EUSTIX Alliance

We are a non-profit organization supporting the development and usage of electronic identities. We think that electronic identities, and their management, are a core component of infrastructure solutions that provide users of networks with security and build trust. Our focus is the discussion about how to balance the requirements of data security, freedom of expression and public safety, and the consolidation of proposals to transform discussion results into technical realities.

MAPPING at the IGF 2014

The MAPPING team held a panel session at the Internet Governance Forum in Istanbul. I commented with a blog entry, arguing that a Schengen Net is not a huge VPN, but needs to have a fundamentally different architecture.

EUSTIX: new focus team for "Mapping the Internet"

The transition into a digital society is putting up a challenge for policy makers, who need to consider the competing objectives of the innovation ecosystem, consumer protection, intellectual property rights, law enforcement and privacy. Will there be different Internets - a safe one with security, accountability and redress, and an uncensored one featuring better anonymity? Would strict forms of protection of privacy, security or intellectual property rights result in an excess of repression and censorship, or discourage innovation? Would pseudonymity be a feasible compromise? What are the legal and technical measures that are appropriate?

MAPPING - Managing Alternatives for Privacy, Property and Internet Governance - is an EU-funded project to work out a better understanding and contribute to an enabling framework for managing the digital transition and improving the innovation climate in Europe. EUSTIX, with its cross-cutting topic of trust, privacy and identity, is participating in the project to coordinate the contribution of Austrian stakeholders.

Read more under Focus Team: Internet Governance, Privacy and IPR if you are interested in joining the discussion.

"Trust in the Digital World - Vienna 2014" Conference: 7/8 April 2014

"Enabling the Economics of Trust"
EUSTIX, together with EEMA, TDL and the Austrian Chamber of Commerce, is coordinating this conference. It focuses on discussion and consultation rather than presentation and is essential for anyone involved in the digital identity debate. We look forward to welcoming you for the two days of 7th and 8th April 2014, in Vienna.

Main topics are:

Trust: business vs. economics vs. value
eID enabling new lines of business and location factor
Security vs. Privacy
Roles of government vs. private sector
Information Sharing (NIS, CERT)

Broker function for Service Providers in eHerkenning IDM

The Dutch eHerkenning IDM system features a 3-tier architecture with a broker between service providers and identity providers. However, the interface between the broker and the SP has several updates per year and is not fully compliant with standard SAML profiles. For smaller operators this is quite a burden.
Inter Access offers a broker (slim) to convert between the SP and the eHerkenning Broker, to offload the technical integration burden. At the same time it offers a single integration to the technically different DigiD federation for citizens. (Presentation at #IDN13)

Remark: LFRZ follows the same approach with the Standardportal in the upcoming version 2 of PVP in the Austrian Government-internal federation.

Swedish eID system revision

Identity.Next in Den Haag by Nils Fjelkegard:
The Swedish eID system was known in the past for relying mainly on BankIDs, and a telco as well. In 2011 the Swedish eID board was installed, which will steer the transition to a new system. It is a complete overhaul of the system, with new purchasing structures, non-PKI credentials and the migration to a SAML 2.0 (Saml2Int profile) federation.
The current usage rate is about 300m logins per year, with 20% use by the government. The current system costs the government approx. 3 eurocent per login at this volume. The new system will probably move to subscription fees, such as per person and month, to better support high volume services.

NSTIC Trust Framework Gap Analysis

Ken Klingenstein gave a presentation at the Terena REFEDS meeting on the progress of NSTIC pilot projects. A particularly interesting point is the gap analysis that the American Association of Motor Vehicle Administrators performed on trust frameworks. From the key findings:
The prescriptive TFs tended to be either excessively domain-centric or failed to take account of the unique legal status of government agencies, particularly state government; issues of sovereignty, statutory authority, liability and grant of authority will need to be fully addressed in the Project TF.

Wirtschaftsportalverbund event at the Wirtschaftskammer

The Austriapro working group Wirtschaftsportalverbund presents concepts and use cases of federated identity management under the title "Vertrauen schaffen durch gemeinsames Management elektronischer Identitäten" (Creating trust through shared management of electronic identities). The Wirtschaftsportalverbund working group has a strong overlap with the Austrian members of EUSTIX and complementary goals in building eID systems.

