This document specifies Globally Qualified Electronic Seals / Signatures (GQES) Core as the GIDAS profile for qualified-signature and qualified-seal semantics packaged as verifier-checkable credentials.
It defines deterministic verification requirements for VC-carried proof artifacts, DID-linked public verification material, revocation and key-history cutoffs, and relying-party decision outputs.
This specification does not create legal recognition by itself. Legal effect is an external policy and governance decision.
This is an unofficial draft.
Document authority: this text is not a legal instrument and does not create jurisdictional recognition effects.
AI assistance disclosure: this draft used OpenAI GPT-5 Codex for drafting support, structure proposals, and editorial rewrites. Human editor review determined normative intent, accepted/rejected changes, and final wording.
Source currency note: linked source pages were checked on February 19, 2026.
The key words MUST, MUST NOT, REQUIRED, SHALL, SHALL NOT, SHOULD, SHOULD NOT, RECOMMENDED, MAY, and OPTIONAL in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals.
Conforming implementations MUST satisfy all requirements for at least one conformance class in Conformance Classes.
Unless explicitly overridden, data-model terms such as list, set, tuple, and byte sequence are interpreted according to Infra [INFRA]. JSON payload and array semantics are interpreted according to [RFC8259].
This specification defines externally observable data models, verification invariants, and deterministic processing outcomes. It does not define implementation architecture, runtime internals, or optimization strategy.
End-to-end machine verifiability is mandatory: any acceptance decision, legal-status claim, or policy-compatibility claim MUST be backed by machine-verifiable artifacts and explicit source references.
Conformance in this specification is outcome-based: required verifier outputs and security/privacy invariants are normative; implementation strategy remains implementation-defined.
This document does not define programming-language implementations or API usage recipes.
NOTE: The openapi.yaml contracts are indicative and are not yet normative. Official schemas will be finalized after the first reference implementation.
This specification covers:
This specification does not:
This section is informative. It describes stakeholder adoption pathways as explicit goal -> required artifact/interface -> verifier behavior -> adoption pathway mappings.
| Stakeholder | Goal | Required Artifact/Interface | Verifier Behavior | Adoption Pathway |
|---|---|---|---|---|
| Device and platform manufacturers | Expose auditable signer-intent and key-custody evidence. | Device assurance outputs consumed by QES/QSeal verification flows. | Verify that QES claims include QSCD-class evidence linkage when policy requires. | Publish profile bindings from platform evidence to GQES verifier checks. |
| Wallet and app implementers | Keep proof custody private while enabling deterministic verification. | VC proof artifacts, consent logs, selective-disclosure controls, countersignature support. | Verify challenge, audience, freshness, and artifact-binding for countersigned presentations. | Publish conformance reports and avoid remote-by-default custody shortcuts. |
| Standards development organizations (SDOs) | Define interoperable profiles and test suites. | Profile constraints, deterministic test vectors, and requirement mappings. | Require identical outputs for identical inputs across implementations. | Adopt profile work items over GQES Core requirements. |
| Governments and regulators | Publish recognition inputs without changing cryptographic semantics. | Authoritative registries, trusted lists, status feeds, and policy-discovery endpoints. | Keep cryptographic validity separate from legal recognition outputs. | Publish compatibility mappings over the baseline web profile. |
| Auditors, CABs, and assessors | Evaluate machine-verifiable conformance evidence. | Requirement-id mapped evidence artifacts, test assertions, and deterministic verifier transcripts. | Reject narrative-only assurance claims lacking artifact-level verification. | Issue clause-mapped reports with explicit pass/fail rationale. |
| Verifiers and relying parties | Produce deterministic acceptance or rejection decisions. | Public DID-linked verification material and holder-provided proof artifacts. | Check proof validity, revocation, key-history cutoffs, and countersignature order where applicable. | Deploy policy overlays without replacing baseline cryptographic checks. |
This specification defines only GQES-specific terms. Terms such as governance area, PID, DID Controller, wallet, and trust-network host behavior are imported from sibling specifications and are not redeclared here: [GDIS-CORE], [GQSCD-CORE], [GQTS-CORE], and [GQTW-CORE].
ReSpec prose in this specification defines interface invariants and processing behavior. It does not restate wire-format field contracts.
During the provisional phase this repository does not define GQES-specific protocol endpoints. If a future revision adds protocol endpoints, normative wire contracts MUST be defined in openapi.yaml, while this specification remains authoritative for invariants, processing behavior, and conformance outcomes.
