IT-Wallet Technical Documentation - 1.1.0

This document provides the technical architecture, implementation framework and design requirements to be adopted by the IT-Wallet System Technical Solutions.

Table of Contents

• 1. Introduction
  • 1.1. Scope
  • 1.2. Normative Language and Conventions
  • 1.3. How to Read the Specification
    • 1.3.1. Specification Structure Overview
    • 1.3.2. Reading Paths by Role
    • 1.3.3. Cross-Cutting Topics
    • 1.3.4. Implementation Approach
• 2. Brand Identity
  • 2.1. Naming
  • 2.2. Visual Identity
    • 2.2.1. Logo
    • 2.2.2. Trust Mark
• 3. Architecture Overview
• 4. User Experience Design
  • 4.1. Design Principles
  • 4.2. Functionalities Overview
  • 4.3. Activation of the Wallet Instance
    • 4.3.1. Focus on PID – Person Identification Data
  • 4.4. Issuance of Electronic Attestations of Attributes
    • 4.4.1. Issuance from the Wallet Instance Catalogue
    • 4.4.2. Issuance from a Touchpoint of the Authentic Source
    • 4.4.3. Focus on Electronic Attestations of Attributes
  • 4.5. Presentation of Electronic Attestations
    • 4.5.1. Proximity Presentation
    • 4.5.2. Remote Presentation
  • 4.6. Management of Electronic Attestations
    • 4.6.1. Status of Electronic Attestations
    • 4.6.2. History of Electronic Attestations
    • 4.6.3. Backup and Restore of Electronic Attestation of Attributes
  • 4.7. Deactivation of the Wallet Instance
  • 4.8. Error Management
    • 4.8.1. Activation of the Wallet Instance Errors
    • 4.8.2. Issuance of Electronic Attestations of Attributes Errors
    • 4.8.3. Presentation of Electronic Attestations Errors
    • 4.8.4. Management of Electronic Attestations Errors
    • 4.8.5. Deactivation of the Wallet Instance Errors
  • 4.9. User Assistance
  • 4.10. User Feedback
• 5. The Infrastructure of Trust
  • 5.1. Federation Roles
  • 5.2. General Properties
  • 5.3. Trust Infrastructure Requirements
  • 5.4. Federation API endpoints
  • 5.5. Configuration of the Federation
  • 5.6. Entity Configuration
    • 5.6.1. Entity Configurations Common Parameters
    • 5.6.2. Entity Configuration Trust Anchor
    • 5.6.3. Entity Configuration Leaves and Intermediates
    • 5.6.4. Metadata Types
  • 5.7. Metadata of federation_entity Leaves
  • 5.8. Subordinate Statements
    • 5.8.1. Subordinate Statement
  • 5.9. Trust Evaluation Mechanism
    • 5.9.1. Establishing Trust with Credential Issuers
    • 5.9.2. Establishing Trust with Relying Party
    • 5.9.3. Evaluating Trust with Wallets
    • 5.9.4. Trust Chain
    • 5.9.5. Offline Trust Attestation Mechanisms
  • 5.10. Trust Chain Fast Renewal
  • 5.11. Non-repudiability of the Long Lived Attestations
  • 5.12. X.509 PKI
    • 5.12.1. Federation Trust Anchor and X.509 CA
    • 5.12.2. X.509 Certificates Issuance
    • 5.12.3. X.509 Certificate Revocation
  • 5.13. Privacy Remarks
  • 5.14. Considerations about Decentralization
• 6. Entities
  • 6.1. Wallet Solution
    • 6.1.1. Wallet Solution Requirements
    • 6.1.2. Wallet Solution Components
    • 6.1.3. Wallet Solution Interaction Patterns
    • 6.1.4. Wallet Instance
    • 6.1.5. Backup and Restore
    • 6.1.6. Wallet Provider Entity Configuration
    • 6.1.7. Wallet Provider Metadata
  • 6.2. Credential Issuer Solution
    • 6.2.1. Credential Issuer Requirements
    • 6.2.2. Component Details
    • 6.2.3. Interaction Patterns
    • 6.2.4. Credential Issuer Entity Configuration
    • 6.2.5. Credential Issuer Metadata
  • 6.3. Relying Party Solution
    • 6.3.1. Relying Party Instance
    • 6.3.2. Mobile Relying Party Instance
    • 6.3.3. Web Relying Party Instance
    • 6.3.4. Relying Party Entity Configuration
    • 6.3.5. Relying Party Metadata
  • 6.4. Authentic Sources
• 7. Digital Credential Management
  • 7.1. Digital Credential Data Model
    • 7.1.1. SD-JWT-VC Credential Format
    • 7.1.2. mdoc-CBOR Credential Format
    • 7.1.3. Cross-Format Credential Parameters Mapping
  • 7.2. Digital Credential Lifecycle
    • 7.2.1. Credential Transitions
    • 7.2.2. Digital Credential Lifecycle in a Batch
