forked from hesusruiz/did-method-elsi
-
Notifications
You must be signed in to change notification settings - Fork 2
/
index.html
745 lines (701 loc) · 58.7 KB
/
index.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8" />
<title>DID ETSI Legal person Semantic Identifier Method Specification (did:elsi)</title>
<meta name="viewport" content="width=device-width, initial-scale=1" />
<!-- Opengraph Facebook Meta Tags -->
<meta property="og:title" content="DID ETSI Legal person Semantic Identifier Method Specification (did:elsi)">
<meta property="og:type" content="website">
<meta property="og:description" content="A DID method for legal persons, maximising at the same time regulatory compliance, decentralisation and privacy for W3C Verifiable Credentials in the European Union.">
<meta property="og:site_name" content="DID:ELSI Method">
<meta property="og:url" content="https://alastria.github.io/did-method-elsi/">
<script src="https://www.w3.org/Tools/respec/respec-w3c" async="" class="remove"></script>
<script class="remove">
var respecConfig = {
latestVersion: "https://alastria.github.io/did-method-elsi/",
github: "https://github.com/alastria/did-method-elsi",
editors: [
{
company: "JesusRuiz",
companyURL: "https://hesusruiz.github.io/hesusruiz",
email: "hesusruiz@gmail.com",
name: "Jesus Ruiz",
},
],
authors: [
{
company: "JesusRuiz",
companyURL: "https://hesusruiz.github.io/hesusruiz",
email: "hesusruiz@gmail.com",
name: "Jesus Ruiz",
},
{
company: "DigitelTS",
companyURL: "https://digitelts.es/",
email: "alejandro.nieto@madisonmk.com",
name: "Alejandro Nieto",
},
{
company: "DigitelTS",
companyURL: "https://digitelts.es/",
email: "alejandro.alfonso@madisonmk.com",
name: "Alejandro Alfonso",
},
{
company: "IN2",
companyURL: "https://www.in2.es/",
email: "oriol.canades@in2.es",
name: "Oriol Canades",
},
{
company: "nicos AG",
companyURL: "https://www.nicos-ag.com/",
email: "jlangkau@nicos-ag.com",
name: "Jörg Langkau ",
},
{
name: "and DOME project participants",
},
],
localBiblio: {
"Actor-DataSpaces": {
date: "April 2023",
href: "https://dl.acm.org/doi/pdf/10.1145/3543873.3587645",
title: "Extending Actor Models in Data Spaces",
},
"Cryptographic Hyperlinks": {
date: "May 2021",
href: "https://w3c-ccg.github.io/hashlink/",
title: "Cryptographic Hyperlinks",
},
"DEP-DSS": {
date: "2019-10",
href: "https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/Qualified+electronic+signature+-+QES+validation+algorithm",
publisher: "European Commission",
title: "Algorithm for Validation of qualified and advanced signatures and seals",
},
"DID-DNS": {
href: "https://tools.ietf.org/html/draft-mayrhofer-did-dns-01",
publisher: "IETF",
status: "Internet Draft",
title: "The Decentralized Identifier (DID) in the DNS",
},
"DID-ELSI": {
date: "04 June 2023",
href: "https://alastria.github.io/did-method-elsi/",
title: "DID ETSI Legal person Semantic Identifier Method Specification (did:elsi)",
},
"DID-ONBOARDING": {
date: "04 June 2023",
href: "https://alastria.github.io/did-method-elsi/onboarding.html",
title: "Onboarding example with LEARCredential using did:elsi",
},
"DID-PRIMER": {
href: "https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust-fall2017/blob/master/topics-and-advance-readings/did-primer.md",
publisher: "Rebooting the Web of Trust 2017",
title: "DID Primer",
},
"DIF.PresentationExchange": {
href: "https://identity.foundation/presentation-exchange/spec/v2.0.0/",
title: "Presentation Exchange 2.0.0",
},
"ENISA-Qualified Electronic Seals": {
date: "June 2017",
href: "https://www.enisa.europa.eu/publications/security-guidelines-on-the-appropriate-use-of-qualified-electronic-seals",
title: "Security guidelines on the appropriate use of qualified electronic seals",
},
"ENISA-Qualified Electronic Signatures": {
date: "December 2016",
href: "https://www.enisa.europa.eu/publications/security-guidelines-on-the-appropriate-use-of-qualified-electronic-signatures",
title: "Security guidelines on the appropriate use of qualified electronic signatures",
},
"ETSI-CERTOVERVIEW": {
date: "2020-07",
href: "https://www.etsi.org/deliver/etsi_en/319400_319499/31941201/01.04.02_20/en_31941201v010402a.pdf",
publisher: "ETSI",
title: "ETSI EN 319 412-1 V1.4.2 (2020-07) - Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 1: Overview and common data structures",
},
"ETSI-LEGALPERSON": {
date: "2020-07",
href: "https://www.etsi.org/deliver/etsi_en/319400_319499/31941203/01.02.01_60/en_31941203v010201p.pdf",
publisher: "ETSI",
title: "ETSI EN 319 412-3 V1.2.1 (2020-07) - Electronic Signatures and Infrastructures (ESI); Certificate Profiles; Part 3: Certificate profile for certificates issued to legal persons",
},
"EU_Trusted_Lists": {
href: "https://digital-strategy.ec.europa.eu/en/policies/eu-trusted-lists",
title: "EU Trusted Lists",
},
"JAdES": {
date: "2021-03",
href: "https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf",
publisher: "ETSI",
title: "ETSI TS 119 182-1 V1.1.1 (2021-03) - Electronic Signatures and Infrastructures (ESI); JAdES digital signatures; Part 1: Building blocks and JAdES baseline signatures",
},
"NIST-AUTH": {
date: "October 2016",
href: "https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-178.pdf",
title: "NIST Special Publication 800-178: A Comparison of Attribute Based Access Control (ABAC) Standards for Data Service Applications",
},
"ODRL": {
date: "February 2018",
href: "https://www.w3.org/TR/odrl-model/",
title: "ODRL Information Model 2.2",
},
"OWASP-TRANSPORT": {
