ETSI TS 119 478 V1.1.1 (2026-01)

TECHNICAL SPECIFICATION
Electronic Signatures and Trust Infrastructures (ESI);
Specification of interfaces related to Authentic Sources

2 ETSI TS 119 478 V1.1.1 (2026-01)

Reference
DTS/ESI-0019478
Keywords
API, authentication, authorization, EUDI Wallet,
smart interface
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from the
ETSI Search & Browse Standards application.
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format on ETSI deliver repository.
Users should be aware that the present document may be revised or have its status changed,
this information is available in the Milestones listing.
If you find errors in the present document, please send your comments to
the relevant service listed under Committee Support Staff.
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure (CVD) program.
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
No representation or warranty is made that this deliverable is technically accurate or sufficient or conforms to any law
and/or governmental rule and/or regulation and further, no representation or warranty is made of merchantability or fitness
for any particular purpose or against infringement of intellectual property rights.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2026.
All rights reserved.
ETSI
3 ETSI TS 119 478 V1.1.1 (2026-01)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
Executive summary . 5
1 Scope . 6
2 References . 7
2.1 Normative references . 7
2.2 Informative references . 8
3 Definition of terms, symbols, abbreviations and notation . 10
3.1 Terms . 10
3.2 Symbols . 13
3.3 Abbreviations . 14
3.4 Notation . 14
4 System Architecture . 15
4.1 Overview . 15
4.2 Common Services. 15
4.3 Authentic Source . 16
4.4 Authorization Server . 16
4.5 User . 17
4.6 Trust Service Providers . 17
5 Discover Interface . 18
5.1 I1 (Discover) . 18
5.2 Find Attributes (search) . 18
5.2.1 Overview and example for search . 18
5.2.2 Input parameters for search . 18
5.2.3 Output parameters for search . 20
5.3 Find Data Services for Attributes (retrieve) . 21
5.3.1 Overview and example for retrieve . 21
5.3.2 Input parameters for retrieve . 21
5.3.3 Output parameters for retrieve . 22
5.4 Use of HTTP and response format selection . 24
6 Authentic Source Interface . 24
6.1 Authentic Source Interface based on HTTP / OAuth . 24
6.1.1 I2 (Verify) . 24
6.1.1.1 Verify Request . 24
6.1.1.2 Verify Response . 26
6.1.2 I3 (Retrieve) . 28
6.1.2.1 Retrieve Request . 28
6.1.2.2 Retrieve Response . 29
6.1.3 I4 (Authorize) . 29
6.1.3.1 Overview and general requirements . 29
6.1.3.2 Dynamic Client Registration (IETF RFC 7591) . 30
6.1.3.3 Authorization Code Flow (IETF RFC 6749) . 31
6.1.3.4 Security considerations for the Authorization Server . 33
6.2 Authentic Source Interface based on ISO 15000 . 33
6.2.1 Overview . 33
6.2.2 Protocol Binding . 34
6.2.3 I2 (Verify) . 34
6.2.3.1 Verify Request . 34
6.2.3.2 Verify Response . 37
6.2.3.2.1 Successful Verify Response . 37
6.2.3.2.2 Failure Error Response . 40
ETSI
4 ETSI TS 119 478 V1.1.1 (2026-01)
6.2.3.2.3 Deferred Response . 41
6.2.4 I3 (Retrieve) . 41
6.2.4.1 Overview . 41
6.2.4.2 Retrieve Request . 42
6.2.4.3 Retrieve Response . 43
6.2.4.3.1 Successful Retrieve Response . 43
6.2.4.3.2 Failure Error Response . 44
6.2.4.3.3 Deferred Response . 44
Annex A (normative): OpenAPI Specification for Discover Interface . 45
Annex B (normative): OpenAPI Specification for Authentic Source Interface . 46
Annex C (normative): XML-Schemata for PID and RIM binding . 47
C.1 General . 47
C.2 Person Identification Data (PID) schema . 47
C.3 Interface Details schema . 47
C.4 Interface Details RIM Binding schema . 47
Annex D (informative): XML-Examples . 48
History . 49

ETSI
5 ETSI TS 119 478 V1.1.1 (2026-01)
Intellectual Property Rights
Essential patents
IPRs essential or potentially essential to normative deliverables may have been declared to ETSI. The declarations
pertaining to these essential IPRs, if any, are publicly available for ETSI members and non-members, and can be
found in ETSI SR 000 314: "Intellectual Property Rights (IPRs); Essential, or potentially Essential, IPRs notified to
ETSI in respect of ETSI standards", which is available from the ETSI Secretariat. Latest updates are available on the
ETSI IPR online database.
