- From: Steffen Schwalm <Steffen.Schwalm@msg.group>
- Date: Sat, 28 Feb 2026 12:09:44 +0000
- To: Detlef Hühnlein (ecsec GmbH) <detlef.huehnlein@ecsec.de>, "public-credentials@w3.org" <public-credentials@w3.org>
- Message-ID: <AM8P191MB1299A09FB622B2CC087531BFFA70A@AM8P191MB1299.EURP191.PROD.OUTLOOK.COM>
Hi Detlef,
thanks for your comprehensive Email. As you know ETSI is no legislative & 119400 wrong standard.
Rught one I guess is ETSI TS 119 411-8 which does not contain the abbreviation you mentioned but also not my one.
Quelle: ETSI https://share.google/5GgXhOeQrZjRDbZRz
AI says
Wallet-Relying Party Access Certificate (WRAC or RPAC) is a specialized, cryptographic certificate used within the European Digital Identity (EUDI) Wallet ecosystem to authenticate and authorize a service provider (the "Relying Party") when they request personal data from a user's digital wallet.
EUR-Lex
EUR-Lex
+2
Key Aspects of WRAC:
Purpose: It proves the identity of the Relying Party (RP)
Verification: Wallet Units (apps) must verify these certificates against national trusted lists before releasing any data.
Security: If authentication via the WRAC fails, the wallet must refuse to share the requested attributes."
Seems both of us are half right. There's no legal abbreviation but both abbreviation common.
But thanks for highlighting this important topic
Best
Steffen
Gesend
________________________________
Von: Detlef Hühnlein (ecsec GmbH) <detlef.huehnlein@ecsec.de>
Gesendet: Samstag, Februar 28, 2026 10:42:17 AM
An: public-credentials@w3.org <public-credentials@w3
Betreff: Re: The German Government slams JSON-LD
Good Morning Steffen,
>WRAC is the legal abbreviation see Implementing Act
Which "Implementing Act" are you referring to here?
My guess would be CIR (EU) 2025/848 [1], but this implementing act,
as most others, does NOT introduce something like a "legal abbreviation".
On the other hand, there are by now quite a few ETSI standards,
which use "WRPAC" as abbreviation for "Wallet-Relying Party Access Certificate"
(see [2,3]) and in a similar vain "WRPRC" as abbreviation for
"Wallet-Relying Party Registration Certificate" (see [2]).
[1] http://data.europa.eu/eli/reg_impl/2025/848/oj
[2] https://www.etsi.org/deliver/etsi_ts/119400_119499/119475/01.01.01_60/ts_119475v010101p.pdf
[3] https://www.etsi.org/deliver/etsi_ts/119400_119499/119478/01.01.01_60/ts_119478v010101p.pdf
Am 28.02.2026 um 09:05 schrieb Steffen Schwalm:
WRAC is the legal abbreviation see Implementing Act
WRAC are necessary for any Relying Party to interact with EUDI Wallet
For signing you need qualif. Certificates acc. ETASI EN 319 411-1. For Payment WRAC needed for RP but not for SCA
________________________________
Von: Jori Lehtinen <lehtinenjori03@gmail.com><mailto:lehtinenjori03@gmail.com>
Gesendet: Freitag, 27. Februar 2026 19:11
Bis: Steffen Schwalm <Steffen.Schwalm@msg.group><mailto:Steffen.Schwalm@msg.group>
Cc: Anders Rundgren <anders.rundgren.net@gmail.com><mailto:anders.rundgren.net@gmail.com>; Lluís Alfons Ariño Martín <lluisalfons.arino@urv.cat><mailto:lluisalfons.arino@urv.cat>; carsten.stoecker@spherity.com<mailto:carsten.stoecker@spherity.com> <carsten.stoecker@spherity.com><mailto:carsten.stoecker@spherity.com>; Melvin Carvalho <melvincarvalho@gmail.com><mailto:melvincarvalho@gmail.com>; W3C Credentials CG <public-credentials@w3.org><mailto:public-credentials@w3.org>
Betreff: Re: AW: The German Government slams JSON-LD
Caution: This email originated from outside of the organization. Despite an upstream security check of attachments and links by Microsoft Defender for Office, a residual risk always remains. Only open attachments and links from known and trusted senders.
I'm not critizing anything, I'm just having a hard time understanding what you are saying,
Maybe IA means implementing act
And looking closer maybe WRAC means
(14)
‘wallet-relying party access certificate’ means a certificate for electronic seals or signatures authenticating and validating the wallet-relying party issued by a provider of wallet-relying party access certificates;
where WRPAC would be more accurate abbrevation, I'm just trying to understand you Steffen... Because I want to understand the EUDI / eIDAS framework...
