On the 11th of October, ENISA in collaboration with the European Commission organized the 9th consecutive year the Trust Services and eID Forum, renamed and on the 12th of October, D-TRUST in cooperation with TÜViT held the 15th CA-Day.
I was visiting the event physically on both days and was very satisfied. Agenda was great, location and organization was great and even more importantly almost everyone in the industry was there. It was like a high school reunion and seeing friends and partners also in person instead of talking through the screens.
Everything about Trust Services was discussed during these 2 days. I wrote down following learnings:
- EUDI Wallet wider adoption can be expected only at 2026 with first wallets might become available in 2025. Right now it is not yet sure how the wallets exactly will be working.
- The Austrian ecosystem with ID-Austria (previously called handy-Signatur) is very advanced. eID is notified on the LoA high, it can do Qualified Electronic Signatures and has wallet functionalities with mDL (mobile drivers license) and other use cases
- NIS2 has special clauses for trust services and there is one more year to get compliant
- There is a big risk of fragmentation for the upcoming EUDI Wallet. How to make sure that all 27 member states can certify wallets on all mobile devices?
- EUDI Wallets can have private keys in 3 locations, device HSM, detached HSM (e.g. Smart card with NFC) or remote HSM.
- Making apps secure is a challenge as devices have unknown security levels. For example camera video feed, sensors etc can be intercepted. Key elements of device level security: Secure hardware, secure boot, strong authentication, encryption, regular updates, security testing / validation, attestation, 3 rd party evaluation
- EBSI based on blockchains can be used as alternative technology for PKI and x509 certificates and supports many use cases
- AI and deep fakes are a big risk for identity verification and onboarding.
- Having free QES does not mean increased usage, services around it to improve the UX should have higher effect on the uptake.
- Electronic seals are a perfect way to issue “verifiable credentials” already. It is possible to have a claim and be sure who has issued it.
- Running QTSP operations purely on cloud does not necessarily fulfill all the security requirements. Possible solution is to audit cloud service provider CSP on a higher level
- If EUDI Wallet onboarding requires a manual step, the costs will be enormous
- ARF 1.0 (Architecture and Reference Framework) has chosen IETF SD-JWT and ISO Mobile Security Object (MSO), part of the ISO-18013 5 mDL standard, for possible solutions to EUDI selective disclosure (sending only this verifiable data that is needed form a larger dataset)
- Post quantum signature algorithms are coming, better look up what are “lattices”
- “Verifiable mark certificates” for e-mails are cool, these improve deliverability and show sender logos in the e-mail inboxes.
You can find more information including all the slides from https://www.enisa.europa.eu/events/tsf-2023/trust-services-eid-forum-ca-day-2023