EIDAS 2.0

From MgmtWiki
Jump to: navigation, search

Full Title

Electronic Identification, Authentication and Trust Services (eIDAS)

Context

European Identifier Standards[1]

eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions in the European Single Market. It was established in EU Regulation 910/2014 of 23 July 2014. All organizations delivering public digital services in an EU member state must recognize electronic identification from all EU member states from September 29, 2018.

European Digital Identity (EUDI)

  • The European Digital Identity is based on a European Commission document called “European Digital Identity Architecture and Reference Framework” that has established the functional and architectural requirements for an upcoming European Digital Identity Wallet.

eIDAS 2 defines three different legal regimes

  1. European digital identity wallet (EUDIW) - a new, harmonized, electronic identification means
  2. (Qualified) electronic attestations of attributes ((Q)EEAs) - expansion of the trust services market, with legal effect and access to authentic sources for attribute verification
  3. Electronic attestations of attributes issued by or on behalf of a public sector body responsible for an authentic source (EEAPSBs) - administrative procedure-based authentic data legal cross-border legal recognition, based in fulfilling requirements equivalent to QEEAs.

The EUDIW will support (Q)EEAS and EEAPBS, of course.

But (Q)EEAs or EEAPSBs can be issued to EUDIWs or elsewhere, and according to different identity management approaches, specially federated and decentralized approaches, and data spaces as well.

But the eIDAS proposal does not cover federations or other sources of Identifiers and so "is not providing a full solution."[2]

Architecture

Problems

Much the the slide below makes sense for many implementations, but given a good security Framework, they can all be mitigated. What is unclear is whether there will be any such Framework in place prior to roll-out of eIDAS wallets. EIDAS not trustworthy.jpg

Comments from IIW 2023-04

from Giuseppe 
Working on the next release of the ARF (1.2) [Architectural Reference Framework]. Tech spec that must be adopted in the EIDAS system 
User stories from the Italian Delegation -- https://docs.google.com/document/d/1SLoEHBLcsPJ-TCt9iIBCCGk4CzXehFn0ijswMBPUbFY/edit
References OIDC4VP, OIDC4VCI, SIOPv2, Selective disclosure JWTs
Specified specs for online and offline use cases
Working on the details of the trust model
Also pushing OpenID Connect Federation as part of the trust model
Have the wallet ecosystem leverage OpenID Connect Federation
Won't use only x509
Revocation list is another area that needs more specification
Status-list uses JSON LD
Need "official"  specs not just individual drafts
x509 PKI Trusted list
More interested in OpenID Federation trust chain
Working with European Blockchain group for digital identity to propose an API based on OpenID Federation
TLS is not sufficient for trust
Italian Delegation shared doc  https://docs.google.com/document/d/1uL61cfbFsOxC9zMJV81iTTUc7ZOv_WFgLD5Ruyr_fJ8/edit#
targeting IETF for this work, Some discussion on revocation lists (status list) - Christian
Tobias working on a proposal
Trust Management 
small session at IIW
an area that still needs work across the industry

References

  1. European Commission, eIDAS Regulation https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation
  2. Ignacio Alamillo, Standardization in Digital Credentials for Education Workshop Logalty (2023-09-21) https://www.youtube.com/watch?v=jjOd6JAEJmk