href: "https://www.owasp.org/index.php/Transport_Layer_Protection_Cheat_Sheet",
title: "Transport Layer Protection Cheatsheet",
},
"OpenID.Core": {
date: "8 November 2014",
href: "http://openid.net/specs/openid-connect-core-1_0.html",
title: "OpenID Connect Core 1.0 incorporating errata set 1",
},
"OpenID.SIOP2": {
date: "28 January 2022",
href: "https://openid.bitbucket.io/connect/openid-connect-self-issued-v2-1_0.html",
title: "Self-Issued OpenID Provider v2",
},
"OpenID.VCI": {
date: "3 February 2023",
href: "https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html",
title: "OpenID for Verifiable Credential Issuance",
},
"OpenID.VP": {
date: "21 April 2023",
href: "https://openid.net/specs/openid-4-verifiable-presentations-1_0.html",
title: "OpenID for Verifiable Presentations",
},
"RFC6749": {
href: "https://www.rfc-editor.org/rfc/rfc6749.html",
title: "The OAuth 2.0 Authorization Framework",
},
"RFC7515": {
href: "https://www.rfc-editor.org/rfc/rfc7515",
title: "JSON Web Signature (JWS)",
},
"RFC7519": {
href: "https://www.rfc-editor.org/rfc/rfc7519",
title: "JSON Web Token (JWT)",
},
"RFC8414": {
href: "https://www.rfc-editor.org/rfc/rfc8414",
title: "OAuth 2.0 Authorization Server Metadata",
},
"RFC8725": {
href: "https://www.rfc-editor.org/rfc/rfc8725",
title: "JSON Web Token Best Current Practices",
},
"STORK2.MandateReport": {
date: "2012",
href: "https://ec.europa.eu/digital-building-blocks/wikis/display/EIDCOMMUNITY/STORK+2.0+WP3+-+Legal+and+Trust+Analysis?preview=/84415420/84415378/STORK_2_0_D3_3_MandateAttribute_Management_Report_v_1_0.pdf",
title: "STORK 2.0: D.3.3 – Mandate/Attribute Management Report",
},
"eIDAS": {
href: "https://digital-strategy.ec.europa.eu/en/policies/discover-eidas",
title: "Discover eIDAS",
},
"eIDAS-SAML_V1.2": {
date: "August 2019",
href: "https://ec.europa.eu/digital-building-blocks/wikis/download/attachments/467109280/eIDAS%20SAML%20Attribute%20Profile%20v1.2%20Final.pdf",
title: "eIDAS SAML Attribute Profile. Version 1.2",
},
"eIDAS.Regulation": {
date: "23 July 2014",
href: "https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG",
title: "Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC",
},
"eIDAS2.Regulation": {
date: "March 2023",
href: "https://www.europarl.europa.eu/doceo/document/A-9-2023-0038_EN.html",
title: "REPORT on the proposal for a regulation of the European Parliament and of the Council amending Regulation (EU) No 910/2014 as regards establishing a framework for a European Digital Identity",
},
},
};
</script>
<link rel="stylesheet" href="./assets/templates/respec/additional.css">
</head>
<body>
<p class="copyright">
Copyright © 2023 the document editors/authors. Text is available under the <a rel="license" href="https://creativecommons.org/licenses/by/4.0/legalcode"> Creative Commons Attribution 4.0 International Public License</a>
</p>
<section id='abstract'>
<p>This is a DID method for <b>legal persons</b>, bridging the world of the eIDAS regulation with the world of W3C Verifiable Credentials, maximising at the same time regulatory compliance, decentralisation and privacy.
</p>
<p>The main use case of the <code>did:elsi</code> method is to enable usage of W3C Verifiable Credentials in processes that require high levels of <b>legal certainty, scalability, privacy and eIDAS compliance</b>. It is a good complement to <code>did:web</code> in ecosystems like Data Spaces with machine-to-machine interactions, but <code>did:elsi</code> can be used when some processes can not use <code>did:web</code> because they require high levels of legal certainty and compliance that can not be achieved with <code>did:web</code> (e.g., onboarding, contract signing processes, or in general when presumption of non-repudiation is required).
</p>
<p>The <code>did:elsi</code> method facilitates the use of <a href="https://www.etsi.org/deliver/etsi_ts/119100_119199/11918201/01.01.01_60/ts_11918201v010101p.pdf">JAdES digital signatures</a> with Verifiable Credentials, and so it can be used to meet the requirements of <b>electronic signatures, advanced electronic signatures, qualified electronic signatures, electronic seals, advanced electronic seals, and qualified electronic seals</b> as defined in Regulation (EU) No 910/2014 (eIDAS).
</p>
<table style='width:100%;'><tr><td class='xwarnt'><aside class='xwarna'>
<p><b>Natural persons MUST NOT</b> use this DID method, or for that matter, any DID method that registers anything related to personal information in any type of Verifiable Registry or shared data store.
</p>
<p>A good DID method for natural persons is <code>did:key</code> which is a perfect complement to <code>did:elsi</code> to build ecosystems that maximise privacy, regulatory compliance, safety, scalability, and decentralisation.
</p>
</aside></td></tr></table>
<p>This DID method is highly decentralised because any legal person than can operate in the digital economy and that can digitally sign a document using an advanced or qualified signature or seal according to eIDAS (like an invoice or a contract) has automatically a DID identifier under the <code>did:elsi</code> method without any further action and without any intervention by any third party. If the legal person can not engage in electronic transactions, it must perform whatever process is legally required in its jurisdiction to do so, before it can use this DID method. No third parties, apart from the ones legally required by its jurisdiction, are involved in this DID method.
