
Verifiable Contracting

A Use Case for Onboarding and Contract Offering in Financial Services with eIDAS and Verifiable Credentials

Conference paper. In: Computer Security (ESORICS 2020 International Workshops), Lecture Notes in Computer Science, vol 12580.

Abstract

We investigate the combined use of eIDAS-based electronic identity and Verifiable Credentials for remote onboarding and contracting, and provide a proof-of-concept implementation based on SAML authentication. The main non-trivial value derived from this proposal is a higher degree of assurance in the contract offering phase for the Contracting Service Provider.


Notes

  1. Identity proofing is the process of establishing that an unknown applicant really is who they claim to be, and is performed during customer onboarding (e.g. opening a new bank account); after onboarding, accounts are associated with an authenticator, and subsequently authentication is required for a remote claimant to access an enrolled identity's resources (e.g. online banking). See [18].

  2. Each vertical line in an MSC (Message Sequence Chart) represents an entity, and horizontal arrows represent messages from one component to another. Identity management protocols are often expressed as MSCs to identify any flaws.

  3. https://www.openbankingeurope.eu/qtsps-and-eidas/.

  4. https://github.com/stfbk/vc-saml-node.

  5. In our simple Node.js-based proof-of-concept implementation, this is localhost followed by a port identifying the service provider.

References

  1. Armando, A., Carbone, R., Compagna, L., Cuéllar, J., Pellegrino, G., Sorniotti, A.: An authentication flaw in browser-based single sign-on protocols: impact and remediations. Comput. Secur. 33, 41–58 (2013). https://doi.org/10.1016/j.cose.2012.08.007

  2. Banca d’Italia: Disposizioni in materia di adeguata verifica della clientela per il contrasto del riciclaggio e del finanziamento del terrorismo, July 2019. https://www.bancaditalia.it/compiti/vigilanza/normativa/archivio-norme/disposizioni/20190730-dispo/index.html. (in Italian)

  3. BankID. https://www.bankid.com/en/

  4. Berlin Group: NextGenPSD2 Access to Account Interoperability Framework - Implementation Guidelines, July 2019. https://www.berlin-group.org/nextgenpsd2-downloads

  5. Bisegna, A., Carbone, R., Martini, I., Odorizzi, V., Pellizzari, G., Ranise, S.: Micro-Id-Gym: identity management workouts with container-based microservices. Int. J. Inf. Secur. Cybercrime 8(1), 45–50 (2019). https://doi.org/10.19107/IJISC.2019.01.06

  6. Deloitte: Value proposition of eIDAS-based eID - banking sector, July 2018. https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Study+on+the+opportunities+and+challenges+of+eID+for+Banking

  7. Commission Implementing Regulation (EU) 2015/1502 of 8 September 2015 on setting out minimum technical specifications and procedures for assurance levels for electronic identification means pursuant to Article 8(3) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (text with EEA relevance). http://data.europa.eu/eli/reg_impl/2015/1502/oj

  8. eIDAS guidance documents on Level of Assurance and Notification. https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Guidance+documents

  9. Overview of pre-notified and notified eID schemes under eIDAS. https://ec.europa.eu/cefdigital/wiki/display/EIDCOMMUNITY/Overview+of+pre-notified+and+notified+eID+schemes+under+eIDAS

  10. Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. http://data.europa.eu/eli/reg/2014/910/oj

  11. eIDAS interoperability architecture v1.2, September 2019. https://ec.europa.eu/cefdigital/wiki/download/attachments/82773108/eIDAS%20Interoperability%20Architecture%20v.1.2%20Final.pdf

  12. eIDAS eID Technical Subgroup: eIDAS SAML Attribute Profile, July 2014. https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/eIDAS+eID+Profile

  13. Engelbertz, N., Erinola, N., Herring, D., Somorovsky, J., Mladenov, V., Schwenk, J.: Security analysis of eIDAS – the cross-country authentication scheme in Europe. In: 12th USENIX Workshop on Offensive Technologies (WOOT). USENIX Association, August 2018. https://www.usenix.org/conference/woot18/presentation/engelbertz

