Release/1.6.1 (#991) (#428)

* typos and editorial changes
* added Technical specification drafts

Author: paolo-de-rosa

.vscode/settings.json

@@ -3,7 +3,10 @@
         "AHWG",
         "biometrically",
         "Birkholz",
+        "bitstring",
+        "bitstrings",
         "Bradner",
+        "bstr",
         "Caceres",
         "Cappalli",
         "CBOR",
@@ -13,34 +16,54 @@
         "COMMISSION",
         "CTAP",
         "deepfake",
+        "disclosable",
         "DPIA",
         "ECCG",
         "EDICG",
         "EHIC",
+        "eisvogel",
         "ENISA",
+        "EPUB",
         "EUCC",
         "EUCS",
         "EUDI",
         "FITCEM",
         "GSMA",
         "HAIP",
         "IDAS",
+        "ISSU",
         "Klyne",
         "Kooper",
         "Lodderstedt",
+        "mkdocs",
+        "OJEU",
         "OMAPI",
+        "OOTS",
+        "Pandoc",
+        "pdflatex",
+        "Prox",
         "QEAA",
         "QESRC",
         "QSCD",
         "QTSP",
+        "QTSPAS",
+        "Requestee",
+        "Requestor",
+        "RPACA",
+        "RPRC",
         "Rulebook",
+        "SCAL",
         "Sporny",
+        "tdate",
         "Terbu",
+        "tstr",
         "UICC",
         "UICCs",
         "unlinkability",
         "VCDM",
+        "WIAM",
         "WSCA",
-        "WSCD"
+        "WSCD",
+        "xelatex"
     ]
 }

CHANGELOG

@@ -5,6 +5,10 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semverdoc.org/).
 
+## [1.6.1] - 2025-03-10
+
+Editorial changes and fixing typos.
+
 ## [1.6.0] - 2025-03-03
 
 Added results of "Topic A - Privacy risks and mitigation"

LICENCE

@@ -1,4 +1,5 @@
-The European Digital Identity Wallet Architecture and Reference
-Framework © 2023 by European Commission is licensed under Attribution
-4.0 International. To view a copy of this licence, visit
-http://creativecommons.org/licenses/by/4.0/
+# Licence
+
+The European Digital Identity Wallet Architecture and Reference Framework © 2023
+by European Commission is licensed under Attribution 4.0 International. To view
+a copy of this licence, visit <http://creativecommons.org/licenses/by/4.0/>

Makefile

@@ -26,7 +26,7 @@ SOURCE_DOCS    := $(MAIN_DOC) $(ANNEXES_DOCS)
 # Directories and Build Information
 BUILD_DIR      := ./build
 SITE_DIR       := ./site
-VERSION        := 1.6.0
+VERSION        := 1.6.1
 BUILD          := $(shell date +%Y%m%d.%H%M%S)
 
 # Pandoc configuration
@@ -57,7 +57,6 @@ PANDOC_EPUB_OPTIONS := --to epub3
 %.pdf : %.md
 	@mkdir -p $(BUILD_DIR)/pdf
 	$(PANDOC) $(PANDOC_OPTIONS) $(PANDOC_PDF_OPTIONS) -o $(BUILD_DIR)/pdf/$(notdir $@) $<
-
 # Convert Markdown to DOCX
 %.docx : %.md
 	@mkdir -p $(BUILD_DIR)/docx
@@ -67,14 +66,13 @@ PANDOC_EPUB_OPTIONS := --to epub3
 %.epub : %.md
 	@mkdir -p $(BUILD_DIR)/epub
 	$(PANDOC) $(PANDOC_OPTIONS) $(PANDOC_EPUB_OPTIONS) -o $(BUILD_DIR)/epub/$(notdir $@) $<
-
 # Targets
 # -----------------------------------------------------------------------------
 
 .PHONY: all mkdocs serve copy-pdfs zip-pdfs clean
 
 # Default target: build all exported documents and the MkDocs site.
-all: $(EXPORTED_DOCS) zip-pdfs
+all: $(EXPORTED_DOCS) zip-pdfs mkdocs
 
