by Giancarlo Degani, Romualdo Carbone, Pasquale Chiaro, Gianluca Markos and Mayra Ovando – INFOCERT
IMPULSE is the new paradigm for Identity Management in PUbLic SErvices, in which blockchain technology exposed in EBSI-ESSIF will be the driver of a new vision of the eID, more equitable and with the direct self-control of the citizens.
The IMPULSE solution is a new identity system aligned with eIDAS, based on the decentralised SSI (Self-Sovereign Identity) model, and oriented to the Public Administrations (PAs) of the European Union. IMPULSE helps PAs improve their services by adding authentication based on an SSI model, with a trusted blockchain framework and Verifiable Credentials (VCs). For this reason, INFOCERT pushed for the choice of the EU EBSI-ESSIF framework [1], released by the EBP (European Blockchain Partnership), and for a potential contribution to the future release of the EU eIDAS 2.0 Wallet within the IMPULSE project.
EBSI-ESSIF is a framework whose technological level corresponds to the needs of the IMPULSE project. In addition, it is highly trusted by the PAs and can be integrated with the eIDAS 2.0 framework. This integration will be improved and discussed with the EC, in the context of the official EU eIDAS 2.0 Wallet, by the EBP-EBSI team during the Early Adopters Programme [2]. IMPULSE is the Proof of Concept for this union of vision and technology between the two institutional initiatives of the EC, i.e., EBP and eIDAS.
The PA services will be available through the IMPULSE Mobile App (Wallet, Biometric AI eID solution), whose purpose is to identify the citizen in the authentication phase with Verifiable Credentials (VCs) generated and managed in an SSI model. In the ESSIF blockchain framework, IMPULSE will register the VCs after the onboarding phase of the users with a trusted Issuer. In this way, future cross-border validation of these VCs could be managed by a third party acting as Verifier. The IMPULSE wallet App stores the VCs on the citizen's mobile phone with a secure level of authentication and a strong cryptographic mechanism. Before being stored on the device, the VCs are certified and signed with a Qualified Seal Remote Service to obtain the highest level of security against identity fraud. This is made possible by the INFOCERT Remote Qualified Seal Service. The INFOCERT QSeal service is aligned with eIDAS standards and with the latest technical guidelines from the EC. Specifically, the VCs are signed in JWS/JAdES format, as requested by the most recent eIDAS guidelines (as per the current references) and by the EBSI/ESSIF specifications.
INFOCERT – Remote Qualified Seal Service: Verifiable Credential and Verifiable Presentation
The INFOCERT Remote Qualified Seal (QSeal) Service is dedicated to the signature and validation of “Verifiable Credential” and “Verifiable Presentation” data structures. The service has been designed and built following the guidelines and object definitions contained in the EBSI specifications [3]. The validation engine in use is a specialisation of the CEF BB reference implementation “sd-dss” [3], [4]. The report produced for the validation of JAdES and JWS signatures is in an INFOCERT proprietary format, which will be shared in the IMPULSE project only with verified Issuers and Verifiers already registered as trusted Issuer/Verifier in the EBSI-ESSIF framework.
The INFOCERT Remote QSeal Service aims to offer a complete solution to:
- generate the needed cryptographically-secure JAdES/JWS signature that encloses compliant DID elements such as VCs and VPs.
- validate a signed VC/VP, enforcing checks on the signature integrity and on the reliability and revocation state of the signatory certificate.
The service is protected at two different levels of authentication: one dedicated to the REST resources and the other connected with an offline onboarding phase with the Issuer. To use the service, Issuers are required to comply with a lightweight vetting procedure, which is built to ascertain the identity of the requesting subject and its authorisations before the completion of the onboarding.
The INFOCERT Remote QSeal Service is already available to any entity (Public Administration or private company) that wants to build a secure and qualified service for VC signature. It is aligned with the eIDAS 2.0 wallet qualified signature specification, so if you are a supplier for it, do not hesitate to contact us. You are welcome! Contact us at INFOCERT to connect your Identity wallet to this Remote QSeal Service for VCs.
[1] https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/EBSI
[2] https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/Early+Adopters+Programme
[3] General documentation: https://ec.europa.eu/digital-building-blocks/wikis/display/EBSIDOC/General
[4] Signature and validation: https://ec.europa.eu/digital-building-blocks/wikis/display/EBSIDOC/E-signing+and+e-sealing+Verifiable+Credentials+and+Verifiable+Presentations
[5] Supported VC formats: https://ec.europa.eu/digital-building-blocks/wikis/display/EBSIDOC/Data+Models+and+Schemas