Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Description

This page is a reflection of the different concepts and terminology used in regards to the digital identity wallet. A try to create a common sensemaking around the digital identity wallet ecosystem.

...

Split comparison in two parts: 'protocol' and trust framework

References


Introduction

The implementation of digital identity wallets, particularly within the EU framework, involves specific terminology tied to technical standards and regulatory approaches. The purpose of this document is to provide an overview of currently used terminologies and to establish semantic and technical references between the systems.

Overview

  • W3C Verifiable Credentials Data Model v2.0
  • eIDAS 2.0
  • ARF 
  • (OpenID Federation)


Matrix


5678910111213A natural or legal person, or 141516A combination of services, settings, and configurations, including Wallet Instances, one or more Wallet Secure Cryptographic Applications and one or more Wallet Secure Cryptographic DevicesThe act of transferring information to the European Commission

Verifiable Credentials 2.0[1]

eIDAS 2.0 (according to itself)

eIDAS 2.0 (according to ARF[2])

Architecture and Reference Framework[3]

Implementing Regulations[4]

OpenID4VCI +
OpenID4VP

OpenID Federation Wallet Architectures 1.0[5]

Functional Aspects

(one of:
Issuance,
Verification,
Governance + Trust,
Holder)

Definition

1

Entity





OpenID4VCI+VP adopts "Entity" as defined by OpenID Connect Core [OpenID.Core]


Any

Anything that can be referenced in statements as an abstract or concrete noun. Entities include but are not limited to people, organizations, physical things, documents, abstract concepts, fictional characters, and arbitrary text. Any entity might perform roles in the ecosystem, if it can do so. Note that some entities fundamentally cannot take actions, for example, the string "abc" cannot issue credentials

2




National Accreditation Bodies (NAB)




Governance + Trust

A body that performs accreditation with authority derived from a Member State under Regulation (EC) No 765/2008

3


Public Sector Body

Public Sector Body

Public Sector Body




Governance + Trust

A state, regional or local authority, a body governed by public law or an association formed by one or several such authorities or one or several such bodies governed by public law, or a private entity mandated by at least one of those authorities, bodies or associations to provide public services, when acting under such a mandate

4

Certificate Authority (CA)


Body governed by Public Law






Governance + Trust

A body defined in point (4) of Article 2(1) of Directive 2014/24/EU of the European Parliament and of the Council

5




Certificate Authority (CA)




Governance + Trust

An entity which is trusted by one or more parties in the EUDI Wallet ecosystem to create and seal certificates

6




Trust Anchor




Governance + Trust

An authoritative entity represented by a public key and associated data. Note: based on RFC 5914

7




Registrar (of wallet-relying parties)




Governance + Trust

The body responsible for establishing and maintaining the list of registered wallet-relying parties established in their territory who has been designated by a Member State

8




Wallet Provider




Governance + Trust

A natural or legal person who provides Wallet Solutions

9







Wallet Provider

Governance + Trust

An Organizational Entity responsible for the development, publication, and management of a Wallet Solution

10





Provider of wallet-relying party access certificates (Access Certificate Authority, Access CA)



Governance + Trust

A natural or legal person mandated by a Member State to issue Relying Party access certificates to (Wallet-) Relying Parties registered in that Member State

11







Organizational Entity

Governance + Trust

A Federation Entity represented by a legal entity, specifically referring to public or private organizations (excluding natural persons) recognized through a unique identifier. For the purposes of this specification, an Organizational Entity is also referred to as an Organization

12

Subject





OpenID4VCI implicitly adopts the W3C Verifiable Credentials Data Model's concept of a subject as the entity about whom claims are made in a Verifiable Credential


(Holder)

A thing about which claims are made

13

Holder







Holder

A role an entity might perform by possessing one or more verifiable credentials and generating verifiable presentations from them. A holder is often, but not always, a subject of the verifiable credentials they are holding. Holders store their credentials in credential repositories

14






Holder


Holder

An entity that receives Credentials and has control over them to present them to the Verifiers as Presentations

15

 

User

User

Trust Service






Issuance, Verification

An electronic service normally provided for remuneration which consists of any of the following → see Article 3(16)

16

 

Qualified Trust Service






Issuance, Verification

A trust service that meets the applicable requirements laid down in this Regulation

17

 

User

User

User




Holder

A natural or legal person, or a natural person representing another natural person or a legal person, that uses trust services or electronic identification means provided in accordance with the [European Digital Identity Regulation]

18

 






Personal Device

Holder

Any electronic device that is primarily used by an individual. This includes smartphones, tablets, laptops, personal computers, smart watches, and other wearable technologies. Personal Devices are owned and managed by End-Users as individuals, rather than by Organizations, or by End-Users on behalf of an Organization

19

 




(Wallet) User



Holder

A user who is in control of the Wallet Unit

20

 

Product

Wallet Solution






Holder

Hardware or

software, or relevant components of hardware or software,

17

 

Wallet Solution

The Wallet Solution is a product offered by a Wallet Provider to enable End-Users to securely manage and use their Digital Credentials. It is delivered by the Wallet Provider in the form of mobile app or cloud service or another form of software application. It may also utilize services and web services for the exchange of data between its Wallet Provider and the Wallet Instances

18

 

Wallet Unit

A unique configuration of a Wallet Solution that includes Wallet instances, Wallet Secure Cryptographic Applications and Wallet Secure Cryptographic Devices provided by a Wallet Provider to an individual Wallet User

19

 

Wallet Instance

The application installed and configured on a Wallet User’s device or environment, which is part of a Wallet Unit, and that the Wallet User uses to interact with the Wallet Unit

20

 

Wallet Instance

Instance of a Wallet Solution belonging to and controlled by a person, be this natural or legal. It enables the request, storage, presentation, and management of Digital Credentials. It can be installed (instantiated) in a Personal Device or in a Remote Service.

