1. Introduction¶
Over the last decade, digitalization has radically transformed the way citizens and businesses interact with public and private services, introducing new secure, accessible and user-friendly forms of service access.
In Italy, Decree-Law No. 19 of 2 March 2024, converted, with amendments, by Law No. 56 of 29 April 2024, introduced Article 64-quater of Legislative Decree No. 82 of 7 March 2005, establishing the Italian Digital Wallet System - IT-Wallet System. The IT-Wallet System allows natural or legal persons to access public and private services through the secure presentation of Digital Credential, attesting to entitlements, delegations, characteristics, licenses or qualifications. Article 64-quater also provides for the adoption of one or more implementing decrees (decreti attuativi) to define the rules governing the operation of the IT-Wallet System, including the roles of the entities involved, technical and security requirements, and principles of economic sustainability, of which these Technical Specifications – drafted through an open and collaborative process – form an integral part.
Thanks to the IT-Wallet System, natural and legal persons can directly provide, via their Wallet, the information required for accessing services provided by public and private entities in the form of Digital Credentials. Similarly to a physical wallet, the IT-Wallet can contain identity or document-related data, such as a driver's license or health card, as well as a wide range of verifiable digital information, such as a professional qualification, educational diploma, licence or verifiable attribute.
The main roles in the Wallet ecosystem are listed as follow:
Credential Issuers: parties who issue Digital Credentials to Users;
Relying Parties: parties who request Digital Credentials presentations to the User, for Authentication and authorization purposes;
Users: individuals who own a Wallet Instance and have control over the Digital Credentials they can request, acquire, store, and present to Relying Parties;
In this model, the Credential Issuer (e.g., an educational institution) provides Digital Credentials to the User, who can store them in their Wallet Instance. The Wallet Instance is typically provided as a mobile application on the User's smartphone.
What distinguishes this new approach from previous identity access management systems is that Digital Credentials refer to characteristics, qualities or properties, already authenticated at source. These Digital Credentials can be used by the User without the Credential Issuers being aware of their use. During the use of the Digital Credentials, no usage information is released to third parties as the relationship is exclusive between the User and the Relying Party, in a transparent and informed manner. The development of the IT-Wallet System includes a phased experimentation process, aimed at testing the Wallet and assessing its impact in real-world contexts. This process is designed to validate technical components, user experience elements, and interoperability mechanisms, while ensuring a progressive and controlled adoption of the System. Moreover, it supports the continuous improvement of the IT-Wallet and its gradual alignment with the European Digital Identity Wallet (EUDI Wallet), both in terms of architecture and compliance with evolving European specifications.
Other key elements that characterize this new Digital Identity Wallet paradigm include:
Confidentiality and control: Wallets enable individuals to maintain control over the information provided within the presented Credentials. They can choose what attributes or Credentials to present and to whom;
Security: Wallets leverage cryptographic mechanism for the integrity and the security of exchanged data. This avoids identity theft, fraud, and unauthorized access;
Interoperability: Wallets promote interoperability by enabling different systems and organizations to recognize and verify identities, enabling trusted interactions between individuals, organizations, and even across borders;
Efficiency and cost reduction: Individuals can easily manage their own Credentials, avoid handling multiple identity tokens, and reduce repetitive identity verification processes.
1.1. Scope¶
These Technical Specifications are intended to complement the Guidelines provided for in Article 64-quater of Legislative Decree No. 82/2005 (CAD). Both the Guidelines and these Technical Specifications, once formally adopted, will become part of the regulatory framework for the IT-Wallet System. They will be periodically updated, where necessary, in light of the results of the experimentation phase, the adoption of new national or European legislative acts, and evolving requirements in terms of security and interoperability. These Technical Specifications pursue two main objectives and represent a core component of the implementation framework for the IT-Wallet System.
The first one is to provide a clear and structured set of recommendations, resources and design requirements related to the IT-Wallet System elements that impact on the User Experience. The document, by distinguishing between mandatory regulatory aspects and good design practices, aims to provide to public entities and private entities interested in taking part in the IT-Wallet System what is necessary to:
facilitate the understanding and adoption of the Service Model, increasing the number of potential services and usage opportunities for the User;
adopt the IT-Wallet System's Visual Identity in order to enhance its reliability and recognizability for the User;
ensure design consistency across macro-functionalities and single interactions between the User and the service Touchpoints;
maintain an adequate level of quality, promoting the principles of usability, accessibility and inclusivity.
