
Architecture Proposal for the German eIDAS Implementation

As part of the consultation process for the implementation of the EU Digital Identity Wallet in Germany, this document provides a thorough exploration of potential architecture options and describes various related considerations.

  • The GitLab repository for this document is hosted on OpenCoDE.
  • For reading, the content is available at this website.

Current Status — Version 2.3

The main focus of this version is still on Person Identification Data (PID) credential issuance and presentation on top of the German eID system. The document aims to describe those potential architecture options that are not obviously infeasible, in order to compare and discuss their advantages and disadvantages.

The document is not intended to be complete or final. It is expected that the document will be updated based on feedback and further discussion.

Version 2.0

  • substantiates the design options found in Version 1,
  • provides more details, e.g., for the PID contents,
  • features expanded privacy considerations, intended as the basis for in-depth discussions during the upcoming privacy workshop about the exact privacy requirements and how the various options align with them, and finally,
  • is meant to provide a starting point for prototypical evaluation and security assessment.

This document incorporates parts of the feedback received on Version 1 of the proposal, but is not yet a complete response to all feedback received.

Versions 2.1 to 2.3 are minor increments to Version 2.0, in particular updating and completing technical details in the various flows. Please find the full changelog below.

Providing Feedback

At this step, we are interested in receiving feedback on the architecture and the proposed options such as the following:

  • Are the descriptions of the options clear and understandable?
  • Are there any flaws in the proposed architecture options?
  • Feedback regarding the security, privacy, user experience, potential user reach, and implementation complexity of the proposed options.
  • Any other comments and suggestions.

To provide feedback, please file an Issue on OpenCoDE.

Changelog

Version 2.3 (August 2024)

Major changes:

  • Added a list of the standards used and their versions
  • Added a rendered HTML version of the architecture document
  • Added information on the batch size
  • Updated the ECDH and MAC draft URL
  • Added a clarification on the issuer MACing the DeviceSigned structure in Options B and B'
  • Distinguished the PID issuer session ID from the wallet backend session ID in Option C'

Other changes:

  • Migrated the terminology table to a list

Version 2.2 (August 2024)

Major changes:

  • Added section on Performance and Availability
  • Added detailed flow for PID Option C''
  • Added credential response encryption to (Q)EAA and all PID issuing flows
  • Cryptographic Algorithms: Added secp256r1 (known as NIST P-256) to the issuer list to increase the publicly available HSM support

Other changes:

  • Cryptographic Algorithms: Aligned the SHA digest size with the signature size
  • Cryptographic Algorithms: Made it clearer which algorithms the verifier needs to use when signing the OpenID4VP request
  • Aligned across the flows how the information about keys and cryptographic artifacts is expressed
  • Re-naming dev_eph_priv/pub to pp_eph_priv/pub
  • Updated example of a new seed_credential grant type
  • Removed references to the Batch Credential Endpoint since it was deprecated in the OpenID4VCI specification itself
  • Various minor editorial fixes

Note: This version does not yet contain the outcome of the privacy workshop.

Version 2.1 (July 2024)

Major changes:

  • Added UX Considerations for all Options
  • Added PID metadata for the SD-JWT VC format
  • Cleanup of description of Option D, added step-by-step description of the issuance flow
  • Reduced the eID card scan from two scans to a single scan
  • Added a seed credential grant type extension for OpenID4VCI for PID issuance (flow B')
  • Added the supported cryptographic algorithms
  • Defined a new credential format seed_credential for seed credential issuance that sends the two PoPs and pin_derived_eph_pub in the credential request rather than in a separate request
  • Changed from concatenating two parameters to using JWT claims in the payload when generating PoPs
  • Defined a new credential format mso_mdoc_authenticated_channel that returns not just IssuerSigned but also DeviceSigned in the credential response in Options B and B'
  • Defined how to pass rp_eph_pub in the credential request in option B and B'

Other changes:

  • Added examples for requests and payloads
  • Changed terms from "user_pin signed nonce" to "PoP for pin derived ephemeral key"; "dev signed nonce" to "PoP for dev key"; "wallet_auth signed nonce" to "PoP for wallet app's key"
  • Clarified which key to use as the DPoP key in Option B'
  • Optimized User Journeys
  • Changed calls that fetch a nonce from HTTP GET to HTTP POST
  • Renamed pid_issuer_nonce to pid_issuer_session_id
  • Improved the introduction text
  • Introduced term "EUDIW Provider"
  • Various minor editorial fixes
  • Various adaptations to align with updated specifications
  • Removed usage of TLS-PSK in issuance flows
  • Option B: changed to Pushed Authorization Requests (PAR) to be consistent with the other PID options
  • Option B': removed PID PIN derived cryptographic key from the seed credential & added description of the seed credential
  • Option C': changed Seed Credential to DPoP-bound refresh token

Tooling changes:

  • Automatic PDF generation from markdown files

Version 2 (March 2024)

New content:

  • Added Options B', C' and C'' as variants of the existing options B and C
  • Added section on Revocation
  • Added section for PID content for SD-JWT VC
  • Added new chapter Operating Model
  • Added section Wallet Invocation
  • Added terminology section

Major changes:

  • Reworked the PID option overview
  • Expanded privacy considerations
  • Consolidated PID Options B.1.1 and B.1.2 into a unified Option with a single sequence diagram

Other changes:

  • Incorporated UI/UX feedback
  • Various minor editorial fixes from feedback on version 1

Version 1 (November 2023)

  • Initial release