But basically are you saying that Relying party access certificates are not required for Signatures and Payments in light of the Implementing Acts?
If yes what does that mean in practice?
pe 27.2.2026 klo 19.50 Steffen Schwalm (Steffen.Schwalm@msg.group<mailto:Steffen.Schwalm@msg.group>) kirjoitti:
1.
I gave you relevant IA on PID
2.
on WRAC see https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ:L_202500848
Recommend to have look in IA first before we criticize
Gesendet von Outlook für Android<https://aka.ms/AAb9ysg>
________________________________
From: Anders Rundgren <anders.rundgren.net@gmail.com<mailto:anders.rundgren.net@gmail.com>>
Sent: Friday, February 27, 2026 6:41:27 PM
To: Steffen Schwalm <Steffen.Schwalm@msg.group><mailto:Steffen.Schwalm@msg.group>; Lluís Alfons Ariño Martín <lluisalfons.arino@urv.cat<mailto:lluisalfons.arino@urv.cat>>; carsten.stoecker@spherity.com<mailto:carsten.stoecker@spherity.com> <carsten.stoecker@spherity.com<mailto:carsten.stoecker@spherity.com>>; 'Melvin Carvalho' <melvincarvalho@gmail.com<mailto:melvincarvalho@gmail.com>>
Cc: 'W3C Credentials CG' <public-credentials@w3.org<mailto:public-credentials@w3.org>>
Subject: Re: AW: The German Government slams JSON-LD
Caution: This email originated from outside of the organization. Despite an upstream security check of attachments and links by Microsoft Defender for Office, a residual risk always remains. Only open attachments and links from known and trusted senders.
On 2026-02-27 16:50, Steffen Schwalm wrote:
> Hi Anders,
>
> What`s a PID is technically and legally clearly defined in Art. 5a and: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL_202402979&qid=1733300667869 <https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=OJ%3AL_202402979&qid=1733300667869>
He Steffen,
I did not find anything. I believe this is OK since there is no consensus on just about anything with respect to identity. In Sweden you cannot do anything without a "personnummer" while in France, this is considered against the constitution.
https://en.wikipedia.org/wiki/National_identification_number
Usage in Sweden: https://cyberphone.github.io/doc/research/citizen-register.pdf
>
> - Services typically only speak local languages.
>
> *
> W3CVCDM allows multi language
In https://github.com/eu-digital-identity-wallet/eudi-doc-standards-and-technical-specifications/blob/main/docs/technical-specifications/ts12-electronic-payments-SCA-implementation-with-wallet.md#23-sca-attestation-metadata I found this little gem:
"schema": "urn:eudi:sca:payment:1",
"claims": [
{
"path": [ "payload", "transaction_id"],
"visualisation": 4,
"display": [
{
"lang": "de-DE",
"label": "Transaktionsnummer",
"description": "Eindeutige Nummer der Transaktion"
},
{
"lang": "en-GB",
"label": "Transaction ID",
"description": "Unique identifier of the transaction"
}
]
}
This is not how the industry at large deals with multiple languages and localization. For the "SCA Rulebook" they are [still] waiting for the "industry" to fill in the blanks...
As a Technologist, European (SE/FR), Consumer, and Tax-payer, I feel a bit concerned.
I also wonder where NFC is. QR is beginning to get on my nerves with tons of different apps op the phone. There simply MUST be a better way!
Regards,
Anders
> *
> WRAC covers this
>
>
> *
> Payment --> Where exactly should be issue (if RP requests data before payment it`s not issue and for SCA the WRAC is IMHO not used)
>
>
> Best
> Steffen
>
>
--
Dipl. Inform. (FH)
Dr. rer. nat. Detlef Hühnlein
ecsec GmbH
Sudetenstrasse 16
96247 Michelau
Germany
Phone +49 9571 948 1020
Mobile +49 171 9754980
Mail detlef.huehnlein@ecsec.de<mailto:detlef.huehnlein@ecsec.de>
ecsec GmbH
Sudetenstrasse 16
96247 Michelau
Germany
Registered at Court of Coburg HRB 4622
EUID: DED4401V.HRB4622
Directors:
Tina Hühnlein
Dr. Detlef Hühnlein
This e-mail may contain strictly confidential information and is intended for the person to which it is addressed only. Any dissemination, even partly, is prohibited. If you receive this e-mail by mistake, please contact the sender and delete this e-mail from your computer, including your mailserver. Except in case of gross negligence or wilful misconduct we accept no liability for any loss or damage caused by software or e-mail viruses.
Received on Saturday, 28 February 2026 12:09:54 UTC