Guardians of the Registry: Certificate Transparency for Relying Party Authorization in eIDAS 2

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

User-centric, privacy-preserving identity wallets, such as those defined under the EU Digital Identity (EUDI) framework, control access to their ecosystem by requiring Relying Parties (RPs) to authenticate and declare their data access permissions. Under eIDAS 2, this is realized through two certificates: Access Certificates (RPACs), which authenticate individual service instances, and Registration Certificates (RPRCs), which specify the attributes a service is permitted to request. However, in the absence of auditability, misissuance and silent revocation of these certificates remain undetectable, undermining user trust and regulatory oversight.

To address this gap, we propose RP Certificate Transparency (RPCT): a transparent logging architecture that records both issuance and revocation of RP certificates in an append-only, publicly auditable log. By adapting Certificate Transparency (CT) principles to the EUDI context, RPCT enables monitoring of issued certificates and detection of overly permissive authorizations. Our design addresses known CT limitations, such as lack of revocation transparency, privacy leakage, and monitoring overhead, and adds support for offline-verifiable proofs that preserve user unlinkability.

We demonstrate that our architecture meets the regulation's accountability, auditability, and privacy goals. More generally, our architecture represents an efficient, general-purpose transparency service that can be applied to any user-centric credential system.
Original language: English
Title of host publication: Availability, Reliability and Security
Subtitle of host publication: ARES 2025 International Workshops, Proceedings, Part IV
Editors: Bart Coppens, Bruno Volckaert, Bjorn De Sutter, Vincent Naessens
Publisher: Springer
Pages: 148-165
Number of pages: 18
ISBN (Print): 9783032006387
DOIs:
Publication status: Published - 11 Aug 2025
Event: 20th International Conference on Availability, Reliability and Security, ARES 2025 - Ghent, Belgium
Duration: 11 Aug 2025 to 14 Aug 2025

Publication series

Name: Lecture Notes in Computer Science
Volume: 15997 LNCS
ISSN (Print): 0302-9743
ISSN (Electronic): 1611-3349

Conference

Conference: 20th International Conference on Availability, Reliability and Security, ARES 2025
Abbreviated title: ARES 2025
Country/Territory: Belgium
City: Ghent
Period: 11/08/25 to 14/08/25

Keywords

  • Accountability
  • Certificate Transparency
  • EUDI Wallet

ASJC Scopus subject areas

  • Theoretical Computer Science
  • General Computer Science

Fields of Expertise

  • Information, Communication & Computing
  • EU - LICORICE - reLIable and sCalable tOols foR self-sovereIgn identity and data proteCtion framEwork

    Tauber, A. (Project manager on research unit)

    1/10/24 to 30/09/27

    Project: Research project

  • A-SIT - Secure Information Technology Center Austria

    Posch, R. (Project manager), Oswald, M. E. (Other function), Payer, U. (Other function), Neuherz, E. (Other function), Ivkovic, M. (Attendee), Tauber, A. (Attendee), Reiter, A. (Attendee), Zefferer, T. (Attendee), Kreuzhuber, S. (Attendee), Rössler, T. (Other function), Mangard, S. (Attendee), Bratko, H. (Other function), Dietrich, K. (Attendee), Stranacher, K. (Attendee), Bonato, M. (Other function), Bauer, W. (Attendee), Orthacker, C. (Attendee), Wolkerstorfer, J. (Attendee), Zwattendorfer, B. (Attendee), Aigner, M. J. (Other function), Scheibelhofer, K. (Other function), Suzic, B. (Attendee), Knall, T. (Other function), Leitold, H. (Coordinator), Bratko, D. (Attendee), Dominikus, S. (Attendee), Lipp, P. (Attendee), Marsalek, A. (Attendee), Reimair, F. (Attendee), Feichtner, J. (Attendee) & Teufl, P. (Attendee)

    21/05/99 to 31/12/24

    Project: Research area
