This issue aims to list all the qcStatement types that should be included in the IT-Wallet technical documentation.
EUDI / ETSI TS 119 412-6 Certificate Role Mapping
| Role |
Name |
Function |
Characteristics |
| Root/CA |
Trust Anchor / Federation CA |
National root; issues subordinate certificates |
OpenID Federation + X.509 PKI; no explicit CA profile in TS 119 412-6 |
| End-entity |
PID provider sign/seal certificate |
Signs/seals PID attestations |
MUST include id-etsi-qct-pid in qcStatement |
| End-entity |
Wallet provider sign/seal certificate |
Signs WUA/WAA |
MUST include id-etsi-qct-wal in qcStatement |
| End-entity |
EAA provider attribute sign/seal certificate |
Signs EAA attestations |
Inherits EN 319 412-2/3; no specific QcType |
| End-entity |
QEAA provider qualified sign/seal certificate |
Qualified seal for EAA |
Issued by QTSP; qualified cert profile |
| End-entity |
PSBEAA provider qualified sign/seal certificate |
Qualified seal for public sector EAA |
MUST include QcPSB qcStatement |
Per Application specific roles:
| Certificate Type |
Profile |
qcStatement |
| PID provider sign/seal |
ETSI TS 119 412-6 Clause 4 |
id-etsi-qct-pid |
| Wallet provider sign/seal |
ETSI TS 119 412-6 Clause 5 |
id-etsi-qct-wal |
| EAA provider sign/seal |
ETSI TS 119 412-6 Clause 6 |
(none; EN 319 412-2/3) |
| QEAA provider qualified sign/seal |
ETSI TS 119 412-6 Clause 7 |
Qualified cert (e.g. id-etsi-qct-eseal) |
| PSBEAA provider qualified sign/seal |
ETSI TS 119 412-6 Clause 8 |
QcPSB |
Notes:
- ETSI TS 119 412-6 defines end-entity sign/seal certificates only. There is no dedicated “PID Issuer CA” profile; the CA role is fulfilled by the Federation Trust Anchor.
- PID Issuer CA: Not profiled in TS 119 412-6. The Trust Anchor / Federation CA fills this role.
- EAA provider QcType: No dedicated QcType; uses generic natural/legal person profiles.
QCStatements to Include in Documentation
The following qcStatement types should be documented in the IT-Wallet specification.
4.1 eIDAS 2.0 Extensions (ETSI TS 119 412-6 Annex A)
| OID |
Name |
Purpose |
Used By |
{ id-etsi-eidas2-qct-extensions 1 } |
id-etsi-qct-pid |
PID provider sign/seal certificate |
PID Provider |
{ id-etsi-eidas2-qct-extensions 2 } |
id-etsi-qct-wal |
Wallet provider sign/seal certificate |
Wallet Provider |
Parent OID: id-etsi-eidas2-qct-extensions = { itu-t(0) identified-organization(4) etsi(0) id-qc-statements-eidas2-provider-extension(194126) 1 }
Numeric form: 0.4.0.194126.1.1 (id-etsi-qct-pid), 0.4.0.194126.1.2 (id-etsi-qct-wal)
4.2 Qualified Certificate Types (ETSI EN 319 412-5)
| OID |
Name |
Purpose |
Used By |
{ id-etsi-qcs-QcType 1 } |
id-etsi-qct-esign |
Electronic signature |
Qualified signature certs |
{ id-etsi-qcs-QcType 2 } |
id-etsi-qct-eseal |
Electronic seal |
QEAA, PSBEAA qualified seals |
{ id-etsi-qcs-QcType 3 } |
id-etsi-qct-web |
Website authentication |
Qualified web auth certs |
Parent OID: id-etsi-qcs-QcType = 0.4.0.1862.1.6 (from ETSI TS 101 862 / EN 319 412-5)
Numeric forms: 0.4.0.1862.1.6.1 (esign), 0.4.0.1862.1.6.2 (eseal), 0.4.0.1862.1.6.3 (web)
4.3 PSBEAA-Specific (ETSI TS 119 412-6 Annex A)
| OID |
Name |
Purpose |
Used By |
id-etsi-qcs-QcPSB |
QcPSB |
Public sector body attestation data |
PSBEAA Provider |
Structure:
QcPSB ::= SEQUENCE {
countryOfLegislation PrintableString (SIZE (2)), -- ISO 3166 alpha-2 or 'EU'
authSourceIdentification UTF8String, -- Authentic source ID
legislationIdentification UTF8String -- Legislation ID
}
4.4 Other Relevant QCStatements (EN 319 412-5)
| OID |
Name |
Purpose |
id-etsi-qcs-QcCompliance |
QcCompliance |
Certificate issued per Directive 1999/93/EC (qualified) |
id-etsi-qcs-QcPDS |
QcPDS |
Location of PKI Disclosure Statements |
id-etsi-qcs-QcLimitValue |
QcLimitValue |
Transaction limit for qualified certs |
id-etsi-qcs-QcRetentionPeriod |
QcRetentionPeriod |
Retention period |
id-etsi-qcs-QcSSCD |
QcSSCD |
Secure signature creation device |
These are relevant when documenting qualified certificates in general (e.g. QEAA, PSBEAA).
