Skip to content

ACN's security and architecture scomposition and harmonization for certification purposes#1025

Open
peppelinux wants to merge 33 commits into
versione-correntefrom
scomposition_acn
Open

ACN's security and architecture scomposition and harmonization for certification purposes#1025
peppelinux wants to merge 33 commits into
versione-correntefrom
scomposition_acn

Conversation

@peppelinux

Copy link
Copy Markdown
Member

This pull request resolves #894, #895 and #896.

It introduces a comprehensive annex describing the certification scheme and component decomposition for the IT-Wallet system, clarifies certification scope and terminology, and aligns technical documentation with regulatory requirements (notably CIR 2024/2981). It also updates definitions and acronyms to support these changes, and makes minor clarifications in related sections.

Certification Scheme and Component Decomposition:

  • Added a new annex (annex-certification-scheme.rst) that details the certification scheme, including regulatory background, decomposition hierarchy, in-scope and out-of-scope components, and cross-references to technical specifications. This annex clarifies which system components require certification and under what circumstances, in line with CIR 2024/2981. [1] [2]
  • Updated architecture overview and credential issuer documentation to reference the new certification scheme, explicitly listing components in and out of scope for certification, and mapping technical components to certification macro-components. [1] [2]

Terminology and Definitions:

  • Expanded the definitions in defined-terms.rst to include new terms such as "Certification Scope," "Certification Macro-component," "Identity Proofing," "NPID," "WL2," "WL3," and others, ensuring clear understanding of certification-related concepts. [1] [2] [3] [4] [5]
  • Added and updated acronyms for new and existing components (e.g., ICT, NPID, PPBE, WL2, WL3, WPBE, WWI) to support the expanded terminology. [1] [2] [3]

Regulatory References:

  • Added new regulatory hyperlinks (e.g., CIR 2024/2981, Regulation (EU) 2016/679) to the common definitions file for consistent referencing throughout the documentation.

Security and Certification Requirements:

  • Clarified and enforced requirements for WSCD security levels (WL2 and WL3) in the credential issuance flow and credential issuer requirements, specifying which security level is needed for each credential type (PID, NPID, (Q)EAA). [1] [2] [3]

Minor Documentation Improvements:

  • Made minor wording clarifications in the architecture overview and credential issuance flow for consistency and clarity. [1] [2]

These changes collectively improve the clarity and completeness of the IT-Wallet system's certification documentation and ensure alignment with current regulatory requirements.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR updates the IT-Wallet technical documentation to align with ACN/ENISA-style certification decomposition and CIR 2024/2981, introducing a dedicated certification annex and propagating certification scope / component mapping across architecture and requirements sections.

Changes:

  • Added a new certification annex (EN/IT) describing the certification scheme, in-scope/out-of-scope components, and cross-references.
  • Reworked Wallet Solution requirements (EN/IT) into decomposition-aligned requirement tables and added WSCD WL2/WL3 security-level constraints across lifecycle/issuance/issuer sections.
  • Updated common references/glossary/acronyms and improved CI pip caching configuration.

Reviewed changes

Copilot reviewed 37 out of 37 changed files in this pull request and generated 8 comments.

