
This draft regulation outlines a structured and verifiable process for registering relying parties. It ensures that all entities wanting to connect to the European Digital Identity Wallet (e.g., universities, banks, public authorities, service providers) are formally registered, transparent, and trustworthy across the EU.

Most Important Points

  1. Creation of National Registers: Each Member State must establish a national register of wallet-relying parties and make the information publicly accessible, both in human-readable and machine-readable form.

  2. Registration Policies: Member States must publish transparent rules for the registration process, including authentication procedures, required documents, and official data sources.

  3. Online and Automated Registration: Registration processes should be simple, digital, and (where possible) automated, with quick verification of applications.

  4. Certificates for Access and Registration: Wallet-relying parties must obtain access certificates, and possibly registration certificates, to be recognized by wallets throughout the EU.

  5. Suspension or Revocation of Registration: Registrations can be suspended or cancelled if the party provides false information, violates policies, or breaches EU/national law.

  6. Record-Keeping: Member States must store registration data and updates for a legally defined period (e.g., up to 10 years).

  7. Alignment with Existing Standards: The mechanism is designed to be compatible with standards like OpenID Connect, OAuth 2.0, and SCIM.

  8. Unique Identification: Each relying party is assigned a globally unique identifier to prevent impersonation or duplication.

  9. Authentication Mechanisms: Secure protocols (e.g., mutual TLS, signed tokens) are used to verify the identity of relying parties during interactions.

  10. Credential Management: Relying parties must securely manage their credentials (e.g., client secrets, certificates) and rotate them periodically.

  11. Policy Enforcement: Identity providers enforce access control policies and validate the trustworthiness of relying parties before granting access.

  12. Audit & Logging: All interactions are logged to enable traceability and detect suspicious behavior.

Implications for the Education and Research Wallet in Europe

  • Registration as a Wallet-Relying Party

    • The university or institution must be included in the National Register of its Member State to use the European Digital Identity Wallet for providing services (e.g., issuing diplomas or verifying student identity).

  • Prepare Required Documentation

    • Provide legal and institutional documents (e.g., official registration of the institution, authorization to issue academic certificates) for verification during the registration process.

  • Follow National Registration Policies

    • Comply with the Registration Policies published by the Member State (procedures for authentication, supporting documents, official sources for data verification).

  • Obtain Access Certificates

    • Acquire digital certificates that allow the institution to be recognized and authenticated by wallets across the EU.

    • If required, also obtain Registration Certificates indicating which attributes (e.g., degree, enrollment status) the institution is authorized to request from users.

  • Request Minimum Data Only

    • When interacting with a student’s wallet, request only the attributes strictly necessary (e.g., proof of enrollment or awarded degree). Requesting excessive data may breach the regulation.

  • Manage Suspension or Revocation Risks

    • Ensure continuous compliance with EU and national laws. Non-compliance could lead to suspension or cancellation of the institution’s registration.

  • Record-Keeping Obligations

    • Maintain records of registration information and updates for the legally required period (e.g., up to 10 years) in accordance with national and EU rules.
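As an added illustration (not text from the draft regulation, from DC4EU, or from this page), the following Python sketch shows the checks a wallet could run after a relying party's access certificate has already been verified: look the relying party up in a machine-readable national register by its unique identifier, refuse suspended or cancelled registrations, reject any attribute outside those the registration certificate authorizes (the "minimum data only" rule above), and write an audit record. The register format, its field names, the status values and the sample entries are constructed assumptions; certificate and mutual-TLS validation is assumed to happen before this step and is not shown.

```python
"""Wallet-side policy check of a relying-party attribute request.

Added example. The JSON register shape, field names and entries below
are constructed assumptions, not a schema from the regulation or DC4EU.
"""
import json
import logging
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple

# Constructed sample of a machine-readable national register.
REGISTER_JSON = """
[
  {"rp_id": "EU-DE-RP-000123",
   "name": "Example University (constructed)",
   "status": "active",
   "registered_attributes": ["enrollment_status", "degree_awarded"]},
  {"rp_id": "EU-DE-RP-000999",
   "name": "Example Suspended Service (constructed)",
   "status": "suspended",
   "registered_attributes": ["enrollment_status"]}
]
"""

# Assumed registration states; only "active" may receive attributes.
KNOWN_STATUSES = {"active", "suspended", "cancelled"}

audit_log = logging.getLogger("wallet.audit")


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    disallowed_attributes: Tuple[str, ...]


def load_register(text: str) -> Dict[str, dict]:
    """Parse the register and index it by rp_id.

    A duplicated rp_id is treated as a register integrity error, since the
    identifier is meant to be globally unique.
    """
    register: Dict[str, dict] = {}
    for entry in json.loads(text):
        rp_id = entry["rp_id"]
        if rp_id in register:
            raise ValueError(f"duplicate rp_id in register: {rp_id}")
        if entry["status"] not in KNOWN_STATUSES:
            raise ValueError(f"unknown status {entry['status']!r} for {rp_id}")
        register[rp_id] = entry
    return register


def evaluate_request(register: Dict[str, dict], rp_id: str,
                     requested_attributes: Iterable[str]) -> Decision:
    """Decide whether a relying party may receive the requested attributes.

    Every decision, allowed or not, is written to the audit log so that
    over-broad or unregistered requests can be traced later.
    """
    requested = tuple(requested_attributes)
    entry = register.get(rp_id)

    if entry is None:
        decision = Decision(False, "relying party not in register", requested)
    elif entry["status"] != "active":
        decision = Decision(False, f"registration is {entry['status']}", requested)
    else:
        # Attributes not covered by the registration certificate are refused
        # as a whole: the wallet does not silently trim the request.
        excess = tuple(a for a in requested
                       if a not in entry["registered_attributes"])
        if excess:
            decision = Decision(False, "request exceeds registered attributes", excess)
        else:
            decision = Decision(True, "ok", ())

    audit_log.info("rp_id=%s requested=%s allowed=%s reason=%s",
                   rp_id, requested, decision.allowed, decision.reason)
    return decision


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    reg = load_register(REGISTER_JSON)
    print(evaluate_request(reg, "EU-DE-RP-000123", ["enrollment_status"]))
    print(evaluate_request(reg, "EU-DE-RP-000123",
                           ["enrollment_status", "date_of_birth"]))
    print(evaluate_request(reg, "EU-DE-RP-000999", ["enrollment_status"]))
```

The design choice worth noting is that an over-broad request is refused outright rather than trimmed to the authorized subset: the institution learns immediately that its request exceeds its registration, and the audit entry records exactly which attributes were out of scope.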


Related Standards

This regulation does not directly list technical standards but rather establishes the governance and legal framework for registers and certificates.


Feedback from DC4EU

The DC4EU consortium’s feedback on this draft regulation stresses that registration processes must be harmonised across Member States to avoid fragmentation and calls for national registers to provide transparent, machine-readable information. The consortium raises technical concerns about the regulation’s reliance on specific standards, notably the mandatory use of X.509 PKI certificates and older specifications such as RFC 5755 and RFC 9162, which they believe may create unnecessary complexity and poor interoperability. Instead, they recommend considering modern alternatives, including distributed ledger technologies (DLT) or JSON-based approaches, rather than older ASN.1 structures.

The feedback also emphasises the importance of efficient, automated registration processes that work quickly and consistently, regardless of national differences in access to official data. They call for clearer rules on the issuance, suspension, and revocation of access and registration certificates, as well as timely notification to affected entities. Concerns are expressed about provisions that allow suspension or deregistration without prior notice, which they argue undermines legal certainty; they propose introducing formal redress mechanisms. Overall, DC4EU urges that the regulation be more technically adaptable, legally transparent, and uniformly implemented across the EU to build trust and avoid unnecessary burdens.

DRAFT