21

 

Wallet Secure Cryptographic Application (WSCA)

An application that manages critical assets by being linked to and using the cryptographic and non-cryptographic functions provided by the Wallet Secure Cryptographic Device

22

 

Wallet Secure Cryptographic Device (WSCD)

A tamper-resistant device that provides an environment that is linked to and used by the Wallet Secure Cryptographic Application to protect critical assets and provide cryptographic functions for the secure execution of critical operations

23

 

Critical assets

Assets within or in relation to a Wallet Unit of such extraordinary importance that where their availability, confidentiality or integrity are compromised, this would have a very serious, debilitating effect on the ability to rely on the Wallet Unit

24

Issuer

A role an entity can perform by asserting claims about one or more subjects, creating a verifiable credential from these claims, and transmitting the verifiable credential to a holder

25

Provider of person identification data (PID Provider)

A natural or legal person responsible for issuing and revoking the person identification data and ensuring that the person identification data of a user is cryptographically bound to a Wallet Unit

26

Attestation Provider

When not further qualified, a collective term for QEAA Provider, PuB-EAA Provider, or (non-qualified) EAA Provider

27

Attestation Revocation List

A mechanism provided by a PID Provider or an Attestation Provider (or a trusted party acting on its behalf) for communicating the revocation status of PIDs and attestations, by publishing a list of identifiers of revoked PIDs or attestations

28

Attestation Status List

A mechanism provided by a PID Provider or an Attestation Provider (or a trusted party acting on its behalf) for communicating the revocation status of PIDs and attestations, by publishing status information (Valid or Invalid) for all relevant PIDs or attestations

29

Attestation Rulebook

A document describing the attestation type, namespace(s), and other features for a specific attestation type

30

Attestation Type

An identifier for a type of attestation, unique within the context of the EUDI Wallet ecosystem

31

Electronic identification scheme

Electronic identification scheme

A system for electronic identification under which electronic identification means are issued to natural or legal persons or natural persons representing other natural persons or legal persons

which are intended to be used for the provision of electronic identification and trust services

21

 

European Digital Identity Wallet






Holder

An electronic identification means which allows the user to securely store, manage and validate person identification data and electronic attestations of attributes for the purpose of providing them to relying parties and other users of European Digital Identity Wallets, and to sign by means of qualified electronic signatures or to seal by means of qualified electronic seals

22

 

EU Digital Identity Wallet Trust Mark






Governance + Trust

A verifiable, simple and recognisable indication which is communicated in a clear manner that a European Digital Identity Wallet has been provided in accordance with this Regulation

23

 




Wallet Solution



Holder

A combination of software, hardware, services, settings, and configurations, including Wallet Instances, one or more Wallet Secure Cryptographic Applications and one or more Wallet Secure Cryptographic Devices

24

 






Wallet Solution

Holder

The Wallet Solution is a product offered by a Wallet Provider to enable End-Users to securely manage and use their Digital Credentials. It is delivered by the Wallet Provider in the form of mobile app or cloud service or another form of software application. It may also utilize services and web services for the exchange of data between its Wallet Provider and the Wallet Instances

25

 




Wallet Unit



Holder

A unique configuration of a Wallet Solution that includes Wallet instances, Wallet Secure Cryptographic Applications and Wallet Secure Cryptographic Devices provided by a Wallet Provider to an individual Wallet User

26

 




Wallet Instance



Holder

The application installed and configured on a Wallet User’s device or environment, which is part of a Wallet Unit, and that the Wallet User uses to interact with the Wallet Unit

27

 






Wallet Instance

Holder

Instance of a Wallet Solution belonging to and controlled by a person, be this natural or legal. It enables the request, storage, presentation, and management of Digital Credentials. It can be installed (instantiated) in a Personal Device or in a Remote Service.

28

 




Wallet Secure Cryptographic Application (WSCA)



Holder

An application that manages critical assets by being linked to and using the cryptographic and non-cryptographic functions provided by the Wallet Secure Cryptographic Device

29

 




Wallet Secure Cryptographic Device (WSCD)



Holder

A tamper-resistant device that provides an environment that is linked to and used by the Wallet Secure Cryptographic Application to protect critical assets and provide cryptographic functions for the secure execution of critical operations

30

 




Critical assets



Holder

Assets within or in relation to a Wallet Unit of such extraordinary importance that where their availability, confidentiality or integrity are compromised, this would have a very serious, debilitating effect on the ability to rely on the Wallet Unit

31


Electronic registered delivery service






Any

A service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations

32


Qualified electronic registered delivery service






Any

An electronic registered delivery service which meets the requirements laid down in Article 44

33

Issuer







Issuance

A role an entity can perform by asserting claims about one or more subjects, creating a verifiable credential from these claims, and transmitting the verifiable credential to a holder

34





Provider of person identification data (PID Provider)



Issuance

A natural or legal person responsible for issuing and revoking the person identification data and ensuring that the person identification data of a user is cryptographically bound to a Wallet Unit

