Authors:
Reviewers:
Status: Approved
Table of contents
The EWC Large Scale Pilot (LSP) must ensure secure, verifiable, and interoperable trust relationships between entities within the ecosystem. Trust infrastructures provide the foundation for secure interactions by enabling the verification of authorised entities in compliance with the trust framework in which they operate.
This specification defines the content of the EWC Trusted List and the requirements and interfaces for its use. It enables wallets, issuers, and relying parties to use the EWC trust infrastructure within the scope of the eIDAS Trust Framework, which in this document includes the eIDAS regulation, Implementing Acts (IA), and the Architecture and Reference Framework (ARF).
The specification covers using trusted lists in the context of EWC Pilots to verify the issuer’s public key, which is used to sign the credential.
Note that this document is not authoritative outside of the pilot projects and that it may make choices and definitions that are not fully aligned with the eIDAS Trust Framework. These choices are made primarily for implementation simplicity purposes.
The eIDAS regulation defines the EU Trusted Lists as the authoritative records of entities authorised to provide services within the eIDAS ecosystem.
The authoritative entities defined in the governance framework maintain the trusted lists. In eIDAS, these authorities are EU Member States (through Supervisory Bodies) or third countries with a Mutual Recognition Agreement (MRA) with the European Union. For piloting purposes, the EWC consortium acts as an authoritative entity maintaining an EWC Trusted List based on the ETSI TS 119 612 [1] standard.
In EWC pilots, all wallet providers, PID issuers, EAA issuers, and certificate providers must be registered in a Trusted List to obtain the authorised status. Once an entity is listed in the trusted list with an active service status, they have legal authorisation to operate as a service provider for the given service type. The service type can be wallet provider, PID issuer, etc. According to the ARF, the Trusted List identifies the registered entity using a service-specific, unique trust anchor. A trust anchor is a combination of a public key and the identifier of the associated entity and may be used to verify signatures created by that entity [Chapter 3.5 ARF 1.5]. However, as ARF is not yet clear about what that entity identifier is, it is omitted in the EWC Trust Mechanism for now. In EWC Trusted List, the trust anchor is primarily the issuer’s public key, signing certificate or a Decentralized Identifier (DID). This is specified in Chapter 4.2.2.
The registered entity must have as many unique trust anchors as the services it is authorised to provide. For example, the same organisation can simultaneously provide multiple service types.
The Trusted List verifies the authorization of the service provider to provide the selected type of service. The trusted list also provides verification of the cryptographic material used to sign a credential or other document. The public key is present in the credential metadata and can be used to verify the key’s authenticity and the provider’s authorisation from the trust list. The figure below shows the basic premise of anchoring and verifying the attestation provider using trusted lists.
flowchart TD
n2["Attestation provider"] -- registered --> n1["Trusted List"]
n2 -- issues --> n4["Credential"]
n4 -- to --> n5["Wallet"]
n7["Relying Party"] -- Verifies key & provider --> n1
n8["Public Key"] -- anchored --> n1
n5 -- presents credential --> n7
n8 -- included in metadata --> n4
n2 -.- n8
n2@{ shape: rounded}
n1@{ shape: cyl}
n4@{ shape: doc}
n5@{ shape: rounded}
n7@{ shape: rounded}
n8@{ shape: rect}
Figure: Anchoring and Verification of Attestation Providers Using Trusted Lists
The following role-specific requirements apply only in the context of the EWC Trusted List. Unless specifically noted, the requirements apply to all types of attestation providers (PID, WUA, QEAA, EAA, Pub-EAA).
The providers of attestations MUST comply with the following requirements:
The provider must register its business information to the EWC Trusted List (See EWC Trust List Github for details).
The provider must sign the credential using the signing key linked to the registered trust anchor corresponding to the service type.
The credential metadata must include the same trust anchor registered in the Trusted List.
The following requirements apply to all actors verifying or validating credentials (e.g., holders and relying parties). For simplicity, the term “verifier” refers to both roles.
In addition to the requirements below, the verifier must perform credential-specific verifications according to the requirements of the respective RFCs.
The verifier must extract the trust anchor and the Trusted List URI from the credential metadata.
The verifier must verify that the Trusted List URI is https://ewc-consortium.github.io/ewc-trust-list/EWC-TL
The verifier must verify that an entry matching the trust anchor is found in the trusted list and make the following verifications against the information retrieved from the trusted list.