Pursuant to the ETSI Directives including the ETSI IPR Policy, no investigation regarding the essentiality of IPRs,
including IPR searches, has been carried out by ETSI. No guarantee can be given as to the existence of other IPRs not
referenced in ETSI SR 000 314 (or the updates on the ETSI Web server) which are, or may be, or may become,
essential to the present document.
Trademarks
The present document may include trademarks and/or tradenames which are asserted and/or registered by their owners.
ETSI claims no ownership of these except for any which are indicated as being the property of ETSI, and conveys no
right to use or reproduce any trademark and/or tradename. Mention of those trademarks in the present document does
not constitute an endorsement by ETSI of products, services or organizations associated with those trademarks.
DECT™, PLUGTESTS™, UMTS™ and the ETSI logo are trademarks of ETSI registered for the benefit of its
Members. 3GPP™, LTE™ and 5G™ logo are trademarks of ETSI registered for the benefit of its Members and of the
3GPP Organizational Partners. oneM2M™ logo is a trademark of ETSI registered for the benefit of its Members and of ®
the oneM2M Partners. GSM and the GSM logo are trademarks registered and owned by the GSM Association.
Foreword
This Technical Specification (TS) has been produced by ETSI Technical Committee Electronic Signatures and Trust
Infrastructures (ESI).
Modal verbs terminology
In the present document "shall", "shall not", "should", "should not", "may", "need not", "will", "will not", "can" and
"cannot" are to be interpreted as described in clause 3.2 of the ETSI Drafting Rules (Verbal forms for the expression of
provisions).
"must" and "must not" are NOT allowed in ETSI deliverables except when used in direct citation.
Executive summary
Article 45e of the amended eIDAS-Regulation (EU) No 910/2014 [i.33] obliges the EU Member States to ensure from
24 December 2026 onwards, that qualified trust service providers are able to verify at least the attributes listed
Annex VI of the regulation, wherever those attributes rely on authentic sources within the public sector, at the request of
the user. The present document specifies the interface for this purpose.
Furthermore, the present document also specifies a second interface, which allows to retrieve additional attributes of the
user upon request, if supported by the involved authentic sources.
The present document specifies the necessary technical framework for the required access of the involved authentic
sources, which includes architectures, components, interfaces, protocols and data structures.

ETSI
6 ETSI TS 119 478 V1.1.1 (2026-01)
1 Scope
Article 45e of the amended eIDAS-Regulation (EU) No 910/2014 [i.33] obliges the EU Member States to ensure until
24 December 2026, that qualified trust service providers are able to verify at least the attributes listed Annex VI of the
Regulation, wherever those attributes rely on authentic sources within the public sector, at the request of the user.
Article 9 of CIR (EU) 2025/1569 [i.11] provides more information with respect to the verification mechanism, which
can involve single points of verification for the attributes listed in Annex VI. Such a verification access point receives
the attributes and the identification data of the subject of the attribute as input (see Article 9 (3) of [i.11]) and returns a
verification result, which exclusively states whether the attribute under consideration has been verified or not, and the
public sector body responsible for the authentic source or, where applicable, the public sector body designated to act on
behalf of the authentic source against which the attribute has been verified (see Article 9 (4) of [i.11]).
According to Article 10 (1) of CIR (EU) 2025/1569 [i.11], the "Member States may refer to and re-use the common
services of the technical system set out in Article 14 of regulation (EU) 2018/1724 [i.35], as well as the national
components connected to them". In a similar manner, according to Article 10 (2) of CIR (EU) 2025/1569 [i.11], "the
European Commission shall refer to and re-use, where appropriate, the common services of the technical system
pursuant to regulation (EU) 2018/1724 [i.35]". To be able to profit from the functionality of these services, the present
document introduces in clause 5 the Discover Interface, which allows to access the semantic repository and the data
services directory within the common services of the OOTS. The I1 (Discover) interface described in clause 5 is an
HTTP-based interface according to ISO 15000-3 [24], as profiled by the European Commission in [i.16]. Annex A of
the present document contains an OpenAPI specification [27] for this interface.