35




Attestation Provider




Issuance

When not further qualified, a collective term for QEAA Provider, PuB-EAA Provider, or (non-qualified) EAA Provider

36




Attestation Revocation List




Issuance

A mechanism provided by a PID Provider or an Attestation Provider (or a trusted party acting on its behalf) for communicating the revocation status of PIDs and attestations, by publishing a list of identifiers of revoked PIDs or attestations

37




Attestation Status List




Issuance

A mechanism provided by a PID Provider or an Attestation Provider (or a trusted party acting on its behalf) for communicating the revocation status of PIDs and attestations, by publishing status information (Valid or Invalid) for all relevant PIDs or attestations

38




Attestation Rulebook




Issuance

A document describing the attestation type, namespace(s), and other features for a specific attestation type

39




Attestation Type




Issuance

An identifier for a type of attestation, unique within the context of the EUDI Wallet ecosystem

40


Electronic Identification






Issuance

The process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing another natural person or a legal person

41


Electronic Identification Means






Issuance

A material and/or immaterial unit containing person identification data and which is used for authentication for an online service or, where appropriate, for an offline service

42


Electronic identification scheme

Electronic identification scheme

Electronic identification scheme




Issuance

A system for electronic identification under which electronic identification means are issued to natural or legal persons or natural persons representing other natural persons or legal persons

43


Identity matching






Issuance

A process where person identification data, or electronic identification means are matched with or linked to an existing account belonging to the same person

44

Verifier







Verification

A role an entity performs by receiving one or more verifiable credentials, optionally inside a verifiable presentation for processing. Other specifications might refer to this concept as a relying party

45







Credential Verifier

Verification

Entity that requests and verifies Digital Credentials presented by a Holder

46




Relying Party Instance




Verification

A software and/or hardware module with the capability to interact with a Wallet Unit and to perform Relying Party authentication, that is controlled by a Relying Party

47







Credential Verifier Instance

Verification

A software application that allows an individual to request to an Holder and receive from that Holder a Digital Credential, sometimes in a proximity flow, and then verify the received Digital Credential

48


Relying Party

Relying Party

Relying Party




Verification

A natural or legal person that relies upon electronic identification, European Digital Identity Wallets or other electronic identification means, or upon a trust service

49





(Wallet-) Relying Party



Verification

A Relying Party that intends to rely upon Wallet Units for the provision of public or private services by means of digital interaction

50





(Wallet-relying party) access certificate



Governance + Trust

A certificate for electronic seals or signatures authenticating and validating the (Wallet-) Relying Party, issued by a provider of wallet-relying party access certificates

51





(Wallet-relying party) registration certificate



Verification

A data object that indicates the attributes the Relying Party has registered to intend to request from Users

52

Verifiable Data Registry







Governance + Trust

A role a system might perform by mediating the creation and verification of identifiers, verification material, and other relevant data, such as verifiable credential schemas, revocation registries, and so on, which might require using verifiable credentials. Some configurations might require correlatable identifiers for subjects. Some registries, such as ones for UUIDs and verification material, might act as namespaces for identifiers

53




Trusted List




Governance + Trust

Repository of information about authoritative entities in a particular legal or contractual context which provides information about their current and historical status

54


Conformity Assessment Body

Conformity Assessment Body (CAB)

Conformity Assessment Body (CAB)




Governance + Trust

A conformity assessment body as defined in Article 2, point 13, of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a qualified trust service provider and the qualified trust services it provides, or as competent to carry out certification of European Digital Identity Wallets or electronic identification means.

55


Trust Service Provider






Governance + Trust

A natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider

56


Qualified Trust Service Provider

Qualified Trust Service Provider (QTSP)

Qualified Trust Service Provider (QTSP)




Governance + Trust

Qualified Trust Service Provider means a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body

57

Credential Repository







Issuance

Software, such as a file system, storage vault, or personal verifiable credential wallet, that stores and protects access to holders' verifiable credentials

58


Authentic Source

Authentic Source

Authentic Source




Issuance

A repository or system, held under the responsibility of a public sector body or private entity, that contains and provides attributes about a natural or legal person or object and that is considered to be a primary source of that information or recognised as authentic in accordance with Union law or national law, including administrative practice.

59







Authentic Source

Issuance

A protected Resource Server, not necessarily an OAuth 2.0 Resource Server, utilized by the Credential Issuer to retrieve the data necessary for issuing a Credential related to a subject

60


Electronic Document






Any

Any content stored in electronic form, in particular text or sound, visual or audiovisual recording

61


Data record






Any

Electronic data recorded with related meta-data supporting the processing of the data

62


Electronic ledger






Governance + Trust

A sequence of electronic data records, ensuring the integrity of those records and the accuracy of the chronological ordering of those records

63


Qualified electronic ledger






Governance + Trust

An electronic ledger which is provided by a qualified trust service provider and which meets the requirements laid down in Article 45l

64

Claim







Holder

An assertion made about a subject

65


Attribute

Attribute

Attribute




Holder

A characteristic, quality, right or permission of a natural or legal person or of an object.

