IT-Wallet System Technical Documentation - 1.0.0

This document provides the technical architecture, implementation framework and design requirements to be adopted by the IT-Wallet System Technical Solutions.

Table of Contents

• 1. Introduction
  • 1.1. Scope
• 2. Normative References
• 3. Defined Terms and Acronyms
  • 3.1. Acronyms
• 4. Normative Language and Conventions
• 5. The Digital Identity Wallet Paradigm
• 6. Design Principles
• 7. IT-Wallet System Brand Identity
  • 7.1. Naming
  • 7.2. Visual Identity
    • 7.2.1. Logo
    • 7.2.2. Trust Mark
    • 7.2.3. Components
    • 7.2.4. Authentication Button
• 8. Functionalities
  • 8.1. Activation of the Wallet Instance
  • 8.2. Issuance of Electronic Attestations of Attributes
    • 8.2.1. Layout of Electronic Attestations
  • 8.3. Presentation of Electronic Attestations
    • 8.3.1. Proximity Presentation
    • 8.3.2. Remote Presentation
  • 8.4. Management of Electronic Attestations
    • 8.4.1. Status of Electronic Attestations
    • 8.4.2. History of Electronic Attestations
    • 8.4.3. Backup and Restore of Electronic Attestation of Attributes
  • 8.5. Deactivation of the Wallet Instance
  • 8.6. Error Management
  • 8.7. Activation of the Wallet Instance Errors
  • 8.8. Issuance of Electronic Attestations of Attributes Errors
  • 8.9. Presentation of Electronic Attestations Errors
  • 8.10. Management of Electronic Attestations Errors
  • 8.11. Deactivation of the Wallet Instance Errors
  • 8.12. User Assistance
  • 8.13. User Feedback
• 9. The Infrastructure of Trust
  • 9.1. Federation Roles
  • 9.2. General Properties
  • 9.3. Trust Infrastructure Requirements
  • 9.4. Federation API endpoints
  • 9.5. Configuration of the Federation
  • 9.6. Entity Configuration
    • 9.6.1. Entity Configurations Common Parameters
    • 9.6.2. Entity Configuration Trust Anchor
    • 9.6.3. Entity Configuration Leaves and Intermediates
    • 9.6.4. Metadata Types
  • 9.7. Metadata of federation_entity Leaves
  • 9.8. Subordinate Statements
    • 9.8.1. Subordinate Statement
  • 9.9. Trust Evaluation Mechanism
    • 9.9.1. Establishing Trust with Credential Issuers
    • 9.9.2. Establishing Trust with Relying Party
    • 9.9.3. Evaluating Trust with Wallets
    • 9.9.4. Trust Chain
    • 9.9.5. Offline Trust Attestation Mechanisms
  • 9.10. Trust Chain Fast Renewal
  • 9.11. Non-repudiability of the Long Lived Attestations
  • 9.12. X.509 PKI
    • 9.12.1. Federation Trust Anchor and X.509 CA
    • 9.12.2. X.509 Certificates Issuance
    • 9.12.3. X.509 Certificate Revocation
  • 9.13. Privacy Remarks
  • 9.14. Considerations about Decentralization
• 10. Wallet Solution
  • 10.1. Wallet Solution Requirements
    • 10.1.1. Wallet Attestation Requirements
    • 10.1.2. WSCD Requirements
• 11. Credential Issuer Solution
  • 11.1. Requirements
  • 11.2. Component Details
    • 11.2.1. Frontend Component
    • 11.2.2. Credential Issuer Component
    • 11.2.3. Authorization Server
    • 11.2.4. Relying Party Component
    • 11.2.5. API Interface
    • 11.2.6. Credential Lifecycle Management
    • 11.2.7. Trust & Security Component
  • 11.3. Interaction Patterns
  • 11.4. Exposed Endpoints
    • 11.4.1. Federation Endpoints
    • 11.4.2. Credential Issuer Component Endpoints
• 12. Relying Party Solution
  • 12.1. Relying Party Solution Requirements
    • 12.1.1. Relying Party Instance
    • 12.1.2. Mobile Relying Party Instance
    • 12.1.3. Web Relying Party Instance
    • 12.1.4. Relying Party Endpoints
