Decomposition

This chapter documents the overarching roles and components of the architecture as well as their connections and interactions.

[Figure: Overall architecture]

Roles

| Name | Abbreviation | Description |
|---|---|---|
| User | USER | Entity that uses the Wallet. Natural person to whom the PID belongs. |
| PID Provider | PP | Entity that verifies the identity of the User, issues the PID to the User's Wallet and publishes information to let Relying Parties verify the validity of the PID. |
| eID Server | ES | Entity that verifies the eID Card of the User and provides the contained data groups to the PID Provider. |
| Wallet Provider | WP | Entity that provides the Wallet Solution. |
| Relying Party | RP | Entity that relies on the PID. |
| Platform Attestation Provider | PAP | Entity that provides platform attestations about the integrity of the User Device and the installed Wallet App. |
| Mobile Device Vulnerability Management Provider | MDVMP | Entity that provides the Wallet Provider with a vulnerability management system covering vulnerabilities in mobile devices and cryptographic key stores. |
| Remote KMS Provider | RKP | Entity that provides an HSM-based remote key management solution as a service for the Remote WSCD. |

Logical Components

| Name | Description |
|---|---|
| Wallet Solution | The Wallet Provider's product, which encompasses the Wallet App, the Wallet Backend and the Remote WSCD. |

Components

| Name | Abbreviation | Description |
|---|---|---|
| User Device | UD | The mobile device of the User serves as the host for the Wallet Instance. |
| Wallet Instance | WI | The Wallet App installed on the User's Device. |
| Hardware-backed Key Store | HKS | A sub-component of the user device that manages locally stored, hardware-backed cryptographic keys (e.g. TEE, Android StrongBox, iOS Secure Enclave). |
| Wallet Provider Backend | WB | The Backend of the Wallet Provider. |
| Remote Wallet Secure Cryptographic Device | RWSCD | A Wallet Secure Cryptographic Device (WSCD, as defined by the ARF) that the Wallet Instance accesses remotely. |

Wallet Instance (WI) decomposition

[Figure: Wallet Instance architecture]

| Name | Description |
|---|---|
| Graphical User Interface | Primary interface for the User to operate the app (WI). |
| EUDI Wallet Reference Implementation | Reference Implementation of the EUDI Wallet providing core functionality for OpenID4VC, SD-JWT, ISO mdoc, storage, the WSCD interface and an implementation for a local WSCD. |
| AusweisApp SDK | SDK implementing the protocols and interfaces for reading the German eID card. |
| Wallet Backend Client | Client for accessing Wallet Backend (WB) operations. |
| Remote WSCD Client | Client for accessing Remote WSCD (RWSCD) operations. |

Wallet Provider Backend (WB) decomposition

[Figure: Wallet Provider Backend architecture]

| Name | Description |
|---|---|
| Wallet Provider Backend API | API providing Wallet Provider Backend operations to the Wallet Instance. |
| Wallet Provider Backend Database | Database for storing Wallet Instance accounts in the Wallet Provider Backend. |
| Hardware Security Module (HSM) | Hardware module for storing cryptographic keys used to sign Wallet Instance Attestations. |
| Vulnerability Management Client | Client for accessing the API of the Vulnerability Management Provider. |

Remote Wallet Secure Cryptographic Device (RWSCD) decomposition

[Figure: Remote Wallet Secure Cryptographic Device architecture]

| Name | Description |
|---|---|
| Remote WSCD API | API providing Remote WSCD operations to the Wallet Instance. |
| Remote WSCD Database | Database for storing Wallet Instance accounts in the Remote WSCD. |
| KMS Client | Client for accessing the KMS API to perform key-related operations. |
| Hardware Security Module (HSM) | Hardware module for storing cryptographic keys used to sign Wallet Trust Evidence. |

Mobile Device Vulnerability Management Provider (MDVMP) decomposition

[Figure: Mobile Device Vulnerability Management Provider architecture]

| Name | Description |
|---|---|
| Platform Attestation Verification | Backend Service that verifies platform attestations and provides verified information about the device/app security posture and the device class to the Decision Engine. |
| Decision Engine | Backend Service that gathers inputs and acts on device/app/vulnerability information. |
| MDVMP RASP SDK | Runtime Application Self-Protection (RASP) as an SDK integrated into the Wallet App to enable detection and prevention of security threats during the application's execution. It allows the Wallet App to monitor its own behavior and environment, identify potential attacks such as tampering or code injection, and respond automatically to protect itself. It provides signals about the authenticity and integrity of the User Device and the Wallet App to the MDVMP RASP Backend. |
| MDVMP RASP Backend | Backend Service that supports the functionality of the MDVMP Runtime Application Self-Protection (RASP) SDK by receiving and analyzing authenticity and integrity signals from the SDK and providing verified information about the device/app security posture and the device class to the Decision Engine. |
| MDVMP Threat Intelligence | Vulnerability database that provides device class vulnerability information to the Decision Engine. |