Certificate Transparency for Relying Party Certificates

posted in #eGovernment, eID & eSignature, IT Security, News on the 27.08.2025

eIDAS 2’s European Digital Identity framework shifts control to the user via a secure wallet app. Relying Parties (RPs) that want to access wallet data must register with the authorities and declare their intended data use (purpose) before doing so. During a transaction, an RP Access Certificate (RPAC) authenticates the RP’s service instance; an RP Registration Certificate (RPRC) enumerates the specific attributes the RP is authorized to request. Together, these certificates implement privacy by design: the wallet can inform users which RP is asking for which attributes and refuse requests that go beyond what was officially registered as necessary.

However, the regulation leaves a critical enforcement gap: there is no built-in mechanism for users or auditors to verify what has been registered or whether those limits are respected. This project proposes RP Certificate Transparency (RPCT), a public, cryptographically verifiable log infrastructure inspired by Certificate Transparency and adapted to the RP authentication and authorization model of eIDAS 2. RPCT provides inclusion, consistency, and history proofs suitable for unlinkable wallet verification, supports revocation transparency and per-RP audit trails, and enables regulators and third-party monitors to detect misissuance and over-scoped requests.
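To make the inclusion-proof idea concrete, the following is an added illustration (not code from the project or the report): a minimal RFC 6962-style Merkle log over constructed RPRC-like registration entries, with an inclusion proof the wallet can verify before it compares a request against the logged attribute scope. Entry fields, RP names and attribute names are assumed for the example.

```python
import hashlib
import json

def _leaf(data: bytes) -> bytes:
    # RFC 6962 domain separation: leaves are hashed with a 0x00 prefix
    return hashlib.sha256(b"\x00" + data).digest()

def _node(left: bytes, right: bytes) -> bytes:
    # interior nodes are hashed with a 0x01 prefix
    return hashlib.sha256(b"\x01" + left + right).digest()

def _split(n: int) -> int:
    # largest power of two strictly less than n (RFC 6962 tree shape)
    k = 1
    while k * 2 < n:
        k *= 2
    return k

def root_hash(leaves: list) -> bytes:
    if len(leaves) == 1:
        return leaves[0]
    k = _split(len(leaves))
    return _node(root_hash(leaves[:k]), root_hash(leaves[k:]))

def inclusion_proof(leaves: list, idx: int) -> list:
    # audit path as (sibling_hash, sibling_is_left) pairs, leaf to root
    if len(leaves) == 1:
        return []
    k = _split(len(leaves))
    if idx < k:
        return inclusion_proof(leaves[:k], idx) + [(root_hash(leaves[k:]), False)]
    return inclusion_proof(leaves[k:], idx - k) + [(root_hash(leaves[:k]), True)]

def verify_inclusion(leaf_hash: bytes, proof: list, expected_root: bytes) -> bool:
    h = leaf_hash
    for sibling, sibling_is_left in proof:
        h = _node(sibling, h) if sibling_is_left else _node(h, sibling)
    return h == expected_root

def encode_entry(entry: dict) -> bytes:
    # canonical encoding so log and wallet hash the same bytes
    return json.dumps(entry, sort_keys=True).encode()

# Constructed sample registration entries (assumed shape, not real RPRC data)
REGISTRATIONS = [
    {"rp": "rp-example-bank", "purpose": "open account", "attrs": ["given_name", "family_name", "birth_date"]},
    {"rp": "rp-example-shop", "purpose": "age check", "attrs": ["age_over_18"]},
    {"rp": "rp-example-clinic", "purpose": "patient intake", "attrs": ["given_name", "health_insurance_id"]},
]

def check_request(registration: dict, requested: list, proof: list, log_root: bytes):
    """Wallet-side check: the presented registration must be in the log, and the
    requested attributes must stay within its logged scope. Returns (included, over_scope)."""
    included = verify_inclusion(_leaf(encode_entry(registration)), proof, log_root)
    over_scope = sorted(set(requested) - set(registration["attrs"]))
    return included, over_scope
```

A registration that was altered after logging fails the inclusion check even if its attribute list would cover the request, while a genuine registration with an over-scoped request is reported by the second return value.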

Downloads

Report_EN (PDF), 813 KB