Zoom Logo

Trust Architecture Task Force - Shared screen with speaker view
Dan Bachenheimer (Accenture)
15:52
is this the eIDAS 2 arch to which you refer? https://ec.europa.eu/transparency/expert-groups-register/screen/meetings/consult?lang=en&meetingId=37639&fromExpertGroups=true
Bart S
17:51
@Dan - yes
Bart S
18:01
some more context here: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021SC0124&rid=3
Tim Bouma
19:45
good analogy - car vs roads. That's why we in Canada are focusing on 'digital credentials', i.e., the roads.
Samuel Smith
20:19
+1 non-zero-trust approaches are problematic
Tim Bouma
20:30
I agree with Bart. Need to focus on end-to-end verifiabilty first.
Samuel Smith
22:01
It is reverting to something analogous to the perimeter security model. Build certified wallets with certified code instead of adopting interoperble protocols for verifiable proofs
Samuel Smith
22:42
The former assumes incorrectly that a cerified wallet will produce verifiable proofs. This is a false assumption.
Isaac Henderson
22:50
https://ec.europa.eu/digital-building-blocks/wikis/display/EBSI/Become+conformant
Samuel Smith
24:50
Breaches of control is yet another "perimeter security" mindset
vlad (SICPA)
25:22
The are defining the wallet as a combination of several products and services that as a whole provide the user these capabilities. Which I read as there won't be single wallet application that enables this but that they leave the space for the existing PKI infrastructure for electronic signatures to coexist with the notion of the digital wallet
vlad (SICPA)
27:08
Also the paper defines that it will be required the mutual authentication of the wallet with the 3rd parties (issuers of PID, QEAA but also relying parties)
Bart S
27:36
@Antti - it's almost an ask for the community to make up their minds ;)
Samuel Smith
27:43
There is nothing wrong with building a better secure code delivery mechanism but it is getting the cart before the horse. End-verifiability should be the requirement and a certified wallet may be a way to deliver that.
Bart S
29:44
https://github.com/sicpa-dlab/essif-bridge links SSI to different trust frameworks
Bart S
33:35
@Drummond: https://essif-lab.eu/essif-train-by-fraunhofer-gesellschaft/
Bart S
37:24
Personal data relating to the provision of European Digital Identity Wallets shall be kept physically and logically separate from anyother data held
vlad (SICPA)
37:36
@Dan - Integrate the functionality to request and obtain PID of the user during onboarding through an interface with electronic identifications means of assurance level high
Dan Bachenheimer (Accenture)
40:02
@Vlad - thanks... I saw that but don't understand how that translates from IAL to AAL
Bart S
42:55
shout out to Fraunhofer! Glad to have you already in the room :D
Isaac Henderson
44:31
Thank you @Bart.
Bart S
45:00
Like SSI, 'wallets' is another thing the community got wrong in their naming practice ;)
Bart S
46:07
To Vlad's point, I feel the naming in the EU document is also very much about being cautious to existing markets of Qualified providers
Bart S
46:50
Another 'cautious' ambition: "EUDI Wallet Issuers are Member States or organisations either mandated or recognized by Member States making the EUDI Wallet available for end users. The terms and conditions of the mandate or recognitionwould be for each Member State to determine.".
Dan Bachenheimer (Accenture)
46:52
my read was that the bar to get qualified is non-trivial as well
Antti Kettunen
47:40
Dan, becoming a QTSP is not easy or cheap.
Antti Kettunen
47:47
"Recurring costs for governance are limited and mainly linked to ensuring compliance; QTSPs spent an average of EUR 800.000 to obtain and maintain the qualified status”
Dan Bachenheimer (Accenture)
47:50
RIGHT!
Antti Kettunen
48:28
“Trust Service Providers would see a modest increase in compliance costs including for qualification, particularly those that already fulfil many of the QTSPs requirements. Based on the costs borne by QTSPs for existing services and excluding the economies of scale that would be achieved by already qualified TSPs, the average cost would be around €545,000 per provider for initial qualification and €255,000 on a recurrent basis.”
Antti Kettunen
48:35
Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021SC0124&rid=3
Bart S
01:09:15
thx all