Show a summary per file
File Description
preview_build/requirements.txt Removed legacy local preview build dependency list.
preview_build/preview_configuration.py Removed legacy Sphinx preview configuration.
preview_build/build.sh Removed legacy local preview build script.
docs/common/common_definitions.rst Added shared hyperlinks for CIR 2024/2981 and GDPR (Reg. 2016/679).
docs/it/appendix.rst Included the new certification annex in the IT appendix.
docs/it/annex-certification-scheme.rst Added IT annex describing certification scheme and decomposition approach.
docs/it/credential-issuer-solution.rst Added certification decomposition mapping for PID Provider (PPBE) and WSCD level checks.
docs/it/credential-issuance-high-level.rst Added explicit WL3 requirement check for PID issuance.
docs/it/defined-terms.rst Extended terms/acronyms to support certification decomposition terminology.
docs/it/how-to-read-spec.rst Updated references to use the new test-plans anchors.
docs/it/normative-ref.rst Added CIR 2024/2981 to normative references.
docs/it/test-plans.rst Added test-plans anchor and minor wording update.
docs/it/test-plans-wallet-provider.rst Added test-plans-wallet-provider anchor.
docs/it/wallet-attestation-issuance.rst Added WSCD WL2/WL3 classification step during WAA/WUA issuance flow.
docs/it/wallet-instance-lifecycle.rst Added WSCD WL2/WL3 classification requirement during activation.
docs/it/wallet-solution-components.rst Added decomposition+certification scope mapping section and expanded Secure Storage description.
docs/it/wallet-solution-requirements.rst Converted requirements into decomposition/scoping tables and added WSCD security-level section.
docs/it/wallet-solution.rst Added Wallet Solution certification decomposition overview and references.
docs/en/appendix.rst Included the new certification annex in the EN appendix.
docs/en/annex-certification-scheme.rst Added EN annex describing certification scheme and decomposition approach.
docs/en/architecture-overview.rst Added certification/conformity assessment as an explicit core interaction process.
docs/en/credential-issuer-solution.rst Added certification decomposition mapping for PID Provider (PPBE) and WSCD level checks.
docs/en/credential-issuance-high-level.rst Added explicit WL3 requirement check for PID issuance.
docs/en/defined-terms.rst Added certification/decomposition terms plus WL2/WL3 and NPID definitions/acronyms.
docs/en/how-to-read-spec.rst Updated references to use the new test-plans anchors.
docs/en/normative-ref.rst Added CIR 2024/2981 to normative references.
docs/en/test-plans.rst Added test-plans anchor and minor wording update.
docs/en/test-plans-wallet-provider.rst Added test-plans-wallet-provider anchor.
docs/en/wallet-attestation-issuance.rst Added WSCD WL2/WL3 classification step during WAA/WUA issuance flow.
docs/en/wallet-instance-lifecycle.rst Added WSCD WL2/WL3 classification requirement during activation.
docs/en/wallet-solution-components.rst Added decomposition+certification scope mapping section and expanded Secure Storage description.
docs/en/wallet-solution-requirements.rst Converted requirements into decomposition/scoping tables and added WSCD security-level section.
docs/en/wallet-solution.rst Added Wallet Solution certification decomposition overview and references.
.github/workflows/ci-html.yml Improved pip cache keying by setting cache-dependency-path to requirements-dev.txt.
.github/workflows/build-pdf.yml Improved pip cache keying by setting cache-dependency-path to requirements-dev.txt.
.github/workflows/build-html.yml Improved pip cache keying by setting cache-dependency-path to requirements-dev.txt.
.github/workflows/build-html-manual.yml Improved pip cache keying by setting cache-dependency-path to requirements-dev.txt.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread docs/en/wallet-solution-requirements.rst
Comment thread docs/en/defined-terms.rst Outdated
Comment thread docs/en/annex-certification-scheme.rst Outdated
Comment thread docs/it/wallet-instance-lifecycle.rst Outdated
Comment thread docs/it/wallet-attestation-issuance.rst Outdated
Comment thread docs/en/architecture-overview.rst Outdated
Comment thread docs/en/wallet-solution-requirements.rst Outdated
Comment thread docs/en/wallet-solution-requirements.rst Outdated

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 37 out of 37 changed files in this pull request and generated 4 comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread docs/it/credential-issuer-solution.rst Outdated
- The Wallet Unit Attestation MUST NOT be issued by the Wallet Provider if the WSCD trustworthiness is not guaranteed. In this case, the Wallet Instance MUST be revoked.
- WPBE, WI
* - WUA-011
- An Attestation Provider issuing non-device-bound attestations SHALL indicate in its Credential Issuer metadata that it does not need a WUA. A Wallet Unit SHALL NOT send a WUA to an Attestation Provider when requesting a non-device-bound attestation. Note: A Wallet Unit sends a WIA to the Attestation Provider regardless of whether the attestations it issues are device-bound or not.

Copilot AI Feb 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The acronym "WIA" is used in the note but is not defined in the glossary or acronyms section. Based on context, this might be intended to refer to "WAA" (Wallet App Attestation), or it could be a shorthand for "Wallet Instance Attestation". Please verify that this acronym is correct and consider adding it to the defined terms if it's intentional, or correct it to "WAA" if it's a typo.

Suggested change
- An Attestation Provider issuing non-device-bound attestations SHALL indicate in its Credential Issuer metadata that it does not need a WUA. A Wallet Unit SHALL NOT send a WUA to an Attestation Provider when requesting a non-device-bound attestation. Note: A Wallet Unit sends a WIA to the Attestation Provider regardless of whether the attestations it issues are device-bound or not.
- An Attestation Provider issuing non-device-bound attestations SHALL indicate in its Credential Issuer metadata that it does not need a WUA. A Wallet Unit SHALL NOT send a WUA to an Attestation Provider when requesting a non-device-bound attestation. Note: A Wallet Unit sends a WAA to the Attestation Provider regardless of whether the attestations it issues are device-bound or not.

Copilot uses AI. Check for mistakes.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WAA doesn not exist anymore, #1031 aligns the specification according to this evidence.