</p>
<p>The identifiers in this DID method are based on the unique identifiers that are already used in the eIDAS certificates that comply to the relevant ETSI standards for electronic signatures and seals. This is in contrast to most other did methods, which "invent" or use identifiers and mechanisms that are not well integrated with the legal framework and which are not in general legally recognised in the EU for economic transactions (e.g., they can not be used as legal person identifiers in electronic invoices across the EU).
</p>
<p>With those other did methods, creating the supporting trust framework is complex and cumbersome and requires additional trusted third parties if a high level of legal certainty is required. <code>did:elsi</code> leverages the existing eIDAS trust framework, so nothing additional is required and credentials and transactions using them have the same status as any other types of documents using the eIDAS framework.
</p>
<p>With this approach, SSI ecosystems can use W3C Verifiable Credentials that have the same legal status as any other document which uses advanced or qualified electronic signatures and seals, and so can replace easily other documents in less efficient formats, like signed PDFs.
</p>
</section>
<section id='Introduction'><h2>Introduction</h2>
<section id='Preface'><h2>Preface</h2>
<p>The <code>elsi</code> DID method specification conforms to the requirements specified in the Decentralized Identifiers v1.0 Specification [[DID-CORE]]. For more information about DIDs and DID method specifications, please also see the [[?DID-PRIMER]]
</p>
</section>
<section id='conformance'>
<!-- href='-' This='' section='' is='' filled='' automatically='' by='' ReSpec.=''>
</!-->
</section>
<section id='Examples'><h2>Examples</h2>
<p>Some example DIDs are the following:
</p>
<ul>
<li>Gaia-X: <code>did:elsi:VATBE-0762747721</code>
</li>
<li>International Data Spaces Association: <code>did:elsi:VATDE-325984196</code>
</li>
<li>Alastria: <code>did:elsi:VATES-G87936159</code>
</li>
<li>IN2: <code>did:elsi:VATES-B60645900</code>
</li>
<li>Digitel TS: <code>did:elsi:VATES-B47447560</code>
</li>
<li>FIWARE Foundation: <code>did:elsi:VATDE-309937516</code>
</li>
<li>TNO: <code>did:elsi:LEIXG-724500AZSGBRY55MNS59</code>
</li>
</ul>
<p>The corresponding DID Documents are described later in this document.
</p>
</section>
</section>
<section id='The did:elsi format'><h2>The did:elsi format</h2>
<p>The format for the <code>did:elsi</code> method conforms to the [[DID-CORE]] specification and is simple. It consists of the <code>did:elsi</code> prefix, followed by the <code>organizationIdentifier</code> field which is used in the eIDAS certificates for legal persons as defined in [[ETSI-LEGALPERSON]].
</p>
<p>The ABNF for the key format is described below:
</p>
<table style="width:100%;"><tr><td class="codecolor">
<pre class='nohighlight precolor'>
<span style="color:#458;font-weight:bold">did-key-format</span> :<span style="color:#000;font-weight:bold">=</span> <span style="color:#458;font-weight:bold">did</span>:<span style="color:#458;font-weight:bold">elsi</span>:<<span style="color:#458;font-weight:bold">organizationIdentifier</span>>
</pre></td></tr></table>
<section id='About the <code>organizationIdentifier</code>'><h2>About the <code>organizationIdentifier</code></h2>
<p>The [[ETSI-LEGALPERSON]] standard states the following about the <code>organizationIdentifier</code> field in the digital certificates for legal persons:
</p>
<blockquote>
<p>The subject field shall include at least the following attributes as specified
in Recommendation ITU-T X.520:
</p>
<ul>
<li>countryName
</li>
<li>organizationName
</li>
<li><strong>organizationIdentifier</strong>
</li>
<li>commonName
</li>
</ul>
</blockquote>
<p>And regarding the <code>organizationIdentifier</code> attribute it says:
</p>
<blockquote>
<p>The <code>organizationIdentifier</code> attribute shall contain an
identification of the subject organization different from the organization
name. Certificates may include one or more semantics identifiers as
specified in clause 5 of ETSI EN 319 412-1.
</p>
</blockquote>
<p>And the document referenced, [[ETSI-CERTOVERVIEW]] states:
</p>
<blockquote>
<p>When the legal person semantics identifier is included, any present
organizationIdentifier attribute in the subject field shall contain
information using the following structure in the presented order:
</p>
<ul>
<li>3 character legal person identity type reference
</li>
<li>2 character ISO 3166 [2] country code
</li>
<li>hyphen-minus "-" (0x2D (ASCII), U+002D (UTF-8)) and
</li>
<li>identifier (according to country and identity type reference)
</li>
</ul>
<p>The three initial characters shall have one of the following defined values:
</p>
<ol>
<li><code>VAT</code> for identification based on a national value added tax identification number.
</li>
<li><code>NTR</code> for identification based on an identifier from a national trade register.
</li>
<li><code>PSD</code> for identification based on the national authorization number of a payment service provider under Payments Services Directive (EU) 2015/2366 [i.13]. This shall use the extended structure as defined in ETSI TS 119 495 [3], clause 5.2.1.
</li>
<li><code>LEI</code> for a global Legal Entity Identifier as specified in ISO 17442 [4]. The 2 character ISO 3166 [2] country code shall be set to 'XG'.
</li>
<li>Two characters according to local definition within the specified country and name registration authority, identifying a national scheme that is considered appropriate for national and European level, followed by the character ":" (colon).
