Meeco.me

In the past week, I was at #DICE2024 in #Zurich together with Linas Išganaitis representing Meeco.me. I'll do a couple of posts describing my takeaways in the same vein as I did for #EIC2024 #Berlin. Day 1️⃣ was the conference before the unconference. It featured a list of speakers providing various perspectives. 🇨🇭 Beat Jans, head of the FDJP, under which the Swiss eID initiative resides, talked about their journey which after a rough start in 2021 (electronic id was rejected in a referendum) has found new momentum. The new vision and proposal is rooted in providing technological flexibility (i.e. not mandating technology) and it has received, for the first time ever in his time with the govt, wide range support. Their ambition is to launch in 2026, about the same time as the EUDIW. Notably the Swiss join the trend of being very transparent on their choices and actively seeking feedback. The technical roadmap for example, can be found on Github: https://lnkd.in/ePiUj6kp 🛫 Xavier Vila Pueyo gave a wonderfully detailed overview of the Digital Travel Credentials (DTC) specified at ICAO. When implemented and rollout out correctly, this initiative could reduce border control processing times by 50%. I’m willing to bet that for conference goers this is music to their ears. The challenge they have at the moment however is to align with the EUDIW specifications. 🏃♀️ Franziska Granc speedwalked the audience through eIDAS 2014, eIDAS 2.0 and the EU Digital Identity Framework, including the most recent changes in ARF 1.4, emphasising the importance of (lots of) lists. In her opinion Trust List Registrars could be the rising star and cash cows when played correctly, along with the EAA providers. The big losers are the traditional ID Providers, alongside Pub-EAA providers. Wallet providers are a question mark. Is it too soon to place bets in lieu of a killer use case? 🇺🇸 Anil John slapped the audience to death (his words, not mine) with an impressive amount of slides for a 20min slot. What stood out for me was a refresher on the core principles of the US initiative: - Digital is not a requirement, but a *choice* - Eliminate *phone-home* - Eliminate *back-channel* interactions between issuers and verifiers - Support non-trackable selective disclosure - Encourage plurality of independent, interoperable implementations While I don’t necessarily question his intentions, I just can’t help but think that other parts of the US govt might not feel the same and don’t necessarily have a good track record when it comes to not tracking things. After that we had a swim in Lake Geneva, all in all a perfect start of what was a good conference. #digitalidentity #eudiw

All good things must come to an end, and #DICE2024 #Zurich is no different. Below is what we learned on day 3️⃣. 🎫 Wallet Trust Evidence (WTE) and Wallet Instance Attestation (WIA) are defined in the ARF to relay trust, as required by eIDAS 2.0. The omnipresent German EUDIW delegation, represented by Torsten Lodderstedt and Paul Bastian, provided an argument why they think (WTE), issued by a Wallet Provider with the aim to prove to an issuer that the keys used to bind the credential are properly managed, is not only a bad idea from an interop perspective, but provides serious concerns when it comes to correlations issues as the WTE is send to multiple Issuers. They would like to see this removed. The proposal is to instead use Issuer Trust Evidence (ITE), an attestation that is generated by the Wallet and not by the Wallet Provider. The ITE is part of the Credential request, achieves the same goals and has none of the privacy drawbacks. 👨🏫 Oliver Terbu hosted a session on OpenID4VC Advanced Topics. One of the items he discussed is the proposed new OID4VP Query Language. The goal here is to make simple requests, well, simple to implement for Verifiers, as they are usually the least sophisticated but critical for adoption. DIF’s Presentation Exchange spec, prevalent today in profiles features a polymorphic design and a myriad of available options that have proven difficult to implement and as a consequence hinder interoperability as it is doing too many things at once. 📱Me and Linas Išganaitis called a session for the Potential Interop - Track 2, where participants in attendance were able to test OpenID for Verifiable Credential Issuance in person and get quick feedback. Quite useful as you don’t get the opportunity all too often to do this in person these days. ☁ In our last session Mirko Mollik presented Credhub, a new OpenWallet Foundation labs initiative, that provides an alternative to the edge wallet (or device wallet) approach. Much like Meeco's API based approach to wallets, a cloud wallet removes some of the burden for end users, is easy to integrate with and can support a wide variety of devices and clients. With that we bid Zurich adieu. Hope to be there again next year. Thanks to the organising team and hosts for a wonderful event.

