Copyright © 2024 the document editors/authors. Text is available under the Creative Commons Attribution 4.0 International Public License

We describe a mechanism enabling Decentralised Identity and Access Management in B2B ecosystems which require a high level of legal certainty, reduced manual processes and reduced dependency in third parties for the operation of the ecosystem. It combines eIDAS X.509 certificates issued by QTSPs with advanced or qualified signatures and seals of Verifiable Credentials.

The mechanism enables authentication and access control of entities acting on behalf of a legal person with much more descriptive power and flexibility than trying to use just X.509 certificates of representation, and in a more efficient and automated way than using just signed PDFs.

The mechanism is aligned with the upcoming EDIW (European Digital Identity Wallet) and its supporting eIDAS2 regulation, but it advances the state of the art by focusing entirely on legal persons with an implementation that can be used today without the need to wait for future supporting regulation.

In particular, we support natural persons acting on behalf of legal entities (e.g., employees or contractors of a business), interacting with other legal entities. The mechanism is not recommended for natural persons acting as citizens, even if technically the mechanism could be adapted. For citizens we recommend to wait for eIDAS2 and EDIW.

The mechanism leverages Verifiable Credentials and the existing eIDAS framework by:

In this way, the credential is a legally binding machine-readable document where the issuer attests that it delegates the set of powers specified in the credential to the user identified as the subject of the credential.

The subject can then use the credential to authenticate to a Relying Party because the identities of holder and subject of the credential are bound.

This mechanism leverages the eIDAS trust framework using advanced or qualified signatures and seals to provide a high level of legal certainty and enjoying the presumption of non-repudiation in the courts, something that does not happen when using other types of basic signatures.

Obtaining the LEAR Credential

Introduction

eIDAS Trust Framework and digital signatures

At the top of the Trust Framework we have the [[[EU_Trusted_Lists]]]. Member States have the obligation to establish, maintain and publish trusted lists with each qualified trust service provider under their control and the services provided by them.

In order to allow access to the trusted lists of all Member States, the Commission makes available to the public the trusted lists as notified by Member States.

Certificates for signatures and for seals are provided by QTSPs under the eIDAS legal framework. There are some 240 QTSPs, providing different Trust Services.

We focus here only on two types of certificates provided by QTSPs to organisations and legal representatives of organisations:

qualified certificate for electronic seal
An electronic seal is data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity, where the creator of a seal is a legal person (unlike the electronic signature that is issued by a natural person). In this document we will informally refer to a legal person as an organisation, when we do not require the more precise terminology.

In this purpose, electronic seals might serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document’s origin and integrity. Nevertheless, across the European Union, when a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person is equally acceptable.

qualified certificate for electronic signature
An electronic signature is data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign, where the signatory is a natural person.

Like its handwritten counterpart in the offline world, an electronic signature can be used, for instance, to electronically indicate that the signatory has written the document, agreed with the content of the document, or that the signatory was present as a witness.

We are interested here in a qualified certificate for electronic signature issued to a natural person who is an authorised representative of the legal person, informally called a certificate of representation, because it is typically used by the legal representative to sign documents on behalf of the organisation that the natural person represents.

In case you want to seal a document as a legal person (e.g. as a business or organisation), you might be instead interested in an electronic seal.

The qualified certificate for electronic seal is typically installed in a server (using a hardware security module, or HSM) and used to automatically seal documents like eInvoices (typically in XML format), by automated backend processes.

The qualified certificate for electronic signature is used by the natural person who is an authorised representative of the legal person. It is used under the control of the natural person to sign documents typically in PDF format, like contracts, where the natural person acts on behalf of the organisation.

These concepts are described in the following diagram:

Signatures of PDF and XML
Signatures of PDF and XML

In DOME we use eIDAS certificates to sign/seal Verifiable Credentials, which are JSON documents. Verifiable Credentials represent several types of documents in structured format and be machine readable and machine verifiable. Advanced/qualified signatures provide the same legal validity as “traditional” PDF or XML documents.

This is represented in the following diagram, complementing the one above:

Signatures of JSON documents
Signatures of JSON documents

Creating the LEAR Credential

The LEAR Credential is a JSON document which requires an advanced or qualified signature or seal, using one of the certificates described above.

The credential can be sealed with a qualified certificate for seals in a similar way to how the organisation seals electronic invoices. However, we will focus here in the electronic signature performed by the natural person who is the legal representative of the organisation. The LEAR Credential is an employee credential issued to a small number of employees (maybe one), typically with the intervention of the HR department of the organisation and manual interaction of the legal representative.

