[OpenID-Specs-eKYC-IDA] EC Consultation on eIDAS

[Torsten Lodderstedt]

Hi all,

the European Commission runs a public consultation on the planned update to the eIDAS regulation. 

https://ec.europa.eu/info/law/better-regulation/have-your-say/initiatives/12528-EU-digital-ID-scheme-for-online-transactions-across-Europe

I suggest to comment on the proposal and roadmap before Sept 3rd.

I drafted a text proposal that you will find below. Please comment and indicate your support. 

best regards,
Torsten. 

----------------------

The eKCY and Identity Assurance Working group of the OpenID Foundation welcomes the proposal of the Commission to extend the scope of eIDAS trust services by introducing a new trust service for identification, authentication and for the provision of attributes, credentials and attestations and allowing the provision of identification for devices  This will allow companies operating identity solutions to contribute to securing digital transactions across the EU. 

The eKYC and Identity Working Group is a dedicated working group of the OpenID Foundation (the technical standardisation body specifying OpenID Connect and accompanying extensions) focusing on use cases and extensions to OpenID Connect for strong identity assurance (https://openid.net/wg/ekyc-ida/). 

Most commercial identity providers built their solutions on OpenID Connect, billions of transactions are performed every day using OpenID Connect. A significant number of those identity providers, e.g. financial institutions or telecommunications operators, are also able to assert digital identities on a level comparable to eIDAS trust levels substantial or high. In order to leverage the respective digital identities for the EU Single Market, we recommend the commission to endorse OpenID Connect beside SAML (which was already endorsed under Implementing Act 2015/1501) as a technical standard for eIDAS. 

We also know that most commercial identity providers provide a mixture of attributes maintained according to different trust frameworks and at different trust levels (just think of name vs eMail address) and even self asserted attributes for the same identity. Technical standards utilised to implement the updated eIDAS regulation should consider and support such use cases (https://www.slideshare.net/TorstenLodderstedt/identity-assurance-with-openid-connect). 

The commission might also want to consider use cases where the digital identity of EU citizens is used beyond the boundaries of the EU. This also calls for dedicated representation of metadata about sources, validation process, and trust level embedded in the technical standard for attribute provisioning in order to allow the relying party to process identity data in a robust fashion. 

Since the consultation paper mentions block chain based identity solutions, we would like to point out that technical diversity in implementations is of utmost importance for innovations. However, adoption across member states and services requires technical interoperability. That’s why there is also work under way to provide a bridge between blockchain based identity solutions and relying parties via the mature and simple to integrate OpenID Connect standard. 

As subject matter experts in digital identity we are thrilled with the direction eIDAS is taking and offer our advice in the course of targeted stakeholder interviews.