66


Person Identification Data (PID)

Person Identification Data (PID)

Person Identification Data (PID)




Holder

A set of data that is issued in accordance with Union or national law and that enables the establishment of the identity of a natural or legal person, or of a natural person representing another natural person or a legal person

67


Personal data






Holder

Any information as defined in Article 4, point (1), of Regulation (EU) 2016/679

68




Pseudonym




Holder

Data uniquely representing a user which in itself does not allow to infer any user's attribute or person identification data, without the use of additional information that is kept separately by the issuer of the data uniquely representing the user

69

Credential







Issuance, Holder

A set of one or more claims made by an issuer. The claims in a credential can be about different subjects. The definition of credential used in this specification differs from, NIST's definitions of credential

70

Verifiable Credential







Issuance, Holder

A tamper-evident credential whose authorship can be cryptographically verified. Verifiable credentials can be used to build verifiable presentations, which can also be cryptographically verifiable

71

Presentation







Issuance, Holder

Data derived from one or more verifiable credentials issued by one or more issuers that is shared with a specific verifier

72

Verifiable Presentation







Issuance, Holder

A tamper-evident presentation of information encoded in such a way that authorship of the data can be trusted after a process of cryptographic verification. Certain types of verifiable presentations might contain data that is synthesized from, but does not contain, the original verifiable credentials (for example, zero-knowledge proofs)

73




Attestation




Issuance

When not further qualified, a collective term for a QEAA, PuB-EAA, or (non-qualified) EAA.

74


Electronic attestation of attributes

Electronic attestation of attributes (EAA)

Electronic attestation of attributes (EAA)




Issuance

An attestation in electronic form that allows attributes to be authenticated

75


Electronic attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source

Electronic attestation of attributes issued by or on behalf of a public sector body (PuB-EAA)

Electronic attestation of attributes issued by or on behalf of a public sector body (PuB-EAA)




Issuance

An electronic attestation of attributes issued by a public sector body that is responsible for an authentic source or by a public sector body that is designated by the Member State to issue such attestations of attributes on behalf of the public sector bodies responsible for authentic sources in accordance with Article 45f and with Annex VII

76


Qualified Electronic Attestation of Attributes

Qualified Electronic Attestation of Attributes (QEAA)

Qualified Electronic Attestation of Attributes (QEAA)




Issuance

An electronic attestation of attributes which is issued by a qualified trust service provider and meets the requirements laid down in Annex V

77

Graph







Issuance

A set of claims, forming a network of information composed of subjects and their relationship to other subjects or data. Each claim is part of a graph; either explicit in the case of named graphs, or implicit for the default graph

78

Default Graph







Issuance

The graph containing all claims that are not explicitly part of a named graph

79

Named Graph







Issuance

A graph associated with specific properties, such as verifiableCredential. These properties result in separate graphs that contain all claims defined in the corresponding JSON objects

80

Decentralized Identifier







Any

A portable URL-based identifier, also known as a DID, is associated with an entity. These identifiers are most often used in a verifiable credential and are associated with subjects such that a verifiable credential can be easily ported from one credential repository to another without reissuing the credential. An example of a DID is did:example:123456abcdef

81

Verification Material







Verification

Information that is used to verify the security of cryptographically protected information. For example, a cryptographic public key is used to verify a digital signature associated with a verifiable credential

82


Advanced Electronic Signature






Governance + Trust

An electronic signature which meets the requirements set out in Article 26

83


Qualified Electronic Signature

Qualified Electronic Signature (QES)

Qualified Electronic Signature (QES)




Governance + Trust

An advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures

84


Electronic Signature Creation Data






Governance + Trust

Unique data which is used by the signatory to create an electronic signature

85


Electronic Signature Creation Device






Governance + Trust

Configured software or hardware used to create an electronic signature

86


Qualified Electronic Signature Creation Device

Qualified Electronic Signature Creation Device (QSCD)

Qualified Electronic Signature Creation Device (QSCD)




Governance + Trust

Configured software or hardware used to create an electronic signature that meets the requirements laid down in Annex II of the European Digital Identity Regulation

87


Remote Qualified Electronic Signature Creation Device






Governance + Trust

A qualified electronic signature creation device that is managed by a qualified trust service provider in accordance with Article 29a on behalf of a signatory

88




Qualified Electronic Signature Remote Creation Provider




Governance + Trust

A natural or a legal person that offers services related to the remote creation, validation, and management of qualified electronic signatures that meet legal requirements and standards in the [European Digital Identity Regulation] to be considered as legally equivalent to handwritten signatures

89


Electronic Signature

(Electronic) signature

(Electronic) signature




Governance + Trust

Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign

90


Certificate for Electronic Signature






Governance + Trust

An electronic attestation which links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person

91


Qualified Certificate for Electronic Signature






Governance + Trust

A certificate for electronic signatures, that is issued by a qualified trust service provider and meets the requirements laid down in Annex I

92


Signatory






Governance + Trust

A  natural person who creates an electronic signature

93


Electronic seal

(Electronic) seal

(Electronic) seal




Governance + Trust

Data in electronic form which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity

94




Public Key Infrastructure (PKI)




Governance + Trust

Systems, software, and communication protocols that are used by EUDI Wallet ecosystem components to distribute, manage, and control public keys. A PKI publishes public keys and establishes trust within an environment by validating and verifying the public keys mapping to an entity

95

Verification







Verification

The evaluation of whether a verifiable credential or verifiable presentation is an authentic and current statement of the issuer or presenter, respectively. This includes checking that the credential or presentation conforms to the specification, the securing mechanism is satisfied, and, if present, the status check succeeds. Verification of a credential does not imply evaluation of the truth of claims encoded in the credential.

