Least Privilege
Category: security
Full Name: Principle of Least Privilege
Definition
The Principle of Least Privilege (PoLP) is a foundational security concept that requires every entity in a system -- whether a user, application, or process -- to operate with only the minimum set of permissions necessary to complete its task. In the EUDI Wallet ecosystem, this principle manifests at every level: from the selective disclosure of credential attributes to end users, through the access controls on backend infrastructure, to the scoped permissions of API integrations. Least privilege minimizes the attack surface and limits the potential damage from security incidents.
Selective Disclosure as Least Privilege
The most visible application of least privilege in the EUDI Wallet ecosystem is selective disclosure: the wallet holder shares individual credential attributes rather than the whole credential. Both the SD-JWT and mdoc (ISO/IEC 18013-5) formats support this in the same basic way. The issuer signs a digest of each salted attribute rather than the attribute itself, so the holder can hand over any subset of attributes and the verifier can still check each one against the issuer's signature.
For example, a venue that checks age only needs to know that the holder is over 18. The issuer already includes an age_over_18 boolean (the ISO/IEC 18013-5 age_over_NN data element, also part of the EUDI PID) alongside the date of birth, so the wallet can disclose just that one element and keep the holder's name, address, photo and exact date of birth hidden. This is the principle of least privilege applied to personal data sharing.
Regulation (EU) 2024/1183 (eIDAS 2.0) codifies this: wallets must support selective disclosure, and relying parties must register and state which data they intend to request and for what purpose. A verifier that asks for more than its stated purpose needs is both outside its registration and in breach of the GDPR data minimisation principle, with the enforcement exposure that implies.
Some wallet implementations go further with zero-knowledge or predicate proofs, where the wallet proves a statement such as "age is over 18" without revealing any issuer-signed data element at all. The difference matters beyond the single attribute: plain SD-JWT or mdoc presentations still reveal the issuer's signature and the digests of the undisclosed attributes, which are stable values that let colluding verifiers correlate presentations unless the issuer hands out batches of single-use credentials. Predicate proofs remove that correlation handle as well, which makes them the strongest form of least privilege currently available for credential disclosure.
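The following is an added example, not code from any EUDI Wallet implementation, showing the salted-digest mechanism that makes selective disclosure work in SD-JWT: the issuer signs only digests, the holder forwards the one disclosure the venue asked for, and the verifier binds that disclosure back to the signature. The issuer key, issuer URL, credential type and claim values are constructed; an HMAC stands in for the issuer's asymmetric JWS signature so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed issuer MAC key: stands in for the issuer's JWS signing key so the
# example runs offline. Real SD-JWT VCs carry an asymmetric JWS signature.
ISSUER_KEY = b"constructed-demo-issuer-key"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used throughout SD-JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> str:
    """One SD-JWT disclosure: base64url(JSON [salt, claim name, claim value])."""
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def digest(disclosure: str) -> str:
    """SHA-256 over the ASCII disclosure string, base64url-encoded (_sd_alg sha-256)."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict, decoys: int = 2) -> dict:
    """Issuer: every claim becomes a disclosure; only the digests are signed."""
    disclosures = {name: make_disclosure(name, value) for name, value in claims.items()}
    sd = [digest(d) for d in disclosures.values()]
    # Decoy digests hide how many claims the credential really carries.
    sd += [digest(b64url(secrets.token_bytes(16))) for _ in range(decoys)]
    payload = {
        "iss": "https://issuer.example",  # constructed
        "vct": "urn:eudi:pid:1",          # constructed type identifier
        "_sd_alg": "sha-256",
        "_sd": sorted(sd),                # sorted so position leaks nothing
    }
    body = json.dumps(payload, separators=(",", ":"), sort_keys=True)
    tag = hmac.new(ISSUER_KEY, body.encode(), "sha256").hexdigest()
    return {"payload": body, "tag": tag, "disclosures": disclosures}


def present(issued: dict, reveal: list) -> dict:
    """Holder: forward the signed payload plus only the requested disclosures."""
    return {
        "payload": issued["payload"],
        "tag": issued["tag"],
        "disclosures": [issued["disclosures"][name] for name in reveal],
    }


def verify(presentation: dict, required: list) -> dict:
    """Verifier: check the issuer tag, then bind each disclosure to a signed digest."""
    body = presentation["payload"]
    expected = hmac.new(ISSUER_KEY, body.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["tag"]):
        raise ValueError("issuer signature check failed")
    signed_digests = set(json.loads(body)["_sd"])
    revealed = {}
    for disclosure in presentation["disclosures"]:
        if digest(disclosure) not in signed_digests:
            raise ValueError("disclosure is not covered by the issuer signature")
        _salt, name, value = json.loads(b64url_decode(disclosure))
        if name in revealed:
            raise ValueError(f"duplicate disclosure for {name}")
        revealed[name] = value
    missing = [name for name in required if name not in revealed]
    if missing:
        raise ValueError(f"required claims not disclosed: {missing}")
    return revealed


if __name__ == "__main__":
    pid = issue({"given_name": "Erika", "family_name": "Mustermann",
                 "birthdate": "1990-01-01", "age_over_18": True})
    venue_presentation = present(pid, ["age_over_18"])
    print(verify(venue_presentation, ["age_over_18"]))  # {'age_over_18': True}
```

The verifier learns exactly one claim and, apart from the decoys, only the digests of the others. A production verifier additionally checks the holder's key binding JWT (the cnf claim) so that a captured presentation cannot be replayed by someone else.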
Infrastructure Access Controls
Within EUDI Wallet backend infrastructure, least privilege is enforced through multiple complementary mechanisms. Kubernetes Role-Based Access Control (RBAC) ensures that each service account has only the permissions needed for its specific function. The credential issuance service has access to signing keys but not to revocation lists. The status service can update revocation information but cannot issue new credentials. In practice the signing key itself should live in an HSM or cloud KMS, so the issuance service's permission is "sign with key X" rather than "read key X"; a service that holds raw key bytes has more privilege than signing requires.
Network policies implement least privilege at the communication level. Kubernetes allows all pod-to-pod traffic until a policy selects a pod, so the pattern starts with a default-deny policy per namespace and then allows only the flows each microservice needs. A compromised monitoring service cannot reach the key management system because no policy allows that path, regardless of any application-level vulnerabilities.
Database access follows the same principle: each service connects with credentials that grant access only to the specific tables and operations it requires. The issuance service has write access to the credential registry but read-only access to configuration tables. Audit logging captures all access attempts, providing visibility into any privilege escalation attempts.
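As an added example for the RBAC paragraph above (not code from any EUDI project), the following evaluates Role and RoleBinding objects the way the Kubernetes authorizer does and flags wildcard rules, so the issuance/status split can be asserted in CI before the manifests are applied. The namespace, service account names, roles and resource names are constructed; ClusterRoles, ClusterRoleBindings, nonResourceURLs and aggregated roles are deliberately out of scope.

```python
"""Least-privilege audit of Kubernetes RBAC for EUDI backend service accounts."""

# Constructed Role and RoleBinding objects, in the shape kubectl would apply.
ROLES = [
    {"metadata": {"namespace": "eudi", "name": "issuer"},
     "rules": [
         {"apiGroups": [""], "resources": ["secrets"],
          "resourceNames": ["issuer-signing-key"], "verbs": ["get"]},
         {"apiGroups": [""], "resources": ["configmaps"],
          "resourceNames": ["issuer-config"], "verbs": ["get", "watch"]},
     ]},
    {"metadata": {"namespace": "eudi", "name": "status"},
     "rules": [
         {"apiGroups": [""], "resources": ["configmaps"],
          "resourceNames": ["revocation-list"], "verbs": ["get", "update", "patch"]},
     ]},
    # A rule like this is what the audit below is meant to catch.
    {"metadata": {"namespace": "eudi", "name": "monitoring-too-broad"},
     "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
]

BINDINGS = [
    {"metadata": {"namespace": "eudi", "name": "issuer"},
     "roleRef": {"kind": "Role", "name": "issuer"},
     "subjects": [{"kind": "ServiceAccount", "name": "issuance-svc", "namespace": "eudi"}]},
    {"metadata": {"namespace": "eudi", "name": "status"},
     "roleRef": {"kind": "Role", "name": "status"},
     "subjects": [{"kind": "ServiceAccount", "name": "status-svc", "namespace": "eudi"}]},
    {"metadata": {"namespace": "eudi", "name": "monitoring"},
     "roleRef": {"kind": "Role", "name": "monitoring-too-broad"},
     "subjects": [{"kind": "ServiceAccount", "name": "monitoring-svc", "namespace": "eudi"}]},
]


def _matches(listed, wanted):
    return "*" in listed or wanted in listed


def rule_allows(rule, api_group, resource, name, verb):
    """RBAC rule semantics: apiGroup, resource and verb must all match ("*" is a
    wildcard); resourceNames, when present, further restricts to named objects."""
    if not _matches(rule.get("apiGroups", []), api_group):
        return False
    if not _matches(rule.get("resources", []), resource):
        return False
    if not _matches(rule.get("verbs", []), verb):
        return False
    names = rule.get("resourceNames")
    return not names or name in names


def rules_for(sa_name, sa_namespace, roles=ROLES, bindings=BINDINGS):
    """(namespace, rule) pairs reachable by a service account through namespaced
    RoleBindings. ClusterRoles/ClusterRoleBindings are out of scope here."""
    by_key = {(r["metadata"]["namespace"], r["metadata"]["name"]): r for r in roles}
    out = []
    for b in bindings:
        if b["roleRef"]["kind"] != "Role":
            continue
        bound = any(s["kind"] == "ServiceAccount" and s["name"] == sa_name
                    and s.get("namespace") == sa_namespace for s in b["subjects"])
        role = by_key.get((b["metadata"]["namespace"], b["roleRef"]["name"]))
        if bound and role:
            out.extend((b["metadata"]["namespace"], rule) for rule in role["rules"])
    return out


def can(sa_name, sa_namespace, verb, resource, name, api_group="", namespace="eudi"):
    """Offline mirror of:
    kubectl auth can-i <verb> <resource>/<name> -n <namespace> \
        --as=system:serviceaccount:<sa_namespace>:<sa_name>"""
    return any(ns == namespace and rule_allows(rule, api_group, resource, name, verb)
               for ns, rule in rules_for(sa_name, sa_namespace))


def wildcard_roles(roles=ROLES):
    """Names of Roles with a "*" in apiGroups, resources or verbs of any rule."""
    return sorted(r["metadata"]["name"] for r in roles
                  if any("*" in rule.get(k, []) for rule in r["rules"]
                         for k in ("apiGroups", "resources", "verbs")))
```

Against a live cluster the same questions are answered by `kubectl auth can-i ... --as=system:serviceaccount:<ns>:<sa>`; the offline version is useful because it runs on the manifests in the repository before anything is deployed. Note that resourceNames cannot constrain list or watch, which is why the secrets rule above grants only get.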
API and Protocol-Level Least Privilege
OAuth 2.0 scoping implements least privilege for API access in the EUDI Wallet ecosystem. In OpenID4VCI each credential configuration the issuer offers maps to a scope (or to an RFC 9396 authorization_details entry), and the wallet asks for only the configuration it is about to fetch. The authorization server issues a token carrying exactly those scopes, and the credential endpoint checks them again before issuing, so a token obtained for one credential type cannot be reused to fetch another.
Verifier registration in the EUDI Wallet trust framework also embodies least privilege. Each relying party is registered with the credential types it may request and the attributes within them it is authorized to receive, and the wallet checks every presentation request against that registration. A retail store registered for age verification cannot obtain educational credentials or health information, even if those credentials exist in the user's wallet; a request that exceeds the registration should be refused outright rather than answered with the permitted subset, since a partial answer still rewards over-asking.
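The two scoped checks described in the preceding paragraphs (token minting for issuance, and wallet-side screening of a relying party's request) share one shape: the requested set must be a subset of the registered set, and an over-request fails closed. The block below is an added example, not code from an EUDI component. Client identifiers, scope values, relying party identifiers, credential types and the simplified request structure (a list of credentials with vct and claim paths, loosely modelled on OpenID4VP queries) are all constructed; it also assumes the scope value equals the OpenID4VCI credential_configuration_id, which issuer metadata is free to define.

```python
"""Two scoped-request checks that fail closed (added example, not EUDI code).

(1) Authorization server side, OpenID4VCI issuance: the token carries exactly
    the scopes the wallet asked for, and asking for a scope the client is not
    registered for is an error rather than a silent down-scope.
(2) Wallet side, presentation: every credential type and claim path in a
    relying party's request must be in its registration, else the whole
    request is refused.
"""

# Constructed client registry. Scope values are assumed to equal the OpenID4VCI
# credential_configuration_id.
CLIENT_SCOPES = {
    "wallet-app": {"eu.europa.ec.eudi.pid.1", "org.iso.18013.5.1.mDL"},
}

# Constructed relying party registry: rp -> credential type (vct) -> claim paths.
RP_REGISTRY = {
    "retailer.example": {"urn:eudi:pid:1": {("age_over_18",)}},
    "university.example": {
        "urn:eudi:pid:1": {("given_name",), ("family_name",), ("birthdate",)},
        "urn:eudi:diploma:1": {("degree",), ("graduation_date",)},
    },
}


class ScopeError(ValueError):
    pass


def issue_access_token(client_id: str, requested_scope: str) -> dict:
    """Mint a token with exactly the requested scopes, all of which must be registered."""
    requested = set(requested_scope.split())
    if not requested:
        raise ScopeError("empty scope")
    extra = requested - CLIENT_SCOPES.get(client_id, set())
    if extra:
        raise ScopeError(f"{client_id} is not registered for {sorted(extra)}")
    return {"access_token": "opaque-constructed-token", "token_type": "Bearer",
            "scope": " ".join(sorted(requested))}


def credential_endpoint(token: dict, credential_configuration_id: str) -> dict:
    """The credential endpoint enforces scope itself; trusting the AS alone is not enough."""
    if credential_configuration_id not in token["scope"].split():
        raise ScopeError(f"token scope does not cover {credential_configuration_id}")
    return {"credential_configuration_id": credential_configuration_id,
            "credential": "<issued credential would go here>"}


def authorize_presentation_request(rp_id: str, request: dict) -> dict:
    """Wallet-side check of a simplified presentation query:
    request = {"credentials": [{"vct": ..., "claims": [[path, ...], ...]}, ...]}
    Returns {vct: [claim names]} the wallet may go on to disclose, or raises."""
    entitlements = RP_REGISTRY.get(rp_id)
    if entitlements is None:
        raise PermissionError(f"{rp_id} is not a registered relying party")
    permitted = {}
    for cred in request.get("credentials", []):
        allowed_paths = entitlements.get(cred["vct"])
        if allowed_paths is None:
            raise PermissionError(f"{rp_id} may not request {cred['vct']}")
        for path in cred["claims"]:
            if tuple(path) not in allowed_paths:
                raise PermissionError(
                    f"{rp_id} may not request {'.'.join(path)} from {cred['vct']}")
        permitted[cred["vct"]] = [".".join(p) for p in cred["claims"]]
    return permitted
```

Both checks refuse rather than trim: RFC 6749 allows an authorization server to down-scope silently, but a wallet or issuer that wants over-requests to be visible (and logged) is better served by an explicit error, and the same holds for a relying party that asks for a birthdate when only age_over_18 is registered.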
The combination of user-facing selective disclosure, scoped protocol access and infrastructure-level access controls creates a layered least privilege architecture that protects personal data at every stage of its lifecycle within the EUDI Wallet ecosystem.