The present document specifies in clause 6 the Authentic Source Interface. The I2 (Verify) interface allows to verify
attributes against the content stored in an authentic source as requested in Article 45e of the amended
eIDAS-Regulation (EU) No 910/2014 [i.33]. In addition, an optional I3 (Retrieve) interface is specified, which allows
to retrieve attributes from an authentic source, or an intermediary acting on behalf the authentic source.
The Authentic Source Interface specified in the present document contains in clause 6.1 an HTTP-based Application
Programming Interface (API), which corresponding OpenAPI specification [27] is provided in Annex B of the present
document. Furthermore, the present document also specifies in clause 6.2 a second ISO 15000-based interface, which
utilizes the electronic delivery mechanisms according to ISO 15000-2 [23].
Moreover, according to Article 9 (5) of [i.11], the "Member States may impose access controls or other verification
mechanisms that provide integrity, authenticity, and confidentiality to determine that the requester is a qualified trust
service provider and is acting at the request of a legitimate user". For the HTTP-based API, clause 6.1.3 specifies such
an authorization mechanism based on the OAuth 2.0 authorization framework according to IETF RFC 6749 [6] and
related standards. For the ISO 15000-based interface, the qualified trust service status is verified and the trust service
provider is registered as client in advance, under procedures out of scope of the present specification. In this case the
evidence that the client is acting at the request of a legitimate user is also gathered before the request under procedures
out of scope of the present specification.
The present document specifies the necessary technical framework for the required access of the involved authentic
sources, which includes architectures, components, interfaces, protocols and data structures.
Note, that policy and security requirements for the involved resource service endpoints are beyond the scope of the
present document.
ETSI
7 ETSI TS 119 478 V1.1.1 (2026-01)
2 References
2.1 Normative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
Referenced documents which are not found to be publicly available in the expected location might be found in the
ETSI docbox.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long-term validity.
The following referenced documents are necessary for the application of the present document.
[1] IETF RFC 1738: "Uniform Resource Locators (URL)".
[2] IETF RFC 3986: "Uniform Resource Identifier (URI): Generic Syntax".
[3] IETF RFC 4648: "The Base16, Base32, and Base64 Data Encodings".
[4] IETF RFC 5141: "A Uniform Resource Name (URN) Namespace for the International
Organization for Standardization (ISO)".
[5] IETF RFC 5280: "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation
List (CRL) Profile".
[6] IETF RFC 6749: "The OAuth 2.0 Authorization Framework".
[7] IETF RFC 6819: "OAuth 2.0 Threat Model and Security Considerations".
[8] IETF RFC 6838: "Media Type Specifications and Registration Procedures".
[9] IETF RFC 7519: "JSON Web Token (JWT)".
[10] IETF RFC 7591: "OAuth 2.0 Dynamic Client Registration Protocol".
[11] IETF RFC 7636: "Proof Key for Code Exchange by OAuth Public Clients".
[12] IETF RFC 8259: "The JavaScript Object Notation (JSON) Data Interchange Format".
[13] IETF RFC 8705: "OAuth 2.0 Mutual-TLS Client Authentication and Certificate-Bound Access
Tokens".
[14] IETF RFC 9068: "JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens".
[15] IETF RFC 9110: "HTTP Semantics".
[16] IETF RFC 9449: "OAuth 2.0 Demonstrating Proof of Possession (DPoP)".
[17] IETF RFC 9535: "JSONPath: Query Expressions for JSON".
[18] IETF RFC 9562: "Universally Unique IDentifiers (UUIDs)".
[19] IETF RFC 9700: "Best Current Practice for OAuth 2.0 Security".
[20] ISO 639:2023: "Code for individual languages and language groups".
[21] ISO 3166-1:2020: "Codes for the representation of names of countries and their subdivisions —
Part 1: Country code".
[22] ISO 8601-1:2019: "Date and time — Representations for information interchange — Part 1: Basic
rules".
ETSI
8 ETSI TS 119 478 V1.1.1 (2026-01)
[23] ISO 15000-2:2021: "Electronic business eXtensible Markup Language (ebXML) — Part 2:
Applicability Statement (AS) profile of ebXML messaging service".