• 13. Authentic Sources
• 14. Digital Credential Data Model
  • 14.1. SD-JWT-VC Credential Format
    • 14.1.1. Credential SD-JWT Parameters
    • 14.1.2. Digital Credential Metadata Type
    • 14.1.3. PID Claims
    • 14.1.4. PID Non-Normative Examples
    • 14.1.5. (Q)EAA non-normative Examples
  • 14.2. mdoc-CBOR Credential Format
    • 14.2.1. Attribute Namespaces
    • 14.2.2. Attributes
    • 14.2.3. Mobile Security Object
    • 14.2.4. mdoc-CBOR Examples
    • 14.2.5. CBOR Acronyms
  • 14.3. Cross-Format Credential Parameters Mapping
• 15. Digital Credential Issuance
  • 15.1. Credential Issuance High-Level Flows
    • 15.1.1. High-Level PID flow
    • 15.1.2. High-Level (Q)EAA flow
  • 15.2. Credential Issuance Low-Level Flows
    • 15.2.1. Low-Level Issuance Flow
    • 15.2.2. Refresh Token Flow
    • 15.2.3. Re-Issuance Flow
  • 15.3. Credential Issuance Endpoints
    • 15.3.1. Credential Offer Endpoint
    • 15.3.2. Pushed Authorization Request Endpoint
    • 15.3.3. Authorization endpoint
    • 15.3.4. Token endpoint
    • 15.3.5. Nonce Endpoint
    • 15.3.6. Credential endpoint
    • 15.3.7. Deferred Endpoint
    • 15.3.8. Notification endpoint
• 16. Digital Credential Presentation
  • 16.1. Remote Flow
    • 16.1.1. Authorization Request
    • 16.1.2. Request URI Request
    • 16.1.3. Request URI Response
    • 16.1.4. Authorization Response
    • 16.1.5. Relying Party Response
    • 16.1.6. Status Endpoint
    • 16.1.7. Redirect URI
  • 16.2. Proximity Flow
    • 16.2.1. Device Engagement
    • 16.2.2. mdoc Request
    • 16.2.3. mdoc Response
    • 16.2.4. Session Termination
• 17. Digital Credential Lifecycle
  • 17.1. Credential Transitions
    • 17.1.1. Credential Transition to Issued
    • 17.1.2. Credential Transition to Valid
    • 17.1.3. Credential Transition to Expired
    • 17.1.4. Credential Transition to Revoked
    • 17.1.5. Credential Transition to Suspended
  • 17.2. Credential Lifecycle Management
    • 17.2.1. Digital Credential Revocation and Suspension
    • 17.2.2. Entities Involved
    • 17.2.3. Status Update Flows
  • 17.3. Validity Verification Mechanisms
    • 17.3.1. OAuth Status Assertions
  • 17.4. OAuth Status Lists
    • 17.4.1. Status Lists Creation
• 18. Backup and Restore
  • 18.1. Backup Flow
  • 18.2. Restore flow for Hardware Binding Credential
• 19. Digital Credentials Catalogue
  • 19.1. Digital Credentials Categories
  • 19.2. Digital Credentials Catalogue Structure
  • 19.3. Claims Taxonomy
  • 19.4. Digital Credentials Catalogue Endpoint
    • 19.4.1. Digital Credentials Catalogue Request
    • 19.4.2. Digital Credentials Catalogue Response
• 20. e-Service PDND Catalogue
  • 20.1. Credential Issuer Catalogue
    • 20.1.1. Notify Available Credential
    • 20.1.2. Notify Update Credential
    • 20.1.3. Notify Wallet Instance Revocation
    • 20.1.4. Get Statistics
  • 20.2. Authentic Source Catalogue
    • 20.2.1. Get Attribute Claims
  • 20.3. Wallet Provider Catalogue
    • 20.3.1. Notify User Death
• 21. e-Service PDND
  • 21.1. Requirements and Security Patterns
  • 21.2. PDND Voucher Issuance
    • 21.2.1. PDND Voucher for e-Service
    • 21.2.2. PDND Voucher for Interoperability API
    • 21.2.3. PDND Authorization Server Endpoint
  • 21.3. Key Retrieval
    • 21.3.1. PDND Authorization Server Keys
    • 21.3.2. PDND Authorization Server .well-known Endpoint
    • 21.3.3. Participants' Keys
    • 21.3.4. PDND Interoperability API Endpoint
  • 21.4. e-Service Usage
