7. Registry Infrastructure

The IT-Wallet ecosystem operates through a registry infrastructure that provides standardized data definitions, entity registration, and Credential discovery capabilities. The registry system consists of multiple interconnected components that support the complete lifecycle of digital Credential operations from entity onboarding to Credential presentation.

The registry architecture addresses semantic standardization, federation trust management, and Credential discovery requirements through specialized registry components that ensure interoperability and compliance across the ecosystem.

7.1. Registry Architecture Overview

The IT-Wallet System Register comprises six main components:

  1. Claims Registry: Standardized semantic definitions for individual Credential attributes, data types, and validation rules.

  2. Authentic Source (AS) Registry: Catalog of registered data providers with their declared capabilities and available claims.

  3. Federation Registry: Authoritative list of trusted entities participating in the federation with their technical configurations.

  4. Digital Credentials Catalog: Public discovery mechanism for available Credential types with their metadata and issuance information.

  5. Schema Registry: Authoritative list of Credential Schemas.

  6. Taxonomy: Hierarchical classification system organizing Credentials by domain and purpose.

These registry components are interconnected and maintained by the Supervisory Body to ensure consistency, security, and regulatory compliance across the ecosystem.

7.2. Registry Discovery Endpoint

The Trust Anchor MUST provide a discovery mechanism for all registry components through standardized well-known endpoints. These endpoints provide metadata and REST API discovery information to handle complex operations like pagination and filtering.

The Trust Anchor MUST publish registry discovery metadata at the .well-known/it-wallet-registry endpoint with content negotiation support:

  • Default Content-Type: application/jwt (signed JWT ensuring authenticity and integrity)

  • Alternative Content-Type: application/json (plain JSON for development/debugging purposes)

Moreover, the IT-Wallet System Register MUST use two distinct access patterns:

  • Data Registry APIs: MUST support pagination and filtering capabilities.

  • Federation Trust Infrastructure: as defined in The Infrastructure of Trust.

A non-normative example is given below.

GET /.well-known/it-wallet-registry HTTP/1.1
Host: trust-anchor.eid-wallet.example.it
Accept: application/jwt

HTTP/1.1 200 OK
Content-Type: application/jwt

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...

GET /.well-known/it-wallet-registry HTTP/1.1
Host: trust-anchor.eid-wallet.example.it
Accept: application/json

HTTP/1.1 200 OK
Content-Type: application/json

7.2.1. Registry Discovery Endpoint Parameters

The JWT payload of the Registry Discovery response MUST contain the following parameters:

Table 7.1 Registry Discovery Endpoint — JWT Payload Parameters

| Field Name | Description |
|---|---|
| id | REQUIRED. Unique identifier of the discovery document (e.g., urn:it-wallet-registry:it-wallet). |
| version | REQUIRED. Version of the discovery document format (e.g., 1.0.0). |
| last_updated | REQUIRED. Timestamp of the last modification to the discovery document (e.g., 2024-03-15T10:30:00Z). |
| endpoints | REQUIRED. JSON object containing the URIs of all registry components. The following endpoint keys MUST be present: claims_registry (URI of the Claims Registry API); authentic_sources (URI of the Authentic Source Registry API); credential_catalog (URI of the Digital Credentials Catalog well-known endpoint); taxonomy (URI of the Taxonomy resource); schema_registry (URI of the Schema Registry API); federation_list (URI of the federation list endpoint, OpenID Federation /list); federation_fetch (URI of the federation fetch endpoint, OpenID Federation /fetch); federation_resolve (URI of the federation resolve endpoint, OpenID Federation /resolve); federation_trust_mark_status (URI of the Trust Mark status endpoint); federation_historical_keys (URI of the historical JWKs endpoint). |
| content_negotiation | REQUIRED. Array of content types supported by the discovery endpoint (e.g., ["application/json", "application/jwt"]). |

JWT payload structure (when decoded):

{
  "id": "urn:it-wallet-registry:it-wallet",
  "version": "1.0.0",
  "last_updated": "2024-03-15T10:30:00Z",
  "endpoints": {
    "claims_registry": "https://trust-anchor.eid-wallet.example.it/api/v1/claims",
    "authentic_sources": "https://trust-anchor.eid-wallet.example.it/api/v1/authentic-sources",
    "credential_catalog": "https://trust-anchor.eid-wallet.example.it/api/v1/.well-known/credential-catalog",
    "taxonomy": "https://trust-anchor.eid-wallet.example.it/api/v1/taxonomy",
    "schema_registry": "https://trust-anchor.eid-wallet.example.it/api/v1/schemas",
    "federation_list": "https://trust-anchor.eid-wallet.example.it/list",
    "federation_fetch": "https://trust-anchor.eid-wallet.example.it/fetch",
    "federation_resolve": "https://trust-anchor.eid-wallet.example.it/resolve",
    "federation_trust_mark_status": "https://trust-anchor.eid-wallet.example.it/trust_mark_status",
    "federation_historical_keys": "https://trust-anchor.eid-wallet.example.it/historical-jwks"
  },
  "content_negotiation": ["application/json", "application/jwt"]
}
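A client-side check of the decoded discovery document, added here as an example (it is not code from the IT-Wallet specification): it enforces the required fields and endpoint keys of Table 7.1, refuses the unsigned application/json variant by default, and accepts only https endpoint URIs on hosts the caller allows. The function name, the `allowed_hosts` policy and the `require_signed` switch are assumptions of this example, and the JWT signature is assumed to have been verified before the payload is passed in.

```python
from urllib.parse import urlsplit

# Endpoint keys that Table 7.1 requires inside "endpoints".
REQUIRED_ENDPOINTS = (
    "claims_registry", "authentic_sources", "credential_catalog", "taxonomy",
    "schema_registry", "federation_list", "federation_fetch",
    "federation_resolve", "federation_trust_mark_status",
    "federation_historical_keys",
)
REQUIRED_FIELDS = ("id", "version", "last_updated", "endpoints",
                   "content_negotiation")

# Sample input constructed from the non-normative payload shown above.
TRUST_ANCHOR_HOST = "trust-anchor.eid-wallet.example.it"
_BASE = "https://" + TRUST_ANCHOR_HOST
SAMPLE = {
    "id": "urn:it-wallet-registry:it-wallet",
    "version": "1.0.0",
    "last_updated": "2024-03-15T10:30:00Z",
    "endpoints": {
        "claims_registry": _BASE + "/api/v1/claims",
        "authentic_sources": _BASE + "/api/v1/authentic-sources",
        "credential_catalog": _BASE + "/api/v1/.well-known/credential-catalog",
        "taxonomy": _BASE + "/api/v1/taxonomy",
        "schema_registry": _BASE + "/api/v1/schemas",
        "federation_list": _BASE + "/list",
        "federation_fetch": _BASE + "/fetch",
        "federation_resolve": _BASE + "/resolve",
        "federation_trust_mark_status": _BASE + "/trust_mark_status",
        "federation_historical_keys": _BASE + "/historical-jwks",
    },
    "content_negotiation": ["application/json", "application/jwt"],
}


def check_discovery(payload, content_type, allowed_hosts, require_signed=True):
    """Return a list of problems found in a registry discovery document.

    payload       -- decoded JSON object (JWT payload or plain JSON body)
    content_type  -- Content-Type header of the HTTP response
    allowed_hosts -- hosts accepted for registry endpoints (local policy,
                     an assumption of this example)
    """
    problems = []
    media_type = content_type.split(";")[0].strip().lower()
    # application/json is meant for development and debugging only.
    if require_signed and media_type != "application/jwt":
        problems.append(f"unsigned response ({media_type}) refused")

    for field in REQUIRED_FIELDS:
        if field not in payload:
            problems.append(f"missing field: {field}")

    endpoints = payload.get("endpoints")
    if isinstance(endpoints, dict):
        for key in REQUIRED_ENDPOINTS:
            uri = endpoints.get(key)
            if not isinstance(uri, str):
                problems.append(f"missing endpoint: {key}")
                continue
            parts = urlsplit(uri)
            if parts.scheme != "https":
                problems.append(f"{key}: not an https URI")
            elif parts.hostname not in allowed_hosts:
                problems.append(f"{key}: unexpected host {parts.hostname}")

    negotiation = payload.get("content_negotiation")
    if isinstance(negotiation, list) and "application/jwt" not in negotiation:
        problems.append("content_negotiation does not offer application/jwt")
    return problems
```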

7.3. Claims Registry

The Claims Registry provides standardized semantic definitions for individual Credential attributes, data types, and validation rules. This registry serves as the semantic foundation for Credential attribute standardization across the IT-Wallet ecosystem, working in coordination with the Taxonomy component for hierarchical classification.

The Supervisory Body MUST maintain the Claims Registry to ensure semantic consistency and regulatory compliance across the ecosystem. The registry MUST contain:

  • Standardised Claims: Semantic definitions for all Credential attributes with data types and validation rules.

  • Interoperability Mappings: Alias definitions for claims that use different terminology across standards (e.g., ISO18013-5 place_of_birth mapped to canonical birth_place).

  • Data Formats: Standardised data types (string, date, numeric, boolean, email, url, image, array, object) with validation patterns.

The Claims Registry MUST ensure:

  • Semantic Consistency: Prevents conflicts between duplicate or overlapping claims across the ecosystem.

  • Cross-border Interoperability: Ensures EU compliance and consistent claim interpretation.

  • Schema Validation: Provides authoritative definitions for claim validation across all Credential scenarios.

  • Regulatory Alignment: Coordinates with the national and EU regulatory frameworks.

  • Credential-Agnostic Scenarios: Supports scenarios where user convenience and business operational efficiency are prioritized over regulatory compliance and audit trails.

Note

The Claims Registry defines semantic properties of individual attributes, but MUST NOT specify selective disclosure capabilities. Selective disclosure depends on Credential format implementations (SD-JWT, mDocs), issuer technical configurations, and presentation context. These capabilities are specified at the Credential type level within the Digital Credentials Catalog and implemented during Credential presentation flows.

7.3.1. Claims Registry Usage

The Claims Registry MUST support the complete ecosystem lifecycle:

During Onboarding Process:

  • AS Registration: Authentic Sources declare available claims from the standardized registry during capability registration.

  • CI Registration: Credential Issuers select AS entities based on required claims and register Credential types for catalog publication.

  • RP Registration: Relying Parties specify authorization requirements using domains/purposes for specific Credential types and/or User's attributes.

During Operational Activities:

  • Credential Issuance: Claims definitions ensure consistent data representation across different Credential types.

  • Presentation Requests: RPs reference claims for schema validation and authorization verification in both credential-specific and credential-agnostic scenarios.

  • Policy Enforcement: Authorization policies leverage domain/purpose classifications for access control.

7.3.2. Claims Registry Structure

The Claims Registry maintains language-neutral, technical definitions for semantic consistency across the ecosystem. User-facing localizations for claim names and descriptions are provided via dedicated localization bundles referenced through the localization.base_uri field, enabling efficient multilingual support without compromising the registry's structural integrity.

Table 7.2 First-level Fields of the Claims Registry

| Field Name | Description |
|---|---|
| id | REQUIRED. Unique identifier of the Claims Registry (e.g., urn:claims:it-wallet). |
| version | REQUIRED. The version of the Claims Registry (e.g., 1.0.0). |
| last_modified | REQUIRED. The timestamp indicating when the registry was last updated (e.g., 2026-03-06T00:00:00Z). |
| localization | REQUIRED. Localization configuration object containing: default_locale (default locale code, e.g., it); available_locales (array of supported locale codes, e.g., ["en", "it"]); base_uri (base URI for localization bundle retrieval, e.g., https://trust-registry.eid-wallet.example.it/.well-known/l10n/claims/); version (version of the localization bundle format). |
| claims | REQUIRED. A JSON Object where each key is a claim name and each value is a JSON Object describing that claim. Each claim object contains the parameters defined in the "Claim Entry Parameters" table below. |

Table 7.3 Claim Entry Parameters

| Field Name | Description |
|---|---|
| description_l10n_id | REQUIRED. Localization key referencing the human-readable description of the claim in the localization bundle (e.g., claim.given_name.description). |
| type | REQUIRED. Data type of the claim. Supported values: string, boolean, array, object. |
| format | OPTIONAL. Semantic format qualifier for string types (e.g., date for ISO 8601 dates, uri, data for Base64-encoded binary). |
| encoding | OPTIONAL. Encoding applied to the value (e.g., base64). Present when format is data. |
| aliases | OPTIONAL. Array of alternative claim names used in other standards that map to this canonical claim (e.g., ["birthdate"] for birth_date, ["date_of_expiry"] for expiry_date). |
| nested_claims | OPTIONAL. Array of claim names that form the properties of an object type claim (e.g., ["country", "locality", "region"] for place_of_birth). |
| nested_item_claims | OPTIONAL. Array of claim names representing the properties of each item in an array type claim (e.g., ["vehicle_category_code", "issue_date", "expiry_date", "codes"] for driving_privileges). |
| items | OPTIONAL. JSON object describing the schema of each element in a simple array type claim (e.g., {"type": "string"} for nationalities). |

A non-normative example of Claims Registry structure is given below:

{
    "id": "urn:claims:it-wallet",
    "version": "1.0.0",
    "last_modified": "2026-03-06T00:00:00Z",
    "localization": {
        "available_locales": [
            "en",
            "it"
        ],
        "base_uri": "https://trust-registry.eid-wallet.example.it/.well-known/l10n/claims/",
        "default_locale": "it",
        "version": "1.0.0"
    },
    "claims": {
        "academic_qualification_date": {
            "description_l10n_id": "claim.academic_qualification_date.description",
            "format": "date",
            "type": "string"
        },
        "academic_year": {
            "description_l10n_id": "claim.academic_year.description",
            "type": "string"
        },
        "address": {
            "description_l10n_id": "claim.address.description",
            "nested_claims": [
                "country",
                "house_number",
                "locality",
                "locality_fraction",
                "postal_code",
                "region",
                "street_address"
            ],
            "type": "object"
        },
        "birth_date": {
            "aliases": [
                "birthdate"
            ],
            "description_l10n_id": "claim.birth_date.description",
            "format": "date",
            "type": "string"
        },
        "birth_place": {
            "description_l10n_id": "claim.birth_place.description",
            "type": "string"
        },
        "codes": {
            "description_l10n_id": "claim.codes.description",
            "items": {
                "properties": {
                    "code": {
                        "description_l10n_id": "claim.code.description",
                        "type": "string"
                    },
                    "sign": {
                        "description_l10n_id": "claim.sign.description",
                        "type": "string"
                    },
                    "value": {
                        "description_l10n_id": "claim.value.description",
                        "type": "string"
                    }
                },
                "type": "object"
            },
            "nested_item_claims": [
                "code",
                "sign",
                "value"
            ],
            "type": "array"
        },
        "constant_attendance_allowance": {
            "description_l10n_id": "claim.constant_attendance_allowance.description",
            "type": "boolean"
        },
        "consulate_code": {
            "description_l10n_id": "claim.consulate_code.description",
            "type": "string"
        },
        "consulate_name": {
            "description_l10n_id": "claim.consulate_name.description",
            "type": "string"
        },
        "content": {
            "description_l10n_id": "claim.content.description",
            "encoding": "base64",
            "format": "data",
            "type": "string"
        },
        "country": {
            "description_l10n_id": "claim.country.description",
            "type": "string"
        },
        "cpia_school_year": {
            "description_l10n_id": "claim.cpia_school_year.description",
            "type": "string"
        },
        "degree_class": {
            "description_l10n_id": "claim.degree_class.description",
            "type": "string"
        },
        "degree_class_name": {
            "description_l10n_id": "claim.degree_class_name.description",
            "type": "string"
        },
        "degree_course_name": {
            "description_l10n_id": "claim.degree_course_name.description",
            "type": "string"
        },
        "degree_course_year": {
            "description_l10n_id": "claim.degree_course_year.description",
            "type": "string"
        },
        "document_iss_authority": {
            "description_l10n_id": "claim.document_iss_authority.description",
            "type": "string"
        },
        "document_iss_country": {
            "description_l10n_id": "claim.document_iss_country.description",
            "type": "string"
        },
        "document_number": {
            "description_l10n_id": "claim.document_number.description",
            "type": "string"
        },
        "driving_privileges": {
            "description_l10n_id": "claim.driving_privileges.description",
            "nested_item_claims": [
                "vehicle_category_code",
                "issue_date",
                "expiry_date",
                "codes"
            ],
            "type": "array"
        },
        "education_degrees": {
            "description_l10n_id": "claim.education_degrees.description",
            "nested_item_claims": [
                "academic_qualification_date",
                "degree_class",
                "degree_class_name",
                "degree_course_name",
                "institute_name",
                "programme_type_name",
                "qualification_grade_value",
                "qualification_name"
            ],
            "type": "array"
        },
        "education_enrollments": {
            "description_l10n_id": "claim.education_enrollments.description",
            "nested_item_claims": [
                "academic_year",
                "degree_class",
                "degree_class_name",
                "degree_course_name",
                "degree_course_year",
                "institute_name",
                "programme_type_name"
            ],
            "type": "array"
        },
        "educational_track": {
            "description_l10n_id": "claim.educational_track.description",
            "type": "string"
        },
        "effective_date": {
            "description_l10n_id": "claim.effective_date.description",
            "format": "date",
            "type": "string"
        },
        "expiry_date": {
            "aliases": [
                "date_of_expiry"
            ],
            "description_l10n_id": "claim.expiry_date.description",
            "format": "date",
            "type": "string"
        },
        "family_name": {
            "description_l10n_id": "claim.family_name.description",
            "type": "string"
        },
        "foreign_residence": {
            "description_l10n_id": "claim.foreign_residence.description",
            "type": "boolean"
        },
        "given_name": {
            "description_l10n_id": "claim.given_name.description",
            "type": "string"
        },
        "house_number": {
            "description_l10n_id": "claim.house_number.description",
            "type": "string"
        },
        "institute_code": {
            "description_l10n_id": "claim.institute_code.description",
            "type": "string"
        },
        "institute_name": {
            "description_l10n_id": "claim.institute_name.description",
            "type": "string"
        },
        "issue_date": {
            "description_l10n_id": "claim.issue_date.description",
            "format": "date",
            "type": "string"
        },
        "link_qr_code": {
            "description_l10n_id": "claim.link_qr_code.description",
            "format": "uri",
            "type": "string"
        },
        "locality": {
            "description_l10n_id": "claim.locality.description",
            "type": "string"
        },
        "locality_fraction": {
            "description_l10n_id": "claim.locality_fraction.description",
            "type": "string"
        },
        "nationalities": {
            "description_l10n_id": "claim.nationalities.description",
            "items": {
                "type": "string"
            },
            "type": "array"
        },
        "place_of_birth": {
            "description_l10n_id": "claim.place_of_birth.description",
            "nested_claims": [
                "country",
                "locality",
                "region"
            ],
            "type": "object"
        },
        "portrait": {
            "description_l10n_id": "claim.portrait.description",
            "encoding": "base64",
            "format": "data",
            "type": "string"
        },
        "postal_code": {
            "description_l10n_id": "claim.postal_code.description",
            "type": "string"
        },
        "professional_qualification": {
            "description_l10n_id": "claim.professional_qualification.description",
            "type": "string"
        },
        "programme_type_name": {
            "description_l10n_id": "claim.programme_type_name.description",
            "type": "string"
        },
        "qualification_grade_value": {
            "description_l10n_id": "claim.qualification_grade_value.description",
            "type": "string"
        },
        "qualification_name": {
            "description_l10n_id": "claim.qualification_name.description",
            "type": "string"
        },
        "qualification_type": {
            "description_l10n_id": "claim.qualification_type.description",
            "type": "string"
        },
        "qualification_type_description": {
            "description_l10n_id": "claim.qualification_type_description.description",
            "type": "string"
        },
        "qualification_year": {
            "description_l10n_id": "claim.qualification_year.description",
            "type": "string"
        },
        "region": {
            "description_l10n_id": "claim.region.description",
            "type": "string"
        },
        "restrictions_conditions": {
            "description_l10n_id": "claim.restrictions_conditions.description",
            "type": "string"
        },
        "school_attendance_type": {
            "description_l10n_id": "claim.school_attendance_type.description",
            "type": "string"
        },
        "school_code": {
            "description_l10n_id": "claim.school_code.description",
            "type": "string"
        },
        "school_course_year": {
            "description_l10n_id": "claim.school_course_year.description",
            "type": "string"
        },
        "school_name": {
            "description_l10n_id": "claim.school_name.description",
            "type": "string"
        },
        "school_qualifications": {
            "description_l10n_id": "claim.school_qualifications.description",
            "nested_item_claims": [
                "educational_track",
                "institute_code",
                "institute_name",
                "professional_qualification",
                "qualification_grade_value",
                "qualification_type",
                "qualification_type_description",
                "qualification_year",
                "school_code",
                "school_name",
                "school_year"
            ],
            "type": "array"
        },
        "school_year": {
            "description_l10n_id": "claim.school_year.description",
            "type": "string"
        },
        "street_address": {
            "description_l10n_id": "claim.street_address.description",
            "type": "string"
        },
        "tax_id_code": {
            "description_l10n_id": "claim.tax_id_code.description",
            "type": "string"
        },
        "un_distinguishing_sign": {
            "description_l10n_id": "claim.un_distinguishing_sign.description",
            "type": "string"
        },
        "vehicle_category_code": {
            "description_l10n_id": "claim.vehicle_category_code.description",
            "type": "string"
        }
    }
}
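How a consumer might apply these definitions to incoming claim data, as an added example that is not part of the specification: alias names are mapped to their canonical claim, then each value is checked against the entry's `type`, `format`, `encoding`, `nested_claims` and `items`. The function names are hypothetical, the registry excerpt is constructed from entries on this page and trimmed to the fields the checks read, and treating undeclared nested keys as errors is a policy choice of this example.

```python
import base64
import binascii
from datetime import date

# Constructed excerpt of the Claims Registry, reusing entries shown on this page.
REGISTRY = {"claims": {
    "birth_date": {"aliases": ["birthdate"], "format": "date", "type": "string"},
    "given_name": {"type": "string"},
    "foreign_residence": {"type": "boolean"},
    "nationalities": {"items": {"type": "string"}, "type": "array"},
    "portrait": {"encoding": "base64", "format": "data", "type": "string"},
    "place_of_birth": {"nested_claims": ["country", "locality", "region"],
                       "type": "object"},
    "country": {"type": "string"},
    "locality": {"type": "string"},
    "region": {"type": "string"},
}}

# Registry "type" values mapped to the Python types of decoded JSON.
PY_TYPES = {"string": str, "boolean": bool, "array": list, "object": dict}


def build_alias_index(registry):
    """Map every canonical name and alias to its canonical claim name."""
    index = {}
    for name, entry in registry["claims"].items():
        for label in [name, *entry.get("aliases", [])]:
            # An alias that points at two claims would make lookups ambiguous.
            if index.setdefault(label, name) != name:
                raise ValueError(
                    f"{label!r} maps to both {index[label]!r} and {name!r}")
    return index


def check_value(registry, name, value, path=""):
    """Return problems for one value checked against claim `name`."""
    where = path + name
    entry = registry["claims"].get(name)
    if entry is None:
        return [f"{where}: not defined in the Claims Registry"]
    expected = PY_TYPES.get(entry.get("type"))
    if expected is None or not isinstance(value, expected):
        return [f"{where}: expected {entry.get('type')}"]
    problems = []
    if entry.get("format") == "date":
        try:
            date.fromisoformat(value)
        except ValueError:
            problems.append(f"{where}: not an ISO 8601 date")
    if entry.get("format") == "data" and entry.get("encoding") == "base64":
        try:
            base64.b64decode(value, validate=True)
        except (binascii.Error, ValueError):
            problems.append(f"{where}: not valid base64")
    if entry["type"] == "object":
        allowed = entry.get("nested_claims", [])
        for key, nested in value.items():
            if key not in allowed:
                problems.append(f"{where}.{key}: not a nested claim of {name}")
            else:
                problems += check_value(registry, key, nested, where + ".")
    if entry["type"] == "array" and "items" in entry:
        item_type = PY_TYPES.get(entry["items"].get("type"))
        for i, item in enumerate(value):
            if item_type and not isinstance(item, item_type):
                problems.append(
                    f"{where}[{i}]: expected {entry['items']['type']}")
    return problems


def check_claims(registry, claims):
    """Canonicalise alias names, then validate every claim value."""
    index = build_alias_index(registry)
    canonical, problems = {}, []
    for name, value in claims.items():
        target = index.get(name)
        if target is None:
            problems.append(f"{name}: not defined in the Claims Registry")
        elif target in canonical:
            # The same claim arrived twice, once under an alias.
            problems.append(f"{name}: duplicates claim {target}")
        else:
            canonical[target] = value
            problems += check_value(registry, target, value)
    return canonical, problems
```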

Note

To manage the localization of the information contained in the Claims Registry more efficiently, an Entity consulting it SHOULD:

  • Download the basic version of the Claims Registry (compact, without localizations) using the .well-known/claims endpoint.

  • Determine the User's preferred language.

  • Download only the necessary localization bundles.

  • Dynamically merge localised content with the Claims Registry structure.

A non-normative example of a localization bundle output is given below:

{
  "claim.given_name.description": "Person's given name(s) as they appear on official documents.",
  "claim.birth_date.description": "Date of birth, in ISO 8601 format (YYYY-MM-DD). Also known as birthdate.",
  "claim.driving_privileges.description": "Array of authorized vehicle categories with details.",
  "...": "..."
}

Localization bundles MUST be available at the URI composed by appending the locale code and .json to the localization.base_uri value (e.g., https://trust-registry.eid-wallet.example.it/.well-known/l10n/claims/it.json).
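The four steps in the note above, together with the bundle URI rule, as an added example that is not part of the specification. The function names are hypothetical; the locale pattern, the requirement that `base_uri` ends in `/`, and ignoring non-string bundle values are assumptions made so that values taken from a remote registry cannot redirect the bundle request or inject structure into the merged result.

```python
import re
from urllib.parse import urlsplit

# Conservative shape for locale codes such as "it" or "en-GB" (assumption).
LOCALE_RE = re.compile(r"[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*")

# Localization object constructed from the non-normative example on this page.
LOCALIZATION = {
    "available_locales": ["en", "it"],
    "base_uri": "https://trust-registry.eid-wallet.example.it/.well-known/l10n/claims/",
    "default_locale": "it",
    "version": "1.0.0",
}


def pick_locale(localization, preferred):
    """Return the first preferred locale the registry offers, else the default."""
    available = localization["available_locales"]
    for code in preferred:
        if code in available:
            return code
    return localization["default_locale"]


def bundle_uri(localization, locale):
    """Compose base_uri + locale + '.json', refusing anything unexpected."""
    if locale not in localization["available_locales"]:
        raise ValueError(f"locale {locale!r} is not offered by the registry")
    # The list itself is remote data, so the code is also checked for shape:
    # a value such as "../../x" must never reach the URL.
    if not LOCALE_RE.fullmatch(locale):
        raise ValueError(f"locale {locale!r} is not a plain locale code")
    base = localization["base_uri"]
    if urlsplit(base).scheme != "https" or not base.endswith("/"):
        raise ValueError("base_uri must be an https URI ending in '/'")
    return f"{base}{locale}.json"


def merge_descriptions(registry, bundle):
    """Return ({claim name: localized description}, [keys the bundle lacks])."""
    merged, missing = {}, []
    for name, entry in registry["claims"].items():
        key = entry["description_l10n_id"]
        text = bundle.get(key)
        if isinstance(text, str):
            merged[name] = text
        else:
            # Absent or non-string values are reported, never merged.
            missing.append(key)
    return merged, missing
```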

7.4. Authentic Source Registry

The Supervisory Body MUST maintain the Authentic Source Registry to enable coordinated data access and Credential issuance across the ecosystem. The AS Registry MUST contain at least:

  • Organization Information: Legal entity details, regulatory status, and authoritative role within specific domains.

  • Data Capabilities: Declared claims availability referencing standardized definitions from the Claims Registry with corresponding Taxonomy classifications.

  • Integration Methods: Technical access mechanisms (PDND).

  • Intended Purposes: Supported Credential types and business contexts for AS-CI coordination.

  • Data Quality Assurance: Authoritative status, update frequency, and audit trail capabilities.

The AS Registry MUST ensure:

  • Coordinated Data Access: Enables CI discovery of appropriate data from Authentic Sources for Credential issuance.

  • AS-CI Integration: Facilitates approval workflows and data access coordination between entities.

  • Quality Assurance: Maintains authoritative status and data reliability across different domains.

  • Regulatory Compliance: Supports public administration transparency and private sector coordination requirements.

Note

The Authentic Source Registry is a technical, non-public registry that provides guidance to the Credential Issuer for Credential provisioning.

7.4.1. Authentic Source Registry Usage

The AS Registry supports ecosystem coordination throughout the operational lifecycle:

During Onboarding Process:

  • AS Self-Declaration: Authentic Sources register capabilities before any Credential types exist in the catalog.

  • CI Discovery: Credential Issuers search for AS entities based on required claims and intended Credential types.

  • Approval Coordination: AS entities evaluate and approve CI access requests for data provision.

During Operational Activities:

  • Data Source Resolution: CI systems reference AS Registry for real-time data access during Credential issuance.

  • Quality Validation: AS Registry information supports data origin verification and audit requirements.

  • Integration Management: Technical endpoints and access methods enable standardized AS-CI communication.

7.4.2. Public vs Private AS Coordination

The AS Registry architecture supports different coordination patterns reflecting distinct operational requirements:

  1. Public Administration AS (Standardized Integration): Government entities provide authoritative data through regulated mechanisms:

  • PDND Integration: "integration_method": "pdnd" for standardized government data access.

  • Regulatory Compliance: Full transparency requirements with public catalog publication.

  • Audit Requirements: Complete traceability for government Credential issuance processes.

  2. Private Sector AS (Flexible Integration): Private entities provide specialized data through custom arrangements:

  • Custom APIs: "integration_method": "pdnd" for business-specific data access.

  • Regulatory Compliance: Full transparency requirements with public catalog publication.

  • Selective Disclosure: Limited public visibility with CI-specific approval workflows.

  • Business Flexibility: Tailored integration supporting diverse private sector use cases.

This approach enables both regulatory transparency for public administration and business flexibility for private sector entities while maintaining coordinated data access across the ecosystem.

7.4.3. AS Registry Structure

During registration, Authentic Sources declare their capabilities before Credential types exist in the catalog. This declaration establishes the foundation for subsequent CI registration and Credential type creation.

7.4.3.1. AS Unique Identifier Schema

Each Authentic Source MUST be assigned a unique identifier that follows the HTTPS URL schema defined below. This identifier is used for referencing AS entities across the registry system and in the Digital Credentials Catalog, ensuring consistency with OpenID Federation entity identification patterns.

AS Identifier Schema:

https://{organization_domain}[/{optional_path}]

Schema Components:

  • organization_domain: DNS domain controlled by the organization

  • optional_path: Additional path component for specific services or departments

The AS identifier MUST follow these normative rules:

  1. HTTPS Protocol: MUST use HTTPS scheme for security and trust verification

  2. Domain Ownership: Organization MUST control the DNS domain used in the identifier

  3. Uniqueness: Guaranteed through DNS namespace uniqueness

  4. Stability: SHOULD remain stable over time to avoid reference breakage

  5. Resolvability: The URL SHOULD be resolvable (though not required to serve content)

Examples of compliant AS identifiers:

  • https://motorizzazione.gov.example: Public - Ministry of Transport, Motorization Dept

  • https://registry.anpr.example: Public - National Registry of Resident Population

  • https://api.bank.example/auth-source: Private - Example Bank Financial Services
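The identifier rules above can be enforced mechanically when an `entity_id` is registered or consumed. The validator below is an added example, not part of the specification: rejecting ports, userinfo, query strings, fragments, IP-address hosts and dot segments is this example's reading of the `https://{organization_domain}[/{optional_path}]` schema, and the collision key (lower-cased host plus path without trailing slash) is an assumption.

```python
import re
from urllib.parse import urlsplit

# One DNS label: letters, digits and inner hyphens, at most 63 characters.
HOST_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?")


def check_as_identifier(entity_id):
    """Return a list of rule violations; an empty list means it conforms."""
    try:
        parts = urlsplit(entity_id)
        port = parts.port          # raises ValueError on a malformed port
    except ValueError as exc:
        return [f"not a parseable URL: {exc}"]
    problems = []
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        problems.append("userinfo is not part of the schema")
    if port is not None:
        problems.append("port is not part of the schema")
    if parts.query or parts.fragment:
        problems.append("query and fragment are not part of the schema")
    labels = (parts.hostname or "").split(".")
    if len(labels) < 2 or not all(HOST_LABEL.fullmatch(l) for l in labels):
        problems.append("host is not a DNS domain name")
    elif labels[-1].isdigit():
        # A numeric last label means a dotted-quad address, not a domain.
        problems.append("host is an IP address, not a DNS domain")
    if any(segment in (".", "..") for segment in parts.path.split("/")):
        problems.append("path contains dot segments")
    return problems


def audit_identifiers(entity_ids):
    """Validate each identifier and flag those that collide with an earlier one."""
    report, seen = {}, {}
    for entity_id in entity_ids:
        problems = check_as_identifier(entity_id)
        if not problems:
            parts = urlsplit(entity_id)
            # Collision key: an assumption of this example (see lead-in).
            key = (parts.hostname, parts.path.rstrip("/"))
            if key in seen:
                problems.append(f"collides with {seen[key]}")
            else:
                seen[key] = entity_id
        report[entity_id] = problems
    return report
```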

7.4.3.2. Authentic Source Registry Parameters

The Authentic Source Registry MUST contain the following parameters for each registered Authentic Source:

Table 7.4 First-level Fields of the Authentic Source Registry

| Field Name | Description |
|---|---|
| id | REQUIRED. Unique identifier of the Authentic Source Registry (e.g., urn:authentic-sources:it-wallet). |
| version | REQUIRED. The version of the Authentic Source Registry (e.g., 1.0.0). |
| last_modified | REQUIRED. The timestamp indicating when the list was last updated (e.g., 2025-03-15T12:00:00Z). |
| localization | REQUIRED. Localization configuration object containing: default_locale (default locale code, e.g., it); available_locales (array of supported locale codes, e.g., ["en", "it"]); base_uri (base URI for localization bundle retrieval, e.g., https://trust-registry.eid-wallet.example.it/.well-known/l10n/authentic-sources/); version (version of the localization bundle format). |
| authentic_sources | REQUIRED. A JSON Array where each entry is a JSON Object representing an Authentic Source entity. Each object contains the parameters defined in the "Authentic Sources Parameters" table below, including entity identification, organizational information, data capabilities, and integration methods. |

Table 7.5 Authentic Sources Parameters

| Parameter | Type | Description |
|---|---|---|
| entity_id | string | REQUIRED. Unique identifier following the normative schema: https://{organization_domain}[/{optional_path}]. |
| organization_info | JSON object | REQUIRED. Legal entity details and organizational metadata. |
| organization_info.organization_name_l10n_id | string | REQUIRED. Localization key referencing the localized organization name in the localization bundle (e.g., authentic_source1.name). |
| organization_info.organization_type | string | REQUIRED. Entity classification: "public" or "private". |
| organization_info.ipa_code | string | REQUIRED only for Public AS. IPA registration code for government entities. |
| organization_info.legal_identifier | string | REQUIRED. Legal registration identifier (Fiscal Code/VAT Number, or equivalent national identifier for foreign entities). |
| organization_info.homepage_uri | string | REQUIRED. URL pointing to the organization's homepage. |
| organization_info.contacts | String Array | REQUIRED. Array of contact email addresses for at least one user-support, one application, and one systems specialist. |
| organization_info.dpa_contact | string | REQUIRED. An e-mail address of Authentic Source DPA. |
| organization_info.policy_uri | string | REQUIRED. URL to privacy policy document. |
| organization_info.tos_uri | string | OPTIONAL. URL to terms of service document. |
| organization_info.organization_country | string | REQUIRED. Two-letter ISO 3166-1 alpha-2 country code of the organization. |
| organization_info.logo_uri | string | OPTIONAL. URL to the organization's logo image. |
| organization_info.logo_uri#integrity | string | CONDITIONAL. Cryptographic digest of the logo image resource for integrity verification. REQUIRED if logo_uri is present. Format: {digest_method}-{digest_value} (e.g., "sha-256-abc123..."). |
| organization_info.logo_alt_text_l10n_id | string | OPTIONAL. Alternative text for the organization's logo image. |
| organization_info.logo_extended_uri | string | OPTIONAL. URL to the organization's extended logo image. |
| organization_info.logo_extended_uri#integrity | string | CONDITIONAL. Cryptographic digest of the extended logo image resource for integrity verification. REQUIRED if logo_extended_uri is present. Format: {digest_method}-{digest_value} (e.g., "sha-256-abc123..."). |
| organization_info.logo_extended_alt_text_l10n_id | string | OPTIONAL. Alternative text for the organization's extended logo image. |
| data_capabilities | JSON Objects Array | REQUIRED. Array containing data capability specifications. |
| data_capabilities[].dataset_id | string | REQUIRED. The unique identifier of the dataset within the scope of the Authentic Source, which MAY be used as a query parameter for the GetAttributeClaims service. |
| data_capabilities[].data_origin_l10n_id | string | REQUIRED. Localization key referencing the human-readable name of the data origin or department providing the data (e.g., authentic_source1.dataset1.origin). |
| data_capabilities[].intended_purposes | String Array | REQUIRED. Business purposes served, using taxonomy purpose identifiers (e.g., ["IDENTITY_VERIFICATION", "DRIVING_RIGHTS_VERIFICATION"]). |
| data_capabilities[].available_claims | String Array | REQUIRED. Claims available from this data capability. |
| data_capabilities[].available_claims.claim_name | string | REQUIRED. Contains the name of the claim. |
| data_capabilities[].available_claims.order | number | REQUIRED. Defines the order in which the information would be shown. |
| data_capabilities[].available_claims.mandatory | boolean | REQUIRED. Defines if a claim is always available or not. |
| data_capabilities[].integration_method | string | REQUIRED. Authorization framework used for data access. MUST be "pdnd". |
| data_capabilities[].integration_endpoint | string | OPTIONAL. Service access point (PDND endpoint). |
| data_capabilities[].api_specification | string | OPTIONAL. URL to OAS3 specification document for this data capability. |
| data_capabilities[].data_provision | JSON object | OPTIONAL. Data provision capabilities and timing specifications. |
| data_capabilities[].data_provision.immediate_flow | boolean | REQUIRED. Indicates if the Authentic Source supports immediate data provision. |
| data_capabilities[].data_provision.deferred_flow | boolean | REQUIRED. Indicates if the Authentic Source supports deferred data provision. |
| data_capabilities[].data_provision.max_response_time_minutes | integer | CONDITIONAL. Maximum time in minutes for the Authentic Source to respond to a deferred data provision request. REQUIRED if deferred_flow is true. |
| data_capabilities[].data_provision.notification_methods | String Array | CONDITIONAL. Array of notification methods supported by the Authentic Source for deferred data provision, such as "push", "poll". REQUIRED if deferred_flow is true. |
| data_capabilities[].user_information_l10n_id | string | OPTIONAL. Localization key referencing a Markdown-formatted string with human-readable information about the data capability relevant to the User (e.g., authentic_source1.dataset1.userinfo). This string MUST be provided by the Authentic Source to the Trust Anchor during onboarding. The Markdown formatting can be plain text or a combination of text and links. For example, if the Authentic Source's database only contains data registered after a specific date, this information MUST be conveyed through this key. |
| data_capabilities[].service_documentation | string | OPTIONAL. URL pointing to the Authentic Source service documentation. |
| data_capabilities[].update_frequency | string | OPTIONAL. Indicates how frequently the Authentic Source updates its data. Possible values: "real_time" (near real-time updates, typically within minutes), "daily", "weekly", "monthly", "on_demand". |
| data_capabilities[].logo_uri | string | OPTIONAL. URL to the logo image related to the data. |
| data_capabilities[].logo_uri#integrity | string | CONDITIONAL. Cryptographic digest of the logo image resource for integrity verification. REQUIRED if logo_uri is present. Format: {digest_method}-{digest_value} (e.g., "sha-256-abc123..."). |
| data_capabilities[].logo_alt_text_l10n_id | string | OPTIONAL. Alternative text for the organization's logo image. |
| data_capabilities[].background_color | string | OPTIONAL. String value of the background color to be displayed together with the data. |
| data_capabilities[].contacts | String Array | OPTIONAL. Array of customer service contacts or user support channels (e.g., email address). |

Note

For further details on the required features and the expected outcome in terms of user experience, see the Section Issuance from the Wallet Instance Catalog for the parameter data_capabilities.user_information and Section Focus on Electronic Attestations of Attributes for the parameters organization_info.logo_uri, organization_info.logo_extended_uri, data_capabilities.logo_uri, data_capabilities.background_color and data_capabilities.available_claims.order.

7.4.3.3. AS Registry Example

A non-normative example of AS Registry structure is given below:

{
    "id": "urn:authentic-sources:it-wallet",
    "version": "1.0.0",
    "last_modified": "2025-03-15T12:00:00Z",
    "localization": {
        "default_locale": "it",
        "available_locales": [
            "en",
            "it"
        ],
        "base_uri": "https://trust-registry.eid-wallet.example.it/.well-known/l10n/authentic-sources/",
        "version": "1.0.0"
    },
    "authentic_sources": [
        {
            "entity_id": "https://motorizzazione.gov.example",
            "organization_info": {
                "contacts": [
                    "registry@motorizzazione.gov.example",
                    "technical-support@motorizzazione.gov.example"
                ],
                "dpa_contact": "dpa@motorizzazione.gov.example",
                "homepage_uri": "https://www.gov.example/transport",
                "ipa_code": "m_inf",
                "legal_identifier": "80192770587",
                "logo_extended_uri": "https://trust-registry.eid-wallet.example.it/logos/m_inf/extended-image.svg",
                "logo_extended_uri#integrity": "sha-256-a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3",
                "logo_uri": "https://trust-registry.eid-wallet.example.it/logos/m_inf/image.svg",
                "logo_uri#integrity": "sha-256-a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3",
                "organization_country": "IT",
                "organization_name": "Ministero dei Trasporti - Direzione generale per la Motorizzazione",
                "organization_name_l10n_id": "authentic_source1.name",
                "organization_type": "public",
                "policy_uri": "https://www.gov.example/transport/privacy-policy",
                "tos_uri": "https://www.gov.example/transport/terms-of-service"
            },
            "data_capabilities": [
                {
                    "api_specification": "https://docs.gov.example/transport/api-oas3.yaml",
                    "available_claims": [
                        {
                            "claim_name": "given_name",
                            "mandatory": true,
                            "order": 1
                        },
                        {
                            "claim_name": "family_name",
                            "mandatory": true,
                            "order": 2
                        },
                        {
                            "claim_name": "birth_date",
                            "mandatory": true,
                            "order": 3
                        },
                        {
                            "claim_name": "birth_place",
                            "mandatory": true,
                            "order": 4
                        },
                        {
                            "claim_name": "issue_date",
                            "mandatory": true,
                            "order": 5
                        },
                        {
                            "claim_name": "document_iss_country",
                            "mandatory": true,
                            "order": 6
                        },
                        {
                            "claim_name": "document_iss_authority",
                            "mandatory": true,
                            "order": 7
                        },
                        {
                            "claim_name": "expiry_date",
                            "mandatory": true,
                            "order": 8
                        },
                        {
                            "claim_name": "document_number",
                            "mandatory": true,
                            "order": 9
                        },
                        {
                            "claim_name": "portrait",
                            "mandatory": true,
                            "order": 10
                        },
                        {
                            "claim_name": "un_distinguishing_sign",
                            "mandatory": true,
                            "order": 11
                        },
                        {
                            "claim_name": "restrictions_conditions",
                            "mandatory": false,
                            "order": 12
                        },
                        {
                            "claim_name": "driving_privileges",
                            "mandatory": true,
                            "order": 13
                        }
                    ],
                    "background_color": "#12107c",
                    "contacts": [
                        "citizen-support@motorizzazione.gov.example"
                    ],
                    "data_origin_l10n_id": "authentic_source1.dataset1.origin",
                    "data_provision": {
                        "deferred_flow": false,
                        "immediate_flow": true
                    },
                    "dataset_id": "38832801",
                    "integration_endpoint": "https://api.gov.example/transport/driving-license",
                    "integration_method": "pdnd",
                    "intended_purposes": [
                        "IDENTITY_VERIFICATION",
                        "PERSON_IDENTIFICATION",
                        "DRIVING_RIGHTS_VERIFICATION",
                        "LAW_ENFORCEMENT_CONTROLS"
                    ],
                    "logo_uri": "https://trust-registry.eid-wallet.example.it/logos/38832801/image.svg",
                    "logo_uri#integrity": "sha-256-b1946ac92492d2347c6235b4d2611184e2a3f8b8c8f8f8e8f8f8f8f8f8f8f8f8",
                    "service_documentation": "https://docs.gov.example/transport/api-docs",
                    "update_frequency": "real_time",
                    "user_information_l10n_id": "authentic_source1.dataset1.userinfo"
                }
            ]
        },
        {
            "entity_id": "https://api.bank.example/auth-source",
            "organization_info": {
                "contacts": [
                    "digital-credentials@bank.example",
                    "api-support@bank.example"
                ],
                "dpa_contact": "dpa@bank.example",
                "homepage_uri": "https://www.bank.example",
                "legal_identifier": "12345678901",
                "logo_extended_uri": "https://trust-registry.eid-wallet.example.it/logos/12345678901/extended-image.svg",
                "logo_extended_uri#integrity": "sha-256-a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3",
                "logo_uri": "https://trust-registry.eid-wallet.example.it/logos/12345678901/image.svg",
                "logo_uri#integrity": "sha-256-a665a45920422f9d417e4867efdc4fb8a04a1f3fff1fa07e998e86f7f7a27ae3",
                "organization_country": "IT",
                "organization_name": "Banca Esempio SpA",
                "organization_name_l10n_id": "authentic_source2.name",
                "organization_type": "private",
                "policy_uri": "https://www.bank.example/privacy-policy",
                "tos_uri": "https://www.bank.example/terms-of-service"
            },
            "data_capabilities": [
                {
                    "api_specification": "https://api.bank.example/docs/psd2-openapi.yaml",
                    "available_claims": [
                        {
                            "claim_name": "given_name",
                            "mandatory": true,
                            "order": 1
                        },
                        {
                            "claim_name": "family_name",
                            "mandatory": true,
                            "order": 2
                        },
                        {
                            "claim_name": "birth_date",
                            "mandatory": false,
                            "order": 3
                        },
                        {
                            "claim_name": "tax_id_code",
                            "mandatory": true,
                            "order": 4
                        },
                        {
                            "claim_name": "account_holder_name",
                            "mandatory": true,
                            "order": 5
                        },
                        {
                            "claim_name": "iban",
                            "mandatory": true,
                            "order": 6
                        },
                        {
                            "claim_name": "account_status",
                            "mandatory": false,
                            "order": 7
                        },
                        {
                            "claim_name": "account_opening_date",
                            "mandatory": false,
                            "order": 8
                        },
                        {
                            "claim_name": "bank_name",
                            "mandatory": true,
                            "order": 9
                        },
                        {
                            "claim_name": "bank_code",
                            "mandatory": true,
                            "order": 10
                        }
                    ],
                    "background_color": "#003366",
                    "contacts": [
                        "digital-credentials@bank.example"
                    ],
                    "data_origin_l10n_id": "authentic_source2.dataset1.origin",
                    "data_provision": {
                        "deferred_flow": false,
                        "immediate_flow": true
                    },
                    "dataset_id": "38854801",
                    "integration_endpoint": "https://api.bank.example/psd2/v1/accounts",
                    "integration_method": "pdnd",
                    "intended_purposes": [
                        "PAYMENT_AUTHORIZATION",
                        "ELIGIBILITY_VERIFICATION"
                    ],
                    "logo_uri": "https://trust-registry.eid-wallet.example.it/logos/38854801/image.svg",
                    "logo_uri#integrity": "sha-256-d8e8fca2dc0f896fd7cb4cb0031ba249e3f8b8c8f8f8e8f8f8f8f8f8f8f8f8f9",
                    "service_documentation": "https://docs.bank.example/psd2-api",
                    "update_frequency": "daily",
                    "user_information_l10n_id": "authentic_source2.dataset1.userinfo"
                },
                {
                    "api_specification": "https://api.bank.example/docs/psd2-openapi.yaml",
                    "available_claims": [
                        {
                            "claim_name": "given_name",
                            "mandatory": true,
                            "order": 1
                        },
                        {
                            "claim_name": "family_name",
                            "mandatory": true,
                            "order": 2
                        },
                        {
                            "claim_name": "tax_id_code",
                            "mandatory": true,
                            "order": 3
                        },
                        {
                            "claim_name": "transaction_history",
                            "mandatory": true,
                            "order": 4
                        },
                        {
                            "claim_name": "average_balance",
                            "mandatory": false,
                            "order": 5
                        },
                        {
                            "claim_name": "credit_score_indicator",
                            "mandatory": false,
                            "order": 6
                        }
                    ],
                    "background_color": "#003366",
                    "contacts": [
                        "digital-credentials@bank.example"
                    ],
                    "data_origin_l10n_id": "authentic_source2.dataset2.origin",
                    "data_provision": {
                        "deferred_flow": true,
                        "immediate_flow": false,
                        "max_response_time_minutes": 1440,
                        "notification_methods": [
                            "push",
                            "poll"
                        ]
                    },
                    "dataset_id": "38854802",
                    "integration_endpoint": "https://api.bank.example/psd2/v1/transactions",
                    "integration_method": "pdnd",
                    "intended_purposes": [
                        "PROOF_OF_PAYMENT",
                        "RECURRING_PAYMENT_MANAGEMENT"
                    ],
                    "logo_uri": "https://trust-registry.eid-wallet.example.it/logos/38854802/image.svg",
                    "logo_uri#integrity": "sha-256-f4a2b7e1dc0f896fd7cb4cb0031ba249e3f8b8c8f8f8e8f8f8f8f8f8f8f8f8fb",
                    "service_documentation": "https://docs.bank.example/psd2-api",
                    "update_frequency": "weekly",
                    "user_information_l10n_id": "authentic_source2.dataset2.userinfo"
                }
            ]
        }
    ]
}
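The conditional rules of Table 7.5 and the #integrity digest format can be checked mechanically before a registry entry or a downloaded logo is trusted. The following is an added example, not code from the IT-Wallet specification: the function names and sample entries are constructed, and hex encoding of the digest value is assumed from the example values above.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Only sha-256 appears on the page. Hex encoding of the digest value is an
# assumption taken from the page's example values; other methods are rejected.
DIGESTS = {"sha-256": hashlib.sha256}


def parse_integrity(value):
    """Split '{digest_method}-{digest_value}'; return (method, hex) or None."""
    if not isinstance(value, str):
        return None
    method, _, digest = value.rpartition("-")
    if method not in DIGESTS:
        return None
    if len(digest) != DIGESTS[method]().digest_size * 2 or any(c not in "0123456789abcdef" for c in digest):
        return None
    return method, digest


def verify_integrity(value, content):
    """True only if `content` hashes to the digest declared in `value`."""
    parsed = parse_integrity(value)
    if parsed is None:
        return False  # a missing or malformed digest never verifies
    method, expected = parsed
    return hmac.compare_digest(DIGESTS[method](content).hexdigest(), expected)


def is_entity_id(value):
    """Match https://{organization_domain}[/{optional_path}] and nothing more."""
    try:
        parts = urlsplit(value) if isinstance(value, str) else None
    except ValueError:
        parts = None
    return bool(parts and parts.scheme == "https" and parts.hostname
                and parts.username is None and not parts.query and not parts.fragment)


def check_logo(obj, key, where, errors):
    """'<key>#integrity' is REQUIRED whenever '<key>' is present."""
    if key not in obj:
        return
    integrity = obj.get(key + "#integrity")
    if integrity is None:
        errors.append(f"{where}.{key}#integrity: required because {key} is present")
    elif parse_integrity(integrity) is None:
        errors.append(f"{where}.{key}#integrity: malformed digest")


def validate_authentic_source(entry):
    """Return violations of the conditional and fixed-value rules of Table 7.5."""
    errors = []
    if not is_entity_id(entry.get("entity_id")):
        errors.append("entity_id: not https://{organization_domain}[/{optional_path}]")
    org = entry.get("organization_info") or {}
    if org.get("organization_type") not in ("public", "private"):
        errors.append("organization_info.organization_type: must be public or private")
    elif org["organization_type"] == "public" and not org.get("ipa_code"):
        errors.append("organization_info.ipa_code: required for a public AS")
    for key in ("logo_uri", "logo_extended_uri"):
        check_logo(org, key, "organization_info", errors)
    for i, cap in enumerate(entry.get("data_capabilities") or []):
        where = f"data_capabilities[{i}]"
        if cap.get("integration_method") != "pdnd":
            errors.append(f"{where}.integration_method: MUST be pdnd")
        check_logo(cap, "logo_uri", where, errors)
        prov = cap.get("data_provision") or {}  # data_provision is OPTIONAL
        if prov.get("deferred_flow") is True:
            minutes = prov.get("max_response_time_minutes")
            if isinstance(minutes, bool) or not isinstance(minutes, int):
                errors.append(f"{where}.data_provision.max_response_time_minutes: required for deferred_flow")
            if not prov.get("notification_methods"):
                errors.append(f"{where}.data_provision.notification_methods: required for deferred_flow")
    return errors


# Constructed sample data for this example (not taken from a real registry).
SAMPLE_LOGO = b"<svg xmlns='http://www.w3.org/2000/svg'/>"
SAMPLE_INTEGRITY = "sha-256-" + hashlib.sha256(SAMPLE_LOGO).hexdigest()
GOOD_ENTRY = {
    "entity_id": "https://motorizzazione.gov.example",
    "organization_info": {"organization_type": "public", "ipa_code": "m_inf",
                          "logo_uri": "https://registry.example/logo.svg",
                          "logo_uri#integrity": SAMPLE_INTEGRITY},
    "data_capabilities": [{"integration_method": "pdnd"}],
}
BAD_ENTRY = {
    "entity_id": "http://bank.example/auth-source?x=1",
    "organization_info": {"organization_type": "public",
                          "logo_uri": "https://registry.example/logo.svg"},
    "data_capabilities": [{"integration_method": "oauth2",
                           "logo_uri": "https://registry.example/d.svg",
                           "logo_uri#integrity": "sha-256-abc123",
                           "data_provision": {"immediate_flow": False, "deferred_flow": True}}],
}
```

validate_authentic_source(BAD_ENTRY) reports seven violations, and verify_integrity is meant to run on the bytes actually fetched from logo_uri before they are displayed.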

Note

To manage the localization of the information contained in the Authentic Source Registry more efficiently, an Entity consulting it SHOULD:

  • Download the basic version of the Authentic Source Registry (compact, without localizations) using the .well-known/authentic-sources endpoint.

  • Determine the User's preferred language.

  • Download only the necessary localization bundles.

  • Dynamically merge localized content with the Authentic Source Registry structure.

A non-normative example of a localization bundle output is given below:

{
  "authentic_source1.name": "Ministero delle infrastrutture e dei trasporti",
  "authentic_source1.dataset1.origin": "MIT -- Direzione Generale per la Motorizzazione",
  "authentic_source1.dataset1.userinfo": "###### Patente di Guida\nSono disponibili le patenti rilasciate dopo il 1° gennaio 2020. Per le patenti più vecchie, contattare l'ufficio motorizzazione locale.",
  "authentic_source2.name": "Banca Esempio SpA",
  "authentic_source2.dataset1.origin": "Esempio origine dei dati 1",
  "authentic_source2.dataset1.userinfo": "###### Informazioni sulla disponibilità dei dati\nL'accesso ai dati finanziari richiede il consenso del cliente ed è soggetto alla normativa PSD2. Le informazioni sui conti sono disponibili solo per i conti attivi.",
  "...": "..."
}

Localization bundles MUST be available at the URI composed by appending the locale code and .json to the localization.base_uri value defined in the registry. Each locale bundle MUST be accessible following the naming pattern {locale_code}.json, where {locale_code} is replaced with the corresponding locale code from the available_locales array.

A non-normative example of the Italian localization URI for the bundle would be https://trust-registry.eid-wallet.example.it/.well-known/l10n/authentic-sources/it.json.
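The consumption steps listed above (choose a locale, build the bundle URI, merge) are sketched below as an added example that is not part of the specification. Function names are constructed, the input is a cut-down copy of the page's example values, and storing each resolved string under the key without its _l10n_id suffix is an assumption of this example.

```python
import re

L10N_SUFFIX = "_l10n_id"
# Shape of a locale code this example accepts before it touches a URI
# (an assumption; the page only shows two-letter codes such as "it").
LOCALE_RE = re.compile(r"^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$")


def pick_locale(localization, preferred):
    """First preferred language the registry publishes, else default_locale."""
    published = {code.lower(): code for code in localization["available_locales"]}
    for tag in preferred:
        if not isinstance(tag, str) or not LOCALE_RE.match(tag):
            continue  # malformed tags never reach URI construction
        for candidate in (tag.lower(), tag.split("-")[0].lower()):
            if candidate in published:
                return published[candidate]
    return localization["default_locale"]


def bundle_uri(localization, locale):
    """localization.base_uri + '{locale_code}.json', for published locales only."""
    if locale not in localization["available_locales"]:
        raise ValueError(f"locale {locale!r} is not listed in available_locales")
    return localization["base_uri"] + locale + ".json"


def localize(node, bundle, missing):
    """Copy `node`, resolving each *_l10n_id key against `bundle`.

    Keys the bundle does not define are collected in `missing` and the
    entry is left without localized text instead of failing the merge.
    """
    if isinstance(node, list):
        return [localize(item, bundle, missing) for item in node]
    if not isinstance(node, dict):
        return node
    out = {key: localize(value, bundle, missing) for key, value in node.items()}
    for key, l10n_id in node.items():
        if not (key.endswith(L10N_SUFFIX) and isinstance(l10n_id, str)):
            continue
        text = bundle.get(l10n_id)
        if isinstance(text, str):
            out[key[:-len(L10N_SUFFIX)]] = text  # e.g. organization_name
        else:
            missing.append(l10n_id)
    return out


def localized_sources(registry, bundle):
    """Return (localized authentic_sources, l10n keys the bundle lacked)."""
    missing = []
    return localize(registry["authentic_sources"], bundle, missing), missing


# Constructed input: a cut-down registry using the page's example values.
REGISTRY = {
    "localization": {
        "default_locale": "it",
        "available_locales": ["en", "it"],
        "base_uri": "https://trust-registry.eid-wallet.example.it/.well-known/l10n/authentic-sources/",
    },
    "authentic_sources": [{
        "entity_id": "https://motorizzazione.gov.example",
        "organization_info": {"organization_name_l10n_id": "authentic_source1.name"},
        "data_capabilities": [{
            "dataset_id": "38832801",
            "data_origin_l10n_id": "authentic_source1.dataset1.origin",
            "user_information_l10n_id": "authentic_source1.dataset1.userinfo",
        }],
    }],
}
# Part of the page's Italian bundle; the userinfo key is left out on purpose.
BUNDLE_IT = {
    "authentic_source1.name": "Ministero delle infrastrutture e dei trasporti",
    "authentic_source1.dataset1.origin": "MIT -- Direzione Generale per la Motorizzazione",
}
```

The user_information strings are Markdown supplied by a third party, so a consumer should render them with a renderer that does not pass raw HTML through.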

7.4.4. AS-CI Coordination

Following AS registration, the AS Registry enables Credential Issuers to discover suitable AS entities and request integration approval. This coordination process is detailed in Authentic Source to Credential Issuer Authorization Process.

7.5. Federation Registry

The Federation Registry provides the cryptographic trust infrastructure for all IT-Wallet ecosystem participants. The Federation Registry maintains the authoritative list of trusted entities and their operational status using federation-specific endpoints as defined in Federation API endpoints.

7.5.1. Registry Integration Role

Within the IT-Wallet System Register architecture, the Federation Registry serves as the trust validation layer for:

  1. Entity Authentication: Validates the cryptographic identity of all participants before registry operations

  2. Trust Chain Verification: Provides the cryptographic foundation for validating Credential Issuer, Relying Party, and Wallet Provider entities

  3. Compliance Verification: Maintains Trust Marks that attest regulatory compliance and operational status

7.5.2. Federation Registry Access

Federation Registry operations are accessed through the Trust Anchor's federation endpoints as detailed in Federation API endpoints. The registry discovery architecture provides federation endpoint information via the registry discovery endpoint described in Registry Discovery Endpoint.

Note

Federation endpoints are available through both the registry discovery mechanism (for unified registry access) and the Trust Anchor's Entity Configuration at .well-known/openid-federation (for federation-specific operations). Both sources provide the same endpoint URLs but serve different discovery patterns: registry discovery for initial ecosystem orientation, Entity Configuration for standard OpenID Federation 1.0 compliance.

For complete technical specifications of federation protocols, entity configurations, trust evaluation mechanisms, and trust chain validation, see The Infrastructure of Trust.

7.6. Digital Credentials Catalog

The Digital Credentials Catalog is the registry of all available Digital Credentials recognized within the IT-Wallet ecosystem. It is published by the Trust Anchor and publicly available to all Entities through a specialized Federation endpoint. It acts as a single reference point for all actors involved in the process of issuing, verifying and using Digital Credentials.

The Digital Credential Catalog aims to:

  1. Facilitate Digital Credential discovery for Users.

  2. Standardize the technical and functional description of Digital Credentials.

  3. Enable interoperability between different Issuers and Relying Parties.

  4. Simplify the integration process for Wallet Providers and Relying Parties.

  5. Ensure trust in the ecosystem through verifiable and trustworthy information.

  6. Provide transparency on the ecosystem of available Digital Credentials.

The main Entities involved in the Digital Credential Catalog are:

  • Trust Anchor: It manages and maintains the Digital Credential Catalog, guaranteeing its authenticity and integrity.

  • Supervisory Body: It interacts with the Trust Anchor and the Digital Credential Catalog to monitor the registration phase ensuring security and privacy according to national/European regulations, keeping all the information reliable and updated.

  • Digital Credential Issuers: The entities authorized to issue Digital Credentials, registering them in the Catalog.

  • Relying Parties: They use the Digital Credential Catalog to gather all the information needed about the Digital Credentials they intend to request during the presentation phase.

  • Wallet Providers: They access the Digital Credential Catalog to identify the available Digital Credentials and to retrieve all necessary information for integrating them into their Wallet Solutions.

  • Users: The Users who indirectly use the Digital Credentials Catalog through their Wallet Instances to discover and request Digital Credentials.

  • Authentic Sources: The Entities that hold the original data that is attested in the Digital Credentials. They provide support to Issuers in registering the Digital Credentials in the Catalog.

The figure illustrates the Digital Credential Entities.

Fig. 7.1 Entity-Relationship diagram of Digital Credential Catalog.

The following table summarizes the main information that MUST be provided by the Digital Credential Catalog:

Table 7.6 Digital Credential Catalog - Main information

Information related to

Description

Digital Credential Metadata

Essential identifying information and characteristics of the Digital Credential, including:

  • Credential Unique identifier: A unique identifier string of each Digital Credential.

  • User authentication methods: User authentication mechanisms used to request the Digital Credential, if required by Issuers or Authentic Sources.

  • Minimum Level of Assurance: The minimum Level of Assurance required for the Digital Credential's reliability. It MUST take into account the Level of Assurance of User authentication, when applicable, and Wallet Instance.

Digital Credential Issuers

Details about the organization authorized to issue the Digital Credential, such as:

  • Issuer identifiers: Unique identifier for the Digital Credential issuer.

  • Issuer type: Classification as PID, (Q)EAA, or Pub-EAA Provider.

  • Additional information: Organizational details including name, code, and contact information.

Authentic Sources

Information about the authoritative data source.

Technical Specification

Technical details, including:

  • Digital Credential schemes: Framework and structure specifications.

  • Digital Credential formats: Data format and encoding standards.

  • Authentication policy: Methods and requirements for verification.

Terms of Use

Conditions and limitations for Digital Credential usage, such as:

  • Credential validity: Time period during which the Digital Credential is valid and, when applicable, mechanisms and technical details for invalidating Digital Credentials (revocation/suspension methods).

  • Restriction policy: If applicable, rules governing the Digital Credential's use and limitations according to national regulations. It is used, for example, to specify if only specific legal type Entities, for example Pub-EAA Provider and public Wallet Solutions, are allowed to issue and obtain the Digital Credential.

  • Pricing policy: Information related to the pricing models of the Digital Credential, such as free, issuance_based, verification_based.

  • Digital Credential purposes: Information related to the allowed purposes for which the Digital Credential can be used. Each Digital Credential type can be used for multiple purposes.

The Trust Anchor MUST publish and keep up to date all the information at the Digital Credential Catalog .well-known endpoint ensuring data reliability, authenticity and integrity. In particular, the Digital Credential Catalog MUST be available through the .well-known/credential-catalog endpoint. It MUST support application/jose as content-type.

A non-normative example is given below.

GET /.well-known/credential-catalog HTTP/1.1
Host: trust-anchor.eid-wallet.example.it
Accept: application/jose

HTTP/1.1 200 OK
Content-Type: application/jose

eyJhbGciOiJSUzI1NiIsImtpZCI6ImV4YW1w...

The section Digital Credentials Catalog Structure gives an example of the Digital Credentials Catalog decoded as JSON.

7.6.1. Digital Credentials Hierarchy

Digital Credentials recognized within the IT-Wallet ecosystem are classified and standardized according to the following multi-level hierarchical model designed to improve semantic clarity, credential discovery, and compatibility with both credential-specific and claim-based verification workflows.

The hierarchy is defined as follows:

Domain

A Domain represents a high-level thematic area grouping Credential families that relate to the same broad context (e.g., Identity, Health, Education, Mobility). Domains provide a top-level organizational layer.

Credential Class

A Credential Class represents a family of Credentials sharing similar nature, function, or structure (e.g., Identification Documents, Civil Status Certificates).

Each Class SHOULD define:

  • a stable Class identifier (URI),

  • the expected semantics of the Credential Family.

Classes enable Relying Parties and Wallet Solutions to request or match Credentials based on their type category.

Credential Type

A Credential Type represents a specific Credential within a Class (e.g. Digital Travel Credential, Birth Certificate, Mobile Driving License). Each Credential Type MUST include:

  • a unique identifier,

  • the Credential Issuer identifier,

  • the set of Attributes that may be included in presentations.

Credential Types enable precise targeting for compliance-driven or regulation-mandated verification flows.

Purpose (Verification Intent)

A Purpose (Verification Intent) describes why a credential may be requested by a Relying Party (e.g., Identity Verification, Age Verification, Eligibility for specific services). Purposes MUST describe verification outcomes. Each Credential Type MUST declare its Domain, Class, and supported Purposes.

The following tables provide non-exhaustive examples illustrating the relationships between Domains, Credential Classes, and Credential Types, followed by their mapping to verification Purposes. Additional Domains, Classes, specific Credentials, and verification Purposes MAY be added over time as the IT-Wallet ecosystem evolves.

Table 7.7 Digital Credential Taxonomy: Hierarchy and Classification

Domain: IDENTITY

Description: Credentials that establish or confirm a person's legal identity and personal, civil or legal status.

Credential Class:

  • Identification Documents

  • Civil Registry and Personal Status Certificates

  • Economic and Legal Status

Credential Type:

  • Digital Travel Credential

  • Mobile Driving License (Italy only)

  • Tax Code / Health Insurance Card

  • Age Certification

  • Birth Certificate

  • Residence Certificate

  • Family Status Certificate

  • Marriage Certificate

  • Citizenship Certificate

  • ISEE (Equivalent Economic Situation Indicator)

  • Residence Permit

  • Certificate of Pending Charges

  • Criminal Record Certificate

Domain: HOME AND FAMILY

Description: Credentials that attest household composition, residence, and housing-related legal or fiscal relationships.

Credential Class:

  • Property and Cadastral Documents

  • Family Documents

  • Local Tax Documents

Credential Type:

  • Deed of Sale

  • Cadastral Survey

  • Cadastral Floor Plan

  • Cadastral Certificate

  • Children's Tax Code / Health Card

  • Birth Certificate

  • Family Status Certificate

  • IMU (Property Tax)

  • TARI (Waste Tax)

Domain: EDUCATION

Description: Credentials that attest educational achievements, academic qualifications, and professional training.

Credential Class:

  • Educational Qualifications

  • Professional Certifications

Credential Type:

  • Lower Secondary School Diploma

  • Upper Secondary School Diploma

  • Bachelor's Degree

  • Master's Degree

  • University Master

  • PhD

  • Professional Licenses (e.g. architect, lawyer)

  • Vocational Training Certificates

  • Language Certifications (e.g. IELTS)

  • Academic Qualifications (e.g. Europass)

Domain: HEALTH

Description: Credentials related to healthcare coverage, medical status, and health-related certifications.

Credential Class:

  • Certifications and Eligibility

  • Medical Records

Credential Type:

  • Health Insurance Card (TEAM)

  • European Health Card (CED)

  • Disability Certificate

  • Vaccination Certificate

  • Sports Fitness Certificate

  • Work Fitness Certificate

  • Medical Prescriptions

  • Digital Medical Report

Domain: FINANCIAL

Description: Credentials related to payment instruments, financial authorizations, and proof of payments.

Credential Class:

  • Payment Instruments

  • Payment Credentials and Authorisations

  • Public Payments and Fees

  • Recurring Payments and Subscriptions

Credential Type:

  • Digital Payment Card (debit / credit / prepaid)

  • Virtual Card

  • Bank Account (IBAN)

  • Strong Customer Authentication (SCA) Credential

  • Payment Receipt

  • Digital Stamp Duty (Bollo digitale)

  • Tax and Fee Payment Certificate

  • Subscription Mandate

  • Recurring Payment Credential

Domain: CULTURE AND LEISURE

Description: Credentials that attest membership, affiliation, or participation in cultural or recreational programs.

Credential Class:

  • Cultural Cards and Benefits

  • Membership and Loyalty Programs

Credential Type:

  • Culture Card

  • Annual Museum Passes

  • Cinema Card

  • Museum Card

  • Association Membership Cards

  • Library Card

  • City Pass

Domain: EMPLOYMENT

Description: Credentials that attest employment relationships, professional status, and contribution records.

Credential Class:

  • Employment Documents

  • Employment Status

  • Employment Affiliation

Credential Type:

  • Digital Employment Contract

  • Curriculum Vitae (CV)

  • Residence Permit

  • Employment Status Certificate

  • INPS Contribution Record

  • Physical Access Badge

Domain: MOBILITY AND TRAVEL

Description: Credentials that attest mobility rights, vehicle-related status, and travel-related entitlements.

Credential Class:

  • Licenses and Authorizations

  • Vehicle Documents

  • Transport Subscriptions

  • Travel Documents

  • Travel Insurance

  • Bookings

  • Discounts and Benefits

Credential Type:

  • Mobile Driving License

  • Boating License

  • Vehicle Registration Certificate

  • Digital RCA Insurance

  • Vehicle Inspection Certificate

  • Green Card / International Insurance

  • Public Transport Pass

  • Road Charging Subscription

  • Digital Travel Credential

  • Travel Tickets (air, train, etc.)

  • Travel Insurance Policy

  • Hotel Reservation

  • Discount Cards

  • Tourist Benefits

Domain: BONUSES

Description: Credentials that attest entitlement to economic benefits, incentives, or vouchers.

Credential Class:

  • Economic Benefits and Allowances

  • Incentives and Vouchers

  • Health and Wellbeing Bonuses

Credential Type:

  • Family Allowance Credential

  • Unemployment Benefit Credential

  • Digital Voucher

  • Purchase Incentive Credential

  • Cashback Eligibility Credential

  • Healthcare Bonus Credential

  • Mental Health Support Voucher

  • Sports and Physical Activity Bonus

Table 7.8 Mapping between Credential Classes and Purposes

Credential Class

Supported Purposes

Identification Documents

  • Identity verification

  • Age verification

  • Person identification

Civil Registry and Personal Status Certificates

  • Civil status verification

  • Right of residence

  • Household composition verification

Economic and Legal Status

  • Eligibility for services or benefits

  • Legal status verification

  • Criminal record check

Property and Cadastral Documents

  • Residence and household verification

  • Property ownership verification

  • Real estate compliance

Family Documents

  • Household composition verification

  • Eligibility for family-based social services

Local Tax Documents

  • Compliance with local tax obligations

  • Verification of property tax status

Educational Qualifications

  • Qualification and degree verification

  • Eligibility for education pathways

Professional Certifications

  • Professional license verification

  • Skills assessment for work

Certifications and Eligibility

  • Verification of vaccination status

  • Verification of fitness status

  • Access to health-restricted areas

Medical Records

  • Access to healthcare services

  • Sharing of medical records

  • Medical history validation

Payment Instruments

  • Payment authorization

  • Payment execution

  • Proof of payment

Payment Credentials and Authorisations

  • Management of financial authorizations

  • Strong Customer Authentication (SCA)

Public Payments and Fees

  • Proof of tax payment

  • Proof of fee payment

  • Digital stamp duty validation

Recurring Payments and Subscriptions

  • Management of recurring payments

  • Subscription mandate verification

Cultural Cards and Benefits

  • Access to cultural services

  • Access to leisure services

  • Application of member discounts

Membership and Loyalty Programs

  • Verification of affiliation

  • Verification of participation

  • Use of loyalty benefits

Employment Documents

  • Employment status verification

  • Professional profile validation

Employment Status

  • Verification of contribution records

  • Eligibility for employment-related benefits

Licenses and Authorizations

  • Driving rights verification

  • Navigation rights verification

  • Law enforcement controls

Vehicle Documents

  • Vehicle registration verification

  • Vehicle inspection verification

  • Insurance status check

Transport Subscriptions

  • Access to transport services

  • Public transport pass verification

Travel Documents

  • Right to travel or circulate

  • Cross-border mobility identity check

Travel Insurance and Bookings

  • Verification of travel insurance coverage

  • Accommodation reservation check

  • Transport reservation check

Discounts and Benefits

  • Application of member discounts

  • Access to tourist benefits

Economic Benefits and Allowances

  • Eligibility verification for family benefits

  • Eligibility verification for unemployment benefits

  • Allocation of economic support

Incentives and Vouchers

  • Use of digital vouchers

  • Use of purchase incentives

  • Cashback eligibility verification

Health and Wellbeing Bonuses

  • Access to healthcare bonuses

  • Use of mental health vouchers

  • Use of sports vouchers

Employment Affiliation

  • Access permit verification

Each Credential MUST specify domains, classes and purposes to enable both Credential-Specific Scenarios and Credential-Agnostic Scenarios according to Relying Party's requirements and presentation request patterns, as defined in the mapping tables above.

  1. Credential-Specific Scenarios (Primary for Government/Regulated Sectors): RPs request specific Credential types for compliance and audit requirements, including for example:

  • Government Services: "credential_type":"pid" for PID-specific identity verification.

  • Police Controls: "credential_type":"mDL" for driving license verification.

  • Banking KYC: Specific credential types mandated by financial regulations.

  • Healthcare Services: "credential_type":"european_disability_card" for EU-compliant disability benefit access.

  2. Credential-Agnostic Scenarios (Typical for Private Business): RPs request specific claims regardless of Credential source for operational efficiency, such as:

  • E-commerce Delivery: Any credential, among those the RP is authorized to access, containing given_name, family_name, address for shipping.

  • Subscriptions: Any credential, among those the RP is authorized to access, with given_name, email for personalization.

  • Service Personalization: Business applications requiring basic personal data without strong source requirements.

This approach allows:

  • Policy-based authorization by using Domain / Class / Credential Type / Purpose mappings.

  • Flexible RP registration supporting both government compliance needs and business operational requirements.

7.6.2. Digital Credentials Catalog Structure

The content of the Digital Credentials Catalog is secured in a JWS that contains the following JOSE header parameters:

JOSE header

Description

Reference

typ

REQUIRED. It MUST be set to JOSE.

[RFC 7515 Section 4.1.9].

alg

REQUIRED. A digital signature algorithm identifier as registered in the IANA "JSON Web Signature and Encryption Algorithms" registry. It MUST be one of the supported algorithms in Section Cryptographic Algorithms and MUST NOT be set to none or to a symmetric algorithm (MAC) identifier.

[RFC 7515 Section 4.1.1].

kid

REQUIRED. Unique identifier of the public key.

[RFC 7515 Section 4.1.4].

x5c

OPTIONAL. Contains the X.509 public key Certificate or Certificate chain [RFC 5280] corresponding to the key used to digitally sign the JWS. When the kid header parameter is present, its value MUST refer to the same cryptographic public key as the leaf X.509 Certificate.

[RFC 7515 Section 4.1.6.].

cty

REQUIRED. It MUST be set to application/json.

[RFC 7515 Section 4.1.6.].

The JWS payload contains the following parameters:

Table 7.9 First-level Fields of the Digital Credentials Catalog

Field Name

Description

id

REQUIRED. Unique identifier of the Digital Credentials Catalog (e.g., urn:credential-catalog:it-wallet).

version

REQUIRED. Version of the Digital Credential Catalog format.

last_modified

REQUIRED. Timestamp of the last modification to the Digital Credential Catalog.

iss

REQUIRED. Issuer identifier of the Digital Credential Catalog.

credentials

REQUIRED. Array containing Digital Credential definitions.

Each element of the credentials array contains at least the following information:

Table 7.10 First-level Fields of Each Credential Entry

Field Name

Description

version

REQUIRED. Version of the Digital Credential definition.

credential_type

REQUIRED. Unique identifier of the Digital Credential type. For PID it MUST be pid.

credential_name_l10n_id

REQUIRED. Localization key referencing the human-readable name of the Digital Credential in the localization bundle (e.g., mDL.name).

legal_type

REQUIRED. Legal classification of the Credential (e.g., pub-eaa, qeaa, eaa).

restriction_policy

OPTIONAL. Legal restrictions on Wallet Solutions and/or Credential Issuers allowed to request/issue the Digital Credential.

  • allowed_wallet_ids: List of allowed Wallet Solutions identifiers.

  • allowed_issuer_ids: List of allowed Credential Issuers identifiers. If present, it represents a whitelist of Credential Issuers that may be added by the Trust Anchor in the issuers field of the corresponding Digital Credential.

  • presentation_flows: Type of presentation flows supported; remote and/or proximity flow.

pricing_policy

OPTIONAL. Information about Digital Credential pricing, including:

  • models: REQUIRED. Array of pricing models applicable to the Digital Credential, each containing

    • pricing_type: Type of pricing model, such as issuance_based, verification_based, subscription_based, other.

    • price: Cost associated with the model.

    • currency: Currency of the price.

  • pricing_model_uri: URI to the detailed pricing model documentation.

validity_info

Information about Digital Credential validity, including at least:

  • max_validity_days: Maximum validity period in days.

  • status_methods: Supported status verification methods (e.g. status_list).

  • allowed_states: Array of objects representing allowed Digital Credential states. Each object contains a hex status code (e.g., 0x00 for VALID, 0x01 for INVALID, 0x02 for SUSPENDED, 0x03 for UPDATE, 0x0F for ATTRIBUTE_UPDATE), a title_l10n_id localization key, and a description_l10n_id localization key for UI display.

  • administrative_expiration_user_info: OPTIONAL. Object containing title_l10n_id and description_l10n_id keys for displaying administrative expiration information to the User.

authentication

REQUIRED. Digital Credential authentication requirements.

  • user_auth_required: REQUIRED. Flag indicating if User authentication is required during the issuance of the Digital Credential.

  • min_loa: REQUIRED. Minimum Level of Assurance required for Digital Credential authentication. It MUST include the Level of Assurance of the User authentication and the Wallet Instance requesting the Digital Credential.

  • supported_schemes: REQUIRED if user_auth_required is true. Supported digital identity authentication schemes (e.g., ["it-wallet"]).

domains

REQUIRED. Array of domains to which the Digital Credential belongs, such as:

  • id: Unique identifier for the domain (e.g., "IDENTITY", "MOBILITY_TRAVEL").

classes

REQUIRED. Array of classes to which the Digital Credential belongs, such as:

  • id: Unique identifier for the class (e.g., "IDENTIFICATION_DOCUMENTS", "LICENSES_AUTHORIZATIONS").

purposes

REQUIRED. Array of usage purposes for which the Digital Credential can be used, defining specific usage contexts and required claims for each purpose, such as:

  • id: Unique identifier for the purpose, referencing a purpose defined in the Taxonomy (e.g., "IDENTITY_VERIFICATION", "AGE_VERIFICATION", "DRIVING_RIGHTS_VERIFICATION").

issuers

REQUIRED. Array of relevant information about authorized Credential Issuers, including administrative and technical data such as Organization name, a reference to the API specification document and supported issuance mechanisms (for example the deferred flow support).

authentic_sources

REQUIRED. Array of Authentic Source JSON objects referencing authorized Authentic Sources. Each object MUST contain the AS entity identifier and the specific data capability identifier:

  • id: String identifier referencing the Authentic Source entity_id as registered in the Authentic Source Registry.

  • dataset_id: String identifier of the specific data capability/dataset used by the Issuer from the AS.

Note

The combination of credential_type and version MUST be unique in the Credential Catalog.

The corresponding example of Digital Credentials Catalog as decoded in JSON for both header and payload is the following:

{
    "typ":"JOSE",
    "alg":"ES256",
    "kid":"e9bc097a-ce51-4036-9562-d2ade882db0d",
    "cty":"application/json"
}
{
    "id": "urn:credential-catalog:it-wallet",
    "version": "1.0.0",
    "last_modified": "2025-03-15T12:00:00Z",
    "iss": "https://trust-registry.eid-wallet.example.it",
    "credentials": [
        {
            "version": "1",
            "credential_type": "mDL",
            "credential_name_l10n_id": "mDL.name",
            "legal_type": "pub-eaa",
            "restriction_policy": {
                "allowed_wallet_ids": [
                    "https://wallet-provider.example.org/wallet_solution",
                    "https://wallet-provider2.example.org/wallet_solution"
                ],
                "allowed_issuer_ids": [
                    "https://issuer.example.org"
                ],
                "presentation_flows": {
                    "remote": true,
                    "proximity": true
                }
            },
            "pricing_policy": {
                "models": [
                    {
                        "pricing_type": "verification_based",
                        "price": 0.01,
                        "currency": "EUR"
                    }
                ],
                "pricing_model_uri": "https://example.com/pricing"
            },
            "validity_info": {
                "max_validity_days": 365,
                "status_methods": [
                    "status_list"
                ],
                "administrative_expiration_user_info": {
                    "title_l10n_id": "mDL.administrative_expiration_user_info.title",
                    "description_l10n_id": "mDL.administrative_expiration_user_info.description"
                },
                "allowed_states": [
                    {
                        "0x00": "VALID",
                        "title_l10n_id": "mDL.VALID.title",
                        "description_l10n_id": "mDL.VALID.description"
                    },
                    {
                        "0x01": "INVALID",
                        "title_l10n_id": "mDL.INVALID.title",
                        "description_l10n_id": "mDL.INVALID.description"
                    },
                    {
                        "0x02": "SUSPENDED",
                        "title_l10n_id": "mDL.SUSPENDED.title",
                        "description_l10n_id": "mDL.SUSPENDED.description"
                    },
                    {
                        "0x03": "UPDATE",
                        "title_l10n_id": "mDL.UPDATE.title",
                        "description_l10n_id": "mDL.UPDATE.description"
                    },
                    {
                        "0x0F": "ATTRIBUTE_UPDATE",
                        "title_l10n_id": "mDL.ATTRIBUTE_UPDATE.title",
                        "description_l10n_id": "mDL.ATTRIBUTE_UPDATE.description"
                    }
                ]
            },
            "authentication": {
                "user_auth_required": true,
                "min_loa": "high",
                "supported_schemes": [
                    "it-wallet"
                ]
            },
            "domains": [
                {
                    "id": "IDENTITY"
                },
                {
                    "id": "MOBILITY_TRAVEL"
                }
            ],
            "classes": [
                {
                    "id": "IDENTIFICATION_DOCUMENTS"
                },
                {
                    "id": "LICENSES_AUTHORIZATIONS"
                }
            ],
            "purposes": [
                {
                    "id": "IDENTITY_VERIFICATION"
                },
                {
                    "id": "AGE_VERIFICATION"
                },
                {
                    "id": "DRIVING_RIGHTS"
                }
            ],
            "issuers": [
                {
                    "id": "https://issuer.example.org",
                    "organization_name_l10n_id": "mDL.issuer1.name",
                    "organization_code": "ci_example_it",
                    "organization_country": "IT",
                    "contacts": [
                        "mailto:informazioni@example.it",
                        "mailto:protocollo@pec.example.it"
                    ],
                    "legal_type": "pub-eaa",
                    "homepage_uri": "https://issuer.example.org",
                    "logo_uri": "https://issuer.example.org/logo.svg",
                    "policy_uri": "https://issuer.example.org/privacy",
                    "tos_uri": "https://issuer.example.org/terms",
                    "service_documentation": "https://issuer.example.org/.well-known/service-doc",
                    "issuance_flows": {
                        "deferred_flow": true,
                        "max_deferred_issuance_time_minutes": 1440,
                        "notification_methods": [
                            "push",
                            "polling"
                        ]
                    }
                }
            ],
            "authentic_sources": [
                {
                    "id": "https://motorizzazione.gov.example",
                    "dataset_id": "38832801"
                }
            ]
        }
    ]
}
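
A consumer of the catalog can enforce the header and payload rules above in a fixed order: header policy first, then the signature, then the payload structure. The following Python code is an added example, not part of the specification; the algorithm allow-list, the verify_signature callback (to be backed by a JOSE library and the Trust Anchor key) and the sample token are assumptions constructed for illustration.

```python
import base64
import json

# Assumption: stand-in for the allow-list of the "Cryptographic Algorithms"
# section, which is not reproduced here.
ALLOWED_ALGS = {"ES256", "ES384", "ES512"}
CATALOG_REQUIRED = ("id", "version", "last_modified", "iss", "credentials")
ENTRY_REQUIRED = ("version", "credential_type", "credential_name_l10n_id",
                  "legal_type", "authentication", "domains", "classes",
                  "purposes", "issuers", "authentic_sources")

def b64url_decode(segment):
    """Decode an unpadded base64url segment of a compact JWS."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def check_header(header):
    """Return the violations of the JOSE header table (empty list if none)."""
    errors = []
    if header.get("typ") != "JOSE":
        errors.append("typ MUST be JOSE")
    alg = header.get("alg")
    if not isinstance(alg, str) or alg.lower() == "none" or alg.upper().startswith("HS"):
        errors.append("alg MUST NOT be none or a MAC algorithm")
    elif alg not in ALLOWED_ALGS:
        errors.append("alg is not in the allow-list")
    if not isinstance(header.get("kid"), str) or not header["kid"]:
        errors.append("kid is REQUIRED")
    if header.get("cty") != "application/json":
        errors.append("cty MUST be application/json")
    return errors

def check_payload(payload):
    """Check Tables 7.9 and 7.10: required fields, uniqueness, authentication."""
    errors = ["catalog: missing " + f for f in CATALOG_REQUIRED if f not in payload]
    seen = set()
    for index, entry in enumerate(payload.get("credentials", [])):
        where = "credentials[%d]" % index
        errors += ["%s: missing %s" % (where, f) for f in ENTRY_REQUIRED if f not in entry]
        key = (entry.get("credential_type"), entry.get("version"))
        if key in seen:
            errors.append("%s: duplicate credential_type/version" % where)
        seen.add(key)
        auth = entry.get("authentication", {})
        errors += ["%s: authentication missing %s" % (where, f)
                   for f in ("user_auth_required", "min_loa") if f not in auth]
        if auth.get("user_auth_required") is True and not auth.get("supported_schemes"):
            errors.append("%s: supported_schemes missing" % where)
    return errors

def validate_catalog_jws(token, verify_signature):
    """Header policy, then signature, then payload; returns a list of errors."""
    # verify_signature(header, signing_input, signature) -> bool is supplied
    # by the caller (a JOSE library using the Trust Anchor key that kid names).
    parts = token.split(".")
    if len(parts) != 3:
        return ["not a compact JWS"]
    try:
        header = json.loads(b64url_decode(parts[0]))
        signature = b64url_decode(parts[2])
        signing_input = (parts[0] + "." + parts[1]).encode("ascii")
        if not isinstance(header, dict):
            raise ValueError("header is not a JSON object")
    except ValueError:
        return ["malformed JWS"]
    errors = check_header(header)
    if errors:
        return errors  # a rejected header never reaches the verifier
    if not verify_signature(header, signing_input, signature):
        return ["signature verification failed"]
    try:
        payload = json.loads(b64url_decode(parts[1]))
    except ValueError:
        return ["payload is not JSON"]
    return check_payload(payload) if isinstance(payload, dict) else ["payload is not a JSON object"]

def make_token(header, payload):
    """Build a constructed sample token; the signature bytes are a placeholder."""
    segments = [json.dumps(obj).encode("utf-8") for obj in (header, payload)]
    return ".".join(b64url_encode(s) for s in segments + [b"constructed"])

# Constructed sample data, trimmed from the catalog example above.
SAMPLE_HEADER = {"typ": "JOSE", "alg": "ES256", "cty": "application/json",
                 "kid": "e9bc097a-ce51-4036-9562-d2ade882db0d"}
SAMPLE_ENTRY = {
    "version": "1", "credential_type": "mDL", "legal_type": "pub-eaa",
    "credential_name_l10n_id": "mDL.name", "domains": [{"id": "MOBILITY_TRAVEL"}],
    "classes": [{"id": "LICENSES_AUTHORIZATIONS"}],
    "purposes": [{"id": "DRIVING_RIGHTS_VERIFICATION"}],
    "authentication": {"user_auth_required": True, "min_loa": "high",
                       "supported_schemes": ["it-wallet"]},
    "issuers": [{"id": "https://issuer.example.org"}],
    "authentic_sources": [{"id": "https://motorizzazione.gov.example", "dataset_id": "38832801"}],
}
SAMPLE_PAYLOAD = {"id": "urn:credential-catalog:it-wallet", "version": "1.0.0",
                  "last_modified": "2025-03-15T12:00:00Z", "credentials": [SAMPLE_ENTRY],
                  "iss": "https://trust-registry.eid-wallet.example.it"}
```

The payload is decoded only after verify_signature returns true, so a catalog with a none or HS* header is rejected before any key material is touched.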

Note

To manage the localization of the information contained in the Digital Credentials Catalog efficiently, an Entity consulting it SHOULD:

  • Download the basic version of the Digital Credentials Catalog (compact, without localizations) using the .well-known/credential-catalog endpoint.

  • Determine the User's preferred language.

  • Download only the necessary localization bundles.

  • Dynamically merge localised content with the Digital Credentials Catalog structure.

A non-normative example of a localization bundle output is given below:

{
  "mDL.name": "Patente di Guida",
  "mDL.issuer1.name": "Esempio di Credential Issuer",
  "...": "..."
}

Localization bundles MUST be available at the URI composed by appending the locale code and .json to the localization.base_uri value defined in the catalog. Each locale bundle MUST be accessible following the naming pattern {locale_code}.json, where {locale_code} is replaced with the corresponding locale code from the available_locales array.

A non-normative example of the Italian localization URI for the bundle would be https://trust-registry.eid-wallet.example.it/.well-known/l10n/credential-catalog/it.json.
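
The four localization steps above, carried through on one catalog entry, as an added Python example that is not part of the specification. It assumes the catalog's localization object has the same shape as the Taxonomy's (default_locale, available_locales, base_uri), and that merging means adding a sibling key without the _l10n_id suffix; both are assumptions, and the sample data is constructed from values on this page.

```python
def pick_locale(localization, preferred):
    """Return the first of the User's preferred languages that has a bundle."""
    available = localization["available_locales"]
    for tag in preferred:
        for candidate in (tag, tag.split("-")[0]):
            if candidate in available:
                return candidate
    return localization["default_locale"]


def bundle_uri(localization, locale):
    """Compose base_uri + locale + ".json" for a locale the catalog lists.

    Checking the locale against available_locales keeps caller-supplied
    language tags from altering the path of the request.
    """
    if locale not in localization["available_locales"]:
        raise ValueError("locale not listed in available_locales: %r" % locale)
    return localization["base_uri"] + locale + ".json"


def merge_l10n(node, bundle, missing):
    """Return a copy of node with a resolved sibling for every *_l10n_id key.

    Keys absent from the bundle (or mapped to non-string values) are collected
    in `missing` and left unresolved instead of being rendered.
    """
    if isinstance(node, list):
        return [merge_l10n(item, bundle, missing) for item in node]
    if not isinstance(node, dict):
        return node
    merged = {}
    for key, value in node.items():
        merged[key] = merge_l10n(value, bundle, missing)
        if key.endswith("_l10n_id") and isinstance(value, str):
            text = bundle.get(value)
            if isinstance(text, str):
                merged[key[:-len("_l10n_id")]] = text
            else:
                missing.append(value)
    return merged


# Constructed sample data (assumed localization object, trimmed entry, bundle).
LOCALIZATION = {
    "default_locale": "it",
    "available_locales": ["en", "it"],
    "base_uri": "https://trust-registry.eid-wallet.example.it/.well-known/l10n/credential-catalog/",
}
ENTRY = {
    "credential_type": "mDL",
    "credential_name_l10n_id": "mDL.name",
    "validity_info": {"allowed_states": [{"0x00": "VALID", "title_l10n_id": "mDL.VALID.title"}]},
    "issuers": [{"id": "https://issuer.example.org",
                 "organization_name_l10n_id": "mDL.issuer1.name"}],
}
BUNDLE_IT = {"mDL.name": "Patente di Guida",
             "mDL.issuer1.name": "Esempio di Credential Issuer"}
```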

7.6.3. Decentralization of Display and Claim Information

The canonical source for display characteristics and claim structure is determined by the Credential Issuer's Metadata (Entity Configuration).

The overall logic for presenting a Credential is:

  1. The Wallet/Relying Party retrieves the lightweight Digital Credentials Catalog to discover the available credential_type and the entity_id of their Credential Issuers.

  2. It retrieves the full Credential Issuer Metadata (Entity Configuration) from the discovered entity_id.

  3. The Credential Issuer Metadata MUST contain the full display characteristics (logos, colors) and the detailed schema information (via links to the appropriate Type Metadata or directly in the configuration). The Issuer builds this metadata based on the suggestions provided by the Authentic Source (via the AS Registry) and the standard schema specifications (via the Schema Registry).

7.7. Taxonomy

The Taxonomy provides the semantic foundation for Digital Credential interoperability by maintaining the authoritative vocabulary for organizing Credentials within the IT-Wallet ecosystem. The taxonomy is neutral with respect to the Credential format.

The Taxonomy provides, in a single resource, the hierarchical classification system organizing Domains, Classes and Purposes that can be applied to Credential Types, supporting authorization policy evaluation and ecosystem-wide standardization.

Taxonomy Objectives:

  1. Semantic Foundation: Establish standardized vocabulary for domains and purposes across the ecosystem

  2. Policy Framework: Enable structured authorization decisions based on hierarchical classification

  3. Interoperability: Ensure consistent interpretation of credential classifications

  4. Extensibility: Support evolution of the ecosystem with new Domains, Classes, Credential Types and Purposes

  5. Cross-Border Compliance: Align with EU regulatory requirements and international standards

Taxonomy Structure:

The taxonomy maintains a four-level hierarchical structure:

  • Domains: Top-level classification representing broad functional areas (e.g., IDENTITY, HEALTH, FINANCIAL)

  • Class (Credential Family): Family of Credentials sharing similar function, structure, or legal meaning (e.g., Identification Documents, Civil Status Certificates, Professional Licenses, Access)

  • Credential Type: Specific Credential definition issued by an authority (e.g., Digital Travel Credential, Birth Certificate, Mobile Driving License).

  • Purpose (Verification Intent): Verification objectives that a Credential can satisfy (e.g., Identity Verification, Age Verification, Eligibility for specific services, Access permit verification).

Note

Credential Type is a concept defined at the Digital Credentials Catalog level, not within the Taxonomy. The Taxonomy provides the classification vocabulary (Domains, Classes, Purposes) that Credential Types in the Catalog reference.

Localization Support:

The taxonomy supports multilingual environments through the _l10n_id suffix pattern, enabling efficient localization management for user interfaces and cross-border implementations.

Taxonomy Usage:

  • Claims Registry: Individual claims catalog

  • AS Registry: Authentic Sources declare capabilities using taxonomy classifications

  • Digital Credentials Catalog: Credential Types specify Domains, Classes and Purposes

  • Authorization Policies: Policy evaluation leverages taxonomy structure for access control decisions

The Taxonomy is accessible through the dedicated taxonomy endpoint as defined in the registry discovery mechanism and is maintained by the Supervisory Body to ensure regulatory compliance and semantic consistency.

Taxonomy JSON Structure:

Table 7.11 First-level Fields of the Taxonomy

Field Name

Description

id

REQUIRED. Unique identifier of the Taxonomy (e.g., urn:taxonomy:it-wallet).

version

REQUIRED. The version of the Taxonomy (e.g., 1.0.0).

last_modified

REQUIRED. The timestamp indicating when the Taxonomy was last updated (e.g., 2026-03-11T00:00:00Z).

name_l10n_id

REQUIRED. Localization key referencing the human-readable name of the Taxonomy (e.g., taxonomy.name).

description_l10n_id

REQUIRED. Localization key referencing the human-readable description of the Taxonomy (e.g., taxonomy.description).

localization

REQUIRED. Localization configuration object containing:

  • default_locale: Default locale code (e.g., it).

  • available_locales: Array of supported locale codes (e.g., ["en", "it"]).

  • base_uri: Base URI for localization bundle retrieval (e.g., https://trust-registry.eid-wallet.example.it/.well-known/l10n/taxonomy/).

  • version: Version of the localization bundle format.

domains

REQUIRED. Array of Domain objects, each containing:

  • id: Unique Domain identifier in SCREAMING_SNAKE_CASE (e.g., IDENTITY).

  • name_l10n_id: Localization key for the domain name (e.g., domain.identity.name).

  • description_l10n_id: Localization key for the domain description (e.g., domain.identity.description).

  • classes: Array of Class objects. Each class contains id, name_l10n_id, and supported_purposes (array of purpose ID strings).

purposes

REQUIRED. Flat array of all Purpose objects defined across the taxonomy, each containing:

  • id: Unique Purpose identifier in SCREAMING_SNAKE_CASE (e.g., IDENTITY_VERIFICATION, ACCESS_PERMIT).

  • name_l10n_id: Localization key for the purpose name (e.g., purpose.identity_verification.name).
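
The fields in Table 7.11 are enough to check that the domains, classes and purposes of a catalog entry resolve in the Taxonomy before a policy engine relies on them for the policy-based authorization described earlier. The following Python example is added here and is not part of the specification; the TAXONOMY subset, the rule that every declared purpose must be supported by a declared class, the uniqueness of class ids across domains and the authorize helper are assumptions made for illustration.

```python
# Constructed Taxonomy subset. The IDENTITY values follow this page's example;
# the MOBILITY_TRAVEL entry is assumed from identifiers the page mentions.
TAXONOMY = {
    "domains": [
        {"id": "IDENTITY", "classes": [
            {"id": "IDENTIFICATION_DOCUMENTS",
             "supported_purposes": ["IDENTITY_VERIFICATION", "AGE_VERIFICATION",
                                    "PERSON_IDENTIFICATION"]}]},
        {"id": "MOBILITY_TRAVEL", "classes": [
            {"id": "LICENSES_AUTHORIZATIONS",
             "supported_purposes": ["DRIVING_RIGHTS_VERIFICATION"]}]},
    ],
    "purposes": [{"id": "IDENTITY_VERIFICATION"}, {"id": "AGE_VERIFICATION"},
                 {"id": "PERSON_IDENTIFICATION"}, {"id": "DRIVING_RIGHTS_VERIFICATION"}],
}

# Classification fields copied from the mDL entry of the catalog example.
CATALOG_ENTRY = {
    "credential_type": "mDL",
    "domains": [{"id": "IDENTITY"}, {"id": "MOBILITY_TRAVEL"}],
    "classes": [{"id": "IDENTIFICATION_DOCUMENTS"}, {"id": "LICENSES_AUTHORIZATIONS"}],
    "purposes": [{"id": "IDENTITY_VERIFICATION"}, {"id": "AGE_VERIFICATION"},
                 {"id": "DRIVING_RIGHTS"}],
}


def index_taxonomy(taxonomy):
    """Return (domain of each class, purposes of each class, all purpose ids)."""
    class_domain, class_purposes = {}, {}
    for domain in taxonomy["domains"]:
        for cls in domain["classes"]:
            class_domain[cls["id"]] = domain["id"]
            class_purposes[cls["id"]] = set(cls["supported_purposes"])
    return class_domain, class_purposes, {p["id"] for p in taxonomy["purposes"]}


def ids(entry, field):
    return [item["id"] for item in entry.get(field, [])]


def check_entry(entry, taxonomy):
    """List every classification reference that does not resolve."""
    class_domain, class_purposes, purpose_ids = index_taxonomy(taxonomy)
    known_domains = {d["id"] for d in taxonomy["domains"]}
    declared_domains = ids(entry, "domains")
    errors = ["domain %s is not defined in the Taxonomy" % d
              for d in declared_domains if d not in known_domains]
    supported = set()
    for c in ids(entry, "classes"):
        if c not in class_domain:
            errors.append("class %s is not defined in the Taxonomy" % c)
        elif class_domain[c] not in declared_domains:
            errors.append("class %s belongs to domain %s, which the entry does not declare"
                          % (c, class_domain[c]))
        else:
            supported |= class_purposes[c]
    for p in ids(entry, "purposes"):
        if p not in purpose_ids:
            errors.append("purpose %s is not defined in the Taxonomy" % p)
        elif p not in supported:
            errors.append("purpose %s is not supported by any declared class" % p)
    return errors


def effective_purposes(entry, taxonomy):
    """Purposes a policy can rely on: declared and backed by a declared class."""
    class_domain, class_purposes, purpose_ids = index_taxonomy(taxonomy)
    declared_domains = ids(entry, "domains")
    supported = set()
    for c in ids(entry, "classes"):
        if class_domain.get(c) in declared_domains:
            supported |= class_purposes[c]
    return {p for p in ids(entry, "purposes") if p in purpose_ids and p in supported}


def authorize(registered_purposes, requested, entry, taxonomy):
    """Hypothetical RP check: purpose registered by the RP and valid for the entry."""
    return requested in registered_purposes and requested in effective_purposes(entry, taxonomy)
```

With this constructed subset, the purpose id DRIVING_RIGHTS does not resolve, so a request for DRIVING_RIGHTS_VERIFICATION is denied until the entry uses the id the Taxonomy defines.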

A non-normative example of Taxonomy structure is given below:

{
    "id": "urn:taxonomy:it-wallet",
    "version": "1.0.0",
    "last_modified": "2026-03-11T00:00:00Z",
    "name_l10n_id": "taxonomy.name",
    "description_l10n_id": "taxonomy.description",
    "localization": {
        "available_locales": [
            "en",
            "it"
        ],
        "base_uri": "https://trust-registry.eid-wallet.example.it/.well-known/l10n/taxonomy/",
        "default_locale": "it",
        "version": "1.0.0"
    },
    "domains": [
        {
            "classes": [
                {
                    "id": "IDENTIFICATION_DOCUMENTS",
                    "name_l10n_id": "class.identification_documents.name",
                    "supported_purposes": [
                        "IDENTITY_VERIFICATION",
                        "AGE_VERIFICATION",
                        "PERSON_IDENTIFICATION"
                    ]
                },
                {
                    "id": "CIVIL_REGISTRY_STATUS",
                    "name_l10n_id": "class.civil_registry_status.name",
                    "supported_purposes": [
                        "CIVIL_STATUS_VERIFICATION",
                        "RIGHT_OF_RESIDENCE",
                        "HOUSEHOLD_COMPOSITION_VERIFICATION"
                    ]
                },
                {
                    "id": "ECONOMIC_LEGAL_STATUS",
                    "name_l10n_id": "class.economic_legal_status.name",
                    "supported_purposes": [
                        "ELIGIBILITY_VERIFICATION",
                        "LEGAL_STATUS_VERIFICATION",
                        "CRIMINAL_RECORD_CHECK"
                    ]
                }
            ],
            "description_l10n_id": "domain.identity.description",
            "id": "IDENTITY",
            "name_l10n_id": "domain.identity.name"
        },
        {
            "classes": [
                {
                    "id": "PROPERTY_CADASTRAL_DOCS",
                    "name_l10n_id": "class.property_cadastral_docs.name",
                    "supported_purposes": [
                        "RESIDENCE_HOUSEHOLD_VERIFICATION",
                        "PROPERTY_OWNERSHIP_VERIFICATION",
                        "REAL_ESTATE_COMPLIANCE"
                    ]
                },
                {
                    "id": "FAMILY_DOCUMENTS",
                    "name_l10n_id": "class.family_documents.name",
                    "supported_purposes": [
                        "HOUSEHOLD_COMPOSITION_VERIFICATION",
                        "FAMILY_SOCIAL_SERVICES_ELIGIBILITY"
                    ]
                },
                {
                    "id": "LOCAL_TAX_DOCUMENTS",
                    "name_l10n_id": "class.local_tax_documents.name",
                    "supported_purposes": [
                        "LOCAL_TAX_COMPLIANCE",
                        "PROPERTY_TAX_VERIFICATION"
                    ]
                }
            ],
            "description_l10n_id": "domain.home_family.description",
            "id": "HOME_FAMILY",
            "name_l10n_id": "domain.home_family.name"
        },
        {
            "classes": [
                {
                    "id": "EDUCATIONAL_QUALIFICATIONS",
                    "name_l10n_id": "class.educational_qualifications.name",
                    "supported_purposes": [
                        "QUALIFICATION_DEGREE_VERIFICATION",
                        "EDUCATION_PATHWAY_ELIGIBILITY"
                    ]
                },
                {
                    "id": "PROFESSIONAL_CERTIFICATIONS",
                    "name_l10n_id": "class.professional_certifications.name",
                    "supported_purposes": [
                        "PROFESSIONAL_LICENSE_VERIFICATION",
                        "SKILLS_ASSESSMENT"
                    ]
                }
            ],
            "description_l10n_id": "domain.education.description",
            "id": "EDUCATION",
            "name_l10n_id": "domain.education.name"
        },
        {
            "classes": [
                {
                    "id": "CERTIFICATIONS_ELIGIBILITY",
                    "name_l10n_id": "class.certifications_eligibility.name",
                    "supported_purposes": [
                        "VACCINATION_STATUS_VERIFICATION",
                        "FITNESS_STATUS_VERIFICATION",
                        "HEALTH_RESTRICTED_ACCESS"
                    ]
                },
                {
                    "id": "MEDICAL_RECORDS",
                    "name_l10n_id": "class.medical_records.name",
                    "supported_purposes": [
                        "HEALTHCARE_SERVICES_ACCESS",
                        "MEDICAL_RECORDS_SHARING",
                        "MEDICAL_HISTORY_VALIDATION"
                    ]
                }
            ],
            "description_l10n_id": "domain.health.description",
            "id": "HEALTH",
            "name_l10n_id": "domain.health.name"
        },
        {
            "classes": [
                {
                    "id": "PAYMENT_INSTRUMENTS",
                    "name_l10n_id": "class.payment_instruments.name",
                    "supported_purposes": [
                        "PAYMENT_AUTHORIZATION",
                        "PAYMENT_EXECUTION",
                        "PROOF_OF_PAYMENT"
                    ]
                },
                {
                    "id": "PAYMENT_CREDENTIALS_AUTHORIZATIONS",
                    "name_l10n_id": "class.payment_credentials_authorizations.name",
                    "supported_purposes": [
                        "FINANCIAL_AUTHORIZATION_MANAGEMENT",
                        "STRONG_CUSTOMER_AUTHENTICATION"
                    ]
                },
                {
                    "id": "PUBLIC_PAYMENTS_FEES",
                    "name_l10n_id": "class.public_payments_fees.name",
                    "supported_purposes": [
                        "PROOF_OF_TAX_PAYMENT",
                        "PROOF_OF_FEE_PAYMENT",
                        "DIGITAL_STAMP_DUTY_VALIDATION"
                    ]
                },
                {
                    "id": "RECURRING_PAYMENTS_SUBSCRIPTIONS",
                    "name_l10n_id": "class.recurring_payments_subscriptions.name",
                    "supported_purposes": [
                        "RECURRING_PAYMENT_MANAGEMENT",
                        "SUBSCRIPTION_MANDATE_VERIFICATION"
                    ]
                }
            ],
            "description_l10n_id": "domain.financial.description",
            "id": "FINANCIAL",
            "name_l10n_id": "domain.financial.name"
        },
        {
            "classes": [
                {
                    "id": "CULTURAL_CARDS_BENEFITS",
                    "name_l10n_id": "class.cultural_cards_benefits.name",
                    "supported_purposes": [
                        "CULTURAL_SERVICES_ACCESS",
                        "LEISURE_SERVICES_ACCESS",
                        "MEMBER_DISCOUNT_APPLICATION"
                    ]
                },
                {
                    "id": "MEMBERSHIP_LOYALTY_PROGRAMS",
                    "name_l10n_id": "class.membership_loyalty_programs.name",
                    "supported_purposes": [
                        "AFFILIATION_VERIFICATION",
                        "PARTICIPATION_VERIFICATION",
                        "LOYALTY_BENEFITS_USE"
                    ]
                }
            ],
            "description_l10n_id": "domain.culture_leisure.description",
            "id": "CULTURE_LEISURE",
            "name_l10n_id": "domain.culture_leisure.name"
        },
        {
            "classes": [
                {
                    "id": "EMPLOYMENT_DOCUMENTS",
                    "name_l10n_id": "class.employment_documents.name",
                    "supported_purposes": [
                        "EMPLOYMENT_STATUS_VERIFICATION",
                        "PROFESSIONAL_PROFILE_VALIDATION"
                    ]
                },
                {
                    "id": "EMPLOYMENT_STATUS",
                    "name_l10n_id": "class.employment_status.name",
                    "supported_purposes": [
                        "CONTRIBUTION_RECORDS_VERIFICATION",
                        "EMPLOYMENT_BENEFITS_ELIGIBILITY"
                    ]
                },
                {
                    "id": "EMPLOYMENT_AFFILIATION",
                    "name_l10n_id": "class.employment_affiliation.name",
                    "supported_purposes": [
                        "ACCESS_PERMIT"
                    ]
                }
            ],
            "description_l10n_id": "domain.employment.description",
            "id": "EMPLOYMENT",
            "name_l10n_id": "domain.employment.name"
        },
        {
            "classes": [
                {
                    "id": "LICENSES_AUTHORIZATIONS",
                    "name_l10n_id": "class.licenses_authorizations.name",
                    "supported_purposes": [
                        "DRIVING_RIGHTS_VERIFICATION",
                        "NAVIGATION_RIGHTS_VERIFICATION",
                        "LAW_ENFORCEMENT_CONTROLS"
                    ]
                },
                {
                    "id": "VEHICLE_DOCUMENTS",
                    "name_l10n_id": "class.vehicle_documents.name",
                    "supported_purposes": [
                        "VEHICLE_REGISTRATION_VERIFICATION",
                        "VEHICLE_INSPECTION_VERIFICATION",
                        "INSURANCE_STATUS_CHECK"
                    ]
                },
                {
                    "id": "TRANSPORT_SUBSCRIPTIONS",
                    "name_l10n_id": "class.transport_subscriptions.name",
                    "supported_purposes": [
                        "TRANSPORT_SERVICES_ACCESS",
                        "PUBLIC_TRANSPORT_PASS_VERIFICATION"
                    ]
                },
                {
                    "id": "TRAVEL_DOCUMENTS",
                    "name_l10n_id": "class.travel_documents.name",
                    "supported_purposes": [
                        "RIGHT_TO_TRAVEL",
                        "CROSS_BORDER_IDENTITY_CHECK"
                    ]
                },
                {
                    "id": "TRAVEL_INSURANCE_BOOKINGS",
                    "name_l10n_id": "class.travel_insurance_bookings.name",
                    "supported_purposes": [
                        "TRAVEL_INSURANCE_VERIFICATION",
                        "ACCOMMODATION_RESERVATION_CHECK",
                        "TRANSPORT_RESERVATION_CHECK"
                    ]
                },
                {
                    "id": "DISCOUNTS_BENEFITS",
                    "name_l10n_id": "class.discounts_benefits.name",
                    "supported_purposes": [
                        "MEMBER_DISCOUNT_APPLICATION",
                        "TOURIST_BENEFITS_ACCESS"
                    ]
                }
            ],
            "description_l10n_id": "domain.mobility_travel.description",
            "id": "MOBILITY_TRAVEL",
            "name_l10n_id": "domain.mobility_travel.name"
        },
        {
            "classes": [
                {
                    "id": "ECONOMIC_BENEFITS_ALLOWANCES",
                    "name_l10n_id": "class.economic_benefits_allowances.name",
                    "supported_purposes": [
                        "FAMILY_BENEFITS_ELIGIBILITY",
                        "UNEMPLOYMENT_BENEFITS_ELIGIBILITY",
                        "ECONOMIC_SUPPORT_ALLOCATION"
                    ]
                },
                {
                    "id": "INCENTIVES_VOUCHERS",
                    "name_l10n_id": "class.incentives_vouchers.name",
                    "supported_purposes": [
                        "DIGITAL_VOUCHER_USE",
                        "PURCHASE_INCENTIVE_USE",
                        "CASHBACK_ELIGIBILITY_VERIFICATION"
                    ]
                },
                {
                    "id": "HEALTH_WELLBEING_BONUSES",
                    "name_l10n_id": "class.health_wellbeing_bonuses.name",
                    "supported_purposes": [
                        "HEALTHCARE_BONUS_ACCESS",
                        "MENTAL_HEALTH_VOUCHER_USE",
                        "SPORTS_VOUCHER_USE"
                    ]
                }
            ],
            "description_l10n_id": "domain.bonuses.description",
            "id": "BONUSES",
            "name_l10n_id": "domain.bonuses.name"
        }
    ],
    "purposes": [
        {
            "id": "IDENTITY_VERIFICATION",
            "name_l10n_id": "purpose.identity_verification.name"
        },
        {
            "id": "AGE_VERIFICATION",
            "name_l10n_id": "purpose.age_verification.name"
        },
        {
            "id": "PERSON_IDENTIFICATION",
            "name_l10n_id": "purpose.person_identification.name"
        },
        {
            "id": "CIVIL_STATUS_VERIFICATION",
            "name_l10n_id": "purpose.civil_status_verification.name"
        },
        {
            "id": "RIGHT_OF_RESIDENCE",
            "name_l10n_id": "purpose.right_of_residence.name"
        },
        {
            "id": "HOUSEHOLD_COMPOSITION_VERIFICATION",
            "name_l10n_id": "purpose.household_composition_verification.name"
        },
        {
            "id": "ELIGIBILITY_VERIFICATION",
            "name_l10n_id": "purpose.eligibility_verification.name"
        },
        {
            "id": "LEGAL_STATUS_VERIFICATION",
            "name_l10n_id": "purpose.legal_status_verification.name"
        },
        {
            "id": "CRIMINAL_RECORD_CHECK",
            "name_l10n_id": "purpose.criminal_record_check.name"
        },
        {
            "id": "RESIDENCE_HOUSEHOLD_VERIFICATION",
            "name_l10n_id": "purpose.residence_household_verification.name"
        },
        {
            "id": "PROPERTY_OWNERSHIP_VERIFICATION",
            "name_l10n_id": "purpose.property_ownership_verification.name"
        },
        {
            "id": "REAL_ESTATE_COMPLIANCE",
            "name_l10n_id": "purpose.real_estate_compliance.name"
        },
        {
            "id": "FAMILY_SOCIAL_SERVICES_ELIGIBILITY",
            "name_l10n_id": "purpose.family_social_services_eligibility.name"
        },
        {
            "id": "LOCAL_TAX_COMPLIANCE",
            "name_l10n_id": "purpose.local_tax_compliance.name"
        },
        {
            "id": "PROPERTY_TAX_VERIFICATION",
            "name_l10n_id": "purpose.property_tax_verification.name"
        },
        {
            "id": "QUALIFICATION_DEGREE_VERIFICATION",
            "name_l10n_id": "purpose.qualification_degree_verification.name"
        },
        {
            "id": "EDUCATION_PATHWAY_ELIGIBILITY",
            "name_l10n_id": "purpose.education_pathway_eligibility.name"
        },
        {
            "id": "PROFESSIONAL_LICENSE_VERIFICATION",
            "name_l10n_id": "purpose.professional_license_verification.name"
        },
        {
            "id": "SKILLS_ASSESSMENT",
            "name_l10n_id": "purpose.skills_assessment.name"
        },
        {
            "id": "VACCINATION_STATUS_VERIFICATION",
            "name_l10n_id": "purpose.vaccination_status_verification.name"
        },
        {
            "id": "FITNESS_STATUS_VERIFICATION",
            "name_l10n_id": "purpose.fitness_status_verification.name"
        },
        {
            "id": "HEALTH_RESTRICTED_ACCESS",
            "name_l10n_id": "purpose.health_restricted_access.name"
        },
        {
            "id": "HEALTHCARE_SERVICES_ACCESS",
            "name_l10n_id": "purpose.healthcare_services_access.name"
        },
        {
            "id": "MEDICAL_RECORDS_SHARING",
            "name_l10n_id": "purpose.medical_records_sharing.name"
        },
        {
            "id": "MEDICAL_HISTORY_VALIDATION",
            "name_l10n_id": "purpose.medical_history_validation.name"
        },
        {
            "id": "PAYMENT_AUTHORIZATION",
            "name_l10n_id": "purpose.payment_authorization.name"
        },
        {
            "id": "PAYMENT_EXECUTION",
            "name_l10n_id": "purpose.payment_execution.name"
        },
        {
            "id": "PROOF_OF_PAYMENT",
            "name_l10n_id": "purpose.proof_of_payment.name"
        },
        {
            "id": "FINANCIAL_AUTHORIZATION_MANAGEMENT",
            "name_l10n_id": "purpose.financial_authorization_management.name"
        },
        {
            "id": "STRONG_CUSTOMER_AUTHENTICATION",
            "name_l10n_id": "purpose.strong_customer_authentication.name"
        },
        {
            "id": "PROOF_OF_TAX_PAYMENT",
            "name_l10n_id": "purpose.proof_of_tax_payment.name"
        },
        {
            "id": "PROOF_OF_FEE_PAYMENT",
            "name_l10n_id": "purpose.proof_of_fee_payment.name"
        },
        {
            "id": "DIGITAL_STAMP_DUTY_VALIDATION",
            "name_l10n_id": "purpose.digital_stamp_duty_validation.name"
        },
        {
            "id": "RECURRING_PAYMENT_MANAGEMENT",
            "name_l10n_id": "purpose.recurring_payment_management.name"
        },
        {
            "id": "SUBSCRIPTION_MANDATE_VERIFICATION",
            "name_l10n_id": "purpose.subscription_mandate_verification.name"
        },
        {
            "id": "CULTURAL_SERVICES_ACCESS",
            "name_l10n_id": "purpose.cultural_services_access.name"
        },
        {
            "id": "LEISURE_SERVICES_ACCESS",
            "name_l10n_id": "purpose.leisure_services_access.name"
        },
        {
            "id": "MEMBER_DISCOUNT_APPLICATION",
            "name_l10n_id": "purpose.member_discount_application.name"
        },
        {
            "id": "AFFILIATION_VERIFICATION",
            "name_l10n_id": "purpose.affiliation_verification.name"
        },
        {
            "id": "PARTICIPATION_VERIFICATION",
            "name_l10n_id": "purpose.participation_verification.name"
        },
        {
            "id": "LOYALTY_BENEFITS_USE",
            "name_l10n_id": "purpose.loyalty_benefits_use.name"
        },
        {
            "id": "EMPLOYMENT_STATUS_VERIFICATION",
            "name_l10n_id": "purpose.employment_status_verification.name"
        },
        {
            "id": "PROFESSIONAL_PROFILE_VALIDATION",
            "name_l10n_id": "purpose.professional_profile_validation.name"
        },
        {
            "id": "CONTRIBUTION_RECORDS_VERIFICATION",
            "name_l10n_id": "purpose.contribution_records_verification.name"
        },
        {
            "id": "EMPLOYMENT_BENEFITS_ELIGIBILITY",
            "name_l10n_id": "purpose.employment_benefits_eligibility.name"
        },
        {
            "id": "DRIVING_RIGHTS_VERIFICATION",
            "name_l10n_id": "purpose.driving_rights_verification.name"
        },
        {
            "id": "NAVIGATION_RIGHTS_VERIFICATION",
            "name_l10n_id": "purpose.navigation_rights_verification.name"
        },
        {
            "id": "LAW_ENFORCEMENT_CONTROLS",
            "name_l10n_id": "purpose.law_enforcement_controls.name"
        },
        {
            "id": "VEHICLE_REGISTRATION_VERIFICATION",
            "name_l10n_id": "purpose.vehicle_registration_verification.name"
        },
        {
            "id": "VEHICLE_INSPECTION_VERIFICATION",
            "name_l10n_id": "purpose.vehicle_inspection_verification.name"
        },
        {
            "id": "INSURANCE_STATUS_CHECK",
            "name_l10n_id": "purpose.insurance_status_check.name"
        },
        {
            "id": "TRANSPORT_SERVICES_ACCESS",
            "name_l10n_id": "purpose.transport_services_access.name"
        },
        {
            "id": "PUBLIC_TRANSPORT_PASS_VERIFICATION",
            "name_l10n_id": "purpose.public_transport_pass_verification.name"
        },
        {
            "id": "RIGHT_TO_TRAVEL",
            "name_l10n_id": "purpose.right_to_travel.name"
        },
        {
            "id": "CROSS_BORDER_IDENTITY_CHECK",
            "name_l10n_id": "purpose.cross_border_identity_check.name"
        },
        {
            "id": "TRAVEL_INSURANCE_VERIFICATION",
            "name_l10n_id": "purpose.travel_insurance_verification.name"
        },
        {
            "id": "ACCOMMODATION_RESERVATION_CHECK",
            "name_l10n_id": "purpose.accommodation_reservation_check.name"
        },
        {
            "id": "TRANSPORT_RESERVATION_CHECK",
            "name_l10n_id": "purpose.transport_reservation_check.name"
        },
        {
            "id": "TOURIST_BENEFITS_ACCESS",
            "name_l10n_id": "purpose.tourist_benefits_access.name"
        },
        {
            "id": "FAMILY_BENEFITS_ELIGIBILITY",
            "name_l10n_id": "purpose.family_benefits_eligibility.name"
        },
        {
            "id": "UNEMPLOYMENT_BENEFITS_ELIGIBILITY",
            "name_l10n_id": "purpose.unemployment_benefits_eligibility.name"
        },
        {
            "id": "ECONOMIC_SUPPORT_ALLOCATION",
            "name_l10n_id": "purpose.economic_support_allocation.name"
        },
        {
            "id": "DIGITAL_VOUCHER_USE",
            "name_l10n_id": "purpose.digital_voucher_use.name"
        },
        {
            "id": "PURCHASE_INCENTIVE_USE",
            "name_l10n_id": "purpose.purchase_incentive_use.name"
        },
        {
            "id": "CASHBACK_ELIGIBILITY_VERIFICATION",
            "name_l10n_id": "purpose.cashback_eligibility_verification.name"
        },
        {
            "id": "HEALTHCARE_BONUS_ACCESS",
            "name_l10n_id": "purpose.healthcare_bonus_access.name"
        },
        {
            "id": "MENTAL_HEALTH_VOUCHER_USE",
            "name_l10n_id": "purpose.mental_health_voucher_use.name"
        },
        {
            "id": "SPORTS_VOUCHER_USE",
            "name_l10n_id": "purpose.sports_voucher_use.name"
        },
        {
            "id": "ACCESS_PERMIT",
            "name_l10n_id": "purpose.access_permit.name"
        }
    ]
}

Note

For better and more efficient management of Taxonomy localization, an Entity consulting it SHOULD:

  • Download the basic version of the Taxonomy (compact, without localizations) using the .well-known/taxonomy endpoint.

  • Determine the User's preferred language.

  • Download only the necessary localization bundles.

  • Dynamically merge localized content with the Taxonomy structure.

A non-normative example of a localization bundle output is given below:

{
  "taxonomy.name": "IT-Wallet Taxonomy",
  "taxonomy.description": "Hierarchical classification system for Digital Credentials in the IT-Wallet ecosystem",
  "domain.identity.name": "Identity",
  "domain.identity.description": "Credentials that establish or confirm a person's legal identity and personal, civil or legal status.",
  "class.identification_documents.name": "Identification Documents",
  "purpose.identity_verification.name": "Identity verification",
  "domain.authentication.name": "Authentication",
  "domain.authentication.description": "Credentials that attest authorisation to access restricted physical or digital spaces, services or resources.",
  "class.access.name": "Access",
  "purpose.access_permit.name": "Access permit verification",
  "...": "..."
}

Localization bundles MUST be available at the URI composed by appending the locale code and .json to the localization.base_uri value defined in the taxonomy. Each locale bundle MUST be accessible following the naming pattern {locale_code}.json, where {locale_code} is replaced with the corresponding locale code from the available_locales array.

A non-normative example of the Italian localization URI for the bundle would be https://trust-registry.eid-wallet.example.it/.well-known/l10n/taxonomy/it.json.
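The four steps of the Note above, as an added example that is not part of the specification: it picks a locale, builds the bundle URI only from locale codes the Taxonomy advertises, and merges a bundle into the compact structure while recording keys the bundle lacks. The `domains` key, the placement of `available_locales` next to `base_uri` inside `localization`, and the fallback to the first advertised locale are assumptions of this example; the sample taxonomy and bundle are constructed.

```python
L10N_SUFFIX = "_l10n_id"

# Constructed sample of the compact Taxonomy (no localized strings).
# Assumed layout: "localization" holds base_uri and available_locales,
# and the domain array sits under a "domains" key.
TAXONOMY = {
    "localization": {
        "base_uri": "https://trust-registry.eid-wallet.example.it/.well-known/l10n/taxonomy/",
        "available_locales": ["it", "en"],
    },
    "domains": [
        {
            "id": "HEALTH",
            "name_l10n_id": "domain.health.name",
            "description_l10n_id": "domain.health.description",
            "classes": [
                {
                    "id": "MEDICAL_RECORDS",
                    "name_l10n_id": "class.medical_records.name",
                    "supported_purposes": ["MEDICAL_RECORDS_SHARING"],
                }
            ],
        }
    ],
    "purposes": [
        {"id": "ACCESS_PERMIT", "name_l10n_id": "purpose.access_permit.name"}
    ],
}

# Constructed English bundle; "domain.health.description" is deliberately absent.
EN_BUNDLE = {
    "domain.health.name": "Health",
    "class.medical_records.name": "Medical Records",
    "purpose.access_permit.name": "Access permit verification",
}


def pick_locale(preferred, localization):
    """Return the first preferred tag (or its primary subtag) that is advertised."""
    available = localization["available_locales"]
    for tag in preferred:
        for candidate in (tag, tag.split("-")[0]):
            if candidate in available:
                return candidate
    return available[0]  # example's choice of fallback


def bundle_uri(localization, locale):
    """Build {base_uri}{locale_code}.json for an advertised locale only."""
    # Only codes listed in available_locales ever reach the URI, so a value
    # taken from user settings (e.g. "../x") cannot redirect the download.
    if locale not in localization["available_locales"]:
        raise ValueError(f"locale {locale!r} is not advertised by the taxonomy")
    return localization["base_uri"].rstrip("/") + "/" + locale + ".json"


def localize(node, bundle, missing):
    """Copy `node`, adding e.g. "name" next to every "name_l10n_id"."""
    if isinstance(node, list):
        return [localize(item, bundle, missing) for item in node]
    if not isinstance(node, dict):
        return node
    out = {}
    for key, value in node.items():
        out[key] = localize(value, bundle, missing)
        if key.endswith(L10N_SUFFIX) and isinstance(value, str):
            text = bundle.get(value)
            if not isinstance(text, str):
                # The bundle supplies strings only; anything else is treated
                # as missing and the l10n id itself is shown instead.
                missing.append(value)
                text = value
            out[key[: -len(L10N_SUFFIX)]] = text
    return out


def merge(taxonomy, bundle):
    """Return (localized copy of the taxonomy, list of unresolved l10n ids)."""
    missing = []
    return localize(taxonomy, bundle, missing), missing
```

The merge never lets the bundle add or rename structural keys, so a faulty bundle can change displayed text but not the domains, classes or purposes an Entity acts on.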

7.8. Schema Registry

The Schema Registry is the authoritative inventory of all known and accepted Credential Schemas (JSON Schema for SD-JWT, CBOR Schema for mDOC) within the IT-Wallet ecosystem. It is managed by the Trust Anchor and provides a single, verifiable source for retrieving the technical specifications required for parsing, validating, and displaying Digital Credentials.

Schema Registry Objectives:

  1. Schema Centralization: Provide a centralized access point for all technical schemata used by Digital Credentials.

  2. Integrity and Authenticity: Ensure the integrity and authenticity of the schema documents through cryptographic digests.

  3. Interoperability: Facilitate the seamless integration of Wallet Providers and Relying Parties by providing consistent schema versions.

  4. Credential Lifecycle Support: Act as a verifiable reference point for schema validation during issuance and presentation.

Schema Registry Structure and Access:

The Schema Registry is accessible via the .well-known/it-wallet-registry discovery endpoint under the schema_registry field. It allows for the discovery of schema URIs and their cryptographic integrity checks.

Table 7.12 First-level Fields of the Schema Registry

| Field Name | Description |
|---|---|
| version | REQUIRED. The version of the Schema Registry (e.g., 1.0.0). |
| last_updated | REQUIRED. The timestamp indicating when the list was last updated (e.g., 2025-03-15T12:00:00Z). |
| schemas | REQUIRED. A JSON Array where each entry is a JSON Object representing a Credential Schema definition. Each object contains the parameters defined in the "Schema Definition Parameters" table below, including schema identification, format specifications, URIs, and integrity verification data. |

Table 7.13 Schema Definition Parameters

| Field Name | Description |
|---|---|
| id | REQUIRED. The unique identifier of the schema (e.g., mDL+mso_mdoc+org.iso.18013.5.1.mDL). |
| version | REQUIRED. The version of the schema definition (e.g., 1.0.0). |
| credential_type | REQUIRED. The unique identifier of the Digital Credential type (e.g., mDL, pid). |
| format | REQUIRED. The technical format of the schema (e.g., mso_mdoc, dc+sd-jwt). |
| vct | CONDITIONAL. It is REQUIRED if the format is dc+sd-jwt, indicating the Verifiable Credential Type (e.g., urn:eudi:mDL:it:1). |
| docType | CONDITIONAL. It is REQUIRED if the format is mso_mdoc, indicating the document type used (e.g., org.iso.18013.5.1.mDL). |
| schema_uri | REQUIRED. The URI where the schema document can be retrieved (e.g., https://trust-registry.it-wallet.example.it/.well-known/schemas/mdoc/mDL). |
| schema_uri#integrity | REQUIRED. Cryptographic digest of the schema document for integrity verification. Format: {digest_method}-{digest_value} (e.g., sha256-c8b708728e4c5756e35c03aeac257ca878d1f717d7b61f621be4d36dbd9b9c16). |
| description | OPTIONAL. A human-readable description of the schema, which may be localized (e.g., "Schema tecnico per la mobile Driving License in formato mdoc."). |

Schema Registry Example:

A non-normative example of the Schema Registry payload:

{
    "version": "1.0.0",
    "last_updated": "2025-03-15T12:00:00Z",
    "schemas": [
        {
            "id": "mDL+mso_mdoc+org.iso.18013.5.1.mDL",
            "version": "1.0.0",
            "credential_type": "mDL",
            "format": "mso_mdoc",
            "docType": "org.iso.18013.5.1.mDL",
            "schema_uri": "https://trust-registry.it-wallet.example.it/.well-known/schemas/mdoc/mDL",
            "schema_uri#integrity": "sha256-c8b708728e4c5756e35c03aeac257ca878d1f717d7b61f621be4d36dbd9b9c16",
            "description": "Schema tecnico per la mobile Driving License in formato mdoc."
        },
        {
            "id": "pid+dc+sd-jwt+urn:eudi:pid:it:1",
            "version": "1.0.0",
            "credential_type": "pid",
            "format": "dc+sd-jwt",
            "vct": "urn:eudi:pid:it:1",
            "schema_uri": "https://trust-registry.it-wallet.example.it/.well-known/schemas/sd-jwt/pid",
            "schema_uri#integrity": "sha256-a1b2c3d4e5f67890...",
            "description": "Schema tecnico per la Person Identification Data (PID) in formato SD-JWT."
        }
    ]
}

7.9. Registry Integration and Cross-References

The registry components are interconnected and work together to support the complete Credential ecosystem:

  1. AS Registry and Taxonomy: AS entities declare capabilities using taxonomy classifications for standardized categorization.

  2. AS Registry and Catalog: Credential types reference AS capabilities for data source validation.

  3. Catalog and Taxonomy: Credential entries specify domains and purposes from the taxonomy for discovery and authorization.

  4. Federation Registry and All Components: Provides cryptographic trust validation for all registry operations and entity authentication.

  5. Schema Registry and Issuer/RPs: Provides the verifiable link to all known Credential format specifications used in the ecosystem.

7.10. Registry Infrastructure Usage Journeys

The components of the Registry Infrastructure are designed to support various operational phases of the IT-Wallet ecosystem, each involving specific interactions between entities. The main Journeys below illustrate the interactions with the Registry Infrastructure.

7.10.1. Catalog Browsing

This Catalog Browsing journey supports Users (both human users via a Wallet Instance and automated systems like Relying Parties or web portals) in discovering and selecting available Digital Credentials.

  1. Accessing the Discovery Endpoint: The entity (e.g., a Wallet Provider or informational portal) accesses the Registry Discovery Endpoint (.well-known/it-wallet-registry) to obtain the URI of the Digital Credentials Catalog and of the Taxonomy.

  2. Navigation and Selection:

     • Credential Discovery: The entity browses the list of Credentials (credentials field) to identify relevant Credential types (e.g., pid, mDL) and, if needed, uses the information in the Taxonomy to navigate their hierarchy and to provide different localizations.

     • Issuer Metadata: The entity extracts the Issuer Identifier (entity_id within the issuers field) associated with the desired Credential.

     • Detail Consultation: To obtain complete information and specific technical requirements, the entity accesses the Entity Configuration (Issuer Metadata) using the retrieved identifier.

  3. Final Action: The entity can then use the metadata to display the catalog information to a User (or use the information in other ways).

7.10.2. Credential Issuance

This journey defines how a Credential Issuer uses the Registry Infrastructure to prepare and issue a compliant Digital Credential.

  1. Identifying Requirements: The CI consults the Digital Credentials Catalog for the technical requirements of the Credential type to be issued (e.g., max_validity_days, min_loa).

  2. Schema and Claim Resolution:

     • The CI consults the Schema Registry to retrieve the technical specification of the format and schema (e.g., JSON Schema for SD-JWT) required by the Catalog, ensuring validity and integrity via the hash (schema_uri#integrity).

     • The CI accesses the Claims Registry to retrieve the standardized semantic definitions and data formats (data types) of the necessary attributes (claims).

  3. Authentic Data Retrieval:

     • The CI consults the Authentic Source (AS) Registry to identify the authorized Authentic Source (AS) for the required dataset. The AS Registry provides the AS's entity_id and the technical details of the interface (integration_endpoint, integration_method).

     • The CI consults the AS endpoint specification to implement the integration needed to retrieve the User data required to populate the Digital Credential.

  4. Credential Issuance: The CI uses the retrieved data, validated schemas, and specified formats to generate and sign the Digital Credential in the correct format (e.g., SD-JWT or mDOC).

7.10.3. Credential Presentation and Verification

This journey describes how a Wallet Instance and a Relying Party (RP) interact with the Registry Infrastructure when a Digital Credential needs to be presented by a User.

  1. Wallet Authorization and Selection:

     • The Wallet receives a Presentation Request from the RP and verifies the validity of the request by comparing the requested claims with the Authorization Policies related to the RP.

     • The Wallet consults the Digital Credentials Catalog and the Taxonomy to verify the Domains, the Classes and Purposes associated with the Credential types it holds, evaluating which Credentials are suitable for the request.

     • The Wallet verifies if the required attributes (claims) are available and authorized for disclosure based on the request policy (Credential-Specific or Credential-Agnostic scenarios).

     • The User authorizes the release of the selected, selectively disclosed attributes. The Wallet then packages and presents the Digital Credential to the RP.

  2. Discovery and Integrity:

     • The RP receives the Digital Credential from the User.

     • The RP consults the Federation Registry via the Trust Anchor's endpoint (federation_resolve, federation_trust_mark_status) to verify the cryptographic trust (Trust Mark) of the Issuer and Wallet Provider as defined in Section The Infrastructure of Trust.

     • The RP consults the Schema Registry to download the schema of the presented Credential (schema_uri), verifying its integrity (schema_uri#integrity).

  3. Schema and Final Policy Validation:

     • The RP uses the retrieved schema to validate the structure of the Credential and the data types of the revealed attributes.

     • The RP performs the final check to ensure that the attributes presented comply with the specific requirements of the initial request and authorization policy.

  4. Acceptance or Rejection: Based on cryptographic validation, schema compliance, and policy-based authorization, the RP accepts or rejects the Credential for service access.
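The schema integrity step that both the issuance journey (7.10.2) and the presentation journey (7.10.3) rely on, together with the REQUIRED/CONDITIONAL rules of Table 7.13, as an added example that is not part of the specification. It assumes the digest is computed over the raw bytes returned from schema_uri and is hex-encoded as in the page's sample; the function names, the fail-closed handling of unknown formats, and the sample schema bytes are this example's own.

```python
import hashlib
import hmac
import string

# Digest methods this verifier accepts; the page's samples only use sha256.
ALLOWED_DIGESTS = {"sha256": hashlib.sha256}
# REQUIRED and CONDITIONAL fields from Table 7.13.
REQUIRED = ("id", "version", "credential_type", "format",
            "schema_uri", "schema_uri#integrity")
CONDITIONAL = {"dc+sd-jwt": "vct", "mso_mdoc": "docType"}


class SchemaRegistryError(ValueError):
    """Raised when a registry entry or a downloaded schema fails a check."""


def check_entry(entry):
    """Enforce the REQUIRED/CONDITIONAL rules of Table 7.13 on one entry."""
    for field in REQUIRED:
        if not isinstance(entry.get(field), str) or not entry[field]:
            raise SchemaRegistryError(f"missing REQUIRED field {field!r}")
    needed = CONDITIONAL.get(entry["format"])
    if needed is None:
        # Example's choice: fail closed on formats this verifier cannot parse.
        raise SchemaRegistryError(f"unsupported format {entry['format']!r}")
    if not isinstance(entry.get(needed), str) or not entry[needed]:
        raise SchemaRegistryError(f"{needed!r} is REQUIRED for {entry['format']}")


def parse_integrity(value):
    """Split '{digest_method}-{digest_value}' into (method, raw digest bytes)."""
    method, sep, hexdigest = value.partition("-")
    if not sep or method not in ALLOWED_DIGESTS:
        raise SchemaRegistryError(f"digest method {method!r} not accepted")
    size = ALLOWED_DIGESTS[method]().digest_size
    # A truncated or padded value (e.g. one ending in '...') is rejected here.
    if len(hexdigest) != 2 * size or set(hexdigest) - set(string.hexdigits):
        raise SchemaRegistryError("digest value is not a full hex digest")
    return method, bytes.fromhex(hexdigest)


def find_entry(registry, *, vct=None, doc_type=None):
    """Select the single entry matching the presented Credential's type."""
    hits = [e for e in registry["schemas"]
            if (vct is not None and e.get("vct") == vct)
            or (doc_type is not None and e.get("docType") == doc_type)]
    if len(hits) != 1:
        raise SchemaRegistryError(f"expected one matching schema, got {len(hits)}")
    return hits[0]


def verify_schema_document(entry, document):
    """Return True only if `document` hashes to the entry's declared digest."""
    check_entry(entry)
    method, expected = parse_integrity(entry["schema_uri#integrity"])
    actual = ALLOWED_DIGESTS[method](document).digest()
    if not hmac.compare_digest(actual, expected):
        raise SchemaRegistryError(f"digest mismatch for {entry['schema_uri']}")
    return True


# Constructed sample: schema bytes as they would be downloaded from schema_uri,
# and a registry entry whose digest is computed over exactly those bytes.
SCHEMA_BYTES = b'{"type": "object", "required": ["given_name", "family_name"]}'
REGISTRY = {
    "version": "1.0.0",
    "last_updated": "2025-03-15T12:00:00Z",
    "schemas": [
        {
            "id": "pid+dc+sd-jwt+urn:eudi:pid:it:1",
            "version": "1.0.0",
            "credential_type": "pid",
            "format": "dc+sd-jwt",
            "vct": "urn:eudi:pid:it:1",
            "schema_uri": "https://trust-registry.it-wallet.example.it/.well-known/schemas/sd-jwt/pid",
            "schema_uri#integrity": "sha256-" + hashlib.sha256(SCHEMA_BYTES).hexdigest(),
        }
    ],
}

if __name__ == "__main__":
    entry = find_entry(REGISTRY, vct="urn:eudi:pid:it:1")
    print("schema accepted:", verify_schema_document(entry, SCHEMA_BYTES))
```

The digest only binds the schema document to the registry entry, so the check is only as trustworthy as the registry payload the entry was read from.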