The second focus is to define the technical architecture and reference framework that will serve as a guideline for all the parties involved in the development of the IT-Wallet System.
Additional documentation, tools and resources - hereinafter defined Official Resources - for the design and development of the IT-Wallet System Technical Solutions will be soon available in the Official Resources section and will be periodically updated.
1.2. Normative Language and Conventions¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.
1.3. How to Read the Specification¶
This specification is designed to fulfil the requirements from multiple stakeholders within the IT-Wallet System. Each role has different responsibilities and scopes, and therefore different information needs. This section provides tailored reading paths to help you navigate efficiently to the content most relevant to the implementation goals.
1.3.1. Specification Structure Overview¶
The specification is organized into the following major sections:
Section Introduction: Establishes scope, and normative language for the IT-Wallet ecosystem.
Section Architecture Overview: Provides high-level view on the Architecture in terms of governance and operational processes enabled.
Section Brand Identity: Provides the IT-Wallet Brand Identity requirements, guidance on the naming convention and on the application of the visual elements that identify the ecosystem.
Section User Experience Design: Provides design principles and high-level functional requirements to ensure a high-quality User Experience across all stages of interaction between the User and the service.
Section The Infrastructure of Trust: Defines the federation-based trust model, entity relationships, and trust evaluation mechanisms that secure the entire ecosystem.
Section Entities: Comprehensive implementation requirements for each ecosystem participant: Wallet Solutions, Credential Issuers, Relying Parties, and Authentic Sources, including their components, interaction patterns, and configuration requirements.
Section Digital Credential Management: Covers Digital Credential data models and formats, lifecycle management, validity verification, and the Credentials Catalog structure.
Section Digital Credential Flows: Detailed implementation guidance for Digital Credential issuance and presentation workflows, including both remote and proximity interaction flows.
Section Endpoints: Technical specifications for all API endpoints exposed by each entity type, including federation endpoints and specialized service integrations.
Section Cryptographic Algorithms, Security and Privacy Considerations, and General Log Retention Policies (Implementation Support): Cryptographic requirements, security and privacy considerations, and log retention policies essential for compliant implementations.
Section Defined Terms and References, Official Resources, How to contribute, and Open Source Releases (Terminology and References): Comprehensive terminology, normative references, additional documentation, tools, resources and contribution guidelines.
Section Appendix: Provides supplementary technical details, implementation patterns, and testing frameworks including mobile application instance management, national platform integration specifications, and comprehensive test matrices for ecosystem validation.
1.3.2. Reading Paths by Role¶
For easier access to the topics covered in these specifications, role-based reading paths are presented below. Each path is organized according to the different stages of onboarding to and participation in the IT-Wallet System, with direct references to the sections most relevant to each role.
The proposed reading paths are intended as guidance and do not replace the need to consult other sections when a broader understanding of the system is required.
For entities interested in addressing multiple roles, it is recommended to deepen all the reading paths related to relevant roles.
1.3.2.1. Authentic Source¶
The Authentic Source focuses on securely exposing, managing, and guaranteeing the absolute accuracy and integrity of the authoritative raw data underlying (Q)EAA.
Phase 1: Discovery
To understand the general functioning of the ecosystem, the technical architecture and the Infrastructure of Trust.
Section Introduction: Scope and regulatory context of the IT-Wallet System.
Section Architecture Overview: Overview of the IT-Wallet System architecture in terms of governance and enabled operational processes.
Section The Infrastructure of Trust: Key requirements of the federation-based trust model and trust evaluation mechanisms between entities.
Section Defined Terms and References: Comprehensive terminology, normative references, additional documentation, tools, resources and contribution guidelines.
Phase 2: Design
To understand the requirements and design the features, functionalities and specific characteristics underlying a (Q)EAA to be issued.
Section User Experience Design: Key requirements on how to enable Users to obtain (Q)EAAs, (Q)EAA structures, status and management over time.
Section Digital Credential Management: Technical and functional requirements related to (Q)EAA lifecycle.
Section PDND e-Service Template: Standardized blueprint containing all necessary technical and descriptive metadata for the e-service definition.
Phase 3: Implementation
To implement the technological interfaces required to communicate with Credential Issuers and to manage the entire (Q)EAA data lifecycle.
Section Authentic Sources: Authentic Source role and responsibilities.