If any of the verifications fail, the whole credential verification MUST fail and be considered untrustworthy.
The EWC Trusted List is based on a subset of information defined in ETSI TS 119 612. All providers are on the same trusted list to simplify implementation and adoption in EWC Pilots. This means that in addition to the trust service providers (QEAA, QC, etc.), the trusted list will include other EUDI providers, such as wallet providers, PID Providers and Pub-EAA providers, which may not normally exist in the same trusted list.
The EWC Trusted List provides the following information for each registrant.
| Name | Field name | Description |
|---|---|---|
| Provider name | TSPName | Name of the legal entity providing the service. |
| Provider tradename | TSPTradeName | Official registration identifier or alternative name that uniquely identifies the provider. |
| Street address | StreetAddress | Street address of the provider. |
| City | Locality | City of the provider. |
| Postal Code | PostalCode | Postal code of the provider. |
| Country (code) | CountryName |
Country where the provider is registered. Format: ISO 3166-1 Alpha-2 codes with exceptions: 1. United Kingdom = "UK" 2. Greece = "EL" |
| ElectronicAddress | Contact email of the provider. | |
| Information URI | TSPInformationURI | URI(s) where users (e.g., relying parties) can obtain provider-specific information. |
| Service Type URI | ServiceTypeIdentifier | URI describing the type of the service. See chapter 3.2 for a list of possible service type URIs. |
| Service current status | ServiceStatus |
The current status of the service as a URI identifier: Granted: http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted Withdrawn: http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn |
| Service Status Starting time | StatusStartingTime | Date-time character string formatted according to ISO 8601 (UTC). |
| Service name | ServiceName | Name of the service. |
| Service endpoint (supply point) URI | ServiceEndpointURI | One or more URIs where relying parties can access the service or related services. |
| Service definition URI | ServiceDefinitionURI | URIs where relying parties can obtain service-specific information. |
| Service Digital Identity (Trust Anchor) | DigitalIdentity | Specifies a unique service digital identifier/public key identifying the service. |
The trusted list includes providers and all the services a provider is authorised to provide within the scope of the governance framework. Each service has a service type, denoted with a unique type URI. Please note that for Service Provider types not yet covered by the ETSI 119 612 standard, a URI definition following the standard syntax is marked with “EWC” as the source. These URIs will be updated if a future version of the standard (or a dedicated one) is released.
| Service | Object | URI | Source |
|---|---|---|---|
| QES Provider | QC | http://uri.etsi.org/TrstSvc/Svctype/CA/QC | ETSI 119 612 |
| QEAA Provider | QEAA | http://uri.etsi.org/TrstSvc/Svctype/EAA/Q | ETSI 119 612 |
| EAA Provider | EAA | http://uri.etsi.org/TrstSvc/Svctype/EAA | ETSI 119 612 |
| Pub-EAA Provider | Pub-EAA | http://uri.etsi.org/TrstSvc/Svctype/EAA/Pub-EAA | ETSI 119 612 |
| Qualified Electronic Ledger | Ledger record | http://uri.etsi.org/TrstSvc/Svctype/Ledgers/Q | ETSI 119 612 |
| Non-qualified Electronic Ledger | Ledger record | http://uri.etsi.org/TrstSvc/Svctype/Ledgers | ETSI 119 612 |
| Natural Person PID Provider | PID | https://ewc-consortium.github.io/ewc-trust-list/TrstSvc/Svctype/PID | EWC |
| Legal Person PID Provider | LPID | https://ewc-consortium.github.io/ewc-trust-list/TrstSvc/Svctype/LPID | EWC |
| Natural Person Wallet Provider | NPWP | https://ewc-consortium.github.io/ewc-trust-list/TrstSvc/Svctype/NPWP | EWC |
| Legal Person Wallet Provider | LPWP | https://ewc-consortium.github.io/ewc-trust-list/TrstSvc/Svctype/LPWP | EWC |
The European Wallet Consortium (EWC) trust list is published on the EWC Trust List and used to validate trust. The service definitions referenced align with Chapter 3.2. Trust validation occurs when the wallet unit (WU) interacts with the relying party or issuer (attestation provider) in the following scenarios:
NOTE: During verification of an incoming credential, the WU or the RP shall consult the issuer’s service history (as per ETSI TS 119 612) to validate signatures against historical signing keys, ensuring trust continuity even when issuers rotate or update cryptographic keys.
