- Conference paper: Public online services at the age of mydata: a new approach to personal data management in Finland (2016). Rissanen, Teemu; Hühnlein, Detlef; Roßnagel, Heiko; Schunck, Christian H.; Talamo, Maurizio. MyData is a framework and model for a human-centric approach for managing and processing personal information in the context of online services. The MyData approach is based on the right of individuals to access all data collected about them in public and commercial records. The core principle driving the MyData effort is that individuals should be in control of their own data. The MyData approach aims at strengthening digital human rights while opening new opportunities for businesses to develop innovative personal data based services built on mutual trust and respect of digital privacy rights in a positive way. The Finnish Trust Network (FTN) is a circle of trust composed of nationally notified Identity Providers (IDP) and notified identity service Brokers. It is a technical and legal framework under which different notified IDPs are mandated to provide strong authentication services for Finnish citizens and residents that can access public online services in Finland, in compliance with the provisions of the eIDAS regulation. As a whole, the FTN and MyData networks offer a new platform for reorganising public online services for the 21st century.
- Conference paper: Risk-centred role engineering within identity data audits - continuous improvement of the rights structure and possible risk accumulations (2016). Kurowski, Sebastian; Hühnlein, Detlef; Roßnagel, Heiko; Schunck, Christian H.; Talamo, Maurizio. Success and costs of audits in identity management largely depend on the structure of the underlying access control model. Auditing access rights includes the determination of actuality and adequacy of provided access rights. In order to ease audit and administration of access rights, role mining approaches have provided several solutions for identifying a minimal set of roles based upon either existing usage data, or business data. However, these approaches have focused on homogeneous, static environments. When facing dynamic, heterogeneous environments, such as infrastructure administration or smart systems, the accompanied noise of access rights provisioning hinders the determination of adequacy and actuality of access rights. With application of static approaches, accumulation of access risks at users may arise due to inadequate access rights, or aggregation of access roles. These issues are however mostly neglected by current approaches. Within this contribution we propose a method based upon the design structure matrix approach, which enables the identification of role aggregations, and examination of access risk accumulation within aggregated roles, and their assigned users throughout continuous audits of the access control model.
- Conference paper: An eid mechanism built along privacy by design principles using secure elements, pseudonyms and attributes (2016). Pinkas, Denis; Hühnlein, Detlef; Roßnagel, Heiko; Schunck, Christian H.; Talamo, Maurizio. This eID mechanism has been built taking into consideration Privacy by Design principles. It uses some of the basic principles of the FIDO model (Fast Identification On-line) adding certain constraints and extending the model to push user attributes. It allows a user to open an anonymous account on a server using a random pseudonym and then to push one or more attributes contained in an access token that has been obtained from an Attribute Issuer. In order to prevent the forwarding of an access token between collaborative users, a Secure Element must be used. That Secure Element shall conform to specific requirements, e.g. defined using a Protection Profile. This eID mechanism will be worldwide usable as soon as the providers of such Secure Elements publish information that can verify the genuineness of these secure elements.
- Conference paper: Futuretrust - future trust services for trustworthy global transactions (2016). Hühnlein, Detlef; Frosch, Tilman; Schwenk, Joerg; Piswanger, Carl-Markus; Sel, Marc; Hühnlein, Tina; Wich, Tobias; Nemmert, Daniel; Lottes, René; Somorovsky, Juraj; Mladenov, Vladislav; Condovici, Cristina; Leitold, Herbert; Stalla-Bourdillon, Sophie; Tsakalakis, Niko; Eichholz, Jan; Kamm, Frank-Michael; Kühne, Andreas; Wabisch, Damian; Dean, Roger; Shamah, Jon; Kapanadze, Mikheil; Ponte, Nuno; Martins, Jose; Portela, Renato; Karabat, Çağatay; Stojičić, Snežana; Nedeljkovic, Slobodan; Bouckaert, Vincent; Defays, Alexandre; Anderson, Bruce; Jonas, Michael; Hermanns, Christina; Schubert, Thomas; Wegener, Dirk; Sazonov, Alexander; Hühnlein, Detlef; Roßnagel, Heiko; Schunck, Christian H.; Talamo, Maurizio. Against the background of the regulation 2014/910/EU [EU1] on electronic identification (eID) and trusted services for electronic transactions in the internal market (eIDAS), the FutureTrust project, which is funded within the EU Framework Programme for Research and Innovation (Horizon 2020) under Grant Agreement No. 700542, aims at supporting the practical implementation of the regulation in Europe and beyond. For this purpose, the FutureTrust project will address the need for globally interoperable solutions through basic research with respect to the foundations of trust and trustworthiness, actively support the standardisation process in relevant areas, and provide Open Source software components and trustworthy services which will ease the use of eID and electronic signature technology in real world applications. The FutureTrust project will extend the existing European Trust Service Status List (TSL) infrastructure towards a “Global Trust List”, develop a comprehensive Open Source Validation Service as well as a scalable Preservation Service for electronic signatures and seals. Furthermore it will provide components for the eID-based application for qualified certificates across borders, and for the trustworthy creation of remote signatures and seals in a mobile environment. The present contribution provides an overview of the FutureTrust project and invites further stakeholders to actively participate as associated partners and contribute to the development of future trust services for trustworthy global transactions.
