Public Key Infrastructure (PKI) has been and still is, a very valid technology we use daily without even noticing. It brings us security when navigating the internet since it provides a way to know the site you are connecting to is owned by who the site claims to be. In other words, if you are buying on Amazon, you need to be sure you are about to purchase on Amazon and not on a fake site. In that sense, identifying legal entities on the internet is a solved matter. Nonetheless, if many of us users can take advantage of PKI to place ourselves on the internet, the answer is quite deceiving. This mature technology has been available for decades but has never become mainstream among society for identifying end users. The reason is apparent; the user experience is inferior. Using your certificate to authenticate yourself to a third party is not trivial. It is much easier to delegate this to a third party like Google or Facebook at the expense of telling them what you do.
This is where Self-Sovereign Identity (SSI) comes in. This new paradigm aims to bring control to end users using Verifiable Credentials (VC). These credentials are issued by an issuer and consist of attributes defining specific claims about the holder. Then, the holder can independently use this VC to create a Verifiable Presentation (VP) and deliver it to a verifier. The critical issue is that the holder can present this information to identify themself to the requester without letting anyone else know with whom they are interacting. The holder of this credential is sovereign on the use of their credentials.
Validated ID has been working in this new paradigm for the last three years using developingVIDchainand contributing to relevant projects and initiatives such as theEuropean Blockchain Service Infrastructure (EBSI) in the European Commission,Sovrin,Alastria…. to make this model become a reality.
A bridge with the existing regulation
Although there are many credential wallets under development, and several companies like ours are looking forward to this significant paradigm, the reality is that the legal framework still needs to be fully mature. Currently, we have the eIDAS regulation, primarily focused on traditional PKIs and Certificates. In June 2021, the EC approved a new draft of this regulation that states that the new digital identities of European citizens will be based on the SSI principles and backed by identity wallets. However, this regulation still needs to be formally approved and developed”. In a nutshell, there is still not a clear trust framework. Therefore, the eIDAS Bridge has been raised as an in-between step.
The eIDAS bridge project is an initiative by the European Commission (EC) within the ISA2 program where Validated ID participated as an expert of matter in PKI and SSI. The EC developed eIDAS Bridge to promoteeIDASas a trust framework for the SSI ecosystem. In a nutshell, this project pretends to provide a solution to one of the most urgent existing challenges SSI faces: having a trust framework on which to rely. The result of this project, i.e., the technical specifications, integration guidelines, and legal reports produced, can be found here.
Sometime later,eSSIF Lab, another EU-funded project that aims to provide an ecosystem of parties that work together to make existing SSI technology into a scalable and interoperable infrastructure, opened a program to evolve eIDAS Bridge.
The main goal of this new program was to provide an implementation of the eIDAS Bridge and to prove the interoperability between different provider implementations. Validated ID was selected to participate in part of Call 1 of infrastructure. The results of this project are available as open source.
If you are interested in digging into the code, you can find it all in the following repositories:
- our open-source version implementation
- our VIDchain Enterprise supported version in Integration of eIDAS Bridge | VIDchain documentation
What is eIDAS Bridge, and how does it work
The eIDAS Bridge consists of an API that allows you to sign and validate credentials using Qualified Electronic Certificates (QEC). As you can see, this is the reason why this tool is called a bridge since it is “bridging” the world of certificates with SSI credentials SSI. For an end user, it should be straightforward since the API mainly exposes three endpoints for three steps: certificate storage for did association, signature with a QEC (CAdES) and QEC signature validation.
Step 1: certificate storage for did association
The issuer sends the certificate and associates it to the DID that will be used as a Verifiable Credential (VC) issuer. The API stores the certificate in Confidential Storage.
Step 2: signature with a QEC
The issuer requests to sign a VC using their previously-stored certificate, and the API provides a VC containing a CAdES signature.
Step 3: QEC signature validation
The verifier sends a VC with a CAdES signature to be validated, and the API provides the validation result.
These three steps above are the main functionalities developed for the eIDAS Bridge project, and the interoperability of VC signed with our implementation and other providers was proven successful. For that reason, we have included this code in our VIDchain API to provide our users the ability to use their certificates to issue VCs and validate VPs containing QEC signatures.
Since the project finished at the end of June 2021, VIDchain API has taken the open-source implementation and evolved to provide an improved and professionally supported service based on the eIDAS Bridge and with more security for end users.
Validated ID offers eIDAS Bridge-based solutions to help issuers and verifiers use this innovative solution that fills the gap between certificates and SSI while this last emerges. VIDchain API offers these endpoints shown above as an entity-authenticated service. It is currently working on providing new features, such as support for HSMs and integration with external Certification Authorities (CAs).
eIDAS Bridge and Business Process Value
As pioneers and defenders of the SSI paradigm, we are the first ones who wish to create the necessary trust environment so that verifiable credentials can be created with a Level of Assurance&Credibility that allows public and private organizations to start accepting them as elements well supported by the models of trust already covered by the eIDAS(v1) While new eIDASv2 gets formally approved.
This would imply that we can rely on formal processes for the issuance of verifiable credentials and that the credentials incorporate components recognizable by consumers of Trust Services and the solutions used to recognize eIDAS electronic identities.
For the first case, the credential issuance process could already incorporate the sealing of the credential based on a qualified certificate from the issuer, endorsing with its own credibility the originality of the issued credential and differentiating it from self-issued credentials. Or, it can be sealed later. And according to the cases, contributes its branding to the issued credential.
A Certification Authority could participate in the Trust chain by issuing a credential from their Registration Authority after a formal verification of the holder or based on the authentic source considered appropriate to the case. It would imply that the signing process was carried out, in a similar way to the qualified signature, in the HSM of the TSP. In this way, we can extend the Trust context of classic electronic identities to the decentralized identities that concern us now. And this would cover not only the geographical context of eIDAS but would be perfectly applicable to any country with advanced electronic signature laws to explore the use of verifiable credentials backed by their national PKIs.
Regarding the capacity of recognition by the counterparts who want to verify the presence of a credential, the stamping component itself is verifiable through the eIDAS Bridge, facilitating the recognition of the source entity that has signed the credential, in the same sense given to the act of sealing in PKI—but allowing later to take advantage of the programmatic nature of verifiable credentials for process automation.
If you have more interest in eIDAS Bridge and want to try out our ready-to-use and supported implementation, feel free to reach us firstname.lastname@example.org.