Digital Identity Wallet: A place for your self-sovereign identity

Illustration: Digital Identity Wallet

This article explains what a wallet is, how it works and how you can use it for managing your digital identity. While there are also wallets for institutions, this article only focuses on wallets for end users. The article also takes into consideration the revised eIDAS regulation including the ‘European Digital Identity Wallet’.

An Introduction

A digital wallet is a key management application, which provides a user with a graphical interface to store, manage and secure digital keys. These keys can be used to sign transactions, statements, credentials, documents or claims.

A digital identity wallet enables a user to establish relationships and interact with third parties in a trusted manner. While the wallet aspect is mainly dealing with key management, storage aspects and the graphical interface (UI = User Interface), the third party interactions are rather organised by your agent, which is a part of your wallet. Your agent handles third-party interactions in your name and acts in your interest. It is a piece of software, which helps you to stay in control of your messaging, security, health records, privacy, purchases etc.

A digital identity wallet based on self-sovereign identity (SSI) principles.

Not all wallets are the same! A wallet is a piece of technology, which can be implemented in different ways. While it can leverage decentralised identifiers (DIDs) and verified credentials, it doesn’t necessarily need to follow the principles of SSI. There are cloud wallets, which are hosted and provided by a third party. A good comparison is a wallet for cryptocurrencies — think of an exchange like Coinbase or Binance. These companies offer you a hosted wallet, which you don’t control. You might have the authentication means (password + second factor) to access your wallet, but it’s not yours. In this case, you are the owner, but not the possessor and you don’t have data sovereignty. This is in stark contrast to so-called self-custody wallets, which you install on your device. These wallets randomly create a private key, which only you know. The key point is that your wallet creates keys for you, which only you know and not a third party.

A digital identity wallet, which follows the principles of SSI enables the user to have data sovereignty and complete control as well as data portability. It provides you with the necessary autonomy to be independent of a third party. It not only enables ownership but also possession. It enables transparency and explicit consent when sharing information. It’s also vendor-independent, meaning you can export your data and import it into another wallet of your choice since it is built on open standards, which are widely used. It also creates peer identifiers for every new contact or rather an interaction, instead of getting an identifier assigned to it.

The core functions of an SSI wallet

Please note that the described characteristics below are not universally valid for all (SSI) wallets. It’s rather a desired status.

Interactions in an SSI ecosystem, picture by Adrian Doerk from Lissi.

Establish trusted relationships with third parties:
The wallet can create an encrypted communication channel to exchange information between you and a (trusted) third party. This communication channel is based on a unique identifier, which you control. Hence it is not hosted by a third party. This in turn enables you the portability of communication channels. Meaning if you switch from one wallet to another you can use the communication channels, which you already created without the reliance on any third-party platform.

Store, organise and present verified data:
The user can store and manage (verified) credentials among other information within the wallet. Once in the wallet, credentials can be used to answer a proof request from every connection. The wallet creates a verifiable presentation, which the user can choose to send or instead decline the proof request. Users are also able to verify the identity of the other party, effectively establishing a trusted relationship, which can be leveraged to share and receive information within a defined trust framework such as the eIDAS regulation. This trust might be based on an electronic seal or similar trust mechanisms. However, this might not be the case for all contacts.

The information exchanged can be verified, but can also be self-attested or just proof a certain threshold without revealing the exact information like your age when proofing you are 18 or older.

A transparent history of shared data:
Since the wallet usually keeps a history of interactions, the user can track who shared what data and when. This leads to greater transparency for the user and helps to better exercise data protection rights. A framework for the integration of detailed consent forms is currently under development.

Self-custody: With great control comes great responsibility

These digital wallets run locally as an application on the device of the user. From a technical perspective, these wallets are similar to self-custody wallets for cryptocurrencies. Similar to these wallets the user has the responsibility to do a backup.

Identification, authentication and authorization:
Before diving deeper into the core functions of a digital wallet we need to understand the differences between the three words above. The questions are from the perspective of the verifier or issuer.

Identification answers the question: “Who is I’m talking to?”
Authentication answers the question: “Is it you (whom I’ve identified already) again?”
Authorization answers the question: “What rights do I want to grant you?”

The wallet can enable a variety of additional functions and thus serves as a central point for the user to manage and access services. For example, the wallet can be used to replace traditional authentication methods such as passwords with a single sign-on (SSO) functionality. Furthermore, existing standards such as the OpenID Connect protocol can also be connected to enable communication with existing infrastructure. Hence, once widespread adopted the wallet will completely replace passwords for you and enable you to identify and authenticate yourself, identity third-parties as well as authorise third-parties to use your data according to your permissions.

The European Digital Identity Wallet

Illustration: European Digital Identity Wallet

The main regulation within the European Union, which addresses the topic of identification (among other topics) is the regulation on electronic identification and trust services for electronic transactions in the internal market better known as eIDAS regulation. The regulation just went through a major revision and now includes several aspects regarding self-sovereign identities in its draft version. It also includes the aspect of a European Digital Identity Wallet, which “is a product and service that allows the user to store identity data, credentials and attributes linked to her/his identity, to provide them to relying parties on request and to use them for authentication, online and offline, for a service in accordance with Article 6a; and to create qualified electronic signatures and seals”.