    • 21.4.1. e-Service Usage Prerequisites
    • 21.4.2. e-Service Usage Flow
    • 21.4.3. e-Service Endpoint
• 22. Mobile Application Instance
  • 22.1. Mobile Application Instance Initialization
    • 22.1.1. Mobile Application Nonce Request
    • 22.1.2. Mobile Application Nonce Response
    • 22.1.3. Mobile Application Instance Initialization Request
    • 22.1.4. Mobile Application Instance Initialization Response
  • 22.2. Mobile Application Key Binding
    • 22.2.1. Mobile Application Key Binding Request
    • 22.2.2. Mobile Application Key Binding Response
• 23. Entity Configurations
  • 23.1. Wallet Provider Entity Configuration
    • 23.1.1. Wallet Provider Entity Configuration JWT Header
    • 23.1.2. Wallet Provider Entity Configuration JWT Payload
    • 23.1.3. wallet_provider metadata
    • 23.1.4. federation_entity metadata
  • 23.2. Entity Configuration of Credential Issuers
    • 23.2.1. Metadata for oauth_authorization_server
    • 23.2.2. Metadata for openid_credential_issuer
    • 23.2.3. Example of a (Q)EAA Provider Entity Configuration
  • 23.3. Entity Configuration of Relying Parties
    • 23.3.1. Metadata for openid_credential_verifier
    • 23.3.2. Example of a Relying Party Entity Configuration
• 24. Cryptographic Algorithms
• 25. Security and Privacy Considerations
  • 25.1. Security Requirements
    • 25.1.1. SR-CF-10 and SR-E-10
    • 25.1.2. SR-CF-20
    • 25.1.3. SR-CF-21
    • 25.1.4. SR-E-20
    • 25.1.5. SR-E-30
    • 25.1.6. SR-E-40
    • 25.1.7. SR-I-10
    • 25.1.8. SR-I-20
    • 25.1.9. SR-I-30
    • 25.1.10. SR-I-40
    • 25.1.11. SR-I-50
    • 25.1.12. SR-P-20
    • 25.1.13. SR-P-30
    • 25.1.14. SR-P-40
    • 25.1.15. SR-P-41
    • 25.1.16. SR-P-50
    • 25.1.17. SR-V-10
    • 25.1.18. SR-V-20
    • 25.1.19. SR-W-20
    • 25.1.20. SR-W-30
  • 25.2. Privacy Requirements
    • 25.2.1. PR-CF-30
    • 25.2.2. PR-CF-40
    • 25.2.3. PR-E-60
    • 25.2.4. PR-E-70
    • 25.2.5. PR-W-40
    • 25.2.6. PR-W-60
    • 25.2.7. PR-W-70
  • 25.3. Security and Privacy Requirements
    • 25.3.1. SPR-E-50
    • 25.3.2. SPR-P-10
    • 25.3.3. SPR-P-60
    • 25.3.4. SPR-P-70
    • 25.3.5. SPR-P-80
    • 25.3.6. SPR-W-50
• 26. General Log Retention Policies
  • 26.1. ISO/IEC 27001 Logging General Requirements
    • 26.1.1. Wallet Provider Log Retention Policy
    • 26.1.2. Credential Issuer Log Retention Policy
    • 26.1.3. Relying Party Log Retention Policy
    • 26.1.4. Wallet Instances Logging Features
• 27. Technical References
  • 27.1. Wallet Paradigm Frameworks
  • 27.2. Infrastructure of Trust
  • 27.3. Digital Credential Data Format
  • 27.4. Digital Credential Issuance
  • 27.5. Digital Credential Presentation
  • 27.6. Digital Credential Revocation Check Mechanisms
  • 27.7. National Data Interoperability Platform Specifications
  • 27.8. National Digital Identity Platform Specifications
  • 27.9. Security and Protection Profiles
• 28. Test Plans
  • 28.1. Structure of the Test Matrix
  • 28.2. Signed Statements Evaluation Test Matrix
  • 28.3. Trust Evaluation Test Matrix
  • 28.4. Wallet Solution Test Matrix
  • 28.5. Credential Issuance Test Matrix
  • 28.6. Credential Presentation Test Matrix
    • 28.6.1. Remote Credential Presentation Test Matrix
    • 28.6.2. Proximity Credential Presentation Test Matrix
• 29. How to contribute
  • 29.1. Acknowledgements
• 30. Open Source Releases
  • 30.1. Wallet Providers
  • 30.2. Credential Issuers
  • 30.3. Relying Parties
  • 30.4. Responsible Disclosure