Listing of P312 - Open Identity Summit 2021 by publication date
- Conference paper: A lightweight trust management infrastructure for self-sovereign identity (Open Identity Summit 2021, 2021). Kubach, Michael; Roßnagel, Heiko. Decentralized approaches towards digital identity management, often summarized under the currently popular term Self-sovereign identity (SSI), are being associated with high hopes for a bright future of identity management (IdM). Numerous private, open source as well as publicly funded research initiatives pursue this approach with the aim to finally bring universally usable, trustworthy, interoperable, secure, and privacy friendly digital identities for everyone and all use cases. However, a major challenge that so far has been only rudimentarily addressed is the trust management in these decentralized identity ecosystems. This paper first elaborates this problem before presenting an approach for a trust management infrastructure in SSI ecosystems that is based on already completed work for trust management in digital transactions.
- Conference paper: FAPI 2.0: A High-Security Profile for OAuth and OpenID Connect (Open Identity Summit 2021, 2021). Fett, Daniel. A growing number of APIs, from the financial, health and other sectors, give access to highly sensitive data and resources. With the Financial-grade API (FAPI) Security Profile, the OpenID Foundation has created an interoperable and secure standard to protect such APIs. The first version of FAPI has recently become an official standard and has already been adopted by large ecosystems, such as OpenBanking UK. Meanwhile, the OpenID Foundation’s FAPI Working Group has started the work on the second version of FAPI, putting a focus on robust interoperability, simplicity, a more structured approach to security, and improved non-repudiation. In this paper, we give an overview of the FAPI profiles, discuss the learnings from practice that influence the development of the latest version of FAPI, and show how formal security analysis helps to shape security decisions.
- Conference paper: Open Identity Summit 2021 - Complete Volume (Open Identity Summit 2021, 2021)
- Conference paper: Evaluation of Account Recovery Strategies with FIDO2-based Passwordless Authentication (Open Identity Summit 2021, 2021). Kunke, Johannes; Wiefling, Stephan; Ullmann, Markus; Lo Iacono, Luigi. Threats to passwords are still very relevant due to attacks like phishing or credential stuffing. One way to solve this problem is to remove passwords completely. User studies on passwordless FIDO2 authentication using security tokens demonstrated the potential to replace passwords. However, widespread acceptance of FIDO2 depends, among other things, on how user accounts can be recovered when the security token becomes permanently unavailable. For this reason, we provide a heuristic evaluation of 12 account recovery mechanisms regarding their properties for FIDO2 passwordless authentication. Our results show that the currently used methods have many drawbacks. Some even rely on passwords, taking passwordless authentication ad absurdum. Still, our evaluation identifies promising account recovery solutions and provides recommendations for further studies.
- Conference paper: Adapting the TPL Trust Policy Language for a Self-Sovereign Identity World (Open Identity Summit 2021, 2021). Alber, Lukas; More, Stefan; Mödersheim, Sebastian; Schlichtkrull, Anders. Trust policies enable the automated processing of trust decisions for electronic transactions. We consider the Trust Policy Language TPL of the LIGHTest project [Mö19] that was designed for businesses and organizations to formulate their trust policies. Using TPL, organizations can decide if and how they want to rely on existing trust schemes like Europe’s eIDAS or trust scheme translations endorsed by them. While the LIGHTest project is geared towards classical approaches like PKI-based trust infrastructures and X.509 certificates, novel concepts are on the rise: one example is the self-sovereign identity (SSI) model that enables users better control of their credentials, offers more privacy, and supports decentralized solutions. Since SSI is based on distributed ledger (DL) technology, it is a question of how TPL can be adapted so that organizations can continue to enjoy the benefits of flexible policy descriptions with automated evaluation at a very high level of reliability. Our contribution is a first step towards integrating SSI and the interaction with a DL into a Trust Policy Language. We discuss this on a more conceptual level and also show required TPL modifications. We demonstrate that we can integrate SSI concepts into TPL without changing the syntax and semantics of TPL itself and have to add new formats and introduce a new built-in predicate for interacting with the DL. Another advantage of this is that the “business logic” aspect of a policy does not need to change, enabling re-use of existing policies with the new trust model.