 # Build the MkDocs site
 mkdocs:

README.md

@@ -1,19 +1,15 @@
 # The European Digital Identity Wallet
 
-
 ![Digital Identity for all Europeans - A personal digital wallet for EU citizens and residents](./docs/media/top-banner-arf.png)
 
-
-## The Digital Identity Regulation
-
 Under the [Electronic Identification, Authentication and Trust Services (eIDAS)
 Regulation](https://digital-strategy.ec.europa.eu/en/policies/eidas-regulation),
 EU Member States may, on a voluntary basis, notify and recognise, national
 electronic identification schemes in their Member States. The recognition of
 notified electronic identification became mandatory in 2018. Yet, there is no
 requirement for Member States to develop a national electronic identification
 and to make it interoperable with those in other Member States. This has led to
-discrepancies between countries. The new Regulation on digital identity
+discrepancies between countries. The new [European Digital Identity Regulation](https://eur-lex.europa.eu/eli/reg/2014/910/2024-10-18)
 addresses shortcomings in eIDAS by improving the effectiveness of the framework
 and extending its benefits to the private sector. Member States will offer
 citizens and businesses digital wallets that will be able to link various
@@ -39,26 +35,75 @@ control of the data they share.
 
 ## The Architecture and Reference Framework
 
-On 3 June 2021, the European Commission adopted a Recommendation calling on
-Member States to work towards the development of a Toolbox including a
-technical Architecture and Reference Framework a set of common standards and
-technical specifications and a set of common guidelines and best practices.
+On 3 June 2021, the European Commission adopted a Recommendation ([COMMISSION
+RECOMMENDATION (EU) 2021/946 of 3 June 2021 on a
+[Common Union Toolbox](https://digital-strategy.ec.europa.eu/en/policies/eudi-wallet-toolbox)
+for a coordinated approach towards a [European Digital Identity Framework](https://eur-lex.europa.eu/eli/reco/2021/946),
+ [OJ L 210/51, 14.6.2021](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=OJ%3AL%3A2021%3A210%3AFULL))
+calling on Member States to work closely together with the Commission towards
+the development of a Toolbox including a technical Architecture and Reference
+Framework (hereinafter the ARF), a set of common standards and technical
+specifications and a set of common guidelines and best practices.
 
 The Recommendation specifies that these outcomes will serve as a basis for the
-implementation of the European Digital Identity Framework, without the process
-of developing the Toolbox interfering with, or prejudging the legislative
-process.
-
-The Recommendation foresees that the Toolbox is developed by Member States’
-experts in the eIDAS Expert Group  in close coordination with the Commission
-and, where relevant for the functioning of the European Digital Identity (EUDI)
-Wallet infrastructure, other concerned public and private sector parties.
-
-This repository contains the "[Architecture and Reference Framework](docs/architecture-and-reference-framework-main.md)"
-(hereinafter the [ARF](docs/architecture-and-reference-framework-main.md)).
-
-The current **authoritative version** is tagged as [realease/tag in this
-repository](https://github.com/eu-digital-identity-wallet/architecture-and-reference-framework/releases).
+implementation of the [European Digital Identity Regulation](https://eur-lex.europa.eu/eli/reg/2014/910/2024-10-18),
+without the process of developing the Toolbox interfering with, or prejudging
+the legislative process.
+
+The Recommendation establishes a structured framework for cooperation between
+Member States, the Commission, and, where relevant, private sector operators to
+develop the Toolbox. The European Digital Identity Cooperation Group (EDICG),
+formerly known as the eIDAS Expert Group, is responsible for:
+
+* exchange best practices and cooperate with the Commission on emerging
+policy initiatives in the field of digital identity wallets, electronic
+identification means and trust services;
+* advising the Commission in the preparation of draft implementing and delegated
+acts;
+* supporting Supervisory Bodies in the implementation of the [European Digital
+Identity Regulation];
+* organising peer reviews of electronic identification schemes;
+* engaging with the Commission and other relevant stakeholders to develop a
+[Common Union Toolbox](https://digital-strategy.ec.europa.eu/en/policies/eudi-wallet-toolbox);
+
+The European Digital Identity Cooperation Group's page can be found
+[at the official page](https://digital-strategy.ec.europa.eu/en/policies/european-digital-identity-cooperation-group).
+
+The European Digital Identity Cooperation Group has since further developed the
+concepts and specifications for the European Digital Identity Framework. The
+current ARF version is based on the [legal text adopted](https://eur-lex.europa.eu/eli/reg/2014/910/2024-10-18)
+by the co-legislators, including the adopted Commission Implementing Regulations:
+
+* [CIR 2024/2977](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R2977)
+regarding PID and EAA,
+* [CIR 2024/2979](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402979)
+regarding integrity and core functionalities,
+* [CIR 2024/2980](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402980)
+regarding ecosystem notifications,
+* [CIR 2024/2981](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402981)
+regarding certification of Wallet Solutions,
+* [CIR 2024/2982](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202402982)
+regarding protocols and interfaces.
+
+## Contents of the repository
+
+This repository contains:
+
+* "[Architecture and Reference Framework](docs/architecture-and-reference-framework-main.md)"
+the main narrative text that describes the European Digital Identity Wallet and
+its ecosystem.
+* "[Annexes](docs/annexes/README.md)" the list of annexes that provide additional
+information to the main narrative text. In particular, the annexes provide normative
+high-level requirements.
+* "[Technical Specifications](docs/technical-specifications/README.md)" the list
+of specifications that will be developed to support the implementation of the
+European Digital Identity Wallet.
+* "[Discussion Topics](docs/discussion-topics/README.md)" the list of discussion
+topics that are open for public consultation. The topics are organized into
+three iterations, each focusing on a specific set of subjects to be included in
+a major document release.
+
+The latest **authoritative version** is tagged as [release/tag in this repository](https://github.com/eu-digital-identity-wallet/architecture-and-reference-framework/releases).
 
