AW: AW: The German Government slams JSON-LD from Steffen Schwalm on 2026-02-28 (public-credentials@w3.org from February 2026)

From: Steffen Schwalm <Steffen.Schwalm@msg.group>
Date: Sat, 28 Feb 2026 08:05:27 +0000
To: Jori Lehtinen <lehtinenjori03@gmail.com>
CC: Anders Rundgren <anders.rundgren.net@gmail.com>, Lluís Alfons Ariño Martín <lluisalfons.arino@urv.cat>, "carsten.stoecker@spherity.com" <carsten.stoecker@spherity.com>, Melvin Carvalho <melvincarvalho@gmail.com>, W3C Credentials CG <public-credentials@w3.org>
Message-ID: <AM8P191MB129962D5D4B6E78E9065E931FA70A@AM8P191MB1299.EURP191.PROD.OUTLOOK.COM>

WRAC is the legal abbreviation see Implementing Act

WRAC are necessary for any Relying Party to interact with EUDI Wallet

For signing you need qualif. Certificates acc. ETASI EN 319 411-1. For Payment WRAC needed for RP but not for SCA

________________________________
Von: Jori Lehtinen <lehtinenjori03@gmail.com>
Gesendet: Freitag, 27. Februar 2026 19:11
Bis: Steffen Schwalm <Steffen.Schwalm@msg.group>
Cc: Anders Rundgren <anders.rundgren.net@gmail.com>; Lluís Alfons Ariño Martín <lluisalfons.arino@urv.cat>; carsten.stoecker@spherity.com <carsten.stoecker@spherity.com>; Melvin Carvalho <melvincarvalho@gmail.com>; W3C Credentials CG <public-credentials@w3.org>
Betreff: Re: AW: The German Government slams JSON-LD

Caution: This email originated from outside of the organization. Despite an upstream security check of attachments and links by Microsoft Defender for Office, a residual risk always remains. Only open attachments and links from known and trusted senders.

I'm not critizing anything, I'm just having a hard time understanding what you are saying,

Maybe IA means implementing act

And looking closer maybe WRAC means

(14)

‘wallet-relying party access certificate’ means a certificate for electronic seals or signatures authenticating and validating the wallet-relying party issued by a provider of wallet-relying party access certificates;

where WRPAC would be more accurate abbrevation, I'm just trying to understand you Steffen... Because I want to understand the EUDI / eIDAS framework...

But basically are you saying that Relying party access certificates are not required for Signatures and Payments in light of the Implementing Acts?

If yes what does that mean in practice?

pe 27.2.2026 klo 19.50 Steffen Schwalm (Steffen.Schwalm@msg.group) kirjoitti:

  1.
I gave you relevant IA on PID
  2.
on WRAC see https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202500848

Recommend to have look in IA first before we criticize

Gesendet von Outlook für Android<https://aka.ms/AAb9ysg>
________________________________
From: Anders Rundgren <anders.rundgren.net@gmail.com<mailto:anders.rundgren.net@gmail.com>>
Sent: Friday, February 27, 2026 6:41:27 PM
To: Steffen Schwalm <Steffen.Schwalm@msg.group>; Lluís Alfons Ariño Martín <lluisalfons.arino@urv.cat<mailto:lluisalfons.arino@urv.cat>>; carsten.stoecker@spherity.com<mailto:carsten.stoecker@spherity.com> <carsten.stoecker@spherity.com<mailto:carsten.stoecker@spherity.com>>; 'Melvin Carvalho' <melvincarvalho@gmail.com<mailto:melvincarvalho@gmail.com>>
Cc: 'W3C Credentials CG' <public-credentials@w3.org<mailto:public-credentials@w3.org>>
Subject: Re: AW: The German Government slams JSON-LD

Caution: This email originated from outside of the organization. Despite an upstream security check of attachments and links by Microsoft Defender for Office, a residual risk always remains. Only open attachments and links from known and trusted senders.

On 2026-02-27 16:50, Steffen Schwalm wrote:
> Hi Anders,
>
> What`s a PID is technically and legally clearly defined in Art. 5a and: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL_202402979&qid=1733300667869 <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL_202402979&qid=1733300667869>
He Steffen,

I did not find anything.  I believe this is OK since there is no consensus on just about anything with respect to identity.  In Sweden you cannot do anything without a "personnummer" while in France, this is considered against the constitution.
https://en.wikipedia.org/wiki/National_identification_number
Usage in Sweden: https://cyberphone.github.io/doc/research/citizen-register.pdf
>
> - Services typically only speak local languages.
>
>   *
>     W3CVCDM allows multi language

In https://github.com/eu-digital-identity-wallet/eudi-doc-standards-and-technical-specifications/blob/main/docs/technical-specifications/ts12-electronic-payments-SCA-implementation-with-wallet.md#23-sca-attestation-metadata I found this little gem:

             "schema": "urn:eudi:sca:payment:1",
             "claims": [
                 {
                     "path": [ "payload", "transaction_id"],
                     "visualisation": 4,
                     "display": [
                         {
                             "lang": "de-DE",
                             "label": "Transaktionsnummer",
                             "description": "Eindeutige Nummer der Transaktion"
                         },
                         {
                             "lang": "en-GB",
                             "label": "Transaction ID",
                             "description": "Unique identifier of the transaction"
                         }
                     ]
                 }

This is not how the industry at large deals with multiple languages and localization.  For the "SCA Rulebook" they are [still] waiting for the "industry" to fill in the blanks...

As a Technologist, European (SE/FR), Consumer, and Tax-payer, I feel a bit concerned.

I also wonder where NFC is.  QR is beginning to get on my nerves with tons of different apps op the phone.   There simply MUST be a better way!

Regards,
Anders

>   *
>     WRAC covers this
>
>
>   *
>     Payment --> Where exactly should be issue (if RP requests data before payment it`s not issue and for SCA the WRAC is IMHO not used)
>
>
> Best
> Steffen
>
>

Received on Saturday, 28 February 2026 08:05:36 UTC