CEN/TR 17982:2023
European Digital Identity Wallets standards Gap Analysis
This document identifies relevant existing standards and standards work in progress around European Digital Identity Wallets. It also identifies missing work items and overlaps in standards and is supposed to work as a roadmap for future standardization projects in the area.
SLOVENIAN STANDARD
01 February 2024
European Digital Identity Wallets standards Gap Analysis
This Slovenian standard is identical to: CEN/TR 17982:2023
ICS:
35.030 IT Security
35.240.15 Identification cards. Chip cards. Biometrics
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.
CEN/TR 17982
TECHNICAL REPORT
RAPPORT TECHNIQUE
TECHNISCHER REPORT
September 2023
ICS 35.240.15; 35.030
English Version
European Digital Identity Wallets standards Gap Analysis
Analyse des écarts entre les standards existants et les exigences du portefeuille européen d'identité numérique
Analyse von europäischen Normungsbedarfen für digitale Identitätsbrieftaschen
This Technical Report was approved by CEN on 14 August 2023. It has been drawn up by the Technical Committee CEN/TC 224.
CEN members are the national standards bodies of Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia,
Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway,
Poland, Portugal, Republic of North Macedonia, Romania, Serbia, Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and
United Kingdom.
EUROPEAN COMMITTEE FOR STANDARDIZATION
COMITÉ EUROPÉEN DE NORMALISATION
EUROPÄISCHES KOMITEE FÜR NORMUNG
CEN-CENELEC Management Centre: Rue de la Science 23, B-1040 Brussels
© 2023 CEN All rights of exploitation in any form and by any means reserved worldwide for CEN national Members.
Ref. No. CEN/TR 17982:2023 E
Contents
European foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Gap Analysis
Annex A (informative) Status of ISO/IEC 23220 series
Bibliography
European foreword
This document (CEN/TR 17982:2023) has been prepared by Technical Committee CEN/TC 224
“Personal identification, electronic signature and cards and their related systems and operations”, the
secretariat of which is held by AFNOR.
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
Introduction
The proposal of revision of the eIDAS regulation [1] introduces the concept of European Digital Identity
Wallet.
Throughout the proposal of regulation, numerous requirements are set forth regarding the Wallet, its
functionalities, the services it shall provide to the user, as well as the interactions with other entities
it shall support.
Interoperability and user experience of the Wallet are key factors for its uptake and for its wide use
and reach amongst the European population, so much so that the proposal of regulation also vests the
European Commission with the responsibility to define the technical specifications the Wallet shall meet
through implementing acts, which are legally binding. In that regard, standards are crucial.
This technical report aims at supporting the implementation of the Wallet as defined in the proposal of
regulation by:
• Identifying the articles and clauses in the proposal of regulation defining requirements that are
applicable to the Wallet;
• Identifying for each requirement listed above (1) the available standards or standards under
preparation that could be used or considered, as well as their scope of application, and (2) the
missing standards (named “Missing Standard” in the document), which may require starting
standardization activities;
• Proposing suggestions for standards under preparation so that they fully meet the requirements
listed above (named “Recommendation” in the document).
In that regard, this technical report may be useful to several stakeholders:
• The European Commission, which could use this technical report as a guide when preparing
implementing acts for the implementation of the Wallet;
• Authorities willing to issue a Wallet or entities willing to provide a Wallet, which could use it to
easily identify available standards that they could leverage to implement, use or interact with the
Wallet;
• Standardization Organisations, which could use it to easily identify standardization gaps where they
could contribute by preparing standards in accordance with their mandate and core competencies;
• The entity tasked by the European Commission with preparing the European Digital Identity
Wallet reference implementation;
• Pilot projects launched by the European Commission to build and realize use cases based on the
European Digital Identity Wallet.
The purpose of this document, which was started before the release of the Architecture Reference
Framework (ARF), is to map the legal text (here the proposal of revision of the eIDAS regulation [1]) to
available standards and identify possible gaps. Note that the proposal of revision of the eIDAS
regulation [1] is likely to be updated, as the legislative process was still ongoing at the time of
preparation of this document.
1 Scope
This document identifies relevant existing standards and standards work in progress which could
support implementation of the European Digital Identity Wallets. It also identifies missing work items
and overlaps in standards and is supposed to serve as a roadmap for future standardization projects in
the area. This document takes into account the gap analysis produced by TC224/WG17.
This document is based on the proposal of revision of the eIDAS regulation [1], which was the only
available text at the time this document was initiated.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
3.1
wallet
product and service that allows the user to store identity data and attributes linked to her/his identity,
to provide them to relying parties on request and to use them for authentication, online and offline; and
to create qualified electronic signatures and seals
Note 1 to entry: Adapted from Article 3(42) of [1].
4 Gap Analysis
Item: 1
Article: 3(42); 6a(3)b

Topic

“‘European Digital Identity Wallet’ is a product and service that allows the user to store identity data, credentials and attributes linked to her/his identity, to provide them to relying parties on request and to use them for authentication, online and offline, for a service in accordance with Article 6a; and to create qualified electronic signatures and seals”;
“European Digital Identity Wallets shall enable the user to:
(b) sign by means of qualified electronic signatures.”
This requirement may be achieved in several ways: either (1) the Wallet has the capacity to sign/seal by means of qualified electronic signature/seal – and thus is a QSCD, or (2) relies on an external but local qualified signature/seal creation device with which it interacts locally to create a qualified signature/seal or (3) relies on a remote qualified signature/seal creation device with which it interacts to create a qualified signature/seal.

