italia · peppelinux · Aug 6, 2024 · Aug 5, 2024 · Aug 6, 2024 · Aug 6, 2024
diff --git a/docs/common/common_definitions.rst b/docs/common/common_definitions.rst
@@ -64,4 +64,6 @@
 .. _Key Attestation: https://developer.android.com/privacy-and-security/security-key-attestation#attestation-v4
 .. _Device Check: https://developer.apple.com/documentation/devicecheck
 .. _attestKey: https://developer.apple.com/documentation/devicecheck/dcappattestservice/attestkey:clientdatahash:completionhandler
+.. _MODI: https://www.agid.gov.it/sites/agid/files/2024-05/linee_guida_interoperabilit_tecnica_pa.pdf
+.. _PDND: https://www.agid.gov.it/sites/agid/files/2024-06/Linee_guida_infrastruttura_interoperabilita_pdnd.pdf
 .. _W3C-SRI: https://www.w3.org/TR/SRI/
diff --git a/docs/common/standards.rst b/docs/common/standards.rst
@@ -75,5 +75,11 @@ Technical References
       - Fett, D., Yasuda, K., Campbell, B., "Selective Disclosure for JWTs (SD-JWT)".
     * - `OAUTH-ATTESTATION-CLIENT-AUTH`_
       - Looker, T., Bastian, P., "OAuth 2.0 Attestation-Based Client Authentication".
+    * - USASCII
+      - American National Standards Institute, "Coded Character Set -- 7-bit American Standard Code for Information Interchange", 1986.
+    * - `MODI`_
+      - "Linee Guida sull'interoperabilità tecnica delle Pubbliche Amministrazioni", November 2023, Version 1.2.
+    * - `PDND`_
+      - "Linee Guida sull'infrastruttura tecnologica della Piattaforma Digitale Nazionale Dati per l'interoperabilità dei sistemi informativi e delle basi di dati", December 2021, Version 1.0.
     * - `W3C-SRI`_
       - Akhawe, D., Braun, F., Marier, F., and J. Weinberger, "Subresource Integrity", 23 June 2016.
diff --git a/docs/en/authentic-sources.rst b/docs/en/authentic-sources.rst
@@ -0,0 +1,40 @@
+.. include:: ../common/common_definitions.rst
+
+
+Authentic Sources
++++++++++++++++++++
+
+Authentic Sources are responsible for the authenticity of the User's attributes provided as Digital Credentials by the PID/(Q)EAA Provider. During the Issuance Flow, PID/(Q)EAA Providers, after authenticating the User, request from Authentic Sources the attributes required to provide the requested Credential. If PID/(Q)EAA Providers and Authentic Sources are both allowed to use PDND, the communication between them is accomplished in compliance with [`MODI`_] and [`PDND`_] and according to the rules defined within this specification. In particular, 
+
+    - The Authentic Source MUST provide an e-service registered within the PDND catalogue which the PID/(Q)EAA Provider, as the recipient, MUST use to request the User's attributes.
+    - In case of unavailability of the User's attributes, the Authentic Source MUST provide a response to the PID/(Q)EAA Provider with an estimation time when a new request can be sent. 
+    - The PID/(Q)EAA Provider MUST provide to the Authentic Source an evidence that:
+
+        - the request for Users attributes is related to data about themselves;
+        - the request for User attributes comes from a valid Wallet Instance. 
+
+    - The PID/(Q)EAA Provider MUST make available to the Authentic Source an e-service for notifications on attributes availability and validity status (revocation or updates). The Authentic Source MUST use this e-service to notify to the PID/(Q)EAA Provider the notifications on the availability of the User's attributes as well as those relating to the attributes updates. 
+    - The protocol flow MUST ensure integrity, authenticity, and non-repudiation of the exchanged data between the Authentic Source and the PID/(Q)EAA Provider. 
+    - The e-services MUST be implemented in REST. SOAP protocol MUST NOT be used.
+
+
+
+Security Patterns
+----------------------
+
+The following security patterns and profiles are applicable: 
+
+    - **[REST_JWS_2021_POP]** JWS POP Voucher Issuing Profile (*Annex 3 - Standards and technical details used for Voucher Authorization* [`PDND`_]): REQUIRED. It adds a proof of possession on the Voucher. The client using the Voucher to access an e-service MUST demonstrate the proof of possession of the private key whose public is attested on the Voucher.  
+
+    - **[ID_AUTH_REST_02]** Client Authentication with X.509 certificate with uniqueness of the token/message (*Annex 2 - Security Pattern* [`MODI`_]): REQUIRED. It guarantees trust between the Authentic Source and the PID/(Q)EAA Provider and provides a mitigation against replay attacks.
+
+    - **[INTEGRITY_REST_01]** REST message payload integrity (*Annex 2 - Security Pattern* [`MODI`_]): REQUIRED. It adds message payload integrity of the HTTP POST request.  
+
+    - **[AUDIT_REST_02]** submission of audit data within the request (*Annex 2 - Security Pattern* [`MODI`_]): OPTIONAL. The Authentic Source MAY request an evidence about the User Authentication related to the User's attributes requested by the PID/(Q)EAA Provider and/or a proof that the Wallet Instance is valid. In this case this pattern MUST be used.
+
+    - **[PROFILE_NON_REPUDIATION_01]** Profile for non-repudiation of transmission (*Annex 3 - Interoperability Profile* [`MODI`_]): REQUIRED. This profile uses the following security patterns:
+
+        - **ID_AUTH_CHANNEL_01** or **ID_AUTH_CHANNEL_02**
+        - **ID_AUTH_REST_02**
+        - **INTEGRITY_REST_01**
+
diff --git a/docs/en/index.rst b/docs/en/index.rst
@@ -42,6 +42,7 @@ Index of content
    pid-eaa-data-model.rst
    pid-eaa-issuance.rst
    pid-eaa-entity-configuration.rst
+   authentic-sources.rst
    relying-party-solution.rst
    relying-party-entity-configuration.rst
    revocation-lists.rst

diff --git a/docs/en/pid-eaa-entity-configuration.rst b/docs/en/pid-eaa-entity-configuration.rst
@@ -87,6 +87,10 @@ The *openid_credential_issuer* metadata MUST contain the following claims.
     - URL of the revocation endpoint. See :rfc:`8414#section-2`.
   * - **status_attestation_endpoint**
     - It MUST be an HTTPs URL indicating the endpoint where the Wallet Instances can request Status Attestations. See Section :ref:`Credential Lifecycle` for more details.
+  * - **notification_endpoint**
+    - It MUST be an HTTPs URL indicating the notification endpoint. See Section 11.2.3 of [`OpenID4VCI`_].
+  * - **authorization_servers**
+    - OPTIONAL. Array of strings, where each string is an identifier of the OAuth 2.0 Authorization Server (as defined in [:rfc:`8414`]) the PID/(Q)EAA Provider relies on for authorization. If this parameter is omitted, the entity providing the PID/(Q)EAA Provider is also acting as the Authorization Server.
   * - **display**
     - See `OpenID4VCI`_ Section 11.2.3. Array of objects containing display language properties. The parameters that MUST be included are: