| Name | Abbreviation | Description |
|---|---|---|
| | | Entity that uses the Wallet. Natural person to whom the PID belongs. |
| PID Provider | PP | Entity that verifies the identity of the User, issues the PID to the User's Wallet and publishes information that lets Relying Parties verify the validity of the PID. |
| eID Server | ES | Entity that verifies the eID Card of the User and provides the contained data groups to the PID Provider. |
| Wallet Provider | WP | Entity that provides the Wallet Solution. |
| Relying Party | RP | Entity that relies on the PID. |
| Platform Attestation Provider | PAP | Entity that provides platform attestations about the integrity of the User Device and the installed Wallet App. |

| Name | Abbreviation | Description |
|---|---|---|
| | | The Wallet Provider's product, which encompasses the Wallet App, the Wallet Backend and the Remote WSCD. |
| Wallet Unit | | A unique configuration of a Wallet Solution that includes Wallet Instances, Wallet Secure Cryptographic Applications and Wallet Secure Cryptographic Devices provided by the Wallet Provider to an individual User. |
| | | The mobile device of the User serves as the host for the Wallet Instance. |
| Wallet Instance | WI | The Wallet App installed on the User's Device. |
| Hardware-backed Key Store | HKS | A sub-component of the User Device that manages locally stored, hardware-backed cryptographic keys (e.g. TEE, Android StrongBox, iOS Secure Enclave). |
| Wallet Provider Backend | WB | The Backend of the Wallet Provider. |
| Mobile Device Vulnerability Management Service | MDVM | Entity that provides a vulnerability management system to the Wallet Provider about vulnerabilities in mobile devices and cryptographic key stores. |
| Remote Wallet Secure Cryptographic Device | RWSCD | A service offering the functionality of a Wallet Secure Cryptographic Device (WSCD) that protects critical assets. |
| Remote Wallet Secure Cryptographic Application | RWSCA | A service offering the functionality of a Wallet Secure Cryptographic Application (WSCA) for a Wallet Unit that the Wallet Instance accesses remotely. This encompasses the wallet's cryptographic operations on critical assets, performed with the Remote WSCD. |
| | | API providing Wallet Provider Backend operations to the Wallet Instance. |
| Wallet Backend Account Database | | Database for storing Wallet Instance accounts in the Wallet Provider Backend. |
| Hardware Security Module | HSM | Hardware module for storing the cryptographic keys used to sign Wallet Instance Attestations. |
## Remote Wallet Secure Cryptographic Device and Application (RWSCD/RWSCA) decomposition

| Name | Description |
|---|---|
| WSCA API | API authenticating the User and providing Remote WSCA operations to the Wallet Instance. |
| WSCA Account Database | Database for storing Wallet Instance accounts in the Remote WSCA. |
| HSM Client | Client for accessing the HSM to perform key-related operations. |
| HSM | Cluster of multiple Hardware Security Modules (HSM) that are synced with a common master key and perform cryptographic operations using wrapped keys. |
| Wallet Secure Cryptographic Application | Logical abstraction that manages critical assets by providing cryptographic operations through the Wallet Secure Cryptographic Device, as defined by CIR (EU) 2024/2979. |
| Wallet Secure Cryptographic Device | Logical abstraction for a tamper-resistant device that protects critical assets by providing cryptographic operations to the Wallet Secure Cryptographic Application, as defined by CIR (EU) 2024/2979. This component is implemented as a Hardware Security Module (HSM), ensuring that keys created within the WSCD never leave the device except in encrypted (wrapped) form for storage. |
## Mobile Device Vulnerability Management Service (MDVM) decomposition

| Name | Description |
|---|---|
| MDVM Service | Backend service that verifies platform attestations, determines the device class and checks for vulnerabilities using the Device Class Vulnerability Database and the Leaked Platform Attestation Key Database. The MDVM Service then issues a token that lets the WB and the RWSCD act on device, app or vulnerability findings by restricting the WI's capabilities and actions. |
| RASP SDK | Runtime Application Self-Protection (RASP) delivered as an SDK integrated into the Wallet App to detect and prevent security threats while the application runs. It lets the app monitor its own behaviour and environment, identify potential attacks such as tampering or code injection, and respond automatically to protect itself. |
| Device Class Vulnerability Database | Vulnerability database that provides device class vulnerability information to the MDVM Service. |
| Leaked Platform Attestation Key Database | Vulnerability database that provides leaked attestation keys of Platform Attestation Services to the MDVM Service. |
| MDVM Account Database | Database for storing Wallet Instance accounts in the MDVM. |
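The MDVM Service flow described above (verify the platform attestation, reject leaked attestation keys, classify the device, consult the device class vulnerability data, issue a capability token that the WB and RWSCD can verify) as an added Python sketch; this is illustrative code written for this page, not the project's implementation. All keys, identifiers and database entries are constructed, and an HMAC stands in for the certificate-chain verification a real Platform Attestation Provider would require.

```python
import hashlib
import hmac
import json

# Constructed sample data: PAP signing keys, the Leaked Platform Attestation
# Key Database, the Device Class Vulnerability Database and the MDVM token key.
PAP_KEYS = {"pap-key-1": b"pap-secret-1", "pap-key-2": b"pap-secret-2"}
LEAKED_PAP_KEYS = {"pap-key-2"}
DEVICE_CLASS_VULNS = {
    # device class -> patch levels at or below this date are vulnerable
    # (ISO dates compare correctly as strings)
    "vendor-x/model-a/strongbox": "2024-03-01",
}
MDVM_TOKEN_KEY = b"mdvm-token-secret"


def _mac(key, payload):
    """HMAC over a canonical JSON encoding (stand-in for a real signature)."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()


def make_attestation(key_id, payload):
    """Constructed PAP stand-in: attest a device/app payload under a PAP key."""
    return {"payload": payload, "key_id": key_id, "sig": _mac(PAP_KEYS[key_id], payload)}


def evaluate_attestation(attestation):
    """MDVM side: return (capability, reason) for one platform attestation."""
    payload, key_id = attestation["payload"], attestation["key_id"]
    secret = PAP_KEYS.get(key_id)
    if secret is None or not hmac.compare_digest(_mac(secret, payload), attestation["sig"]):
        return "blocked", "attestation signature invalid"
    if key_id in LEAKED_PAP_KEYS:          # Leaked Platform Attestation Key DB hit
        return "blocked", "attestation key is known leaked"
    if not payload.get("app_integrity_ok"):  # Wallet App integrity as attested by the PAP
        return "blocked", "wallet app integrity check failed"
    device_class = "/".join((payload["vendor"], payload["model"], payload["keystore"]))
    vulnerable_up_to = DEVICE_CLASS_VULNS.get(device_class)
    if vulnerable_up_to and payload["patch_level"] <= vulnerable_up_to:
        return "restricted", f"device class {device_class} vulnerable at patch {payload['patch_level']}"
    return "full", "no known issue"


def issue_token(wallet_instance_id, attestation):
    """MDVM side: bind the decision to the WI so WB and RWSCD can act on it."""
    body = {"wi": wallet_instance_id}
    body["capability"], body["reason"] = evaluate_attestation(attestation)
    return {"body": body, "mac": _mac(MDVM_TOKEN_KEY, body)}


def verify_token(token):
    """WB / RWSCD side: accept the capability only if the MDVM MAC is intact."""
    if not hmac.compare_digest(_mac(MDVM_TOKEN_KEY, token["body"]), token["mac"]):
        return None
    return token["body"]["capability"]
```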