Orchestrating an ecosystem

By ANIL JOHN

Miss the (identity ecosystem) forest for the (digital wallet) trees

The European Commission is orchestrating a fundamental change across the EU to both the public and private sector in how digital identity interactions will happen in the future. This has global implications.

However, it tends to be easy to miss the forest for the trees if we are blinded by the globally visible bright-n-shiny object that is the European Union Digital Identity (EUDI) wallet. So, let us pause and zoom out to see the mutually supporting set of initiatives that the European Commission (EC) is working on.

I see this orchestration happening via three related and mutually reinforcing activities:

  1. Enabling user-controlled digital identity via the EUDI personal wallet
  2. Seeding the private sector ecosystem via the EC Next Generation Internet (NGI) initiative’s eSSIF-Lab
  3. Building public sector technical infrastructure via the EC European Blockchain Services Infrastructure (EBSI) initiative

The EU Ecosystem

1. Enabling user-controlled digital identity via the EUDI personal wallet

Let us get past the obvious first: on 2 December 2022, the European Commission awarded a 26 M€ contract to “Netcompany – Intrasoft S.A” and “Scytáles AB” to develop a prototype (reference implementation) wallet, update this prototype in two subsequent releases, develop ancillary software for its ecosystem, and provide implementation support to Member States between Q4/2022 and 2023.

It is important to note that this is not a fire-and-forget deal where the vendors get to implement whatever they want. An eIDAS expert group is actively developing and refining an Architecture Reference Framework (ARF) which will be the reference implementation for the digital wallet. The intention is to test that reference implementation in Large Scale Pilots (LSP) to get practical implementation feedback on both the ARF and the actual wallet implementation, while using that feedback cycle to further update and refine the ARF.

The early and draft public releases of the ARF speak to a variety of use cases that the wallet needs to support, but do not go into the specific standards and associated credential formats that the wallet will need to support.

Given that the wallet prototype contract supports at least two subsequent releases of the wallet, the EC is baking in at least two update-deploy-learn cycles that can support a variety of standards, APIs and other needed capabilities into the development of the reference digital wallet, which can then be used as an exemplar by EU Member States in the development of their digital wallets.

I consider this iterative refinement cycle thoughtful, and a creative use of contracting in the face of ongoing change and uncertainty.

2. Seeding the private sector ecosystem via the EC NGI initiative’s eSSIF-Lab

This is where it starts to get so much more interesting! Any such massive change requires that the competency and technology to support it exist in the private sector. And if the desire is to ensure that the efforts are not captured and channeled to serve the interests of large platform and technology vendors, and that the ecosystem be strong, vibrant, competitive and self-sustaining for the long term, there needs to be a clear focus on standards-based interoperability.

So, the EC has invested over the last number of years in ensuring the existence of such an ecosystem via the use of cascade funding from the Commission’s Next Generation Internet (NGI) initiative to enable the European Self-Sovereign Identity Framework Lab (eSSIF-Lab) Consortium.

The eSSIF-Lab Consortium is composed of TNO - an independent non-profit research and technology organization that acted as the expert technical coordinator, FundingBox - a cascade funding expert, BLUMORPHO - a business accelerator, and GRNET - a cloud computing and IT infrastructure service provider.

The make-up of the Consortium provides insight into the EC/NGI thinking that simply throwing funding to private sector companies and encouraging a variety of pilots is not a path to enabling a vibrant identity ecosystem. Instead, you need to provide holistic support composed of technical expertise, funding, business training and IT infrastructure to enable such a vibrant ecosystem that is self-sustaining.

eSSIF-Lab, from its beginning, has championed standards-based global interoperability based on the W3C Verifiable Credentials Data Model and W3C Decentralized Identifiers, which are openly developed, global standards. These standards have significant mind-share from both the security and privacy communities and support, out-of-the-box, the user-controlled personal digital wallet that moves the locus of control for identity to the individual, where it rightly belongs.

All in all, NGI have delivered success for the EC by enabling the vibrant ecosystem of competency and service providers they needed and wanted!

3. Building public sector technical infrastructure via the EC EBSI initiative

One thing that becomes readily apparent when you have conversations with European government and private sector technologists is that they typically do not have the almost instinctive negative reaction to the term “Blockchain” that many of the US-based experts, technologists and companies have – and just to be clear, this is about Blockchain/DLT/DAG as IT infrastructure, and not about cryptocurrency and NFT related techno-utopianism.

I personally believe that this reflects the EU approach, supported by their regulation, to constraining and limiting the power and influence of big technology platforms and providers and the belief that the philosophical underpinnings of blockchain (decentralization, resilience) support that competitive ecosystem view – while continuing to have a healthy skepticism around particular technology implementations of blockchain.

This perspective looks to be part of the DNA of the European Blockchain Services Infrastructure (EBSI) Initiative which is a partnership of all EU Member States, Norway and Liechtenstein and the European Commission to build public sector infrastructure for the broader ecosystem.