Cross-Spec Boundary Layer
GQES Core defines seal/signature semantics, proof/privacy invariants, and verifier behavior. It relies on other GIDAS specifications for component-specific mechanics.
This section defines the GQES object of standardization: qualified signatures and qualified seals are both VC-packaged proof artifacts with DID-linked public verification material.
Hard invariant split: verification material is public; proof artifact is private and controlled by the liable/relying party.
| Artifact Type | Custody | Publication Requirement | Verifier Use |
|---|---|---|---|
| Verification material | Public | MUST be published as public DID-linked history and status material under the declared profile. | Resolve keys, history continuity, revocation status, and key validity interval. |
| Proof artifact (VC) | Wallet/private | MUST remain private by default; disclosure is holder-mediated. | Validate proof, issuer/subject linkage, and presentation semantics. |
| Private attributes and witnesses | Wallet/private | MUST NOT be required by hosts for verification material publication. | Used only when holder discloses under policy and consent. |
A governance-recognized PID issuer listed on the EU Trusted List extracts identity data from a physical identity item via MRZ and NFC and binds it to a user-controlled widely available (phone, tablet, laptop, pc, etc.) Qualified Signature Creation Device. This initial binding is structured as a Verifiable Credential whose subject is a DID representing that device-controlled digital identity. The issuer (physical identity item) applies a Qualified Electronic Seal, establishing the legal trust anchor for the identity binding and certifying that the PID evidence corresponds to the DID’s verification methods.
The DID becomes the public resolution handle for that identity. Its DID Document publishes verification material and service endpoints and is hosted across multiple HTTP origins participating in a tamper-evident replicated network operated by qualified trust services. These hosts maintain append-only directed linear graph histories and cross-check signatures so inconsistencies are detectable and state converges without reliance on a single operator.
The user interacts through a wallet implemented via navigator.credentials and WebAuthn. The QSCD-backed keys can produce Qualified Electronic Signatures and Qualified Electronic Attestations of Attributes directly from the device. The wallet can also store externally issued Qualified Electronic Seals and present them, optionally countersigned with a qualified signature, which itself constitutes a qualified attestation presentation. Private attributes remain local unless selectively disclosed.
All signed or sealed artifacts reference the DID for verification, while status, revocation, and key-history data are published on the replicated trust network. If the user revokes or terminates the PID binding to the DID—such as by issuing a signed revocation event with a defined timestamp—claims asserted after that point must be treated as invalid. This preserves user agency while maintaining verifiable historical integrity.
In effect, governance provides legally recognized issuers, certified devices enforce sole control of keys, and web standards supply global resolution and interoperability. That alignment forms the operational model known as GIDAS.
VerifyGQES(vc, now, policy) with deterministic output
semantics.
vc is a VC object and that required proof
fields are present. If this fails, return
invalid with reason
ERR_NOT_VC or
ERR_PROOF_MISSING.
| Requirement Unit | Primary Artifact | Producer | Primary Checker | Conformance Class Binding |
|---|---|---|---|---|
| REQ-GQES-01 Proof artifact format | VC proof artifact | Issuer/Sealer, Wallet | Verifier | Issuer/Sealer, Wallet, Verifier |
| REQ-GQES-02 DID binding and DID profile selection | DID references and DID history | Issuer/Sealer, Wallet | Verifier | Issuer/Sealer, Wallet, Verifier |
| REQ-GQES-03 Verification material publicness | Public DID-linked verification material | Issuer/Sealer, Publication operator | Verifier | Issuer/Sealer, Verifier |
| REQ-GQES-04 Proof privacy and custody | Wallet-private proof store and disclosure policy | Wallet | Verifier, Auditor | Wallet |
| REQ-GQES-05 Revocation and key-history cutoffs | Status/revocation and key-lineage evidence | Publication operator | Verifier | Issuer/Sealer, Verifier, Relying Party |
| REQ-GQES-06 Countersigning and presentation order | Presentation envelope and countersignature | Wallet | Verifier | Wallet, Verifier, Relying Party |
| REQ-GQES-07 Deterministic algorithm inputs | Canonicalization profile and input tuple transcript | Issuer/Sealer, Wallet | Verifier | Issuer/Sealer, Wallet, Verifier |
| REQ-GQES-08 VerifyGQES procedure | Verifier transcript and decision output | Verifier | Auditor, Relying Party | Verifier |
| REQ-GQES-09 Verification output contract | Machine-readable decision object | Verifier | Relying Party, Auditor | Verifier, Relying Party |
| Class | Required Requirements |
|---|---|
| GQES Issuer/Sealer | REQ-GQES-01, REQ-GQES-02, REQ-GQES-03, REQ-GQES-05, REQ-GQES-07 |
| GQES Wallet | REQ-GQES-01, REQ-GQES-02, REQ-GQES-04, REQ-GQES-06, REQ-GQES-07 |
| GQES Verifier | REQ-GQES-02, REQ-GQES-03, REQ-GQES-05, REQ-GQES-06, REQ-GQES-07, REQ-GQES-08, REQ-GQES-09 |
| GQES Relying Party | REQ-GQES-05, REQ-GQES-06, REQ-GQES-09 |
A conformance claim MUST be accompanied by a machine-readable conformance report.