    • 7.2.3. Credential Lifecycle Management
    • 7.2.4. Validity Verification Mechanisms
    • 7.2.5. OAuth Status Lists
  • 7.3. Digital Credentials Catalogue
    • 7.3.1. Digital Credentials Categories
    • 7.3.2. Digital Credentials Catalogue Structure
    • 7.3.3. Claims Taxonomy
    • 7.3.4. Digital Credentials Catalogue Endpoint
• 8. Digital Credential Flows
  • 8.1. Digital Credential Issuance
    • 8.1.1. Credential Issuance High-Level Flows
    • 8.1.2. Credential Issuance Low-Level Flows
  • 8.2. Digital Credential Presentation
    • 8.2.1. Remote Flow
    • 8.2.2. Proximity Flow
• 9. Endpoints
  • 9.1. Wallet Provider Endpoints
    • 9.1.1. Federation Endpoint
    • 9.1.2. Wallet Solution Nonce Endpoint
    • 9.1.3. Wallet Instance Management Endpoint
    • 9.1.4. Wallet Attestation Issuance Endpoint
    • 9.1.5. e-Service PDND Wallet Provider Catalogue
  • 9.2. Credential Issuer Endpoints
    • 9.2.1. Federation Endpoints
    • 9.2.2. Credential Issuance Endpoints
    • 9.2.3. e-Service PDND Credential Issuer Catalogue
  • 9.3. Relying Party Endpoints
    • 9.3.1. Relying Party Federation Endpoint
    • 9.3.2. Relying Party Nonce Endpoint
    • 9.3.3. Relying Party Instance Initialization Endpoint
    • 9.3.4. Relying Party Key Binding Endpoint
    • 9.3.5. Relying Party Access Certificate Endpoint
    • 9.3.6. Relying Party Erasure Endpoint
  • 9.4. Authentic Source Endpoints
    • 9.4.1. e-Service PDND Authentic Source Catalogue
• 10. Cryptographic Algorithms
• 11. Security and Privacy Considerations
  • 11.1. Security Requirements
    • 11.1.1. SR-CF-10 and SR-E-10
    • 11.1.2. SR-CF-20
    • 11.1.3. SR-CF-21
    • 11.1.4. SR-E-20
    • 11.1.5. SR-E-30
    • 11.1.6. SR-E-40
    • 11.1.7. SR-I-10
    • 11.1.8. SR-I-20
    • 11.1.9. SR-I-30
    • 11.1.10. SR-I-40
    • 11.1.11. SR-I-50
    • 11.1.12. SR-P-20
    • 11.1.13. SR-P-30
    • 11.1.14. SR-P-40
    • 11.1.15. SR-P-41
    • 11.1.16. SR-P-50
    • 11.1.17. SR-V-10
    • 11.1.18. SR-V-20
    • 11.1.19. SR-W-20
    • 11.1.20. SR-W-30
  • 11.2. Privacy Requirements
    • 11.2.1. PR-CF-30
    • 11.2.2. PR-CF-40
    • 11.2.3. PR-E-60
    • 11.2.4. PR-E-70
    • 11.2.5. PR-W-40
    • 11.2.6. PR-W-60
    • 11.2.7. PR-W-70
  • 11.3. Security and Privacy Requirements
    • 11.3.1. SPR-E-50
    • 11.3.2. SPR-P-10
    • 11.3.3. SPR-P-60
    • 11.3.4. SPR-P-70
    • 11.3.5. SPR-P-80
    • 11.3.6. SPR-W-50
• 12. General Log Retention Policies
  • 12.1. ISO/IEC 27001 Logging General Requirements
    • 12.1.1. Wallet Provider Log Retention Policy
    • 12.1.2. Credential Issuer Log Retention Policy
    • 12.1.3. Relying Party Log Retention Policy
    • 12.1.4. Wallet Instances Logging Features
• 13. Defined Terms and References
  • 13.1. Normative References
  • 13.2. Defined Terms and Acronyms
    • 13.2.1. Acronyms
  • 13.3. Normative References
    • 13.3.1. Official Resources
  • 13.4. Technical References
    • 13.4.1. Wallet Paradigm Frameworks
    • 13.4.2. Infrastructure of Trust
    • 13.4.3. Digital Credential Data Format
    • 13.4.4. Digital Credential Issuance
    • 13.4.5. Digital Credential Presentation
    • 13.4.6. Digital Credential Revocation Check Mechanisms
    • 13.4.7. National Data Interoperability Platform Specifications
    • 13.4.8. National Digital Identity Platform Specifications
    • 13.4.9. Security and Protection Profiles
• 14. How to contribute
  • 14.1. Acknowledgements
• 15. Open Source Releases
  • 15.1. Wallet Providers
  • 15.2. Credential Issuers
  • 15.3. Relying Parties
  • 15.4. Responsible Disclosure
• 16. Appendix
  • 16.1. Mobile Application Instance
    • 16.1.1. Mobile Application Instance Initialization
    • 16.1.2. Mobile Application Key Binding
  • 16.2. e-Service PDND
    • 16.2.1. Requirements and Security Patterns
    • 16.2.2. PDND Voucher Issuance
    • 16.2.3. Key Retrieval
    • 16.2.4. e-Service Usage
  • 16.3. Template e-Service PDND
    • 16.3.1. PDND Template e-service definition and guidelines
  • 16.4. Test Plans
    • 16.4.1. Structure of the Test Matrix