Demystifying the EUDI ARF part one: Towards common credential issuance with OpenID4VCI
MATTR • Mar 30, 2023 • 16 min read
It’s clear that both people and organisations need better tools to allow consent-driven sharing of identity and entitlement information. These tools should work seamlessly in our daily lives. That means we need digital trust technology that is simple and convenient to use. The claims we make using these tools must be verifiable, and the whole system should be designed to support data minimisation, privacy, confidence and interoperability.
What does the future of digital trust look like?
The European Union has traditionally taken a proactive stance on privacy rights, as evidenced by the General Data Protection Regulation (GDPR). In recent weeks, the European Commission's eIDAS expert group has introduced its own set of preliminary specifications to support its vision for a key piece of any digital trust infrastructure: digital wallets.
The specifications are laid out in the European Digital Identity Architecture and Reference Framework (EUDI ARF), which defines a set of standards for the credential formats that EU member state wallets will support. Whilst a number of these standards are still evolving, the framework sets out a direction that implementors can work towards.
As your trusted partner in the evolving world of digital trust, MATTR is here to demystify what’s suggested in the EUDI ARF and the standards it builds upon.
Our decentralised identity and verifiable data platforms and products are based on these open standards. In fact, we started working in the global standards community groups before we started building our products. Today, we are always working to ensure our product evolves in line with the developing standards landscape, so you can be sure your MATTR solution is future-fit.
In part one of our Demystifying the EUDI ARF series, we’ll discuss:
- An introduction to the EUDI ARF
- Credential configurations within the EUDI ARF
- Global standards within this framework and beyond
- Working towards common issuance and verification protocols: What is OpenID4VCI
- How OpenID4VCI is allowing world-class credential provisioning within MATTR products
In part two of the paper, we will go into more depth on the types of credential formats laid out in the EUDI ARF for individual credential configurations, and the standards they are built upon. We’ll also introduce MATTR’s Credential Profiles and explain how we’re making it easy to keep up with these standards as they evolve.
What is the European Digital Identity Architecture Reference Framework (EUDI ARF)?
Many governments and regulatory bodies are starting to produce guidance on digital identity technology and services as the industry grows, and the European Commission is among these.
Early this year, the eIDAS expert group composed a framework referencing existing standards and practices to enable common tooling and best practice for the EUDI Wallet Solution. With EU member states combining to form a large market, any regulations that could come out of the region have the potential to significantly influence digital wallets everywhere.
Their first published reference document, titled the Architecture Reference Framework (ARF), focuses on defining the key aspects of the digital wallet ecosystem needed to enable wallets to work together, or be interoperable, on a broad level across different regions and countries. For now, nothing is set in stone, but the document is still a major milestone in signalling what’s to come for digital identity and wallets.
The framework covers topics such as:
- The different roles in the ecosystem
- The types of data exchanged
- How the data is secured
- What standards and formats the data adheres to
- The protocols used to exchange that data
Defining digital credential configurations in the EUDI ARF
The promise, and the challenge, with a document like this is to support a wide range of business use cases with differing requirements. The types of information and security practices needed for different cases are not one-size-fits-all. And, as is typical while new technologies are built and moulded, there are currently multiple ways to generate a digital credential, each with its own benefits and considerations.
For example, different credential formats support different things like:
- selective disclosure of information
- digital or in-person presentations
- including things like biometrics to enable higher levels of identity assurance
- varying cryptographic schemes for different levels of security and privacy
The EUDI ARF defines two classes of data that are relevant to the EU ecosystem: Person Identification Data (PID) and Qualified Electronic Attestations of Attributes (QEAA). We can think of PIDs as “core identity documents”. The QEAA class encompasses credentials from both “trusted issuers” and “non-trusted issuers”; in EUDI parlance these are called “qualified” and “unqualified”, respectively.
In general, the framework recommends support for two types of credential configurations, which each map roughly to the two classes of data identified above:
- Type 1: For credentials where the relying party, or verifier, needs a high Level of Assurance (LoA), i.e., where PID is required to ensure authenticity.
- Type 2: Designed to enable flexibility and additional feature support for credentials that Type 1 configurations cannot meet. This type would work best for cases where QEAA is enough to ensure validity, without the need for PID.
How are internet standards informing and responding to the EUDI ARF?
Digital technologies are often developed as a group effort to ensure that they can work together; this is the basis of interoperability on the web. To enable this, global standards organisations exist to bring together those working on these technologies to collaborate.
The EUDI framework builds on top of existing specifications and standards which have been developed at organizations such as the World Wide Web Consortium (W3C), OpenID Foundation (OIDF), Internet Engineering Task Force (IETF) and International Organization for Standardization (ISO). The framework also recommends specific standards or credential configurations that should underpin each of the credential types listed above.
The team at MATTR has been fortunate to work alongside other players in the industry as part of these standards communities. We have co-authored and contributed to building standards for formats, protocols and cryptographic schemes for digital and verifiable credentials, many of which have gained increased market convergence and are recommended in the EUDI ARF. Because of this, MATTR products are well-equipped to help you meet requirements based on these standards.
MATTR’s work in the standards community
A few ways we have worked closely with the standards emerging as part of the EUDI ARF:
- We’re members of the W3C and have been early adopters and contributors to the Verifiable Credentials data model, which achieved an official W3C recommendation in 2019. Read the W3C Verifiable Credentials standard.
- We’ve been working closely with members of the IETF to drive the standardisation of JOSE-based proof formats (i.e., JWP and SD-JWT) that build on these well-established standards to enable new, desirable features such as selective disclosure.
- We have been developing standards at the OIDF to enable credential issuance and verification. We are authors on both the OpenID4VCI issuance protocol as well as the OpenID4VP verification protocol, both of which are currently in draft form.
- We have been working within ISO to ensure that OpenID4VCI can serve as a standardised issuance mechanism for mDLs and mDocs, effectively enabling a common provisioning layer that works across different formats. We’ll talk more about this in part two.
As the technology evolves, there are always trade-offs to enable a successful ecosystem. At MATTR, we have and will continue to invest in the standards that create the best possible outcomes for people, meet emerging government recommendations and match the needs of our customers.
Towards common credential issuance and verification in the EUDI ARF: What is OpenID4VCI?
In addition to recommending credential “types” or configurations, the ARF also defines a standardised issuance and verification protocol for exchanging credentials within the ecosystem. At this stage, these are primarily defined for only the Type 1 configuration, which will effectively be for high-assurance identity credentials such as ones issued by a governmental authority.
The standard defined in the framework for issuance is OpenID for Verifiable Credential Issuance, or OpenID4VCI for short. We have been working to implement the OpenID4VCI protocol on the MATTR VII platform and are thrilled to see it become the recommended protocol within EUDI Wallet documentation.
In MATTR’s view, the OpenID4VCI protocol has many benefits including allowing more native support of credentials within platforms and simpler and smoother issuance to digital wallets.
In 2020, when we first launched the preview version of our MATTR VII platform, we needed a way to implement credential issuance that worked with the types of systems our customers already had. We initially used the OpenID standards and existing infrastructure like the OpenID Connect authentication protocol to issue credentials. We authored a spec called “OIDC Credential Provider”, which we’ve continued to support and evolve since.
The OpenID4VCI protocol is the next evolution of credential issuance using OpenID and we are proud to have played a part in this evolution and to now join a growing chorus of implementers across both the OIDF as well as the ISO working groups that are aiming to support the protocol.
This kind of market convergence doesn’t come easily, and it represents the efforts of many organisations and people working together to make difficult decisions. We think that OpenID4VCI is exciting because its design enables us to abstract away the complexity resulting from supporting the various credential formats that are competing in the market. This kind of architecture doesn’t privilege one community over another, it creates a common playground that will allow for different credential formats to co-exist and evolve together.
NOTE: The ARF also defines two types of attestation exchange protocols for credential presentation and verification. For the “proximity flow”, which is intended for in-person style presentations, the ARF recommends the presentation protocol defined by ISO 18013-5. For remote flows, it recommends the OpenID4VP protocol being developed at the OIDF. This is the counterpart to the OpenID4VCI specification, and we are co-authors on this standard as well.
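To make the issuance protocol discussed above concrete, here is an added example of my own (not MATTR's code and not taken from the OpenID4VCI specification text) that simulates the core of an OpenID4VCI issuance in Go: the issuer hands the wallet an access token and a `c_nonce`, the wallet answers with an ES256-signed proof-of-possession JWT carrying its public key, and the issuer verifies the signature, audience and nonce before binding the credential to that key. The issuer URL, the JSON field names and the `typ` value are assumptions based on my reading of the drafts, the HTTP transport and the authorization step are collapsed into plain function calls, and the "credential" returned is a placeholder string rather than a credential in any of the formats the ARF lists.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

var b64 = base64.RawURLEncoding // JSON field names and typ below follow the OpenID4VCI drafts as I read them (assumptions)
func random() string          { b := make([]byte, 16); rand.Read(b); return b64.EncodeToString(b) }
func pad32(n *big.Int) []byte { return n.FillBytes(make([]byte, 32)) }

type jwk struct {
	Kty string `json:"kty"`
	Crv string `json:"crv"`
	X   string `json:"x"`
	Y   string `json:"y"`
}
type proofHeader struct {
	Alg string `json:"alg"`
	Typ string `json:"typ"`
	Jwk jwk    `json:"jwk"`
}
type proofClaims struct {
	Aud   string `json:"aud"`
	Nonce string `json:"nonce"`
}

// Wallet holds the key the issued credential will be bound to.
type Wallet struct{ key *ecdsa.PrivateKey }
func NewWallet() *Wallet { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return &Wallet{key: k} }

// ProofJWT is the ES256-signed proof of possession the wallet attaches to its credential request.
func (w *Wallet) ProofJWT(aud, nonce string) string {
	h, _ := json.Marshal(proofHeader{Alg: "ES256", Typ: "openid4vci-proof+jwt", Jwk: jwk{Kty: "EC",
		Crv: "P-256", X: b64.EncodeToString(pad32(w.key.X)), Y: b64.EncodeToString(pad32(w.key.Y))}})
	c, _ := json.Marshal(proofClaims{Aud: aud, Nonce: nonce})
	input := b64.EncodeToString(h) + "." + b64.EncodeToString(c)
	digest := sha256.Sum256([]byte(input))
	r, s, _ := ecdsa.Sign(rand.Reader, w.key, digest[:])
	return input + "." + b64.EncodeToString(append(pad32(r), pad32(s)...))
}

// Issuer simulates the server side; the authorization step (authorization code or pre-authorized code grant) is collapsed into Token().
type Issuer struct {
	URL    string
	nonces map[string]string // access token -> c_nonce the next proof must carry
}
func NewIssuer(url string) *Issuer { return &Issuer{URL: url, nonces: map[string]string{}} }

// Token hands out an access token together with a fresh c_nonce.
func (i *Issuer) Token() (token, cNonce string) {
	token, cNonce = random(), random()
	i.nonces[token] = cNonce
	return
}

// Credential verifies the proof and returns a placeholder credential bound to the proven key (signing a real credential format is out of scope).
func (i *Issuer) Credential(token, proof string) (string, error) {
	expected, ok := i.nonces[token]
	parts := strings.Split(proof, ".")
	if !ok || len(parts) != 3 {
		return "", errors.New("invalid access token or malformed proof")
	}
	var hdr, claims = proofHeader{}, proofClaims{}
	hb, _ := b64.DecodeString(parts[0])
	cb, _ := b64.DecodeString(parts[1])
	sig, _ := b64.DecodeString(parts[2])
	if json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(cb, &claims) != nil || len(sig) != 64 ||
		hdr.Alg != "ES256" || hdr.Typ != "openid4vci-proof+jwt" || hdr.Jwk.Crv != "P-256" {
		return "", errors.New("malformed or unsupported proof")
	}
	xb, _ := b64.DecodeString(hdr.Jwk.X)
	yb, _ := b64.DecodeString(hdr.Jwk.Y)
	pub := &ecdsa.PublicKey{Curve: elliptic.P256(), X: new(big.Int).SetBytes(xb), Y: new(big.Int).SetBytes(yb)}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1])) // JWS signing input
	if !pub.Curve.IsOnCurve(pub.X, pub.Y) || !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return "", errors.New("proof signature invalid")
	}
	// Binding checks: the proof must be addressed to this issuer and carry the c_nonce we handed out.
	if claims.Aud != i.URL || claims.Nonce != expected {
		return "", errors.New("proof audience or c_nonce mismatch (misdirected, stale or replayed proof)")
	}
	delete(i.nonces, token) // each c_nonce is accepted once
	return "credential bound to key " + hdr.Jwk.X, nil
}

func main() {
	issuer, wallet := NewIssuer("https://issuer.example"), NewWallet()
	token, nonce := issuer.Token()
	fmt.Println(issuer.Credential(token, wallet.ProofJWT(issuer.URL, nonce)))
}
```

Running `main` prints the placeholder credential and a nil error. The security-relevant part is the issuer side: a proof whose signature does not verify under the key in its own header, whose `aud` names a different issuer, or whose `nonce` is not the `c_nonce` this issuer handed out for that access token is rejected, which is what ties the issued credential to a key the wallet actually controls rather than to whoever holds the access token. A production issuer would additionally check the proof's `iat` freshness, apply its own policy on which wallets it trusts, and sign the credential in the agreed format; none of that is shown here.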
Beyond conformance: Meeting the market where it is
Beyond creating products that are interoperable and meet compliance and regulatory needs, we know that any new technology needs to be simple and user-friendly to foster adoption by the masses. Our roadmap is focused on supporting multiple credential technologies and on making them easy to use. The OpenID4VCI protocol is leading the charge in allowing the issuance of multiple credential types and we have built several features on top of it that go beyond conformance to truly bring this technology to life.
Our latest platform updates, available early April, include a raft of features that make working with Verifiable Credentials easier:
- We’ve simplified the process of configuring a credential, allowing you to set up an authentication provider and configure claims all in the same place.
- We’ve added the ability to pull data from different sources to issue credentials, which allows issuers to retrieve claims from the databases and sources where they already exist. This provides a greater level of flexibility for credential issuers and allows for easier integration into existing systems.
- We now support the ability to issue multiple credentials to a wallet holder within a single journey or flow. This is just the start, with support for other credential profiles within our products on the horizon.
- We’ve realized that issuers frequently need a way to add their own custom logic to the credential issuance journey. To support this, we’ve added a feature we call “interaction hooks” that allows the issuer to redirect the wallet holder to their webpage in order to do things such as additional biometric checks, identity assurance flows, user record matching and more!
We’re excited about these improvements, and we have more future updates on our roadmap that will continue to make it easy for businesses and people to use this technology in a transformational way.
What’s coming in part two: Deep dive into credential configurations
In part two of our series, The future of digital trust, we will dig deeper into the specific credential configurations recommended in the EUDI ARF and how MATTR uses Credential Profiles to make it easy to interact with this technology.
Read part two of the series now, where we expand on the credential configurations laid out in the EUDI ARF and introduce MATTR's Credential Profiles.