# Trust in PID Issuance and Presentation
## Overview
Personal Identification Data (PID) represents core identity data of a person and forms the foundational identity layer within the EUDI Wallet ecosystem. PID is distinct from other attestation types (EAA, QEAA, PubEAA) in that it focuses on core identity establishment.
Note
Only a single PID Provider is planned for the EUDI Ecosystem in Germany at the moment.
For guidance on the differences between PID and other attestation types, see the Trust Overview and Decision Guide.
## Trust Model for PID
Trust in PID is anchored in:
| Trust Element | Description |
|---|---|
| Member State responsibility | PID is issued by or under the responsibility of the Member State |
| National certification | Based on BSI TR-03189 in Germany |
| Level of Assurance High | As required by eIDAS |
| National PID providers list | Trust status published in national trust list |
### Liability under PID
The Member State is responsible for the proper functioning of the PID system. This includes:
- Ensuring the integrity of the identity proofing process
- Operating or supervising the PID Provider
- Maintaining the national trust infrastructure
## Trust Architecture
The technical trust architecture for the PID-related use cases is shown in the following figure:
Figure: Technical trust architecture for PID issuance and presentation
This trust architecture is used by several trust-related processes during the lifecycle of a PID. For a description of general trust management between the participants of the ecosystem see Trust Validation Overview.
### During PID Issuance
- Wallet Unit requests the signed issuer metadata from the PID Provider; the metadata is signed with the PID Provider's access certificate and contains that access certificate and the service endpoints
- Wallet Unit checks the trust status of the access certificate via the national access certificate providers list and its validity via the corresponding revocation list
- Wallet Unit checks the trust status of the PID Provider via the national PID providers list
- Wallet Unit presents a Wallet Attestation and Key Attestation(s) to the PID Provider
- PID Provider checks the attestations and the trust status of the Wallet Provider via the national Wallet providers list
- PID Provider signs PIDs and the PID TSL using certificates from a PID CA that is linked to the PID Provider's entries in the national trust list
### During PID Presentation and Validation
- Relying Party Instance presents its access certificate and registration certificate to the Wallet Unit when requesting a PID presentation
- The Wallet Unit verifies the RP's access and registration certificates via the national access certificate and registration certificate providers lists and the corresponding revocation / status lists
- The Relying Party Instance checks the trust status of the Wallet Provider and the PID Provider via the national Wallet and PID providers lists
- During PID presentation, an RP does not directly verify the validity of the Wallet Unit, but it can do so implicitly by verifying the presented PID
- The PID signature certificate is verified against the national PID providers list
## PID PKI
The issuing and revocation services of a PID Provider use digital certificates to sign issued PID credentials and the corresponding PID status lists. These certificates are provided by a PID PKI:
- different signing keys and certificates are used for PIDs and for status lists
- the signing certificates for PIDs and for status lists are issued by different CAs
- the cryptography complies with the mandatory algorithms of the eIDAS Implementing Acts, see Cryptographic Algorithms in Security Requirements
- the trust anchor for the certificates used by PID Provider services is the national PID providers trust list
There are different approaches for the structure and levels of a PID PKI, e.g.:
Option 1:
- one PID Root CA for different issuing Sub-CAs
- Sub-CAs issue signing certificates for PIDs and for status lists
- Sub-CAs are published with the PID Providers services on the PID providers trusted list
or:
Option 2:
- self-signed issuing PID CAs for PID and for status list signing certificates
- PID CAs are published on the PID providers trusted list
The structure of a PID PKI is an implementation decision of the PID Provider and does not affect the general PID trust mechanism.
To verify a PID, a Relying Party follows the certificate chain of the signing certificate up to the trust anchor in the corresponding trusted list entry of the issuing PID Provider.
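The Relying Party check described above, together with the two PKI options, as an added example written for this page (it is not code from the EUDI Wallet project, and the trusted-list layout, the certificate names, the "Provider A"/"Provider B" entries, the choice of ECDSA P-256 with SHA-256 and the sample PID payload are all assumptions made here). The example builds Option 1 (one PID Root CA with separate Sub-CAs for PID and status-list signing, Sub-CAs published on the list) and Option 2 (a self-signed issuing PID CA published directly), then runs the same verification against each: chain the PID signing certificate to a trust anchor taken from the PID entries of the trusted list, and only then check the signature over the PID. A status-list signing certificate, a certificate from a CA that was never published, and a tampered PID are all rejected, which is the behaviour the separation of keys and CAs in the list above is meant to give:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// trustEntry: one entry of the national PID providers trusted list (layout assumed for this example).
type trustEntry struct {
	Provider, Service string            // Service is "PID" or "StatusList"
	Anchor            *x509.Certificate // CA certificate published as trust anchor for that service
}

// mkCert issues an ECDSA P-256/SHA-256 certificate for cn (algorithm assumed eIDAS-compliant),
// signed by parent, or self-signed when parent is nil. Serial numbers are time-based, toy-PKI style.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil { // self-signed: the template is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyPID is the Relying Party check from the text: chain the PID signing certificate to an
// anchor from the "PID" entries of the trusted list (status-list anchors are not accepted), then
// verify the signature over the PID bytes. Revocation / status-list checking is not modelled here.
func verifyPID(pid, sig []byte, signCert *x509.Certificate, list []trustEntry) error {
	roots := x509.NewCertPool()
	for _, e := range list {
		if e.Service == "PID" {
			roots.AddCert(e.Anchor)
		}
	}
	if _, err := signCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("no chain to a listed PID trust anchor: %w", err)
	}
	pub, _ := signCert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(pid)
	if pub == nil || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("PID signature does not verify")
	}
	return nil
}

// scenarios builds both PKI options from the text plus an unlisted CA and returns the
// verification outcome per case (nil means the PID is accepted).
func scenarios() map[string]error {
	pid := []byte(`{"family_name":"Mustermann","given_name":"Erika"}`) // constructed sample payload
	sign := func(k *ecdsa.PrivateKey) []byte {
		d := sha256.Sum256(pid)
		s, _ := ecdsa.SignASN1(rand.Reader, k, d[:])
		return s
	}
	// Option 1: one PID Root CA, separate Sub-CAs for PID and status-list signing; the Sub-CAs are listed.
	root, rootKey := mkCert("PID Root CA", true, nil, nil)
	pidSubCA, pidSubKey := mkCert("PID Issuing Sub-CA", true, root, rootKey)
	stSubCA, stSubKey := mkCert("Status List Sub-CA", true, root, rootKey)
	pidSign1, pidKey1 := mkCert("PID Signer (opt 1)", false, pidSubCA, pidSubKey)
	stSign, stKey := mkCert("Status List Signer", false, stSubCA, stSubKey)
	// Option 2: self-signed issuing PID CA, listed directly.
	pidCA2, pidCA2Key := mkCert("PID CA (opt 2)", true, nil, nil)
	pidSign2, pidKey2 := mkCert("PID Signer (opt 2)", false, pidCA2, pidCA2Key)
	unlisted, unlistedKey := mkCert("Unlisted CA", true, nil, nil) // never published on the list
	rogueSign, rogueKey := mkCert("Unlisted Signer", false, unlisted, unlistedKey)
	list := []trustEntry{{"Provider A", "PID", pidSubCA}, {"Provider A", "StatusList", stSubCA}, {"Provider B", "PID", pidCA2}}
	return map[string]error{
		"option 1 chain":           verifyPID(pid, sign(pidKey1), pidSign1, list),
		"option 2 chain":           verifyPID(pid, sign(pidKey2), pidSign2, list),
		"status-list cert for PID": verifyPID(pid, sign(stKey), stSign, list),
		"unlisted CA":              verifyPID(pid, sign(rogueKey), rogueSign, list),
		"tampered PID":             verifyPID(append(pid, '!'), sign(pidKey1), pidSign1, list),
	}
}
```

The same pattern, a certificate pool built only from the entries of the relevant national list and a chain validation before any signature is trusted, is what the Wallet Unit applies to the access and registration certificates in the issuance and presentation flows above; only the list consulted changes. Note that the chain check alone is not the whole validation: the revocation and status lists named in those flows still have to be consulted for the signing and access certificates, which this example deliberately leaves out.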
## Related Resources
- Trust Overview and Decision Guide — For understanding trust models
- Trust Validation Overview — For technical validation details
- Wallet-Relying Party Authentication — For RP registration and certificates
- Trust Overview and Decision Guide — For credential definitions and comparison