</li>
</ol>
<p>Other initial character sequences are reserved for future amendments of the present document. In case "VAT" legal person identity type reference is used in combination with the "EU" transnational country code, the identifier value should comply with Council Directive 2006/112/EC [i.12], article 215.
</p>
</blockquote>
<p>That means that any eIDAS certificate issued by <a href="https://digital-strategy.ec.europa.eu/en/policies/eu-trusted-lists">TSPs</a> to legal persons compliant with the ETSI standards including an <code>organizationIdentifier</code> attribute can be used to derive a DID for a legal person from the ETSI standard identifier by applying the rule described above.
</p>
<p>Some examples of DIDs are:
</p>
<table style="width:100%;"><tr><td class="codecolor">
<pre class='nohighlight precolor'>
<span style="color:#008080">Gaia-X</span> <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">did:elsi:VATBE-0762747721</span>
<span style="color:#008080">International Data Spaces Association</span> <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">did:elsi:VATDE-325984196</span>
<span style="color:#008080">Alastria</span> <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">did:elsi:VATES-G87936159</span>
<span style="color:#008080">IN2</span> <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">did:elsi:VATES-B60645900</span>
<span style="color:#008080">Digitel TS</span> <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">did:elsi:VATES-B47447560</span>
<span style="color:#008080">FIWARE Foundation</span> <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">did:elsi:VATDE-309937516</span>
<span style="color:#008080">TNO</span> <span style="color:#000;font-weight:bold">=</span> <span style="color:#d14">did:elsi:LEIXG-724500AZSGBRY55MNS59</span>
</pre></td></tr></table>
</section>
<section id='Proving control of the DID'><h2>Proving control of the DID</h2>
<p>When sending and receiving Verifiable Credentials, a legal person may be required to prove that it controls a DID included in the Verifiable Credential.
</p>
<p>Proving the control of a <code>did:elsi</code>identifier can be done using the associated certificate: it is enough to include the certificate with a signature or seal, as it is required by the eIDAS regulation for advanced/qualified signatures and seals. By the way, this means that any existing eIDAS-compliant signature of any type of document (not only Verifiable Credentials) is already compliant with this DID method specification, just by making the corresponding translation.
</p>
</section>
</section>
<section id='DID method operations'><h2>DID method operations</h2>
<p>The following section describes the DID operations for the did:elsi method. This DID Method is purely derivative, based on the current eIDAS Trust Framework and so it does not require look ups in any additional registry.
</p>
<section id='Create'><h2>Create</h2>
<p>If a legal person can digitally sign or seal a document using an advanced or qualified certificate in the EU, then it already has a valid <code>did:elsi</code>identifier, using the <code>organizationIdentifier</code> in the certificate used to sign or seal. No further actions are required.
</p>
<p>If the legal entity can not perform those electronic signatures, then it does not make sense that it wants an ELSI DID, because it is not really transacting digitally and most probably is performing most processes manually and with paper. Before entering the world of digital transactions with Verifiable Credentials, the legal entity has to become digital at least until it can digitally sign legally-binding documents.
</p>
</section>
<section id='Read (Resolve)'><h2>Read (Resolve)</h2>
<p>This DID Method is purely derivative, based on the current Trust Framework of eIDAS and so it does not require look ups in any additional registry, and the DID document does not have to contain a <code>verificationMethod</code> property.
</p>
<p>Reading a <code>did:elsi</code> value consists on deterministically expanding the value to a minimalist DID Document, like the following:
</p>
<table style="width:100%;"><tr><td class="codecolor">
<pre class='nohighlight precolor'>
{
<span style="color:#000080">"@context"</span>: [
<span style="color:#d14">"https://www.w3.org/ns/did/v1"</span>
],
<span style="color:#000080">"id"</span>: <span style="color:#d14">"did:elsi:exampleOrganizationIdentifier"</span>,
}
</pre></td></tr></table>
<p>It may be surprising to see a DID document without a <code>proof</code> section, but in the case of this DID it is not required (even though implementations may choose to return DID documents including it).
</p>
<p>One of the common situations where DID resolution is required is in the verification of Verifiable Credentials. This DID method is intended to be used in W3C Verifiable Credentials which, when signed using JAdES digital signatures, can be used to meet the requirements of electronic signatures, advanced electronic signatures, qualified electronic signatures, electronic seals, advanced electronic seals, and qualified electronic seals as defined in Regulation (EU) No 910/2014 (eIDAS).
</p>
<p>Section <a href="#didresolution"></a> describes the verification of those credentials and why a <code>verificationMethod</code> property in the DID document is not required.
</p>
</section>
<section id='Update'><h2>Update</h2>
<p>This DID method does not support updates. Management of the DID lifecycle and associated information (e.g., cryptographic material) is performed according to the eIDAS regulation and its implementation.
</p>
</section>
<section id='Deactivate (Revoke)'><h2>Deactivate (Revoke)</h2>
<p>This DID method does not support deactivation. Management of the DID lifecycle and associated information (e.g., cryptographic material) is performed according to the eIDAS regulation and its implementation.
</p>
</section>
</section>
<section id='didresolution' class='informative'><h2>DID resolution and the verification of Verifiable Credentials</h2>
<p>The main use case for this DID method is to use <code>did:elsi</code> identifiers in W3C Verifiable Credentials signed using JAdES digital signatures [[JAdES]], which is a specification for JSON Web Electronic Signatures or Seals fulfilling the requirements of the European Union eIDAS Regulation for advanced electronic signatures and seals and regulatory requirements for many different services.
</p>
<section id='JSON Advanced Electronic Signatures (JAdES)'><h2>JSON Advanced Electronic Signatures (JAdES)</h2>
<p>The JAdES digital signature specification is based on JSON Web Signature and contains the features already defined in the related ETSI standards for AdES (advanced electronic signature/seal) applied to other data formats including XML, PDF and binary.
