WP4 Trust Group

Public resources shared within the WE BUILD WP4 Trust Infrastructure group

The Trust Registry Infrastructure group is dedicated to establishing the framework for trust evaluation and management within digital Wallet ecosystems, in compliance but not limited to the model defined by European regulation (910/2014 as amended by Regulation (EU) 2024/1183).

The group develops an implementation of the trust model based on a trusted third party (Trusted Lists) resulting in a Trust Framework and an demo infrastructure of trust.

The group aims to create a comprehensive infrastructure of trust that supports seamless interactions among diverse entities.

LoTL Publication

The List of Trusted Lists (LoTL) for the WP4 Trust Infrastructure is published at:

https://webuild-consortium.github.io/wp4-trust-group/

Format	URL
JSON	list_of_trusted_lists.json
XML	list_of_trusted_lists.xml

During the WE BUILD MVP (pilot) phase, the WP4 Trust Infrastructure group acts as Ecosystem Authority and Trusted List Provider for all participating entities. The LoTL is the trust anchor in the ETSI TS 119 612 model: it references the Trusted Lists for PID Providers, Wallet Providers, and other entity types, enabling Wallet Units and Relying Parties to validate certificates and trust anchors. In the production phase (MVP+), the European Commission and Member State TLPs take over these roles. Registration, notification, and publication responsibilities are described in the Trust Infrastructure Schema.

Documentation (by reference) — automation, contribution, and local tooling:

• LoTL automation and TL integration — End-to-end specification: participant Trusted List Providers add lotl/tl_entries/{tl_type}/{participant_id}.json via pull request; CI fetches each referenced TL, validates its signature with the supplied trust anchor, and checks ETSI schema; on merge, the signed LoTL is regenerated and published to GitHub Pages. Also covers directory layout, GitHub Actions workflows, published URLs, and acceptance criteria.
• LoTL producer and validator (tools/lotl) — Running the Python producer locally: validating tl_entries, generating and signing list_of_trusted_lists.{json,xml}, LoTL signing certificate creation, CLI options, and tests.

To consume the published LoTL and participant Trusted Lists in verification flows, see Trusted List discovery and consumption.

Tasks

gantt
    title WP4 Trust Group Project Schedule
    dateFormat YYYY-MM-DD
    section Task 1
    Definition of the Use cases :active, task1, 2025-09-25, 2026-01-31
    section Task 2
    Definition of the Trust Framework      :active, task2, 2025-10-25, 2026-06-25
    section Task 3
    X.509 PKI with ETSI alignments :task3, 2025-11-25, 2026-04-25
    section Task 4
    Trust Infrastructure API and features  :active, task4, 2025-10-25, 2026-09-25
    Trust list and deploy (4.1)            :active, task4_1, 2025-10-25, 2026-03-25
    RFC (4.2)                             :task4_2, 2026-01-25, 2026-04-25
    Onboarding API (4.3)                  :task4_3, 2026-06-25, 2026-09-25
    section Task 5
    Participants' Certificates and Policies :task5, 2026-01-01, 2026-07-30
    Data model (5.1)                      :task5_1, 2026-01-01, 2026-03-31
    Trust evaluation methods (5.2) :task5_2, 2026-03-01, 2026-07-30
    section Task 6
    Wallet Instance Conformance/Interop :task6, 2026-02-01, 2026-10-30
    section Task 7
    Testing and Validation :task7, 2026-06-01, 2026-12-31

Loading

Directory Structure

wp4-trust-group/
│
├── references/                     # Standards, Drafts, Documentation
│   ├── standards/                  # Official standards and specifications
│   ├── drafts/                     # Draft specifications and working documents
│   ├── reference-specifications/   # Reference implementations and profiles
│   └── overview.md                 # Overview of all references
│
├── task1-use-cases/               # Use cases​
│   ├── terms-and-entities.md      # Consolidated terms, acronyms, and entity definitions (single source)
│   ├── subtask1-1-onboarding/     # Use cases​ onboarding
│   └── subtask1-2-trust-registry/ # Use cases​ trust registry
│
├── task2-trust-framework/         # Trust Framework
│
├── task3-x509-pki-etsi/           # X.509 PKI with ETSI specializations
│
├── task4-trust-infrastructure-api/ # Trust Infrastructure API and additional features
│   ├── trust-infrastructure-api/   # Trust Infrastructure API
│   └── onboarding-api/             # Onboarding API
│
├── task5-participants-certificates-policies/ # Participants' Certificates and Policies
│   ├── data-model/                 # Data model
│   └── trust-evaluation-methods/   # Trust evaluation methods
│
├── task6-Wallet-conformance-interop/ # Wallet Instance Conformance/Interop Checks
│
├── task7-testing-validation/       # Testing and Validation
│
├── docs/                          # Documentation
│   ├── architecture/              # Architecture documentation
│   ├── api/                       # API documentation
│   ├── standards/                 # Standards compliance documentation
│   └── testing/                   # Testing documentation
│
├── examples/                      # Examples and use cases
│   ├── trust-framework/           # Trust framework examples
│   ├── api-usage/                 # API usage examples
│   └── testing/                   # Testing examples
│
├── tools/                         # Development and validation tools
│   ├── validation/                # Validation tools
│   ├── testing/                   # Testing tools
│   └── deployment/                # Deployment tools
│
├── .github/                       # CI/CD workflows and templates
│   ├── workflows/                 # GitHub Actions workflows
│   ├── ISSUE_TEMPLATE/            # Issue templates
│   └── PULL_REQUEST_TEMPLATE/     # Pull request templates
│
├── README.md                      # This file
└── LICENSE                        # License file