Section e-Service PDND: Mandatory integration specifications with the PDND (National Digital Data Platform) and the associated interoperability requirements for publishing an e-service.
Section Authentic Source Endpoints: Key requirements for the implementation of APIs enabling the Credential Issuer to securely and consistently retrieve authoritative data and to manage the data lifecycle through Signal Hub endpoints.
Section Registry Infrastructure: Focus on Registry components of interest to the Authentic Source.
Section General Log Retention Policies: General log retention requirements and specific requirements for Authentic Sources in accordance with ISO/IEC 27001.
Section Test Plans: Guide to set up the test environment and validate backend interactions with the test matrices provided by the ecosystem.
Phase 4: Registration
To become registered as an Authentic Source within the system by completing the administrative and technical procedures required.
Section Onboarding System: Overview of the onboarding system architecture and the Authentic Source registration process.
Section Entity Onboarding: Focus on technical implementation procedures for Authentic Source registration.
Section X.509 Certificate Management Operations: Operational procedures for managing X.509 Certificates within the IT-Wallet federation.
1.3.2.2. Wallet Provider¶
The Wallet Provider focuses on designing and developing the Wallet Solution that enables the User to store, manage, and present their PID and (Q)EAAs.
Phase 1: Discovery
To understand the general functioning of the ecosystem, the technical architecture and the Infrastructure of Trust.
Section Introduction: Scope and regulatory context of the IT-Wallet System.
Section Architecture Overview: Overview of the IT-Wallet System architecture in terms of governance and enabled operational processes.
Section The Infrastructure of Trust: Key requirements of the federation-based trust model and trust evaluation mechanisms between entities.
Section Defined Terms and References: Comprehensive terminology, normative references, additional documentation, tools, resources and contribution guidelines.
Phase 2: Design
To understand the User Experience requirements and design the Wallet Solution following common patterns to ensure the usability and accessibility of the solutions.
Section Brand Identity: Overview of the IT-Wallet Brand Identity and indications on assets to be adopted by the Wallet Provider.
Section User Experience Design: Key requirements on Interaction Models and Interface layouts and graphic assets to ensure an effective and seamless User Experience and coherence among Wallet Solutions.
Section Digital Credential Management: Technical and functional requirements related to (Q)EAA lifecycle.
Phase 3: Implementation
To implement the Wallet Solution in line with specific technological standards to ensure the communication between the Wallet Solution and other actors.
Section Wallet Solution: Technical and functional requirements on components, functionalities and lifecycle to configure the Wallet Solution.
Section Digital Credential Flows: Technical and functional requirements on (Q)EAA issuance and presentation flows.
Section Wallet Provider Endpoints: Key requirements for the implementation of the Wallet Provider interfaces (APIs) required for interoperability among entities.
Section Registry Infrastructure: Overview of Registry infrastructure and federation Registry.
Section Cryptographic Algorithms: Selection and implementation of cryptographic standards required to secure keys and transactions.
Section Security and Privacy Considerations: Security and compliance requirements for Wallet Solutions.
Section General Log Retention Policies: General log retention requirements and requirements specific for Wallet Providers, in accordance with ISO/IEC 27001.
Section Mobile Application Instance: Requirements for mobile application instance, related to initialization request and response.
Section Test Plans: Guide to set up the test environment and validate backend interactions with the test matrices provided by the ecosystem.
Phase 4: Registration
To become registered as a Wallet Provider within the system by completing the administrative and technical procedures so that the Wallet Solution is recognized by the system.
Section Onboarding System: Overview of the onboarding system architecture and the Wallet Provider registration process.
Section Entity Onboarding: Focus on technical implementation procedures for Wallet Provider registration.
Section X.509 Certificate Management Operations: Operational procedures for managing X.509 Certificates within the IT-Wallet federation.
1.3.2.3. Credential Issuer¶
The Credential Issuer focuses on transforming authoritative raw data from Authentic Sources into (Q)EAAs, and managing their entire lifecycle from issuance to revocation or expiration.
Phase 1: Discovery
To understand the general functioning of the ecosystem, the technical architecture and the Infrastructure of Trust.
Section Introduction: Scope and regulatory context of the IT-Wallet System.
Section Architecture Overview: Overview of the IT-Wallet System architecture in terms of governance and enabled operational processes.
Section The Infrastructure of Trust: Key requirements of the federation-based trust model and trust evaluation mechanisms between entities.