In this case, the legal representative controls the qualified certificate for signatures and there are three possibilities for performing the signature:

  1. The certificate is inside a Smart Card or other hardware devices like USB token, and the legal representative uses her PC or laptop equipped with the proper hardware mechanism to perform the actual signature inside the Smart Card or token. This is typically the setup for performing a qualified signature, which has greater legal presumptions of validity than other types of signature.
  2. The certificate is inside a keyring or certificate manager controlled by the operating system of the PC or laptop of the legal representative. Given that this is a software-only solution, the signature achieved has the legal status of an advanced signature, even if a qualified certificate is used. This signature has a lower level of legal certainty than the qualified signature, but it is enough for most business transactions.
  3. The certificate is managed in the cloud by a QTSP which provides remote signature services to its customers. Depending on the mechanisms and policies adopted by the QTSP when performing the signature, the result can be either an advanced or qualified signature.

For the moment, we will focus just on the first and second mechanisms of signature, which we will call local signature for obvious reasons.

Signing the LEAR Credential

We start describing at a high level a typical local signature process when the legal representative signs a PDF document, because it is very familiar and will serve as the base to describe the signature of a Verifiable Credential to generate the LEAR Credential, highlighting the similarities and differences.

An imaginary (but typical) PDF signing process goes like this:

  1. Somebody in another department of the company prepares a PDF document with the appropriate content. If it is a document related to an employee, it may be the HR department the one that prepares a Word document including some relevant employee information.
  2. The HR department sends to the employee the Word document so the employee can complete the document with some information that the HR department did not have. The employee returns the document to the HR department.
  3. The HR department exports the Word document to PDF format and sends the file electronically to the legal representative for signature. It may be sent by email, or in more sophisticated companies the document is managed by a document processing system, and it is made available for signature according to a specified workflow.
  4. The legal representative opens the PDF document in Acrobat Reader or any other application capable of signing PDFs.
  5. The legal representative instructs Acrobat Reader to digitally sign the document, and the program uses the corresponding operating system APIs to access the keyring or filesystem where the certificate is stored securely. Normally, this requires the legal representative to authenticate with the keyring.
  6. Acrobat Reader reads the certificate and its associated private key and performs the signature. Acrobat Reader then asks the legal representative to save the signed file.
  7. The legal representative sends the signed PDF back to HR, so they can provide the document to the employee, together with whatever instructions are appropriate.

When creating the LEAR Credential, the flow is very similar:

  1. Somebody in another department of the company prepares a JSON document with the format of a Verifiable Credential, with the appropriate content. In the case of a LEAR Credential, it may be the HR department the one that prepares the JSON document, including the relevant employee information. The HR department uses a special program called Credential Issuer to generate this version of the Credential and interact with the employee Wallet. The company can implement its own Issuer if they want, or they can simply use the Issuer provided by DOME As-A-Service.
  2. The HR department, using the Credential Issuer, sends the Credential to the employee Wallet. The employee can use any Wallet complying with the EDIW standards (OpenID4VCI), including the one provided by DOME. The Wallet, following the OpenID4VCI protocol, generates a pair of private/public keys and sends back the Credential and the public key to HR (again, following the OpenID4VCI protocol). The private key remains always in control of the user and nobody else knows about it.
  3. The Credential Issuer notifies automatically to the legal person that there is a document to be signed.
  4. The legal representative opens a local program installed in her computer (the equivalent to Acrobat Reader), and reviews the Credential to be signed. This local program is called Credential Signer and is provided by DOME for Windows, Mac and Linux, but the company can develop or buy their own. The Credential Signer uses the APIs of the Credential Issuer to retrieve the Credential to be signed (there may be more than one for different employees).
  5. The legal representative instructs the Credential Signer to digitally sign the document, and the program uses the corresponding operating system APIs to access the keyring or filesystem where the certificate is stored securely. Normally, this requires the legal representative to authenticate with the keyring.
  6. The Credential Signer reads the certificate and its associated private key and performs the signature. The resulting file is now a LEAR Credential.
  7. After confirmation by the legal representative, the Credential Signer sends the LEAR Credential back to the Credential Issuer, which notifies HR and the employee that the Credential is ready. The employee uses her Wallet to retrieve the LEAR Credential from the Credential Issuer, again using the OpenID4VCI protocol.