96

Validation







Verification

The assurance that a claim from a specific issuer satisfies the business requirements of a verifier for a particular use. This specification defines how verifiers verify verifiable credentials and verifiable presentations. It also specifies that verifiers validate claims in verifiable credentials before relying on them. However, the means for such validation vary widely and are outside the scope of this specification. Verifiers trust certain issuers for certain claims and apply their own rules to determine which claims in which credentials are suitable for use by their systems

97


Validation






Verification

The process of verifying and confirming that data in electronic form are valid in accordance with this Regulation

98


Validation data






Verification

Data used to validate an electronic signature or an electronic seal

99


Authentication

Authentication

Authentication





Issuance, Verification

An electronic process that enables the confirmation of the electronic identification of a natural or legal person or the confirmation of the origin and integrity of data in electronic form

100


Strong user authentication






Issuance, Verification

An authentication based on the use of at least two authentication factors from different categories of either knowledge, something only the user knows, possession, something only the user possesses or inherence, something the user is, that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data

101




Administrative validity period (of a PID or attestation)




Issuance, Verification

The date(s) from and/or up to which the attributes in the attestation are valid, which are represented as attribute(s) in the attestation

102




Technical validity period (of a PID or attestation)




Issuance, Verification

The dates (and possibly times) from and up to which the attestation is valid, which are represented as metadata of the attestation. Note: All PIDs and attestations have a technical validity period, which is typically much shorter than its administrative validity period (if existent). The technical validity period is chosen based on a risk analysis, e.g. with regard to User privacy.

103

Selective Disclosure







Holder

The ability of a holder to make fine-grained decisions about what information to share.

104



Selective Disclosure

Selective Disclosure




Holder

Selective disclosure is a concept empowering the owner of data to disclose only certain parts of a larger data set, in order for the receiving entity to obtain only such information as is necessary for the provision of a service requested by a user

105




Selective Disclosure




Holder

The capability enabling the User to present a subset of the attributes included in a PID or attestation.

106





Embedded disclosure policy



Issuance, Verification

A set of rules, embedded in an electronic attestation of attributes by its provider, that indicates the conditions that a wallet-relying party has to meet to access the electronic attestation of attributes

107




Namespace




Governance + Trust

A specification of the attribute identifier, syntax and semantics of attributes that can be used in an attestation, having an identifier that is unique within the context of the EUDI Wallet ecosystem

108




Notification




Governance + Trust

The act of transferring information to the European Commission

109






Credential Dataset [OpenID4VCI] →  Credential [OpenID4VP]


Issuance

OpenID4VCI: Credential Dataset is a set of one or more claims about a subject, provided by a Credential Issuer.

OpenID4VP: Credential is a set of one or more claims about a subject made by a Credential Issuer. In this specification, Credentials are usually Verifiable Credentials (defined below). Note that the definition of the term "Credential" in this specification is different from that in [OpenID.Core].

110






Credential (or Verifiable Credential (VC)) →  Verifiable Credential [OpenID4VCI]


Issuance

OpenID4VCI: Credential (or Verifiable Credential (VC)) is an instance of a Credential Configuration with a particular Credential Dataset, that is signed by an Issuer and can be cryptographically verified. An Issuer may provide multiple Credentials as separate instances of the same Credential Configuration and Credential Dataset but with different cryptographic values. In this specification, the term "Verifiable Credential" is also referred to as "Credential". It's important to note that the use of the term "Credential" here differs from its usage in [OpenID.Core] and [RFC6749]. In this context, "Credential" specifically does not encompass other meanings such as passwords used for login credentials.

OpenID4VP: Verifiable Credential (VC) is 
an Issuer-signed Credential whose authenticity can be cryptographically verified. Can be of any format used in the Issuer-Holder-Verifier Model, including, but not limited to those defined in [VC_DATA] (VCDM), [ISO.18013-5] (mdoc), and [I-D.ietf-oauth-sd-jwt-vc] (SD-JWT VC).

111






Credential Format [OpenID4VCI]


Issuance

Data Model used to create and represent Credential information. This format defines how various pieces of data within a Verifiable Credential are organized and encoded, ensuring that the Verifiable Credential can be consistently understood, processed, and verified by different systems. The exact parameters required to use a Credential Format in the context of this specification are defined in the Credential Format Profile. Definitions of Credential Formats is out of scope for this specification. Examples for Credential Formats are IETF SD-JWT VC [I-D.ietf-oauth-sd-jwt-vc], ISO mdoc [ISO.18013-5], and W3C VCDM [VC_DATA].

112






Credential Format Profile [OpenID4VCI]


Issuance

Set of parameters specific to individual Credential Formats. This specification provides Credential Format Profiles for IETF SD-JWT VC [I-D.ietf-oauth-sd-jwt-vc], ISO mdoc [ISO.18013-5], and W3C VCDM [VC_DATA], which can be found in the section Appendix A. Additionally, other specifications or deployments can define their own Credential Format Profiles by utilizing the extension points defined in this specification.

113






Credential Format Identifier [OpenID4VCI & OpenID4VP]


Issuance

An identifier to denote a specific Credential Format in the context of this specification. This identifier implies the use of parameters specific to the respective Credential Format Profile.