Section Defined Terms and References: Comprehensive terminology, normative references, additional documentation, tools, resources and contribution guidelines.
Phase 2: Design
To understand the requirements and technically design (Q)EAA by structuring metadata to meet technical and regulatory requirements.
Section User Experience Design: Key requirements on (Q)EAA structure, issuance, status and management over time.
Section Digital Credential Management: Technical and functional requirements related to (Q)EAA lifecycle.
Phase 3: Implementation
To develop endpoints based on specific protocols, and to implement (Q)EAA issuance, renewal, revocation and all the technical lifecycle management functions.
Section Credential Issuer Solution: Technical and functional requirements on components and interaction patterns to issue and manage (Q)EAAs lifecycle.
Section Digital Credential Flows: Technical and functional requirements on (Q)EAA issuance and presentation flows.
Section Credential Issuer Endpoints: Key requirements for the implementation of Credential Issuer metadata and authorization endpoints.
Section Cryptographic Algorithms: Selection and implementation of cryptographic standards required to secure keys and transactions.
Section e-Service PDND: Mandatory integration specifications with the PDND (National Digital Data Platform) and the associated interoperability requirements for accessing authoritative data required for (Q)EAA issuance.
Section Security and Privacy Considerations: Security and compliance requirements for implemented solutions.
Section General Log Retention Policies: General log retention requirements and requirements specific for Credential Issuers in accordance with ISO/IEC 27001.
Section Test Plans: Guide to set up the test environment and validate backend interactions with the test matrices provided by the ecosystem.
Phase 4: Registration
To become registered as a Credential Issuer within the system, by completing the administrative and technical procedure so that (Q)EAA issued to the Wallet are officially trusted.
Section Onboarding System: Overview of the onboarding system architecture and the Credential Issuer registration process.
Section Entity Onboarding: Focus on technical implementation procedures for Credential Issuer registration.
Section X.509 Certificate Management Operations: Operational procedures for managing X.509 Certificates within the IT-Wallet federation.
1.3.2.4. Relying Party¶
The Relying Party focuses on securely requesting, receiving, and verifying the authenticity and validity of the PID and (Q)EAAs presented by the User to grant access to online and offline services.
Phase 1: Discovery
To understand the general functioning of the ecosystem, the technical architecture and the Infrastructure of Trust.
Section Introduction: Scope and regulatory context of the IT-Wallet System.
Section Architecture Overview: Overview of the IT-Wallet System architecture in terms of governance and enabled operational processes.
Section The Infrastructure of Trust: Key requirements of the federation-based trust model and trust evaluation mechanisms between entities.
Section Defined Terms and References: Comprehensive terminology, normative references, additional documentation, tools, resources and contribution guidelines.
Phase 2: Design
To understand the User Experience requirements and design the verification functionalities necessary to provide the service to the end User.
Section Brand Identity: Overview of the IT-Wallet Brand Identity and indications on assets to be adopted by the Relying Party.
Section User Experience Design: Key requirements on Interaction Models, Interface layouts and graphic assets to ensure an effective and seamless User Experience, and coherence among presentation and verification systems.
Section Digital Credential Management: Technical and functional requirements related to (Q)EAA lifecycle.
Phase 3: Implementation
To implement verification functionalities following specific protocols, to send verification requests to the Wallet and receive a response with the User authorization.
Section Relying Party Solution: Technical and functional requirements on components and functionalities for PID and (Q)EAA verification.
Section Digital Credential Flows: Technical and functional requirements on (Q)EAA presentation and verification flows.
Section Relying Party Endpoints: Key requirements for the implementation of (Q)EAA verification endpoints.
Section Security and Privacy Considerations: Security and compliance requirements for implemented solutions.
Section General Log Retention Policies: General log retention requirements and requirements specific for Relying Parties, in accordance with ISO/IEC 27001.
Section Test Plans: Guide to set up the test environment and validate backend interactions with the test matrices provided by the ecosystem.
Phase 4: Registration
To become registered as a Relying Party within the system, by completing the administrative and technical procedure and becoming a reliable actor when requesting User data.
Section Onboarding System: Overview of the onboarding system architecture and the Relying Party registration process.
Section Entity Onboarding: Focus on implementation procedures for Relying Party registration.
Section X.509 Certificate Management Operations: Operational procedures for managing X.509 Certificates within the IT-Wallet federation.