 ## Contributing
 
@@ -72,16 +117,16 @@ see the [tags on this repository](https://github.com/eu-digital-identity-wallet/
 
 ## Authors
 
-See the list of [contributors](https://github.com/eu-digital-identity-wallet/architecture-and-reference-framework/graphs/contributors) who participated in this project.
+See the list of [contributors](https://github.com/eu-digital-identity-wallet/architecture-and-reference-framework/graphs/contributors)
+who participated in this project.
 
 ## License
 
-This project is licensed under the [Attribution 4.0
-International](http://creativecommons.org/licenses/by/4.0/) - see the
-[LICENSE.txt](LICENSE) file for details.
+This project is licensed under the [Attribution 4.0 International](http://creativecommons.org/licenses/by/4.0/)
+see the [LICENSE.txt](LICENSE) file for details.
 
 ## [European Commission website](https://commission.europa.eu/index_en)
 
 * [Contact the European Commission](https://commission.europa.eu/about-european-commission/contact_en)
 * [Follow the European Commission on social media](https://european-union.europa.eu/contact-eu/social-media-channels_en#/search?page=0&institutions=european_commission)
-* [Resources for partners](https://commission.europa.eu/resources-partners_en)
+* [Resources for partners](https://commission.europa.eu/resources-partners_en)

SECURITY.md

@@ -1,6 +1,15 @@
 # EU Digital Identity Wallet Vulnerability Disclosure Policy (VDP)
 
-At the European Commission, we treat the security of our Communication and Information Systems as a top priority, in line with Commission Decision EC 2017/46. However, vulnerabilities can never be completely eliminated, despite all efforts. If exploited, such vulnerabilities can harm the confidentiality, integrity or availability of the Commission's systems and of the information processed therein. To identify and remediate vulnerabilities as soon as possible, we value the input of external entities acting in good faith, and we encourage responsible vulnerability research and disclosure. This document sets out our definition of good faith in the context of finding and reporting vulnerabilities, as well as what you can expect from us in return.
+At the European Commission, we treat the security of our Communication and
+Information Systems as a top priority, in line with Commission Decision EC
+2017/46. However, vulnerabilities can never be completely eliminated, despite
+all efforts. If exploited, such vulnerabilities can harm the confidentiality,
+integrity or availability of the Commission's systems and of the information
+processed therein. To identify and remediate vulnerabilities as soon as
+possible, we value the input of external entities acting in good faith, and we
+encourage responsible vulnerability research and disclosure. This document sets
+out our definition of good faith in the context of finding and reporting
+vulnerabilities, as well as what you can expect from us in return.
 