- Conference paper: Role of Identity, Identification, and Receipts for Consent (Open Identity Summit 2021, 2021). J. Pandit, Harshvardhan; Jesus, Vitor; Ammai, Shankar; Lizar, Mark; D’Agostino, Salvatore. This article outlines issues in the current ecosystem of data sharing based on consent and the role of identity and identification. It argues how the consent mechanism is hostile to individuals in the form of: (a) inscrutable third parties who remain largely unknown; (b) denying ability to identify and manage consent; and (c) lack of technological solution. The article discusses the role and feasibility of Consent Receipts, and presents its role in the Privacy as Expected: Consent Gateway (PaE:CG) project for the future of accountable identity and identification mechanisms for consent.
- Conference paper: Analyzing Requirements for Post Quantum Secure Machine Readable Travel Documents (Open Identity Summit 2021, 2021). Morgner, Frank; von der Heyden, Jonas. In a post-quantum world, the security of digital signatures and key agreement mechanisms used for Machine Readable Travel Documents (MRTDs) will be threatened by Shor’s algorithm. Due to the long validity period of MRTDs, upgrading travel documents with practical mechanisms which are resilient to attacks using quantum computers is an urgent issue. In this paper, we analyze potential quantum-resistant replacements that are suitable for those protocols and the resource-constrained environment of embedded security chips.
- Conference paper: Records Management and Long-Term Preservation of Evidence in DLT (Open Identity Summit 2021, 2021). Kusber, Tomasz; Schwalm, Steffen; Dr. Korte, Ulrike; Schamburger, Kalinda. DLT improves decentralized business models and transactions from supply chain or cryptocurrencies to shared mobility, electronic registries or proof of origin. The planned enhancement of European Blockchain Service Infrastructure approximately 2021-2022 is expected to accelerate these developments based on a scalable, standardized framework. Like any infrastructure or IT-system used for business relevant transactions, also in DLT it has to be possible to make decisions and processes evident against 3rd parties such as courts, auditors or regulative authorities. This leads to the challenge to fulfil requirements on a valid records management acc. to current standards [IS20b] [IS16] as well as to preserve the evidences of electronic records as long as they are needed according to current regulations and standards [eIDAS] [ETS19b] [VDG]. Based on international standardization the authors are taking part in, this paper focuses on the challenges and requirements for records management and preservation of evidence in DLT as well as possible solutions and needs for further standardization.
- Conference paper: Applying assurance levels when issuing and verifying credentials using Trust Frameworks (Open Identity Summit 2021, 2021). Martinez Jurado, Victor; Vila, Xavier; Kubach, Michael; Henderson Johnson Jeyakumar, Isaac; Solana, Albert; Marangoni, Matteo. Technical interoperability of the issuance, presentation, and verification of verifiable credentials (VC) across domains of trust is a current challenge for self-sovereign identity. We present an approach incorporating different levels of assurance and trust domains in an eIDAS compliant way. This is illustrated through a use case with real-world relevance: the issuance and cross-border usage of the European Health Insurance Card.
- Conference paper: Why should they care? Conceptualizing the challenges of information security training (Open Identity Summit 2021, 2021). Kurowski, Sebastian; Cetin, Fatma; Fischer, Rudolf. Most organizations rely on individuals without or with little security knowledge to participate in information security tasks. Intending to enable them, information security trainings are usually used. But their effectiveness is debatable. In this contribution we combine descriptive analysis with the social systems theory and current literature on organizational learning and change management to conceptualize the challenges of information security training. We find that the challenges of security training are rooted within a basic dilemma of security: its value-promise (addressing of risks) is not suitable for communication within an organization. These findings are part of an ongoing research project on trainings for IoT security.