  14. ENISA: eIDAS compliant eID solutions, March 2020. https://www.enisa.europa.eu/publications/eidas-compliant-eid-solutions

  15. ETSI: Electronic Signatures and Infrastructures (ESI); Sector Specific Requirements; Qualified Certificate Profiles and TSP Policy Requirements under the payment services Directive (EU) 2015/2366, November 2019. https://www.etsi.org/standards-search#page=1&search=TS119495

  16. OpenID Foundation: Financial-grade API (FAPI) Working Group. https://openid.net/wg/fapi/

  17. FIDO Alliance: White paper: Using FIDO with eIDAS services, April 2020. https://fidoalliance.org/white-paper-using-fido-with-eidas-services/

  18. Grassi, P.A., et al.: Digital Identity Guidelines: Authentication and Lifecycle Management. NIST, June 2017. https://doi.org/10.6028/NIST.SP.800-63b, https://csrc.nist.gov/publications/detail/sp/800-63b/final

  19. IETF RFC 5755: An Internet Attribute Certificate Profile for Authorization, January 2010. https://tools.ietf.org/html/rfc5755

  20. IPZS: Accesso ai servizi in rete mediante la CIE 3.0 - Manuale operativo per gli erogatori di servizi, April 2020. https://www.cartaidentita.interno.gov.it/identificazione-digitale/entra-con-cie/. (in Italian)

  21. Laborde, R., et al.: Know your customer: opening a new bank account online using UAAF. IEEE, January 2020. https://doi.org/10.1109/CCNC46108.2020.9045148

  22. Laborde, R., et al.: A user-centric identity management framework based on the W3C verifiable credentials and the FIDO universal authentication framework. IEEE, January 2020. https://doi.org/10.1109/CCNC46108.2020.9045440

  23. Ministero dell’Interno: Carta d’Identità Elettronica CIE 3.0 - Specifiche Chip, November 2015. https://www.cartaidentita.interno.gov.it/wp-content/uploads/2016/07/cie_3.0_-_specifiche_chip.pdf. (in Italian)

  24. OASIS: SAML V2.0 Technical Overview, March 2008. http://www.oasis-open.org/committees/download.php/27819/sstc-saml-tech-overview-2.0-cd-02.pdf

  25. SSI eIDAS bridge. https://joinup.ec.europa.eu/collection/ssi-eidas-bridge

  26. W3C: Verifiable Credentials Data Model, November 2019. https://www.w3.org/TR/vc-data-model/


Acknowledgments

The authors would like to thank Istituto Poligrafico e Zecca dello Stato (IPZS) for the collaboration on the development of the authentication solution based on the CIE 3.0 carried out in the context of the joint laboratory DigimatLab between FBK and IPZS.

The research has been partly supported by CherryChain S.r.l. in the context of a research and innovation project funded by Autonomous Province of Trento non-refundable contribution under PAT - APIAE agency resolution n. 333 of 18/12/2019.

This work has been partly developed in the context of the Integrated Framework for Predictive and Collaborative Security of Financial Infrastructures (FINSEC) project, which receives funding from the European Union’s Horizon 2020 Research and Innovation Programme under Grant agreement 786727.

Author information

Corresponding author: Alessandro Tomasi.

A Listings

[Listing provided as an image in the original; not reproduced in this extract.]


© 2020 Springer Nature Switzerland AG

Cite this paper

Nóbrega Gonçalves, S.M., Tomasi, A., Bisegna, A., Pellizzari, G., Ranise, S. (2020). Verifiable Contracting. In: Boureanu, I., et al. (eds.) Computer Security. ESORICS 2020. Lecture Notes in Computer Science, vol 12580. Springer, Cham. https://doi.org/10.1007/978-3-030-66504-3_8

  • DOI: https://doi.org/10.1007/978-3-030-66504-3_8

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-66503-6

  • Online ISBN: 978-3-030-66504-3

  • eBook Packages: Computer Science (R0)