Remote mDOC verification, Trusted Entities and X.509 certificates

March 17, 2025

An image showing X.509 certificates, Trusted Entities and mDOCs together

Over the past months we've been hard at work to extend our infrastructure to align with identity standards used in both the European Digital Wallet (EUDI), as well as globally in digital identity solutions. Recently we shipped three major features in Paradym:

  • Remote mDOC (ISO 18013-5) verification based on ISO 18013-7
  • Verification of credentials signed with X.509 certificates
  • Trusted entities, enabling strict control over trusted issuers

To see the new features in action, watch the showcase video, in which we use all three features in a single request to our Paradym EUDI Prototype Wallet:


X.509 certificates

X.509 certificates are the widely used standard for public key infrastructure (PKI) and underpin authentication, encryption and digital signatures across the internet. A certificate binds a public key to the identity of an entity, such as a person, an organization or a server, and is vouched for by a Certificate Authority (CA) whose own certificate the verifier already trusts. Verifiable credentials on their own let you check that the information in a credential is intact and that it was signed by a specific key; X.509 certificates add a layer on top of that, letting you anchor trust in the accreditation or ecosystem the issuer belongs to rather than in individual keys.

Paradym now supports X.509 certificates for credential verification, so verifiers can authenticate the issuer of a credential using well-established PKI mechanisms. This keeps us interoperable with existing security infrastructure and with regulatory frameworks such as eIDAS 2.0.

Verifying credentials signed with X.509 certificates is supported out of the box for both mDOC and SD-JWT VC credentials. Read below how to configure which X.509 certificates you trust using trusted entities.

mDOC

mDOC (mobile document) is the credential format defined in ISO/IEC 18013-5, the standard best known for the mobile driving licence (mDL). It supports selective disclosure and is already widely adopted: Apple Wallet and Google Wallet support it, as does a growing list of countries around the world.

Our Paradym EUDI Prototype Wallet already supported both in-person and remote presentation of mDOCs, and now the Paradym platform also supports remote presentation of mDOCs over OpenID4VP based on ISO 18013-7.

Creating an mDOC presentation template

Trusted Entities

With trusted entities you configure which entities you trust. Currently a trusted entity can be linked to a presentation template, where it defines the valid and trusted issuers for a credential in that presentation. In the future this will be extended to also configure which identity wallets a holder may use.

On a trusted entity, two types of certificates and identifiers can be configured:

  • X.509 certificates. This can be either a signing certificate or a root certificate, and is supported for SD-JWT VC and mDOC credentials. A signing certificate pins exactly one issuer key; with a root certificate, any credential whose certificate chain leads to that root is accepted, so the issuer can rotate signing keys without you having to update the trusted entity.
  • Decentralized Identifiers (DIDs). This is supported for SD-JWT VC and AnonCreds credentials using the did:cheqd:testnet, did:cheqd:mainnet and did:web methods.

You can link multiple DIDs and X.509 certificates to a trusted entity, and once created you can link a trusted entity to as many presentation templates as you like. Each credential in a presentation can have its own trusted entities configured. Take an example presentation template in which we request two credentials:

  • The first credential is a PID (Person Identification Data) in SD-JWT VC format, issued by the German Bundesdruckerei.
  • The second credential is an IBAN credential in mDOC format, issued by Deutsche Bank.

In this case you'd create two trusted entities: one containing the X.509 certificate of the Bundesdruckerei, linked to the PID credential, and one containing the X.509 certificate of Deutsche Bank, linked to the IBAN credential.
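As an added example (not Paradym's code, and not its data model), here is what the check behind such a trusted entity boils down to, written in Go against the standard crypto/x509 package. The TrustedEntity type, the function names and the whole PKI (a root CA, an intermediate and a PID signing certificate, plus a separately self-signed bank certificate) are constructed for the example; no real Bundesdruckerei or Deutsche Bank keys are involved. It shows both ways a certificate can be attached to an entity, and why a valid certificate from the wrong entity, or a chain missing its intermediate, is rejected:

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// TrustedEntity is a hypothetical model of the page's concept (not Paradym's data
// model): a named issuer with pinned signing certificates and/or root certificates.
type TrustedEntity struct {
	Name    string
	Signing []*x509.Certificate // exact issuer signing certificates
	Roots   []*x509.Certificate // root CAs; any chain that builds to one of them is accepted
}

// VerifyIssuerChain decides whether the certificate chain carried by a credential
// (the x5c header of an SD-JWT VC, or the x5chain header of an mdoc IssuerAuth) is
// acceptable for this entity. chain[0] signed the credential; the rest are intermediates.
func VerifyIssuerChain(te *TrustedEntity, chain []*x509.Certificate, at time.Time) error {
	if len(chain) == 0 {
		return fmt.Errorf("%s: empty certificate chain", te.Name)
	}
	// The only trust anchors are the ones configured on the entity; the system
	// CA store is deliberately never consulted (a nil Roots pool would use it).
	anchors, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, set := range [][]*x509.Certificate{te.Signing, te.Roots} {
		for _, c := range set {
			anchors.AddCert(c)
		}
	}
	for _, c := range chain[1:] {
		inters.AddCert(c)
	}
	// crypto/x509 accepts a leaf that is itself an anchor once its validity period
	// checks out (the pinned-signing-certificate case); otherwise it must build a chain
	// through the intermediates to a root. A non-CA pinned certificate cannot vouch for others.
	opts := x509.VerifyOptions{Roots: anchors, Intermediates: inters, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}} // credential signing, not TLS server auth
	if _, err := chain[0].Verify(opts); err != nil {
		return fmt.Errorf("%s: issuer not trusted: %w", te.Name, err)
	}
	return nil
}

// newCert issues a certificate for pub signed by parentKey (self-signed when parent
// is nil). It exists only to build the constructed demo PKI below.
func newCert(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Demo builds a throwaway PKI (constructed keys, nothing real) and evaluates the
// page's two-credential presentation: the PID must chain to the PID issuer's root
// CA, the IBAN credential must carry the bank's pinned signing certificate. It
// returns one error per case; nil means the issuer is trusted for that credential.
func Demo() map[string]error {
	key := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	rootK, interK, pidK, bankK := key(), key(), key(), key()
	root := newCert("Demo PID Root CA", &rootK.PublicKey, nil, rootK, true)
	inter := newCert("Demo PID Intermediate CA", &interK.PublicKey, root, rootK, true)
	pidSigner := newCert("Demo PID Issuer", &pidK.PublicKey, inter, interK, false)
	bankSigner := newCert("Demo Bank IBAN Issuer", &bankK.PublicKey, nil, bankK, false)
	pidEntity := &TrustedEntity{Name: "pid-issuer", Roots: []*x509.Certificate{root}}
	bankEntity := &TrustedEntity{Name: "bank", Signing: []*x509.Certificate{bankSigner}}
	now := time.Now()
	return map[string]error{
		"pid":  VerifyIssuerChain(pidEntity, []*x509.Certificate{pidSigner, inter}, now),
		"iban": VerifyIssuerChain(bankEntity, []*x509.Certificate{bankSigner}, now),
		// A perfectly valid bank certificate in the PID slot is rejected: trust is per credential.
		"pid-signed-by-bank": VerifyIssuerChain(pidEntity, []*x509.Certificate{bankSigner}, now),
		// Intermediate left out of the chain: no path to the root can be built, so rejected.
		"pid-missing-intermediate": VerifyIssuerChain(pidEntity, []*x509.Certificate{pidSigner}, now),
	}
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-26s %v\n", name, err) // <nil> means accepted
	}
}
```

Two things are worth keeping from this. The trust anchors are only the certificates on the entity, never the system CA store (otherwise any publicly trusted TLS certificate could sign a credential). And the check runs per credential: the bank's certificate is trusted for the IBAN credential and rejected for the PID, even though it is a valid certificate.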

Creating a trusted entity

As a result, you can now create verification templates that require the presented credential to be issued by one of these trusted entities. In the short term this lets you maintain your own list of trusted issuers; in the long term the pan-European trust framework will let you plug in government-managed trust lists. Think: a list of accredited universities, a list of official EU driving licence issuers, and so on.

Read more about trusted entities in the docs, or follow the guide on verifying a credential to get started with them right away.