[24] ISO 15000-3:2023: "Electronic business eXtensible Markup Language (ebXML) — Part 3:
Registry and repository".
[25] ISO/IEC 27001:2022: "Information security, cybersecurity and privacy protection — Information
security management systems — Requirements".
[26] OASIS: "ebXML Messaging Protocol Binding for RegRep Version 1.0", Committee
Specification 01, 09 March 2021.
[27] OpenAPI Initiative: "OpenAPI Specification".
[28] OpenID Foundation: "FAPI 2.0 Security Profile".
[29] OpenID Foundation: "OpenID Connect Core 1.0 incorporating errata set 2". ®
[30] W3C Recommendation 21 March 2017: "W3C XML Path Language (XPath) 3.1".
2.2 Informative references
References are either specific (identified by date of publication and/or edition number or version number) or
non-specific. For specific references, only the cited version applies. For non-specific references, the latest version of the
referenced document (including any amendments) applies.
NOTE: While any hyperlinks included in this clause were valid at the time of publication, ETSI cannot guarantee
their long-term validity.
The following referenced documents may be useful in implementing an ETSI deliverable or add to the reader's
understanding, but are not required for conformance to the present document.
[i.1] Commission Implementing Regulation (EU) No 1352/2013 of 4 December 2013 establishing the
forms provided for in Regulation (EU) No 608/2013 of the European Parliament and of the
Council concerning customs enforcement of intellectual property rights.
[i.2] Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 on the
interoperability framework pursuant to Article 12 (8) of Regulation (EU) No 910/2014 of the
European Parliament and of the Council on electronic identification and trust services for
electronic transactions in the internal market.
[i.3] Commission Implementing Regulation (EU) 2020/2244 of 17 December 2020 laying down rules
for the application of Directive (EU) 2017/1132 of the European Parliament and of the Council as
regards technical specifications and procedures for the system of interconnection of registers and
repealing Commission Implementing Regulation (EU) 2015/884.
[i.4] Commission Implementing Regulation (EU) 2021/1042 of 18 June 2021 laying down rules for the
application of Directive (EU) 2017/1132 of the European Parliament and of the Council as regards
technical specifications and procedures for the system of interconnection of registers and repealing
Commission Implementing Regulation (EU) 2020/2244.
[i.5] Commission Implementing Regulation (EU) 2022/1463 of 5 August 2022 setting out technical and
operational specifications of the technical system for the cross-border automated exchange of
evidence and application of the "once-only" principle in accordance with Regulation (EU)
2018/1724 of the European Parliament and of the Council.
NOTE: CIR (EU) 2022/1463 defines the "Once-Only Technical System" (OOTS) for the cross-border automated
exchange of evidence referred to in Article 14 (1) of the "Single Digital Gateway" (SDG)
Regulation (EU) 2018/1724 [i.35], whereas the technical details are specified within [i.19].
[i.6] Commission Implementing Regulation (EU) 2022/1860 of 10 June 2022 laying down
implementing technical standards for the application of Regulation (EU) No 648/2012 of the
European Parliament and of the Council with regard to the standards, formats, frequency and
methods and arrangements for reporting.
ETSI
9 ETSI TS 119 478 V1.1.1 (2026-01)
[i.7] Commission Implementing Regulation (EU) 2024/2977 of 28 November 2024 laying down rules
for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council
as regards person identification data and electronic attestations of attributes issued to European
Digital Identity Wallets.
[i.8] Commission Implementation Regulation (EU) 2024/2979 of 28 November 2024 laying down rules
for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council
as regards the integrity and core functionalities of European Digital Identity Wallets.
[i.9] Commission Implementing Regulation (EU) 2025/846 of 6 May 2025 laying down rules for the
application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as
regards cross-border identity matching of natural persons.
[i.10] Commission Implementing Regulation (EU) 2025/848 of 6 May 2025 laying down rules for the
application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as
regards the registration of wallet-relying parties.
[i.11] Commission Implementing Regulation (EU) 2025/1569 of 29 July 2025 laying down rules for the
application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as
regards qualified electronic attestations of attributes and electronic attestations of attributes
provided by or on behalf of a public sector body responsible for an authentic source.
