eu-digital-identity-wallet / eudi-doc-architecture-and-reference-framework

The European Digital Identity Wallet
https://eu-digital-identity-wallet.github.io/eudi-doc-architecture-and-reference-framework/

Should Status lists be used for the validation of attestations? #306

Open vilmosa opened 2 months ago

vilmosa commented 2 months ago

According to the eIDAS 2 regulation, "Relying Parties shall be responsible for carrying out the procedure for authenticating and validating person identification data and electronic attestation of attributes requested from European Digital Identity Wallets". According to the ARF there are status lists which will facilitate the validation. However, these lists cannot be reached if RPs are offline, therefore in such transactions the technical conditions for validation are missing. The use of status lists does not comply with the legal requirements. Alternative methods should be used which can better guarantee the validity and integrity of PIDs and attestations. A trust chain from provider through user to verifier would be a more suitable solution.

digeorgi commented 2 days ago

Thank you for your input. We believe there are some misunderstandings regarding the role of status lists:

  1. Firstly, the ARF requires status lists only as one of the possible mechanisms for revocation checking. Status lists are not intended to replace the trust chain going back to the Attestation Provider's trust anchor in a Trusted List. Verification of the trust chain ensures that the attestation is authentic. In addition, a verification of a status list ensures that the Attestation Provider did not revoke the attestation.
  2. Secondly: Status lists, like standard CRLs for certificates, can (and will) be cached by Relying Parties. This enables a Relying Party to verify that the attestation was not revoked even when the RP is offline. Obviously, the RP should ensure that it regularly refreshes the cached status list in order to have the latest revocation information. But this requires only intermittent internet access, and not necessarily at the moment the RP requests an attestation from a Wallet Instance and verifies it.

Please let us know if this answers your questions.
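The caching model described in point 2 above, as an added example that is not part of the original thread or of the ARF: a Relying Party keeps a local copy of each status list it has seen, checks an attestation's index against that copy while offline, and refuses to treat the check as passed once the copy is older than its own freshness policy. The bit-array layout (one bit per index, index 0 in the least significant bit of byte 0, zlib-compressed) follows the IETF Token Status List draft in simplified form; the `max_age` policy, the cache dictionary and the status-list URI are assumptions made for this example.

```python
import zlib
from dataclasses import dataclass

# Status values at one bit per entry (simplified Token Status List layout).
VALID, INVALID = 0, 1


def encode_status_list(statuses):
    """Pack one status bit per attestation index (index 0 is the least
    significant bit of byte 0) and zlib-compress the result, as an
    Attestation Provider would when publishing the list."""
    raw = bytearray((len(statuses) + 7) // 8)
    for idx, status in enumerate(statuses):
        if status not in (VALID, INVALID):
            raise ValueError("a one-bit list only holds 0 or 1")
        raw[idx // 8] |= status << (idx % 8)
    return zlib.compress(bytes(raw))


def status_at(blob, idx):
    """Read the status bit for one attestation index from a compressed list."""
    raw = zlib.decompress(blob)
    if idx // 8 >= len(raw):
        raise IndexError("index outside the status list")
    return (raw[idx // 8] >> (idx % 8)) & 1


@dataclass
class CachedStatusList:
    uri: str          # where the RP downloaded the list from (assumed value)
    blob: bytes       # compressed bit array as published
    fetched_at: int   # unix seconds of the last successful download
    max_age: int      # RP policy (assumed): how old a cached copy may be

    def is_fresh(self, now):
        return now - self.fetched_at <= self.max_age


def refresh(cache, uri, blob, now, max_age):
    """Called when the RP is online: replace (or add) the cached copy."""
    cache[uri] = CachedStatusList(uri, blob, now, max_age)


def check_revocation(cache, uri, idx, now):
    """Return 'valid', 'revoked' or 'unknown'.

    'unknown' is the fail-closed outcome for an RP that has no cached copy
    of the list, or whose copy is older than its policy allows; the RP must
    not treat such an attestation as verified until it has refreshed."""
    entry = cache.get(uri)
    if entry is None or not entry.is_fresh(now):
        return "unknown"
    return "revoked" if status_at(entry.blob, idx) == INVALID else "valid"


if __name__ == "__main__":
    # Constructed sample: 16 attestations, the one at index 5 revoked.
    uri = "https://status.example.invalid/list/1"  # constructed URI
    blob = encode_status_list([VALID] * 5 + [INVALID] + [VALID] * 10)
    cache = {}
    refresh(cache, uri, blob, now=1_000_000, max_age=86_400)  # online moment
    print(check_revocation(cache, uri, 3, now=1_003_600))     # offline, fresh
    print(check_revocation(cache, uri, 5, now=1_003_600))     # offline, fresh
    print(check_revocation(cache, uri, 3, now=1_200_000))     # cache too old
```

The `max_age` value is the RP's own trade-off: a longer window means more transactions can be verified offline, but also a longer period during which a revocation published after the last refresh goes unnoticed. An RP that needs stronger guarantees shortens the window and, when the cached copy is stale, treats the result as not verified rather than as valid.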

vilmosa commented 2 days ago

"a verification of a status list ensures that the Attestation Provider did not revoke the attestation." True, this is the main purpose of the Status List. But if the List is not accessible there is no way to verify the validity of the attestation. RPs have the right/obligation to perform such a check. If this requirement cannot be met the regulation is not fulfilled.

"Status lists, like standard CRLs for certificates, can (and will) be cached by Relying Parties." This is an unrealistic assumption and nowhere stated. Wallets are foreseen to be used cross-border. No one can expect RPs to download status list(s) of multiple countries. Furthermore, private persons will be RPs as well in P2P transactions. They definitely will not store 27+ Status Lists in their smartphones.

It should just be realized that Status Lists were not intended for the purposes which they should serve now.

ivanek666 commented 2 days ago

A status list could be provided by any Attestation Issuer, thus it could be Attestation Provider = separate status list; it's not stated otherwise in the ARF.