 ## Scope
 
@@ -9,34 +18,50 @@ At the European Commission, we treat the security of our Communication and Infor
 
 ## If you have identified a vulnerability, please do the following
 
-- E-mail your findings to <[email protected]>, specifying whether or not you agree to your name or pseudonym being made publicly available as the discoverer of the problem.
-- Encrypt your findings using our [PGP key](https://ec.europa.eu/assets/digit/pgpkey/ec-vulnerability-disclosure-pgp.txt) to prevent this critical information from falling into the wrong hands.
-- Provide us with sufficient information to reproduce the problem so that we can resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation in terms of technical information or potential proof-of-concept code.
-- Provide your report in English, preferably, or in any other official language of the European Union.
-- Inform us if you agree to make your name/pseudonym publicly available as the discoverer of the vulnerability.
+- E-mail your findings to <[email protected]>, specifying
+whether or not you agree to your name or pseudonym being made publicly available
+as the discoverer of the problem.
+- Encrypt your findings using our [PGP key](https://ec.europa.eu/assets/digit/pgpkey/ec-vulnerability-disclosure-pgp.txt)
+to prevent this critical information from falling into the wrong hands.
+- Provide us with sufficient information to reproduce the problem so that we can
+resolve it as quickly as possible. Usually, the IP address or the URL of the
+affected system and a description of the vulnerability will be sufficient, but
+complex vulnerabilities may require further explanation in terms of technical
+information or potential proof-of-concept code.
+- Provide your report in English, preferably, or in any other official language
+of the European Union.
+- Inform us if you agree to make your name/pseudonym publicly available as the
+discoverer of the vulnerability.
 
 ## Please do not do the following
 
-- Do not take advantage of the vulnerability or problem you have discovered, for example, by downloading more data than necessary to demonstrate the vulnerability, deleting, or modifying other people’s data.
+- Do not take advantage of the vulnerability or problem you have discovered, for
+example, by downloading more data than necessary to demonstrate the
+vulnerability, deleting, or modifying other people’s data.
 - Do not reveal any data downloaded during the discovery to any other parties.
 - Do not reveal the problem to others until it has been resolved.
 - Do not perform the following actions:
-  - Placing malware (virus, worm, Trojan horse, etc.) within the system.
-  - Reading, copying, modifying or deleting data from the system.
-  - Making changes to the system.
-  - Repeatedly accessing the system or sharing access with others.
-  - Using any access obtained to attempt to access other systems.
-  - Changing access rights for any other users.
-  - Using automated scanning tools.
-  - Using the so-called "brute force" of access to the system.
-  - Using denial-of-service or social engineering (phishing, vishing, spam, etc.).
+    - Placing malware (virus, worm, Trojan horse, etc.) within the system.
+    - Reading, copying, modifying or deleting data from the system.
+    - Making changes to the system.
+    - Repeatedly accessing the system or sharing access with others.
+    - Using any access obtained to attempt to access other systems.
+    - Changing access rights for any other users.
+    - Using automated scanning tools.
+    - Using the so-called "brute force" of access to the system.
+    - Using denial-of-service or social engineering (phishing, vishing, spam, etc.).
 - Do not use attacks on physical security.
 
 ## What we promise
 
-- We will respond to your report within three business days with our evaluation of the report.
-
+- We will respond to your report within three business days with our evaluation
+of the report.
 - We will handle your report with strict confidentiality.
 - Where possible, we will inform you when the vulnerability has been remedied.
-- We will process the personal data that you provide (such as your e-mail address and name) in accordance with the applicable data protection legislation and will not pass on your personal details to third parties without your permission.
-- In the public information concerning the problem reported, we will publish your name as the discoverer of the problem if you have agreed to this in your initial e-mail
+- We will process the personal data that you provide (such as your e-mail
+address and name) in accordance with the applicable data protection legislation
+and will not pass on your personal details to third parties without your
+permission.
+- In the public information concerning the problem reported, we will publish
+your name as the discoverer of the problem if you have agreed to this in your
+initial e-mail