General and technical news sources are touting a new EU digital ID wallet. These articles have high visibility because of the obvious linkage to the controversial vaccine passport, even as many of the articles never explicitly mention that passport. None of the news sources have any technical information about how the ID and wallet would work. The simple reason for this lack of tech details: there are none. Neither the digital ID nor the wallet exists yet. For now, all we have is a formal recommendation from the European Commission to create a digital identification framework to include a digital ID and a digital wallet.
From the 3 June 2021 Press Release, Commission proposes a trusted and secure Digital Identity for all Europeans, we learn, “The Commission invites Member States to establish a common toolbox by September 2022 and to start the necessary preparatory work immediately. This toolbox should include the technical architecture, standards and guidelines for best practices.” The EU has just begun the first step in a multi-year cooperative effort leading to software to implement that framework on multiple mobile operating systems.
To learn what the proposed toolbox will entail, we turn to the actual proposal document, A trusted and secure European e-ID – Recommendation. For those deep into the technology of the framework, here is the key paragraph from the document:
“It is recommended that Member States identify common standards and technical references in particular in the following areas: European Digital Identity Wallets user functionalities including signing by means of qualified electronic signatures, interfaces and protocols, level of assurance, notification of relying parties and verification of their authenticity, electronic attestation of attributes, mechanisms for verifying validity of electronic attestations of attributes and associated person identification data, certification, publication of a list of European Digital Identity Wallets, communication of security breaches, verification of identity and attributes by qualified trust providers of electronic attestations of attributes, identity matching, minimum list of attributes from authentic sources such as addresses, age, gender, civil status, family composition, nationality, educational and professional qualifications, titles and licenses, other permits and payment data, catalogue of attributes and schemes for the attestation of attributes and verification procedures for qualified electronic attestations of attributes, cooperation and governance.”
So many questions come to mind that the toolbox will have to answer.
- How many mobile operating systems must be supported? While Google Android and Apple iOS hold almost 99% of the market, one source has identified seven mobile operating systems, and recently a possible eighth is in sight as Huawei goes its own way with a new OS.
- What technologies can be “qualified electronic signatures”? Will they be limited to the current PKI technology, or might other options be available? Note that in the USA, the law recognizes digital signatures (PKI-based) as only one option for a legally valid electronic signature.
- With the need for extensive use of cryptology in both the IDs and e-signed documents, how will federation of multiple independent certificate servers be managed?
- How many languages will the system support? If in-system translation is needed, will the translation happen on the mobile device or on a trusted remote server system?
- Will all components and data of a digital wallet be stored only on the owner’s mobile device? Or will there be a supporting cloud storage system that works with the wallets?
- Who will operate the required crypto key generators and servers?
- How stringent will the enrollment identity verification processes be as each digital ID is initially issued?
- Who will test and validate the many components of the crypto, database, and e-signature services on supporting servers and on the wallet apps?
- Will all programming be done only by government software services, or will there be a system to certify commercial developers to create and maintain the wallet component applications?
- How will traditional judicial authorities and processes be involved in the case of a rejected ID or a contested legal or financial document?
The list will go on, and the actual toolbox task force will come up with many more questions, as well as (we hope) acceptable answers.
Oh... and how will the USA government and industry react and respond to this EU initiative?
(C) 2021, D. Cragin Shelton
This article originally appeared in the blog Cragin's Random Thoughts.