Waving EU flags.

QEAA Put Simply: Importance of Qualified Electronic Attestation of Attributes for the EUid Wallet

published on 28.11.2023

The virtual “European Digital Identity Wallet”, or EUid Wallet for short, is taking shape. QEAAs play a key role in the EUid Wallet ecosystem. For example, they are always used in e-government, online banking or even in digital education to provide credible proof of the characteristics of natural and legal persons at a qualified level.

But what exactly are QEAAs, and what future role will they play in the virtual wallet?

QE…? Aha! An Introduction to QEAA

Almost ten years ago, the European Union launched the eIDAS Regulation. The regulations on Electronic Identification, Authentication and Trust Services are currently being revised. The goal of eIDAS 2.0 is ambitious: By 2030, 80 per cent of EU citizens are to be provided with a digital identity wallet by the member states – the EUid Wallet. The purpose is to make it possible for people to identify themselves digitally in various areas of everyday life, such as when applying for administrative services, opening bank accounts, booking hire cars or enrolling at university. Companies will also be included among the users. The wallet is based on a basic identity (PID, personal identification data), which in Germany will most likely be created using the online ID function. The plan is for the EUid Wallet to offer citizens the option of adding further attributes to their wallet in order to share their identity, data and certificates with third parties. QEAA comes into play for all the information that goes beyond the basic identity. This somewhat unwieldy abbreviation stands for “qualified electronic attestation of attributes”. In other words, it is about proving the trustworthiness of the characteristics of a natural person or legal entity.

The role of QEAA in the EUid Ecosystem

The use of identity in the context of the EUid Wallet is therefore not limited to attributes such as first name and surname, nationality, place of birth and registered address. In order for the wallet to be usable in many different areas of life, the integration of other attributes, such as a person’s authorisations, qualifications or legal affiliations, will also be necessary. The aim is therefore to allow users to identify themselves as a university graduate, a car driver or a member of a certain professional group. Marital status and – especially for companies – a whole range of different company data can also be integrated into the Wallet.

The QEAA will be a new trust service which will clearly indicate during an online transaction that a certain characteristic really belongs to a person or a company. One example: Only a person whose driving licence has been electronically confirmed in advance will be able to book a hire car. The underlying attributes are always verified using a reliable source that is recognised as the primary source of the respective attribute (authentic source). For driving licenses, this is done by the central driving license register of the German Federal Motor Transport Authority.

Woman holds a smartphone.

Person standing in front of the car with a smartphone.

A distinction needs to be made between EAAs (electronic confirmation of attributes) and QEAAs (qualified electronic confirmation of attributes): EAAs can originate either from government-authorized sources or from sources that are not “authentic sources”. However, EAAs from state-authorized registers automatically fulfil the value of a QEAA and can be issued directly into the Wallet, while other EAAs do not have the same evidential value as a paper certificate or identity document. Attributes from sources not authorized by the state therefore only achieve the status of a QEAA if they have been checked and validated by a qualified trust service provider (qTSP). The attribute must be applied for via an eIDAS-compliant issuing process in order to be issued as a QEAA into the Wallet.

The EUid Ecosystem and Its Players

  • EUid Wallet users
  • PID providers (personal ID data, PID): The provider of a basic identity (PID) verifies the identity of the user of a Wallet and then provides a PID for them. In Germany, this could be done via the online ID function (eID).
  • Member state enabled authentic sources: These are government agencies and registers that are already recognized as the primary source of an attribute and can therefore issue attributes with the same legal value as a QEAA directly into the Wallet. As these bodies have to meet very specific requirements, the number of attributes they issue is limited. Sample EEAs issued by them are the Mobile Driving License (mDL) or the digital passport.
  • Non-enabled authentic sources: These include all other reliable sources that are recognized as primary sources of an attribute, such as certificate or professional license registers. These attributes are issued into the Wallet as QEAAs via a qualified trust service provider.
  • Qualified trust service providers: Only a qTSP may certify attributes electronically in a qualified manner. It must be on the Trusted List. The Trusted List is a directory of all accredited qTSPs and the trust services they offer.
  • Verifier or relying party: This is the service provider with which EUid users digitally identify themselves for a service and provide proof of their attributes. For example, it may be the car-sharing company referred to above that requires proof of a driving license.

Brief Explanation of the QEAA Process

Anyone familiar with the various players in the EUid ecosystem probably already has a good idea of the process involved in the qualified electronic attestation of attributes. Basically, the possible process runs without a great deal of effort for Wallet users.

How is a QEAA issued and verified?

This can be illustrated by the following case:

  1. Someone wants to provide evidence of his/her training for a digital application and requires the corresponding proof as a QEAA. He/she requests the attribute from the qualified trust service provider (qTSP) via the Wallet or the application portal.
  2. This identifies the applicant in a qualified manner via his/her eID on the ID card or the PID and validates the attribute by means of a register enquiry at the relevant Chamber of Industry and Commerce (Industrie und Handelskammer, IHK).
  3. The qTSP then secures the attribute data cryptographically with an electronic seal. Via an interface, it transfers the QEAA to the user’s Wallet, who can then apply with the attribute.

Another thing that the process makes clear: Attributes will never end up in the Wallet at random. The user will always retain control over the process. However, this does not mean that the number of possible features is limitless: In each of the 27 Member States, it is currently possible to determine which attributes are to be issued directly from state-recognised sources and which registers are to be considered primary sources.

“It is with their digital identity that people prove who they are. In many processes, however, it is much more interesting whether someone is acting in a certain role. Does the person represent a company in a legally binding way? Or are they even a managing director? A member of an association? Digital and verified proof of such statements would be possible via attribute confirmation.”

Dr Kim Nguyen, Managing Director of D-Trust GmbH
Dr Kim Nguyen, Managing Director of D-Trust GmbH

Advantages und Applications of the QEAA

The planned introduction of the QEAA in connection with eIDAS 2.0 offers the potential of gradually digitalising all relevant proofs or authorisations, including not only driving licences and school certificates but also marriage certificates and fishing licences. And this also means: Administrative processes in particular, which previously required original documents or notarised copies, could be mapped completely digitally. And register queries could be supplemented by the QEAA as well. Especially in highly regulated industries such as the financial sector, the qualified electronic attestation of attributes would also benefit know-your-customer and compliance processes. It could also help with creating an organisational ID for companies.
However, the qualified electronic attestation of attributes is still a thing of the future. It may be some time before it can be certified as a trust service.