EU gathers feedback on EUDI Wallet certification, implementation

As the European Union approaches the launch of its digital identity project, feedback on the certification of the conformity of EU Digital Identity (EUDI) wallets has been collected from the public and several influential voices in tech.

Monday was the last day to send opinions on cybersecurity certification schemes.

The EUDI Wallet certification process and technical specifications were outlined in the Implementing Acts to ensure uniform implementation of wallets across Europe.

According to the European Digital Identity (EUDI) Regulation, which entered into force in March, the Implementing Act would have to be adopted six to 12 months after the regulation’s approval.

EU member states are required to provide their citizens with EUDI wallets within 24 months after the Implementing Acts’ adoption. If a member state cannot use European cybersecurity certification schemes, it is required to establish a national certification scheme.

The bloc also launched large-scale pilot projects in April last year to test EUDI Wallet technical specifications and prototypes across multiple industries and countries.

Recommendations for certification under the Implementing Acts

With the Implementing Acts, the EU has established certification requirements for the Wallet Secure Cryptographic Device (WSCD) and the Wallet Secure Cryptographic Application – an important step in ensuring the EUDI Wallet is secure. But regulators still need to overcome challenges, Jan Lindquist wrote in a blog post this week.

“While the WSCD certification under Common Criteria is a positive step forward, there are significant challenges when it comes to certifying both the WSCD and WSCA as part of the same system,” he says. “This is particularly evident when considering composite evaluation in the Common Criteria framework.

Currently working on mobile security for digital security solutions company Cryptomathic, Lindquist has been working on ISO standardization and is the co-editor of ISO/IEC 27560 on consent record information structure.

His EUDI Wallet deep dive recommends introducing an independent cryptographic layer between the WSCA and WSCD and adopting a more flexible certification process for the WSCA. The Implementing Acts review is the perfect opportunity for these changes, he concludes.

The problem of oversharing through EUDI Wallet

One of the achievements of the EUDI Wallet is allowing users to control how and where they share data with organizations. However, it is still unclear how wallet users will decide what to share or how to prevent the over-sharing of data, a new paper published by a group of Dutch researchers argues.

EUDI Wallet users may be influenced or manipulated into sharing more data than they would like. They could also experience what the authors call “request fatigue,” an overload of requests to share data during which users agree to data sharing just to get through the process.

“Having qualified data to share increases the impact of oversharing and also makes them a more interesting target for ‘data-hungry’ relying parties,” says Henk Marsman, an independent researcher and one of the study’s authors. “When data requests cannot be unbundled the risk of over-sharing is also affected.”

Users are also often unaware of what data is being shared and with whom nor are they aware of the consequences of sharing their data. More research into mitigating measures is necessary, the paper concludes. The analysis was validated by 16 experts working in Dutch organizations that play a role in the EUDI Wallet, according to the authors.

EUDI wallet is setting important standards: WWW inventor

The EU is setting an “important bar” for digital identity wallets and enforcing a standard for credentials, says Tim Berners-Lee, the British computer scientist best known as the inventor of the World Wide Web.

“Once that foundation is commonly available, consumers and citizens will start to expect their wallets to store more and more kinds of data,” he recently told tech news outlet The Next Web. “And organizations will think of more and more ways to serve them via their wallets.”

Berners-Lee is currently working on his startup Inrupt which launched a digital wallet in July this year. The goal is to develop a universal data wallet infrastructure built on open standards that can offer interoperability across multiple services.

Current digital wallets are siloed, they offer a restricted number of applications while the services often request data from users.

Inrupt wants its wallet to open data silos and connect multiple apps as “an extension of the web,” according to Berners-Lee. Information is securely hosted in personal data “pods” and can be reused across apps, services and AI systems with the user maintaining control.

“Almost anything I can use an app to do today, I’ll be able to do from my data wallet tomorrow,” he says.

Article Topics

biometrics  |  certification  |  Cryptomathic  |  digital identity  |  digital wallets  |  EU Digital Identity Wallet  |  Inrupt  |  standards