KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
Oh, thanks. Thanks a lot. And thanks a lot Kurt, for inviting me.
This, this is a really pleasure to be here because one of the first conference I had when, since I started working for, for the wallets in the commission was EAC. And this is, I'm, I'm, I'm very happy to be one years later here to see what is happening in one year. Okay. So today what I'm going to talk about is mainly an update on what has been done this year and, but I, I would like to share also some of my opinion on where we are in terms more general terms with, with the wallet and implementation of it.
So are the key updates since the last year, well, where one very important update is that we do have a regulation enter into force, the T of May. This is, I believe, a real milestone that we reached. And this is very important because it's setting a lot of requirements, is setting the complete scene of the whole framework of at the regulatory level. And then the other milestone, important milestone is the architectural reference framework document that's been published just a few days after that and is the version 1.4 where a lot of changes have been introduced.
I will go through that later on. The third important key update is that also the reference implementation, the prototype that we are developing is, has being released the first MVP and is available on Git A together with the, with the UDI wallets. And the third one is that the A LSP, thanks to all these updates have been able to progress in their work. You most probably have seen how many things they are, they're doing and, and that's, this was thanks to the I expert group. I've seen many people you're participating also in the previous talk that was mentioned to that.
So it was possible really to all the people have been participating from our contractors and also, yeah, all the expert groups are from a member state are collaborating there. And now we are going to open it up a bit more. I will explain that later on.
So what, what's in the ref? 1.4 though? It's published, it's on GitHub and the latest version is publicly available so everybody can comment. It was released in May and we are really looking for feedback. What are the main changes of the rev? So first of all, the document has been cleaned up and streamlined in more narrative descriptive format.
So it's, it's all the, all the definition and all the normative aspect of me moved in two different annexes. So we believe now it's much more clear what we are talking about. Then the new has been introduced on new high level architecture will refinement of what was there to clarify all the different components that we have there. And also the trust module has been described a bit more. So we do have much more information what we think about the trust model is or should be, even if it's not entirely defining, it's a, a great improvement that is there.
And then the certification, the first draft of the certification requirement have been added as a nex. I believe these are the main changes, at least those most important that we believe they're being introduced in DRF.
So what, what about the new eye level architecture? So we are trying to, it's very important to define all the different components we are talking to in, in an abstract way in order to understand what are the requirements around this components and how they interact each other in this, in in, in this scenario we identified obviously the protocols you, we seen, you have seen already in the previous version, but now it's clear where they are going to be used in the different scenarios of proximity and remote and for the issuance and all the other components.
And I like just to mention, well, the two months farmers, I think you, you already know as open ID for VP in the presentation and ISO 18 0 13 part five always in the presentation for the proximity scenario. On, on, on, on the issuance for now is open I for VCI, but the two main parts I think we have been working a lot on is what is called the W-S-C-A-W-C-D, so the wallet criticalized secure application and the wallet crypto secure device and all the different options that you have to implement that. At least those we have foresee.
Maybe there are others that we don't know yet, but this is very important because we introduced the, the requirements for these components are obviously they have, they need to have some characteristics to assure the security and privacy of the whole system. And then the, the last one, I think it's, it's much more, well it's, it is important like the, the WWCD and WCA is how the wallet will talk with other application because if you think the wallet, the the, the interaction with with the wallet will re rarely start directly from the wallet.
So the user will always start in all, on many cases will start from another application or from the browser. How this, how the communication between the browser and the wallet, how the communication between the app and the wallet will happen. We believe in this communication there are a lot of, there might be a lot of issue and this is very important to tackle.
There is, there is some project going on that there is a lot of discussion going on in W2 C and right now on this, but we do believe it's a very important component that was not there before and so we introduced because we need to keep an eyes on that. So these are the main, the main, lemme say changes in the, in the eye level architecture, the trust model being a little bit more introduced with a more description.
