IT-Wallet Technical Documentation - Editor's Copy

12.1. Digital Credential Issuance

This section describes the PID and (Q)EAA issuance flows with a high level of security.

Credential Issuance Table of Contents

  • 12.1.1. Credential Issuance High-Level Flows
    • 12.1.1.1. High-Level PID flow
    • 12.1.1.2. High-Level (Q)EAA flow
  • 12.1.2. Credential Issuance Low-Level Flows
    • 12.1.2.1. Low-Level Issuance Flow
    • 12.1.2.2. Refresh Token Flow
      • 12.1.2.2.1. Security Considerations
    • 12.1.2.3. Re-Issuance Flow
      • 12.1.2.3.1. Re-Issuance Flow: Security Considerations
  • 12.1.3. eID Substantial Authentication with MRTD Verification for PID Issuance
    • 12.1.3.1. Design Principles
    • 12.1.3.2. System Architecture
    • 12.1.3.3. High-Level Flow
    • 12.1.3.4. Session Management
    • 12.1.3.5. Low-Level Flow
      • 12.1.3.5.1. Phase 1: OAuth Authorization Request
      • 12.1.3.5.2. Phase 2: Primary Authentication
      • 12.1.3.5.3. Phase 3: MRTD PoP Validation Flow
      • 12.1.3.5.4. Phase 4: OAuth Authorization Response
    • 12.1.3.6. Error Management
      • 12.1.3.6.1. MRTD PoP Response Errors
      • 12.1.3.6.2. MRTD PoP Validation Response Errors
      • 12.1.3.6.3. HTTP Status Code Mapping
    • 12.1.3.7. Security Considerations
      • 12.1.3.7.1. Secure Session Management
      • 12.1.3.7.2. Cryptographic Challenge Generation
      • 12.1.3.7.3. Nonce Lifecycle Management
      • 12.1.3.7.4. Security Controls
    • 12.1.3.8. Implementation Considerations
Last updated on 21/10/2025. Created using Sphinx 7.4.5.