
EBSI Verifiable Credentials Playbook


Context

Building on the W3C's Verifiable Credentials (VC), the GDPR and other relevant EU Regulations, EBSI aims to create a generic profile for the full life-cycle of verifiable credentials and presentations for use cases that involve VCs (not exclusive).

This document summarises the technical standards, specifications, and decisions that were accepted in order to meet the business requirements of the Use Cases.

The diagram below shows the relations between actors (Trusted Accreditation Organisations [TAO], Holders, Issuers, Verifiers), use cases, wallet providers, standards and regulations (W3C Verifiable Credentials and DIDs, GDPR), and the EBSI VC Playbook (this document).

Relations between actors, playbook and standards


The lifecycle of verifiable credentials is summarised in the table below.

| EBSI Verifiable Credentials Lifecycle | W3C's Verifiable Credentials Lifecycle | Guidelines |
|---|---|---|
| Step 1: Registration and onboarding of actors (Trusted Accreditation Organisation, Holder, Issuer, Verifier) | Out of scope of W3C's Lifecycle. | Onboarding and Accrediting Legal Entities - Learn how Legal Entities onboard on EBSI; Examples of onboarding and accreditation of Legal Entities; Onboarding Natural Persons - Learn how Natural Persons onboard on EBSI |
| Step 2: Issuing and Storage of Verifiable Credential | Issuance of one or more verifiable credentials. Storage of verifiable credentials in a credential repository (such as a digital wallet). | Verifiable Credential issuance guidelines - Learn how holders request and issuers issue Verifiable Credentials |
| Step 3: Sharing Verifiable Presentation | Composition of verifiable credentials into verifiable presentations and verifiable presentation exchange. Verification of the verifiable presentation by the verifier. | Verifiable Presentation exchange guidelines - Learn how a verifier requests and holder presents Verifiable Credential(s) using Verifiable Presentation(s) |
| Step 4: Managing schemas | Out of scope of W3C's Lifecycle. | Managing schemas in the Trusted Schemas Registry - Learn how to verify, register, and manage schemas in the Trusted Schemas Registry |

EBSI profile of W3C Verifiable Credentials (VC)

EBSI departs from W3C's Verifiable Credentials specification to create a generic profile for VCs, presented below:


Key elements of EBSI's Verifiable Credentials and Verifiable Presentations

| | EBSI V2 | Actors | Examples |
|---|---|---|---|
| Formats | | | |
| DID Document | JSON-LD | Issuers, Holders, Verifiers (optional) | EBSI DID scheme and DID Document - Learn about the EBSI DID scheme and DID Document data model with examples |
| Verifiable Credentials / Verifiable Presentations | JWT | Issuers, Holders, Verifiers | Verifiable Credential and Verifiable Presentation in JWT format - Find example Verifiable Credentials and Verifiable Presentations in JWT format |
| Profile of W3C VCs / Core data model / Credentials | | | |
| Structure of Verifiable Credentials | Verifiable Attestation (Data models, schemas and TSR entries); Verifiable Authorisation (Data models, schemas and TSR entries) | Issuers, Holders, Verifiers | |
| Profile of W3C VCs / Core data model / Presentations | | | |
| Structure of a presentation | Verifiable Presentation (Data models, schemas and TSR entries) | Holders, Verifiers | |
| Profile of W3C VCs / Basic Concepts / Proofs (Signatures) | | | |
| Proofs of Verifiable Credentials / Presentations | Mandatory: JWS. Optional: JAdES, CAdES | Issuers, Holders, Verifiers | Verifiable Credential and Verifiable Presentation proofs - Learn how to sign VCs and VPs in a JSON-JWT format |
| Supported signing algorithm(s) | Mandatory: ECDSA ES256. Optional: RSA (RS256), ECDSA (ES256K, ES256), EdDSA | Issuers, Holders, Verifiers | ECDSA with SHA256; RSA PKCS#1 with SHA256; EdDSA; Examples: connect2id examples |
| Protocols defined by EBSI (the W3C does not define any protocol for transferring verifiable credentials and verifiable presentations) | | | |
| VC Issuance protocol | OpenID Connect - Self-Issued OpenID Provider v2 | Issuers, Holders | Credential issuance implementation guidelines |
| VP Exchange protocol | OpenID Connect - Self-Issued OpenID Provider v2; OpenID Connect - OIDC for Verifiable Presentations | Holders, Verifiers | Presentation exchange implementation guidelines |
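
The proof profile above (JWS, with ECDSA ES256 mandatory) as an added example, not EBSI's own code: a verifier that takes the accepted algorithm from its own policy rather than from the token header, then checks the 64-byte R||S signature that JWS uses for ES256. The key pair, the placeholder DID `did:ebsi:EXAMPLE`, the credential type string and all function names are constructed for illustration; the optional algorithms are left out.

```javascript
const { generateKeyPairSync, sign, verify } = require('crypto');

const ALLOWED_ALGS = new Set(['ES256']); // mandatory algorithm of the profile; policy, not token, decides
const b64u = (data) => Buffer.from(data).toString('base64url');

// Issuer side (hypothetical helper): compact JWS with a raw R||S signature, not DER.
function signEs256(payload, privateKey, kid) {
  const header = b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT', kid }));
  const input = `${header}.${b64u(JSON.stringify(payload))}`;
  const sig = sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return `${input}.${b64u(sig)}`;
}

// Verifier side: reject anything outside the profile before touching the key.
function verifyVcJwt(jwt, publicKey) {
  const parts = String(jwt).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'not a compact JWS' };
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'unparseable header' };
  }
  if (!header || !ALLOWED_ALGS.has(header.alg)) return { ok: false, reason: 'alg not allowed by profile' };
  const sig = Buffer.from(parts[2], 'base64url');
  if (sig.length !== 64) return { ok: false, reason: 'ES256 signature must be 64 bytes (R||S)' };
  const valid = verify('sha256', Buffer.from(`${parts[0]}.${parts[1]}`),
    { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig);
  if (!valid) return { ok: false, reason: 'signature mismatch' };
  return { ok: true, payload: JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8')) };
}

// Constructed sample data: throwaway P-256 key, placeholder DID, three tokens.
function demo() {
  const { privateKey, publicKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const jwt = signEs256({ iss: 'did:ebsi:EXAMPLE', vc: { type: ['VerifiableAttestation'] } },
    privateKey, 'did:ebsi:EXAMPLE#key-1');
  const [h, p, s] = jwt.split('.');
  const tampered = `${h}.${b64u(JSON.stringify({ iss: 'did:ebsi:OTHER' }))}.${s}`;
  const unsigned = `${b64u(JSON.stringify({ alg: 'none' }))}.${p}.`;
  return {
    good: verifyVcJwt(jwt, publicKey),
    tampered: verifyVcJwt(tampered, publicKey),
    unsigned: verifyVcJwt(unsigned, publicKey),
  };
}
```

In a deployment the public key would come from the issuer's resolved DID Document rather than from a locally generated pair.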

Verifiable Presentation exchange scenarios

| As a holder, I'm sharing | How | EBSI V2 | Important remarks |
|---|---|---|---|
| a single VC | Single Verifiable Presentation | Covered | - |
| claim(s) from a single VC | Verifiable Presentation with selective disclosure | Out of scope | Selective disclosure must conserve the claims assurance |
| multiple VCs issued to the same DID | Single Verifiable Presentation | Covered | - |
| multiple VCs issued to different DIDs | Multiple Verifiable Presentations | Covered | In all scenarios, the user is authenticated, so revealing several user DIDs is not compromising the user privacy |
| claims from multiple DIDs | Verifiable Presentation with selective disclosure | Out of scope | Selective disclosure must conserve the claims assurance |

EBSI Trust Framework

In addition to the above, EBSI is building on the W3C's DID specifications to define a comprehensive trust framework as a common set of best practice standards-based rules that ensure minimum requirements for security, privacy, identification management and interoperability through accreditation and governance. Some of the emerging digital identity trust frameworks based on a decentralised web of trust are:


Key elements of Trust frameworks

| | EBSI V2 | Actors | Documentation |
|---|---|---|---|
| EBSI profile of W3C DID | | | |
| DID Method prefix | did:ebsi | Issuers, Holders, Verifiers (optional) | EBSI DID scheme and DID Document - Learn about the EBSI DID scheme and DID Document data model |
| DID Method-specific identifier | Multi-base encode <transform><version><version-specific-identifier> | Issuers, Holders, Verifiers (optional) | Multi-base data format - Learn everything about the multi-base encoding |
| EBSI profile of W3C DID Document | | | |
| Structure of DID Document | EBSI DID scheme and DID Document | Issuers, Holders, Verifiers (optional) | Decentralised Identifiers - W3C specifications |
| Format of DID Document | JSON-LD | Issuers, Holders, Verifiers (optional) | JSON-LD - W3C specification; JSON-LD playground - Everything you need to know about JSON-LD |
| W3C Verifiable Data Registry | | | |
| DID verification | DID Registry | Issuers, Holders, Verifiers | How do I verify, create, register and update my DID - Learn how to resolve DID Documents |
| DID registration | DID Registry | Issuers, Holders, Verifiers (optional) | How do I verify, create, register and update my DID - Learn how to get access to the DID Registry and how to register and update your DID(s) |
| Issuer registration | Trusted Issuers Registry | Issuers | TIR APIs - Learn about the TIR APIs |
| Issuer verification | Trusted Issuers Registry | Holders, Verifiers | TIR APIs |
| Schema registration | Trusted Schemas Registry | Issuer | TSR APIs |
| Schema verification | Trusted Schemas Registry | Issuers, Holders, Verifiers | TSR APIs |
| Revocation lists | Status/Revocation registry | Issuers, Holders, Verifiers | Coming soon |
| Identification and authentication framework | SSI (optional) | Holders | Verifiable Presentation exchange |

Use Case Data Models and Business Flows

Please refer to the Data Models and Schemas page for more information

*Contributions to EBSI schemas are possible by creating a Pull Request (PR) at https://ec.europa.eu/cefdigital/code/projects/EBSI/repos/json-schema/browse. Schemas are registered in the Trusted Schemas Registry and can be accessed via the TSR APIs. New schemas, or proposals to expand existing ones, must be requested, reviewed by domain experts, and approved by UC representatives to guarantee interoperability.

Wallet Conformance Testing (WCT)

The EBSI Wallet Conformance Testing service is intended for third-party application providers developing a digital wallet that want to ensure the interoperability and conformance of their wallet(s) with the specifications defined by the European Blockchain Services Infrastructure (EBSI).

Please find below the links where the wallet providers can access further information about the WCT:

| Further links | Description |
|---|---|
| EBSI Wallet Conformance Testing Page | All the Wallet Conformance testing protocols and scenarios can be found on this page. Use this as starting point for your WCT journey. |
| EBSI WCT Profiles | The profile of EBSI WCT is defined on this page. |
| EBSI API Catalogue | API Specifications for the WCT are available in this Catalogue. |
| Trusted Schemas Registry | This document summarises the process of requesting a registration of a new schema or updating an existing schema in the EBSI. |

Appendix

Acronyms

The following acronyms are used in this document:

DID: Decentralised IDentifier

NP: Natural Person

LE: Legal Entity

TAO: Trusted Accreditation Organisation

TI: Trusted Issuer

TRL: Technology Readiness Level

VC: Verifiable Credential

VP: Verifiable Presentation

Comparison of Decentralised identity initiatives and frameworks

How EBSI compares to other initiatives:


EBSI V2 | GAIA-X | Good Healthcare Pass | Mobile Driving License | Ontario Digital ID
Formats
DID Document formatJSON-LD



Format of Verifiable Credentials/ Presentations JWT2JSON-LDJSON-LDISO/IEC 18013-1
Proofs
Proofs of Verifiable Credentials/ PresentationsJWSLinked data proofLinked data proof

Supported signing algorithm(s)

Mandatory: ECDSA ES256

Optional: RSA, ECDSA3, EdDSA, JAdES, CAdES


BBS+

Protocols
VC Issuance protocolOIDC for Credential Issuance
WACI Pe-X
OIDC
VP Exchange protocol

OIDC for Verifiable Presentations

OIDC SIOP V2


WACI Pe-X
OIDC, DIDCOMM
Key elements of Trust frameworks
DID MethodsDID:EBSI1TBDTBDNot SupportedDID:WEB1, DID:KEY1, DID:PEER
Issuer verificationEBSI Trusted Registries

Verified Issuer
Certificate Authority List4
Verifiable Data Registry4
Schema verification




Revocation lists




Identification frameworkSSI (optional)















Privacy

GDPR compliant

data minimization



data minimisation

selective disclosure

data minimisation (via zero-knowledge proofs)

selective disclosure

Legal recognitioneIDAS e-signatures and e-seals



Security

CSIRTs network (ENISA)

Incident reporting using CIRAS-T online tool

Cybersecurity Certification Framework

EU cybersecurity certification framework





Scalability




TRL5 or 6?291



References

[1] https://learn.mattr.global/docs/concepts/trust-frameworks

[2] https://canada-ca.github.io/PCTF-CCP/

[3] https://www.gov.uk/government/publications/uk-digital-identity-attributes-trust-framework-updated-version