If those who remain skeptical of blockchain-based techno-utopianism can put that on hold for a moment and look at what EBSI is actually doing, what you will see is a pan-European initiative that is building and operating a distributed, multi-nodal technical infrastructure that aligns with the distributed nature of EU Member States, and provides the EU a resilient and scalable content and metadata distribution network that supports openly developed global standards and APIs.

This is nowhere more clear than when looking at EBSI’s Verifiable Credentials Playbook, which utilizes W3C Decentralized Identifiers (DIDs) and W3C Verifiable Credentials (VCs) to enable public sector support for the private sector ecosystem that was seeded and brought forward via the EC NGI initiative’s eSSIF-Lab, and can in turn support the EUDI wallet initiative.

An aside: Just like no one calls IBM “International Business Machines” anymore, I predict that over time everyone will simply start calling this initiative “EBSI”, while not knowing or caring what the original letters stood for!

Global implications

Ecosystem building is hard, long-term work which requires vision and commitment. I’ve had a front row seat and in some cases been involved in similar efforts in past professional lives and know that failure is a result of a lack of imagination, lack of leadership or lack of political will. It is not a result of lack of technology or funding – however much those involved in such failures may attempt to re-write that history.

What is clear at this time is that the EC is absolutely NOT suffering from a lack of imagination, leadership or political will in this area and it is impressive to see all three in action!

Similar to how the EU’s General Data Protection Regulation (GDPR) and its associated technical implementations required the global community to react and adapt, this digital identity ecosystem initiative from the EU will have a similar, and even greater, global impact.

A critical difference that I see here is that in this case, the EU is basing what they are doing on openly developed global standards such as W3C Decentralized Identifiers (DIDs) and W3C Verifiable Credentials (VCs), which, if implemented thoughtfully with clear attention paid to multi-vendor, multi-platform interoperability, cannot be gatekeeper’d by entrenched platforms and technology players.

This also provides a clear opportunity for non-EU entities to engage with the confidence that the technical foundation for this effort is something that is openly developed, global in nature, and is not something that is owned by a jurisdiction or by some manner of vendor-driven foundation that does not have the public interest at its core.

I certainly have some ideas around how best to do so, but will save that for a future article. For now, I am looking forward to your feedback!


  • NGI eSSIF-Lab - The European Self-Sovereign Identity Framework Lab is funded by the European Commission’s Next Generation Internet initiative and aims at advancing the broad uptake of Self-Sovereign Identities (SSI) as a next generation, open and trusted digital identity solution for faster and safer electronic transactions via the Internet and in real life.

  • European Commission’s European Blockchain Services Infrastructure (EBSI) Initiative - The European Blockchain Services Infrastructure (EBSI) aims to leverage the power of blockchain for the public good. EBSI is a Partnership of all EU Member States, Norway and Liechtenstein and the European Commission, building a European Blockchain Services Infrastructure.

  • EBSI Verifiable Credentials Playbook - EBSI Verifiable Credentials Playbook provides all information for integrating and becoming compatible with all systems utilizing identity based on the EBSI framework. Building upon the W3C Decentralized Identifiers (DIDs), W3C Verifiable Credentials (VCs), W3C Verifiable Presentations (VPs), OpenID Connect for Verifiable Credentials, GDPR, eIDAS, and other EU Regulations, EBSI is creating a generic profile for the full life-cycle of self-sovereign identity (SSI).

  • EBSI Wallet Conformance Testing - Turn your wallet into an EBSI conformant wallet and become part of a pan-European wallet ecosystem.

  • Verifiable Credential Data Integrity 1.0 (W3C First Public Working Draft) - This specification describes mechanisms for ensuring the authenticity and integrity of Verifiable Credentials and similar types of constrained digital documents using cryptography, especially through the use of digital signatures and related mathematical proofs.

  • JSON Web Signature 2020 (W3C First Public Working Draft) - This specification describes a JSON Web Signature Suite created in 2020 for the Verifiable Credentials Data Integrity Proof specification. The Signature Suite utilizes Detached JWS signatures to provide support for a subset of the digital signature algorithms registered with IANA.

  • The BBS Signature Scheme (IETF Internet Draft @ CFRG) - BBS is a digital signature scheme categorized as a form of short group signature that supports several unique properties. Notably, the scheme supports signing multiple messages whilst producing a single output digital signature. Through this capability, the possessor of a signature is able to generate proofs that selectively disclose subsets of the originally signed set of messages, whilst preserving the verifiable authenticity and integrity of the messages. Furthermore, these proofs are said to be zero-knowledge in nature as they do not reveal the underlying signature; instead, what they reveal is a proof of knowledge of the undisclosed signature.

  • The Envelope Structured Data Format (IETF Internet Draft) - The envelope protocol specifies a structured format for hierarchical binary data focused on the ability to transmit it in a privacy focused way. Envelopes are designed to facilitate “smart documents” and have a number of unique features including: easy representation of a variety of semantic structures, a built-in Merkle-like digest tree, deterministic representation using CBOR, and the ability for the holder of a document to selectively encrypt or elide specific parts of a document without invalidating the document structure including the digest tree, or any cryptographic signatures that rely on it.
