Digital wallets and the credentials they hold are ALL the rage these days. Understanding how to make them work in today’s world is where the EU’s Digital Identity Architecture Reference Framework (ARF) comes in.
If you’ve read my earlier posts about verifiable credentials, the next logical step is to discuss how those credentials are stored in a digital wallet.
What’s a Wallet?
OK, so digital identity wallets may be all the rage, but that doesn’t necessarily mean that people—even techies—have a common understanding of what they are. According to the Open Wallet Foundation:
“A digital wallet is a container where you can store and access digital assets, credentials, and other useful items, such as tickets and keys. Another software component, most often called an agent, can put items into a wallet, take items out of a wallet, or process items in a wallet. While the wallet is the container, the agent is the mover and shaker.” — Gordon Gram, “Why the World Needs an Open Source Digital Wallet Right Now,” Open Wallet Foundation, February 2023.
That’s a good functional definition, though it doesn’t quite help determine the standard technical specifications for the container. But that’s a topic for a future blog post.
A Framework for Many Moving Parts
Governments, businesses, and individuals are all concerned with how to give an individual agency over their personal data. This concern is a natural response to the privacy laws that have rolled out worldwide in the last 5+ years. That said, coming up with a structure that supports user agency over their own data while still supporting other legal and cybersecurity-based requirements is a challenge. There are just SO MANY moving parts!
- There are the entities that are responsible for the wallets themselves (i.e., the Holders).
- There are the entities that are responsible for the data that goes into the credentials stored by the wallet (i.e., the Issuers).
- There are the entities that want to ask for the credential (or some of the data that the credential holds) (i.e., the Verifiers).
But wait, there’s more! There are device manufacturers whose equipment must be capable of managing the cryptography associated with complex digital signatures. There are services responsible for building a trusted registry of the entities participating in this ecosystem. There are entities providing audit services to make sure everything is running securely and according to current legal requirements and best practices. And so on.
With so many moving parts and so much personal data involved, is it any wonder the EU decided that further guidance was necessary? How many ways this can go wrong is more than a bit terrifying. And yet, the promises of privacy, security, and agency can’t be ignored. And the ARF is where that work starts.
Enter the EUDI Architecture Reference Framework
The ARF is an outline that provides the first blush of a framework for how digital wallets will work in the EU. The European Commission kicked off the work through a Commission Recommendation from June 2021 that urged Member States to develop common standards, technical specifications, and best practices in response to the eIDAS 2.0 regulation. EU Member States sent their experts to join a collaborative process to build the framework.
The work was done very openly via a public GitHub repository, letting people see and comment on the changes as the work developed.
While using the framework isn’t required to comply with eIDAS 2.0, it’s still the best way to help meet the goal of an interoperable environment for digital wallets. Other countries and companies should see this as a great place to start.
Highlights
The ARF isn’t a particularly long document—it’s a comprehensive outline, after all, not the complete guidance—but it is dense with information! Here are a few highlights:
1. Functional Requirements Are A Thing: If your organization is exploring using digital verifiable credentials, then you could do worse than start here. And if you are interested in using digital verifiable credentials AND have a presence in the EU, then you REALLY want to start here. A wallet needs to be able to do a variety of things. From performing electronic identification to storing and managing qualified and non-qualified electronic attestations of attributes and providing mutual authentication capabilities, this isn’t something you want to get wrong. Given that, the level of detail in the ARF makes it a great kickstarter guide for developers and stakeholders on the technical expectations and capabilities required for the EUDI Wallet. It’s an opportunity to mitigate “you don’t know what you don’t know” when making plans in the digital wallet world.
2. It’s Not All Technical Details: The ARF outline includes space for non-functional requirements, including guidance on security, privacy by design, and user control over personal data. Having a presence in the EU and a reliance on government-issued credentials means playing in the digital wallet and verifiable credential landscape. The ARF puts the framework in a context that will help you comply with the appropriate legal and regulatory frameworks while providing a secure and user-friendly experience.
3. But if You Want to Talk about Interfaces and Integration Points: The framework will specify various interfaces and integration points for a digital identity wallet (specifically the EUDI Wallet) with external entities like Member States’ infrastructures, identity cards, and trusted registries. You probably could go a trial-and-error route to figure out how to integrate with this digital ecosystem, but life is too short. Use the guidance to save time; it’s freely available.
What Happens Next?
As with any v1.0, you can expect changes. The ARF will evolve from an outline to a complete Architecture and Reference Framework. The authors intend to expand this outline into a comprehensive framework as set out in the Commission Recommendation, and it will be aligned with the outcomes of the legislative negotiations regarding the proposal for a European Digital Identity Framework.
As noted earlier, the ARF has its own GitHub repository, and you are free to offer feedback if you have ideas and experience that will help improve the framework.
How Globally Applicable is the ARF?
If you ask me (and it’s my blog), deployers can and should use the ARF as the basis for large-scale wallet deployments worldwide. But others may not agree. The US, in particular, is much more chaotic regarding wallet deployments, as each US State is deciding independently of the others whether to build its own or use ones from Google or Apple. The US Federal Government’s Department of Homeland Security is also doing amazing work in the verifiable credential and digital wallet space. Still, they don’t have the same level of mandate that regulations like eIDAS 2.0, GDPR, etc., provide in the European Union.

