Does an EUDI Wallet only support LoA High?

[sander]

I heard various answers of this question. Let’s see if we can get to a common one.

[sander]

My interpretation: the concept of LoA only applies to e-identification means containing PID, such as a valid EUDIW unit. The Regulation requires this LoA to be High. That means the EUDIW unit must at least have one WSCA with an authentication mechanism meeting LoA High requirements.

The unit may also have other WSCAs, including ones that don’t meet LoA High requirements, but for example LoA Substantial. Presence of such WSCAs does not render the EUDIW unit an e-identification means at LoA Substantial by itself. Only if a PID Provider also issues PID to this WSCA under some e-identification scheme, the EUDIW unit may be considered to have LoA Substantial under that scheme.

An EAA, QEAA or PuB-EAA does not have a LoA. It may be bound to a WSCA with an authentication mechanisms meeting certain LoA requirements. The overall assurance of the attestation is also determined by other factors.

If the EAA, QEAA or PuB-EAA is recognised as PID within some e-identification scheme, the EUDIW unit containing it may be considered to have that LoA under that scheme. In order for the scheme to operate under the EUDI trust framework, the Attestation Provider would then also need to meet the requirements to PID Providers. In ARF 1.4 it does not seem possible for a valid EUDIW unit to also contain PID for LoA Substantial this way, for the same reason as not supporting PID from multiple Member States: the unit lifecycle seems to take only a single PID set into account.

So for example, a valid EUDIW unit could contain:

• a PID set bound to the high-assurance WSCA (making it a valid EUDIW unit)
• another PID set bound to another high-assurance WSCA, as long as it’s the same PID from the same PID Provider (for example for high availability)
• QEAA bound to the same high-assurance WSCA
• QEAA bound to some lower-assurance WSCA (for example for quick daily use)

And it could not at the same time contain:

• PID bound to some lower-assurance WSCA
• PID issued by another PID Provider

[ivanek666]

Hi Sander,

Article 5a, point 24 says "The Commission shall, by means of implementing acts, establish a list of reference standards and, where necessary, establish specifications and procedures in order to facilitate the onboarding of users to the European Digital Identity Wallet either by electronic identification means conforming to assurance level high or by electronic identification means conforming to assurance level substantial in conjunction with additional remote onboarding procedures that together meet the requirements of assurance level high."

As I understand the text, "onboarding of users" means having a valid EUDIW unit with a valid PID with LoA High or Substantial with additional remote onboarding procedures.

What I'm missing at the moment is some clues as to what are these "additional onboarding procedures", as I'm not seeing it on the ARF roadmap nor announced Implementing Acts.

Can we get any clarification regarding that? Or at least having it on the roadmap. @david-bakker

[sander]

Example specifications of such additional onboarding procedures are in ETSI TS 119 461 v2.1.1 § 9.5.

[david-bakker]

In addition to the specification mentioned by Sander, there is also

• WD prCEN/TS 18098 Guidelines for the PID onboarding

[ivanek666]

Thank you both for directions, but unfortunately prCEN/TS 18098 is not yet available for public.

Basically by ETSI TS 119 461, the only viable way is to use NFC reader to read the data from the ICAO9303 passport or idcard, use data to doublecheck the identity and use the photo for a liveness check.