In principle, I consider the implementation of the self-sovereign identity principles such as inclusion, access, transparency, security, privacy and minimization to be desirable for both digital identities and certificates. However, the solutions currently implemented are still not fully developed from a security perspective.
Criticisms of existing SSI solutions
One major criticism is the lack of distinction between digital identities and certificates (e.g., diplomas). With a digital identity, I can prove that I am Marian Margraf; with my degree certificate, I can only prove that Marian Margraf has a degree. The technical security requirements are therefore different. For example, the holder’s certificates may be copied. However, digital identities linked to the respective person must under no circumstances be copied. Furthermore, I consider the unilateral focus on blockchain technologies to be ineffective. SSI should be researched and developed following a technology-neutral approach.
Other valid criticisms of current SSI solutions are that
a) no security proofs exist for the cryptographic protocols in place;
b) services do not have to authenticate themselves to users;
c) services receive data together with additional information that allows them to prove to third parties that the data is genuine; and
d) there is hitherto no technical solution for implementing digital identities on smartphones that implements the device binding security requirement (to prevent digital identities being copied) without using a unique characteristic (a public key) that is always sent to the service.
However, users can be tracked across different services using this unique characteristic: even if provider A only verifies a user's age while provider B receives other identity data such as name and address, the two providers can link their records through the shared public key. This undermines the principles of privacy and minimization.
The aforementioned problems do not exist for the online ID function introduced in 2010.
Implementation of digital identities on mobile end devices
The secure implementation of digital identities on smartphones remains a great challenge. In this respect, the German Federal Office for Information Security (BSI) has already laid the preparatory groundwork and, for example, has set out in Technical Guideline TR-03159 the security requirements for digital identities on mobile end devices that will ensure the assurance level ‘substantial’ in line with the EU eIDAS Regulation on electronic identification and trust services, which is sufficient for most use cases. Specifically, security elements that securely store cryptographic key material and that enable cryptographic algorithms to be carried out securely must be used for this purpose. These are included in most mid- to high-range smartphones and would also be installed in low-range smartphones if appropriate business models are established for smartphone manufacturers (security elements themselves are not expensive). However, it is currently difficult to predict whether smartphone manufacturers would actually allow security elements (including eSIMs) to be used for digital identities. I therefore think that it is sensible to implement digital identities on the basis of the security functions already provided on smartphones and to work with manufacturers to improve their functionality for the use of digital identities. A good example of this is the implementation of the standard for mobile driving licenses (ISO 18013-5) in Apple and Google’s smartphone operating systems.
Vulnerability management for mobile end devices
In contrast to the card-based online ID function for which only a very limited number of security elements (with the corresponding operating system and software) are used, the number of hardware and software versions for mobile end devices is significantly higher. As a result, the possibility of security vulnerabilities being introduced in the future cannot be ruled out, thereby threatening the security of digital identities implemented on mobile end devices. Vulnerability management should therefore be established for these devices, enabling the operator of the overall system to identify and evaluate security vulnerabilities and to introduce appropriate countermeasures, such as excluding individual devices from further use in serious cases.
Prerequisites for the widespread use of digital identities
German citizens will use digital identities if the respective processes are greatly simplified. However, this is also dependent on a wide range of services being available. In this respect, one driver could be the German Online Access Act (OZG), which requires the federal, state and local governments to also provide their administrative services in digital form, although its implementation is significantly delayed. Our studies in this field also support this conclusion: German citizens have a very positive attitude towards digital identities, but they criticize the lack of use cases.
Another essential prerequisite is the harmonization of regulatory requirements regarding digital identities for different sectors, for example healthcare, insurance, finance and public administration. This is the only way to ensure that a great many services can be used with a single digital identity. Harmonization also includes the unambiguous interpretation of attributes. For example, mutual recognition of authenticated digital identities under the eIDAS Regulation is legally binding for all Member States. Databases are planned for semantic definitions of individual attributes. This should be implemented not only for digital identities within the scope of eIDAS but for all digital identities and additionally where certificates are used in an SSI context (e.g., through a voluntary commitment by the solutions provider).
Early involvement of civil society
Parts of civil society are skeptical of the German federal government’s major digitalization projects, partly because the government is pursuing divergent interests. That is why, for example, the introduction of the online ID function in 2010 received a very negative response from the Chaos Computer Club (CCC). Above all, there were fears that the government could use the online ID function to spy on citizens and that it was not capable of designing a secure, privacy-friendly solution. However, critical feedback on such projects should be viewed as an opportunity to involve citizens at an early stage and improve the solution, thereby increasing overall social acceptance, particularly with a view to security and data protection issues.
The entire development process as well as subsequent maintenance and further development should therefore be completely transparent and heavily involve civil society. This means that all implementation concepts (e.g., architecture, crypto and security concepts as well as guidelines for secure software development) must be discussed with the public and made accessible to them from the very start. Proposed amendments should be evaluated and, most importantly, any rejected amendments should be clearly justified. In addition, software development should be structured as an open-source project under a suitable open-source license and the community should be invited to contribute to it. This includes the software components developed as part of the project, smartphone apps and secure element applets.
To that end, an internet portal should be provided — or existing services (e.g., GitHub or GitLab) used — on which all information on the development process, documents and software are listed and the opportunities for participation presented. A key feature of the portal would be the ability of the community to process proposed amendments to documentation and software and the public evaluation of these by project management and the community (acceptance/rejection including justification).
The aforementioned processes and open-source publication in general should meet the standards and best practices of the open-source community (see the publication strategy of the Corona-Warn-App, for example).
Further information
Author
Marian Margraf
Marian Margraf is a professor of information security at Freie Universität Berlin and a department head at Fraunhofer AISEC. He has more than 15 years of experience in the field of information security. He first started his IT security career as a cryptologist at the German Federal Office for Information Security (BSI), where he worked from 2003 to 2008. He then took up the position of senior government official at the German Federal Ministry of the Interior (BMI) in 2008 and contributed to developing the German federal government’s key strategies for information security. He has been a professor since 2013. His research focuses on cryptography, mobile security and information security management. Marian Margraf heads the Secure Systems Engineering department at Fraunhofer AISEC, which specializes in electronic identities, post-quantum cryptography and the development of secure IT systems as well as the increasingly important topic of usable privacy and security. He is often invited to the German Bundestag as a subject expert, educating members of parliament on different issues concerning information security.
Contact: marian.margraf@aisec.fraunhofer.de