ENISA issues new EUDI Wallet recommendations in report on digital ID standards
From ITU and ICAO to NIST and FIDO, organizations across the world have been working on a multitude of standards in the area of digital identity. A new report from the European Union Agency for Cybersecurity (ENISA) is attempting to help digital ID creators find their way through this alphabet soup while formulating recommendations for standard makers.
The Digital Identity Standards report, released in July, proposes new recommendations for standardization organizations, government agencies and policymakers. Special attention is paid to the European Digital Identity (EUDI) Wallet, a project that will give each European citizen and business unique and verifiable credentials and that has recently kicked off pilots across the continent.
One of ENISA’s key recommendations for policymakers regarding the EUDI Wallet is finding a clear legal definition of the term “digital identity.” Another is to use the new Digital Markets Act to provide direct access from the mobile application to the security anchor provided by EU CC-certified secure elements available on smartphones.
The cybersecurity agency also wants European organizations to standardize the EUDI Wallet interfaces with QTSP, relying parties, devices, existing national eID documents and existing eIDAS node infrastructures. Another issue that requires standardization is the privacy evaluation methodology for EUDI and digital identities in general.
ENISA wants European standardization organizations to coordinate and divide responsibilities to avoid doing double work. The bloc should adopt standards such as ISO/IEC 18013-5 and the ISO/IEC DIS 23220 series as European norms, the report states.
Standardization organizations should also define a harmonized authentication protocol between the EUDI Wallet and the relying parties and prepare a generic code-of-conduct methodology to be applied to the (Q)TSP and the EUDI Wallet.
The final set of recommendations is aimed at ENISA itself as an agency dedicated to achieving a high common level of cybersecurity across Europe. This includes publishing overviews of endorsed digital ID standards and existing digital ID models, and assessing impacts on cybersecurity standards.
According to the recommendations, ENISA should also create ad hoc groups to address potential EUDI Wallet vulnerabilities and cooperate with other standardization organizations in assisting EU institutions, bodies and agencies, EU Member States and private organizations.
Aside from providing recommendations for the EUDI Wallet, the report gives an overview of the most important standards and standardization organizations, including European and international organizations, commercial forums and consortiums as well as national organizations. It also analyzes different digital identity standards covering several areas, from policy and governance to technical and operational specifications.
The areas covered include general standards used in trust services and identity management, such as identity proofing, biometrics and presentation attack detection. In addition, the paper delves into specific groups of standards, such as the International Civil Aviation Organization’s (ICAO) electronic travel documents, mobile driving licenses (mDLs) and mobile eIDs, X.509 public key certificates, Security Assertion Markup Language (SAML), OpenID Connect, FIDO2, and Self-Sovereign Identity (SSI). A matrix maps each of these standards to its areas of application within eIDAS 2.0.