- KonferenzbeitragA shared responsibility model to support cross border and cross organizational federation on top of decentralized and self-sovereign identity: Architecture and first PoC(Open Identity Summit 2023, 2023) Kubach, Michael; Henderson, Isaac; Bithin, Alangot; Dimitrakos, Theo; Vargas, Juan; Winterstetter, Matthias; Krontiris, Ioannis; Roßnagel, Heiko; Schunck, Christian H.; Günther, JochenThis paper discusses the challenges of transitioning from legacy federated identity systems to emerging decentralized identity technologies based on self-sovereign identities (SSI) and verifiable credentials, which are being used in initiatives such as Gaia-X and Catena-X for secure and sovereign data sharing. The adoption of SSI and decentralized identity technologies requires a standardized reference model that addresses challenges around trust in cross-border and crossorganizational federations based on decentralized identities. To facilitate this transition, the paper proposes a new Fed2SSI architecture that introduces a middle layer of abstraction for the policybased transformation of credentials, enabling interoperability between legacy federated identity solutions and SSI/decentralized identity environments. The architecture is implemented in a prototype and an exemplary use case is presented to illustrate the added value of this approach.
- KonferenzbeitragThe possible impact s of the eIDAS 2.0 digital identity approach in Germany and Europe(Open Identity Summit 2023, 2023) Schwalm, Steffen; Roßnagel, Heiko; Schunck, Christian H.; Günther, JocheneIDAS 2.0 introduces the EU Digital Wallet as the eID mean including not only the PID (eID Scheme) but also additional attributes like (qualified) attestation of attributes and gives the control over its identity back to the user in regulated approach. This means that eIDAS 2.0 gives the possibility to provide legal trust on decentralized digital identities in self-sovereign manner by combining existing trust model from eIDAS 1.0 with SSI-approach. The paper describes based on the legal proposal possible impacts of eIDAS 2.0 on German and European identity and trust services in order to provide framework for trustworthy digital transactions in EU and EFTA
- KonferenzbeitragA more User-Friendly Digital Wallet? User Scenarios of a Future Wallet(Open Identity Summit 2023, 2023) Krauß, Anna-Magdalena; Kostic, Sandra; Sellung, Rachelle A.; Roßnagel, Heiko; Schunck, Christian H.; Günther, JochenIdentity wallets enable the management and use of digital identities and verification documents stored in one app. Users manage their data independently and decide for themselves which data they want to disclose for identification purposes. Recent research shows that current digital wallets face many usability problems, which makes it difficult for users to grasp their concept and how to use them. This paper presents an enhanced concept of a wallet, where its functionality is presented with user scenarios that have a user centric approach. The user scenarios illustrate a variety of possible uses of the wallet. For example, the new wallet concept envisions, how data can be transferred from one wallet to another person's wallet, how data can be managed by different people in one wallet, or how only individual pieces of information from credentials can be shared to maintain greater privacy for users.
- KonferenzbeitragModeling the Threats to Self-Sovereign Identities(Open Identity Summit 2023, 2023) Pöhn, Daniela; Grabatin, Michael; Hommel, Wolfgang; Roßnagel, Heiko; Schunck, Christian H.; Günther, JochenSelf-sovereign identity (SSI) is a relatively young identity management paradigm allowing digital identities to be managed in a user-centric, decentralized manner, often but not necessarily utilizing distributed ledger technologies. This emerging technology gets into the focus through the new electronic IDentification, Authentication and trust Services (eIDAS) regulation in Europe. As identity management involves the management and use of personally identifiable information, it is important to evaluate the threats to SSI. We apply the STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege) threat modeling approach to the core components of SSI architecture and the interactions between them. Based on the summarized results, we discuss relevant mitigation methods and future research areas.
- KonferenzbeitragX out of N Credential Requests using Presentation Exchange(Open Identity Summit 2023, 2023) Otto, Sarah; Meisel, Michael; Roßnagel, Heiko; Schunck, Christian H.; Günther, JochenSelf-sovereign identity (SSI) is a new management model for digital identities. Here, the exchange of so-called verifiable credentials - digitally signed pieces of (personal) data - is one of the main aspects of "using" such an identity. Therefore, one party called a verifier requests credentials from another one holding them. We note that the main problem is to find a way to formulate a credential request in such a way that the holding party can choose which credentials to be sent from a predefined pool. Using the Presentation Exchange specification in its current version 2.0.0 is the only way to achieve this directly. Finally, we describe a sample implementation that supports such a mechanism using this specification as part of DIDComm messages.
