1. Introduction¶

Over the last decade, digitalization has radically transformed the way citizens and businesses interact with public and private services, introducing new secure, accessible and user-friendly forms of service access.

In Italy, Decree-Law No. 19 of 2 March 2024, converted, with amendments, by Law No. 56 of 29 April 2024, introduced Article 64-quater of Legislative Decree No. 82 of 7 March 2005, establishing the Italian Digital Wallet System - IT-Wallet System. The IT-Wallet System allows natural or legal persons to access public and private services through the secure presentation of Digital Credential, attesting to entitlements, delegations, characteristics, licenses or qualifications. Article 64-quater also provides for the adoption of one or more implementing decrees (decreti attuativi) to define the rules governing the operation of the IT-Wallet System, including the roles of the entities involved, technical and security requirements, and principles of economic sustainability, of which these Technical Specifications – drafted through an open and collaborative process – form an integral part.

Thanks to the IT-Wallet System, natural and legal persons can directly provide, via their wallet, the information required for accessing services provided by public and private entities in the form of Digital Credentials. Similarly to a physical wallet, the IT-Wallet can contain identity or document-related data, such as a driver's license or health card, as well as a wide range of verifiable digital information, such as a professional qualification, educational diploma, licence or certified attribute.

The main roles in the Wallet ecosystem are listed as follow:

Credential Issuers: parties who issue Digital Credentials to Users;
Relying Parties: parties who request Digital Credentials presentations to the User, for Authentication and authorization purposes;
Users: individuals who own a Wallet Instance and have control over the Digital Credentials they can request, acquire, store, and present to Relying Parties;

In this model, the Credential Issuer (e.g., an educational institution) provides Digital Credentials to the User, who can store them in their Wallet Instance. The Wallet Instance is typically provided as a mobile application on the User's smartphone.

What distinguishes this new approach from previous identity access management systems is that Digital Credentials refer to characteristics, qualities or properties, already authenticated at source. These Digital Credentials can be used by the User without the Credential Issuers being aware of their use. During the use of the Digital Credentials, no usage information is released to third parties as the relationship is exclusive between the User and the Relying Party, in a transparent and informed manner. The development of the IT-Wallet System includes a phased experimentation process, aimed at testing the Wallet and assessing its impact in real-world contexts. This process is designed to validate technical components, user experience elements, and interoperability mechanisms, while ensuring a progressive and controlled adoption of the System. Moreover, it supports the continuous improvement of the IT-Wallet and its gradual alignment with the European Digital Identity Wallet (EUDI Wallet), both in terms of architecture and compliance with evolving European specifications.

Other key elements that characterize this new Digital Identity Wallet paradigm include:

Confidentiality and control: Wallets enable individuals to maintain control over the information provided within the presented Credentials. They can choose what attributes or Credentials to present and to whom;
Security: Wallets leverage cryptographic mechanism for the integrity and the security of exchaged data. This avoids identity theft, fraud, and unauthorized access;
Interoperability: Wallets promote interoperability by enabling different systems and organizations to recognize and verify identities, enabling trusted interactions between individuals, organizations, and even across borders;
Efficiency and cost reduction: Individuals can easily manage their own Credentials, avoid handling multiple identity tokens, and reduce repetitive identity verification processes.

1.1. Scope¶

These Technical Specifications are intended to complement the Guidelines provided for in Article 64-quater of Legislative Decree No. 82/2005 (CAD). Both the Guidelines and these Technical Specifications, once formally adopted, will become part of the regulatory framework for the IT-Wallet System. They will be periodically updated, where necessary, in light of the results of the experimentation phase, the adoption of new national or European legislative acts, and evolving requirements in terms of security and interoperability. These Technical Specifications pursue two main objectives and represent a core component of the implementation framework for the IT-Wallet System.