Terms and definitions

A single Consolidated Terms and Entity Definitions document collects all acronyms, key terminology, entity definitions, WEBUILD-specific entities (Trust Infrastructure Responsible Group), MVP/MVP+ definitions, and policy terms used across WP4 Trust Group deliverables. RACI definitions and matrices are kept in the onboarding documents (Base Onboarding Framework and each use case doc). For policy discovery and trust verification from the wallet perspective (WRPRC/WRPAC, Trusted Lists, Registry, entitlement validation), see EUDI Wallet Trust and Entitlement Discovery.

Reading paths by scope

Reading paths group documents by the questions or problems they address. Each path lists documents with their purpose and link.

Who/what are we talking about? — Terminology and entity definitions

• Consolidated Terms and Entity Definitions — Single source for acronyms, key terminology, entity types, WEBUILD-specific entities (Trust Infrastructure Responsible Group), MVP/MVP+ definitions, and policy terms.
• Entities Involved — Description of entities participating in trust evaluation, the trust registry, and trust infrastructure (aligned with the EUDIW ARF).

How do participants join the ecosystem? — Onboarding and registration

• Base Onboarding Framework — Common framework: MVP/MVP+ definitions, Member State requirements, RACI matrix; references use-case-specific documents.
• Relying Party Onboarding — RP registration, policy acceptance, certificate validation, access control setup.
• PID / EAA Provider Onboarding — PID/Attestation Provider registration, attestation type declaration, access/registration certificate issuance, trust anchor publication, notification to Commission.
• Wallet Provider Onboarding — Wallet Provider registration, wallet instance attestation, security compliance, trust establishment.
• Onboarding API — API for participant registration, certificate management, policy management, compliance and audits.

How does the trust infrastructure work? — Registration, notification, Trusted Lists

• Trust Infrastructure Schema — Schema and processes for registration/onboarding, notification, and Trusted List publication; responsibilities matrix (Registrar vs. EC vs. MS TLP).
• Trusted List Registration Trust Evaluation Matrix — Requirements matrix for trusted lists, participant registration, and trust evaluation derived from EUDI Wallet ARF Annex 2.

How do participants verify each other’s trustworthiness? — Trust evaluation use cases

• Trust Evaluation Base — Trust sources, ARF requirement mapping, common terminology for trust evaluation.
• Wallet Unit evaluates Credential Issuer — Wallet Unit verifies PID/Attestation Provider before requesting PID or attestation.
• Credential Issuer evaluates Wallet Unit — PID/Attestation Provider verifies Wallet Unit (WUA) before issuing credentials.
• Wallet Unit evaluates Relying Party — Wallet Unit verifies RP before presentation.
• Relying Party evaluates presented credentials — RP validates PID and attestation signatures using Trusted Lists.
• Trusted List discovery and consumption — How to obtain and use LoTL and Trusted Lists for validation.

How does the wallet discover and verify trust? — Wallet (holder) perspective

• EUDI Wallet Trust and Entitlement Discovery — Policy discovery and trust verification from the wallet perspective: WRPRC/WRPAC discovery, Trusted List validation, Registry lookup, entitlement and attribute validation (ARF RPRC_21, RPA_*).

What are the policy approaches (additive vs. subtractive)? — Authentication, authorization, trust marks

• Authentication Authorization Policy Framework — Distinction between authentication and authorization, additive/subtractive principles, federated trust mark use cases.
• Policy Approaches Definition — Additive vs. subtractive policy models, zero-trust, OpenID Federation trust mark integration, attribute/credential classification.
• Trust Mark Semantics Implementation — Implementation guidance for trust mark semantics for Credential Issuers and Relying Parties.

