Issuing Attestation to Wallet Unit

DIW Gateway allows the client to issue its own attestations. An attestation can be used in various scenarios, both in the client's internal flows and by third parties.

Issued credentials are manageable; i.e., the client can revoke them and provide the attestation status to Relying Parties.

Registering Issuer

The client must register with the member state registrar before it can request a Verifiable Presentation from a Wallet Unit. This is a mandatory scenario. The exact process can differ between Registrar products. The product provides a complete set of management APIs to create a registrar request and to upload the obtained Access and Registration certificates required for requesting VPs. The product offers a multi-tenant solution for registering multiple Relying Party Instances for a single Relying Party.

Core Scenario Steps

  1. Create a Relying Party with the required metadata.
  2. Optionally configure Relying Party Instances.
  3. Configure the list of required credential types for the Relying Party (Instance).
  4. Configure the business mapping for the credential types and the selected scenario.
  5. Prepare a request for the Registrar.
  6. Prepare Certificate Signing Request for Access Certificates and Registration Certificates.
  7. Upload the obtained issued certificates from Registrar Access CA.

Use Cases

  • Initial Relying Party creation.
  • Certificate renewal request to the EUDIW ecosystem.
  • Change of the required data (Verifiable Credential types) requested from the EUDI Wallet.

Issuing SUA Attestation to Wallet Unit

The issuance of a SUA attestation enables the Wallet Unit to be used for strong user authentication in the context of electronic payments. In practice, the user's bank (ASPSP) issues a dedicated, device-bound SUA attestation to the Wallet Unit to link the Wallet Unit to the user and the payment service; the attestation contains a public key, with the corresponding private key protected in the wallet's secure environment. Later, when the SUA attestation is presented, the presentation request typically includes transactional data (e.g., to support payment authorization). Under the EUDIW trust model, only one such SUA attestation can be issued for the entire group (i.e., partners or sister organizations).

Attestations can be issued into the Wallet Unit in different ways: issuance can be initiated on the issuer side, either for a known authorized user or for an unauthorized user, or it can be initiated from the wallet.

Authorized User Integration

[Figure: diw-authorized-user-issuer.png]

Unauthorized User Integration

[Figure: diw-unauthorized-user-issuer.png]

Wallet Initiated Issuance Integration

The third variant is wallet-initiated issuance. The wallet presents something like a catalogue of different providers. The user selects a provider, the wallet asks whether that provider offers the specific attestations the user wants, the provider responds, and the wallet can then request the credential.

[Figure: diw-wallet-issued.png]

Core scenario steps

  1. The client system prepares data for attestation.
  2. DIW Issuer prepares Credential Offer.
  3. (Optional) For an authorized user, the OpenID4VCI Connector prepares a pre-authorized code.
  4. SDK advertises the Credential Offer to the EUDI Wallet Unit.
  5. Wallet Unit authorizes itself against the OpenID4VCI Connector, obtaining an access token.
  6. Wallet Unit requests the SUA Attestation from the OpenID4VCI Credential Endpoint.
  7. The OpenID4VCI Connector requests the SUA Attestation from DIW Issuer.*
  8. DIW Issuer signs the SUA Attestation.
  9. The SUA Attestation is returned to the Wallet Unit.

*A custom connector is expected to supply the process with the attributes specific to the attestation (e.g., username, user IBAN, ...).
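The following is an added simulation of steps 2 to 9 and of the revocation status list described under Issued Attestation Management; it is example code, not part of the DIW Gateway product. It assumes the OpenID4VCI pre-authorized code grant, a constructed issuer URL and credential configuration id, a simulated key-binding proof that carries the wallet's public JWK directly, and a status list modelled on the Token Status List bitstring layout (zlib-deflated, base64url, one bit per attestation, lowest index in the least significant bit). Signing is omitted; the simulated issuer returns the unsigned attestation payload.

```python
import base64, secrets, time, zlib

PRE_AUTH = "urn:ietf:params:oauth:grant-type:pre-authorized_code"
CONFIG_ID = "sua_attestation"  # constructed credential_configuration_id

class Issuer:
    """Simulated DIW Issuer plus OpenID4VCI Connector: offer, token, credential, status list."""
    def __init__(self, url="https://issuer.example/oid4vci"):  # hypothetical issuer URL
        self.url, self.codes, self.tokens = url, {}, {}
        self.status = bytearray()  # one bit per issued attestation, 1 = revoked
        self.log = []              # complete record of issued attestations

    def credential_offer(self, user_data, ttl=300):
        """Steps 2-4: Credential Offer carrying a one-time, short-lived pre-authorized code."""
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"data": user_data, "exp": time.time() + ttl}
        return {"credential_issuer": self.url, "credential_configuration_ids": [CONFIG_ID],
                "grants": {PRE_AUTH: {"pre-authorized_code": code}}}

    def token(self, grant_type, code):
        """Step 5: exchange the code for an access token; replay or expiry yields invalid_grant."""
        entry = self.codes.pop(code, None)  # pop: the code can only be redeemed once
        if grant_type != PRE_AUTH or entry is None or entry["exp"] < time.time():
            return {"error": "invalid_grant"}
        tok = secrets.token_urlsafe(32)
        self.tokens[tok] = entry["data"]
        return {"access_token": tok, "token_type": "bearer"}

    def credential(self, bearer, request):
        """Steps 6-9: bind the attestation to the wallet key (cnf) and assign a status-list index."""
        data = self.tokens.pop(bearer, None)
        if data is None or request.get("credential_configuration_id") != CONFIG_ID:
            return {"error": "invalid_token"}
        idx = len(self.log)
        if idx % 8 == 0:
            self.status.append(0)   # grow the bitstring by one byte every 8 attestations
        att = {"iss": self.url, "cnf": {"jwk": request["proof"]["jwk"]}, "claims": data,
               "status": {"status_list": {"idx": idx, "uri": self.url + "/status"}}}
        self.log.append(att)
        return {"credentials": [{"credential": att}]}

    def revoke(self, idx):
        """Management API: mark an issued attestation as revoked."""
        self.status[idx // 8] |= 1 << (idx % 8)

    def status_list(self):
        """Publish the bitstring status list, zlib-deflated and base64url-encoded."""
        return base64.urlsafe_b64encode(zlib.compress(bytes(self.status))).rstrip(b"=").decode()

def is_revoked(encoded, idx):
    """Relying Party side: decode the published list and test the attestation's bit."""
    raw = zlib.decompress(base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4)))
    return bool(raw[idx // 8] >> (idx % 8) & 1)
```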

Use Cases

  • Issuing SUA Attestation for Strong Customer Authentication use cases

Issuing Attestation to Wallet Unit

Apart from the SUA Attestation, which is a special-purpose attestation, the client can issue any data to the Wallet Unit. This can be used either in internal scenarios, as a predecessor to the scenario "requesting verifiable presentation from wallet unit", or for issuing data to external partners, for example in loyalty schemes or as bank confirmation of statements for authorities.

The core scenario steps are the same as in Issuing SUA attestation to Wallet Unit.

Use Cases

  1. Issuing attested data for a partner or sister organization.
  2. Issuing confirmations of bank statements.
  3. Issuing confirmations of used services for loyalty schemes.

Issued Attestation Management

The solution keeps a complete record of issued attestations and provides an API for their management, i.e., listing and revoking issued attestations. The revocation functionality also generates a status list so that Relying Parties can check the current status of a Verifiable Presentation.
