OpenID for European Digital Identity: An architectural analysis of user-centric identity management
Wouter Termont (1), Beatriz Esteves (1) ((1) IDLab (Ghent University - imec))

TL;DR
This paper critically analyzes the European EUDI digital identity framework, highlighting its limitations in conceptualizing identity, and proposes technical alternatives to enhance user-centric, self-sovereign identity management within the OpenID architecture.
Contribution
It offers a deeper, explicit definition of digital identity, identifies issues in OpenID4VCI and OpenID4VP, and suggests technical improvements and future research directions for European digital identity systems.
Findings
OpenID's trust model does not surpass existing solutions.
EUDI legislation cannot fully support self-sovereign identity.
Institutionalized trusted lists pose economic and political risks.
Abstract
Recent European efforts around digital identity -- the EUDI regulation and its OpenID architecture -- aim high to provide an EU-wide authentication framework. However, its current technical and legislative architectures are based on a limited conceptualization of identity. None of the legal and technical texts involved explicitly define this central term; and their implicit model of the concept does not go beyond a digitalization of identity cards and similar documents. Based on several other standards, we therefore propose a deeper, explicit definition. Grounded in this definition, we identify several issues in the design of OpenID4VCI and OpenID4VP, and show that neither the functional requirements nor the non-functional advantages claimed by OpenID's new trust model surpass equivalent existing solutions. Also the EUDI legislation itself cannot accommodate its promise of…
Taxonomy
Topics: Access Control and Trust · Privacy, Security, and Data Protection · Digital Rights Management and Security