114






Credential Configuration [OpenID4VCI]


Issuance

Credential Issuer's description of a particular kind of Credential that the Credential Issuer is offering to issue, along with metadata pertaining to the issuance process and the issued Credentials. Each Credential Configuration references a Credential Format and specifies the corresponding parameters given in the Credential Format Profile. It also includes information about how issuance of a described Credential be requested, information on cryptographic methods and algorithms supported for issuance, and display information to be used by the Wallet. A Credential Configuration is identified by a Credential Configuration Identifier string that is unique to an Issuer. Credential Issuer metadata includes one or more Credential Configurations.

115






Presentation [OpenID4VCI & OpenID4VP]


Verification

OpenID4VCI: Data that is presented to a specific Verifier, derived from one or more Verifiable Credentials that can be from the same or different Credential Issuers. It can be of any Credential Format.

OpenID4VP: Data that is presented to a specific Verifier, derived from a Credential. In this specification, Presentations are usually Verifiable Presentations including Holder Binding (as defined below), but may also be Presentations without Holder Binding (discussed in Section 5.3).

116






Credential Issuer (or Issuer) [OpenID4VCI & OpenID4VP]


Issuance

OpenID4VCI: An entity that issues Verifiable Credentials. In the context of this specification, the Credential Issuer acts as an OAuth 2.0 Resource Server (see [RFC6749]). The Credential Issuer might also act as an Authorization Server.

OpenID4VP: An entity that issues Credentials. Also called Issuer.

N.B.: In the context of the OpenID4CVI specification,  the Credential Issuer acts as an OAuth 2.0 Resource Server and might also act as an Authorization Server.

117






Holder [OpenID4VCI & OpenID4VP]


Holder

An entity that receives Verifiable Credentials and has control over them to present them to the Verifiers as Presentations.

118






Verifier [OpenID4VCI & OpenID4VP]


Verification

OpenID4VCI: An entity that requests, receives, and validates Presentations.

OpenID4VP: An entity that requests, receives, and validates Presentations. The Verifier is a specific case of an OAuth 2.0 Client, just like a Relying Party (RP) in [OpenID.Core].

119






Issuer-Holder-Verifier Model [OpenID4VCI & OpenID4VP]


Governance + Trust

OpenID4VCI: Model that facilitates the exchange of claims, where claims are issued as Verifiable Credentials independently of the process of presenting them to Verifiers in the form of Presentations. An issued Verifiable Credential may be used multiple times, although this is not a requirement.

OpenID4VP: A model for exchanging claims, where claims are issued in the form of Credentials independent of the process of presenting them as Presentations to the Verifiers. An issued Credential may be used multiple times.

120






Holder Binding [OpenID4VCI] → Holder Binding or Key Binding [OpenID4VP]


Holder

Ability of the Holder to prove legitimate possession of a Verifiable Credential.

121






Cryptographic Key Binding [OpenID4VCI] → Cryptographic Holder Binding [OpenID4VP]


Holder

OpenID4VCI: Ability of the Holder to prove legitimate possession of a Verifiable Credential by proving control over the same private key used during issuance and presentation. The mechanism might depend on the Credential Format. For example, in IETF SD-JWT VC [I-D.ietf-oauth-sd-jwt-vc], the Issuer can enable key binding by including a public key or a reference to a public key, matching a private key controlled by the Holder, in the cnf claim.

OpenID4VP: Ability of the Holder to prove legitimate possession of a Credential by proving control over the same private key during the issuance and presentation. Mechanism might depend on the Credential Format. For example, in jwt_vc_json Credential Format, a Credential with Cryptographic Holder Binding contains a public key or a reference to a public key that matches to the private key controlled by the Holder.

122






Claims-based Binding [OpenID4VCI & OpenID4VP]


Holder

Ability of the Holder to prove legitimate possession of a Verifiable Credential by proofing certain claims, e.g., name and date of birth, for example, by presenting another Verifiable Credential. Claims-based Holder Binding allows long-term, cross-device use of a Credential as it does not depend on cryptographic key material stored on a certain device. One example of such a Verifiable Credential could be a Diploma.

123






Biometrics-based Binding [OpenID4VCI & OpenID4VP]


Holder

Ability of the Holder to prove legitimate possession of a Verifiable Credential by demonstrating a certain biometric trait, such as fingerprint or face. One example of a Verifiable Credential with Biometrics-based Holder Binding is a mobile driving license [ISO.18013-5], which contains a portrait of the holder.

124






Wallet [OpenID4VCI & OpenID4VP]


Holder

OpenID4VCI: An entity used by the Holder to request, receive, store, present, and manage Verifiable Credentials and cryptographic key material. There is no single deployment model of a Wallet: Credentials and keys can be stored and managed either locally, through a remote self-hosted service, or via a remote third-party service. In the context of this specification, the Wallet acts as an OAuth 2.0 Client (see [RFC6749]) and obtains an Access Token to access an OAuth 2.0 Resource Server (Credential Endpoint).

OpenID4VP: An entity used by the Holder to receive, store, present, and manage Credentials and key material. There is no single deployment model of a Wallet: Credentials and keys can both be stored/managed locally, or by using a remote self-hosted service, or a remote third-party service.

N.B.: In the context of the OpenID4VCI specification, the Wallet acts as an OAuth 2.0 Client (see [RFC6749]) and obtains an Access Token to access an OAuth 2.0 Resource Server (Credential Endpoint).

