Wallet Attestation


A cryptographic mechanism that allows a relying party to verify that a wallet application is genuine, certified, and running in a secure environment before accepting credentials from it.

Wallet Attestation is a security mechanism defined in the Architecture Reference Framework that enables relying parties and issuers to verify the authenticity and integrity of a European Digital Identity Wallet instance before engaging in credential exchange. When a wallet presents credentials to a relying party, the relying party needs assurance not only that the credentials themselves are valid, but that the wallet software presenting them is genuine, has not been tampered with, and runs on a device with appropriate security protections. The wallet attestation achieves this by providing a cryptographic proof, issued by the wallet provider (typically the Member State or its delegate), that the specific wallet instance has been certified and meets the security requirements set out in the regulation and implementing acts.

The attestation is bound to the wallet's cryptographic keys and to the device's secure element or trusted execution environment, creating a chain of trust from the device hardware through the wallet software to the credentials it holds. Wallet attestation addresses several important security concerns: it prevents the use of cloned or modified wallet applications that might leak user data, it ensures that credentials are only stored and presented by certified software, and it provides a revocation mechanism if a wallet version is found to have a security vulnerability. For relying parties, verifying the wallet attestation is a recommended (and in some cases required) step in the credential verification flow.

For organisations implementing relying party systems, this means integrating wallet attestation verification into their technical stack, which involves checking the attestation signature against the wallet provider's published keys and verifying the attestation's validity and revocation status.
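The relying-party checks described above (signature against the wallet provider's published keys, validity, revocation status), as an added example that is not code from the Architecture Reference Framework or any wallet provider. The payload layout, the Ed25519 signature scheme, and the names `Claims`, `Attestation`, `Issue` and `Verify` are assumptions made for illustration; the key pair and identifiers are constructed sample data.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
	"time"
)

// Claims is a constructed, simplified payload (assumption, not the ARF format).
type Claims struct {
	ID      string `json:"id"`  // looked up in the revocation list
	KeyID   string `json:"kid"` // selects the wallet provider key
	Expires int64  `json:"exp"` // Unix seconds
}

type Attestation struct{ Payload, Signature []byte }

// Issue stands in for the wallet provider signing an attestation.
func Issue(priv ed25519.PrivateKey, c Claims) Attestation {
	p, _ := json.Marshal(c)
	return Attestation{p, ed25519.Sign(priv, p)}
}

// Verify checks signature, then validity period, then revocation status.
func Verify(a Attestation, keys map[string]ed25519.PublicKey, revoked map[string]bool, now time.Time) (*Claims, error) {
	var c Claims // parsed early only to pick the key; trusted after the signature check
	if err := json.Unmarshal(a.Payload, &c); err != nil {
		return nil, fmt.Errorf("malformed payload: %w", err)
	}
	key, ok := keys[c.KeyID]
	if !ok || !ed25519.Verify(key, a.Payload, a.Signature) {
		return nil, fmt.Errorf("signature not from a published provider key")
	}
	if now.Unix() >= c.Expires {
		return nil, fmt.Errorf("attestation expired")
	}
	if revoked[c.ID] {
		return nil, fmt.Errorf("attestation revoked")
	}
	return &c, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed provider key pair
	keys := map[string]ed25519.PublicKey{"provider-2025": pub}
	a := Issue(priv, Claims{"wa-001", "provider-2025", time.Now().Add(time.Hour).Unix()})
	fmt.Println(Verify(a, keys, map[string]bool{"wa-001": true}, time.Now()))
}
```

The signature is checked before the expiry and revocation fields are acted on, so an unsigned or re-signed payload cannot influence those decisions.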
