ACN's security and architecture scomposition and harmonization for certification purposes#1025
Open
peppelinux wants to merge 19 commits intoversione-correntefrom
Open
ACN's security and architecture scomposition and harmonization for certification purposes#1025peppelinux wants to merge 19 commits intoversione-correntefrom
peppelinux wants to merge 19 commits intoversione-correntefrom
Conversation
Co-authored-by: Cursor <cursoragent@cursor.com> # Conflicts: # docs/en/wallet-solution-requirements.rst
Contributor
There was a problem hiding this comment.
Pull request overview
This PR updates the IT-Wallet technical documentation to align with ACN/ENISA-style certification decomposition and CIR 2024/2981, introducing a dedicated certification annex and propagating certification scope / component mapping across architecture and requirements sections.
Changes:
- Added a new certification annex (EN/IT) describing the certification scheme, in-scope/out-of-scope components, and cross-references.
- Reworked Wallet Solution requirements (EN/IT) into decomposition-aligned requirement tables and added WSCD WL2/WL3 security-level constraints across lifecycle/issuance/issuer sections.
- Updated common references/glossary/acronyms and improved CI pip caching configuration.
Reviewed changes
Copilot reviewed 37 out of 37 changed files in this pull request and generated 8 comments.
Show a summary per file
| File | Description |
|---|---|
| preview_build/requirements.txt | Removed legacy local preview build dependency list. |
| preview_build/preview_configuration.py | Removed legacy Sphinx preview configuration. |
| preview_build/build.sh | Removed legacy local preview build script. |
| docs/common/common_definitions.rst | Added shared hyperlinks for CIR 2024/2981 and GDPR (Reg. 2016/679). |
| docs/it/appendix.rst | Included the new certification annex in the IT appendix. |
| docs/it/annex-certification-scheme.rst | Added IT annex describing certification scheme and decomposition approach. |
| docs/it/credential-issuer-solution.rst | Added certification decomposition mapping for PID Provider (PPBE) and WSCD level checks. |
| docs/it/credential-issuance-high-level.rst | Added explicit WL3 requirement check for PID issuance. |
| docs/it/defined-terms.rst | Extended terms/acronyms to support certification decomposition terminology. |
| docs/it/how-to-read-spec.rst | Updated references to use the new test-plans anchors. |
| docs/it/normative-ref.rst | Added CIR 2024/2981 to normative references. |
| docs/it/test-plans.rst | Added test-plans anchor and minor wording update. |
| docs/it/test-plans-wallet-provider.rst | Added test-plans-wallet-provider anchor. |
| docs/it/wallet-attestation-issuance.rst | Added WSCD WL2/WL3 classification step during WAA/WUA issuance flow. |
| docs/it/wallet-instance-lifecycle.rst | Added WSCD WL2/WL3 classification requirement during activation. |
| docs/it/wallet-solution-components.rst | Added decomposition+certification scope mapping section and expanded Secure Storage description. |
| docs/it/wallet-solution-requirements.rst | Converted requirements into decomposition/scoping tables and added WSCD security-level section. |
| docs/it/wallet-solution.rst | Added Wallet Solution certification decomposition overview and references. |
| docs/en/appendix.rst | Included the new certification annex in the EN appendix. |
| docs/en/annex-certification-scheme.rst | Added EN annex describing certification scheme and decomposition approach. |
| docs/en/architecture-overview.rst | Added certification/conformity assessment as an explicit core interaction process. |
| docs/en/credential-issuer-solution.rst | Added certification decomposition mapping for PID Provider (PPBE) and WSCD level checks. |
| docs/en/credential-issuance-high-level.rst | Added explicit WL3 requirement check for PID issuance. |
| docs/en/defined-terms.rst | Added certification/decomposition terms plus WL2/WL3 and NPID definitions/acronyms. |
| docs/en/how-to-read-spec.rst | Updated references to use the new test-plans anchors. |
| docs/en/normative-ref.rst | Added CIR 2024/2981 to normative references. |
| docs/en/test-plans.rst | Added test-plans anchor and minor wording update. |
| docs/en/test-plans-wallet-provider.rst | Added test-plans-wallet-provider anchor. |
| docs/en/wallet-attestation-issuance.rst | Added WSCD WL2/WL3 classification step during WAA/WUA issuance flow. |
| docs/en/wallet-instance-lifecycle.rst | Added WSCD WL2/WL3 classification requirement during activation. |
| docs/en/wallet-solution-components.rst | Added decomposition+certification scope mapping section and expanded Secure Storage description. |
| docs/en/wallet-solution-requirements.rst | Converted requirements into decomposition/scoping tables and added WSCD security-level section. |
| docs/en/wallet-solution.rst | Added Wallet Solution certification decomposition overview and references. |
| .github/workflows/ci-html.yml | Improved pip cache keying by setting cache-dependency-path to requirements-dev.txt. |
| .github/workflows/build-pdf.yml | Improved pip cache keying by setting cache-dependency-path to requirements-dev.txt. |
| .github/workflows/build-html.yml | Improved pip cache keying by setting cache-dependency-path to requirements-dev.txt. |
| .github/workflows/build-html-manual.yml | Improved pip cache keying by setting cache-dependency-path to requirements-dev.txt. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…the merge conflict
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 37 out of 37 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| - The Wallet Unit Attestation MUST NOT be issued by the Wallet Provider if the WSCD trustworthiness is not guaranteed. In this case, the Wallet Instance MUST be revoked. | ||
| - WPBE, WI | ||
| * - WUA-011 | ||
| - An Attestation Provider issuing non-device-bound attestations SHALL indicate in its Credential Issuer metadata that it does not need a WUA. A Wallet Unit SHALL NOT send a WUA to an Attestation Provider when requesting a non-device-bound attestation. Note: A Wallet Unit sends a WIA to the Attestation Provider regardless of whether the attestations it issues are device-bound or not. |
There was a problem hiding this comment.
