Wednesday, June 05, 2024 15:30—16:30
The concept of building trust relationships is an integral part of a decentralized ecosystem. A verifier must trust the identities of issuers to ensure the authenticity and integrity of data, and a wallet must trust the identities of verifiers to ensure data is only sent to identified and authorized parties. The other important trust relationship concerns the identity of the wallet: it assures both issuer and verifier that they are communicating with a genuine, verified and unaltered wallet. Especially in the environment of eIDAS 2.0, this trust becomes all the more important, as highly sensitive and regulated use cases require a secure environment in the wallet. Among other things, device binding, user binding and wallet authenticity must be proven and issued in a wallet attestation in a technology-neutral and interoperable manner. In this presentation, the general concept of wallet attestations is explained, followed by the current state of discussions in the eIDAS process and the Architecture Reference Document (ARF). Furthermore, I explain the technical realization using the IETF Draft Attestation-Based Client Authentication and how it integrates into the omnipresent OpenID4VCI protocol.
In the digital era, the security and privacy of personal and sensitive information have become a critical concern. Digital identity wallets have been introduced as a result of the new European regulation known as eIDAS 2.0. The digital identity wallet offers a practical and secure method for individuals to manage their personal data across various online platforms through a decentralized digital identity management model, without the reliance on centralized identity providers. However, since the model is relatively new, the security and privacy threats are still not fully known; this makes it difficult to prevent data breaches, unauthorized access, and violations of user privacy.
This session will delve into the emerging threats by providing a high-level overview of potential threats applicable to the digital identity wallet, derived from academic literature, technical specifications, and relevant regulations (including eIDAS 2.0). Furthermore, it will include an analysis of existing digital identity wallet solutions, and an assessment of adopted security measures against identified threats. This analysis aims to provide an overview of available and effective mitigation strategies against a set of identified threats.
eIDAS version 2 introduces a new trust service that will significantly impact the identity landscape: the provisioning of attestations of attributes. Having attributes issued by a qualified trust provider will greatly enhance the reliability and availability of attributes required for business decisions. Businesses generate data about themselves and other natural and legal persons, and they are the authentic source of the attributes they generate. Hypervault (https://hypervault.com/) and Trust Agency (https://www.trust-agency.eu/) are collaborating on a study to explore the use of attributes generated in business entities, the impact on business processes, and the requirements for issuing, distributing, and validating trustworthy attributes. This presentation will disseminate some of the outcomes of that study, including what businesses need to do to tap into the potential of these authentic business attributes. We will also discuss how eIDAS 2 can help exploit the potential of these attributes to improve automation, strengthen security, and even open up new business processes that were previously impossible.