But I, I think nothing, nothing special needs to be said that everyone, it needs to be registered right to, to, to, to talk, to operate in the ecosystem needs to obtain. Then you can obtain and use the wallets attestation that can be shared in different contexts in different way. And then obviously collect and distribute the trusted list of the trust anchor anchor.
And as, as you can see here in the picture, we, we try to identify the different kind of meaning of the trust that there is because it is what I call access control. So to join the ecosystem and be authenticated and what is then the trust in the attestation itself. Then this the, the, the the, the certification. So the last point is the, the certification. So a lots of requirements on the certification process have been introduced in, in, in this in particular annex six.
And the general requirements are available obviously in the, in the regulation and they are mainly related to cybersecurity but also non cybersecurity because this is also very important aspect that is in the regulation. So the wallet will be certified at fourth cybersecurity and for, for functional also aspect. So there will be a way to test if the wallet is behaving in the same way in the way this is expected. So this is, this is a very important concept we will see later because this will ensure the harmonization and that we will reach that level of interability.
We, we, we would like to, to see there cyber security certification will reuse all their existing scheme. So if there is a CSA scheme, it should be used in this case today, as of today we have only one scheme that is UCC scheme to certify ICT products. So this will be asked to be taken in consideration and then the ambition obviously is to have a dedicated scheme for that made of a composite with a composite approach composition approach. But we will have transitional transitory national certification scheme in the meantime we develop this one.
So a member state shall establish the national certification scheme following the, the requirements or set out by, by the regulation, but also lemme say an harmonized approach that will be decided across member state with the commission without the next steps. So this, well first of all continue to finalize the part of the legislation. So the implementing act, because all the work we are doing in DF at the end is to the fine two things. The implementing act is the secondary piece of regulation that we need to provide based on, on the, on the IIEI that's amended.
And and then also the technical specifications. So all the annexes, all the documents that will specify technically how this will be implemented. I believe this is connected with a third point. So I will go back to the others. The third point. So the fourth point is the standardization and harmonization. There are two important things that we are going to do in the next month. First of all, work closely with the SDO because we do believe we need leverage as much as possible.
The work has been done already in many places to standardize piece of this architecture and we need to have valid technical specification that can be referenced in our legislation to reach that level. We are far away unfortunately, but we are, we trust and we see a lot of effort, especially if we look one years back, what has been done in one year on all this, all this work in the STO. At the same time, the certification will be the key of the harmonization, as I said before. So these two are very two important steps in the roadmap.
Then we will continue with the expert group to define the toolbox. So basically all the, all the, the, the, the first part of the techno specification of of the ERF that will continue to be updated in order to follow what is the evolution of, of, of the wallet. And also we will continue to provide new version of the reference implementation that it's a, a demonstration that what we are writing we are designing is possible to be implemented. What then testing, so LSP have a crucial role in testing with in the real life all this.
And also there will be another important step that is to establish the new government's framework. So to start what is envisioned in, in the, in the regulation to work together with the member state, with the private sector that is part of, already of the regulation that will start soon because it's, it's the regulation is entered into force and then mad not least also integrating the whole, the rest of this trusted service in the wallet. So I believe there is already a huge effort to integrate the signature and we will see also the other, other services.
Yeah, so the implementing act, this is just a few of the topics where we are splitting all the work done into the, into the, into the ref. There will be there, there will be, there is already a first batch envisioned by the by by the regulation that will be on those four main topics.
Okay, so the core functionality of the wallet, the general trust model of the, of the OD wallet, how the electronic attestation artery will work and the identity matching. Later on there will, there will be the others coming because we have two deadlines when one is in six months after the entering into fourth, the other, the other batch will arrive to 12 months after entering into fourth. Very important. This is a very important message I want to leave here.
We are also looking forward to open new largescale pilots on different, well on four main use case prioritized use case wallet for business. I've seen there is a lot of talking about this. It's right, so unfortunately this is not the finance, the natural wallet, a natural person wallet. And we do believe we need to invest time in that. And that's why we do have this in the new cold. There is the wallet for business.
