Glossary Definitions¶

Wallet User: Person who controls a Wallet Unit.
Wallet Provider: Natural or legal person that provides Wallet Solutions.
PID Provider: Entity issuing and revoking Person Identification Data (PID) and binding it to a Wallet Unit.
Attestation Provider: Collective term for QEAA, PuB-EAA, or EAA providers.
(Wallet-) Relying Party: Natural or legal person intending to rely on Wallet Units for digital interactions.
Access Certificate Authority: Provider mandated by a Member State to issue wallet-relying party access certificates.
Holder: Natural person or legal representative controlling the Wallet and authorising credential issuance or presentation.
Verifier: Entity requesting verifiable presentations, validating the response, and making an authorisation or business decision based on the outcome.
Credential Issuer: Entity that decides to issue Verifiable Credentials and operates, or is associated with, the issuance service.
Authorisation Server: OAuth 2.0 / OpenID component responsible for authenticating the Holder and issuing tokens authorising access to protected endpoints.
Verifier Backend: Server-side component that creates presentation requests, receives presentation responses, validates them, and returns the result to the relying application.
Relying Application: User-facing application, service, or workflow in which credential verification is performed.
Holder (W2W): User presenting attributes from their Wallet Unit to another Wallet Unit.
Verifier (W2W): User requesting attributes from another Wallet Unit.
Wallet Solution: Combination of software, hardware, services, settings, and configurations, including Wallet Instances, WSCA(s), and WSCD(s).
EUDI Wallet: European Digital Identity Wallet used in APTITUDE pilots.
Wallet Unit: Unique configuration of a Wallet Solution provided to a Wallet User.
Wallet Instance: Application installed and configured on a User's device/environment to interact with the Wallet Unit.
Wallet Secure Cryptographic Application (WSCA): Application managing critical assets using the functions of a WSCD.
Wallet Secure Cryptographic Device (WSCD): Tamper-resistant device providing the secure environment and crypto functions used by a WSCA.
Wallet Unit Attestation (WUA): Data object describing Wallet Unit components or enabling their authentication/validation.
Wallet Instance Attestation (WIA): Client attestation material presented by a Wallet Instance at the PAR and Token endpoints to authenticate the Wallet during issuance flows.
Keystore: Hardware-backed repository for generating, storing, and using non-critical cryptographic assets.
Qualified Trust Service Provider (QTSP): A qualified trust services provider authorised, among other things, to issue QEAA under eIDAS/eIDAS2.
Person Identification Data (PID): Data set that enables the establishment of a person's identity.
Electronic Attestation of Attributes (EAA): Electronic attestation that allows attributes to be authenticated.
Qualified Electronic Attestation of Attributes (QEAA): EAA issued by a Qualified Trust Service Provider in line with Annex V.
Public Electronic Attestation of Attributes (PuB-EAA): An attestation issued by a public sector body responsible for an authentic source of data (outside the qualified trust service regime).
Attestation: Collective term for QEAA, PuB-EAA, or non-qualified EAA.
Attestation type: Identifier for a type of attestation, unique within the EUDI Wallet ecosystem.
Namespace: Specification of attribute identifiers, syntax, and semantics for an attestation.
Attestation Rulebook: Document describing attestation type, namespaces, and related features.
Wallet-relying party access certificate: Certificate authenticating and validating a (wallet-) relying party.
Wallet-relying party registration certificate: Data object indicating the attributes a Relying Party has registered to request.
Administrative validity period: Dates during which attributes in an attestation remain valid as represented inside it.
Technical validity period: Metadata dates/times during which the attestation is valid; typically shorter than the administrative period.
Attestation Revocation List: List-based mechanism for communicating revoked PIDs or attestations.
Attestation Status List: Mechanism publishing status (valid/invalid) for relevant PIDs or attestations.
Pseudonym: Data uniquely representing a User without revealing their attributes by itself.