Infrastructure for obtaining the LEAR Credential

This section describes the components and infrastructure required by an organisation to create the LEAR Credential for one of its employees.

LEAR Credential Issuer (part 1)

The LEAR Credential Issuer is the main application that manages the credential flow. We assume here that it is specialised in creating LEAR Credentials, though it could be used for other types of credentials. In this context, we will use the term LEAR Credential Issuer and Credential Issuer as interchangeable.

For the explanation, we are going to assume the issuance flow described above and a given set of actors. However, the flows can be adapted to other scenarios.

The main actors are:

Appointed employee
This is the employee that will receive the LEAR Credential and that has been nominated or appointed by the organisation to perform some role in DOME on behalf of the organisation.
HR employee
The employee from the Human Resources department of the organisation that introduces the Appointed employee data in the Credential Issuer application.
The natural person that is the official legal representative of the organisation.

Obtaining an eIDAS certificate

Before starting the process, the legal representative should have an eIDAS certificate. This is the same certificate that can be used to sign documents in PDF form. The legal representative will be signing the LEAR Credential in a similar way to signing a PDF in her machine, except she will use a special program provided by DOME instead of Acrobat Reader. The technical requirements for signing LEAR Credentials are essentially the same as for signing a PDF. More details about this later.

Introduction of data about the Appointed Employee

The HR employee uses an HTML form provided by the LEAR Credential Issuer application to input the required data about the employee. The application enables also to provide such data with a YAML file, to facilitate automation of the process.

The required data includes name, surname, contact data (phone and company email), and the roles that the employee is authorised to perform. For simplicity we assume here the role onboarder, but the HR employee can specify a list of roles relevant for DOME.

Once the data is completed, the HR employee confirms the operation and the LEAR Credential Issuer notifies the Appointed Employee using the company email provided.

The Appointed employee receives the Credential Offer

The employee receives an email from the LEAR Credential Issuer with the proper instructions, including a unique transaction code that the employee requires to start the process for receiving the LEAR Credential.

The Appointed employee enters into the HTML portal provided by the LEAR Credential Issuer (the URL of the portal is well-known, but it is also described in the email).

The portal does not require the Appointed employee to be pre-registered in the application, because the unique transaction code received via email is used to access its Credential Offer.

Once the employee enters the transaction code in the portal, a QR code is displayed with the content of Credential Offer (compliant with the OpenID4VCI protocol).

The employee scans the QR code with her Wallet. She can use the Wallet provided by DOME, or any other which is compatible. This includes the possibility that the company provides employees with its own Wallet, which could even be a branded version of the DOME Wallet.

The Wallet of the Appointed employee

The Appointed employee should have a Wallet compatible with the OpenID4VCI specifications, in particular capable of the subset of functionalities specified in the DOME profile.

The employee uses the Wallet to scan the QR code presented by the LEAR Credential Issuer containing the Credential Offer. After the employee reviews the request in her Wallet and providing explicit confirmation, the Wallet generates a private/public key pair according to the did:key specification, and sends this generated did:key to the LEAR Credential Issuer following the OpenID4VCI specifications.

The LEAR Credential Issuer replies to the Wallet with an OpenID4VCI Access Token to be used later when the credential has been signed by the legal representative.

The LEAR Credential Issuer notifies via email to the legal representative (her email is pre-registered in the application, as the contact person in the organisation capable of signing the LEAR Credentials).

The LEAR Credential Signer

This is a simple program provided by DOME that should be installed locally in the PC of the legal representative and that performs the actual signing of the LEAR Credential (there are versions for Windows, Mac and Linux). Alternatively, any organisation can develop an equivalent program themselves if they wish, because it performs standard JAdES signatures and uses documented APIs of the LEAR Credential Issuer program.

The LEAR Credential Signer supports the following mechanisms to access the eIDAS certificate and sign the credential:

  1. PKCS#12 which defines a file format commonly used to store X.509 private key accompanying public key certificates, protected by symmetrical password.
  2. MS CAPI which is the Microsoft interface to communicate with SmartCards and Windows keyring.
  3. Apple Keystore allowing to access a Keychain store in a MacOS environment.
  4. PKCS#11 is widely used to access smart cards and HSMs in different operating systems and environments.

The functionalities of the LEAR Credential Signer are described below.