Case 1: If the Wallet has the capacity to sign/seal by means of qualified electronic signature/seal:
The creation of qualified signature/seal is supported by a local secure hardware part of the Wallet, such as a SE, an eUICC, a TPM,….
The standard CEN/EN 419 212 prepared by the CEN/TC224 to support qualified signature/seal is relevant and should be considered with the following reservations:
• The device authentication protocols described in part 3 may not be applicable depending on the form factor (SE/eUICC.);
• The privacy protocols described in part 4 may not be relevant;
• The trust eServices described in part 5 may not be relevant;
Part 1 and part 2 seem to be the most relevant parts of this series.

Case 2: If the Wallet relies on an external but local qualified signature/seal creation device:
The creation of qualified signature/seal is supported by a local but external secure hardware such as an external token or an electronic identification document (e.g. national identity card).
The standard CEN/EN 419 212 prepared by the CEN/TC224 to support qualified signature/seal is relevant and should be considered with the following reservations:
• The device authentication protocols described in part 3 may not be applicable depending on the form factor;
• The privacy protocols described in part 4 may not be relevant;
• The trust eServices described in part 5 may not be relevant;
Part 1 and part 2 seem to be the most relevant parts of this series.
The following standards are available for the transport layer: ISO/IEC IS 7816-3, barcode capture, BLE, Wifi aware… These standards should be considered.
While the transport layer is standardized, the access to these services by the wallet application from the OS layer is not standardized and depends on the OS provider. Standardization is needed.
ISO/IEC IS 7816-15 allows the Wallet to use the QSCD by providing a harmonized description of its capacity, and thus allowing the discovery of the QSCD capacity by the Wallet.

Case 3: If the Wallet relies on a remote qualified signature/seal creation device:
The following standards are relevant:
• “Architectures and protocols for remote signature” by Cloud Signature Consortium (CSC) defining the architecture and protocols for interfacing each components needed for remote signing;
• ETSI TS 119 432 which defines interfaces and protocols between
...

Possible standards – for specific requirements

The following standards have been identified

If the Wallet has the capacity to sign/seal by means of qualified electronic signature/seal:
- CEN/EN 419 212-1 - Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services - Part 1: Introduction and common definitions
- CEN/EN 419 212-2 - Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services - Part 2: Signature and Seal Services

If the Wallet relies on an external but local qualified signature/seal creation device:
1/For applicative layer
- CEN/EN 419 212-1 - Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services - Part 1: Introduction and common definitions
- CEN/EN 419 212-2 - Application Interface for Secure Elements for Electronic Identification, Authentication and Trusted Services - Part 2: Signature and Seal Services
- ISO/IEC IS 7816-15 - Identification cards — Integrated circuit cards - Cryptographic information application
2/For the transport protocols to be used for the local communication between the Wallet and the QSCD:
- ISO/IEC IS 7816-3 - Identification cards — Integrated circuit cards - Cards with contacts — Electrical interface and transmission protocols
- ISO/IEC IS 18004 - QR Code bar code symbology specification
- ISO/IEC IS 24778 - Aztec Code bar code symbology specification
- ISO/IEC IS 16022 - Data Matrix bar code symbology specification
- ISO/IEC IS 23634 (DIS) - JAB Code polychrome bar code symbology specification
- ISO/IEC IS 18092 – Near Field communication
- ETSI/EN 302190 - Near Field Communication
- USB specifications as defined by the USB forum
Note: This list is not exhaustive. Additional standards and protocols may exist, or change in the future.

If the Wallet relies on a remote qualified signature/seal creation device:
- CEN/EN 419 241-1 - Trustworthy Systems Supporting Server Signing - Part 1: General System Security Requirements
- ETSI TS 119 462 - Electronic Signatures and Infrastructures (ESI); Protocols for remote digital signature creation (relying on “Architectures and protocols for remote signature” v1.0.3 by Cloud Signature Consortium);
- “Architectures and protocols for remote signature” v1.0.4 by Cloud Signature Consortium (CSC) (https://cloudsignatureconsortium.org/wp-content/uploads/2020/01/CSC_API_V1_1.0.4.0.pdf);

For the provisioning of signature/seal qualified certificate:
- WI “Electronic Signatures and Infrastructures (ESI); Wallet interfaces for trust services and signing” (DTS/ESI-0019462 (TS) https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=63566)