◆ A person uses an Electronic Identification (eID) wallet app on their smartphone to manage their electronic identities. Within the same wallet app the person can configure multiple eID profiles; for example, they may hold both personal and organisational identities.
◆ A person can also choose to install an eID wallet app on multiple devices, each holding multiple eID profiles. This is beneficial as a backup if they lose or damage a device.
◆ A person's electronic identity is issued by an Identity Service Provider. The Identity Service Provider is often also the issuer of the eID app; however, multiple Identity Service Providers can choose to share a common app.
◆ Each eID profile is represented within the wallet by a cryptographic public/private key pair, which is generated by the app. The private key is bound to the device: it is created in, and never leaves, the Secure Element of the device.
◆ The key pair represents the possession element in a Strong Customer Authentication (SCA) procedure. The private key is activated using the biometric sensor on the device (inherence) and/or by supplying a PIN (knowledge).
◆ The Identity Service Provider is responsible for binding the person to their eID profile (key pair), the device, the operating system and the wallet app. This ensures that only the person represented by the eID profile can operate it.
◆ The Identity Service Provider issues an Identity Certificate to the eID profile within the wallet app. This certificate represents the person's SCA credentials. It contains the public key and the pseudonym of the user. For privacy reasons, it does not contain any personal information.
◆ Attributes containing information about the person (e.g. name, address, DOB, passport number) are also added to their eID profile. These are issued by Attribute Service Providers in the form of Attribute Certificates and are stored locally within the wallet app.
◆ Individual attributes can be held separately within multiple Attribute Certificates. This allows the person to present only the minimum required information about themselves to a third party (Relying Party). This is important for privacy reasons.
◆ The Attribute Service Provider is responsible for binding the attribute(s) to the person's eID profile. This is achieved by each Attribute Certificate directly referencing the eID profile's Identity Certificate.
◆ Identity Service Providers will also often perform the role of an Attribute Service Provider, issuing their own Attribute Certificates to the person's eID wallet.
◆ The Identity Service Provider can also procure attributes directly from Attribute Service Providers on behalf of the person. For example, a bank acting as an Identity Service Provider issues a person with a new eID profile. The person has presented their physical passport to the bank. The bank then automatically procures a passport Attribute Certificate from the passport office (the original source Attribute Service Provider) to add to the person's eID profile.
◆ A person can then also procure additional attributes directly from Attribute Service Providers, in a Self-Sovereign Identity (SSI) manner. For example, a person is able to add flight or concert tickets directly to their eID wallet without the involvement of their Identity Service Provider.
◆ All Identity and Attribute Certificates will need to be replaced on a regular basis to prevent the person from being tracked. This procedure can be actioned automatically at a pre-defined frequency. Once the new set of certificates has been downloaded to the device, the old set can be replaced and revoked automatically.
◆ From time to time, a user may wish to temporarily suspend an eID profile. For example, they can suspend an organisational identity while they are on annual leave.