Saved in:
Bibliographic Details
Main Authors: Termont, Wouter, Esteves, Beatriz
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2601.14503
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866910061631111168
author Termont, Wouter
Esteves, Beatriz
author_facet Termont, Wouter
Esteves, Beatriz
contents Recent European efforts around digital identity -- the EUDI regulation and its OpenID architecture -- aim high to provide an EU-wide authentication framework. However, its current technical and legislative architecture are based on a limited conceptualization of identity. None of the legal and technical texts involved explicitly define this central term; and their implicit model of the concept does not go beyond a digitalization of identity cards and similar documents. Based on several other standards, we therefore propose a deeper, explicit definition. Grounded in this definition, we identify several issues in the design of OpenID4VCI and OpenID4VP, and show that neither the functional requirements nor the non-functional advantages claimed by OpenID's new trust model surpasses equivalent existing solutions. Also the EUDI legislation itself cannot accommodate its promise of self-sovereign identity. In particular, we criticize the introduction of institutionalized trusted lists, and discuss their economical and political risks. Their potential to decline into an exclusory, recentralized ecosystem endangers the vision of a user-oriented identity management in which individuals are in charge. In anticipation of revisions to the EUDI regulations, we suggest several technical alternatives for the OpenID architecture, as well as paths for future research, addressing a heterogeneity of attestations and providers.
format Preprint
id arxiv_https___arxiv_org_abs_2601_14503
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle OpenID for European Digital Identity: An architectural analysis of user-centric identity management
Termont, Wouter
Esteves, Beatriz
Cryptography and Security
Computers and Society
Networking and Internet Architecture
C.2.1; K.4.1
Recent European efforts around digital identity -- the EUDI regulation and its OpenID architecture -- aim high to provide an EU-wide authentication framework. However, its current technical and legislative architecture are based on a limited conceptualization of identity. None of the legal and technical texts involved explicitly define this central term; and their implicit model of the concept does not go beyond a digitalization of identity cards and similar documents. Based on several other standards, we therefore propose a deeper, explicit definition. Grounded in this definition, we identify several issues in the design of OpenID4VCI and OpenID4VP, and show that neither the functional requirements nor the non-functional advantages claimed by OpenID's new trust model surpasses equivalent existing solutions. Also the EUDI legislation itself cannot accommodate its promise of self-sovereign identity. In particular, we criticize the introduction of institutionalized trusted lists, and discuss their economical and political risks. Their potential to decline into an exclusory, recentralized ecosystem endangers the vision of a user-oriented identity management in which individuals are in charge. In anticipation of revisions to the EUDI regulations, we suggest several technical alternatives for the OpenID architecture, as well as paths for future research, addressing a heterogeneity of attestations and providers.
title OpenID for European Digital Identity: An architectural analysis of user-centric identity management
topic Cryptography and Security
Computers and Society
Networking and Internet Architecture
C.2.1; K.4.1
url https://arxiv.org/abs/2601.14503