The first one is to provide a clear and structured set of recommendations, resources and design requirements related to the IT-Wallet System elements that impact on the User Experience. The document, by distinguishing between mandatory regulatory aspects and good design practices, aims to provide to public entities and private entities interested in taking part in the IT-Wallet System what is necessary to:

facilitate the understanding and adoption of the Service Model, increasing the number of potential services and usage opportunities for the User;
adopt the IT-Wallet System's Visual Identity in order to enhance its reliability and recognizability for the User;
ensure design consistency across macro-functionalities and single interactions between the User and the service Touchpoints;
maintain an adequate level of quality, promoting the principles of usability, accessibility and inclusivity.

The second focus is to define the technical architecture and reference framework that will serve as a guideline for all the parties involved in the development of the IT-Wallet System.

Additional documentation, tools and resources - hereinafter defined Official Resources - for the design and development of the IT-Wallet System Technical Solutions will be made available on the upcoming website http://www.wallet.gov.it.

1.2. Normative Language and Conventions¶

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

1.3. How to Read the Specification¶

This specification is designed to fulfil the requirements from multiple stakeholders within the IT-Wallet ecosystem. Each role has different responsibilities and scopes, and therefore different information needs. This section provides tailored reading paths to help you navigate efficiently to the content most relevant to the implementation goals.

1.3.1. Specification Structure Overview¶

The specification is organized into the following major sections:

Section Introduction:: Establishes scope, and normative language for the IT-Wallet ecosystem.
Section Design Principles:: Provides design principles, and brand identity requirements for the IT-Wallet ecosystem.
Section Architecture Overview:: Provides high-level system functionalities and guidance for navigating the specification based on implementation requirements.
Section The Infrastructure of Trust:: Defines the federation-based trust model, entity relationships, and trust evaluation mechanisms that secure the entire ecosystem.
Section Entities:: Comprehensive implementation requirements for each ecosystem participant: Wallet Solutions, Credential Issuers, Relying Parties, and Authentic Sources, including their components, interaction patterns, and configuration requirements.
Section Digital Credential Management:: Covers Digital Credential data models and formats, lifecycle management, validity verification, and the Credentials catalogue structure.
Section Digital Credential Flows:: Detailed implementation guidance for Digital Credential issuance and presentation workflows, including both remote and proximity interaction flows.
Section Endpoints:: Technical specifications for all API endpoints exposed by each entity type, including federation endpoints and specialized service integrations.
Section Cryptographic Algorithms, Security and Privacy Considerations, and General Log Retention Policies (Implementation Support):: Cryptographic requirements, security and privacy considerations, and log retention policies essential for compliant implementations.
Section Defined Terms and References, How to contribute, and Open Source Releases (Terminology and References):: Comprehensive terminology, normative references, contribution guidelines.
Section Appendix:: Provides supplementary technical details, implementation patterns, and testing frameworks including mobile application instance management, national platform integration specifications, and comprehensive test matrices for ecosystem validation.

1.3.2. Reading Paths by Role¶

Before diving into role-specific sections, all readers should be familiar with the foundational concepts outlined in Sections Introduction, Architecture Overview, and The Infrastructure of Trust, which establish the common vocabulary, design principles, and trust infrastructure that provide the underlying framework for the entire ecosystem.

1.3.2.1. Wallet Provider¶

Readers implementing or operating a Wallet Provider Solution should focus on understanding how to securely manage Digital Credentials and facilitate User interactions with other ecosystem participants.

Essential sections:

Section Wallet Solution: Complete wallet implementation requirements, components, and interaction processes.
Section Digital Credential Management: Digital Credential data models, formats and lifecycle management.
Section Digital Credential Flows: Issuance and presentation flows for Digital Credentials.
Section Wallet Provider Endpoints: Federation and IT-Wallet specific API specifications.
Section Cryptographic Algorithms: Security and cryptographic implementation requirements.
Section Mobile Application Instance: Mobile-specific implementation patterns.
Section e-Service PDND: Integration with the National Data Interoperability Platform.

Secondary sections:

Section Credential Issuer Solution: Understanding issuer interactions and requirements.
Section Relying Party Solution: Understanding RP interactions and presentation protocols.

