Identity Assurance; eIDAS Recital 3
Combined Session
Friday, June 07, 2024 11:30—12:30
Location: C 01
Friday, June 07, 2024 11:30—12:30
Location: C 01
In this session, I will delve into the application of Verifiable Credentials to elevate user identity assurance levels. By leveraging Verifiable Credentials for attribute assurance, we establish a foundation that enhances user confidence and trust. Through a detailed exploration of real-world use cases, we will illustrate how this approach not only safeguards user identities but also fosters a secure and reliable environment for system utilization. I unravel the key principles and practical implementations that contribute to a heightened sense of security, ensuring a robust and trustworthy user experience.
In the next three years, the twenty seven states of the European Union (EU) will have to finalize the implementing acts for the eIDAS2 regulation and issue digital identity wallets to their citizens. Although the Architecture Reference Framework (ARF) defined by the EU expert group has clearly identified mandatory standards for several parts of the wallet, such as the credentials formats, or the verification or presentation protocols, it has not mandated standards on how to secure of the wallet credentials, sensitive data and key materials.
The ARF has identified use cases requiring a high level of assurance (LoA) in terms of security, such as the provisioning of the Personal Identification Data (PID) or the use of qualified signature, as well as possible means to ensure this high LoA: with secure elements embedded into the mobile device, with external electronic identity documents accessed by communication channels such as Near Field Communication (NFC), or with the use of remote Hardware Security Modules.
Today, the vast majority of mobile devices are embedding secure elements and trusted execution environments that already provide certified high level of security for several use cases such as secure connectivity, payment, ticketing, or digital keys. These secure elements are deployed on billions of mobile devices, and are based on recognized standards such GlobalPlatform Secure Element or Trusted Execution Environment specifications.
This presentation will give an overview of the different security standards and technologies available in mobile devices, and how they can be applied for securing digital identity wallets. Besides the secure storage and secure execution environment aspects, this presentation will also address secure provisioning of wallet applications, credentials and sensitive data, as well as their security certification. It will bridge the gap between the high level requirements of security and the possible deployment scenarios that will enable digital identity wallet to enjoy the same level of security as existing proven and largely deployed solutions.
Online manipulation is mentioned in several EU Regulations as one of the cyber threats that need to be countered. Recital 3 in the eIDAS 2.0 regulation also mentions manipulation as a threat that the European Digital Identity Wallet and other subjects covered in eIDAS are to address. This talk will detail from a normative perspective what manipulation is and how online manipulation has specific traits. From that perspective the way the EUDIW is discussed and how it can aggravate or reduce manipulative capabilities in the online realm.
This talk draws from research that is conducted at Delft University by Henk Marsman on the topic of digital wallets, national identity and online manipulation, for which a paper is forthcoming in 2024.