Selective Disclosure: Capability for a User to present only a subset of attributes from a PID or attestation.
EU-mVRC (European Union mobile Vehicle Registration Certificate): The mobile (digital) vehicle registration certificate as an attestation in the EUDI Wallet; a profile of mVC under ISO/IEC 7367‑2.
mVC (mobile Vehicle Certificate: The family of mobile vehicle certificates defined in ISO/IEC 7367‑2, on which the EU‑mVRC is profiled.
mTR (mobile Technical Report): A mobile roadworthiness/inspection report (companion to mVRC/mDL) per ISO/IEC 7367‑3.
mDL (mobile Driving Licence): The mobile driving licence per ISO/IEC 18013‑5/-7; used alongside mVRC and mTR in the EUDI Wallet.
MSO (Mobile Security Object): A security object carrying metadata and the issuer’s signature over data elements in mdoc/mDL/mVRC.
mdoc: The generic model and protocols for mobile documents per ISO/IEC 23220‑4.
Proximity flow: Short‑range presentation protocol (NFC/BLE/Wi‑Fi Aware) per ISO/IEC 18013‑5/‑7.
Remote flow: Remote presentation protocol (same‑device or cross‑device).
Trust anchor: The root of trust (certificates/chain) required to verify an attestation’s signature.
IACA: The issuing authority/CA used in the mDL/mVRC trust infrastructure under ISO (may be shared with mDL or set up separately).
CBOR (Concise Binary Object Representation): The binary serialisation format used for mdoc transfers.
CDDL (Concise Data Definition Language): The language to define CBOR structures (e.g., tstr, uint, bstr, tdate).
eCoC (electronic Certificate of Conformity): Manufacturer’s electronic certificate; selected entries are mapped into EU‑mVRC.
SD‑JWT VC (Selective Disclosure Java Web Token Verifiable Credential): A verifiable credential format based on Selective Disclosure JWT; one of the formats supported in EUDI for some attestations.
W3C VCDM v2.0 (W3C Verifiable Credentials Data Model v2.0): A family of specifications for VC data models.
OID4VCI (OpenID for Verifiable Credentials Issuance): OID4VCI is an open standard that defines a secure API for issuing Verifiable Credentials (VCs) to a user's digital wallet.
OID4VP (OpenID for Verifiable Presentation): OID4VP is a standard that defines how a user presents Verifiable Credentials from their wallet to a verifier.
HAIP (High Assurance Interoperability Profile): OpenID4VC profile aimed at higher assurance interoperability.
IANA JWT Claims (Internet Assigned Numbers Authority JSON Web Token Claims): IANA registry of standard JWT claim names.
Credential Offer: Data structure created by a Credential Issuer to initiate issuer-initiated issuance, containing grant information and credential configuration references.
Proof-of-possession: Cryptographic proof demonstrating control of a private key, produced by signing a server-issued challenge; used to bind credentials and tokens to a Wallet key.
Key binding: Cryptographic binding of a credential to a specific key pair held by the Wallet, ensuring only the key holder can present that credential.
Device binding: Association of a credential or session with a specific device, establishing that the credential can only be used from the bound device.
Nonce: A single-use, unpredictable value issued by a server to prevent replay attacks; Wallets must include it verbatim in proofs or responses.
PKCE: Proof Key for Code Exchange (RFC 7636). An extension to the OAuth 2.0 authorization code flow that prevents authorization-code interception attacks using a code verifier and code challenge.
DPoP: Demonstrating Proof of Possession (RFC 9449). A mechanism that binds access tokens and refresh tokens to a client key pair, preventing token replay by third parties.
Request Object: A JWT carrying OAuth 2.0 authorization request parameters as defined in RFC 9101, which may be passed by value or by reference (JAR); used in OID4VP to convey the Verifier's presentation request.
Presentation Request: A request from a Verifier, conveyed in a Request Object, that specifies which credentials or attributes the Wallet must present, typically using a Presentation Definition (DIF PE).