Each credential contains metadata in its headers (for JWT-based credentials) or as part of SD-JWT. The key fields that assist in verification are:
kid (Key Identifier): Allows key lookup without needing the full certificate. This is used if DID or other mechanisms are used.x5c (X.509 Certificate Chain): This is when an X.509 certificate is used for signing. This provides the verification chain, where the first entry verifies the credential’s signature while the remaining certificates establish trust in the first certificate.When a Wallet Unit interacts with another service provider, trust validation must take place. A service provider can be an Issuer, Wallet Unit, or a Verifier (Relying Party). This validation involves checking the certificate of the interacting service provider against the EWC Trust List (EWC TL) [9] using the steps outlined below:
x5c is used, the service provider’s certificate is queried and matched using one of the following:
If a kid is used instead, it can be either a DID (Decentralised Identifier) or a non-DID. If it uses DID, the following mechanism is used to resolve the keys:
[http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted](http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted). If the issuer is listed and accredited, and its ServiceStatus is “granted”, the relying party can trust the issuer as a valid trust service provider. This indicates that credentials issued by this provider can be considered valid.[http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn](http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn). If the trust service provider is present but marked as “withdrawn”, the relying party must not trust the issuer. This means that any credentials issued by this provider should be treated cautiously, as the provider is no longer recognised as trusted.By following these steps, the relying party ensures the interacting service provider is recognised, trusted, and actively valid. This process helps maintain the integrity and reliability of the verification procedure.
In the OpenID4VCI protocol, issuers ensure credential authenticity through:
kid, jwk, x5c).These measures ensure credentials are cryptographically valid and trusted.
Holders validate received credentials using the following:
kid, jwk, x5c).Trust List: The following mechanisms verify credential integrity and authenticity. When the wallet unit receives the credentials from the issuer in the form of ISO 18013-5 mDL/mDOC, IETF SD-JWT, or JWT, it must:
Before sharing a credential, the holder’s wallet ensures the relying party is trustworthy:
This approach ensures credentials are only shared with legitimate entities.
In the OpenID4VP protocol, relying parties must:
kid, jwk, or x5c.Trust List:
When the wallet unit receives credentials from the issuer (formats include ISO 18013-5 mDL/mDOC, IETF SD-JWT, or JWT), it must:
granted, indicating authorisation to issue credentials.Additionally, when the relying party receives credentials from the wallet unit, it must:
granted on the trust list.Adhering to these processes ensures credentials received by relying parties are valid, trustworthy, and issued by authorised entities.
ETSI TS 119 612 v2.3.1, Electronic Signatures and Trust Infrastructures (ESI); Trusted Lists, https://www.etsi.org/deliver/etsi_ts/119600_119699/119612/02.03.01_60/ts_119612v020301p.pdf
Trusted List Manager for non-EU countries, available at https://ec.europa.eu/digital-building-blocks/sites/display/TLSO/Trusted+List+Manager+non-EU
EWC RFC001, Issue Verifiable Credential - v1.0, Available at: https://github.com/EWC-consortium/eudi-wallet-rfcs/blob/main/ewc-rfc001-issue-verifiable-credential.md (Accessed: 23-January, 2025).
OpenID Foundation (2023) OpenID for Verifiable Credential Issuance 1.0 - Draft 1. Available at: https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-ID1.htm (Accessed: 23-January, 2025)
EWC RFC004, Individual Wallet Unit Attestation - v1.0, Available at: https://github.com/EWC-consortium/eudi-wallet-rfcs/blob/main/ewc-rfc004-individual-wallet-attestation.md (Accessed: 09-February, 2025)
EWC RFC002, Present Verifiable Credential - v1.0, Available at: https://github.com/EWC-consortium/eudi-wallet-rfcs/blob/main/ewc-rfc002-present-verifiable-credentials.md (Accessed: 29-January, 2025)
OpenID Foundation, 2023. OpenID for Verifiable Presentations (OpenID4VP) Draft 18. [online] Available at: https://openid.net/specs/openid4vp-18 [Accessed 2 February 2025].
IETF (2015) OAuth 2.0 Dynamic Client Registration Protocol, Available at: https://www.rfc-editor.org/rfc/rfc7591.html#section-2 [The client metadata could be reused]
EWC Trust List, 2025, Available at: https://ewc-consortium.github.io/ewc-trust-list/EWC-TL (Accessed: 14, Mar, 2025)