location meant in [Annex V](https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32024R1183#d1e40-54-1) point h) or [Annex VII](https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=CELEX:32024R1183#d1e40-56-1) point h) of the [European Digital Identity Regulation]. For a QEAA, this location SHALL indicate at least the URL at which a machine-readable version of the trust anchor to be used for verifying the QEAA can be found or looked up. For a PuB-EAA, this location SHALL indicate at least the URL at which a machine-readable version of the qualified certificate that signed the PuB-EAA can be found or looked up. |
463
463
| ARB_21 | The Schema Provider for an Attestation Rulebook describing a type of attestation that is a non-qualified EAA SHOULD include in the Rulebook one or more attributes or metadata representing the location at which a machine-readable version of the trust anchor to be used for verifying the EAA can be found or looked up.*Note: What this location indicates precisely is dependent on the nature of the mechanism used for distributing trust anchors; see requirement ARB_26.* |
Copy file name to clipboardExpand all lines: docs/architecture-and-reference-framework-main.md
+6-6Lines changed: 6 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -382,7 +382,7 @@ are described in Figure 1 and detailed in the following sections.
382
382
3. Person Identification Data (PID) Providers, see [Section 3.4](#34-person-identification-data-pid-providers),
383
383
4. Trusted List Providers, see [Section 3.5](#35-trusted-list-provider),
384
384
5. Qualified Electronic Attestation of Attributes (QEAA) Providers, see [Section 3.6](#36-qualified-electronic-attestation-of-attributes-qeaa-providers),
385
-
6. Electronic Attestation of Attributes issued by or on behalf of a public sector body responsible for an authentic source (Pub-EAA) Providers, see [Section 3.7](#37-eaa-issued-by-or-on-behalf-of-a-public-sector-body-responsible-for-an-authentic-source-pub-eaa-providers),
385
+
6. Electronic Attestation of Attributes issued by or on behalf of a public sector body responsible for an authentic source (PuB-EAA) Providers, see [Section 3.7](#37-eaa-issued-by-or-on-behalf-of-a-public-sector-body-responsible-for-an-authentic-source-pub-eaa-providers),
386
386
7. Electronic Attestation of Attributes (EAA) Providers, see [Section 3.8](#38-non-qualified-electronic-attestation-of-attributes-eaa-providers),
387
387
8. Qualified Electronic Signature Remote Creation Providers, see [Section 3.9](#39-qualified-electronic-signature-remote-creation-qesrc-providers),
388
388
9. Authentic Sources, see [Section 3.10](#310-authentic-sources),
@@ -523,7 +523,7 @@ User attributes from the PID in the Wallet Unit.
523
523
The terms and conditions of these services are for each QEEA Provider to
524
524
determine, beyond what is specified in the [European Digital Identity Regulation].
525
525
526
-
### 3.7 EAA issued by or on behalf of a public sector body responsible for an authentic source (Pub-EAA) Providers
526
+
### 3.7 EAA issued by or on behalf of a public sector body responsible for an authentic source (PuB-EAA) Providers
527
527
528
528
As specified in the [European Digital Identity Regulation], an attestation may
529
529
be issued by or on behalf of a public sector body responsible for an Authentic
@@ -541,7 +541,7 @@ to [Section 6.6.3.6](#6636-relying-party-instance-verifies-the-authenticity-of-t
541
541
542
542
the [European Digital Identity Regulation] stipulates that PuB-EAAs, like QEAAs, have the same legal effect
543
543
as attestations in paper form. It is up to the Member States to define terms and
544
-
conditions for the provisioning of Pub-EAAs, but PuB-EAA Providers will comply
544
+
conditions for the provisioning of PuB-EAAs, but PuB-EAA Providers will comply
545
545
with the same technical specifications and standards as Providers of PIDs and
546
546
other attestations.
547
547
@@ -605,7 +605,7 @@ In Figure 1 this is indicated by the arrow 'provides qualified data'.
605
605
606
606
Relying Parties are natural or legal persons that rely upon an electronic
607
607
identification scheme or on a Trust Service. They request attributes contained
608
-
within a PID, QEAA, Pub-EAA or EAA from the Wallet Unit, subject to the approval
608
+
within a PID, QEAA, PuB-EAA or EAA from the Wallet Unit, subject to the approval
609
609
of the User and within the limits of applicable legislation and rules.
610
610
611
611
The reason for reliance on the Wallet Unit may be a legal requirement, a
@@ -1871,7 +1871,7 @@ certificate does not contain further information about its authorisation or
1871
1871
registration to issue attestations of a specific type, for instance an mDL or
1872
1872
diploma. Authorisation is dealt with in the following manner:
1873
1873
1874
-
- For QEAA Providers and Pub-EAA Providers, no authorisation is necessary, since
1874
+
- For QEAA Providers and PuB-EAA Providers, no authorisation is necessary, since
1875
1875
these kinds of Providers are trusted by other actors in the EUDI Wallet
1876
1876
ecosystem to not fraudulently issue attestations that they are not legally
1877
1877
allowed to issue. This trust is warranted since these kinds of Providers operate
@@ -2078,7 +2078,7 @@ PID Provider. Each Wallet Provider will, prior to or during installation of a
2078
2078
Wallet Instance, let the User know which PID Providers are supported by this
2079
2079
Wallet Solution.
2080
2080
2081
-
For QEAAs, Pub-EAAs, and non-qualified EAAs, the situation is different.
2081
+
For QEAAs, PuB-EAAs, and non-qualified EAAs, the situation is different.
2082
2082
Providers of such attestations will support all Wallet Solutions and are not
2083
2083
allowed to discriminate between them when processing a request for the issuance
2084
2084
of an attestation. Conversely, a Wallet Solution supports all Attestation
0 commit comments