[i.12] Council Directive 2006/112/EC of 28 November 2006 on the common system of value added tax.
[i.13] Council Regulation (EU) No 389/2012 of 2 May 2012 on administrative cooperation in the field of
excise duties and repealing Regulation (EC) No 2073/2004.
[i.14] ETSI TS 119 411-8: "Electronic Signatures and Trust Infrastructures (ESI); Policy and security
requirements for Trust Service Providers issuing certificates; Part 8: Access Certificate Policy for
EUDI Wallet Relying Parties".
[i.15] ETSI TS 119 461: "Electronic Signatures and Trust Infrastructures (ESI); Policy and security
requirements for trust service components providing identity proofing of trust service subjects".
[i.16] European Commission: "Common Services API Specification".
[i.17] European Commission: "DCAT-AP 3.0".
[i.18] European Commission: "eDelivery ebCore Party Id 2.0".
[i.19] European Commission: "OOTS Technical Design Documents".
[i.20] European Commission: "Specification of systems enabling the notification and subsequent
publication of Provider information".
[i.21] European Commission: "Specification of common formats and API for Relying Party Registration
information".
[i.22] European Data Protection Board: "Guidelines 01/2022 on data subject rights - Right of access".
[i.23] IETF RFC 7521: "Assertion Framework for OAuth 2.0 Client Authentication and Authorization
Grants".
[i.24] IETF RFC 7523: "JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and
Authorization Grants".
[i.25] IETF RFC 7662: "OAuth 2.0 Token Introspection".
[i.26] IETF RFC 8610: "Concise Data Definition Language (CDDL): A Notational Convention to
Express Concise Binary Object Representation (CBOR) and JSON Data Structures".
[i.27] ISO 17442-1:2020: "Financial services — Legal entity identifier (LEI) - Part 1: Assignment".
[i.28] ISO/IEC 18013-5: "Personal identification - ISO - compliant driving licence - Part 5: Mobile
driving licence (mDL) application".
ETSI
10 ETSI TS 119 478 V1.1.1 (2026-01)
[i.29] ISO/IEC 23220-2: "Cards and security devices for personal identification - Building blocks for
identity management via mobile devices - Part 2: Data objects and encoding rules for generic eID-
System".
[i.30] JSON Schema Community: "JSON Schema Specification".
[i.31] OpenID Foundation: "OpenID for Verifiable Credential Issuance 1.0".
[i.32] OpenID Foundation: "OpenID for Verifiable Credential Presentation 1.0".
[i.33] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on
electronic identification and trust services for electronic transactions in the internal market and
repealing Directive 1999/93/EC.
NOTE: The Regulation (EU) No 910/2014 [i.33] on electronic identification and trust services enacted in 2014,
which is informally referred to as "eIDAS-Regulation", has been amended in 2024 by the Regulation
(EU) 2024/1183 [i.36] on the "European Digital Identity Framework" to form what is called in the present
document the "amended eIDAS-Regulation".
[i.34] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the
protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
NOTE: The Regulation (EU) 2016/679 is referred to in the present text as "GDPR".
[i.35] Regulation (EU) 2018/1724 of the European Parliament and of the Council of 2 October 2018
establishing a single digital gateway to provide access to information, to procedures and to
assistance and problem-solving services and amending Regulation (EU) No 1024/2012.
NOTE: The Regulation (EU) 2018/1724 is in the present document referred to as "SDG-Regulation".
[i.36] Regulation (EU) 2024/1183 of the European Parliament and of the Council amending
Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework.
[i.37] W3C Recommendation 22 August 2024: "Data Catalog Vocabulary (DCAT) - Version 3".
[i.38] W3C Recommendation 16 July 2020: "JSON-LD 1.1".
[i.39] W3C Recommendation 5 April 2012: "W3C XML Schema Definition Language (XSD) 1.1 Part 1:
Structures".
[i.40] W3C Recommendation 5 April 2012: "W3C XML Schema Definition Language (XSD) 1.1 Part 2:
Datatypes".
[i.41] W3C Recommendation 03 March 2022: "Verifiable Credentials Data Model v1.1".
