eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework

Registration, Issuance and usage of RP access certificates

nguyekim opened this issue · 1 comment

Access certificates are required to present the relevant authorization of an RP towards the Wallet and also to ensure proper authentication of the RP towards the Wallet.

Without doubt this is required in order to properly restrict access to PID, (Q)EAA or other data stored within the wallet by any RP.

However, it must be taken into account that this requirement can be divided into two main parts: on the one hand, the technical realization of authentication and authorization on the protocol level, i.e. in the technical interaction between wallet and RP and the related infrastructure, and on the other hand, the registration and issuance procedure or, more generally speaking, the lifecycle management of the access certificates by both the RP and the registrar.

It is absolutely important to understand that the complexity of the latter part is of vital importance for the acceptance of the newly established eIDAS EUDIW ecosystem by RPs.

A largely manual process will certainly influence scalability and acceptance, especially when considering cross-border use cases.

However, it is also clear that a fully automated process without any type of clearance process by either the registrar or some other third party will certainly not meet the high security and data privacy requirements imposed on the eIDAS wallet system.

Hence, it does seem reasonable to look at authentication and authorization as different requirements implemented by means of access certificates.

Without doubt every RP will be required to be authenticated by strong cryptographic means against the wallet.

However, it might be recommendable to add authorization as an additional element to this procedure that could possibly be realized by interaction of the wallet with various elements of the ecosystem (while authentication necessarily will need to be performed end to end between wallet and RP).

Experiences from existing live systems (e.g. in Germany) should be taken into account in the design of the access certificate requirements. Furthermore, it should be noted that there seems to be a substantial analogy to the existing PSD2 regime, where the authentication AND authorization are performed using the eIDAS tools of QWACs and qSeals.