| Report Field | Requirement |
|---|---|
| Implementation identifier and version | MUST be declared. |
| Conformance class set | MUST list all claimed classes. |
| Requirement coverage | MUST list satisfied and excluded REQ-GQES-xx identifiers. |
| Cross-spec dependency declaration | MUST identify applicable GDIS/GQSCD/GQTS/GQTW dependency versions. |
| Cryptographic suite declaration | MUST declare canonicalization and verification suites. |
| Test evidence | MUST include pass/fail results and artifact samples. |
| Negative-case coverage | MUST include invalid and indeterminate decision vectors. |
| Policy input evidence | MUST list registry/trusted-list/status inputs used for recognition determination. |
Reports SHOULD include machine-readable fields so independent tooling can compare behavior across implementations.
This section maps GQES requirements to formal source families and sibling GIDAS specifications. It is informative and does not create new requirements.
| GQES Concern | Requirement IDs | Formal Source Family | Sibling Spec Boundary |
|---|---|---|---|
| VC proof container and integrity model | REQ-GQES-01, REQ-GQES-07 | W3C VC Data Model / Data Integrity [VC-DM2] [VC-DATA-INTEGRITY] | GQES defines semantics; wire profile remains external. |
| Natural-person QES linkage to PID and QSCD evidence | REQ-GQES-01, REQ-GQES-05, REQ-GQES-08 | eIDAS legal baseline + ETSI trust-service baseline [EU-910/2014] [ETSI-319401] | PID issuance/binding in GDIS; QSCD controls in GQSCD. |
| Organization/government seal authorization/delegation | REQ-GQES-01, REQ-GQES-08 | eIDAS legal baseline + trusted-list governance inputs [EU-910/2014] [EU-TRUSTED-LISTS] | Delegation and issuer-chain evidence in GDIS mappings. |
| Public verification material and status publication | REQ-GQES-02, REQ-GQES-03, REQ-GQES-05 | Web/DID resolution profiles and EBSI compatibility mappings [DID-CORE] [EBSI-VC-VP] | Replication and host behavior in GQTS. |
| Wallet custody and countersigned presentation behavior | REQ-GQES-04, REQ-GQES-06 | Wallet and presentation profile constraints [EBSI-VC-VP] | Wallet private history and portability in GQTW. |
Implementations MUST assume hostile client/network environments unless security boundaries are cryptographically enforced.
Verifier behavior MUST follow a zero-trust verification model: each acceptance decision MUST be based on explicit, cryptographically checkable artifacts and declared policy inputs.
At minimum, conforming designs MUST model compromised hosts, compromised wallet UI pathways, replay attempts, revocation/key-history downgrade attempts, and countersignature confusion attacks.
| Threat | Required Control | Evidence Type |
|---|---|---|
| Compromised or malicious host | Cross-origin/profile-conformant DID history verification and proof validation before acceptance. | DID history transcript and proof-verification trace. |
| Compromised wallet UI or coercive UX | GQSCD-linked user-intent ceremony checks and explicit presentation binding validation. | Invocation evidence and countersignature-binding transcript. |
| Replay of proof artifacts | Nonce/audience/freshness verification for presentations. | Verifier challenge log and response-binding evidence. |
| Revocation/key-history downgrade | Mandatory revocation and key-lineage checks at asserted timestamp and evaluation instant. | Status snapshot, cutoff event, and key authorization path. |
| Countersignature misuse | Enforce verification order: base seal/signature validity first, countersignature second. | Ordered verifier transcript with step-level verdicts. |
Relying parties MUST check revocation and key-history cutoffs and MUST treat missing required status inputs as indeterminate.
"Approved software lists" or governance labels alone MUST NOT be treated as technical guarantees without cryptographic enforcement.
This draft defines no new IANA registries.