IT-Wallet Technical Documentation - 1.2.0

This document provides the technical architecture, implementation framework and design requirements to be adopted by the IT-Wallet System Technical Solutions.

Table of Contents

• 1. Introduction
  • 1.1. Scope
  • 1.2. Normative Language and Conventions
  • 1.3. How to Read the Specification
    • 1.3.1. Specification Structure Overview
    • 1.3.2. Reading Paths by Role
    • 1.3.3. Cross-Cutting Topics
    • 1.3.4. Implementation Approach
• 2. Brand Identity
  • 2.1. Naming
  • 2.2. Visual Identity
    • 2.2.1. Logo
    • 2.2.2. Trust Mark
• 3. Architecture Overview
• 4. Onboarding System
  • 4.1. Onboarding System Architecture
  • 4.2. Authentic Source Registration Process
  • 4.3. Federation Onboarding Process
  • 4.4. Entity Lifecycle Management
    • 4.4.1. Ongoing Operations Management
    • 4.4.2. Federation Exit and Removal Processes
    • 4.4.3. Lifecycle Coordination Requirements
  • 4.5. Onboarding Journey Maps
    • 4.5.1. Ecosystem Overview
    • 4.5.2. Authentic Source Operator Journey
    • 4.5.3. Credential Issuer Operator Journey
    • 4.5.4. Wallet Provider Operator Journey
    • 4.5.5. Relying Party Operator Journey
  • 4.6. End User Experience Journey
• 5. User Experience Design
  • 5.1. Design Principles
  • 5.2. Functionalities Overview
  • 5.3. Activation of the Wallet Instance
    • 5.3.1. Focus on PID – Person Identification Data
  • 5.4. Issuance of Electronic Attestations of Attributes
    • 5.4.1. Issuance from the Wallet Instance Catalog
    • 5.4.2. Issuance from a Touchpoint of the Authentic Source
    • 5.4.3. Focus on Electronic Attestations of Attributes
  • 5.5. Presentation of Electronic Attestations
    • 5.5.1. Proximity Presentation
    • 5.5.2. Remote Presentation
  • 5.6. Management of Electronic Attestations
    • 5.6.1. Status of Electronic Attestations
    • 5.6.2. History of Electronic Attestations
    • 5.6.3. Backup and Restore of Electronic Attestation of Attributes
  • 5.7. Deactivation of the Wallet Instance
  • 5.8. Error Management
    • 5.8.1. Activation of the Wallet Instance Errors
    • 5.8.2. Issuance of Electronic Attestations of Attributes Errors
    • 5.8.3. Presentation of Electronic Attestations Errors
    • 5.8.4. Management of Electronic Attestations Errors
    • 5.8.5. Deactivation of the Wallet Instance Errors
  • 5.9. User Assistance
  • 5.10. User Feedback
• 6. The Infrastructure of Trust
  • 6.1. Federation Roles
  • 6.2. Trust Infrastructure and Registry Integration
  • 6.3. General Properties
  • 6.4. Trust Infrastructure Requirements
  • 6.5. Federation API endpoints
  • 6.6. Configuration of the Federation
  • 6.7. Entity Configuration
    • 6.7.1. Entity Configurations Common Parameters
    • 6.7.2. Entity Configuration Trust Anchor
    • 6.7.3. Entity Configuration Leaves and Intermediates
    • 6.7.4. Metadata Types
  • 6.8. Metadata of federation_entity Leaves
  • 6.9. Subordinate Statements
    • 6.9.1. Subordinate Statement
  • 6.10. Federation Discovery
    • 6.10.1. Establishing Trust with Credential Issuers
    • 6.10.2. Establishing Trust with Relying Party
    • 6.10.3. Evaluating Trust with Wallets
  • 6.11. Trust Chain
    • 6.11.1. Offline Trust Attestation Mechanisms
    • 6.11.2. Trust Chain Fast Renewal
  • 6.12. Trust Evaluation Mechanism
    • 6.12.1. Establishing Trust with Credential Issuers
    • 6.12.2. Establishing Trust with Relying Party
    • 6.12.3. Evaluating Trust with Wallets
  • 6.13. Non-repudiability of the Long Lived Attestations
  • 6.14. X.509 PKI
    • 6.14.1. Federation Trust Anchor and X.509 CA
    • 6.14.2. X.509 Certificates Issuance
    • 6.14.3. X.509 Certificate Revocation
    • 6.14.4. Federation Subordinate Events Endpoint
