Citizen-centric public services in the Western Balkans:
Webinar 2 - Digital identity and trust services, 31 May 2022.
Presentation by Evgenia Nikolouzou, European Union Agency for Cyber Security (ENISA).
1. Dr. Evgenia Nikolouzou
ENISA, Policy Implementation and Development unit
DIGITAL IDENTITY: LEVERAGING THE SELF-SOVEREIGN IDENTITY (SSI) CONCEPT TO BUILD TRUST
31 05 2022
CSA: Support the development and implementation of Union policy in the field of electronic identity and trust services
2. ENISA eIDAS: AGENDA
eIDAS : Overview of ENISA Activities
Digital Wallets Process in a Nutshell
Report: Digital Identity, SSI
Conclusions
ENISA: Digital Identities and Remote Identity Proofing
3. POLICY CONTEXT FOR ENISA
eIDAS Regulation 910/2014, Trust Services, Article 19
• Support MS with supervision and security measures
• Support MS with incident reporting, and cross-border notifications
• Annual reports on Trust Services incidents
• CIRAS Incident Reporting and Analysis System
• Future role for ENISA in the eID Cooperation Network
ENISA mandate - CSA Article 5
Support the development and implementation of Union policy in the field of electronic identity and trust
services, in particular by providing advice and issuing technical guidelines, as well as by facilitating the
exchange of best practices between competent authorities
NIS2 proposal - brings trust services under NISD
ENISA supports the NIS Cooperation group
eIDAS2 package
- Proposal for eIDAS2 - COM (2021) 281 final
- Commission Recommendation on Toolbox for eID wallets
ENISA supports the EC toolbox work - technical security measures
4. OVERVIEW OF ENISA ACTIVITIES
Leading role for:
• ENISA Article 19 EG
• CIRAS Tool - Incident reporting
• ENISA Trust Services Forum (annual conference since 2015 - Berlin, September)
Advisory role for:
• FESA
• Commission eIDAS expert group
• eID Cooperation Network
Find more under: Trust Services - ENISA (europa.eu), Building Trust in the Digital Era: ENISA boosts the uptake of the eIDAS regulation - ENISA (europa.eu)
Support MS with Trust Services
- 12 reports to support TSPs and SBs
- 5 reports to support relying parties
- Cyber incident reporting tool, CIRAS
- Secretariat of ENISA Article 19 group
- Hosting of 19 meetings of ENISA Article 19 group since 2015
Support MS with Digital Identity
- 4 reports on eID, e.g. SSI
- Occasional invitation to the eID CN
Timeline:
- 2014: eIDAS regulation
- 2015: ENISA Art19 group
- 2016: ENISA incident tool for trust services (CIRAS)
- 2021: Supporting EC/MS with digital wallets
Recent example (of ENISA bridging between authorities, market players, and standards bodies)
- 2020 Security of remote identity proofing (especially relevant in a pandemic)
- 2021 Attack scenarios, countermeasures and workshop on remote identity proofing
5. PEEK INTO EU DIGITAL WALLET PROCESS
- September: Agreement on Process
- December: Agreement on Technical Outline
- June 2022: Technical Architecture - Standards - guidelines
- September 2022: Agreement on ToolBox
- October 2022: Publication of ToolBox
Note: Aggressive timeline - ENISA supports the MSs and the Commission
eIDAS2
6. REPORT OVERVIEW
Digital Identity: Leveraging the Self-Sovereign Identity Concept to Build Trust
Introduction to SSI
EU & Global SSI Landscape
Architecture Elements of SSI
Governance
Consideration of Risks
Conclusions
7. SSI IN A NUTSHELL
• Aimed at digital IDs across global open networks
• Current technology is for federated identities for separate communities, with several hierarchies cooperating to share trusted digital IDs
• SSI allows a user to have greater control of his or her own identity
  o Users can request multiple decentralised identifiers (DIDs) from different identity controllers
• Identity can be related to different attributes issued by different authorities for different activities
  o Verifiable credentials (VCs) bind the user-centred identity to formal or informal names
  o VCs can also carry other user attributes (e.g., age or qualification) used to control access to services
8. STANDARDS
W3C Specifications
Decentralised Identity Foundation (DIF)
ISO TC 307 & CEN/CLC JTC 19
ISO/IEC 23220 & 18013-5
9. COMMUNITIES
Sovrin
Hyperledger
ESSIF
LACChain
10. EIDAS 2.0 (COM/2021/281 FINAL)
• Harmonised conditions for the establishment of a framework for European Digital Identity Wallets to be issued by Member States
• Union citizens and other residents will be able to share data related to their identity securely, in a user-friendly and convenient way, under the sole control of the user
• European Digital Identity Wallets should allow users to electronically identify and authenticate online and offline across borders for accessing public and private services
• Member States should issue Wallets relying on common standards to ensure seamless interoperability and a high level of security
• The conformity of Wallets with those requirements should be certified by accredited public or private sector bodies designated by Member States
• European Digital Identity Wallets should ensure the highest level of security for the personal data used for authentication, irrespective of whether such data is stored locally or on cloud-based solutions, taking into account the different levels of risk
12. GERMANY
ID Union SSI project framework (source: Lissi)
13. SPAIN
Alastria's ID Model - Based on the 10 key principles of SSI (Security, Controllability, Portability)
14. POLAND
Credentials presented by mObywatel - (left to right) ID card, driving license, COVID certificate, ePrescription
16. MEMBER STATE SURVEY (RESULTS)
Security
• SSI has the benefit of having no single point of failure
• Increasing demand on the user associated with user control is worrying
• "Privacy by demand", with features such as sector-specific identifiers, is crucial
  o Hard to achieve in typical SSI (DLT/DID-based) systems, especially when these unique and persistent identifiers are created sector-, service- or MS-specific in the very moment they are requested
• Important: freshness of attributes (e.g., representation, mandates, professional capacity, custody of minors, etc.) needs to be maintained
  o This can only be achieved with online/cloud-based wallets
18. ARCHITECTURE ELEMENTS
VC Issuer
• Confirms wallet holder identity
• Credential proofing
• Issues verifiable credentials
• Revokes verifiable credentials
DID Controller
• Ensures uniqueness of ID
• Confirms wallet control
• Issues secure DID document
Wallet Holder
• Obtains wallet from provider
• Authenticates to the wallet
• Collects new verifiable data
• Authenticates ID to relying party
Wallet Provider
• Provides certified wallet software / hardware
• May be cloud-based
Relying Party (verifier)
• Validates presented credentials
• Authenticates holder
Interactions shown in the diagram (centred on the WALLET):
• VC Issuer to Wallet: verifiable credential
• DID Controller and Wallet: wallet control proof
• Wallet to Relying Party: ID authentication and presentation of credentials
• Trusted DID/VC Registry: holds information on issuance and revocation of verifiable data; the information used to validate verifiable data is retrieved from it
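The roles and flows in the diagram above (VC issuer, DID controller, wallet holder, relying party and the trusted DID/VC registry), worked through as an added Go example; it is not part of the presentation or of any ENISA deliverable. It assumes a toy did:example scheme in which a DID simply names an Ed25519 verification key, an in-memory Registry standing in for the trusted DID/VC registry, and JSON credentials signed over their canonical encoding; the names Registry, NewActor, Issue, Present and Verify are the example's own. It also exercises the holder-binding and integrity properties listed later under "Accuracy and quality": the relying party checks the issuer's signature, the registry's revocation status, and that the presenter controls the subject DID by signing a fresh nonce (the "wallet control proof").

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
)

// DID is a decentralised identifier. The example assumes a toy "did:example:<hex public key>"
// scheme, so a DID document holds nothing beyond the verification key the DID names.
type DID string

// Registry stands in for the trusted DID/VC registry in the diagram: it resolves a DID to
// the key in its DID document and records which credentials the issuer has revoked.
type Registry struct {
	docs    map[DID]ed25519.PublicKey
	revoked map[string]bool // credential ID -> revoked
}

func NewRegistry() *Registry {
	return &Registry{docs: map[DID]ed25519.PublicKey{}, revoked: map[string]bool{}}
}
func (r *Registry) Resolve(d DID) (ed25519.PublicKey, bool) { k, ok := r.docs[d]; return k, ok }
func (r *Registry) Revoke(credID string)                    { r.revoked[credID] = true }

// NewActor generates a wallet key pair and registers its DID document, the DID controller's
// task of assigning a unique DID to a key the wallet controls. Used for issuers and holders.
func (r *Registry) NewActor() (DID, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	d := DID(fmt.Sprintf("did:example:%x", pub))
	r.docs[d] = pub
	return d, priv
}

// Credential is a minimal verifiable credential: the issuer signs the canonical JSON of every
// field except Sig, which binds the claims to the subject (holder) DID.
type Credential struct {
	ID      string            `json:"id"`
	Issuer  DID               `json:"issuer"`
	Subject DID               `json:"subject"`
	Claims  map[string]string `json:"claims"`
	Sig     []byte            `json:"sig,omitempty"`
}

func (c Credential) payload() []byte {
	c.Sig = nil             // value receiver: the caller's credential keeps its signature
	b, _ := json.Marshal(c) // encoding/json sorts map keys, so the bytes are canonical
	return b
}

// Issue is the VC issuer's step: bind claims to the holder's DID and sign them.
func Issue(issuerPriv ed25519.PrivateKey, issuer, subject DID, id string, claims map[string]string) Credential {
	c := Credential{ID: id, Issuer: issuer, Subject: subject, Claims: claims}
	c.Sig = ed25519.Sign(issuerPriv, c.payload())
	return c
}

// Presentation: the credential plus a wallet control proof, the verifier's fresh nonce signed
// with the key behind the subject DID.
type Presentation struct {
	Cred         Credential
	Nonce, Proof []byte
}

func Present(holderPriv ed25519.PrivateKey, c Credential, nonce []byte) Presentation {
	return Presentation{Cred: c, Nonce: nonce, Proof: ed25519.Sign(holderPriv, nonce)}
}

// Verify is the relying party's check: nonce (replay), issuer signature, revocation, holder control.
func Verify(reg *Registry, p Presentation, expectedNonce []byte) error {
	if string(p.Nonce) != string(expectedNonce) {
		return errors.New("nonce mismatch: presentation is stale or replayed")
	}
	issuerKey, ok := reg.Resolve(p.Cred.Issuer)
	if !ok || !ed25519.Verify(issuerKey, p.Cred.payload(), p.Cred.Sig) {
		return errors.New("issuer unknown or signature invalid: credential altered or forged")
	}
	if reg.revoked[p.Cred.ID] {
		return errors.New("credential revoked by issuer")
	}
	holderKey, ok := reg.Resolve(p.Cred.Subject)
	if !ok || !ed25519.Verify(holderKey, p.Nonce, p.Proof) {
		return errors.New("presenter does not control the subject DID")
	}
	return nil
}

func main() {
	reg := NewRegistry()
	issuer, issuerPriv := reg.NewActor()
	holder, holderPriv := reg.NewActor()
	cred := Issue(issuerPriv, issuer, holder, "cred-0001", map[string]string{"age_over_18": "true"}) // constructed claim
	nonce := []byte("constructed-nonce-from-verifier") // a real verifier draws this from crypto/rand
	fmt.Println("valid presentation:", Verify(reg, Present(holderPriv, cred, nonce), nonce))
	reg.Revoke(cred.ID)
	fmt.Println("after revocation:", Verify(reg, Present(holderPriv, cred, nonce), nonce))
}
```

Run with `go run`: the first presentation verifies and the second fails once the issuer has revoked the credential in the registry. The nonce is what stops a captured presentation from being replayed, and the holder's signature over it is the wallet control proof; the eavesdropping point on the "Accuracy and quality" slide is addressed in practice by carrying this exchange inside an authenticated channel, not by the proof alone.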
20. GOVERNANCE
Governance of SSI-based schemes is still under development
Most experience comes from Sovrin, which takes an approach similar to that applied by many PKI services, including eIDAS Trust Services:
• There is a governing body that oversees the operation of the SSI service providers and sets the rules for assuring the operation of the SSI service providers
• Conformity assessment of the provider by an independent assessor against the assurance rules set by the governing body
• A means for relying parties to assess whether providers are considered trustworthy by the governing body
ISO and CEN are in the early stages of developing standards for managing trust based around SSI, with working drafts looking at trust anchors
21. GOVERNANCE
Governance of wallets
• User has control over the use of their wallet
  o They can decide whether to use any particular wallet, as well as select a particular DID or VC within a wallet, to authenticate their identity to a relying party
• Security of SSI depends on the security of the wallet software and environment
  o In particular, that the keys and verifiable data are under the sole control of the holder and cannot be leaked to other parties
• Security of the wallet will need to be certified against specific criteria to give assurance for the security of wallets
22. GOVERNANCE
Interdependence
Governance of the different elements of an SSI architecture cannot be considered in isolation
• The VC issuer depends on the DID, as issued by the DID controller, being uniquely assigned to the entity identified by the DID controller, and on the authentication means bound to the DID document being under the sole control of the holder
• The DID controller needs to be assured that the authentication means is held securely in a certified wallet
• Both the DID controller and the VC issuer depend on the registry to provide relying parties with the latest state of the DID document and VC
24. CONSIDERATION OF RISKS
Security Measures
Asset Identification: Processes, Data
Risk Identification: Processes, Data
25. SECURITY MEASURES
Data minimization
• Partial release of user attributes for the purpose of data minimization
• Unlinkability of transactions at the cryptographic or protocol level
• Use only identifiers that are required to establish necessary linkability
• Domain-specific identifiers or pseudonyms - a form of identifiers that avoid using the same unique identifier for a user in all its interactions
26. SECURITY MEASURES
Consent and choice
• In a user-centric system, users have control over their data and attributes
• They can exert informed consent, whether the holder attributes are managed and used by a wallet or another entity
27. SECURITY MEASURES
Accuracy and quality
• The user's attributes shall be bound to the legitimate holder
• Protocols executed between the wallet and other components protect against eavesdropping at the communication and logical layer
• Protection of attribute authenticity and integrity of the attributes
  o Attributes released to the relying entities are consistent with the issuer's attributes
29. PRIVACY & SSI
SSI CAN PROVIDE AN EFFECTIVE BASIS FOR DIGITAL IDENTITIES THAT PROTECT THE PRIVACY OF PERSONAL DATA
• Decentralised digital IDs can be used to support pseudonyms for privacy
• VCs enable the separation of potentially private attributes from the digital ID; the user selects the attributes that are revealed to relying parties
• Cryptographic separation between transactions through holding multiple authentication keys in a wallet, with separate identity documents from different controllers, helping avoid links between the separate transactions
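The data-minimization measures on the "Security measures" slide above (partial release of attributes, unlinkability, domain-specific pseudonyms) and the privacy bullets just listed, as an added Go example that is not part of the presentation or of any ENISA deliverable. It assumes a simple salted-digest construction for selective disclosure (the issuer signs a sorted list of per-attribute digests; the wallet reveals only the chosen attributes together with their salts) and HMAC-derived sector pseudonyms; the names IssueSD, Disclose, VerifySD and Pseudonym, and the sample attributes, are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"sort"
)

// Attribute as stored in the wallet: the issuer supplies the salt so the holder can later
// reveal (name, value, salt) for only the attributes a relying party actually needs.
type Attribute struct {
	Name, Value string
	Salt        []byte
}

// digest commits to one attribute; the random salt stops a verifier from recovering a
// low-entropy value (a birth year, a postcode) from an undisclosed digest by guessing.
func digest(a Attribute) string {
	h := sha256.New()
	h.Write(a.Salt)
	h.Write([]byte(a.Name + "=" + a.Value))
	return fmt.Sprintf("%x", h.Sum(nil))
}

// SDCredential is the issuer-signed part: only sorted attribute digests, never plaintext
// attributes, so the one signature stays valid whatever subset is later revealed.
type SDCredential struct {
	Digests []string
	Sig     []byte
}

// signingInput is deterministic: Digests is sorted and every digest is fixed-width hex.
func (c SDCredential) signingInput() []byte { return []byte(fmt.Sprint(c.Digests)) }

func NewIssuerKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	return pub, priv
}

// IssueSD: the issuer salts every attribute, signs the digest list, and hands the
// credential together with the salted attributes to the holder's wallet.
func IssueSD(issuerPriv ed25519.PrivateKey, attrs map[string]string) (SDCredential, []Attribute) {
	var held []Attribute
	var digests []string
	for name, value := range attrs {
		salt := make([]byte, 16)
		if _, err := rand.Read(salt); err != nil { panic(err) }
		a := Attribute{Name: name, Value: value, Salt: salt}
		held = append(held, a)
		digests = append(digests, digest(a))
	}
	sort.Strings(digests) // canonical order that reveals nothing about the attributes
	c := SDCredential{Digests: digests}
	c.Sig = ed25519.Sign(issuerPriv, c.signingInput())
	return c, held
}

// Disclose is the partial release: the wallet hands over only the named attributes.
func Disclose(held []Attribute, want ...string) []Attribute {
	var out []Attribute
	for _, a := range held {
		for _, w := range want {
			if a.Name == w { out = append(out, a) }
		}
	}
	return out
}

// VerifySD is the relying party's check: issuer signature over the digest list, then each
// disclosed attribute must recompute to a digest the issuer signed.
func VerifySD(issuerPub ed25519.PublicKey, c SDCredential, disclosed []Attribute) (map[string]string, error) {
	if !ed25519.Verify(issuerPub, c.signingInput(), c.Sig) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	signed := map[string]bool{}
	for _, d := range c.Digests { signed[d] = true }
	out := map[string]string{}
	for _, a := range disclosed {
		if !signed[digest(a)] {
			return nil, fmt.Errorf("attribute %q was not asserted by the issuer", a.Name)
		}
		out[a.Name] = a.Value
	}
	return out, nil
}

// Pseudonym derives a sector-specific identifier from a wallet secret: stable within one
// sector, so a service recognises a returning user, but unlinkable across sectors.
func Pseudonym(walletSecret []byte, sector string) string {
	m := hmac.New(sha256.New, walletSecret)
	m.Write([]byte(sector))
	return fmt.Sprintf("%x", m.Sum(nil))
}

func main() {
	pub, priv := NewIssuerKey()
	cred, held := IssueSD(priv, map[string]string{"name": "A. Example", "birth_year": "1990", "age_over_18": "true"}) // constructed
	fmt.Println(VerifySD(pub, cred, Disclose(held, "age_over_18")))
	secret := []byte("constructed wallet secret")
	fmt.Println(Pseudonym(secret, "health")[:12], Pseudonym(secret, "tax")[:12])
}
```

The verifier learns age_over_18 and nothing about the name or birth year, and the issuer's single signature covers whichever subset the holder chooses to reveal. Two sectors that compare their pseudonym tables cannot join them, which is the "privacy by demand" property the member-state survey asks for. The caveat a practitioner should note: the signed digest list is identical in every presentation here, so it acts as a linkable handle across relying parties; that is precisely why the slide lists unlinkability "at the cryptographic or protocol level" as a separate measure.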
30. GOVERNING SSI
FOR THE GOVERNANCE OF THE ARCHITECTURAL ELEMENTS OF AN SSI SOLUTION, WE NEED TO CONSIDER
• The certification of wallets
• The audit and oversight of DID controllers, VC issuers, and DID and VC registries
• That all the above are interdependent, and the governance of the DID controller, the VC issuer, and the other elements of an SSI architecture must also be properly governed
31. SECURITY & SSI
WHEN THE RISKS OF THE SSI ARCHITECTURE ARE CONSIDERED, THE FOLLOWING KEY SECURITY MEASURES NEED TO BE IMPLEMENTED
• Data minimization: Use only necessary data
• Consent and choice: User controls the process and data used for ID
• Accuracy and quality: All parties can trust identification data stored and provided by the wallet
32. SAVE THE DATE: TRUST SERVICES FORUM 2022
27 - 28 October 2022, Berlin, ESMT
8th Trust Services Forum: 27 October 2022
14th CA-Day: 28 October 2022