- Conference paper: Towards a decentralized identity management ecosystem for Europe and beyond (2016). Bruegger, Bud P.; Roßnagel, Heiko; Hühnlein, Detlef; Roßnagel, Heiko; Schunck, Christian H.; Talamo, Maurizio. The objective of the FutureID project was to build an identity management infrastructure for Europe in support of a single market of online services. This requires the availability and large-scale use of trusted and secure identities that replace current password credentials. In the FutureID concept the number and topology of intermediary components is not fixed and static. FutureID rather adopts an ecosystem-approach by creating a free market for identity intermediation services. This provides for the flexibility to: scale according to need, adapt to market needs, support special needs of market sectors including niche markets, adapt to established contractual relationships, and easily adapt to various possible business models that render the infrastructure sustainable. This paper summarizes the results from the 3 year EU-funded project.
- Conference paper: Architecture for controlled credential issuance enhanced with single sign-on (ACCESSO) (2016). Nemmert, Daniel; Hühnlein, Detlef; Wich, Tobias; Hühnlein, Tina; Hühnlein, Detlef; Roßnagel, Heiko; Schunck, Christian H.; Talamo, Maurizio. As more than half of the EU Member States already have rolled out electronic identity cards (eIDs) [Le13], it seems to be a rewarding approach to investigate whether and how eIDs may be used for the purpose of controlling the log-on process for operating systems and similar local access control facilities. While this paper shows that all currently rolled out eIDs may be used for such access control purposes, our investigation also reveals that for some types of eIDs it is significantly harder to support this kind of use case.
- Conference paper: One mobile ID to secure physical and digital identity (2016). Terbu, Oliver; Vogl, Stefan; Zehetbauer, Sebastian; Hühnlein, Detlef; Roßnagel, Heiko; Schunck, Christian H.; Talamo, Maurizio. In this paper a mobile ID solution called My Identity App (MIA) is shown that combines traditional printed ID documents and electronic identities (eID) into a platform independent smartphone app embedded in an ID ecosystem. MIA aims for transparent identification and authentication in the physical and digital world while security, privacy, data protection, usability and user trust are at equilibrium. Security is built upon secure processes rather than hardware like secure elements, thus providing the fundament for broad adoption including technically challenged people. Scalable architecture, standard future-proven technologies like OpenID Connect and FIDO authentication build the framework for secure, failsafe and large deployments.
- Conference paper: Non-technical challenges of building ecosystems for trustable smart assistants in the Internet of things: A socioeconomic and legal perspective (2016). Kubach, Michael; Görwitz, Caterina; Hornung, Gerrit; Hühnlein, Detlef; Roßnagel, Heiko; Schunck, Christian H.; Talamo, Maurizio. In this position paper, we present non-technical challenges that arise while building ecosystems for trustable smart assistants in the Internet of Things. Such non-technical challenges are often neglected in the development process of information systems, even though they are important elements for their success. Only if the assistants are technically effective and fit into the non-technical framework conditions of their application area (e.g. the market structure, stakeholder, liability, and data-protection requirements), they will be able to become successful innovations. We will support this argument in our position paper, focusing on the socioeconomic and legal perspective.
- Conference paper: Password Policy Markup Language (2016). Horsch, Moritz; Schlipf, Mario; Haas, Stefan; Braun, Johannes; Buchmann, Johannes; Hühnlein, Detlef; Roßnagel, Heiko; Schunck, Christian H.; Talamo, Maurizio. Password-based authentication is the most widely used authentication scheme for granting access to user accounts on the Internet. Despite this, there exists no standard implementation of passwords by services. They have different password requirements as well as interfaces and procedures for login, password change, and password reset. This situation is very challenging for users and often leads to the choice of weak passwords and prevents security-conscious behavior. Furthermore, it prevents the development of applications that provide a fully-fledged assistance for users in securely generating and managing passwords. In this paper, we present a solution that bridges the gap between the different password implementations on the service-side and applications assisting users with their passwords on the client-side. First, we introduce the Password Policy Markup Language (PPML). It enables a uniformly specified Password Policy Description (PPD) for a service. A PPD describes the password requirements as well as password interfaces and procedures of a service and can be processed by applications. It enables applications to automatically (1) generate passwords in accordance with the password requirements of a service, (2) perform logins, (3) change passwords, and (4) reset passwords. Second, we present a prototypical password manager which uses PPDs and is capable of generating and completely managing passwords on behalf of users.
- Conference paper: Challenging eID & eIDAS at University Management (2016). Strack, Hermann; Wefel, Sandro; Hühnlein, Detlef; Roßnagel, Heiko; Schunck, Christian H.; Talamo, Maurizio. Based on national eID solutions for university scenarios, in this paper eIDAS extensions will be discussed, with benefits and challenges (from eID to eIDAS).