3 Definition of terms, symbols, abbreviations and
notation
3.1 Terms
For the purposes of the present document, the terms given in the amended eIDAS-Regulation [i.33], the SDG-
Regulation [i.35] including the related implementing acts CIR (EU) 2015/1501 [i.2], CIR (EU) 2022/1463 [i.5],
CIR (EU) 2025/848 [i.10] as well as the OAuth 2.0 standard from IETF RFC 6749 [6] and the following apply:
NOTE: The most important terms are included here for the convenience of the reader.
attribute: characteristic, quality, right or permission of a natural or legal person or of an object
NOTE: See Article 3 (43) of the eIDAS-Regulation [i.33].
ETSI
11 ETSI TS 119 478 V1.1.1 (2026-01)
authentic source: repository or system, held under the responsibility of a public sector body or private entity, that
contains and provides attributes about a natural or legal person or object and that is considered to be a primary source of
that information or recognized as authentic in accordance with Union or national law, including administrative practice
NOTE: See Article 3 (47) of the eIDAS-Regulation [i.33] and clause 4 of the present document.
authentic source interface: interface. which allows to verify or retrieve attributes, which are stored within an authentic
source
NOTE: See clause 6 of the present document.
authentic source interface provider: provider of an authentic source interface
NOTE: The authentic source interface provider can be an authentic source or an intermediary acting on its behalf.
authorization server: server issuing access tokens to the client after successfully authenticating the resource owner and
obtaining authorization
NOTE: See clause 1.1 of IETF RFC 6749 [6] and clause 6.1.3 of the present document.
authorization server provider: provider of an authorization server
catalogue of attributes: digital repository of attributes that is maintained and published online by the Commission
NOTE: See Article 2 (3) of CIR (EU) 2025/1569 [i.11].
client: application making protected resource requests on behalf of the resource owner and with its authorization
NOTE 1: The term "client" does not imply any particular implementation characteristics (e.g. whether the
application executes on a server, a desktop, or other devices).
NOTE 2: See clause 1.1 of IETF RFC 6749 [6] and clause 6.1.3 of the present document.
common services: collection of services provided by the European Commission related to the catalogue of attributes
and the once-only technical system, which contain the semantic repository and the data service directory and allow to be
accessed through the discover interface
NOTE: See also Article 1 (10) and Article 4 (1) of CIR (EU) 2022/1463 [i.5].
data service directory: registry which can be accessed through the discover interface and which contains the list of
data services for the verification or retrieval of attributes
NOTE: See also Article 1 (7) and Article 5 of CIR (EU) 2022/1463 [i.5].
discover interface: interface provided by a discover interface provider, which allows to search for the unique identifier
of a specific attribute and retrieve related semantic specifications, data models and information related to data services
for the verification or retrieval of attributes
NOTE: See clause 5 of the present document and also Article 1 (7) and Article 5 of CIR (EU) 2022/1463 [i.5].
discover interface provider: provider of a discover interface
electronic attestation of attributes: attestation in electronic form that allows attributes to be authenticated
NOTE: See Article 3 (44) of the eIDAS-Regulation [i.33].
electronic attestation of attributes issued by or on behalf of a public sector body responsible for an authentic
source: electronic attestation of attributes issued by a public sector body that is responsible for an authentic source or
by a public sector body that is designated by the Member State to issue such attestations of attributes on behalf of the
public sector bodies responsible for authentic sources in accordance with Article 45f and with Annex VII
NOTE: See Article 3 (46) of the eIDAS-Regulation [i.33].
ETSI
12 ETSI TS 119 478 V1.1.1 (2026-01)
European Digital Identity Wallet: electronic identification means which allows the user to securely store, manage and
validate person identification data and electronic attestations of attributes for the purpose of providing them to relying
parties and other users of European Digital Identity Wallets, and to sign by means of qualified electronic signatures or
to seal by means of qualified electronic seals
NOTE: See Article 3 (42) of the eIDAS-Regulation [i.33].