125






Deferred Credential Issuance [OpenID4VCI]


Issuance

Issuance of Credentials not directly in the response to a Credential issuance request but following a period of time that can be used to perform certain offline business processes.

126






Digital Credentials API [OpenID4VP]


Issuance (Wallet-to-Issuer / Wallet-to-Verifier API for exchanging verifiable credentials, independent of credential format).

The Digital Credentials API (DC API) refers to the W3C Digital Credentials API [W3C.Digital_Credentials_API] on the Web Platform and its equivalent native APIs on App Platforms (such as Credential Manager on Android).

127






Origin [OpenID4VP]


Verification

An identifier for the calling website or native application, asserted by the web or app platform. A web origin is the combination of a scheme/protocol, host, and port, with port being omitted when it matches the default port of the scheme. An app platform may use a linked web origin, or use a platform-specific URI for the app origin. For example, the Verifier for the organization MyExampleOrg is served from https://verify.example.com. The web origin is https://verify.example.com with https being the scheme, verify.example.com being the host, and the port is not explicitly included as 443 is the default port for the protocol https. The native applications origin on some platforms will also be https://verify.example.com and on other platforms, may be platform:pkg-key-hash:Z4OFzVVSZrzTRa3eg79hUuHy12MVW0vzPDf4q4zaPs0.

128






VP Token [OpenID4VP]


Verification

An artifact containing one or more Presentations returned as a response to an Authorization Request. The structure of VP Tokens is defined in Section 8.1.

129






Verifiable Presentation (VP) [OpenID4VP]


Verification

A Presentation with a cryptographic proof of Holder Binding. Can be of any format used in the Issuer-Holder-Verifier Model, including, but not limited to those defined in [VC_DATA] (VCDM), [ISO.18013-5] (mdoc), and [I-D.ietf-oauth-sd-jwt-vc] (SD-JWT VC).

32

Verifier

A role an entity performs by receiving one or more verifiable credentials, optionally inside a verifiable presentation for processing. Other specifications might refer to this concept as a relying party

33

Credential Verifier

Entity that requests and verifies Digital Credentials presented by a Holder

34

Relying Party Instance

A software and/or hardware module with the capability to interact with a Wallet Unit and to perform Relying Party authentication, that is controlled by a Relying Party

35

Credential Verifier Instance

A software application that allows an individual to request to an Holder and receive from that Holder a Digital Credential, sometimes in a proximity flow, and then verify the received Digital Credential

36

Relying Party

Relying Party

A natural or legal person that relies upon electronic identification, European Digital Identity Wallets or other electronic identification means, or upon a trust service

37

(Wallet-) Relying Party

A Relying Party that intends to rely upon Wallet Units for the provision of public or private services by means of digital interaction

38

(Wallet-relying party) access certificate

A certificate for electronic seals or signatures authenticating and validating the (Wallet-) Relying Party, issued by a provider of wallet-relying party access certificates

39

(Wallet-relying party) registration certificate

A data object that indicates the attributes the Relying Party has registered to intend to request from Users

40

Verifiable Data Registry

A role a system might perform by mediating the creation and verification of identifiers, verification material, and other relevant data, such as verifiable credential schemas, revocation registries, and so on, which might require using verifiable credentials. Some configurations might require correlatable identifiers for subjects. Some registries, such as ones for UUIDs and verification material, might act as namespaces for identifiers

41

Trusted List

Repository of information about authoritative entities in a particular legal or contractual context which provides information about their current and historical status

42

Conformity Assessment Body (CAB)

Conformity Assessment Body (CAB)

A conformity assessment body as defined in Article 2, point 13, of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a qualified trust service provider and the qualified trust services it provides, or as competent to carry out certification of European Digital Identity Wallets or electronic identification means.

43

Qualified Trust Service Provider (QTSP)

Qualified Trust Service Provider (QTSP)

Qualified Trust Service Provider means a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body

44

Credential Repository

Software, such as a file system, storage vault, or personal verifiable credential wallet, that stores and protects access to holders' verifiable credentials

45

Authentic Source

Authentic Source

A repository or system, held under the responsibility of a public sector body or private entity, that contains and provides attributes about a natural or legal person or object and that is considered to be a primary source of that information or recognised as authentic in accordance with Union law or national law, including administrative practice.

46

Authentic Source

A protected Resource Server, not necessarily an OAuth 2.0 Resource Server, utilized by the Credential Issuer to retrieve the data necessary for issuing a Credential related to a subject

47

Claim

An assertion made about a subject

48

Attribute

Attribute

A characteristic, quality, right or permission of a natural or legal person or of an object.

49

Person Identification Data (PID)

Person Identification Data (PID)

A set of data that is issued in accordance with Union or national law and that enables the establishment of the identity of a natural or legal person, or of a natural person representing another natural person or a legal person

50

Pseudonym

Data uniquely representing a user which in itself does not allow to infer any user's attribute or person identification data, without the use of additional information that is kept separately by the issuer of the data uniquely representing the user

51

Credential

A set of one or more claims made by an issuer. The claims in a credential can be about different subjects. The definition of credential used in this specification differs from, NIST's definitions of credential

52

Verifiable Credential

A tamper-evident credential whose authorship can be cryptographically verified. Verifiable credentials can be used to build verifiable presentations, which can also be cryptographically verifiable

53

Presentation

Data derived from one or more verifiable credentials issued by one or more issuers that is shared with a specific verifier

54

Verifiable Presentation

A tamper-evident presentation of information encoded in such a way that authorship of the data can be trusted after a process of cryptographic verification. Certain types of verifiable presentations might contain data that is synthesized from, but does not contain, the original verifiable credentials (for example, zero-knowledge proofs)

55

Attestation

When not further qualified, a collective term for a QEAA, PuB-EAA, or (non-qualified) EAA.

