Trust lists

Trust lists are the foundation of the EUDI Wallet ecosystem's trust model. They publish trust anchors for authorized entities, enabling the Truvity EUDIW Connector to verify credential issuers across borders.

Trusted Lists and Lists of Trusted Entities

The Architecture Reference Framework (ARF) distinguishes between two types of registries that serve different categories of entities in the EUDI ecosystem.

Trusted Lists are registries in the sense of Article 22 of the eIDAS Regulation. They cover entities that are trust service providers:

  • QEAA Providers: Qualified Electronic Attestation of Attributes Providers.
  • PuB-EAA Providers: Providers of attestations published under a specific legal basis.

Lists of Trusted Entities (LoTEs) cover entities that are not trust service providers but still require published trust anchors:

  • PID Providers: Government agencies authorized to issue Personal Identification Data.
  • Wallet Providers: Organizations that provide EUDI Wallet solutions.
  • Access Certificate Authorities: Entities that issue access certificates to Relying Parties.
  • Providers of registration certificates: Entities that issue registration certificates describing an organization's registered scope.

Both Trusted Lists and LoTEs serve the same purpose: publishing trust anchors so that ecosystem participants can verify each other. However, they have different legal bases and governance requirements.

Note: There is no Trusted List or LoTE for Relying Parties. The expected number of Relying Parties across the EU makes this infeasible. Instead, Relying Parties are authenticated through access certificates issued by Access Certificate Authorities whose trust anchors are published in a LoTE. See certificates for details on access certificates.

Discovery through the Commission's trust infrastructure

The European Commission maintains a common trust infrastructure that enables any entity in the EUDI Wallet ecosystem to discover all Trusted Lists and LoTEs. Each member state's Trusted List or LoTE Provider signs and publishes its lists, then makes the URLs available through this infrastructure.

This federated model respects national sovereignty while ensuring EU-wide interoperability. Each member state maintains its own lists, and the Commission's infrastructure provides a single discovery point for all of them.

Trust verification

When your app receives a presentation through the connector, the trust verification follows these steps:

  1. The Relying Party discovers the relevant Trusted Lists and LoTEs through the Commission's common trust infrastructure.
  2. The Relying Party obtains trust anchors for PID Providers and Attestation Providers from these lists.
  3. When verifying a credential, the Relying Party uses the trust anchor to verify the Provider's signature, possibly through intermediate certificates in the chain.

Verification paths by attestation category

The trust verification path differs depending on the type of attestation:

  • PIDs and QEAAs: The Relying Party verifies the Provider's signature using trust anchors obtained directly from a LoTE or Trusted List.
  • PuB-EAAs: The Relying Party first verifies the PuB-EAA Provider's signature using a qualified certificate issued by a QTSP, then verifies that certificate using the QTSP's trust anchor from the Trusted List.
  • Non-qualified EAAs: The applicable Attestation Rulebook defines how the Relying Party obtains the relevant trust anchor. These attestations may use domain-specific trust mechanisms.
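The PuB-EAA path above, as an added Go example that is not taken from the EUDIW Connector or any Truvity code: it checks the attestation signature with the provider's certificate, then requires that certificate to chain to a QTSP anchor. The certificates, Ed25519 keys, payload and the names `issue`, `verifyPubEAA` and `demo` are constructed for illustration; an in-memory pool stands in for anchors read from a Trusted List, and checking the list's own signature and the provider's status is left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func issue(cn string, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	key := ed25519.NewKeyFromSeed(must(io.ReadAll(io.LimitReader(rand.Reader, ed25519.SeedSize))))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().Add(time.Hour), IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil { // no parent: constructed self-signed CA playing the QTSP
		parent, pk = t, key
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pk))
	return must(x509.ParseCertificate(der)), key
}
// verifyPubEAA: signature under the provider certificate first, then chain to a listed anchor.
func verifyPubEAA(payload, sig []byte, provider *x509.Certificate, anchors *x509.CertPool) error {
	if err := provider.CheckSignature(x509.PureEd25519, payload, sig); err != nil {
		return fmt.Errorf("attestation signature: %w", err)
	}
	_, err := provider.Verify(x509.VerifyOptions{Roots: anchors, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}
func demo() (listed, unlisted, altered error) {
	qtsp, qtspKey := issue("Constructed QTSP", nil, nil)
	prov, provKey := issue("Constructed PuB-EAA Provider", qtsp, qtspKey)
	anchors := x509.NewCertPool() // stands in for anchors read from a Trusted List
	anchors.AddCert(qtsp)
	msg := []byte("constructed attestation payload")
	sig := ed25519.Sign(provKey, msg)
	return verifyPubEAA(msg, sig, prov, anchors), // QTSP is a listed anchor: accepted
		verifyPubEAA(msg, sig, prov, x509.NewCertPool()), // QTSP absent from the list: rejected
		verifyPubEAA([]byte("altered"), sig, prov, anchors) // payload changed: rejected
}
func main() { fmt.Println(demo()) }
```

The second case is the one trust lists exist for: the signature and certificate are both well formed, and the attestation is still rejected because the issuing CA is not a published anchor.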

Automated verification

The EUDIW Connector automates this verification process. When your app receives a presentation (for example, a PID or driver's license), the connector verifies the trust chain, confirms the issuer is authorized, and checks that the issuer's entry is active and not revoked.

Standards

The trust list infrastructure in the EUDI ecosystem is governed by two ETSI standards:

  • ETSI TS 119 612 defines the format and processing rules for Trusted Lists.
  • ETSI TS 119 602 defines the data model for Lists of Trusted Entities.