Attestation
technical
Full Name: Electronic Attestation of Attributes
Definition
An electronic attestation is a digitally signed data structure issued by an authorized entity that confirms specific attributes about a person are true and valid. In the eIDAS 2.0 regulation, attestations are the fundamental building blocks of the EUDI Wallet: they represent identity documents, qualifications, licenses, and other personal attributes in a cryptographically verifiable digital format. Each attestation is signed by its issuer using digital signature algorithms, making it tamper-evident (any modification invalidates the signature) and independently verifiable by any relying party that trusts the issuer.
Types of Attestations in eIDAS 2.0
The eIDAS 2.0 regulation establishes a hierarchy of attestation types with different trust levels. Person Identification Data (PID) attestations are the highest-trust attestations, issued exclusively by member state authorities. PID contains core identity attributes: full name, date of birth, nationality, and a unique identifier. Every EUDI Wallet must contain a PID attestation, as it serves as the foundation for all other credentials.
Qualified Electronic Attestations of Attributes (QEAAs) are issued by Qualified Trust Service Providers (QTSPs) that have been audited and accredited by national supervisory bodies. QEAAs have enhanced legal standing under eIDAS 2.0 and are presumed to be accurate. Examples include university diplomas, professional qualifications, and healthcare certifications. QEAAs benefit from cross-border recognition throughout the EU.
Electronic Attestations of Attributes (EAAs) are issued by any trusted entity, including private companies, without requiring QTSP accreditation. While they carry less regulatory weight than QEAAs, EAAs serve important functions such as loyalty program memberships, employee badges, gym memberships, and other non-critical credentials. The EUDI Wallet treats all attestation types as first-class citizens, allowing users to manage and present them through a unified interface.
Attestation Lifecycle
An attestation's lifecycle begins with issuance, where the credential issuer creates the attestation data structure, signs it with their private key, and delivers it to the user's EUDI Wallet through the OpenID for Verifiable Credential Issuance (OID4VCI) protocol. During issuance, the attestation is bound to the wallet's device-specific cryptographic key, preventing cloning or unauthorized transfer.
During the active phase, the attestation resides in the user's wallet and can be presented to verifiers on demand. Each presentation involves the user authenticating to their wallet (via biometric or PIN), selecting which attributes to share (selective disclosure), and transmitting the cryptographic proof to the verifier through the OpenID for Verifiable Presentations (OID4VP) protocol. The verifier validates the issuer's signature, checks the attestation's status, and confirms the device binding.
Attestations can be revoked by their issuer at any point, for example when a driving license is suspended or a professional qualification expires. Revocation is published through status list mechanisms that verifiers check during each presentation. Attestations also have natural expiration dates after which they must be renewed. The EUDI Wallet notifies users of approaching expirations and guides them through the renewal process.
Technical Format and Interoperability
EUDI Wallet attestations use two standardized technical formats. SD-JWT VC (Selective Disclosure JSON Web Token Verifiable Credential) is a JSON-based format that supports selective disclosure of individual attributes. The issuer signs the full credential, and the wallet can derive proofs that reveal only selected attributes while maintaining cryptographic verifiability. SD-JWT VC is the primary format for PID and most QEAAs.
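The selective disclosure mechanism described above, as an added example that is not code from the original page or from any EUDI Wallet implementation. It follows the SD-JWT disclosure layout (salted `[salt, name, value]` arrays whose SHA-256 digests sit in the signed `_sd` list). Assumptions: an HMAC tag stands in for the issuer's asymmetric signature, device binding is omitted, and the function names and sample claims are constructed.

```python
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = b"constructed-demo-key"  # stand-in: real issuers sign with an asymmetric key

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def digest(disclosure: str) -> str:
    # SD-JWT hashes the base64url disclosure string itself (SHA-256 by default)
    return b64u(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(claims: dict) -> tuple[str, dict]:
    """Issuer side: return (signed credential, {claim name: disclosure}) for the wallet."""
    disclosures = {
        name: b64u(json.dumps([b64u(secrets.token_bytes(16)), name, value]).encode())
        for name, value in claims.items()
    }
    # Only salted digests are signed; sorting hides the original claim order.
    payload = {"_sd": sorted(digest(d) for d in disclosures.values()), "_sd_alg": "sha-256"}
    body = b64u(json.dumps(payload).encode())
    tag = b64u(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return f"{body}.{tag}", disclosures

def present(credential: str, disclosures: dict, reveal: list[str]) -> str:
    """Wallet side: attach only the disclosures the user chose to share."""
    return "~".join([credential] + [disclosures[n] for n in reveal]) + "~"

def verify(presentation: str) -> dict:
    """Verifier side: check the issuer tag, then match each disclosure to a signed digest."""
    credential, *shown = presentation.rstrip("~").split("~")
    body, tag = credential.split(".")
    expected = b64u(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise ValueError("issuer signature invalid")
    signed = set(json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))["_sd"])
    revealed = {}
    for d in shown:
        if digest(d) not in signed:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        revealed[name] = value
    return revealed
```

A verifier learns nothing about undisclosed attributes beyond the number of digests, because each digest is salted with 128 bits of randomness.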
The mdoc format (based on ISO 18013-5) was originally designed for mobile driving licenses and has been adopted for other credential types in the EUDI Wallet. mdoc uses CBOR encoding and COSE signatures, providing compact credential representations that are efficient for NFC-based offline presentations. Both formats support selective disclosure and device binding, ensuring consistent security properties regardless of the format used.
Cross-border interoperability requires that verifiers in any EU member state can validate attestations issued by any other member state. This is achieved through a common trust framework that publishes trusted issuer registries, standardized credential schemas, and uniform verification procedures. The European Commission maintains the root trust list that all member states reference.