Public Key infrastructure (PKI) has been, and still is, a very valid technology that we use every day without even noticing. It brings us security when we navigate on the internet since it provides a way to know the site you are connecting to really is owned by who the site claims to be. In other words, if you are buying in Amazon, you need to be sure you are about to purchase in Amazon and not in a fake site. In that sense, we could say that identifying legal entities on the internet is kind of a solved matter. Nonetheless, if you wonder how many of us, users, can really take advantage of PKI for identifying ourselves on the internet, the answer is quite deceiving. This mature technology has been available for decades but has never become mainstream among the society for identifying end users. The reason is obvious, the user experience is very poor. It is not trivial to use your certificate to authenticate yourself towards a third party. It is much easier to delegate this to a third party like Google or Facebook at the expense of telling them what you do.
This is where Self Sovereign Identity (SSI) comes in. This new paradigm aims to bring the control to end users by means of using Verifiable Credentials (VC). These credentials are issued by an issuer and consists of a set of attributes that define certain claims about the holder. Then, the holder can independently use this VC to create a Verifiable Presentation (VP) and deliver it to a verifier. The key issue is the holder can present this information to identify himself/herself towards the requester without the need of letting anyone else know with who is he/she interacting. The holder of this credential is sovereign on the use of credentials of his/her property.
Validated ID has been working in this new paradigm for the last three years by means of developing VIDchain and contributing in relevant projects and initiatives such as the European Blockchain Service Infrastructure (EBSI) in the European Commission, Sovrin, Alastria…. to make this model become a reality.
A bridge with the existing regulation
Although there are many credential wallets under development and several companies like us are looking forward this prominent paradigm, the reality is that the legal framework is still not fully mature. Currently we have the eIDAS regulation, mostly focused on traditional PKIs and Certificates. In June 2021, the EC approved a new draft of this regulation that states that the new identities of the European citizens will be based in the SSI principles and backed by identity wallets. However, this regulation still needs to be formally approved and developed”. In a nutshell, there is still not a clear trust framework. Therefore, the eIDAS bridge has raised as an in-between step.
The eIDAS bridge project is an initiative by the European Commission (EC) within the ISA2 program where Validated ID participated as expert of matter in PKI and SSI. The EC developed eIDAS bridge to promote eIDAS as a trust framework for the SSI ecosystem. In a nutshell, this project pretends to provide a solution to one of the most urgent existing challenges SSI faces: having a trust framework where to rely. The result of this project, i.e. the technical specifications, integration guidelines and the legal reports produced, can be found here.
Sometime later, eSSIF Lab, another EU-funded project that aims to provide an ecosystem of parties that work together to make existing SSI technology into a scalable and interoperable infrastructure, opened a program to evolve eIDAS bridge.
The main goal of this new program was to provide an implementation of eIDAS bridge and to proof the interoperability between different provider implementations. Validated ID was selected to participate in part of the Call 1 of infrastructure. The results of this project are available as open source. If you are interested in digging into the code, you can find it all in the following repositories: our open source version implementation and the SSI eIDAS Bridge interoperability performed with SICPA.
What is eIDAS Bridge and how does it work
The eIDAS bridge consists of an API that allows you to sign and validate credentials using Qualified Electronic Certificates (QEC). As you can see, this is the reason why this tool is called a bridge since it is “bridging” the world of certificates with SSI credentials SSI. For an end user, it should be really simple to use since the API mainly exposes three endpoints for three steps: certificate storage for did association, signature with a QEC (CAdES) and QEC signature validation.
Step 1: certificate storage for did association
The issuer sends the certificate and associates it to the DID that will be used as Verifiable Credential (VC) issuer. The API stores the certificate in Confidential Storage.
Step 2: signature with a QEC
The issuer requests to sign a VC using his/her previously stored certificate and the API provides a VC containing a CAdES signature.
Step 3: QEC signature validation
The verifier sends a VC with CAdES signature to be validated and the API provides the validation result.
These three steps above are the main functionalities developed for eIDAS Bridge project and the interoperability of VC signed with our implementation and other providers was proven successfully. For that reason, we have taken this code and included in our VIDchain API to provide our users the ability of using their certificates to issue VCs and validating VPs containing QEC signatures.
Since the project finished at the end of June 2021, VIDchain API has taken the open-source implementation and evolved it to provide an improved eIDAS Bridge with more security for end users. Validated ID offers eIDAS Bridge as a service to help issuers and verifiers to use this innovative solution that fill the gap between certificates and SSI while this last emerges. VIDchain API offers these endpoints shown above as an entity authenticated service and is currently working on providing new features such as support for HSMs and the integration with external Certification Authorities (CAs).
eIDAS Bridge and Business Process Value
As pioneers and defenders of the SSI paradigm, we are the first ones who wish to create the necessary trust environment so that verifiable credentials can be created with a Level of Assurance&Credibility that allows public and private organizations to start accepting them as elements well supported by the models of trust already covered by the eIDAS(v1) While new eIDASv2 gets formally approved.
This would imply that we can rely on formal processes for the issuance of verifiable credentials, and that the credentials incorporate components recognizable by consumers of Trust Services and the solutions used to recognize eIDAS electronic identities.
For the first case, the credential issuance process could already incorporate the sealing of the credential based on a qualified certificate from the issuer, endorsing with its own credibility the originality of the issued credential, and clearly differentiating it from self-issued credentials. Or, it can be sealed later. And according to the cases, contributing its branding to the issued credential.
In fact, in this sense, a Certification Authority could participate in the Trust chain issuing a credential from their Registration Authority, after a formal verification of the holder, or based on the authentic source that is considered appropriate to the case. It would imply that the signing process was carried out, in a similar way to the qualified signature, in the HSM of the TSP. In this way, we would be able to extend the Trust context of classic electronic identities to the decentralized identities that concern us now. And this would cover not only the geographical context of eIDAS but would be perfectly applicable to any country with advanced electronic signature laws, to explore the use of verifiable credentials backed by their national PKIs.
Regarding the capacity of recognition by the counterparts who want to verify the presentation of a credential, the stamping component itself is verifiable through the eIDAS Bridge, facilitating the recognition of the source entity that has signed the credential, in the same sense given to the act of sealing in PKI. But allowing later to take advantage of the programmatic nature of verifiable credentials for process automation.
If you have more interest on eIDAS Bridge and you want to try out our ready to use and supported implementation, feel free to reach out us at firstname.lastname@example.org.