Skip to main content

EAA ConformanceETSI TS 119 472-1 (v1.2.1) clause 5.2.4.1

EAA-5.2.4.1-03:issuing_authority must not coexist with the qualified certificate

  • shall
  • Ordinary EAA
  • QEAA
  • PuB-EAA
  • SD-JWT VC
  • Issuer
  • Verifier

Spec text

A SD-JWT VC EAA shall not incorporate the issuing_authority claim if it incorporates the qualified certificate supporting the EAA signature.

ETSI TS 119 472-1 (v1.2.1), clause 5.2.4.1, page 28.

In plain English

If the EAA's signature already carries the qualified certificate of the issuer in the x5c header parameter, the issuing_authority claim must be omitted from the payload. The certificate is the authoritative identity; the claim would only duplicate, and could contradict, what is already cryptographically proven.

Why it matters

Two sources of truth for the same fact create a verification ambiguity: which one wins if they disagree? The spec resolves this at issuance time by making the two mutually exclusive, so verifiers always have a single canonical source for issuer identity.

Common mistakes

  • Including both issuing_authority and a full qualified-cert chain in x5c.
  • Treating the two signals as interchangeable belt-and-braces rather than mutually exclusive.
  • Reverting to issuing_authority during a cert rollover without removing the duplicate.

Conformance check

Auto-tested. Use the action in the sidebar to run a Self-Assessment for this control.

Last reviewed against ETSI TS 119 472-1 v1.2.1 on 2026-05-01.

iGrant.io’s EAA Issuer SDK handles this control out of the box. Talk to our team about closing your conformance gaps.

Chat on WhatsAppEmail support