digeorgi
commented
1 month ago Thank you very much for your feedback. The Wallet Provider Trusted List exists because we need a method to ensure that only certified Wallets can be used in the EUDI Wallet ecosystem. This is clearly required in the Regulation. In addition, allowing the use of non-certified Wallets is a potential security risk. If such a Wallet would, for instance, be hacked in such a way that the attacker can impersonate the Wallet user, this could lead to severe damage for the user. Moreover, it could also lead to reputational damage to the EUDI Wallet ecosystem as a whole. There is another issue at play here, which is the fact that PID Providers can choose which Wallets (out of all Wallets on the Trusted List) they support for issuing PIDs. They do not have to support all certified Wallets. This is a political reality since PID issuance is a national prerogative. Note: the text you quoted from the ARF v1.4.0 suggests that this is also true for Attestation Providers, but indeed this is an error that will be fixed in the next version of the ARF.
Description
Name: Heather Dahl, Ken Ebert, Indicio
ARF Chapter: 6.6.2.2 WALLET INSTANCE AUTHENTICATES THE PID PROVIDER OR ATTESTATION PROVIDER “This means that the PID Provider or an Attestation Provider are not obliged to issue a PID or an attestation respectively to any certified Wallet Instance upon the request of the User. Instead, they may decide to support only a single Wallet Solution, or a limited number of Wallet Solutions.”
Recommendation This means that my native country wallet may not work when I travel to a different EU country because my wallet provider did not subscribe to the Trusted Lists for that Member State. A more dynamic method for Trusted Lists should be implemented. Instead it should warn, instead of prevent.