</p>
<p>[[JAdES]] can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, etc. applicable to any electronic communications. The technical features of the specification can therefore be applied to the use of PKI based digital signature technology and in both regulated and general commercial environments.
</p>
<p>Essentially, JAdES specifies a JSON [[RFC8259]] format for AdES signatures (JAdES signatures) built on JSON Web Signatures (JWS) as specified in [[RFC7515]]:
</p>
<ul>
<li>Extends the JSON Web Signatures specified in [[RFC7515]] by defining an additional set of JSON header parameters that can be incorporated in the JOSE Header.
</li>
<li>Specifies the mechanisms for incorporating the above JSON components in JSON Web Signatures to build JAdES signatures, offering the same features as CAdES and XAdES in JSON syntax, and therefore fulfilling the same requirements.
</li>
</ul>
</section>
<section id='Validation of the signature of Verifiable Credentials'><h2>Validation of the signature of Verifiable Credentials</h2>
<p>The process of validation of verifiable credentials or verifiable presentations is composed of different individual validations, depending on several factors like type of credential and use case requirements.
</p>
<p>One of those validations which is normally critical is the verification of signatures in the credential, for example the signature of the issuer. In the case of credentials signed with eIDAS certificates/seals using the JAdES format, the verification process can be based in the guidelines described in the implementation of the algorithm of the Digital Europe eSignature Building Block for the validation of qualified and advanced electronic signatures (e-signatures) and electronic seals (e-seals).
</p>
<p>The algorithm [[DEP-DSS]] focuses on determining 3 sub-conclusions:
</p>
<ol>
<li>Whether the certificate is qualified
</li>
<li>What is the type of this certificate
</li>
<li>Whether the corresponding private key is protected by a QSCD.
</li>
</ol>
<p>To achieve a high level of trust in the validation, this can be delegated to Qualified Trust Service Providers (QTSPs) that offer services specifically for this purpose.
</p>
<p>By using a QTSP, users can be confident that the validation service meets the requirements set out in eIDAS regulations, which in turn provides a higher level of legal certainty. This is because QTSPs are legally obligated to be listed in the national Trusted List, which is easily accessible to users via the Trusted List Browser.
</p>
<p>Alternatively, an electronic signature or seal can also be verified by implementing the Digital Signature Software (DSS) library, which is open-source and provided by the EU.
</p>
</section>
</section>
<section id='Security and privacy considerations' class='informative'><h2>Security and privacy considerations</h2>
<section id='Security considerations'><h2>Security considerations</h2>
<p>When using this DID method and signing Verifiable Credentials with eIDAS certificates/seals using the JAdES format, the credential is essentially a signed document with the same security profile as any other document with an advanced signature in the eIDAS framework.
</p>
<p>This security profile is very well understood and described in many places, for example in the <a href="https://ec.europa.eu/digital-building-blocks/wikis/display/DIGITAL/eSignature">eSignature building block of the Digital Europe Program</a>.
</p>
</section>
<section id='Privacy considerations'><h2>Privacy considerations</h2>
<p>This DID method is only for legal persons. Natural persons MUST not use it, due to privacy considerations.
</p>
<p>For legal persons, this DID method does not add any privacy consideration to the ones managed in the eIDAS framework.
</p>
<p>Actually, the EU regulatory environment requires that identities (and identifiers) of any legal person be completely public and subject to public scrutiny, whether from regulators, consumer organisations, industry watchdogs or any other interested party. Some examples:
</p>
<ul>
<li>Any of the 30 million businesses in the EU is required by law to register with the appropriate national or international body before being able to engage in any relevant activity. During the process, an identifier is assigned to the business. The registration process and the way to obtain the identifier varies depending on the industry regulation (e.g., banking, telco, health, ...) and other factors.
</li>
<li>The identities of businesses are public and anybody can access all related information from the relevant registries. Even if in some EU countries access is not free, it is public. Information includes many details about the business, including identifier, ownership and place of establishment.
</li>
<li>Businesses are required to include those identifiers in any relevant transaction, whether they are electronic or offline. When citizens buy any product or service, they have the right to obtain documentation about the purchase including the identifier of the company.
</li>
<li>Any relevant process in the real economy (agrifood, health, manufacturing, transportation, ...) imposes requirements on traceability of the supply chain, related among others with safety, health and consumer protection and the ability to react properly to emergencies. Information recorded and on custody by all businesses participating in the chain has to use the legally valid identifiers of each business.
</li>
</ul>
</section>
</section>
<section id='Example: <code>did:elsi</code> and onboarding with Verifiable Credentials' class='informative'><h2>Example: <code>did:elsi</code> and onboarding with Verifiable Credentials</h2>
<p>A common problem in ecosystems like Data Spaces is how organisations can onboard the ecosystem in a trusted and automated way, avoiding manual paperwork.
</p>
<p>To illustrate the usefulness of the <code>did:elsi</code> method, this section describes the relationship of the <code>did:elsi</code> method with a special type of Verifiable Credential that we call <b>LEARCredential</b> and which can be very useful to perform, among others, the onboarding process in ecosystems like Data Spaces with compliance to the eIDAS regulation.
</p>
<p>This section describes how the process of onboarding can be performed by an employee of an organisation, who has been appointed to do so by a legal representative of the organisation using eIDAS certificates and Verifiable Credentials.
</p>
<p>The appointed employee will perform the process by using a special type of Verifiable Credential called <code>LEARCredential</code> (from <b>L</b>egal <b>E</b>ntity <b>A</b>ppointed <b>R</b>epresentative).
