Citizen-centric public services in the Western Balkans:
Webinar 2 - Digital identity and trust services, 31 May 2022.
Presentation by Evgenia Nikolouzou, European Union Agency for Cyber Security (ENISA).
1. Dr. Evgenia Nikolouzou
ENISA, Policy Implementation and Development unit
DIGITAL IDENTITY: LEVERAGING THE SELF-SOVEREIGN IDENTITY (SSI) CONCEPT TO BUILD TRUST
31 05 2022
CSA: Support the development and implementation of Union policy in the field of electronic identity and trust services
2. ENISA eIDAS: AGENDA
eIDAS: Overview of ENISA Activities
Digital Wallets Process in a Nutshell
Report: Digital Identity, SSI
Conclusions
ENISA: Digital Identities and Remote Identity Proofing
3. POLICY CONTEXT FOR ENISA
eIDAS Regulation 910/2014, Trust Services, Article 19
• Support MS with supervision and security measures
• Support MS with incident reporting and cross-border notifications
• Annual reports on Trust Services incidents
• CIRAS incident reporting and analysis system
• Future role for ENISA in the eID Cooperation Network
ENISA mandate - CSA Article 5
Support the development and implementation of Union policy in the field of electronic identity and trust services, in particular by providing advice and issuing technical guidelines, as well as by facilitating the exchange of best practices between competent authorities
NIS2 proposal - brings trust services under NISD
ENISA supports the NIS Cooperation Group
eIDAS2 package
- Proposal for eIDAS2 - COM (2021) 281 final
- Commission Recommendation on Toolbox for eID wallets
ENISA supports the EC toolbox work – technical security measures
4. OVERVIEW OF ENISA ACTIVITIES
Leading role for:
- ENISA Article 19 EG
- CIRAS Tool – Incident reporting
- ENISA Trust Services Forum (annual conference since 2015 – Berlin, September)
Advisory role for:
- FESA
- Commission eIDAS expert group
- eID Cooperation Network
Find more under: Trust Services — ENISA (europa.eu), Building Trust in the Digital Era: ENISA boosts the uptake of the eIDAS regulation — ENISA (europa.eu)
Support MS with Trust Services
- 12 reports to support TSPs and SBs
- 5 reports to support relying parties
- Cyber incident reporting tool, CIRAS
- Secretariat of ENISA Article 19 group
- Hosting of 19 meetings of ENISA Article 19 group since 2015
Support MS with Digital Identity
- 4 reports on eID, e.g. SSI
- Occasional invitation to the eID CN
Timeline:
- 2014 eIDAS regulation
- 2015 ENISA Art19 group
- 2016 ENISA incident tool for trust services (CIRAS)
- 2021 Supporting EC/MS with digital wallets
Recent example (of ENISA bridging between authorities, market players, and standards bodies)
- 2020 Security of remote identity proofing (especially relevant in a pandemic)
- 2021 Attack scenarios-countermeasures and workshop on remote identity proofing
5. PEEK INTO EU DIGITAL WALLET PROCESS (eIDAS2)
- September: Agreement on Process
- December: Agreement on Technical Outline
- June 2022: Technical Architecture, Standards, guidelines
- September 2022: Agreement on ToolBox
- October 2022: Publication of ToolBox
Note: Aggressive timeline – ENISA supports the MSs and the Commission
6. REPORT OVERVIEW
Digital Identity: Leveraging the Self-Sovereign Identity Concept to Build Trust
Introduction to SSI
EU & Global SSI Landscape
Architecture Elements of SSI
Governance
Consideration of Risks
Conclusions
7. SSI IN A NUTSHELL
• Aimed at digital IDs across global open networks
• Current technology is for federated identities for separate communities, with several hierarchies cooperating to share trusted digital IDs
• SSI allows a user to have greater control of his or her own identity
o Users can request multiple decentralised identifiers (DIDs) from different identity controllers
• Identity can be related to different attributes issued by different authorities for different activities
o Verifiable credentials (VCs) bind the user-centred identity to formal or informal names
o VCs can also carry other user attributes (e.g., age or qualification) used to control access to services
8. STANDARDS
- W3C Specifications
- Decentralised Identity Foundation (DIF)
- ISO TC 307 & CEN/CLC JTC 19
- ISO/IEC 23220 & 18013-5
9. COMMUNITIES
- Sovrin
- Hyperledger
- ESSIF
- LACChain
10. EIDAS 2.0 (COM/2021/281 FINAL)
• Harmonised conditions for the establishment of a framework for European Digital Identity Wallets to be issued by Member States
• Union citizens and other residents will be able to share data related to their identity securely, in a user-friendly and convenient way, under the sole control of the user
• European Digital Identity Wallets should allow users to electronically identify and authenticate online and offline across borders for accessing public and private services
• Member States should issue Wallets relying on common standards to ensure seamless interoperability and a high level of security
• The conformity of Wallets with those requirements should be certified by accredited public or private sector bodies designated by Member States
• European Digital Identity Wallets should ensure the highest level of security for the personal data used for authentication, irrespective of whether such data is stored locally or on cloud-based solutions, taking into account the different levels of risk
12. GERMANY
ID Union SSI project framework (source: Lissi)
13. SPAIN
Alastria’s ID Model – Based on the 10 key principles of SSI (Security, Controllability, Portability)
14. POLAND
Credentials presented by mObywatel – (left to right) ID card, driving license, COVID certificate, ePrescription
16. MEMBER STATE SURVEY (RESULTS)
Security
• SSI has the benefit of having no single point of failure
• The increasing demand on the user associated with user control is worrying
• ‘Privacy by demand’, with features such as sector-specific identifiers, is crucial
o Hard to achieve in typical SSI (DLT/DID-based) systems, especially when these unique and persistent identifiers are created sector-, service- or MS-specific in the very moment they are requested
• Important: freshness of attributes (e.g., representation, mandates, professional capacity, custody of minors, etc.) needs to be maintained
o This can only be achieved with online/cloud-based wallets
18. ARCHITECTURE ELEMENTS
VC Issuer
• Confirms wallet holder identity
• Credential proofing
• Issues verifiable credentials
• Revokes verifiable credentials
DID Controller
• Ensures uniqueness of ID
• Confirms wallet control
• Issues secure DID document
Wallet Holder
• Obtains wallet from provider
• Authenticates to the wallet
• Collects new verifiable data
• Authenticates ID to relying party
Wallet Provider
• Provides certified wallet software / hardware
• May be cloud-based
Relying Party (verifier)
• Validates presented credentials
• Authenticates holder
Flows between the elements (diagram labels):
• Verifiable credential (issuer to wallet)
• Wallet control proof
• ID authentication & presentation of credentials (wallet to relying party)
• Trusted DID/VC Registry: information on issuance and revocation of verifiable data; information used to validate verifiable data
20. GOVERNANCE
Governance of SSI-based schemes is still under development
Most experience comes from Sovrin, which takes an approach similar to that applied by many PKI services, including eIDAS Trust Services:
• There is a governing body that oversees the operation of the SSI service providers and sets the rules for assuring the operation of the SSI service providers
• Conformity assessment of the provider by an independent assessor against the assurance rules set by the governing body
• A means for relying parties to assess whether providers are considered trustworthy by the governing body
ISO and CEN are in the early stages of developing standards for managing trust based around SSI, with working drafts looking at trust anchors
21. GOVERNANCE
Governance of wallets
• User has control over the use of their wallet
o They can decide whether to use any particular wallet, as well as select a particular DID or VC within a wallet, to authenticate their identity to a relying party
• Security of SSI depends on the security of the wallet software and environment
o In particular, that the keys and verifiable data are under the sole control of the holder and cannot be leaked to other parties
• Security of the wallet will need to be certified against specific criteria to give assurance for the security of wallets
22. GOVERNANCE
Interdependence
Governance of the different elements of an SSI architecture cannot be considered in isolation
• The VC issuer depends on the DID, as issued by the DID controller, being uniquely assigned to the entity identified by the DID controller, and on the authentication means being under the sole control of the holder of the DID document
• The DID controller needs to be assured that the authentication means is held securely in a certified wallet
• Both DID controller and VC issuer depend on the registry to provide relying parties with the latest state of the DID document and VC
24. CONSIDERATION OF RISKS
Security Measures
Asset Identification
✓ Processes
✓ Data
Risk Identification
✓ Processes
✓ Data
25. SECURITY MEASURES
Data minimization
• Partial release of user attributes for the purpose of data minimization
• Unlinkability of transactions at the cryptographic or protocol level
• Use only identifiers that are required to establish necessary linkability
• Domain-specific identifiers or pseudonyms – a form of identifiers that avoids using the same unique identifier for a user in all its interactions
26. SECURITY MEASURES
Consent and choice
• In a user-centric system, users have control over their data and attributes
• They can exert informed consent, whether the holder attributes are managed and used by a wallet or another entity
27. SECURITY MEASURES
Accuracy and quality
• The user’s attributes shall be bound to the legitimate holder
• Protocols executed between the wallet and other components protect against eavesdropping at the communication and logical layer
• Protection of attribute authenticity and integrity of the attributes
o Attributes released to the relying entities are consistent with the issuer's attributes
29. PRIVACY & SSI
SSI CAN PROVIDE AN EFFECTIVE BASIS FOR DIGITAL IDENTITIES THAT PROTECT THE PRIVACY OF PERSONAL DATA
• Decentralised digital IDs can be used to support pseudonyms for privacy
• VCs enable the separation of potentially private attributes from the digital ID; the user selects attributes that are revealed to relying parties
• Cryptographic separation between transactions through holding multiple authentication keys in a wallet with separate identity documents from different controllers, helping avoid links between the separate transactions
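As an added illustration of the data-minimization measures on slide 25 and the privacy properties on slide 29 (example code written for this page, not code from the ENISA report or from any SSI framework): the issuer commits to each attribute with a salted hash, the wallet reveals only the requested attribute under a relying-party-specific pseudonym, and the relying party checks the opening without learning the hidden attributes. HMAC with a shared issuer key stands in for the issuer's asymmetric signature (which in a real scheme is verified against a public key from the trusted registry), and the issuer key, wallet secret and credential values are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample credential for a hypothetical issuer; not data from the report.
ATTRIBUTES = {"name": "Ada Example", "birth_year": 1990, "qualification": "nurse"}


def commitment(name: str, value, salt: str) -> str:
    """Salted hash of one attribute: reveals nothing until value and salt are disclosed."""
    return hashlib.sha256(f"{name}|{json.dumps(value)}|{salt}".encode()).hexdigest()


def issue_credential(issuer_key: bytes, attributes: dict) -> dict:
    """VC issuer: commit to every attribute separately and authenticate the set of
    commitments. HMAC with issuer_key stands in for the issuer's digital signature."""
    salts = {k: secrets.token_hex(16) for k in attributes}
    commitments = {k: commitment(k, v, salts[k]) for k, v in attributes.items()}
    payload = json.dumps(commitments, sort_keys=True).encode()
    tag = hmac.new(issuer_key, payload, "sha256").hexdigest()
    return {"attributes": attributes, "salts": salts, "commitments": commitments, "issuer_tag": tag}


def pseudonym(wallet_secret: bytes, relying_party: str) -> str:
    """Domain-specific identifier: derived per relying party, so two verifiers
    cannot link the holder through one shared global identifier."""
    return hmac.new(wallet_secret, relying_party.encode(), "sha256").hexdigest()[:32]


def present(credential: dict, reveal: set, wallet_secret: bytes, relying_party: str) -> dict:
    """Wallet holder: disclose only the requested attributes (with their salts)
    and identify under the relying-party-specific pseudonym."""
    return {
        "pseudonym": pseudonym(wallet_secret, relying_party),
        "disclosed": {k: {"value": credential["attributes"][k], "salt": credential["salts"][k]} for k in reveal},
        "commitments": credential["commitments"],
        "issuer_tag": credential["issuer_tag"],
    }


def verify(presentation: dict, issuer_key: bytes) -> bool:
    """Relying party: check the issuer tag over all commitments, then that each
    disclosed value opens its commitment; undisclosed attributes stay hidden."""
    payload = json.dumps(presentation["commitments"], sort_keys=True).encode()
    expected = hmac.new(issuer_key, payload, "sha256").hexdigest()
    if not hmac.compare_digest(expected, presentation["issuer_tag"]):
        return False
    return all(
        commitment(k, d["value"], d["salt"]) == presentation["commitments"].get(k)
        for k, d in presentation["disclosed"].items()
    )
```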
30. GOVERNING SSI
FOR THE GOVERNANCE OF THE ARCHITECTURAL ELEMENTS OF AN SSI SOLUTION, WE NEED TO CONSIDER
• The certification of wallets
• The audit and oversight of DID controllers, VC issuers, and DID and VC registries
• That all the above are interdependent and the governance of the DID controller, the VC issuer, and the other elements of an SSI architecture must also be properly governed
31. SECURITY & SSI
WHEN THE RISKS OF THE SSI ARCHITECTURE ARE CONSIDERED, THE FOLLOWING KEY SECURITY MEASURES NEED TO BE IMPLEMENTED
• Data minimization: Use only necessary data
• Consent and choice: User controls the process and data used for ID
• Accuracy and quality: All parties can trust identification data stored and provided by the wallet
32. SAVE THE DATE: TRUST SERVICES FORUM 2022
27 – 28 October 2022, Berlin, ESMT
8th Trust Services Forum: 27 October 2022
14th CA-Day: 28 October 2022