In the following, the European Digital Identity Wallet is referred to as “EU Wallet” for simplicity.

Functions of the EU Wallet:

It should technically enable the selective disclosure of attributes to relying parties. Member States should also reach an agreement on common elements of a business model and fee structure of the EU Wallets. The EU Wallet will furthermore enable citizens to create qualified electronic signatures that can facilitate political participation among other functions.

EU Wallets shall enable the user to:

• securely request and obtain, store, select, combine and share, in a manner that is transparent to and traceable by the user, the necessary legal personal identification data and electronic attestation of attributes to authenticate online and offline to use online public and private services;
• sign statements or contracts utilising qualified electronic signatures (QES)
• have full control of the EU Wallet. The issuer of the EU Wallet shall not collect information about the use of the EU Wallet which are not necessary for the provision of the EU Wallet service.
• use it free of charge (natural persons).
• access the wallet for persons with disabilities.

The EU Wallets shall provide a common interface:

• to qualified and non-qualified trust service providers issuing qualified and non-qualified electronic attestations of attributes.
• for relying parties to request and validate personal identification data and electronic attestations of attributes.
• for the presentation to relying parties of personal identification data, electronic attestation of attributes or other data such as credentials, in local mode not requiring internet access for the wallet.

Furthermore, the EU Wallets need to:

• ensure that trust service providers of qualified attestations of attributes cannot receive any information about the use of these attributes.
• meet the requirements in regards to assurance level “high”, in particular as applied to the requirements for identity proofing and verification, and electronic identification means management and authentication.
• provide a mechanism to ensure that the relying party is able to authenticate the user and to receive electronic attestations of attributes;
• ensure that the personal identification data uniquely and persistently represent the natural or legal person is associated with it.

An EU Wallet shall be issued:

(a) by a Member State;
(b) under a mandate from a Member State;
(c) independently but recognised by a Member State.

The draft regulation requires Member States to issue a EU Wallet under a notified eID scheme to common technical standards following a compulsory compliance assessment and voluntary certification within the European cybersecurity certification framework, as established by the Cybersecurity Act.

Service providers should communicate their intent to rely on the EU Wallets to the Member States. Relying on the level of assurance “high”, the EU Wallets should benefit from the potential offered by tamper-proof solutions such as secure elements.

The conformity of EU Wallets should be certified by accredited public or private sector bodies designated by Member States. Certification should in particular rely on the relevant European cybersecurity certifications schemes. The EU Wallet Trust Mark’ means an indication in a simple, recognisable and clear manner that a EU Wallet has been issued in accordance with this Regulation.

The Commission shall establish, publish and maintain a list of certified European Digital Identity Wallets.

Where are heading? A personal opinion:

• A wallet acts as a central point to manage interactions in a digital world. It will be the standard for identity management and be ubiquitous in everyday life.
• Technology is moving fast. While standardisation is taking quite a while, institutions and governments have recognised the need for innovation in this area to secure data sovereignty and not be dependent on a foreign oligopoly of companies with irresponsible business practices.
• Dozens of use-cases from different industries are explored in parallel and will be available in the upcoming months.
• Over time digital wallets for pure identity management and financial applications (e.g. cryptocurrencies or central bank digital currencies (CBDC)) are likely to merge.
• The draft of the revised eIDAS regulation of the European Union is the most comprehensive and ambitious step towards SSI internationally.
• While the exact implementation and technical specifications of the EU Wallets are still to be determined, their compulsory issuance for the EU Member States as well as the compulsory acceptance for big platform providers will have a tremendous international impact.
• Key management is an issue, which still needs to be solved. This means, the user also has the responsibility of having a secure backup solution to restore the wallet in case of lost access.

Sources used:

• Amending Regulation (EU) No 910/2014 as regards establishing a framework for a European digital Identity (eIDAS Draft).
• The current and future state of digital wallets, Darrell O’ Donnell,
• Making sense of digital Wallets, Digital Identification and Authentication Council of Canada (DIACC)
• Digital wallet and digital agents, Self-sovereign identity, manning publications
• What is a wallet, Kaliya Young
• What goes in a wallet, Daniel Hardmann, W3C CCG
• Security, Siloes and sovereignty, Daniel Hardman

About the author:

Adrian Doerk is a trained IT-System Electrician and has a degree in international business. He focuses on data sovereignty for individuals, institutions and governments. Currently, he works at main incubator where he leads the business development for Lissi and is also responsible for the communication at IDunion. He’s also active in foundations such as DIF and ToIP. SSI Ambassador is a private educational endeavour.

Disclaimer:

This article does not represent the official view of any entity, which is mentioned in this article or which is affiliated with the author. It solely represents the opinion of the author.