- La Wallet Unit Attestation NON DEVE essere emessa dal Wallet Provider se l'affidabilità del WSCD non è garantita. In tal caso, l'istanza del Wallet DEVE essere revocata.
- WPBE, WI
* - WUA-011
- Un Attestation Provider che emette attestazioni non vincolate al dispositivo DEVE indicare nei propri metadati del Credential Issuer che non richiede una WUA. Una Wallet Unit NON DEVE inviare una WUA a un Attestation Provider quando richiede un'attestazione non vincolata al dispositivo. Nota: Una Wallet Unit invia una WIA all'Attestation Provider indipendentemente dal fatto che le attestazioni emesse siano vincolate o meno al dispositivo.

Copilot AI Feb 16, 2026

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

L'acronimo "WIA" è utilizzato nella nota ma non è definito nel glossario o nella sezione acronimi. In base al contesto, potrebbe essere inteso come riferimento a "WAA" (Wallet App Attestation), oppure potrebbe essere un'abbreviazione per "Wallet Instance Attestation". Si prega di verificare che questo acronimo sia corretto e di considerare di aggiungerlo ai termini definiti se è intenzionale, o di correggerlo in "WAA" se si tratta di un errore di battitura.

Copilot uses AI. Check for mistakes.

@peppelinux peppelinux Feb 17, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

WAA does not exist anymore, the alignment with WIA is provided at #1031

Comment thread docs/en/architecture-overview.rst
peppelinux and others added 2 commits February 17, 2026 10:17
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Comment thread docs/en/annex-certification-scheme.rst Outdated
Co-authored-by: Lia <139998796+RosaliaGaleano@users.noreply.github.com>
@peppelinux

Copy link
Copy Markdown
Member Author

During the meeting of 18 feb 2025, we agreed that this PR is about LTS and to be included in the LTS it must remove the NPID, since only this represent a breaking change.

@giadas giadas requested review from Sh-Amir and ZAnsaroudi and removed request for giadas February 26, 2026 13:21

@fmarino-ipzs fmarino-ipzs left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should clarify whether the national eID schemes will be under the proposed decomposition before merging this PR.

- :ref:`trust-infrastructure:The Infrastructure of Trust`
* - **Regime di identificazione elettronica** (eID Scheme)
- Cross-cutting (Wallet Provider and PID Provider)
- National eID schemes (CIEid, SPID); :ref:`credential-issuance-l2plus:eID Substantial Authentication with MRTD Verification for PID Issuance`

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

See my comment in #1051 (comment)

Comment on lines +121 to +123
* - eID Scheme
- National eID schemes; :ref:`credential-issuance:Digital Credential Issuance`
- Regime di identificazione elettronica

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm not sure. eID schemes are notified according to the eIDAS Regulation, and they don't require further certification. Instead, the "new" eID scheme based on Wallet+PID is in scope.

Further ACN review on scomposition and updates
The Wallet Solution architecture is described according to the certification macro-component **Servizi ICT Wallet** (owner: Wallet Provider). It comprises the following components and sub-components, all of which fall within certification scope:

- **Wallet Instance (WI)**:
- Application Logic: User Interface, Issuer Component, Presentation Component, Wallet Instance Lifecycle Management

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Dashboard and Log Management is missing probabaly


- **Wallet Instance (WI)**:
- Application Logic: User Interface, Issuer Component, Presentation Component, Wallet Instance Lifecycle Management
- Local Data management: Local Data Store, Backup and Restore Component, Secure Storage interaction

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What about "Dashboard and Transaction Log Component"?

Comment thread docs/en/wallet-solution.rst Outdated
Comment thread docs/en/wallet-solution.rst Outdated
Comment thread docs/en/wallet-solution.rst Outdated
Comment thread docs/en/wallet-solution-components.rst Outdated
Comment thread docs/en/wallet-solution-components.rst Outdated
Comment thread docs/en/wallet-instance-lifecycle.rst Outdated
Comment thread docs/en/defined-terms.rst Outdated
Comment thread docs/en/credential-issuance-high-level.rst Outdated
Comment thread docs/en/annex-certification-scheme.rst Outdated

@Sh-Amir Sh-Amir left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added some comments for the parts that may need some clarification and the rest looks good to me.

@ghost

ghost commented Mar 4, 2026

Copy link
Copy Markdown

This change may be better introduced in the next version rather than the current one

Co-authored-by: ZAnsaroudi <ZEBADIANSAROUDI@FBK.EU>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 38 out of 38 changed files in this pull request and generated no new comments.


💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

@giadas giadas added this to the 1.4.2 milestone May 12, 2026
@peppelinux peppelinux modified the milestones: 1.4.2, 1.5.0 Jun 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Architecture Harmonization according to National Cybersecurity Agency's Decomposition Scheme

8 participants