  • 6.15. Privacy Remarks
  • 6.16. Considerations about Decentralization
• 7. Registry Infrastructure
  • 7.1. Registry Architecture Overview
  • 7.2. Registry Discovery Endpoint
  • 7.3. Claims Registry
    • 7.3.1. Claims Registry Usage
    • 7.3.2. Claims Registry Structure
  • 7.4. Authentic Source Registry
    • 7.4.1. AS Registry Usage
    • 7.4.2. Public vs Private AS Coordination
    • 7.4.3. AS Registry Structure
    • 7.4.4. AS-CI Coordination
  • 7.5. Federation Registry
    • 7.5.1. Registry Integration Role
    • 7.5.2. Federation Registry Access
  • 7.6. Digital Credentials Catalog
    • 7.6.1. Digital Credentials Hierarchy
    • 7.6.2. Digital Credentials Catalog Structure
  • 7.7. Taxonomy
  • 7.8. Registry Integration and Cross-References
• 8. Entity Onboarding
  • 8.1. Overview
    • 8.1.1. Entity Onboarding System Architecture
    • 8.1.2. Entity Types and Onboarding Pathways
    • 8.1.3. Administrative and Technical Registration
  • 8.2. Authentic Sources Registration Process
    • 8.2.1. Authentic Source Registration Requirements
    • 8.2.2. Authentic Sources Registration Information Requirements
    • 8.2.3. Authentic Source Registration Procedure
  • 8.3. Authentic Source to Credential Issuer Authorization Process
  • 8.4. Federation Entities Onboarding Process
    • 8.4.1. Hierarchical Federation Authority Model
    • 8.4.2. Federation Onboarding Prerequisites
    • 8.4.3. Federation Onboarding Procedure
    • 8.4.4. IT-Wallet Federation Trust Marks
• 9. X.509 Certificate Management Operations
  • 9.1. Federation PKI Architecture
  • 9.2. X.509 Certificate Chain Structure and Analysis
    • 9.2.1. X.509 Certificate Chain Visualization
    • 9.2.2. X.509 Certificate Chain Validation
  • 9.3. X.509 Certificate Revocation Management
    • 9.3.1. CRL Distribution and Access
    • 9.3.2. X.509 Certificate Revocation Verification
  • 9.4. X.509 Certificate Management Best Practices
    • 9.4.1. X.509 Certificate Validation Integration
    • 9.4.2. Diagnostic and Troubleshooting
    • 9.4.3. X.509 Certificate Lifecycle Coordination
  • 9.5. Technical Configuration Updates
  • 9.6. Technical Federation Exit Procedures
    • 9.6.1. Voluntary Exit - Technical Deactivation
    • 9.6.2. Supervisory Body Removal - Technical Implementation
• 10. Entities
  • 10.1. Wallet Solution
    • 10.1.1. Wallet Solution Requirements
    • 10.1.2. Wallet Solution Components
    • 10.1.3. Wallet Solution Interaction Patterns
    • 10.1.4. Wallet Instance
    • 10.1.5. Backup and Restore
    • 10.1.6. Wallet Provider Entity Configuration
    • 10.1.7. Wallet Provider Metadata
  • 10.2. Credential Issuer Solution
    • 10.2.1. Credential Issuer Requirements
    • 10.2.2. Component Details
    • 10.2.3. Interaction Patterns
    • 10.2.4. Credential Issuer Entity Configuration
    • 10.2.5. Credential Issuer Metadata
  • 10.3. Relying Party Solution
    • 10.3.1. Relying Party Instance
    • 10.3.2. Mobile Relying Party Instance
    • 10.3.3. Web Relying Party Instance
    • 10.3.4. Relying Party Entity Configuration
    • 10.3.5. Relying Party Metadata
  • 10.4. Authentic Sources
• 11. Digital Credential Management
  • 11.1. Digital Credential Data Model
    • 11.1.1. SD-JWT-VC Credential Format
    • 11.1.2. mdoc-CBOR Credential Format
    • 11.1.3. Cross-Format Credential Parameters Mapping
  • 11.2. Digital Credential Lifecycle
    • 11.2.1. Credential Transitions
    • 11.2.2. Digital Credential Lifecycle in a Batch
    • 11.2.3. Credential Lifecycle Management
    • 11.2.4. Validity Verification Mechanisms
• 12. Digital Credential Flows
  • 12.1. Digital Credential Issuance
    • 12.1.1. Credential Issuance High-Level Flows
    • 12.1.2. Credential Issuance Low-Level Flows
