PPT, ENISA, service delivery webinar 310522

Dr. Evgenia Nikoulouzou
ENISA, Policy Implementation and Development unit
DIGITAL IDENTITY, LEVERAGING THE SELF-
SOVEREIGNTY IDENTITY (SSI) CONCEPT TO
BUILD TRUST
31 05 2022
CSA: Support the development and implementation of Union policy in the field of
electronic identity and trust services

ENISA eIDAS : AGENDA
eIDAS : Overview of ENISA Activities
Digital Wallets Process in a Nutshell
Report: Digital Identify, SSI
Conclusions
ENISA: Digital Identities and Remote Identity Proofing

3
POLICY CONTEXT FOR ENISA
3
eIDAS Regulation 910/2014, Trust Services, Article 19
• Support MS with supervision and security measures
• Support MS with incident reporting, and cross-border notifications
• Annual reports Trust services incidents
• CIRAS Incident reporting and Analysis system
• Future role for ENISA in the eID Cooperation network
ENISA mandate - CSA Article 5
Support the development and implementation of Union policy in the field of electronic identity and trust
services, in particular by providing advice and issuing technical guidelines, as well as by facilitating the
exchange of best practices between competent authorities
NIS2 proposal - brings trust services under NISD
ENISA supports the NIS Cooperation group
eIDAS2 package
- Proposal for eΙDAS2 - COM (2021) 281 final
- Commission Recommendation on Toolbox for eID wallets
ENISA supports the EC toolbox work – technical security measures

4
OVERVIEW OF ENISA ACTIVITIES
Leading role for:
 ENISA Article 19 EG
 CIRAS Tool – Incident
reporting
 ENISA Trust Services Forum
(annual conference since
2015 – Berlin, September)
Advisory role for:
 FESA
 Commission eIDAS expert
group
 eID Cooperation Network
Find more under: Trust Services — ENISA (europa.eu), Building Trust in the Digital Era: ENISA boosts the
uptake of the eIDAS regulation — ENISA (europa.eu)
Support MS with Trust Services
- 12 reports to support TSPs and SBs
- 5 reports to support relying parties
- Cyber incident reporting tool, CIRAS
- Secretariat of ENISA Article 19
group
- Hosting of 19 meetings of ENISA
Article 19 group since 2015
Support MS with Digital
Identity
- 4 reports on eID, e.g. SSI
- Occasional invitation to the
eID CN
2014 eIDAS
regulation
2015 ENISA Art19
group
2016 ENISA incident
tool for trust services
(CIRAS)
2021 Supporting
EC/MS with
digital wallets
Recent example (of ENISA bridging between authorities, market players, and standards bodies)
- 2020 Security of remote identify proofing (especially relevant in a pandemic)
- 2021 Attack scenarios-countermeasures and workshop on remote identity proofing

5
PEEK INTO EU DIGITAL WALLET PROCESS
September
Agreement on
Process
December
Agreement on
Technical Outline
June 2022
Technical
Architecture-
Standards-
guidelines
September 2022
Agreement on
ToolBox
October 2022
Publication of
ToolBox
Note: Aggressive timeline – ENISA supports the MSs and the Commission
eIDAS2

6
Introduction to SSI
EU & Global SSI Landscape
Architecture Elements of SSI
Governance
Consideration of Risks
Conclusions
REPORT OVERVIEW
Digital Identity: Leveraging the Self-Sovereign Identity Concept to Build Trust

7
SSI IN A NUTSHELL
Digital Identity: Leveraging the Self-Sovereign identity Concept to Build Trust
• Aimed at digital IDs across global open networks
• Current technology is for federated identities for separate communities with
several hierarchies cooperating to share trusted digital IDs
• SSI allows a user to have greater control of his or her own identity
o Users can request multiple decentralised identifiers (DIDs) from
different identity controllers
• Identity can be related to different attributes issued by different authorities
for different activities
o Verifiable credentials (VCs) bind the user-centred identity to formal or
informal names
o VCs can also carry other user attributes (e.g., age or qualification)
used to control access to service

