Federal Office for Information Security (BSI)

eID infrastructure

Online authentication with the German eID is based on a direct mutual authentication between the relying party and the user. One advantage of this setting is that it avoids the risk of a central security hotspot and/or tracking entity.

The notion eID infrastructure denotes the infrastructure to enable the secure electronic identification of the holder of the German eID towards a service provider over the internet. It consists of the following components:

eID-Infrastruktur – Kommunikations-Beziehungen im Kontext des Prozesses der Online-Authentifizierung eID-Infrastruktur – Kommunikations-Beziehungen im Kontext des Prozesses der Online-Authentifizierung

User environment

The environment of the user consists of a computer (e.g. desktop PC, notebook, tablet, cell phone,...), eID Client software and a card reader. The local eID Client software manages the online authentication process on the client side and serves as the link between the German eID, the user and the service provider (certified eID Clients). One certified implementation – the AusweisApp2– is provided by the German Federal Government.

Furthermore, the user uses a card reader for the physical communication with the eID card. Different types of readers ensure a flexible integration into different user environments. Examples are

Eine Person hält ein Smartphone und einen Personalausweis in der Hand, um sich elektronisch auszuweisen. Mit dem neuen Personalausweis können sich Bürgerinnen und Bürger über einen eID-Client, wie z.B. der AusweisApp2 des Bundes online ausweisen. Source: Bundesamt für Sicherheit in der Informationstechnik

Service provider

A service provider wishing to integrate online authentication with the German eID into their IT systems has to deploy an eID Server. The eID server communicates with the application of the service provider, the eID Client software of the user and the background system (How to Become a Service Provider).

Background system

The Background system consists of a Document PKI, Authorisation PKI and a revocation system in order to impede illegitimate use of lost or stolen eIDs (revocation of the lost of stolen eIDs).

Working group DIF eID

The DIF AG eID-Infrastructure (short: DIF eID) is a working group for discussing organisational matters with the goal of a coordinated development of the eID infrastructure.

The working group acts as a communication and information platform and initiates cross-organizational technical workshops where required. Under moderation of the German Federal Office for Information Security (BSI) the members of the working group meet on a regular basis to discuss and evaluate cross-component changes among all participating parties.

The participant of the DIF eID manufacturers and operators of components within the eID infrastructure, service providers, certificate suppliers as well as other involved authorities.


Questions or feedback concerning the eID-Infrastructure and the DIF working group
E-Mail: eid@bsi.bund.de