What credentials exist and who may issue them? — Credential catalogues and issuer constraints

• Credential Catalogue — Catalogue of attributes and attestation schemes (ARF Section 5.5, CIR 2025/1569).
• Credential Catalog and Issuer Constraints — Overview and index linking credential catalogues and Trusted List extensions for issuer constraints.
• Trusted List Extensions for Credential Issuers — Configuring which Credential Issuers are authorised to issue specific attestation types via Trusted List extensions.

How are Trusted Lists implemented? — ETSI Trusted Lists and X.509 PKI

• ETSI Trusted Lists Implementation Profile — Implementation profile for ETSI TS 119 612 and TS 119 602: signing, distribution, XML/JSON formats, examples.
• LoTL automation and TL integration — WP4 List of Trusted Lists on GitHub Pages: participant tl_entries pull requests, CI validation, signed LoTL regeneration, and publication (see also tools/lotl).
• ETSI Identifier Handling — Handling of VAT, LEI, and other business identifiers in ETSI profiles, trusted lists, and certificates.

What certificates exist and what policies apply? — Participant certificates and ETSI policy

• Relying Party Access Certificate — WRPRC/WRPAC (access certificate) for Relying Parties.
• Relying Party Registration Certificate — Registration certificate for Relying Parties.
• EAA Provider Access Certificate — Access certificate for Attestation Providers.
• EAA Provider Registration Certificate — Registration certificate for Attestation Providers.
• PID Provider Access Certificate — Access certificate for PID Providers.
• ETSI Policy Enumeration — Enumeration of ETSI policy identifiers and mechanisms for the trust framework.
• ETSI Policy Evaluation — How ETSI specifications apply in additive/subtractive policy evaluation.

How to consume or expose trust via APIs? — Trust Infrastructure and Onboarding APIs

• Trust Infrastructure API — Endpoints for trust management, trust evaluation, trust policies, monitoring and reporting.
• Onboarding API — Endpoints for participant registration, certificate management, policy management, compliance and audits.

How do wallets conform and interoperate? — Conformance and testing

• Task 6: Wallet Conformance/Interop — Conformance areas (trust, certificates, policy, APIs), interoperability (protocols, formats, cryptography), testing frameworks, certification.
• Task 7: Testing and Validation — Component and integration testing, test strategy and tooling, support for WP4 deliverables and quality evidence.

References

Community Regulations

• eIDAS Regulation (EU) No 910/2014 - Regulation on electronic identification and trust services
  • Official Document
• Regulation (EU) 2024/1183 - Amending Regulation (EU) No 910/2014
  • Official Document
• CIR (EU) 2025/848 - Commission Implementing Regulation on the registration of wallet-relying parties
  • Official Document
• CIR 2025/2164 - Commission Implementing Regulation (trusted lists context; referenced by ARF v2.8.0 for ETSI TS 119 612)
  • Official Document
• CIR (EU) 2025/1569 - Commission Implementing Regulation on catalogue of attributes and catalogue of attestation schemes (Articles 7–8)
  • Official Document
• Commission Implementing Decision (EU) 2015/1505 - Rules for authenticating EUMS trusted lists (implemented by ETSI TS 119 615)
  • Official Document
• Further Implementing Acts (ARF v2.8.0): CIR 2025/2527 (qualified certificates for website authentication), 2025/2530 (qualified trust service providers), 2025/2531 (qualified electronic ledgers), 2025/2532 (qualified electronic archiving services).

Standards

• ETSI TS 119 612 (v2.4.1) - Electronic Signatures and Trust Infrastructures (ESI); Trusted Lists
  • Official Document
  • XSD Schema
  • SIE XSD Schema (ListOfTrustedLists)
• ETSI TS 119 602 (v01.01.01) - Electronic Signatures and Trust Infrastructures (ESI); Lists of trusted entities; Data model. Trusted lists in other formats (JSON, XML, CBOR, ASN.1)
  • Official Document
• ETSI TS 119 615 (v01.03.01) - Procedures for using and interpreting EUMS national trusted lists (consumption/validation of LoTL and national trusted lists; implements CID 2015/1505)
  • Official Document
• ETSI TS 119 411-8 (v01.01.01) - Access Certificate Policy for EUDI Wallet Relying Parties (access certificate issuance per ARF Reg_11).
  • Official Document
• ETSI EN 319 411-1 (v1.4.1, 2023-10) - Certificate policy requirements (NCP); Access Certificate Authorities SHALL comply with at least this for ARF Reg_11. CIR 2025/848 Annex IV/V mandates this version.
  • Official Document
• ETSI TS 119 475 (v1.2.1) - Relying party attributes supporting EUDI Wallet User's authorisation decisions (Relying Party Attributes)
  • Official Document (ETSI TS 119 475 v1.2.1)
• ETSI TS 119 412-6 (v1.1.1) - Electronic Signatures and Trust Infrastructures (ESI); Certificate Profiles; Part 6: Certificate profile requirements for PID, Wallet, EAA, QEAA, and PSBEAA providers
  • Official Document
• ETSI TS 119 472-2 (v1.1.1) - Electronic Signatures and Trust Infrastructures (ESI); Profiles for Electronic Attestation of Attributes; Part 2: Profiles for EAA/PID Presentations to Relying Party
  • Official Document
• ETSI TS 119 472-3 (v1.1.1) - Electronic Signatures and Trust Infrastructures (ESI); Profiles for Electronic Attestation of Attributes; Part 3: Profiles for issuance of EAA or PID
  • Final
• ETSI EN 319 412-1 (V1.6.1) - Certificate Profiles; Part 1: Overview and common data structures (identifier semantics for organizationIdentifier, serialNumber)
  • Official Document
• ETSI EN 319 412-2 - Certificate Profiles; Part 2: Certificate profile for certificates issued to natural persons
  • Official Document
• ETSI EN 319 412-3 - Certificate Profiles; Part 3: Certificate profile for certificates issued to legal persons
  • Official Document
• ETSI EN 319 411-2 - Policy and security requirements for TSPs issuing certificates; Part 2: Requirements for Qualified Certificate Issuers
  • Official Document
• ETSI EN 319 401 - General Policy Requirements for Trust Service Providers
  • Official Document
• ETSI TS 119 461 - Policy and security requirements for identity proofing of natural persons (registration identity verification)
  • Official Document