</p>
<p>Any Verifier that trusts the eIDAS Trust Framework will be able to verify that:
</p>
<ul>
<li><b>The person presenting the LEARCredential is the same as the one identified in the credential</b>
</li>
<li><b>A legal representative of the organisation has attested that the person has the powers described in the credential</b>
</li>
</ul>
<p>This enables the person presenting the LEARCredential to start the onboarding process and also to provide any additional required documentation, preferably as additional Verifiable Credentials to enable automatic verification of compliance with the onboarding requirements (including Gaia-X credentials issued by the Compliance Service of Gaia-X).
</p>
<table style='width:100%;'><tr><td class='xnotet'><aside class='xnotea'><p class='xnotep'>NOTE: Detailed example of onboarding with the LEARCredential</p>
<p>To see a much more <code>detailed</code> description of the LEARCredential, its issuance process and its usage for authenticating in an onboarding portal, see <b>[[[DID-ONBOARDING]]]</b>.
</p>
</aside></td></tr></table>
<section id='A little bit about onboarding'><h2>A little bit about onboarding</h2>
<p>The word <i>onboarding</i> refers to a process which precedes entering into a business relationship with a new participant, which in our case has to be a legal person (because <code>did:elsi</code> is only for legal persons).
</p>
<p>In general, the onboarding process is one of the less digitised and more diverse, with different implementations depending on the sector of activity and local regulation. Even within the same sector the actual implementation of onboarding processes for different companies can vary considerably. Onboarding of participants in an ecosystem may also present differences depending on the specific ecosystem.
</p>
<p>This chapter presents an approach based on eIDAS certificates that can facilitate in the EU area a fully digital and automated cross-border onboarding process and compliance with KYC (Know Your Customer) requirements.
</p>
<p>Onboarding of a new participant in the ecosystem is a critical activity, and proper identification of the new participant at this stage affects very much to the level of trust of the whole onboarding process and so the level of trust that all the other participants in the ecosystem can place on the identity of the new participant. The objective here is to provide a reasonable balance between convenience and level of legal certainty and security of the electronic transactions involved in the onboarding process.
</p>
<p>To facilitate the descriptions later in this document, we reproduce here some relevant definitions taken from the eIDAS Regulation:
</p>
<p><b>Electronic identification</b> means the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person.
</p>
<p><b>Person identification data</b> means a set of data enabling the identity of a natural or legal person, or a natural person representing a legal person to be established.
</p>
<p><b>Authentication</b> means an electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed.
</p>
<p><b>Relying party</b> means a natural or legal person that relies upon an electronic identification or a trust service;
The onboarding process presented in this chapter is just one of the possible options that can be implemented, but it should be the main one supported in the EU region given its advantages.
</p>
</section>
<section id='typesofcertificates'><h2>Types of certificates for onboarding</h2>
<p><code>did:elsi</code> uses eIDAS certificates. The types of certificates which are relevant for the onboarding process are the ones issued to natural persons, to legal persons and to natural persons representing a legal person (as described in article 3(1) of eIDAS for the case of representation).
</p>
<p>Based on the eIDAS regulation, some TSPs (Trust Service Providers) in the EU provide several types of certificates for electronic signatures and seals:
</p>
<ul>
<li><b>Natural Person</b> certificate for electronic signatures
</li>
<li><b>Legal Person</b> certificate for electronic seals
</li>
<li><b>Natural Person as Legal Entity Representative</b> certificate for electronic signatures
</li>
</ul>
<aside class='note' title='electronic signature vs. electronic seals'>
<p><b>Electronic signature</b>: An electronic signature is a data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign, <b>where the signatory is a natural person</b>.
</p>
<p>Like its handwritten counterpart in the offline world, an electronic signature can be used, for instance, to electronically indicate that the signatory has written the document, agreed with the content of the document, or that the signatory was present as a witness.
</p>
<p><b>Electronic seal</b>: An electronic seal is a data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity, <b>where the creator of a seal is a legal person</b> (unlike the electronic signature that is issued by a natural person).
</p>
<p>In this purpose, electronic seals might serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document’s origin and integrity. Nevertheless, across the European Union, <b>when a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorized representative of the legal person is equally acceptable</b>.
</p>
</aside>
</section>
<section id='Some terminology'><h2>Some terminology</h2>
<p>Not all Member States implement at this moment the certificate for a Natural Person as Legal Entity Representative, but the onboarding process described below takes advantage of it when it is available for a participant initiating the onboarding.
</p>
<p>In this way, the onboarding process is prepared for the future, because given that there are different cases of representation, the eIDAS Technical subgroup has been requested by the eIDAS Cooperation Network to amend the technical specifications to include all the cases of representation (see section "2.8. NATURAL AND LEGAL PERSON REPRESENTATIVE from eIDAS SAML Attribute Profile V1.2., 31 August 2019"). It is expected that in the near future most TSPs will start issuing those certificates that simplify and streamline enormously the onboarding processes, not just for this specific use case but for any type of use case in the economy.
</p>
<p>To facilitate the explanation below, we will use the following terminology:
<ul>
<li><b>NP</b>: Natural Person holding a certificate for electronic signature.
</li>
<li><b>LE</b>: the Legal Entity that is being onboarded, holding a certificate for electronic seal.
</li>
<li><b>LER</b>: the Natural Person as Legal Entity Representative, holding a certificate for electronic signature when acting as legal representative of a legal entity.
</li>
</ul>
</p>
<p>The above concepts have a one-to-one relationship with the legal entities in eIDAS. However, we need a little bit more flexibility with respect to the person/employee that can initiate and drive the onboarding process of the legal person in the ecosystem. Even in a big company there are not many employees that have the power of legal representation. We define here an additional concept that is being used already in many other contexts:
<ul>
<li><b>LEAR</b>: Legal Entity Appointed Representative, a natural person that has been nominated (appointed) by a legal representative to act on behalf of the organisation to perform a limited set of processes, in our case the onboarding process (and maybe some additional tasks).
