Guide: Digital Transformation for Authentic Sources 

How to become an eIDAS high Qualified Electronic Attestation of Attributes Provider

Under new regulation, EU citizens have the right to interact digitally with their governments. This means that all EU governments need to transition their (analog) attributes to a digital counterpart. This applies to PID providers (IDs, driving licenses and so on), but also to all other governmental authentic sources, like the Land Registry, the Social Service and so on. So what do these parties need to do to become compliant?

What is a (Q)EAA Provider?

A (Qualified) Electronic Attestation of Attributes Provider is an issuer of digital proof of governmental documents. For example, the proof that you own the land your house is built upon. Or the proof that you have a parking permit for your car. This (analog) registration needs to be made digitally available for citizens, so they can view, take and show it, using a digital wallet. 

Governments thus need to make this available to their citizens. This means they need to become a QEAA Provider and start issuing digital certificates that citizens can use to prove their attributes.

What does a government need to do to become a QEAA Provider?

A government needs to take the following steps to become a QEAA Provider:

  1. Organizational: Your organization needs to become a trustworthy organization. Read our guide on becoming a trustworthy organization. 
  1. Technological: In essence you need to do the following things:
    1. Issue a certificate of the relevant attribute
    2. Be able to manage the issued certificate, so make sure you can revoke it, e.g. when a driving license has been revoked.
    3. Be able to handle and verify requests from wallets. So how do you know for sure it is the right person asking for the right certificate? Read our guide on managing wallet requests.
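
The issue and revoke steps above imply that a relying party must check two things: the issuer's signature and the current status. The following sketch is an added example, not code from this guide or from any eIDAS specification; the `Issuer` class, the attribute names and the subject id are hypothetical, and HMAC stands in for the asymmetric signature a real provider would create in an HSM/QSCD.

```python
import hashlib
import hmac
import json
import secrets


class Issuer:
    """Hypothetical issuer that signs attestations and tracks their status."""

    def __init__(self):
        # Assumption: HMAC stands in for an asymmetric signature made in an HSM/QSCD.
        self._key = secrets.token_bytes(32)
        self._revoked = set()  # serial numbers withdrawn after issuance

    def _sign(self, payload):
        body = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def issue(self, subject, attribute, value):
        payload = {"serial": secrets.token_hex(8), "subject": subject,
                   "attribute": attribute, "value": value}
        return {"payload": payload, "sig": self._sign(payload)}

    def revoke(self, serial):
        self._revoked.add(serial)

    def status(self, serial):
        return "revoked" if serial in self._revoked else "good"

    def signature_ok(self, att):
        return hmac.compare_digest(self._sign(att["payload"]), att["sig"])


def verify(issuer, att):
    """Accept only if the signature is intact and the status is still good."""
    if not issuer.signature_ok(att):
        return "rejected: bad signature"
    if issuer.status(att["payload"]["serial"]) != "good":
        return "rejected: revoked"
    return "accepted"


def demo():
    issuer = Issuer()
    licence = issuer.issue("citizen-123", "driving_licence", "category B")
    before = verify(issuer, licence)
    issuer.revoke(licence["payload"]["serial"])
    # The signature still verifies after revocation; only the status changed.
    return before, issuer.signature_ok(licence), verify(issuer, licence)
```

A revoked driving license keeps a valid signature, which is why the status lookup has to be part of every verification.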

To be compliant you need the following modules implemented and certified:

  1. Qualified Attestation of Attributes Authority
    This module is responsible for the workflow of the creation, issuance, renewal, and revocation of digital certificates and verifiable credentials. It manages the workflow and ensures all relevant modules are activated as required by the work order for the relevant issuer/wallet interaction.

  1. Verifiable Credential Issuer Module (CA):
    The Verifiable Credential Issuer Module is responsible for the creation, issuance, renewal, and revocation of digital certificates and verifiable credentials. It manages the entire lifecycle of certificates and credentials, including revocation and publishing to the VA, ensuring that they are issued securely and in compliance with relevant standards.
  1. Registration Authority (RA) Module:
    The RA Module works in conjunction with the Verifiable Credential Issuer to verify the identity of credential applicants before the issuance of certificates. It acts as an intermediary, collecting and authenticating user information before forwarding it to the CA for certificate creation.

  1. Validation Authority Module
    Guards the validity of issued certificates. Enables OCSP responses and CRL downloads for certificates, and the relevant status for mDL and OpenID4VC/OpenID4VP.

  1. Subject device provisioning module
    Ensures the proper issuance of QSCDs and wallets, and the interaction that enables issuers to create credentials in certified QSCDs and wallets.

  1. Remote secure element and electronic signature and seal creation devices module
    Ensures the operation of the HSM components of the QSCDs, wallet and QES in compliance with relevant standards.

  1. Qualified electronic registered delivery services module
    Ensures that the combination of the above modules operates to enable eRDS.

Supplemental services for the above modules

  1. Time-Stamping Authority (TSA) Module
    In some cases, an Issuer may provide timestamping services. The TSA Module issues trusted timestamps, indicating the precise time when a particular event or action occurred. This can be crucial for applications such as digital signatures.
  1. OpenID Connect and OAuth2 module
    Lets verifiers, issuers and internal services use access tokens based on a previous presentation, to facilitate secure and efficient operation after validation.

  1. Audience management module
    Some data and verifiable credential content need to be protected for confidentiality and not only integrity. This module facilitates audience management and ensures compliance and assurance at the same level as for integrity.

  1. Preservation service


  1. Audit and Logging Module:
    The Audit and Logging Module records events and activities related to certificate issuance and management. It supports auditing processes and helps in identifying security incidents or policy violations.