56

Electronic attestation of attributes (EAA)

Electronic attestation of attributes (EAA)

An attestation in electronic form that allows attributes to be authenticated

57

Electronic attestation of attributes issued by or on behalf of a public sector body (PuB-EAA)

Electronic attestation of attributes issued by or on behalf of a public sector body (PuB-EAA)

An electronic attestation of attributes issued by a public sector body that is responsible for an authentic source or by a public sector body that is designated by the Member State to issue such attestations of attributes on behalf of the public sector bodies responsible for authentic sources in accordance with Article 45f and with Annex VII

58

Qualified Electronic Attestation of Attributes (QEAA)

Qualified Electronic Attestation of Attributes (QEAA)

An electronic attestation of attributes which is issued by a qualified trust service provider and meets the requirements laid down in Annex V

59

Graph

A set of claims, forming a network of information composed of subjects and their relationship to other subjects or data. Each claim is part of a graph; either explicit in the case of named graphs, or implicit for the default graph

60

Default Graph

The graph containing all claims that are not explicitly part of a named graph

61

Named Graph

A graph associated with specific properties, such as verifiableCredential. These properties result in separate graphs that contain all claims defined in the corresponding JSON objects

62

Decentralized Identifier

A portable URL-based identifier, also known as a DID, is associated with an entity. These identifiers are most often used in a verifiable credential and are associated with subjects such that a verifiable credential can be easily ported from one credential repository to another without reissuing the credential. An example of a DID is did:example:123456abcdef

63

Verification Material

Information that is used to verify the security of cryptographically protected information. For example, a cryptographic public key is used to verify a digital signature associated with a verifiable credential

64

Qualified Electronic Signature (QES)

Qualified Electronic Signature (QES)

An advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures

65

Qualified Electronic Signature Creation Device (QSCD)

Qualified Electronic Signature Creation Device (QSCD)

Configured software or hardware used to create an electronic signature that meets the requirements laid down in Annex II of the [European Digital Identity Regulation

66

Qualified Electronic Signature Remote Creation Provider

A natural or a legal person that offers services related to the remote creation, validation, and management of qualified electronic signatures that meet legal requirements and standards in the [European Digital Identity Regulation] to be considered as legally equivalent to handwritten signatures

67

(Electronic) signature

(Electronic) signature

Data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign

68

(Electronic) seal

(Electronic) seal

Data in electronic form which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity

69

Public Key Infrastructure (PKI)

Systems, software, and communication protocols that are used by EUDI Wallet ecosystem components to distribute, manage, and control public keys. A PKI publishes public keys and establishes trust within an environment by validating and verifying the public keys mapping to an entity

70

Verification

The evaluation of whether a verifiable credential or verifiable presentation is an authentic and current statement of the issuer or presenter, respectively. This includes checking that the credential or presentation conforms to the specification, the securing mechanism is satisfied, and, if present, the status check succeeds. Verification of a credential does not imply evaluation of the truth of claims encoded in the credential.

71

Validation

The assurance that a claim from a specific issuer satisfies the business requirements of a verifier for a particular use. This specification defines how verifiers verify verifiable credentials and verifiable presentations. It also specifies that verifiers validate claims in verifiable credentials before relying on them. However, the means for such validation vary widely and are outside the scope of this specification. Verifiers trust certain issuers for certain claims and apply their own rules to determine which claims in which credentials are suitable for use by their systems

72

Authentication

Authentication

An electronic process that enables the confirmation of the electronic identification of a natural or legal person or the confirmation of the origin and integrity of data in electronic form

73

Administrative validity period (of a PID or attestation)

The date(s) from and/or up to which the attributes in the attestation are valid, which are represented as attribute(s) in the attestation

74

Technical validity period (of a PID or attestation)

The dates (and possibly times) from and up to which the attestation is valid, which are represented as metadata of the attestation. Note: All PIDs and attestations have a technical validity period, which is typically much shorter than its administrative validity period (if existent). The technical validity period is chosen based on a risk analysis, e.g. with regard to User privacy.

75

Selective Disclosure

The ability of a holder to make fine-grained decisions about what information to share.

76

Selective Disclosure

Selective Disclosure

Selective disclosure is a concept empowering the owner of data to disclose only certain parts of a larger data set, in order for the receiving entity to obtain only such information as is necessary for the provision of a service requested by a user

77

Selective Disclosure

The capability enabling the User to present a subset of the attributes included in a PID or attestation.

78

Embedded disclosure policy

A set of rules, embedded in an electronic attestation of attributes by its provider, that indicates the conditions that a wallet-relying party has to meet to access the electronic attestation of attributes

79

Namespace

A specification of the attribute identifier, syntax and semantics of attributes that can be used in an attestation, having an identifier that is unique within the context of the EUDI Wallet ecosystem

80

Notification



[1] https://www.w3.org/TR/vc-data-model-2.0/#terminology

...

[5] https://openid.net/specs/openid-federation-wallet-1_0.html#name-terminology

(Building Material)

Core Terminology in EU Standards

...