</li>
</ul>
</p>
<p>Instead of using traditional X.509 certificates, we require that the LEAR receives a special type of Verifiable Credential called <b>LEARCredential</b> with proof that the person has the power to represent the legal person in some limited capacity. This credential is described later in this document.
</p>
<p>This concept of LEAR is very similar to the equivalent one for how organisations interact with the European Commission to perform certain tasks on behalf of their organisation, as part of its participation in EU funded grants, procurements and prizes that are managed via the EU Funding & Tenders Portal. To illustrate further, see below the description of LEAR from the Commission.
</p>
<aside class='note' title='LEAR appointment and validation'>
<p>Parallel to the validation of your organisation, you will be requested by the Central Validation Service to appoint your Legal Entity Appointed Representative (LEAR).
</p>
<p>This must be done by a <b>legal representative of your organisation with the necessary legal authority to commit the organisation</b> for this type of decisions (e.g. typically CEOs, rectors, Director-Generals, etc. always in accordance with the statutes of your organisation).
</p>
<p>The LEAR role, which <b>can be performed by any member of the organisation</b> (typically from the central administration), is key. They are formally nominated to manage your organisation's use of the Portal and thus bear the final responsibility for all your actions in the Portal. Once validated, they will be responsible for:
</p>
<ul>
<li>keeping an overview of all the proposals/projects/contracts your organisation is involved in
</li>
<li>managing all the legal and financial information about your organisation
</li>
<li>managing the access rights at organisation-level (and read-only access at project-level)
</li>
<li>appointing the persons which will be able to electronically sign grants/contracts (Legal Signatories — LSIGNs) and cost claims/invoices (Financial Signatories — FSIGNs).
</li>
</ul>
</aside>
</section>
<section id='The LEARCredential'><h2>The LEARCredential</h2>
<p>The LEARCredential can be generated in different ways, using the different eIDAS certificates described in section <a href="#typesofcertificates"></a> and the Trust Service Providers:
</p>
<ul>
<li><b>Using the LE certificate</b>. The person controlling the LE certificate issues a Verifiable Credential to a natural person which typically is an employee of a department in charge of managing the onboarding processes and the relationship with a given ecosystem. The Verifiable Credential includes a description of the actual powers that are being delegated (the required ones have to be defined by the ecosystem). The Verifiable Credential is sealed with the certificate of the LE. This VC is then called a LEARCredential and the person controlling it can use it to authenticate in the onboarding process and act as LEAR.
</li>
<li><b>Using the LER certificate</b>. The main difference with the above is that in this case the Verifiable Credential is signed with a LER certificate. This tends to be easier, especially in big companies because there are normally more than one LER depending on the company structure. As a special case, the LER can issue a LEARCredential to herself and then become a LEAR. This can be used when the LER wants to be the one performing the onboarding process.
</li>
<li><b>Using a trusted entity before onboarding</b>. When neither LE nor LER certificates are already available in the company, a TSP or other trusted entity accepted by the ecosystem could generate and sign the Verifiable Credential directly, instead of generating a LER certificate.
<div>
<p>The main difference with the previous scenarios is that the LEARCredential is signed by a trusted entity and that it has to be involved before the onboarding process starts, making the process somewhat more cumbersome and less self-service.
</p>
</div>
</li>
</ul>
<p>The LEARCredential replaces its analog counterpart with a more efficient, machine-interpretable version. To illustrate, we continue using here the example of the LEAR for the Funding & tender portal of the EC, with the natural language letter that has to be signed: <a href="https://ec.europa.eu/info/funding-tenders/opportunities/docs/2021-2027/common/temp-form/lev/lear-appointment-letter-and-lear-roles-and-duties_en.pdf">LEAR APPOINTMENT LETTER</a>.
</p>
<section id='Claims about the subject'><h2>Claims about the subject</h2>
<p>The LEARCredential should include claims identifying the subject of the credential, the person who will act as LEAR. Each Data Space can define their own depending on their specific requirements. For the example for the EC portal, they should replace their analog counterparts in the first page of the letter, displayed here for illustration.
</p>
<figure id='lear-appointment-letter-1'>
<p><img src="images/lear-appointment-letter-1.png" alt="" />
</p>
<figcaption>LEAR subject identification data.
</figcaption>
</figure>
</section>
<section id='Roles and duties'><h2>Roles and duties</h2>
<p>The LEARCredential should specify the roles and duties of the LEAR. This can be done either embedding a machine-interpretable definition of the roles and duties in the credential, or with just a pointer to an external definition of the roles and duties in natural language, hosted somewhere else. The ideal approach is the first option, expressing the semantics with a proper machine-readable language, because this will allow automatic access control at the granularity of the individual sentences of that expression language.
</p>
<p>For illustration, the following figure shows some of the roles and duties in our LEAR example.
</p>
<figure id='lear-appointment-letter-2'>
<p><img src="images/lear-appointment-letter-2.png" alt="" />
</p>
<figcaption>LEAR roles and duties.
</figcaption>
</figure>
<p>The major problem here is to what level the natural language description of the roles and duties of the LEAR and delegation of those will be described in a formal language, versus simply embedding a secure pointer to somewhere where the actual natural language description is stored. This is an important subject for automating completely access control.
</p>
</section>
<section id='Further delegation of powers'><h2>Further delegation of powers</h2>
<p>The LEAR has delegated powers from the legal representative of the legal person. Using a similar mechanism, the LEAR can further delegate a subset of those powers to one or more persons who will act as account administrators. This can be seen in section 4 of the letter for our example LEAR:
</p>
<figure id='lear-appointment-letter-3'>
<p><img src="images/lear-appointment-letter-3.png" alt="" />
</p>
<figcaption>Further delegation of LEAR roles and duties.
