OpenID for European Digital Identity: An architectural analysis of user-centric identity management
This work critiques a major EU-wide digital identity initiative, highlighting technical and legislative flaws that could undermine user-centric goals, making it relevant for policymakers and identity management researchers.
The paper analyzes the OpenID architecture for European Digital Identity, finding that its current design and legislation fail to surpass existing solutions and cannot achieve self-sovereign identity, with issues like institutionalized trusted lists posing risks of a recentralized ecosystem.
Recent European efforts around digital identity -- the EUDI regulation and its OpenID architecture -- aim high to provide an EU-wide authentication framework. However, its current technical and legislative architecture is based on a limited conceptualization of identity. None of the legal and technical texts involved explicitly defines this central term, and their implicit model of the concept does not go beyond a digitalization of identity cards and similar documents. Based on several other standards, we therefore propose a deeper, explicit definition. Grounded in this definition, we identify several issues in the design of OpenID4VCI and OpenID4VP, and show that neither the functional requirements nor the non-functional advantages claimed by OpenID's new trust model surpass equivalent existing solutions. Also, the EUDI legislation itself cannot accommodate its promise of self-sovereign identity. In particular, we criticize the introduction of institutionalized trusted lists, and discuss their economic and political risks. Their potential to decline into an exclusory, recentralized ecosystem endangers the vision of a user-oriented identity management in which individuals are in charge. In anticipation of revisions to the EUDI regulations, we suggest several technical alternatives for the OpenID architecture, as well as paths for future research, addressing a heterogeneity of attestations and providers.