IT-Wallet Technical Documentation - 1.1.0

This document provides the technical architecture, implementation framework and design requirements to be adopted by the IT-Wallet System Technical Solutions.

Table of Contents

• 1. Introduction
  • 1.1. Scope
  • 1.2. Normative Language and Conventions
  • 1.3. How to Read the Specification
    • 1.3.1. Specification Structure Overview
    • 1.3.2. Reading Paths by Role
    • 1.3.3. Cross-Cutting Topics
    • 1.3.4. Implementation Approach
• 2. Design Principles
  • 2.1. Brand Identity
    • 2.1.1. Naming
    • 2.1.2. Visual Identity
• 3. Architecture Overview
  • 3.1. Functionalities
    • 3.1.1. Activation of the Wallet Instance
    • 3.1.2. Issuance of Electronic Attestations of Attributes
    • 3.1.3. Presentation of Electronic Attestations
    • 3.1.4. Management of Electronic Attestations
    • 3.1.5. Deactivation of the Wallet Instance
    • 3.1.6. Error Management
    • 3.1.7. User Assistance
    • 3.1.8. User Feedback
• 4. The Infrastructure of Trust
  • 4.1. Federation Roles
  • 4.2. General Properties
  • 4.3. Trust Infrastructure Requirements
  • 4.4. Federation API endpoints
  • 4.5. Configuration of the Federation
  • 4.6. Entity Configuration
    • 4.6.1. Entity Configurations Common Parameters
    • 4.6.2. Entity Configuration Trust Anchor
    • 4.6.3. Entity Configuration Leaves and Intermediates
    • 4.6.4. Metadata Types
  • 4.7. Metadata of federation_entity Leaves
  • 4.8. Subordinate Statements
    • 4.8.1. Subordinate Statement
  • 4.9. Trust Evaluation Mechanism
    • 4.9.1. Establishing Trust with Credential Issuers
    • 4.9.2. Establishing Trust with Relying Party
    • 4.9.3. Evaluating Trust with Wallets
    • 4.9.4. Trust Chain
    • 4.9.5. Offline Trust Attestation Mechanisms
  • 4.10. Trust Chain Fast Renewal
  • 4.11. Non-repudiability of the Long Lived Attestations
  • 4.12. X.509 PKI
    • 4.12.1. Federation Trust Anchor and X.509 CA
    • 4.12.2. X.509 Certificates Issuance
    • 4.12.3. X.509 Certificate Revocation
  • 4.13. Privacy Remarks
  • 4.14. Considerations about Decentralization
• 5. Entities
  • 5.1. Wallet Solution
    • 5.1.1. Wallet Solution Requirements
    • 5.1.2. Wallet Solution Components
    • 5.1.3. Wallet Solution Interaction Patterns
    • 5.1.4. Wallet Instance
    • 5.1.5. Backup and Restore
    • 5.1.6. Wallet Provider Entity Configuration
    • 5.1.7. Wallet Provider Metadata
  • 5.2. Credential Issuer Solution
    • 5.2.1. Credential Issuer Requirements
    • 5.2.2. Component Details
    • 5.2.3. Interaction Patterns
    • 5.2.4. Credential Issuer Entity Configuration
    • 5.2.5. Credential Issuer Metadata
  • 5.3. Relying Party Solution
    • 5.3.1. Relying Party Instance
    • 5.3.2. Mobile Relying Party Instance
    • 5.3.3. Web Relying Party Instance
    • 5.3.4. Relying Party Entity Configuration
    • 5.3.5. Relying Party Metadata
  • 5.4. Authentic Sources
• 6. Digital Credential Management
  • 6.1. Digital Credential Data Model
    • 6.1.1. SD-JWT-VC Credential Format
    • 6.1.2. mdoc-CBOR Credential Format
    • 6.1.3. Cross-Format Credential Parameters Mapping
  • 6.2. Digital Credential Lifecycle
    • 6.2.1. Credential Transitions
    • 6.2.2. Digital Credential Lifecycle in a Batch
    • 6.2.3. Credential Lifecycle Management
    • 6.2.4. Validity Verification Mechanisms
    • 6.2.5. OAuth Status Lists
  • 6.3. Digital Credentials Catalogue
    • 6.3.1. Digital Credentials Categories
    • 6.3.2. Digital Credentials Catalogue Structure
    • 6.3.3. Claims Taxonomy
    • 6.3.4. Digital Credentials Catalogue Endpoint
• 7. Digital Credential Flows
