On 10 February 2023, the European Union published an exciting document with an incredibly complicated name: The Common Union Toolbox for a Coordinated Approach Towards a European Digital Identity Framework: The European Digital Identity Wallet Architecture and Reference Framework, or ARF. We will dive into this document and what it means for Europe and for Dusk Network here, and to keep things brief, will follow the EU’s own suggested abbreviations for this document: EUDI and ARF.
The concept of a European Digital Identity (EUDI) has been brewing for a while now. All the way back on the 3rd of June 2021, the European Commission announced its intention to lead the way in making this product available to all European citizens. Now, almost two years later, the EU is ready to start moving on to the piloting phase. But piloting what?
In effect, EUDI is a form of identification that can be used by any citizen of any European Union member state, by any company operating in the European Union, and accepted by any business or government agency in the European Union. Rather than replacing pre-existing identity mechanisms (i.e. national ID cards), EUDI sits alongside those as an auxiliary digitized identity system. For example, a bank in the Netherlands would continue to accept the Dutch identity card for new account openings, but would also accept EUDI for non-Dutch residents, meaning that the bank would only need to support two forms of identity verification. This is a step forward from banks’ current options: either learn how to support a plethora of identity certificates or restrict services to people with Dutch IDs.
EUDI would not, however, be limited to the services that a member state’s identity card is used for; it would also extend to any interaction where attributes about a person need to be proven. The use cases that the EU itself identified are wide-ranging, including:
- Secure and trusted identification to access online services
- Mobility and digital driving license
- Professional business certifications
- Paying for things where different prices occur, such as toll roads
- Health records such as patient summaries, or ePrescriptions
- Educational credentials and professional qualifications
- Digital Finance products
- Digital Travel Credentials (such as passports and visas)
Currently, proving identity and credentials in the European Union is confusing and prone to errors. A huge number of different certifications are needed for whatever it is that a citizen is trying to do, and these also differ in number and style from member state to member state. True to the European mission to harmonize all member states into a single trade and travel area, the EU wishes to solve this problem with one single EUDI for all.
What is ARF?
ARF is a recent document that marks the beginning of the EUDI pilot phase. It is essentially a checklist for each member state to agree upon and harmonize before piloting can commence. This includes:
- Defining roles and responsibilities of every player in the EUDI process.
- Outlining functional and non-functional requirements of the EUDI Wallet.
- Identifying potential building blocks.
Since each member state’s implementation of EUDI needs to be interoperable with all the others, it is critical that everyone starts by building on the same set of standards and using consistent terminology. This is important when it comes to specifics like certifying the validity of an ID or document. For example, if a certificate has an expiry date, it should automatically become invalid on or after that date. But should the issuer also have the ability to revoke the certificate at any point before the certificate naturally expires? And if something is valid ‘until it is revoked’, does it need an expiry date just in case? The ARF sets guidelines for how all these things should be set up, how the information would flow between the parties involved, and who should have access to what.
This is crucial, given that multiple parties are involved in even a simple transaction like issuing a discount rail ticket to a student. In this example, the parties include:
- The student.
- The railway operator.
- The university (which verifies the student’s status).
- A national student body (who may also have to verify the student).
- The operator of the railway station (if different from the operator).
- The train ticket website that sold the ticket.
As you can see, even a seemingly simple transaction like purchasing a train ticket for a student can involve up to six different parties. Can you imagine what kind of complexity might be involved in dealing with sophisticated financial instruments?
Why does Dusk Network welcome this?
At Dusk Network we believe that the ARF specifications are an important step towards improving privacy and security in the EUDI process: two of our main priorities. The above (fairly simple) example of a student purchasing a train ticket highlights the need for selective disclosures. They would allow individuals to share only the necessary information, while simultaneously making unsafe practices like sharing copies of IDs or requiring personal data completely obsolete. You can think of selective disclosures like showing someone your driving license, but with your fingers covering all the information except your photo, since that is all that is really needed.
Data leaks are becoming increasingly common in society, and we at Dusk are alarmed that even the simplest of transactions carry a big potential for data leakage. The easiest way to protect users and organizations is to either store data in a secure encrypted format or to not get any exposure to it.
To address this concern, the ARF specifications point to an EUDI that must have features such as certificate issuance and revocation, encryption, secure transfer of identity and other personal information, and a range of selective disclosure options.
That sounds a little familiar, doesn’t it?