- KonferenzbeitragPrivate Authentication with Alpha-Beta Privacy(Open Identity Summit 2023, 2023) Fernet, Laouen; Mödersheim, Sebastian; Roßnagel, Heiko; Schunck, Christian H.; Günther, JochenAlpha-beta privacy is a new approach for security protocols that aims to provide a logical and intuitive way of specifying privacy-type goals. Recently the tool noname was published that can automatically analyze specifications for a bounded number of sessions, but ships only with a few simple examples. This paper models two more complicated case studies, namely the ICAO 9303 BAC and the Privacy Authentication protocol by Abadi and Fournet, and applies the noname tool to analyze them, reproducing known vulnerabilities and verifying the corresponding fixes, as well as providing a better understanding of the privacy properties they provide
- KonferenzbeitragResearch on User Experience for Digital IdentityWallets: State-of-the-Art and Recommendations(Open Identity Summit 2023, 2023) Sellung, Rachelle; Kubach, Michael; Roßnagel, Heiko; Schunck, Christian H.; Günther, JochenDigital identity wallets are central components for Decentralised and Self-Sovereign Identity (SSI) approaches. They are the interface for users to manage their identities and gain access to services. Hence, the usability and user experience of these wallets is pivotal for the adoption of those popular and privacy friendly identity management concepts. As research on the user experience of wallets is still in its infancy, this paper aims to provide a first overview of recent research – published and from completed and ongoing research projects. Findings are summarized and recommendations for developers are derived.
- KonferenzbeitragOpen Identity Summit 2023 - Complete proceedings(Open Identity Summit 2023, 2023) Chadwick, David W.; Kubach, Michael; Sette, Ioram; Johnson Jeyakumar, Isaac Henderson; Bochnia, Ricardo; Richter, Daniel; Anke, Jürgen; Sellung, Rachelle; Kubach, Michael; Otto, Sarah; Meisel, Michael; Fernet, Laouen; Mödersheim, Sebastian; Krauß, Anna-Magdalena; Kostic, Sandra; Sellung, Rachelle A.; Pöhn, Daniela; Grabatin, Michael; Hommel, Wolfgang; Kubach, Michael; Henderson, Isaac; Bithin, Alangot; Dimitrakos, Theo; Vargas, Juan; Winterstetter, Matthias; Krontiris, Ioannis; Schwalm, Steffen; Fuxen, Philipp; Hackenberg, Rudolf; Heinl, Michael P.; Ross, Mirko; Roßnagel, Heiko; Schunck, Christian H.; Yahalom, Raphael; Ruff, Christopher; Benthien, Benedict; Orlowski, Alexander; Astfalk, Stefanie; Schunck, Christian H.; Fritsch, Lothar; Fähnrich, Nicolas; Köster, Kevin; Renkel, Patrick; Huber, Richard; Menz, Nadja; Roßnagel, Heiko; Schunck, Christian H.; Günther, Jochen
- KonferenzbeitragLifting the Veil of Credential Usage in Organizations: A Taxonomy(Open Identity Summit 2023, 2023) Bochnia, Ricardo; Richter, Daniel; Anke, Jürgen; Roßnagel, Heiko; Schunck, Christian H.; Günther, JochenWith the emergence of self-sovereign identity (SSI) as a paradigm for digital identity management the handling of verifiable credentials (VCs) has become an important topic in organizations. Organizations process a wide variety of documents which can be considered credentials. Previous research shows that a challenge in developing SSI systems is a lack of understanding of the core aspects of the paradigm and their relation to existing organizational practices. Our research focuses on the different characteristics of credentials in organizations and maps the characteristics of VCs to physical credentials. Our findings indicate that credentials in organizations can be classified by ten dimensions. Additionally, VCs have many possible characteristics of physical credentials, althoughmplementation and support for certain features may be vendor-specific. Finally, we provide insights and suggestions for SSI researchers and developers.
- KonferenzbeitragElectronic identity mass compromize: Options for recovery(Open Identity Summit 2023, 2023) Fritsch, Lothar; Roßnagel, Heiko; Schunck, Christian H.; Günther, JochenA National Digital Identity Framework should be designed in a proactive manner, should focus on a resilience-oriented approach, and should be aimed at limiting the risks that may originate from identity data management [IT18]. What is the preparedness of digital identity providers for recovery from compromise that affects large numbers of identities? Failures or attacks may destroy authenticators, data or trust chains that are the foundations of large identity ecosystems. The re-issuance of digital identities, of authenticators or the re-enrollment of the user base should get planned as contingency measures. Important parameters will be recovery time, complexity of re-registering subjects, distribution of effort between certification authorities, registrars and relying parties, and the availability of alternative technologies and staff resources. The article will, based on a review of standards and requirements documents, present evidence for a shortage of recovery readiness that endangers relying parties and identity ecosystems. From a review of standards and practice, we extract recovery procedures as far as they are planned for.