  • 7.1. Digital Credential Issuance
    • 7.1.1. Credential Issuance High-Level Flows
    • 7.1.2. Credential Issuance Low-Level Flows
  • 7.2. Digital Credential Presentation
    • 7.2.1. Remote Flow
    • 7.2.2. Proximity Flow
• 8. Endpoints
  • 8.1. Wallet Provider Endpoints
    • 8.1.1. Federation Endpoint
    • 8.1.2. Wallet Solution Nonce Endpoint
    • 8.1.3. Wallet Instance Management Endpoint
    • 8.1.4. Wallet Attestation Issuance Endpoint
    • 8.1.5. e-Service PDND Wallet Provider Catalogue
  • 8.2. Credential Issuer Endpoints
    • 8.2.1. Federation Endpoints
    • 8.2.2. Credential Issuance Endpoints
    • 8.2.3. e-Service PDND Credential Issuer Catalogue
  • 8.3. Relying Party Endpoints
    • 8.3.1. Relying Party Federation Endpoint
    • 8.3.2. Relying Party Nonce Endpoint
    • 8.3.3. Relying Party Instance Initialization Endpoint
    • 8.3.4. Relying Party Key Binding Endpoint
    • 8.3.5. Relying Party Access Certificate Endpoint
    • 8.3.6. Relying Party Erasure Endpoint
  • 8.4. Authentic Source Endpoints
    • 8.4.1. e-Service PDND Authentic Source Catalogue
• 9. Cryptographic Algorithms
• 10. Security and Privacy Considerations
  • 10.1. Security Requirements
    • 10.1.1. SR-CF-10 and SR-E-10
    • 10.1.2. SR-CF-20
    • 10.1.3. SR-CF-21
    • 10.1.4. SR-E-20
    • 10.1.5. SR-E-30
    • 10.1.6. SR-E-40
    • 10.1.7. SR-I-10
    • 10.1.8. SR-I-20
    • 10.1.9. SR-I-30
    • 10.1.10. SR-I-40
    • 10.1.11. SR-I-50
    • 10.1.12. SR-P-20
    • 10.1.13. SR-P-30
    • 10.1.14. SR-P-40
    • 10.1.15. SR-P-41
    • 10.1.16. SR-P-50
    • 10.1.17. SR-V-10
    • 10.1.18. SR-V-20
    • 10.1.19. SR-W-20
    • 10.1.20. SR-W-30
  • 10.2. Privacy Requirements
    • 10.2.1. PR-CF-30
    • 10.2.2. PR-CF-40
    • 10.2.3. PR-E-60
    • 10.2.4. PR-E-70
    • 10.2.5. PR-W-40
    • 10.2.6. PR-W-60
    • 10.2.7. PR-W-70
  • 10.3. Security and Privacy Requirements
    • 10.3.1. SPR-E-50
    • 10.3.2. SPR-P-10
    • 10.3.3. SPR-P-60
    • 10.3.4. SPR-P-70
    • 10.3.5. SPR-P-80
    • 10.3.6. SPR-W-50
• 11. General Log Retention Policies
  • 11.1. ISO/IEC 27001 Logging General Requirements
    • 11.1.1. Wallet Provider Log Retention Policy
    • 11.1.2. Credential Issuer Log Retention Policy
    • 11.1.3. Relying Party Log Retention Policy
    • 11.1.4. Wallet Instances Logging Features
• 12. Defined Terms and References
  • 12.1. Normative References
  • 12.2. Defined Terms and Acronyms
    • 12.2.1. Acronyms
  • 12.3. Normative References
  • 12.4. Technical References
    • 12.4.1. Wallet Paradigm Frameworks
    • 12.4.2. Infrastructure of Trust
    • 12.4.3. Digital Credential Data Format
    • 12.4.4. Digital Credential Issuance
    • 12.4.5. Digital Credential Presentation
    • 12.4.6. Digital Credential Revocation Check Mechanisms
    • 12.4.7. National Data Interoperability Platform Specifications
    • 12.4.8. National Digital Identity Platform Specifications
    • 12.4.9. Security and Protection Profiles
• 13. How to contribute
  • 13.1. Acknowledgements
• 14. Open Source Releases
  • 14.1. Wallet Providers
  • 14.2. Credential Issuers
  • 14.3. Relying Parties
  • 14.4. Responsible Disclosure
• 15. Appendix
  • 15.1. Mobile Application Instance
    • 15.1.1. Mobile Application Instance Initialization
    • 15.1.2. Mobile Application Key Binding
  • 15.2. e-Service PDND
    • 15.2.1. Requirements and Security Patterns
    • 15.2.2. PDND Voucher Issuance
    • 15.2.3. Key Retrieval
    • 15.2.4. e-Service Usage
  • 15.3. Template e-Service PDND
    • 15.3.1. PDND Template e-service definition and guidelines
  • 15.4. Test Plans
    • 15.4.1. Structure of the Test Matrix