Suggested Documentation Additions
New Section: Certificate Profile Comparison
Add a subsection under Trust Infrastructure or a dedicated annex:
- Short mapping: about the mapping of the EUDI Trust Anchor / sign-seal certificates.
- Clarify that TS 119 412-6 only profiles end-entity certificates; CA roles are handled by the Federation Trust Anchor.
New Section: QCStatement Reference
Add a reference section listing:
- All qcStatement OIDs used in the ecosystem (Tables 4.1–4.5).
- For each: OID, name, purpose, and which provider/certificate type uses it.
- Link to ETSI TS 119 412-6 and EN 319 412-5.
Example Additions
- PID sign/seal cert: Example
x5chain / x5c containing a cert with id-etsi-qct-pid.
- Wallet sign/seal cert: Example with
id-etsi-qct-wal for WUA/WAA.
- PSBEAA cert: Example showing QcPSB structure.
This issue aims to list all the qcStatement types that should be included in the IT-Wallet technical documentation.
EUDI / ETSI TS 119 412-6 Certificate Role Mapping
id-etsi-qct-pidin qcStatementid-etsi-qct-walin qcStatementPer Application specific roles:
id-etsi-qct-pidid-etsi-qct-walid-etsi-qct-eseal)QcPSBNotes:
QCStatements to Include in Documentation
The following qcStatement types should be documented in the IT-Wallet specification.
4.1 eIDAS 2.0 Extensions (ETSI TS 119 412-6 Annex A)
{ id-etsi-eidas2-qct-extensions 1 }{ id-etsi-eidas2-qct-extensions 2 }Parent OID:
id-etsi-eidas2-qct-extensions={ itu-t(0) identified-organization(4) etsi(0) id-qc-statements-eidas2-provider-extension(194126) 1 }Numeric form:
0.4.0.194126.1.1(id-etsi-qct-pid),0.4.0.194126.1.2(id-etsi-qct-wal)4.2 Qualified Certificate Types (ETSI EN 319 412-5)
{ id-etsi-qcs-QcType 1 }{ id-etsi-qcs-QcType 2 }{ id-etsi-qcs-QcType 3 }Parent OID:
id-etsi-qcs-QcType=0.4.0.1862.1.6(from ETSI TS 101 862 / EN 319 412-5)Numeric forms:
0.4.0.1862.1.6.1(esign),0.4.0.1862.1.6.2(eseal),0.4.0.1862.1.6.3(web)4.3 PSBEAA-Specific (ETSI TS 119 412-6 Annex A)
id-etsi-qcs-QcPSBStructure:
4.4 Other Relevant QCStatements (EN 319 412-5)
id-etsi-qcs-QcComplianceid-etsi-qcs-QcPDSid-etsi-qcs-QcLimitValueid-etsi-qcs-QcRetentionPeriodid-etsi-qcs-QcSSCDThese are relevant when documenting qualified certificates in general (e.g. QEAA, PSBEAA).
Suggested Documentation Additions
New Section: Certificate Profile Comparison
Add a subsection under Trust Infrastructure or a dedicated annex:
New Section: QCStatement Reference
Add a reference section listing:
Example Additions
x5chain/x5ccontaining a cert withid-etsi-qct-pid.id-etsi-qct-walfor WUA/WAA.