8
W3C Specifications
Decentralised Identity Foundation (DIF)
ISO TC 307 & CEN/CLC JTC 19
ISO/IEC 23220 & 18013-5
STANDARDS

9
Sovrin
Hyperledger
ESSIF
LACChain
COMMUNITIES

10
• Harmonised conditions for the establishment of a framework for European Digital Identity Wallets to be
issued by Member States
• Union citizens and other residents will able share securely data related to their identity in a user friendly
and convenient way under the sole control of the user
• European Digital Identity Wallets should allow users to electronically identify and authenticate online and
offline across borders for accessing public and private services
• Member States should Wallets relying on common standards to ensure seamless interoperability and a
high level of security
• The conformity Wallets with those requirements should be certified by accredited public or private sector
bodies designated by Member States
• European Digital Identity Wallets should ensure the highest level of security for the personal data used
for authentication irrespective of whether such data is stored locally or on cloud-based solutions, taking
into account the different levels of risk
EIDAS 2.0
(COM/2021/281 FINAL)

11
Germany
Spain
Netherlands
Poland
Member States Survey
EU SSI & eID WALLET
INITIATIVES

GERMANY
ID Union SSI project framework (source: Lissi)
12 Digital Identity: Leveraging the Self-Sovereign Identity Concept to Build Trust

SPAIN
Alastria’s ID Model – Based on the 10 key principles of SSI (Security, Controllability, Portability)

POLAND
Credentials presented by mObywatel – (left to right) ID card, driving license, COVID certificate, ePrescription

POLAND
Electronic identification with mObywatel

16
MEMBER STATE SURVEY (RESULTS)
Security
• SSI has the benefit of having no single point of failure
• Increasing demand on the user associated with user control is worrying
• ‘Privacy by demand’, with features such as sector-specific identifiers, is crucial
o Hard to achieve in typical SSI (DLT/DID-based) systems, especially when these unique and
persistent identifiers are created sector- or service- or MS-specific in the very moment they are
requested
• Important: freshness of attributes (e.g., representation, mandates, professional
capacity, custody of minors, etc.) needs to be maintained
o This can only be achieved with online/cloud-based wallets

ARCHITECTURE ELEMENTS
for Self-Sovereign Identity

VC Issuer
• Confirms wallet holder
identity
• Credential proofing
• Issues verifiable
credentials
• Revokes verifiable
credential
DID Controller
• Ensures uniqueness of ID
• Confirms wallet control
• Issues secure DID
document
Wallet Holder
• Obtains wallet
from provider
• Authenticates to
the wallet
• Collects new
verifiable data
• Authenticates ID
to relying party
Wallet Provider
• Provides certified
wallet software /
hardware
• May be cloud-
based
Relying Party
(verifier)
• Validates
presented
credentials
• Authenticates
holder
Verifiable
credential
Wallet control proof
ID authentication &
Presentation of credentials
Trusted DID/VC Registry
WALLET
Information on
issuance and
revocation of
verifiable data
Information
used to validate
verifiable data
Information used to
validate verifiable
data
Architecture
Elements

GOVERNANCE
for a Digital Identity Framework

20
GOVERNANCE
Governance of SSI-based schemes still under development
Most experience comes from Sovrin, which takes an approach similar to that
applied by many PKI services, including eIDAS Trust Services:
• There is a governing body that oversees the operation of the SSI service providers and
sets the rules for assuring the operation of the SSI service providers
• Conformity assessment of the provider by an independent assessor against the
assurance rules set by the governing body
• A means for relying parties to assess whether are considered trustworthy by the
governing body
ISO and CEN are in the early stages of developing standards for
managing trust based around SSI with working drafts looking at trust
anchors

