[Openid-specs-ab] SIOP call 2022-June-9

Torsten Lodderstedt torsten at lodderstedt.net
Thu Jun 9 19:04:46 UTC 2022


Thanks for sharing. 

I would like to understand whether "two certified EUDI Wallets" in this statement refer to two different implementations/service providers or just two different instances for different users. I assume the latter since the former does not have privacy implications.

best regards,
Torsten. 

> Am 09.06.2022 um 20:36 schrieb David Chadwick via Openid-specs-ab <openid-specs-ab at lists.openid.net>:
> 
> During today's call I asserted that the EU Digital Identity Wallet should be able to prove to an RP that it is certified without revealing its identity or who the software provider is. I was asked to find a reference to this. It is on page 26 of "European Digital Identity Architecture and Reference Framework" available here: 
> 
> https://cloud.eid.as/index.php/s/DQ5aRjyzJDNKXpW
> Here is the relevant text
> 
> "In addition, the mechanism for relying parties to verify whether a EUDI Wallet used is genuine and certified, shall not enable the relying party to distinguish between two certified EUDI Wallets, in order to preserve the privacy of the user when performing pseudonymous authentication." 
> 
> This could be implemented using traditional asymmetric crypto, in which each EUDI wallet is issued its own VC, stating that it is a certified wallet, issued by the EUDI certification authority, in which the subject ID is the public key of the wallet. There would be no information to indicate who the wallet provider is, or who the wallet holder is. However, this certificate, if long lived, would then be a correlating handle, so by issuing transient short lived VCs to the wallet each time an RP requires assurance, the public key would change every time thereby removing the ability to correlate the certifying VCs.
> 
> Kind regards
> 
> David
> 

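The short-lived, key-rotating certification attestation sketched in the quoted message above, worked through as an added Go example (constructed for this page; it is not code from either participant or from the EUDI framework, and the attestation layout, the function names and the proof-of-possession nonce are assumptions): the certification authority signs only a fresh wallet public key plus an expiry, the RP verifies the CA signature and possession of that key, and reusing one attestation across sessions is shown to be the correlating handle the thread warns about.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"time"
)

// Attestation is a hypothetical minimal "certified wallet" credential: the CA
// signs only the wallet's public key and an expiry, so it carries no field
// identifying the wallet provider or the holder.
type Attestation struct {
	WalletPub ed25519.PublicKey
	NotAfter  int64 // Unix seconds
	Sig       []byte
}

func signedBytes(pub ed25519.PublicKey, notAfter int64) []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(notAfter))
	return append(append([]byte{}, pub...), buf...)
}

// Issue mints a fresh wallet key pair and a short-lived CA attestation over it.
// Calling it once per RP interaction is what makes sessions unlinkable.
func Issue(caPriv ed25519.PrivateKey, now time.Time, ttl time.Duration) (Attestation, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	notAfter := now.Add(ttl).Unix()
	return Attestation{pub, notAfter, ed25519.Sign(caPriv, signedBytes(pub, notAfter))}, priv
}

// Verify is the RP side: reject expired or malformed attestations, check the CA
// signature, then check proof of possession of the attested key over the RP's nonce.
func Verify(caPub ed25519.PublicKey, a Attestation, now time.Time, nonce, pop []byte) bool {
	if now.Unix() > a.NotAfter || len(a.WalletPub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(caPub, signedBytes(a.WalletPub, a.NotAfter), a.Sig) &&
		ed25519.Verify(a.WalletPub, nonce, pop)
}

// Linkable reports whether two presentations expose the same correlating handle
// (the same attested key), which is what a long-lived attestation would do.
func Linkable(a, b Attestation) bool { return a.WalletPub.Equal(b.WalletPub) }
```

Nothing in the attestation names the provider, so an RP that sees two presentations can tie them together only if the same attested key appears twice.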