Sending the signed credential to the LEAR Credential Signer

After the signature is performed, the program asks for another confirmation from the legal representative to continue with the process.

Then the LEAR Credential Signer program invokes another API provided by the LEAR Credential Issuer server to send the signed credential.

LEAR Credential Issuer (part 2)

When the Issuer receives the signed Credential from the LEAR Credential Signer, it makes the Credential available for retrieval by the Appointed employee. It also notifies via email to the involved parties (Appointed employee, legal representative and HR employee).

When the Appointed employee receives the notification, she uses her Wallet to restart the issuance process.

The Wallet uses the Access Token received in the first phase of the process to request the Credential using the OpenID4VCI protocol. After the protocol is executed, the Wallet has the LEAR Credential signed by the legal representative, ready to be used for authentication into DOME.

Deployment scenarios

Deployment of the LEAR Credential Issuer

The LEAR Credential Issuer is a web application consisting of a server part, HTML interface, the APIs implementing the OpenIDVCI protocol, and the APIs required by the LEAR Credential Signer program.

The LEAR Credential Issuer does not require integration with the rest of the DOME infrastructure, so it supports different deployment scenarios.

By DOME as a service

Regardless of the other scenarios, DOME provides an instance of the LEAR Credential Issuer as a service, so organisations (especially SMEs) do not have to worry about deployment.

The application is standalone and does not require interaction with any other system except a compatible the Wallet and the LEAR Credential Signer.

By an organisation willing to generate LEAR Credentials to its employees

The LEAR Credential Issuer can be deployed by any organisation wishing to control the full system. It can be deployed either on-premises or in any cloud environment that the organisation wants to use. The only requirements are that the HTML interface and APIs should be available to the involved actors in the company. They can even not be available through Internet, if the company so wishes.

The application is provided as a set of Docker containers that can be easily deployed in many environments.

By an entity willing to provide the service to third-parties

An entity willing to provide the LEAR Credential issuance service to third-parties for whatever reason, can do so by deploying the LEAR Credential Issuer on their own system.

Deployment of the LEAR Credential Signer

This is a simple program that is installed in the PC of the legal representative. It is intended for self-installation without requiring technical knowledge, though it is expected to be installed by the IT personnel taking care of the personal computer infrastructure of the employees in the organisation. The program can be installed using the typical automated installation processes in big organisations.

The only configuration required is the URL of the LEAR Credential Issuer that the organisation wants to use for Credential issuance. It may be the URL of the instance operated by DOME, or any other instance that the organisation wants.

Glossary

As far as possible and in order to enhance consistency with the regulation, we use in this document the following definitions, which is essentially a subset of the definitions in Article 3 of the document [[eIDAS2.Regulation]] and in the original [[[eIDAS.Regulation]]].

This is the reason why in some definitions below the description refers to an article or section that does not exist in this document. We have decided to keep the definitions like in the original, as we think it does not limit the understanding of the concept.