In addition to the above, this project is developed in constant alignment with EUDI Architecture and Reference Framework (ARF) v2.8.0 specifications, adopting LoTE terminology and including core regulatory frameworks (Reg_10/11/31, RPA_02/RPA_04), and access certificate and trusted list standards.

Additional Standards and Drafts

• OpenID Federation 1.0 - Final Specification
• OpenID Federation Wallet Architectures 1.0 - Draft

European Commission Technical Specifications

The following specifications are subject to ongoing updates, which will be integrated and addressed in future project milestones.

• EC TS02 v0.9 (2025-04) - Specification of systems enabling the notification and subsequent publication of Provider information
  • Official Document
• EC TS03 - Wallet Unit Attestation
  • Official Document
• EC TS05 V1.0 (2025-06) - Common Formats and API for Relying Party Registration Information (upcoming ETSI TS)
  • Official Document
• EC TS06 v1.0 (2025-06) - Common set of Relying Party information to be registered
  • Official Document
• EC TS11 - Interfaces and formats for catalogue of attributes and catalogue of attestation schemes
  • Official Document

Security Guidelines

• ENISA EUCC Guidelines Cryptography v.2 (2025-05) - European Union Common Criteria-based Cryptography Guidelines
  • Reference: CIR (EU) 2024/2981, CIR (EU) 2024/482

Dependencies

• ETSI TS 119 182-1 - JAdES digital signatures; Part 1: Building blocks and JAdES baseline signatures (WRPRC JWT/CWT signing)
  • Official Document
• ETSI EN 319 132-1 - XAdES digital signatures; Part 1: Building blocks and XAdES baseline signatures (Trusted List XML signing)
  • Official Document
• IETF RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
• IETF RFC 5914 - Trust Anchor Format
• IETF RFC 5646 - Tags for Identifying Languages (WRPRC language codes)
• IETF RFC 7519 - JSON Web Token (JWT)
• IETF RFC 8392 - CBOR Web Token (CWT)
• W3C XML Digital Signature - XML Signature Syntax and Processing Version 1.1
  • Official Specification
• W3C XML Schema - XML Schema Definition Language
  • Part 1: Structures
  • Part 2: Datatypes

Getting Started

1. Clone the repository
2. Review the task directories for specific implementation details
3. Check the references directory for relevant standards and specifications
4. Clone the repository.
5. Review the task directories for specific implementation details.
6. Check the references directory for relevant standards and specifications.
7. Follow the contributing guidelines for any modifications.

Contributing

We welcome contributions from all collaborators.

• Open issues for bugs, improvements, or questions
• Submit pull requests following the repository structure
• Open issues for bugs, improvements, or questions.
• Submit pull requests following the repository structure.
• Use discussions (if enabled) for ideas and proposals.

By contributing, you agree to follow the project's coding and documentation guidelines above.

Contact

For questions and discussions, please use the GitHub Issues or Discussions section of this repository.

Licensing

Licensed to the WE BUILD Consortium under the consortium agreements. The WE BUILD Consortium licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use these files except in compliance with the License.

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Funding

Co-funded by the European Union

The project is co-funded by the European Union. However, the views and opinions expressed are those of the author(s) only and do not necessarily reflect those of the European Union or the granting authority. Neither the European Union nor the granting authority can be held responsible.