Event website

Organizer: AUSTRIAPRO
Date: 28.05.2013 13:00 - 17:00
Venue: Wirtschaftskammer Österreich, Saal 2, Wiedner Hauptstraße 63, 1045 Wien

ABA Identity Management Legal Task Force Meeting (London, Dec 10-11)

This meeting brought together lawyers and other identity experts from the EU and U.S. to discuss the legal challenges of identity management. Hans Graux and Andrea Servida presented the views from the perspective of the EC's new eID regulation draft; the U.S. perspectives were presented by Naomi Lefkovitz (NSTIC). Other public sector viewpoints came from David Rennie (UK Cabinet Office Identity Assurance Programme) and the eCODEX project.
Besides the public sector efforts there are private sector services that do operate across multiple jurisdictions, although in closed systems, i.e. not addressing consumers/citizens. Identrust provides a trust framework that its clients use in 175 countries, and the SAFE Biopharma framework is used by CAs that comply with both the Federal Bridge policy and the requirements to issue qualified certificates.
ISOC's Christine Runnegar shed light on the differences in data protection legislation across continents, but was unable to provide a simple, fast and consistent solution to all the consequential problems ;-)
Renaud Sorieul, Director of UNCITRAL's International Trade Law Division, explained the status of identity management in UNCITRAL. They are aware that this is an important and upcoming problem, but have not put the topic on the agenda yet. Given the available resources, UNCITRAL will need contributions from members, but could then be an appropriate forum to establish international treaties.

Consent as last resort

At today's ISOC "Federation across boundaries" meeting in Prague there was a session on "context and consent". JANET's (UK academic federation) position is interesting: do not ask for consent if it is a binary choice anyway. This is partially founded on the requirement that consent be freely given. Their best practice is to integrate the release of attributes to a relying party as a notification that offers the choice to continue or cancel the transaction.

EUSTIX Symposium

The EUSTIX Launch Event: Symposium on December 13, 2012, Vienna
Over 50 participants from 7 European countries met on a sunny day at a nice location with direct sight over downtown Vienna to discuss eID projects and make plans for future cooperation.

STORK 2.0: European Member States advance eID Interoperability

STORK 2.0... the story continues!

Building on the success and results of STORK project, STORK 2.0 (Secure idenTity acrOss boRders linKed 2.0) goes a step further towards the creation of a single framework and infrastructure for cross-border electronic identification and authentication (eID) in the EU.

Launched in April 2012, this 3-year EU co-funded project will be a key-enabler to support the open, competitive digital economy envisaged in the Europe 2020 Strategy, thus contributing to Europe’s leadership in the field of eID and facilitating borderless digital living and mobility in the EU.
See more at... 
This means that European Member States advance eID interoperability (interoperability of their national eID schemes) and make national eIDs usable for the private sector as well. So let us bring this advantage to all eID stakeholders. EUSTIX is looking forward to seeing STORK progress.

Will dumb browsers become extinct with the Web Crypto API?

From the point of view of identity services, web browsers lack intelligence. The only access to identity management is relying on the transport layer, using TLS with client certificates, which has proved to be neither scalable nor secure in the standard case. Browsers do not know their identity providers and cannot reliably execute the cryptographic primitives of hashing, signing, verifying, etc.
Multiple initiatives, including Microsoft's CardSpace, failed to mitigate the problem with plugins or active clients. OIX (driven by Google) is moving the problem to the cloud using the Account Chooser concept.
W3C, late in the game, is set to fix the problem at the source. The Web Cryptography API spec (now available as a working draft for public comment) is about extending the browser's security model at the application (i.e. JavaScript) level. By providing the user agent with operations on keys, signatures etc., it shall enable applications in the browser to achieve crypto-grade confidentiality, integrity and authenticity.
This effort has to complete the W3C process and be adopted by the browser vendors. Although this might take years, the approach is absolutely worthwhile. Please support it! It will help browsers to no longer be dumb regarding security. It won't help to filter dumb contents, alas.

RFC 6711: An IANA Registry for Level of Assurance (LoA) Profiles

Finally this RFC was published. Its intent is to have a single normative point of reference for security policies like NIST SP 800-63, Kantara IAF and other schemes that have Levels of Assurance, Assurance Levels, Security Classes etc. This is the starting point for any mapping and interoperability exercise.

Craig Burton: SAML is dead
Craig (@craigburton) said at the Cloud Identity Summit (#CIS2012) that SAML is dead. He argues:

  • SAML is the Windows XP of Identity. OAuth is Android, OpenID Connect iOS and Shibboleth Linux
  • No funding. No innovation. People still use it. But it has no future
  • SAML is dead != SAML is bad. SAML is dead != SAML isn’t useful. SAML is dead means SAML != the future.

The ensuing twitter storm gave a topic for the following analyst panel session:

Sally Hudson (IDC):

SAML will be augmented and extended. From a quantitative perspective SAML's life expectancy can be compared with age-old mainframe authentication systems: they still made $200m in 2011. However, there will be newer, more adapted technologies.

It will also be interesting to see how a competition between SAML and OIDC evolves. The story between SAML and WS-* stalled the federation market for a considerable time.

Steve Coplan, 451 Research:

SOAP will not stay forever, rather be replaced by REST. SAML might not support all use cases, but will have a place to stay. It might not accommodate new architectures coming up in the next 3-4 years, like the mobile/app space.

Kantara's Global Trust Framework Survey shows that 75% of all federations in production use SAML WebSSO. (In my talk tomorrow in Track C)

My 2 cents: SAML is mature. SAML is functional and scalable for bread and butter business applications. To do large projects in 2012 and 2013 it is still the safe bet.