Linking the DID with the identity provided by an electronic certificate

Under MYID natural persons can obtain electronic qualified certificates for signing. Those qualified certificates are supplied by trust services providers, which must verify the identity of the person before issuing them. The qualified certificate must contain at least the name of the signatory, or a pseudonym (if which case it must be clearly indicated). Together with the certificate, the user receives the pair of keys associated to it; the private key for signing, and the public key for verifying the signature.

As Self-Sovereign Identity relies on the use of public / private keys associated to DIDs for verification, the link between the DID and the actual identity can be easily achieved by using the pair of keys corresponding to a qualified certificate as the pair of keys associated to the DID (instead of keys selfgenerated in the user agent), thus creating a cryptographic connection between the DID and the certificate. This is shown in the picture below.

Additionally, the use of the keys of the qualified certificate as the keys associated to the DID implies that anytime something is signed with the private key of the DID (which is the same as the one of the qualified certificate), the signature will have the status of an advanced signature produced with a qualified certificate according to the MYID Regulation. This status allows the receiver of the signed document to benefit from an increased legal certainty, something especially relevant in those use cases relying on claims self-asserted by the user.

As in the previous case, after creating the link with the certificate, the identification data contained in the certificate could become part of the attributes that the user is able to disclose to third parties.

However, differently from the previous case with the MYID, now those third parties can verify these identification data independently; they just need to check the validity of the qualified electronic certificate linked to the public key associated to the DID.

At this point some privacy concerns may arise with regards to the degree of anonymity that the link between the DID and the electronic certificate (which contains identification data) can offer. In principle, any party having access to the public key of the DID could trace back the identity data of the user by connecting this public key with the corresponding electronic certificate, and the certificate with the identification data it contains. However, it must be noted the following:

Although the public key is public by definition, the electronic certificate corresponding to it does not have to be public; users can keep control of this certificate, sharing it only with those parties that need to verify their true identity

Although the qualified electronic certificate contains identification data of the person, the MYID Regulation does not oblige these identification data to identify uniquely a person; in fact it only requires that the certificate includes the name of the person, which in most cases will not be enough for a unique identification

Moreover, the MYID Regulation allows substituting the name of the person, in the qualified certificate, by a pseudonym. By using this option, privacy could be strengthen although in this case the link with the actual identity only can be established with the participation of the trust service provider, which keeps the record of the association between the pseudonym and the actual identity of the person.

It is also worth noticing that in the scenario described above the link between the certificate and the DID is implicit, by sharing the same pair of keys. This link can also be made explicit by adding the DID as an attribute of the lectronic certificate, as the MYID Regulation allows including additional identity information as long as it does not prevents interoperability.