The acronym "WIA" is used in the note but is not defined in the glossary or acronyms section. Based on context, this might be intended to refer to "WAA" (Wallet App Attestation), or it could be a shorthand for "Wallet Instance Attestation". Please verify that this acronym is correct and consider adding it to the defined terms if it's intentional, or correct it to "WAA" if it's a typo.
Suggested change
| - An Attestation Provider issuing non-device-bound attestations SHALL indicate in its Credential Issuer metadata that it does not need a WUA. A Wallet Unit SHALL NOT send a WUA to an Attestation Provider when requesting a non-device-bound attestation. Note: A Wallet Unit sends a WIA to the Attestation Provider regardless of whether the attestations it issues are device-bound or not. | |
| - An Attestation Provider issuing non-device-bound attestations SHALL indicate in its Credential Issuer metadata that it does not need a WUA. A Wallet Unit SHALL NOT send a WUA to an Attestation Provider when requesting a non-device-bound attestation. Note: A Wallet Unit sends a WAA to the Attestation Provider regardless of whether the attestations it issues are device-bound or not. |
Member
Author
There was a problem hiding this comment.
WAA doesn not exist anymore, #1031 aligns the specification according to this evidence.
| - La Wallet Unit Attestation NON DEVE essere emessa dal Wallet Provider se l'affidabilità del WSCD non è garantita. In tal caso, l'istanza del Wallet DEVE essere revocata. | ||
| - WPBE, WI | ||
| * - WUA-011 | ||
| - Un Attestation Provider che emette attestazioni non vincolate al dispositivo DEVE indicare nei propri metadati del Credential Issuer che non richiede una WUA. Una Wallet Unit NON DEVE inviare una WUA a un Attestation Provider quando richiede un'attestazione non vincolata al dispositivo. Nota: Una Wallet Unit invia una WIA all'Attestation Provider indipendentemente dal fatto che le attestazioni emesse siano vincolate o meno al dispositivo. |
There was a problem hiding this comment.
L'acronimo "WIA" è utilizzato nella nota ma non è definito nel glossario o nella sezione acronimi. In base al contesto, potrebbe essere inteso come riferimento a "WAA" (Wallet App Attestation), oppure potrebbe essere un'abbreviazione per "Wallet Instance Attestation". Si prega di verificare che questo acronimo sia corretto e di considerare di aggiungerlo ai termini definiti se è intenzionale, o di correggerlo in "WAA" se si tratta di un errore di battitura.
Member
Author
There was a problem hiding this comment.
WAA does not exist anymore, the alignment with WIA is provided at #1031
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Lia <139998796+RosaliaGaleano@users.noreply.github.com>
Member
Author
|
During the meeting of 18 feb 2025, we agreed that this PR is about LTS and to be included in the LTS it must remove the NPID, since only this represent a breaking change. |
…rente All NPID content moved to branch npid-national-pid. scomposition_acn now contains only PID (Person Identification Data) as defined in versione-corrente.
…-wallet-docs into scomposition_acn
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request resolves #894, #895 and #896.
It introduces a comprehensive annex describing the certification scheme and component decomposition for the IT-Wallet system, clarifies certification scope and terminology, and aligns technical documentation with regulatory requirements (notably CIR 2024/2981). It also updates definitions and acronyms to support these changes, and makes minor clarifications in related sections.
Certification Scheme and Component Decomposition:
annex-certification-scheme.rst) that details the certification scheme, including regulatory background, decomposition hierarchy, in-scope and out-of-scope components, and cross-references to technical specifications. This annex clarifies which system components require certification and under what circumstances, in line with CIR 2024/2981. [1] [2]Terminology and Definitions:
defined-terms.rstto include new terms such as "Certification Scope," "Certification Macro-component," "Identity Proofing," "NPID," "WL2," "WL3," and others, ensuring clear understanding of certification-related concepts. [1] [2] [3] [4] [5]Regulatory References:
Security and Certification Requirements:
Minor Documentation Improvements:
These changes collectively improve the clarity and completeness of the IT-Wallet system's certification documentation and ensure alignment with current regulatory requirements.