11. Credential Issuer Solution
An Issuer, as an Organizational Entity participating in the IT-Wallet ecosystem, MUST provide Technical Solutions (Issuer Solution) that combine software, hardware, services, settings, and configurations to issue Digital Credentials to User Wallet Instances in a secure and trusted manner.
The following diagram depicts the Issuer Solution High Level Architecture.
Fig. 11.1 Credential Issuer Solution High Level Architecture.
11.1. Requirements
The Digital Credential Issuer Solution MUST:
Register with the Federation Authority to obtain proper authorization for issuing specific credential types.
Implement secure creation and issuance mechanisms that ensure integrity and confidentiality.
Communicate with Authentic Sources through secure and reliable API Services to obtain verified User data.
Authenticate to Wallet Instances during issuance to prove its legitimacy.
Support immediate issuance flow and MAY support deferred issuance for various operational scenarios.
Implement appropriate error handling and User notifications for all processes.
Maintain comprehensive audit trails while respecting privacy regulations.
Issue Digital Credentials that support Selective Disclosure.
Periodically renew its trust with the Federation.
Register the Relying Party Component within the CIEid Digital Identity Federation ecosystem (for PID issuance) and, if required, within the IT-Wallet ecosystem (for (Q)EAA issuance).
For PID issuance, authenticate Users with LoA High using national Digital Identity Providers.
For (Q)EAA issuance requiring authentication, verify a valid PID from the User's Wallet Instance via OpenID4VP.
Implement proper procedures for the entire Digital Credential lifecycle as detailed in Section Digital Credential Lifecycle.
For the Frontend Component (if implemented):
Authenticate Users with a Level of Assurance (LoA) at least equal to that used to obtain the Digital Credential being issued or managed.
Provide appropriate security measures to protect User data and Digital Credential information.
11.2. Component Details
11.2.1. Frontend Component
The Frontend Component, if provided by the Issuer, MUST provide a web-based User interface for Digital Credential management, offering functionality to:
Display and verify issued Digital Credentials and their status.
Manage Digital Credential lifecycle (e.g., revocation).
Initiate issuance through Credential Offers.
Provide User support and documentation.
Issuers MAY provide additional services to the User through the Frontend Component. These additional services MUST NOT conflict with any regulatory or technical requirements defined in this technical specification or in national/European security and privacy regulations.
11.2.2. Credential Issuer Component
Following the OpenID4VCI specification and the implementation profile in Section Digital Credential Issuance, this component MUST:
Issue Digital Credentials to Wallet Instances.
Process Digital Credential requests.
Obtain User data from Authentic Sources.
Generate properly formatted and signed Digital Credentials in supported formats (SD-JWT-VC, mDoc-CBOR). See Section Digital Credential Data Model for more details.
Implement the Digital Credential issuance protocols and flows.
11.2.4. Relying Party Component
When User authentication is required, this component MUST authenticate Users:
For PID issuance, via national Digital Identity Providers using OIDC or SAML2.
For (Q)EAA issuance, requesting, obtaining and validating PIDs from User Wallet Instances using OpenID4VP in accordance with Section Digital Credential Presentation.
11.2.5. API Interface
This component MUST establish secure connections with Authentic Sources to:
Retrieve verified User data.
Properly authenticate and authorize connections.
Format data according to Digital Credential schemas.
Provide cryptographic evidence of User authentication when required.
Note: For public Authentic Sources, a Credential Issuer MUST use PDND according to the rules in Sections e-Service PDND, Status Update by Authentic Sources, and Authentic Source Catalogue.
11.2.6. Credential Lifecycle Management
This component MUST handle:
Status management (maintaining and updating validity).
Revocation processes (implementing mechanisms to revoke or suspend Digital Credentials), according to Section Digital Credential Lifecycle.
Renewal workflows (managing Digital Credential renewal processes), according to the mechanisms defined in Section Digital Credential Issuance.
11.2.7. Trust & Security Component
This component MUST ensure security through:
Key and certificate management.
Audit logging.
Security monitoring and incident response.
Compliance with IT-Wallet Federation security requirements.
11.3. Interaction Patterns
The Digital Credential Issuer Solution supports these interaction patterns:
User to Frontend: Web-based interactions for Digital Credential management.
Frontend to Credential Issuer: Converts User requests into OpenID4VCI protocol messages.
Wallet Instance to Credential Issuer: Direct protocol-based interactions following the issuance flow.
Relying Party to Identity Providers: Authentication interactions with national eID systems or PID verification.
API Interface to Authentic Sources: Secure API calls to retrieve verified User data.
All interactions must follow the security considerations in Section Digital Credential Issuance, including proper handling of tokens, proofs, and cryptographic materials.
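As an added example (not code from the specification or from any Issuer Solution), the following shows one way the Frontend Component can turn a User request into an OpenID4VCI Credential Offer, and the checks a Wallet Instance makes before acting on it. The issuer URL and the credential configuration identifiers are constructed placeholders; the offer structure follows OpenID4VCI (credential_issuer, credential_configuration_ids, grants).

```python
# Added example: Frontend-side Credential Offer construction and Wallet-side
# validation. Issuer URL and configuration ids below are constructed placeholders.
import json
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

ISSUER = "https://issuer.example.org"                     # placeholder Issuer
SUPPORTED = {"PersonIdentificationData", "mDL"}           # placeholder config ids
PRE_AUTH = "urn:ietf:params:oauth:grant-type:pre-authorized_code"

def build_offer(config_ids, pre_authorized=False, tx_code_len=6):
    """Return (offer, issuer_state or pre-authorized code) for the request."""
    unknown = set(config_ids) - SUPPORTED
    if unknown:  # never offer a credential type this Issuer is not authorized for
        raise ValueError(f"unsupported credential configuration(s): {sorted(unknown)}")
    offer = {"credential_issuer": ISSUER,
             "credential_configuration_ids": list(config_ids)}
    if pre_authorized:
        # The Issuer already authenticated the User (e.g. in the Frontend); the
        # tx_code binds redemption of the code to an out-of-band PIN.
        code = secrets.token_urlsafe(32)
        offer["grants"] = {PRE_AUTH: {"pre-authorized_code": code,
                                      "tx_code": {"length": tx_code_len,
                                                  "input_mode": "numeric"}}}
        return offer, code
    # authorization_code: issuer_state lets the Issuer correlate the later
    # Authorization Request (PID/eID authentication) with this offer.
    state = secrets.token_urlsafe(16)
    offer["grants"] = {"authorization_code": {"issuer_state": state}}
    return offer, state

def offer_to_url(offer):
    """Encode the offer by value under the custom scheme the Wallet registers."""
    return "openid-credential-offer://?" + urlencode(
        {"credential_offer": json.dumps(offer, separators=(",", ":"))})

def parse_offer(url):
    """Wallet-side parsing: reject anything the Wallet should not act upon."""
    u = urlparse(url)
    if u.scheme != "openid-credential-offer":
        raise ValueError("unexpected scheme")
    q = parse_qs(u.query)
    if "credential_offer" not in q:
        raise ValueError("offer by reference (credential_offer_uri) not handled here")
    offer = json.loads(q["credential_offer"][0])
    iss = urlparse(offer["credential_issuer"])
    if iss.scheme != "https" or iss.query or iss.fragment:
        raise ValueError("credential_issuer must be an https URL without query/fragment")
    ids = offer["credential_configuration_ids"]
    if not isinstance(ids, list) or not ids:
        raise ValueError("credential_configuration_ids must be a non-empty list")
    grants = offer.get("grants", {})
    if grants and not ({"authorization_code", PRE_AUTH} & grants.keys()):
        raise ValueError("no usable grant type in offer")
    if PRE_AUTH in grants and "pre-authorized_code" not in grants[PRE_AUTH]:
        raise ValueError("pre-authorized grant without a code")
    return offer
```

The Wallet Instance still has to resolve the Issuer's Entity Configuration and metadata before trusting anything in the offer; the checks above only reject malformed offers early.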
11.4. Exposed Endpoints
11.4.1. Federation Endpoints
The Credential Issuers MUST provide an Entity Configuration through the /.well-known/openid-federation endpoint, according to Section Entity Configuration. Technical details are provided in Section Entity Configuration of Credential Issuers.
11.4.2. Credential Issuer Component Endpoints
These endpoints implement the protocols described in Section Credential Issuance Endpoints for Digital Credential issuance operations.