- Conference contribution: A user-centric approach to IT-security risk analysis for an identity management solution (Open Identity Summit 2022, 2022). Authors: Fähnrich, Nicolas; Winterstetter, Matthias; Kubach, Michael; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian. Abstract: In order to build identity management (IdM) solutions that are secure in the practical application context, a holistic approach to their IT-security risk analysis is required. This complements the indispensable technical and crypto-focused analysis of risks and vulnerabilities with an approach that puts another important vector for security in the center: the users and their usage of the technology over the whole lifecycle. In our short paper we focus exclusively on the user-centric approach and present an IT-security risk analysis that is structured around the IdM lifecycle.
- Conference contribution: Risk variance: Towards a definition of varying outcomes of IT security risk assessment (Open Identity Summit 2022, 2022). Authors: Kurowski, Sebastian; Schunck, Christian H.; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian. Abstract: Assessing IT-security risks in order to achieve adequate and efficient protection measures has become the core idea of various industry practices and regulatory frameworks in the last five years. Some research however suggests that the practice of assessing IT security risks may be subject to varying outcomes depending on personal, situational and contextual factors. In this contribution we first provide a definition of risk variance as the variation of risk assessment outcomes due to individual traits, the processual environment, the domain of the assessor, and possibly the target of the assessed risk. We then present the outcome of an interview series with 9 decision makers from different companies that aimed at discussing whether risk variance is an issue in their risk assessment procedures. Finally, we elaborate on the generalizability of the concept of risk variance, despite the low sample size, in light of the varying risk assessment procedures discussed in the interviews. We find that risk variance could be a general problem of current risk assessment procedures.
- Conference contribution: eIDAS 2.0: Challenges, perspectives and proposals to avoid contradictions between eIDAS 2.0 and SSI (Open Identity Summit 2022, 2022). Authors: Schwalm, Steffen; Albrecht, Daria; Alamillo, Ignacio; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian. Abstract: The proposal for review of the eIDAS Regulation from 2021 has opened strong expectations for a deep change in traditional identity models. The user-centric identity model proposed starts with the creation of European Digital Identity Wallets that will enable citizens’ control over their data in identification and authentication processes without control by entities providing the identification services. Likewise, with the proposed legal rules for giving legal certainty to electronic ledgers and blockchains, [eIDAS2] opens possibilities for decentralization, especially for the provision and management of users’ attributes. The implementation of qualified trust services for attestations or electronic ledgers limits decentralization by requiring a trusted 3rd party. Standardization will be key in assuring interoperability at the EU level. What are the challenges and opportunities of eIDAS 2.0? And what are the main focuses and needs of (European) standardization? These and other questions are analysed and discussed in the paper.
- Conference contribution: Corporate Digital Responsibility and the current Corporate Social Responsibility standard: An analysis of applicability (Open Identity Summit 2022, 2022). Authors: Carl, K. Valerie; Zilcher, Timothy M. C.; Hinz, Oliver; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian. Abstract: Corporate Digital Responsibility (CDR) takes a key role in developing, deploying, and managing digital technologies, products, and services responsibly and ethically. New technologies offer new chances but also expose new threats, especially related to privacy and data security, that managers need to cope with. CDR puts privacy and data security efforts in a broader context to provide a more holistic approach to Corporate Responsibilities and to strengthen consumer trust in corporate activities. However, managers still face a lack of CDR guidelines that support the implementation of CDR activities. Existing guidelines related to Corporate Responsibilities, like the ISO standard 26000, provide guidance on Corporate Social Responsibility (CSR), addressing socially responsible and sustainable behaviour. However, current standards do not cover CDR directly. As such, the purpose of this contribution is to evaluate the applicability of the existing CSR standard to CDR, to pave the way for CDR standardization in the future.
- Conference contribution: Flexible Method for Supporting OAuth 2.0 Based Security Profiles in Keycloak (Open Identity Summit 2022, 2022). Authors: Norimatsu, Takashi; Nakamura, Yuichi; Yamauchi, Toshihiro; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian. Abstract: Keycloak is open-source identity and access control software. When it is used for open banking, where many OAuth 2.0 clients need to be managed and a different OAuth 2.0-based security profile needs to be applied to each type of API, managerial costs for the Keycloak administrator increase, because Keycloak's security profile logic depends on the client settings and cannot be changed per client request. This paper proposes a solution by separating the security profile logic from the client settings and by selecting the security profile for each client request based on the content of the request; actual Financial-grade API (FAPI) security profiles are implemented in Keycloak. The paper calculates managerial costs for both the existing and the proposed method in scenarios managing FAPI, and compares the results. The comparison shows that using the proposed method reduces costs. Our implementations are contributed to Keycloak.