1.3.2.2. Credential Issuer¶

For readers who are interested in implementing a Credential Issuer Solution, they should focus on the Digital Credential lifecycle and issuance interaction flows.

Essential sections:

Section Credential Issuer Solution: Credential Issuer Solution - Complete Issuer implementation requirements and component details.
Section Authentic Sources: Understanding authoritative data source integration patterns.
Section Digital Credential Management: Digital Credential formats and lifecycle management.
Section Digital Credential Issuance: Detailed issuance flow implementation.
Section Credential Issuer Endpoints: Federation and issuance-specific API specifications.
Section Cryptographic Algorithms: Signing algorithms and security implementation requirements.

Secondary sections:

Section Wallet Solution: Understanding Wallet Instance interactions and requirements.
Section Digital Credential Presentation: Understanding how Digital Credentials are presented in both remote and proximity scenario.
Section e-Service PDND: Integration with the National Data Interoperability Platform.

Note

If the Credential Issuer authenticates the User it must comply with Section Digital Credential Presentation. If the Authentic Source providing User's attributes belongs to the public sector it must comply with Section e-Service PDND.

1.3.2.3. Authentic Source¶

If the reader wants to operate an Authentic Source, the focus should be on secure data provision and integration with Credential Issuers.

Essential sections:

Section Authentic Sources: Requirements and integration patterns with Credential Issuers.
Section Authentic Source Endpoints: API specifications and catalogue integration.
Section Cryptographic Algorithms: Data integrity, authentication, and security requirements.
Section e-Service PDND: PDND integration and interoperability requirements.

Secondary sections:

Section Credential Issuer Solution: Understanding Credential Issuers main components and integration processes.
Section Digital Credential Management: Understanding how authoritative data and attributes becomes Digital Credentials, and how their lifecycle is managed.

1.3.2.4. Relying Party¶

Readers interested in implementing or operating a Relying Party Solution to accept and verify Digital Credentials should focus on presentation protocols and verification mechanisms.

Essential sections:

Section Relying Party Solution: Complete verifier implementation requirements and Entity Configuration.
Section Digital Credential Management: Understanding Digital Credential formats and validity verification.
Section Digital Credential Presentation: Presentation flow implementation for both remote and proximity scenarios.
Section Relying Party Endpoints: Federation and verification related API specifications.
Section Cryptographic Algorithms: Cryptographic suite requirements.

Secondary sections:

Section Wallet Solution: Understanding Wallet Instance interactions and presentation protocols
Section Mobile Application Instance: Mobile-specific implementation patterns.

1.3.3. Cross-Cutting Topics¶

Regardless of your primary role, certain sections contain information relevant to all ecosystem participants:

Security and Compliance:: All implementers must implement their solutions according to Section Security and Privacy Considerations and Section General Log Retention Policies.
Standards and References:: Section Defined Terms and References provides normative references, defined terms, and technical standards to enable secure and proper interoperability among all participants.
Testing and Validation:: Section Test Plans provides a comprehensive test matrix for validating implementations across different roles and interaction flows.

1.3.4. Implementation Approach¶

The following phased reading approach is suggested:

Foundation Phase: Read Sections Introduction, Architecture Overview, and The Infrastructure of Trust to establish conceptual understanding of the IT-Wallet paradigm, design principles, and trust infrastructure.

Role-Specific Phase: Focus on primary role's essential sections to understand specific implementation requirements, main technical component, the general architecture and interaction flows (see Section Entities and Section Endpoints for more details).

Integration Phase: Review secondary sections relevant to interactions with other ecosystem participants and platform integration requirements.

Validation Phase: Study security considerations, testing guidance, and compliance requirements according to Sections Security and Privacy Considerations, General Log Retention Policies, and Test Plans for additional information.

Note

For implementers working on solutions that span multiple roles (e.g., a combined Issuer Relying Party Solutions), it is recommended reviewing the sections for all relevant roles before proceeding with the developments. It is important to take particular note of Entity Configuration requirements and federation flows that apply to multiple roles.