eudi-doc-architecture-and-reference-framework

Service interoperability for EUDIW

Open GSMA-EIG opened this issue 1 year ago • 1 comments

The ARF details several protocols that will ensure technical interoperability for the EUDIW. However, service interoperability is also needed. Let’s take, for example, a European citizen from country A who wants to buy a prepaid SIM in country B. Country B’s regulation stipulates the MNO must request specific attributes beyond PID. However, the required additional attributes in Country B are different from those in Country A. It could be the same in all sectors with national legislations, including e.g. healthcare. It is therefore important that the data in wallets in country A corresponds with the data mandated by Country B and vice versa. How will this issue be tackled?

Furthermore, the regulation in one country might require a specific level of security or privacy that could prevent a service which works inside one country with the wallet of this country from working in another European country. For example, in country C a given service may require level of assurance substantial; the same service in other countries might be mandated by local regulation to use level of assurance high and the related data might not be available at level high in the wallets of country C. How and where will this issue be tackled?

GSMA-EIG, Nov 01 '23 13:11

Thank you for your comment.

The ARF (Annex 2, Topic 12) stipulates that for every type of attestation, there must be an attestation rulebook, that defines the mandatory and optional attributes of that attestation. For the PID, the PID rulebook is published as an annex (annex 3.1) to the ARF - this ensures that Relying Parties know what minimum PID attributes they can request.

For other attestation types, section 5.3 of the ARF main document says "The rulebook for an attestation intended to be used across organisations and/or across borders can be defined by an organisation in which, insofar possible, all stakeholders are represented." Relying Parties are of course among these stakeholders. This implies that if a given Relying Party knows or foresees that they have a need for some specific attributes, they should make sure that these attributes are included in the relevant Rulebook.

The same goes for countries that have specific requirements regarding a Level of Assurance - they should make sure they are represented when the relevant Rulebook is drafted and that this Rulebook stipulates that the attestation in question is issued at (e.g.) LoA High.

We hope this answers your question.

digeorgi, Sep 12 '24 12:09