Our Senior Architect, Sebastian Elfors, recently participated in a panel discussion on the challenges of balancing privacy with usability when developing the EUDI Wallet. Here he shares his thoughts and concerns.
As the co-author of the ETSI TR 119 476 ‘Analysis of selective disclosure and zero-knowledge proofs applied to Electronic Attestation of Attributes,’ I was recently invited to attend the ‘How far should privacy go? Privacy versus Usability’ panel discussion during October’s EU Digital Identity Wallets Forum in Spielfeld’s Digital Hub in the heart of Berlin.
At the panel I was joined by panelists Steffen Schwalm, Principal Consultant at MSG, Mirko Mollik, Identity Architect at SPRIN-D, and Philippe Rixhon, Chair of the Management Board at Valunode OU; the hour-long panel was moderated by Michal Tabor, partner at Obserwatorium.biz.
Throughout the lively and robust discussion, the panel debated and exchanged opinions on various matters, but there was one topic on which the panelists reached complete consensus early on: that user privacy would be essential when EUDI Wallets are rolled out across Europe in the coming years.
The panel also agreed that the eIDAS 2.0 regulation contains the relevant articles and recitals that cater for mandatory selective disclosure and unlinkability when the EUDI Wallets are used to present electronic attributes. Simply put, the concept of selective disclosure allows a user to present a minimum of personal information to a verifier. The classic example is to prove that you are of legal drinking age when entering a bar, without revealing any more personal information than just your age. The principle of verifier unlinkability means that one or more verifiers cannot collude to determine if the selectively disclosed attributes describe the same identity subject.
Assessing what has come before.
Earlier this year, I was appointed to co-author the European Telecommunications Standards Institute (ETSI) report ETSI TR 119 476, which provides a comprehensive overview of existing cryptographic schemes for selective disclosure, unlinkability and zero-knowledge proofs (ZKP). It also gives recommendations on data formats and protocols that are suitable for selective disclosure with the EUDI Wallet.
Similarly, the Architecture Reference and Framework (ARF) specifies the ISO mobile driving license (mDL) MSO and IETF SD-JWT VC as credential formats for selective disclosure, which are the same formats as proposed in the ETSI report. The ISO mDL MSO is a selective disclosure standard based on ‘salted hashes’ of attributes, which are CBOR encoded and signed by the issuer. Likewise, the SD-JWT also contains salted hashes of attributes, which are JSON encoded and signed by the issuer. As such, I believe the ETSI report and ARF are aligned with respect to credential formats.
Because the ISO mDL MSO and SD-JWT are digitally signed with cryptographic algorithms approved by SOG-IS (Senior Officials Group Information Systems Security), they can be used by the EU public sector. The drawback is that ISO mDL MSOs and SD-JWTs must be issued batchwise to the EUDI Wallets to cater for verifier unlinkability, which adds an operational cost for the Qualified Trust Service Providers (QTSPs) and the PID Providers.
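The salted-hash mechanism and the batch-issuance drawback described above, as an added example that is not taken from the ETSI report, the ARF or any wallet implementation: a simplified Python model in the style of SD-JWT disclosures. HMAC with a constructed key stands in for the issuer's signature, and all function names are hypothetical.

```python
import base64, hashlib, hmac, json, secrets

# Constructed key. HMAC stands in for the issuer's asymmetric signature (assumption).
ISSUER_KEY = secrets.token_bytes(32)

def _b64(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _digest(disclosure):
    return _b64(hashlib.sha256(disclosure.encode()).digest())

def issue(claims):
    """Sign only the salted hashes; the wallet keeps the disclosures."""
    disclosures = {}
    for name, value in claims.items():
        salt = _b64(secrets.token_bytes(16))  # fresh salt blocks guessing of hidden values
        disclosures[name] = _b64(json.dumps([salt, name, value]).encode())
    digests = sorted(_digest(d) for d in disclosures.values())  # sorted to hide claim order
    payload = json.dumps({"_sd_alg": "sha-256", "_sd": digests}).encode()
    sig = hmac.new(ISSUER_KEY, payload, hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}, disclosures

def present(credential, disclosures, reveal):
    """Wallet side: send the signed digests plus only the chosen disclosures."""
    return {"credential": credential, "disclosed": [disclosures[n] for n in reveal]}

def verify(presentation):
    """Verifier side: check the signature, then match each disclosure to a signed digest."""
    cred = presentation["credential"]
    expected = hmac.new(ISSUER_KEY, cred["payload"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        raise ValueError("issuer signature check failed")
    signed = set(json.loads(cred["payload"])["_sd"])
    attributes = {}
    for d in presentation["disclosed"]:
        if _digest(d) not in signed:
            raise ValueError("disclosure is not covered by the signed digests")
        _salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        attributes[name] = value
    return attributes

def linkable(p1, p2):
    """Colluding verifiers compare the issuer signatures they each received."""
    return hmac.compare_digest(p1["credential"]["sig"], p2["credential"]["sig"])
```

Presenting one credential to two verifiers makes `linkable` return true even when only `age_over_18` is revealed; using a separately issued credential per verifier makes it false, which is the batch-issuance cost noted above.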
There is, however, also an eIDAS 2.0 article that allows EU Member States to implement more innovative ZKPs on a voluntary basis. By using a ZKP scheme, the user can prove that a given statement is true, while not providing any additional information apart from the fact that the statement is true.
The more advanced ZKP schemes, such as BBS+ (named after its creators Boneh, Boyen, and Shacham) and zk-SNARKs (Zero-Knowledge Succinct Non-Interactive Argument of Knowledge), have the advantages of providing full unlinkability and dynamic predicates, without the additional cost of issuing batches of credentials. There are academic research projects, such as the Cinderella project, which have implemented zk-SNARKs to “pick out” certain elements of a classic X.509 certificate or an ICAO eMRTD (electronic Machine Readable Travel Document according to the International Civil Aviation Organization standard, such as electronic passports), and share those attributes with a verifier. This approach is also attracting some interest from ISO/IEC, which may apply it to a standard for selective disclosure of the ISO mDL attributes.
Certainly, these ZKP schemes need to be standardized before being considered for the EUDI Wallet. The IETF (Internet Engineering Task Force) CFRG (Crypto Forum Research Group) and ISO/IEC (PWI 24843 and CD 27565) are in the process of standardizing BBS+, which may result in BBS+ being referenced by a future version of the ARF.
The challenges of building an EUDI Wallet ecosystem.
Privacy is clearly a complex topic when it comes to the ZKP protocols and related standards that need to be considered for the EUDI Wallet. When it comes to building a complete EUDI Wallet ecosystem, there are even further complexities:
- The eIDAS2 Relying Parties will be registered for specific use cases.
- The QTSPs can issue Qualified Electronic Attestations of Attributes ((Q)EAAs) with embedded disclosure policies, which restrict how the EUDI Wallets can share the (Q)EAAs with Relying Parties.
- The EUDI Wallets will implement access control rights, according to a new CEN TC224 draft standard.
- Last but not least, the users must give their consent to share the (Q)EAAs or PIDs with Relying Parties.
All of this creates a significant user experience challenge for the EUDI Wallet ecosystem, which will require it to be designed and tested thoroughly.
Of course, an important topic when it comes to the EUDI Wallet is transactions. The panelists exchanged ideas on how QTSPs will be able to invoice the Relying Parties for (Q)EAA transactions, in case the QTSP is not notified about how the EUDI Wallet is sharing the (Q)EAAs. In other words, how can a QTSP invoice the Relying Parties without knowing who they are?
There are a few potential solutions to this problem. The first is to count and share each EUDI Wallet Provider’s aggregated and anonymized statistics with the QTSPs. A second option could be to insert payment terms in the (Q)EAAs with embedded disclosure policies, which the Relying Parties must accept before processing the (Q)EAAs. A third option could be to extend the OpenID for Verifiable Presentations (OID4VP) with parameters to check for agreements between the QTSPs and Relying Parties. The OID4VP protocol will be used by the EUDI Wallets for presenting PIDs and (Q)EAAs to the Relying Parties, so it could make sense to extend this protocol to make an a-priori “check” with the Relying Party that there is an agreement in place, prior to sharing the (Q)EAAs.
Given the complexity of the EUDI Wallet ZKP protocols and the challenges in creating an ecosystem of QTSPs and Relying Parties that is also a viable business model, we agreed that discussions need to be ongoing. These topics should preferably be considered by the policy makers in the EU Commission DG CNECT. The EUDI Large Scale Pilots, which are currently underway, should also be encouraged to test the complex scenarios described above.
Considering how important the EUDI Wallet will be to identity management in Europe, it is fundamental for the entire eIDAS 2.0 community to resolve these issues before the EUDI Wallets are rolled out at scale in Europe in the coming years.
By
Sebastian Elfors
Senior Architect