- Conference contribution: Integration of Self-Sovereign Identity into Conventional Software using Established IAM Protocols: A Survey (Open Identity Summit 2022, 2022). Authors: Kuperberg, Michael; Klemens, Robin; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian. Abstract: Self-Sovereign Identity (SSI) is an approach based on asymmetric cryptography and on decentralized, user-controlled exchange of signed assertions. Most SSI implementations are not based on hierarchic certification schemas, but rather on the peer-to-peer and distributed “web of trust” without root or intermediate CAs. As SSI is a nascent technology, the adoption of vendor-independent SSI standards into existing software landscapes is at an early stage. Conventional enterprise-grade IAM implementations and cloud-based Identity Providers rely on widely established pre-SSI standards, and neither will be replaced by SSI offerings in the next few years. The contribution of this paper is an analysis of patterns and products to bridge unmodified pre-SSI applications and conventional IAM with SSI implementations. Our analysis covers 40+ SSI implementations and major authentication protocols such as OpenID Connect and LDAP.
- Conference contribution: Continuous authorization over HTTP using Verifiable Credentials and OAuth 2.0 (Open Identity Summit 2022, 2022). Authors: Fotiou, Nikos; Faltaka, Evgenia; Kalos, Vasilis; Kefala, Anna; Pittaras, Iakovos; Siris, Vasilios A.; Polyzos, George C.; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian. Abstract: We design, implement, and evaluate a solution for achieving continuous authorization of HTTP requests using Verifiable Credentials (VCs) and OAuth 2.0. Specifically, we develop a VC issuer that acts as an OAuth 2.0 authorization server, a VC verifier that transparently protects HTTP-based resources, and a VC wallet implemented as a browser extension capable of injecting the necessary authentication data into HTTP requests without needing user intervention. Our approach is motivated by recent security paradigms, such as the Zero Trust architecture, that require authentication and authorization of every request, and it is tailored for HTTP-based services accessed using a web browser. Our solution leverages JSON Web Tokens and JSON Web Signatures for encoding VCs and protecting their integrity, achieving interoperability and security this way. VCs in our system are bound to a user-controlled public key or a Decentralized Identifier, and mechanisms for proving possession are provided. Finally, VCs can be easily revoked.
- Conference contribution: Open Identity Summit 2022, LNI Volume P325 Complete (Open Identity Summit 2022, 2022). Editors: Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian.
- Conference contribution: A novel approach to establish trust in verifiable credential issuers in Self-sovereign identity ecosystems using TRAIN (Open Identity Summit 2022, 2022). Authors: Johnson Jeyakumar, Isaac H.; Chadwick, David W.; Kubach, Michael; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian. Abstract: Self-sovereign identity (SSI) promises to bring decentralized, privacy-friendly identity management (IdM) ecosystems to everyone. Yet, trust management in SSI remains challenging. In particular, it lacks a holistic approach that combines trust and governance frameworks. A practical and scalable mechanism is needed for verifiers to externally verify their trust in credential issuers. This paper illustrates how TRAIN (Trust mAnagement INfrastructure), an approach based on established components like ETSI trust lists and the Domain Name System (DNS), can be used as a trust registry component to provide a holistic approach for trust management in SSI ecosystems. TRAIN facilitates individual trust decisions through the discovery of trust lists in SSI ecosystems, along with published credential schemas, so that verifiers can make informed trust decisions about issued credentials.
- Conference contribution: Combination of x509 and DID/VC for inheritance properties of trust in digital identities (Open Identity Summit 2022, 2022). Authors: Bastian, Paul; Stöcker, Carsten; Schwalm, Steffen; Roßnagel, Heiko; Schunck, Christian H.; Mödersheim, Sebastian. Abstract: The proposal for review of the eIDAS Regulation from 2021 has opened strong expectations for a deep change in traditional identity models. The user-centric identity model proposed starts with the creation of European Digital Identity Wallets that will enable citizens’ control over their data in identification and authentication processes without control by entities providing the identification services. Likewise, digital identities and digital signatures are already in place, and interoperability between existing solutions, mainly based on x509 certificates, and decentralized PKI using DID/VC is foreseeable. The paper provides various options to address different aspects of combining x509 and DID/VC approaches.