I ensure you, nothing wakes you up more than a morning session on Zero-Knowledge Proofs (ZKP) on day 2️⃣ of #DICE2024 #Zurich. So what did we learn? ☕ Johannes Sedlmeir did a very good job taking everyone on a journey. The upside is clear, privacy is protected even better as we only need to send proof of statements instead of revealing underlying data. What made it click for me was that this essentially means that the verification moves from the Verifier to the Holder. The latter simply sends the output and the cryptographic proof that the verification code was executed properly, removing the necessity to send the input (data). He puts his chips on General Purpose ZKP as this is purely software based, meaning we can use existing hardware and existing Credential formats. One of the downsides is that this method is on average a factor 1M slower than traditional cryptography, but this is improving at a steady pace, mostly due to advancements coming out of the blockchain space. The extensions to OpenID4VP could be minimal. To the request we add the verification logic of the Verifier and as a result we send back the same Credential format as today. It would contain the output and the proof allowing the Verifier to validate the result. 🔐 Paul Bastian and Torsten Lodderstedt presented their latest findings from the German EUDIW implementation. They elaborated on their “Authenticated Channel approach”. A countermeasure to ensure that govt signed data provided to the RP can’t be shared with other parties. Why? Because govt verified data is very valuable on the dark web. How does it work? A shared (symmetric) key is used to validate the data between the PID Provider and Wallet, and Wallet and Relying Party to provide assurances to the RP and ensure they can’t easily forward this information. 0️⃣ 1️⃣ Christian Bormann and Paul Bastian explained existing VC Status List approaches using JSON-LD didn’t fit JWT or CWT style credentials, such as IETF’s SD-JWTs and ISO’s Mobile Documents. The Token Status List goal is to be JSON, CBOR based, simple to implement, support multiple statuses and works with all JSON/CBOR based tokens. The people from BDR gave a demo stressing the fact that the implementation indeed was very straightforward. Something to look into for sure. 🏢 Harmen van der Kooij called a session on Organisation Wallets, a topic close and dear to my heart. In these conferences, it is easy to think that govt are the only game in town, but I for one am convinced that private B2C, and B2B, G2B initiatives will be the real drivers for mainstream adoption. The Dutch non-profit is doing proof of concepts on issuing Credentials from the Dutch Chamber of Commerce into Company Wallets. Read all about functional and technical of the “Company Passport” on https://lnkd.in/epbdNAj2.

In the past week, I was at #DICE2024 in #Zurich together with Linas Išganaitis representing Meeco.me. I'll do a couple of posts describing my takeaways in the same vein as I did for #EIC2024 #Berlin. Day 1️⃣ was the conference before the unconference. It featured a list of speakers providing various perspectives. 🇨🇭 Beat Jans, head of the FDJP, under which the Swiss eID initiative resides, talked about their journey which after a rough start in 2021 (electronic id was rejected in a referendum) has found new momentum. The new vision and proposal is rooted in providing technological flexibility (i.e. not mandating technology) and it has received, for the first time ever in his time with the govt, wide range support. Their ambition is to launch in 2026, about the same time as the EUDIW. Notably the Swiss join the trend of being very transparent on their choices and actively seeking feedback. The technical roadmap for example, can be found on Github: https://lnkd.in/ePiUj6kp 🛫 Xavier Vila Pueyo gave a wonderfully detailed overview of the Digital Travel Credentials (DTC) specified at ICAO. When implemented and rollout out correctly, this initiative could reduce border control processing times by 50%. I’m willing to bet that for conference goers this is music to their ears. The challenge they have at the moment however is to align with the EUDIW specifications. 🏃♀️ Franziska Granc speedwalked the audience through eIDAS 2014, eIDAS 2.0 and the EU Digital Identity Framework, including the most recent changes in ARF 1.4, emphasising the importance of (lots of) lists. In her opinion Trust List Registrars could be the rising star and cash cows when played correctly, along with the EAA providers. The big losers are the traditional ID Providers, alongside Pub-EAA providers. Wallet providers are a question mark. Is it too soon to place bets in lieu of a killer use case? 🇺🇸 Anil John slapped the audience to death (his words, not mine) with an impressive amount of slides for a 20min slot. What stood out for me was a refresher on the core principles of the US initiative: - Digital is not a requirement, but a *choice* - Eliminate *phone-home* - Eliminate *back-channel* interactions between issuers and verifiers - Support non-trackable selective disclosure - Encourage plurality of independent, interoperable implementations While I don’t necessarily question his intentions, I just can’t help but think that other parts of the US govt might not feel the same and don’t necessarily have a good track record when it comes to not tracking things. After that we had a swim in Lake Geneva, all in all a perfect start of what was a good conference. #digitalidentity #eudiw

🎉 Privacy by Design is an #ISO standard. 🎉 🎙️ We take a look back on some of our previous guests that tell the story of Privacy by Design - Ann Cavoukian, creator of Privacy by Design and Katryna Dow, CEO at Meeco.me #PrivacyByDesign #ISO31700 #LTADI

I’m honoured to be part of CONVERGENCE 2023 in Brussels 🇧🇪 alongside so many leading #cybersecurity professionals. Cybersecurity is the critical foundation to a trusted digital economy. CONVERGENCE brings together academics, policymakers and technologists doing work behind the scenes. 🇪🇺 🔐 I’ll be joining the European Data and Identity Strategies session alongside Esther Makaay Muhamed Turkanović and Cristian Lepore You can read more about the event and discover this community to follow this important work.👇 Big thank you to David Goodman and Trust in Digital Life for bringing our session together. 🙏 https://lnkd.in/g5pbvjWz