    • 12.1.3. eID Substantial Authentication with MRTD Verification for PID Issuance
  • 12.2. Digital Credential Presentation
    • 12.2.1. Remote Flow
    • 12.2.2. Proximity Flow
• 13. Endpoints
  • 13.1. Wallet Provider Endpoints
    • 13.1.1. Federation Endpoint
    • 13.1.2. Wallet Solution Nonce Endpoint
    • 13.1.3. Wallet Instance Management Endpoint
    • 13.1.4. Wallet Attestation Issuance Endpoint
    • 13.1.5. e-Service PDND Wallet Provider Catalog
  • 13.2. Credential Issuer Endpoints
    • 13.2.1. Federation Endpoints
    • 13.2.2. Credential Issuance Endpoints
    • 13.2.3. e-Service PDND Credential Issuer Catalog
  • 13.3. Relying Party Endpoints
    • 13.3.1. Relying Party Federation Endpoint
    • 13.3.2. Relying Party Nonce Endpoint
    • 13.3.3. Relying Party Instance Initialization Endpoint
    • 13.3.4. Relying Party Key Binding Endpoint
    • 13.3.5. Relying Party Access Certificate Endpoint
    • 13.3.6. Relying Party Erasure Endpoint
  • 13.4. Authentic Source Endpoints
    • 13.4.1. e-Service PDND Authentic Source Catalog
  • 13.5. PDND Signal Hub Endpoints
    • 13.5.1. Prerequisites
    • 13.5.2. Signal Hub e-Services
    • 13.5.3. Signals Processing
• 14. Cryptographic Algorithms
• 15. Security and Privacy Considerations
  • 15.1. Security Requirements
    • 15.1.1. SR-CF-10 and SR-E-10
    • 15.1.2. SR-CF-20
    • 15.1.3. SR-CF-21
    • 15.1.4. SR-E-20
    • 15.1.5. SR-E-30
    • 15.1.6. SR-E-40
    • 15.1.7. SR-I-10
    • 15.1.8. SR-I-20
    • 15.1.9. SR-I-30
    • 15.1.10. SR-I-40
    • 15.1.11. SR-I-50
    • 15.1.12. SR-P-20
    • 15.1.13. SR-P-30
    • 15.1.14. SR-P-40
    • 15.1.15. SR-P-41
    • 15.1.16. SR-P-50
    • 15.1.17. SR-V-10
    • 15.1.18. SR-V-20
    • 15.1.19. SR-W-20
    • 15.1.20. SR-W-30
  • 15.2. Privacy Requirements
    • 15.2.1. PR-CF-30
    • 15.2.2. PR-CF-40
    • 15.2.3. PR-E-60
    • 15.2.4. PR-E-70
    • 15.2.5. PR-W-40
    • 15.2.6. PR-W-60
    • 15.2.7. PR-W-70
  • 15.3. Security and Privacy Requirements
    • 15.3.1. SPR-E-50
    • 15.3.2. SPR-P-10
    • 15.3.3. SPR-P-60
    • 15.3.4. SPR-P-70
    • 15.3.5. SPR-P-80
    • 15.3.6. SPR-W-50
• 16. General Log Retention Policies
  • 16.1. ISO/IEC 27001 Logging General Requirements
    • 16.1.1. Wallet Provider Log Retention Policy
    • 16.1.2. Credential Issuer Log Retention Policy
    • 16.1.3. Relying Party Log Retention Policy
    • 16.1.4. Wallet Instances Logging Features
• 17. Defined Terms and References
  • 17.1. Normative References
  • 17.2. Defined Terms and Acronyms
    • 17.2.1. Acronyms
  • 17.3. Normative References
    • 17.3.1. Official Resources
  • 17.4. Technical References
    • 17.4.1. Wallet Paradigm Frameworks
    • 17.4.2. Infrastructure of Trust
    • 17.4.3. Digital Credential Data Format
    • 17.4.4. Digital Credential Issuance
    • 17.4.5. Digital Credential Presentation
    • 17.4.6. Digital Credential Revocation Check Mechanisms
    • 17.4.7. National Data Interoperability Platform Specifications
    • 17.4.8. National Digital Identity Platform Specifications
    • 17.4.9. Security and Protection Profiles
• 18. How to contribute
  • 18.1. Acknowledgements
• 19. Open Source Releases
  • 19.1. Wallet Providers
  • 19.2. Credential Issuers
  • 19.3. Relying Parties
  • 19.4. Responsible Disclosure
• 20. Appendix
  • 20.1. Mobile Application Instance
    • 20.1.1. Mobile Application Instance Initialization
    • 20.1.2. Mobile Application Key Binding
  • 20.2. e-Service PDND
    • 20.2.1. Requirements and Security Patterns
    • 20.2.2. PDND Voucher Issuance
    • 20.2.3. Key Retrieval
    • 20.2.4. e-Service Usage
  • 20.3. Template e-Service PDND
    • 20.3.1. PDND Template e-service definition and guidelines
  • 20.4. Test Plans
    • 20.4.1. Structure of the Test Matrix