21
GOVERNANCE
Governance of wallets
• User has control over the use of their wallet
o They can decide whether to use any particular wallet, as well as select a particular DID or
VC within a wallet, to authenticate their identity to a relying party
• Security of SSI depends on the security of the wallet software and
environment
o In particular, that the keys and verifiable data are under the sole control of the holder and
cannot be leaked to other parties
• Security of the wallet will need to be certified against specific criteria
to give assurance for the security of wallets

22
GOVERNANCE
Interdependence
Governance of the different elements of an SSI architecture cannot be
considered in isolation
• VC issuer depends on the DID, as issued by the DID controller, being uniquely
assigned to entity identified by the DID controller and on the sole control of the
authentication means being under the sole control of the document
• DID controller needs to be assured that the authentication means is held securely
in a certified wallet
• Both DID controller and VC issuer depend on the registry to provide relying
parties with the latest state of the DID document and VC

CONSIDERATION OF RISKS
SSI and Digital Identity

24
Security Measures
Asset Identification
✓ Processes
✓ Data
Risk Identification
✓ Processes
✓ Data
CONSIDERATION OF
RISKS

25
SECURITY MEASURES
Data minimization
• Partial release of user attributes for the purpose of data
minimization
• Unlinkability of transactions at the cryptographic or protocol
level
• Use only identifiers that are required to establish necessary
linkability
• Domain-specific identifiers or pseudonyms – a form of
identifiers that avoid using the same unique identifier for a user
in all its interactions

26
SECURITY MEASURES
Consent and choice
• In a user-centric system, users have control over their data
and attributes
• They can exert informed consent, whether the holder attributes
are managed and used by a wallet or another entity

27
SECURITY MEASURES
Accuracy and quality
• The user’s attributes shall be bound to the legitimate holder
• Protocols executed between the wallet and other components
protect against eavesdropping at the communication and
logical layer
• Protection of attribute authenticity and integrity of the attributes
o Attributes released to the relying entities are consistent with the issuer's
attributes

CONCLUSIONS
Leveraging the SSI Concept to Build Trust

29
PRIVACY & SSI
SSI CAN PROVIDE AN EFFECTIVE BASIS FOR DIGITAL IDENTITIES
THAT PROTECT THE PRIVACY OF PERSONAL DATA
• Decentralised digital IDs can be used to support pseudonyms for privacy
• VCs enable the separation of potentially private attributes from the digital ID;
user selects attributes that are revealed to relying parties
• Cryptographic separation between transactions through holding multiple
authentication keys in a wallet with separate identity documents from
different controllers, helping avoid links between the separate transactions

30
GOVERNING SSI
FOR THE GOVERNANCE OF THE ARCHITECTURAL
ELEMENTS OF AN SSI SOLUTION, WE NEED TO CONSIDER
• The certification of wallets
• The audit and oversight of DID controllers, VC issuers, and DID and
VC registries
• That all the above are interdependent and the governance of the DID
controller, the VC issuer, and the other elements of an SSI architecture
must also be properly governed

31
SECURITY & SSI
WHEN THE RISKS OF THE SSI ARCHITECTURE ARE CONSIDERED, THE
FOLLOWING KEY SECURITY MEASURES NEED TO BE IMPLEMENTED
• Data minimalization: Use only necessary data
• Consent and choice: User controls the process and data used for ID
• Accuracy and quality: All parties can trust identification data stored
and provided by the wallet

32
SAVE THE DATE:
27 – 28 October
2022
Berlin, ESMT
TRUST SERVICES FORUM 2022
8th Trust Services Forum
27 October 2022
14th CA-Day
28 October 2022
ENISA: Digital Identities and Remote Identity Proofing

PPT, ENISA, service delivery webinar 310522

Recomendados

Recomendados

Mais conteúdo relacionado

Semelhante a PPT, ENISA, service delivery webinar 310522

Semelhante a PPT, ENISA, service delivery webinar 310522 (20)

Mais de Support for Improvement in Governance and Management SIGMA

Mais de Support for Improvement in Governance and Management SIGMA (20)

Último

Último (20)

PPT, ENISA, service delivery webinar 310522