Once-Only Technical System ('OOTS'): technical system for the cross-border automated exchange of evidence
NOTE: See Article 14 (1) of Regulation (EU) 2018/1724 [i.35] and Article 1 (1) of CIR (EU) 2022/1463 [i.5].
person identification data: set of data that is issued in accordance with Union or national law and that enables the
establishment of the identity of a natural or legal person, or of a natural person representing another natural person or a
legal person
NOTE: See Article 3 (3) of the eIDAS-Regulation [i.33].
public sector electronic attestation of attributes provider: trust service provider, which issues electronic attestations
of attributes issued as, or on behalf of, a public sector body responsible for an authentic source
qualified electronic attestation of attributes: electronic attestation of attributes which is issued by a qualified trust
service provider and meets the requirements laid down in Annex V of Regulation (EU) No 910/2014
NOTE: See Article 3 (45) of the eIDAS-Regulation [i.33].
qualified trust service provider: trust service provider who provides one or more qualified trust services and is
granted the qualified status by the supervisory body
NOTE: See Article 3 (20) of the eIDAS-Regulation [i.33].
resource owner: entity capable of granting access to a protected resource
NOTE 1: When the resource owner is a natural person, it is referred to as an end-user.
NOTE 2: See clause 1.1 of IETF RFC 6749 [6] and clause 6.1.3 of the present document.
resource server: server hosting the protected resources, capable of accepting and responding to protected resource
requests using access tokens
NOTE: See clause 1.1 of IETF RFC 6749 [6] and clause 6.1.3 of the present document.
semantic data specifications: specifications, with human- and/or machine-processable representations, that define how
data is recommended to be organized, described and interpreted to facilitate accurate understanding and exchange
between systems, applications, and people
NOTE: Artefacts comprising a semantic data specification can include visual diagrams (e.g. UML class
diagrams), human-readable documentation, schemas (e.g. RDF schema, XML schema and JSON
schema), alongside pertinent code lists and constraints, in relevant formats.
semantic repository: collection of descriptions of semantic assets, including semantic data specifications and schemas
related to attributes which can be accessed through the discover interface and which allow to search for the unique
identifier of a specific attribute and retrieve related semantic specifications and pertinent schema distributions
NOTE: See Article 1 (10) and Article 7 of CIR (EU) 2022/1463 [i.5].
trust service: electronic service normally provided for remuneration which consists of any of the following:
a) the issuance of certificates for electronic signatures, certificates for electronic seals, certificates for website
authentication or certificates for the provision of other trust services;
b) the validation of certificates for electronic signatures, certificates for electronic seals, certificates for website
authentication or certificates for the provision of other trust services;
c) the creation of electronic signatures or electronic seals;
d) the validation of electronic signatures or electronic seals;
ETSI
13 ETSI TS 119 478 V1.1.1 (2026-01)
e) the preservation of electronic signatures, electronic seals, certificates for electronic signatures or certificates
for electronic seals;
f) the management of remote electronic signature creation devices or remote electronic seal creation devices;
g) the issuance of electronic attestations of attributes;
h) the validation of electronic attestation of attributes;
i) the creation of electronic timestamps;
j) the validation of electronic timestamps;
k) the provision of electronic registered delivery services;
l) the validation of data transmitted through electronic registered delivery services and related evidence;
m) the electronic archiving of electronic data and electronic documents;
n) the recording of electronic data in an electronic ledger.
NOTE 1: See Article 3 (16) of the eIDAS-Regulation [i.33].
NOTE 2: Within the scope of the present document the trust services for the issuing of certificates according to
Article 3 (16) (a) of the eIDAS-Regulation [i.33] and for the issuing of electronic attestations of attributes
according to Article 3 (16) (g) of the eIDAS-Regulation [i.33] are especially relevant, as the interfaces to
the authentic sources specified in the present document aim at facilitating the implementation of such
trust services.
trust service provider: natural or a legal person who provides one or more trust services either as a qualified or as a
non-qualified trust service provider
NOTE: See Article 3 (19) of the eIDAS-Regulation [i.33] and clause 4 of the present document.
user: natural or legal person, or a natural person representing another natural person or a legal person, that is subject of
the attribute stored in the authentic source and which is capable of authorizing the access to the authentic source
interface
wallet-relying party: relying party that intends to rely upon wallet units for the provision of public or private services
by means of digital interaction
NOTE: See Article 2 (1) of CIR (EU) 2025/848 [i.10].
wallet-relying party access certificate: certificate for electronic seals or signatures authenticating and validating the
wallet-relying party issued by a provider of wallet-relying party access certificates
NOTE: See Article 2 (12) of CIR (EU) 2025/848 [i.10] and ETSI TS 119 411-8 [i.14].
wallet-relying party registration
...