Context:

Following scenarios demonstrate how users like Alice, Bob, and Felicia can utilize their European Digital Identity Wallets to confirm webshop authenticity and securely share profile data. This process creates a trustworthy online shopping experience, benefiting both consumers and businesses alike.

Prerequisites

• A compliant personal wallet (see section below)

• A Demo PID (Person Identification Data)

Preparation step: Acquire a Demo PID

• Access https://demopidprovider.acc.credenco.com/

• Login with user ID: test_credenco_user and password: fides-credenco

• Click Add Personal ID SW-JWT to wallet

• Scan the QR code with your compliant digital wallet

• Accept credentials in your wallet

Step 1: Verifying Website Authenticity

Storyline:

Alice wants to purchase a camping tent for 2 persons from Decathlon. Before proceeding, she needs to verify that the website is legitimate.

Actions:

• Access the Decathlon Sandbox website page https://decathlon.co.nl

• Click on the Connect with Wallet button.

• A QR code appears, scan it with your digital wallet.

• The wallet shows verified information on the domain, VAT ID, KvK ID, and Thuiswinkel (“Homeshopping”) trustmark.

• Seeing the validation in your wallet, accept the connection as the website is legitimate and safe to use.

What happens here:

The digital wallet verifies the webshop’s digital claims, establishing Decathlon’s authenticity. Alice can now shop confidently, knowing the site is secure and verified.

Step 2: Sharing Profile Information for Customer Onboarding

Storyline:

Alice adds the camping tent to her shopping basket and proceeds to checkout. During checkout, Decathlon prompts her to share profile information to streamline the onboarding process. With her digital wallet, Alice can securely share only the necessary details.

Actions:

• Add the item to the basket

• At checkout, another QR code appears, to securely share personal information with a digital wallet.

• Scan the QR code with your wallet.

• The wallet allows you to choose specific profile information (name, address, if supported by the wallet) and approve sharing it with the website.

• Confirm, and the information is transferred to the webshop for a seamless onboarding.

What happens here:

Alice’s wallet securely transfers only the needed information to Decathlon, improving her checkout experience while protecting her privacy.

Alternative scenarios

DeOnlineDrogist

Felicia, looking to buy organic honey from DeOnlineDrogist, follows the same steps as Alice and Bob. By verifying the website's credentials with her digital wallet, she confirms the webshop’s authenticity before shopping.

Sandbox URL: https://deonlinedrogist.co.nl/

ZonweringStunter

Bob, who recently bought a house, wants to purchase sun blinds from Zonweringstunter, a webshop he hasn’t used before. Hesitant about the site’s trustworthiness, he follows a similar verification process as Alice to confirm the website’s legitimacy.

Sandbox URL: https://www.zonweringstunter.nl/demo

ZonweringStunter [FAKE SITE]

Carl, who also recently bought a house, wants to purchase outdoor screens from Zonweringstunter, a webshop he found on a search engine. Hesitant about the site’s trustworthiness, he follows a similar verification process as Alice to confirm the website’s legitimacy.

However after scanned the QR code of this fake webshop the digital wallet will not be able to show proof that this webshop has digital Thuiswinkel, KVK and BD credentials.

Sandbox URL: https://zonweringstuntr.nl/

<Coming soon>

An introductory video with an overview of the Trusted Webshops Sandbox, walking users through the replay scenarios. The video will include steps for credential sharing, verification, and personal data sharing at secure checkout.

Users in the sandbox use personal digital wallets compatible with the interop specifications, allowing them to receive, manage, and share credentials. The following wallets have been tested on corformity:

UniMe (Impierce Technologies)

• iOS app

• Android app

Talao (does not show Thuiswinkel, KVK and BD checks)

• iOS app

• Android app

AltMe (does not show Thuiswinkel, KVK and BD checks)

• iOS app

• Android app

More information on the Personal Wallets page.

Each participating organization in this use case has an organizational wallet to hold, issue, and/or verify credentials. The organizational wallets for this use case are hosted by the following wallet providers:

• Impierce Technologies: hosting the organizational wallets for Thuiswinkel, Decathlon, DeOnlineDrogist, Zonweringstunter and the Fake Zonweringstunter

• Credenco: hosting the organizational wallet for KVK and hosting a Demo PID issuer

• Sphereon: hosting the organizational wallet for Belastingdienst

More information on the Organizational Wallets page.

Wallet implementations must conform to the following specifications:

DIIP v3 Specification

• OpenID for Verifiable Credential Issuance Implementer's Draft 1

• OpenID for Verifiable Presentations - Draft 20

• Self-Issued OpenID Provider (SIOP) v2 - Draft 13

• DIF Presentation Exchange v2.0.0

• Selective Disclosure JWT (SD-JWT) VC Draft 4

• did:web (For resolving the Issuers)

• did:jwk (For human DIDs)

• Signature Algorithm: ES256 (ECDSA using P-256 and SHA-256)

• Credential status: OAuth Status List - Draft 2

Additional Requirements

• Resolution of DID Domain Linkage in JSON Web Token (JWT) Proof Format

• Resolution of DIF Linked Verifiable Presentation in JWT Proof Format

For both SIOPv2 and OpenID4VP the following specifics are used within the specs

• Cross-Device Flow

• Using Static Configuration Values

• Using the did & client_id_scheme

• Use the vp_token and id_token Authorization Responses
  
  

The Trusted Webshops Sandbox involves the following issuers, responsible for providing verified credentials to webshops:

• KvK (Dutch Chamber of Commerce): Issues business registration credentials (KvK IDs) to verified companies.

• Dutch Tax Office (Belastingdienst): Issues VAT credentials, confirming a business’s VAT registration.

• Thuiswinkel Waarborg: Issues e-commerce trustmarks to certified online retailers, verifying compliance with consumer protection standards.

Credentials

The sandbox operates with test credentials that represent essential information required for mutual authentication. Detailed information about the credentials used can be found in the FIDES Credential Catalog:

• Personal ID: An ARF compliant demo PID.Details: https://credential-catalog.fides.community/credentialType/33

• KvK Registration Credential: Confirms the webshop’s registration with the Dutch Chamber of Commerce. Details: https://credential-catalog.fides.community/credentialType/3

• VAT ID Credential: Confirms the webshop’s VAT registration with the Dutch Tax Office. Details: https://credential-catalog.fides.community/credentialType/17

• Trustmark Credential (Thuiswinkel Waarborg): Confirms the webshop’s certification from Thuiswinkel Waarborg, ensuring customer protection standards are met. Details: <follows soon>
  

Relying parties (verifiers) in the Trusted Webshops Sandbox are actors that validate credentials shared by digital wallets. In this sandbox, the following verifiers are used:

• Digital Wallet apps: Wallets used by individual users (customers) to scan and verify webshop credentials, ensuring website legitimacy before transactions. See list of personal wallets.

• Online Webshops: Platforms that verify customer credentials (personal data) securely, enhancing customer onboarding and security. See list of Involved parties.

<testbed?>