From 793e9e450154eb65b9ec46e0119ac8f045ab801b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9C=D0=B0=D0=BA=D1=81=D0=B8=D0=BC=20=D0=A1=D0=BE=D1=85?= =?UTF-8?q?=D0=B0=D1=86=D1=8C=D0=BA=D0=B8=D0=B9?= Date: Sat, 16 Nov 2024 06:31:55 +0200 Subject: [PATCH 1/6] Update EUDI.md --- EUDI.md | 33 +++++++++++++++++++++++---------- 1 file changed, 23 insertions(+), 10 deletions(-) diff --git a/EUDI.md b/EUDI.md index 72282eb..0f67676 100644 --- a/EUDI.md +++ b/EUDI.md @@ -3,16 +3,7 @@ EU Digital Identity SYNRC CA server supports decentralized EUDI issuing architecture. -EUDI Architecture ------------------ - -* eIDAS Node -- State Certificate Authority -* EUID Wallet -- iOS/Android Application -* EUDI Provider -- OpenID for Verifiable Credentials (OpenID4VC) -* Personal Identification Data Provider (PP) -- Diia State Enterprise (PID) mDOC -* Attestation Providers (AT) -- Qualified and Non-Qualified Electronic Attestation (QEAA) of Attributes Schema Providers -* Qualifiied Electronic Signature Provider (QP) -- Qualified Certificates (QC) -* EUDI Verifier -- Verifiable Presentations +### PKIX vs OpenID4VC EUDI model has a similarity with PKIX. The same way person use a signed attribute set (a X.509 certificate from CSR attributes) 
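Review bot: the new "### PKIX vs OpenID4VC" heading in hunk @@ -3,16 +3,7 @@ is an ATX level-3 heading placed directly under the setext "EU Digital Identity" title and replaces a setext "-----" subheading, so the file now mixes two heading conventions; either keep the dashed underline or use "##" for every section heading. The retained context line "The same way person use a signed attribute set (a X.509 certificate from CSR attributes)" would also benefit from this pass: "a person uses" and "an X.509".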
@@ -24,3 +15,25 @@ However, unlike PKIX with its centralized model, EUDI provide distributed model without single root CA, where all parties bounded cryptographycally. Also, EUDI has more subtle and rigorous control over attributes (claims) like in ABAC model. + +### Holder, Issuer, Verifier + +In an OpenID4VC ecosystem, the Verifier and the Issuer are connected indirectly +through the credential lifecycle, with interactions primarily mediated by the Holder. +This architecture ensures trust without requiring a direct, continuous relationship +between the Verifier and the Issuer, adhering to privacy and decentralization principles. +The Verifier does not directly contact the Issuer during typical operations unless a status check is required. +The Holder acts as the intermediary, ensuring their privacy and control over the data being shared. + +EUDI Wallet acts as Holder, QEAA, EAA, PIP (TSPs) act as EUDI Providers or Issuers. EUDI Verifier perform +status verification of credentials and acts as Verifier. + +### Architecture + +* eIDAS Node -- State Certificate Authority +* EUID Wallet -- iOS/Android Application +* EUDI Provider -- OpenID for Verifiable Credentials (OpenID4VC) +* Personal Identification Data Provider (PP) -- Diia State Enterprise (PID) mDOC +* Attestation Providers (AT) -- Qualified and Non-Qualified Electronic Attestation (QEAA) of Attributes Schema Providers +* Qualifiied Electronic Signature Provider (QP) -- Qualified Certificates (QC) +* EUDI Verifier -- Verifiable Presentations From b5e031e93bd4bd6f9a9a82512f6cd4d4e28109c1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9C=D0=B0=D0=BA=D1=81=D0=B8=D0=BC=20=D0=A1=D0=BE=D1=85?= =?UTF-8?q?=D0=B0=D1=86=D1=8C=D0=BA=D0=B8=D0=B9?= Date: Sat, 16 Nov 2024 06:38:25 +0200 Subject: [PATCH 2/6] Update EUDI.md --- EUDI.md | 46 ++++++++++++++++++++++++++++------------------ 1 file changed, 28 insertions(+), 18 deletions(-) diff --git a/EUDI.md b/EUDI.md index 0f67676..f7f4951 100644 --- a/EUDI.md +++ b/EUDI.md 
@@ -3,18 +3,17 @@ EU Digital Identity SYNRC CA server supports decentralized EUDI issuing architecture. -### PKIX vs OpenID4VC +### Architecture -EUDI model has a similarity with PKIX. -The same way person use a signed attribute set (a X.509 certificate from CSR attributes) -for authentication and authorization in PKI, the OpenID4VC provider (PIP) envelops -set of attributes (digital presentation of claims) and -issue and Electronic Documents in mDOC format for EUDI Wallet. +EUDI is decetralized PKIX with ABAC level control over attributes. -However, unlike PKIX with its centralized model, -EUDI provide distributed model without single root CA, -where all parties bounded cryptographycally. Also, EUDI has more subtle -and rigorous control over attributes (claims) like in ABAC model. +* eIDAS Node -- State Certificate Authority +* EUID Wallet -- iOS/Android Application +* EUDI Provider -- OpenID for Verifiable Credentials (OpenID4VC) +* Personal Identification Data Provider (PP) -- Diia State Enterprise (PID) mDOC +* Attestation Providers (AT) -- Qualified and Non-Qualified Electronic Attestation (QEAA) of Attributes Schema Providers +* Qualifiied Electronic Signature Provider (QP) -- Qualified Certificates (QC) +* EUDI Verifier -- Verifiable Presentations ### Holder, Issuer, Verifier 
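Review bot: "decetralized" in the new summary line of hunk @@ -3,18 +3,17 @@ should be "decentralized", and "EUDI is decetralized PKIX" overstates what the moved "PKIX vs OpenID4VC" text actually claims (a similarity, plus the differences of no single root CA and ABAC-style control over claims); "EUDI can be seen as a decentralized PKIX with ABAC-level control over attributes" keeps the two sections consistent. The bullets moved up here still carry "EUID Wallet" and "Qualifiied".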
@@ -28,12 +27,23 @@ The Holder acts as the intermediary, ensuring their privacy and control over the EUDI Wallet acts as Holder, QEAA, EAA, PIP (TSPs) act as EUDI Providers or Issuers. EUDI Verifier perform status verification of credentials and acts as Verifier. -### Architecture +### PKIX vs OpenID4VC + +EUDI model has a similarity with PKIX. +The same way person use a signed attribute set (a X.509 certificate from CSR attributes) +for authentication and authorization in PKI, the OpenID4VC provider (PIP) envelops +set of attributes (digital presentation of claims) and +issue and Electronic Documents in mDOC format for EUDI Wallet. + +However, unlike PKIX with its centralized model, +EUDI provide distributed model without single root CA, +where all parties bounded cryptographycally. Also, EUDI has more subtle +and rigorous control over attributes (claims) like in ABAC model. + +CRLs and OCSP can create privacy concerns since they involve +querying a CA, potentially exposing the user's activity. +OpenID4VC mitigates this by enabling the Holder to mediate +the process, and some implementations avoid real-time statu +checks entirely by including cryptographic proofs within the +credential itself. -* eIDAS Node -- State Certificate Authority -* EUID Wallet -- iOS/Android Application -* EUDI Provider -- OpenID for Verifiable Credentials (OpenID4VC) -* Personal Identification Data Provider (PP) -- Diia State Enterprise (PID) mDOC -* Attestation Providers (AT) -- Qualified and Non-Qualified Electronic Attestation (QEAA) of Attributes Schema Providers -* Qualifiied Electronic Signature Provider (QP) -- Qualified Certificates (QC) -* EUDI Verifier -- Verifiable Presentations From 8b9b4962eefe55df1b2a672e945ccae84758dd0c Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?=D0=9C=D0=B0=D0=BA=D1=81=D0=B8=D0=BC=20=D0=A1=D0=BE=D1=85?= =?UTF-8?q?=D0=B0=D1=86=D1=8C=D0=BA=D0=B8=D0=B9?= Date: Sat, 16 Nov 2024 06:39:41 +0200 Subject: [PATCH 3/6] Update EUDI.md --- EUDI.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EUDI.md b/EUDI.md index f7f4951..c620f34 100644 --- a/EUDI.md +++ b/EUDI.md @@ -5,7 +5,7 @@ SYNRC CA server supports decentralized EUDI issuing architecture. ### Architecture -EUDI is decetralized PKIX with ABAC level control over attributes. +EUDI is decetralized PKIX with ABAC level control over attributes that is using JSON as encoding and HTTP as transport. * eIDAS Node -- State Certificate Authority * EUID Wallet -- iOS/Android Application From 8576cb57a2f57960ac6784ba217e322db673c7ca Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9C=D0=B0=D0=BA=D1=81=D0=B8=D0=BC=20=D0=A1=D0=BE=D1=85?= =?UTF-8?q?=D0=B0=D1=86=D1=8C=D0=BA=D0=B8=D0=B9?= Date: Sat, 16 Nov 2024 06:40:47 +0200 Subject: [PATCH 4/6] Update EUDI.md --- EUDI.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/EUDI.md b/EUDI.md index c620f34..6af3a9f 100644 --- a/EUDI.md +++ b/EUDI.md @@ -25,7 +25,7 @@ The Verifier does not directly contact the Issuer during typical operations unle The Holder acts as the intermediary, ensuring their privacy and control over the data being shared. EUDI Wallet acts as Holder, QEAA, EAA, PIP (TSPs) act as EUDI Providers or Issuers. EUDI Verifier perform -status verification of credentials and acts as Verifier. +status verification of credentials and acts as presentations Verifier. ### PKIX vs OpenID4VC From 1b0e0db07e94e13753a6eeabc6291d115d5d501b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9C=D0=B0=D0=BA=D1=81=D0=B8=D0=BC=20=D0=A1=D0=BE=D1=85?= =?UTF-8?q?=D0=B0=D1=86=D1=8C=D0=BA=D0=B8=D0=B9?= Date: Sat, 16 Nov 2024 06:47:24 +0200 Subject: [PATCH 5/6] Update EUDI.md --- EUDI.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/EUDI.md b/EUDI.md index 6af3a9f..bfbc9bd 100644 --- a/EUDI.md +++ b/EUDI.md @@ -1,7 +1,7 @@ EU Digital Identity =================== -SYNRC CA server supports decentralized EUDI issuing architecture. +SYNRC CA server supports EUDI. ### Architecture From 538e4929fc7d933ae3ca4b6e080babe8b6be6418 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?=D0=9C=D0=B0=D0=BA=D1=81=D0=B8=D0=BC=20=D0=A1=D0=BE=D1=85?= =?UTF-8?q?=D0=B0=D1=86=D1=8C=D0=BA=D0=B8=D0=B9?= Date: Sat, 16 Nov 2024 06:52:29 +0200 Subject: [PATCH 6/6] Update EUDI.md --- EUDI.md | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/EUDI.md b/EUDI.md index bfbc9bd..85d57d8 100644 --- a/EUDI.md +++ b/EUDI.md @@ -8,12 +8,12 @@ SYNRC CA server supports EUDI. EUDI is decetralized PKIX with ABAC level control over attributes that is using JSON as encoding and HTTP as transport. * eIDAS Node -- State Certificate Authority -* EUID Wallet -- iOS/Android Application -* EUDI Provider -- OpenID for Verifiable Credentials (OpenID4VC) -* Personal Identification Data Provider (PP) -- Diia State Enterprise (PID) mDOC -* Attestation Providers (AT) -- Qualified and Non-Qualified Electronic Attestation (QEAA) of Attributes Schema Providers -* Qualifiied Electronic Signature Provider (QP) -- Qualified Certificates (QC) * EUDI Verifier -- Verifiable Presentations +* EUID Wallet (Holder) -- iOS/Android Application +* EUDI Provider (Issuer) -- OpenID for Verifiable Credentials (OpenID4VC) +* Personal Identification Data (PID) Provider -- Diia State Enterprise (mDOC) +* Qualified and Non-Qualified Electronic Attestation of Attributes (QEAA) Schema Providers +* Qualifiied Electronic Signature Provider (QP) -- Qualified Certificates (QC) ### Holder, Issuer, Verifier
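Review bot: in patch 1/6, hunk @@ -24,3 +15,25 @@, the new Holder/Issuer/Verifier paragraph calls the Personal Identification Data Provider "PIP" while the re-added Architecture bullet abbreviates it "(PP)" and also contains "(PID)"; settle on "PID Provider" so the three spellings do not coexist. "EUDI Verifier perform status verification" needs "performs", and "EUDI Wallet acts as Holder, QEAA, EAA, PIP (TSPs) act as EUDI Providers or Issuers" reads as a single list until the second verb; a semicolon after "Holder" fixes it. The bullets re-added at the bottom keep "EUID Wallet" and "Qualifiied" from the block removed in the first hunk.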
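Review bot: in patch 2/6, hunk @@ -28,12 +27,23 @@, the sentence "some implementations avoid real-time statu checks entirely by including cryptographic proofs within the credential itself" should say what limits the lifetime of such a proof (for example a validity period), because a proof fixed at issuance cannot reflect a revocation that happens afterwards; the Holder/Issuer section above still says a status check may be required, so the two passages should agree on when a check is needed. "statu" is a typo for "status", and "where all parties bounded cryptographycally" in the moved text should read "where all parties are bound cryptographically".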
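Review bot: in patch 3/6, hunk @@ -5,7 +5,7 @@, the added clause "that is using JSON as encoding and HTTP as transport" conflicts with the PID bullet two lines below it, which names mDOC, a CBOR-based format rather than JSON; either restrict the encoding claim to the JSON-based credential formats or list both encodings. Grammar: "that uses JSON as encoding and HTTP as transport"; "decetralized" is still misspelled.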
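Review bot: in patch 5/6, hunk @@ -1,7 +1,7 @@, shortening the lead sentence to "SYNRC CA server supports EUDI." drops the only statement of which role the server plays; the removed wording said it supports the decentralized issuing architecture, i.e. the Issuer side described in the Holder, Issuer, Verifier section, and a reader of the new version cannot tell whether the server issues, holds or verifies credentials. Keep "supports EUDI issuing" or name the role explicitly.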
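Review bot: in patch 6/6, hunk @@ -8,12 +8,12 @@, the reworked bullets tag the Wallet "(Holder)" and the Provider "(Issuer)" but leave the Verifier bullet, now moved to second place, untagged; add "(Verifier)" so the three roles from the Holder, Issuer, Verifier section line up with the list. The new attestation bullet labels "Qualified and Non-Qualified Electronic Attestation of Attributes" as "(QEAA)", while the section below distinguishes "QEAA, EAA"; "(QEAA/EAA)" keeps the acronyms consistent. "EUID Wallet" (for EUDI) and "Qualifiied" survive yet another pass.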