electronic identification
means the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person;
electronic identification means
means a material and/or immaterial unit, including European Digital Identity Wallets or ID cards following Regulation 2019/1157, containing person identification data and which is used for authentication for an online or offline service:
person identification data
means a set of data, issued in accordance with national law, enabling the identity of a natural or legal person, or a natural person representing a legal person to be established;
electronic identification scheme
means a system for electronic identification under which electronic identification means, are issued to natural or legal persons or natural persons representing legal or natural persons;
user
means a natural or legal person, or a natural person representing a legal person using trust services, notified electronic identification means or European Digital Identity Wallets;
authentication
means an electronic process that enables the verification of the origin and integrity of data in electronic form;
identification
means an electronic process that establish an unequivocal relationship between a set of data and a natural or legal person;
validation
means the process of verifying that an electronic signature, an electronic seal, a European Digital Identity Wallet, an electronic identification mean, a relying party authorisation, person identification data, an electronic attestation of attributes or any electronic certificates for trust services is valid and has not been revoked;
zero knowledge proof
means cryptographic methods by which a relying party can validate that a given statement based on the electronic attestation of attributes held in a user's European Digital Identity Wallet is true, without conveying any data related to those electronic attestation of attributes to the relying party;
relying party
means a natural or legal person that relies upon an electronic identification means, including European Digital Identity Wallets, or a trust service, directly or through an intermediary, in order to provide services;
public sector body
means a state, regional or local authority, a body governed by public law or an association formed by one or several such authorities or one or several such bodies governed by public law, or private entity mandated by at least one of those authorities, bodies or associations to provide public services, when acting under such a mandate;
body governed by public law
means a body defined in point (4) of Article 2(1) of Directive 2014/24/EU of the European Parliament and of the Council (1);
signatory
means a natural person who creates an electronic signature;
electronic signature
means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;
advanced electronic signature
means an electronic signature which meets the requirements set out in Article 26;
qualified electronic signature
means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures;
electronic signature creation data
means unique data which is used by the signatory to create an electronic signature;
certificate for electronic signature
means an electronic attestation which links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person;
qualified certificate for electronic signature
means a certificate for electronic signatures, that is issued by a qualified trust service provider and meets the requirements laid down in Annex I;
trust service
means an electronic service normally provided against payment which consists of:
  • (a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services, electronic attestation of attributes and certificates related to those services;
  • (b) the creation, verification and validation of certificates for website authentication;
  • (c) the preservation of electronic signatures, seals or certificates related to those services;
  • (d) the electronic archiving of electronic documents;
  • (e) the management of remote electronic signature and seal creation devices;
qualified trust service
means a trust service that meets the applicable requirements laid down in this Regulation;
conformity assessment body
means a body defined in point 13 of Article 2 of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a qualified trust service provider and the qualified trust services it provides;
trust service provider
means a natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider;
qualified trust service provider
means a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body;
electronic seal
means data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity;
advanced electronic seal
means an electronic seal, which meets the requirements set out in Article 36;
qualified electronic seal
means an advanced electronic seal, which is created by a qualified electronic seal creation device, and that is based on a qualified certificate for electronic seal;
electronic seal creation data
means unique data, which is used by the creator of the electronic seal to create an electronic seal;
certificate for electronic seal
means an electronic attestation or set of attestations that links electronic seal validation data to a legal person and confirms the name of that person;
qualified certificate for electronic seal
means a certificate for an electronic seal, that is issued by a qualified trust service provider and meets the requirements laid down in Annex III;
electronic seal creation device
means configured software or hardware used to create an electronic seal;
qualified electronic seal creation device
means an electronic seal creation device that meets mutatis mutandis the requirements laid down in Annex II of [[eIDAS.Regulation]];
electronic time stamp
means data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time;
qualified electronic time stamp
means an electronic time stamp which meets the requirements laid down in Article 42 of [[eIDAS.Regulation]];
electronic document
means any content stored in electronic form, in particular text or sound, visual or audiovisual recording;
electronic registered delivery service
means a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations;
qualified electronic registered delivery service
means an electronic registered delivery service which meets the requirements laid down in Article 44;
European Digital Identity Wallet
means an electronic identification means which securely stores, manages and validates identity data and electronic attestations of attributes, to provide them to relying parties and other users of European Digital Identity Wallets on request, and which enables the creation of qualified electronic signatures and seals;
attribute
is a feature, characteristic or quality of a natural or legal person or of an entity;
electronic attestation of attributes
means an attestation in electronic form that allows the presentation and authentication of attributes;
qualified electronic attestation of attributes
means an electronic attestation of attributes, which is issued by a qualified trust service provider and meets the requirements laid down in Annex V;
authentic source
is a repository or system, held under the responsibility of a public sector body or private entity, that contains attributes about a natural or legal person and is considered to be the primary source of that information or recognised as authentic in Union or national law;
electronic archiving
means a service ensuring preservation of electronic data or documents in order to guarantee their integrity, the accuracy of their origin and legal features throughout the conservation period;
qualified electronic archiving service
means a service that meets the requirements laid down in Article 45g;
EU Digital Identity Wallet Trust Mark
means an indication in a simple, recognisable and clear manner that a Digital Identity Wallet has been issued in accordance with this Regulation;
strong user authentication
means an authentication based on the use of at least two authentication factors categorised as user knowledge , possession and inherence that are independent, in such a way that the breach of one does not compromise the reliability of the others, and is designed in such a way to protect the confidentiality of the authentication data;
user account
means a mechanism that allows a user to access public or private services on the terms and conditions established by the service provider;
personal data
means any information as defined in point 1 of Article 4 of Regulation (EU) 2016/679;
identity matching
means a process where person identification data or person identification means are matched with or linked to an existing account belonging to the same person;
offline service
means the capability of a user to electronically identify and authenticate with a third party with close proximity technologies irrespective of whether the device is connected to the internet or not in order to access a wide range of public and private services;