</figcaption>
</figure>
</section>
<section id='Proving control of the LEAR Credential'><h2>Proving control of the LEAR Credential</h2>
<p>The person being appointed as a LEAR is identified as the subject of the credential. In order to later prove control of the credential, the issuer should embed as one of the claims a public key that corresponds to a private key only known by the LEAR and that will be used to sign challenges in the identification and access management systems of the Relying Party that wants to verify the LEAR Credential.
</p>
<p>If the LEAR has an eIDAS certificate, then the contents of that claim should be the certificate itself. Alternatively, the keypair can be generated in a secure and private way during the issuance process (which uses the OIDC4VCI standard).
</p>
<p>The DID identifier for the LEAR in the credential should use the <code>did:elsi</code> method (if the LEARCredential embeds an eIDAS certificate) or <code>did:key</code> if it does not.
</p>
</section>
<section id='Signing of the LEARCredential'><h2>Signing of the LEARCredential</h2>
<p>The LEARCredential must be signed by the issuer using either a LE certificate or a LER certificate, following the JAdES format specified in [[JAdES]].
</p>
<p>The issuer should be identified in the credential using the <code>did:elsi</code> method.
</p>
</section>
</section>
<section id='The identification and verification phase'><h2>The identification and verification phase</h2>
<p>The onboarding service of a Data Space can act as a Relying Party and use the LEARCredential for authentication to identify the legal person involved and the natural person performing the onboarding and additionally verify the binding between both identities and that the natural person has the powers of representation.
</p>
<p>This can be done fully automated and without requiring a previous relationship among the new participant and the onboarding service, enabling self-onboarding.
</p>
<p>Once this step is performed, the LEAR can provide additional documents (ideally as Verifiable Credentials) to complete the onboarding process or perform other required validations. For a Gaia-X compatible Data Space, the LEAR can provide credentials received from the <a href="https://compliance.gaia-x.eu/">Gaia-X Compliance Service</a>.
</p>
</section>
</section>
<section id='Relationship with some other DID methods' class='informative'><h2>Relationship with some other DID methods</h2>
<p>It is difficult (if not impossible) to have a complex ecosystem like Data Spaces with only one DID method, especially if different types of entities coexist in the ecosystem. The "one-size-fits-all" rule does not apply in this case, as is also true in general.
</p>
<p>For example, if there are natural persons, legal persons and machines in the same ecosystem, there is not any DID method that supports all of them while achieving high levels of regulatory compliance, privacy, scalability and decentralisation.
</p>
<p>This is also true of <code>did:elsi</code>, which is designed only for legal persons. Two other DID methods that may be appropriate for the other types of entities are:
</p>
<ul>
<li><code>did:key</code> for natural persons
</li>
<li><code>did:web</code> for machines (servers, sensors, ...)
</li>
</ul>
<p>The next section provides some reasoning on why <code>did:web</code> is not adequate for the same use cases as <code>did:elsi</code>.
</p>
<section id='Comparison with <code>did:web</code>'><h2>Comparison with <code>did:web</code></h2>
<p>In the <code>did:web</code> method, the identifier is essentially a domain name that matches the common name used in the SSL/TLS certificate used in the web server hosting the associated DID document. For example, in the case of <code>https://gaia-x.eu/</code> the common name (CN) in the certificate is <code>CN = gaia-x.eu</code> so the corresponding did would be <code>did:web:gaia-x.eu</code> (assuming that no directories or subdirectories are used).
</p>
<p>This is very convenient, but in most SSL/TLS certificates there is not any relationship between that identifier and the identifier issued by an official registrar that identifies the entity as a legal person or its legal representative, which is required in most types of electronic transactions in the internal market (for example in contract signing or eInvoices). This makes <code>did:web</code> not adequate for processes where you want to achieve legal certainty of substantial or high (according to eIDAS).
</p>
<p>One possibility could be to put an eIDAS certificate as one of the elements of the <code>"verificationMethod"</code> object in the DID document. But this has several problems:
</p>
<ul>
<li>The verifiable credentials should use the <code>did:web</code> identifier, with still no relationship to the legal person or its legal representative, unless a level of indirection is performed, accessing the web server when a verification of the credential is needed.
</li>
<li>Once this access to the web server is done, the same verification process as in <code>did:elsi</code> has to be performed, making the mechanism more complex without adding any real value. In essence, the entity has to prove control of the web server and also of the eIDAS certificate.
</li>
</ul>
<p>Furthermore, the need to access the web server to get the DID document and the embedded eIDAS certificate presents additional problems:
</p>
<ul>
<li>Less resiliency, as verification of a credential with a <code>did:web</code> identifier may fail if the web server is not available at that moment. This may be a big problem if the ecosystem includes many entities with low guarantees of availability of their web servers. Please note that signing the credential with the eIDAS certificate and including it in the credential but using <code>did:web</code> is just a convoluted implementation of the simpler <code>did:elsi</code>: in <code>did:elsi</code> you just sign the credential using the standard format (JAdES) and use the same identifier inside the certificate for the did identifier. No additional web server access is required.
</li>
<li>Less privacy, as the web server of the issuer of a credential has to be accessed every time that a credential is verified (a sensible caching could be used, but there is a risk that the DID document has been changed by the web server in the meantime). This privacy risk does not happen with <code>did:elsi</code> because no access to the web server is required. Given that root anchors for eIDAS certificates would be stored in the Trust Framework, privacy is very high with <code>did:elsi</code>.
</li>
</ul>
</section>
</section>
<section id='references'>
</section>
</body>
</html>