Recent European efforts around digital identity -- the EUDI regulation and its OpenID architecture -- aim high: to provide an EU-wide authentication framework. However, its current technical and legislative architectures are based on a limited conceptualization of identity. None of the legal and technical texts involved explicitly defines this central term, and their implicit model of the concept does not go beyond a digitalization of identity cards and similar documents. Drawing on several other standards, we therefore propose a deeper, explicit definition. Grounded in this definition, we identify several issues in the design of OpenID4VCI and OpenID4VP, and show that neither the functional requirements nor the non-functional advantages claimed by OpenID's new trust model surpass those of equivalent existing solutions. The EUDI legislation itself also cannot deliver on its promise of self-sovereign identity. In particular, we criticize the introduction of institutionalized trusted lists and discuss their economic and political risks. Their potential to decline into an exclusionary, recentralized ecosystem endangers the vision of user-oriented identity management in which individuals are in charge. In anticipation of revisions to the EUDI regulations, we suggest several technical alternatives for the OpenID architecture, as well as paths for future research, addressing the heterogeneity of attestations and providers.