A lot of, a lot of red tape could be cut and removed completely for businesses if we are able to develop that properly. Wallets for travel, we do believe that's great use cases for cross border and how the cities are looking to use the wallet and wallet for payments. Payments and banking. This is again a crucial one because we believe that what we are doing is creating a digital public infrastructure. A digital public infrastructure has been defined in the G 20 last year in India.
It's, it's about building the ground, how to say building the bedrock where to build upon all the rest of the application of the services in the digital transformation where public doesn't means only public sector, it means public interest, meaning that public and private needs to work to build this public infrastructure.
And, and and and in the, in the public digital public infrastructure, there are three main components that two of them are provided by the wallet regulation, the digital identity to identify legally, okay in in order to enable the citizen to participate to the, the, the, the digital society. The second one is data exchange, a way to exchange data and the wallet is providing also the this one and the third one is the payments mechanisms to financial to improve financial inclusion and allow everybody to perform payments and maybe fast payment systems.
So we do believe that we are creating a great framework to create the third one component on payments. So we do believe that wallets will be the right place or will provide the right tools to build.
Also the, to elaborate on also on this point, well the last one is the wallets for age verification. It's very specific use case but it's very important. There is a lot of political attention on this. We know why I will go, I will accelerate a bit because few, I have a few seconds left so I want to leave a message, sir, it is, please read the ref, go to the reference implementation GitHub and read it and, and provide your feedback. We have a time window where we really need your feedback, your opinion. It's very important.
After we made a huge work with LSP, with the expert group, now we are trying to open up this to the civil society, to the industry because now it's time to have opinions from everyone because we have, we believe we have a core of the whole concept there. So please go there and also engage discussion with expert there. Well this is the timeline, but thank you know very well. It's nothing new.
So we see, we expect to see in the 2026 the wallets. Yeah, this is all. And if I may just, even if our time is over, I think there are a lot of challenges in this in the, in this, in this in project really a lot and is really ambitious. But I would like to, and we do know that there is security, there is privacy, user experience. Everything needs to be designed around the user. But I would like today to to to point specifically to one fragmentation. Fragmentation in.
Now in the technical specification, if we look where the DPI have been built in this year, I, I may I, I'm thinking to India, I'm thinking to Brazil, India with AOR and UPI Brazil with a peak through this payment system, they realized they reached a scale that is, IM impressive. So 700 million of user in India and this was possible because they had one stack, okay, one stack.
We, we can have many wallets. We can have, we will, we can talk about the many wallets there will be, but we will need to have one stack, one single digital market, one, one level playing field for everyone. If we start again creating silos, snowflakes, this will fall apart. This is my message for for, for everybody, especially for the technical people because now the bo now we have the chance to work on that as the regulation is there is a good compromise at the end that where we can work on. Hello. Thank you very much. Thank You.
Alright, There've been a few. Thank you. There've been a few questions coming in, but too many for you to answer and you've answered a number of them already anyway, but I think one that was raised earlier was about having a single test bed for everyone to test against. Is is there a plan for that?
Yeah, absolutely. There is a plan for that. We do have actually two plans for that. One is together with our contractor needs that we are working on having, lemme say for development, a test bed for development that might be available and I dunno when the it's come down, but it will be available. I think it's in the roadmap already.
And for, for the certification we need to have a test suite. So we are thinking to work with Etsy or n san to develop that kind of tool because obviously as I said, certification is also un fractional aspect. So we need to have that if you want to have a certification. So Still to come in that case.
Yeah, and I'd just like to say as well, congratulations on everything you're doing because it is incredibly hard and you're doing it all in the open. It's, it's really impressive and it's, I think the, the iterative approach, I think people thought it, the A RFV one would be all there, right? They didn't realize, me included, they didn't realize how iterative it was gonna be. And I think that approach is really good. So first of all, con congratulations and thank you. Thank Lee. Thanks for coming. Thanks. Thanks.
