Skip to content

Signature Certificate Profiles for PID Issuer, (Q)EAA, PubEAA Providers and Wallet Provider #1055

Description

@peppelinux

This issue aims to list all the qcStatement types that should be included in the IT-Wallet technical documentation.

EUDI / ETSI TS 119 412-6 Certificate Role Mapping

Role Name Function Characteristics
Root/CA Trust Anchor / Federation CA National root; issues subordinate certificates OpenID Federation + X.509 PKI; no explicit CA profile in TS 119 412-6
End-entity PID provider sign/seal certificate Signs/seals PID attestations MUST include id-etsi-qct-pid in qcStatement
End-entity Wallet provider sign/seal certificate Signs WUA/WAA MUST include id-etsi-qct-wal in qcStatement
End-entity EAA provider attribute sign/seal certificate Signs EAA attestations Inherits EN 319 412-2/3; no specific QcType
End-entity QEAA provider qualified sign/seal certificate Qualified seal for EAA Issued by QTSP; qualified cert profile
End-entity PSBEAA provider qualified sign/seal certificate Qualified seal for public sector EAA MUST include QcPSB qcStatement

Per Application specific roles:

Certificate Type Profile qcStatement
PID provider sign/seal ETSI TS 119 412-6 Clause 4 id-etsi-qct-pid
Wallet provider sign/seal ETSI TS 119 412-6 Clause 5 id-etsi-qct-wal
EAA provider sign/seal ETSI TS 119 412-6 Clause 6 (none; EN 319 412-2/3)
QEAA provider qualified sign/seal ETSI TS 119 412-6 Clause 7 Qualified cert (e.g. id-etsi-qct-eseal)
PSBEAA provider qualified sign/seal ETSI TS 119 412-6 Clause 8 QcPSB

Notes:

  • ETSI TS 119 412-6 defines end-entity sign/seal certificates only. There is no dedicated “PID Issuer CA” profile; the CA role is fulfilled by the Federation Trust Anchor.
  • PID Issuer CA: Not profiled in TS 119 412-6. The Trust Anchor / Federation CA fills this role.
  • EAA provider QcType: No dedicated QcType; uses generic natural/legal person profiles.

QCStatements to Include in Documentation

The following qcStatement types should be documented in the IT-Wallet specification.

4.1 eIDAS 2.0 Extensions (ETSI TS 119 412-6 Annex A)

OID Name Purpose Used By
{ id-etsi-eidas2-qct-extensions 1 } id-etsi-qct-pid PID provider sign/seal certificate PID Provider
{ id-etsi-eidas2-qct-extensions 2 } id-etsi-qct-wal Wallet provider sign/seal certificate Wallet Provider

Parent OID: id-etsi-eidas2-qct-extensions = { itu-t(0) identified-organization(4) etsi(0) id-qc-statements-eidas2-provider-extension(194126) 1 }
Numeric form: 0.4.0.194126.1.1 (id-etsi-qct-pid), 0.4.0.194126.1.2 (id-etsi-qct-wal)

4.2 Qualified Certificate Types (ETSI EN 319 412-5)

OID Name Purpose Used By
{ id-etsi-qcs-QcType 1 } id-etsi-qct-esign Electronic signature Qualified signature certs
{ id-etsi-qcs-QcType 2 } id-etsi-qct-eseal Electronic seal QEAA, PSBEAA qualified seals
{ id-etsi-qcs-QcType 3 } id-etsi-qct-web Website authentication Qualified web auth certs

Parent OID: id-etsi-qcs-QcType = 0.4.0.1862.1.6 (from ETSI TS 101 862 / EN 319 412-5)
Numeric forms: 0.4.0.1862.1.6.1 (esign), 0.4.0.1862.1.6.2 (eseal), 0.4.0.1862.1.6.3 (web)

4.3 PSBEAA-Specific (ETSI TS 119 412-6 Annex A)

OID Name Purpose Used By
id-etsi-qcs-QcPSB QcPSB Public sector body attestation data PSBEAA Provider

Structure:

QcPSB ::= SEQUENCE {
  countryOfLegislation  PrintableString (SIZE (2)),  -- ISO 3166 alpha-2 or 'EU'
  authSourceIdentification  UTF8String,              -- Authentic source ID
  legislationIdentification UTF8String              -- Legislation ID
}

4.4 Other Relevant QCStatements (EN 319 412-5)

OID Name Purpose
id-etsi-qcs-QcCompliance QcCompliance Certificate issued per Directive 1999/93/EC (qualified)
id-etsi-qcs-QcPDS QcPDS Location of PKI Disclosure Statements
id-etsi-qcs-QcLimitValue QcLimitValue Transaction limit for qualified certs
id-etsi-qcs-QcRetentionPeriod QcRetentionPeriod Retention period
id-etsi-qcs-QcSSCD QcSSCD Secure signature creation device

These are relevant when documenting qualified certificates in general (e.g. QEAA, PSBEAA).

Suggested Documentation Additions

New Section: Certificate Profile Comparison

Add a subsection under Trust Infrastructure or a dedicated annex:

  • Short mapping: about the mapping of the EUDI Trust Anchor / sign-seal certificates.
  • Clarify that TS 119 412-6 only profiles end-entity certificates; CA roles are handled by the Federation Trust Anchor.

New Section: QCStatement Reference

Add a reference section listing:

  • All qcStatement OIDs used in the ecosystem (Tables 4.1–4.5).
  • For each: OID, name, purpose, and which provider/certificate type uses it.
  • Link to ETSI TS 119 412-6 and EN 319 412-5.

Example Additions

  • PID sign/seal cert: Example x5chain / x5c containing a cert with id-etsi-qct-pid.
  • Wallet sign/seal cert: Example with id-etsi-qct-wal for WUA/WAA.
  • PSBEAA cert: Example showing QcPSB structure.

Metadata

Metadata

Assignees

Labels

Type

No type

Fields

No fields configured for issues without a type.

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions