Service Provider Accreditation: Enabling and Enforcing Privacy-by-Design in Credential-based Authentication Systems

Activity: Talk or presentation; Talk at conference or symposium; Science to science


In credential-based authentication systems (wallets), users transmit personally identifiable and potentially sensitive data to Service Providers (SPs). Here, users must often trust that they are communicating with a legitimate SP and that the SP has a lawful reason for requesting the information that it does. In the event of data misuse, identifying and holding the SP accountable can be difficult.

In this paper, we first enumerate the privacy requirements of electronic wallet systems. For this, we explore applicable legal frameworks and user expectations. Based on this, we argue that forcing each user to evaluate each SP individually is not a tractable solution. Instead, we outline technical measures in the form of an SP accreditation system. We delegate trust decisions to an authorized Accreditation Body (AB), which equips each SP with a machine-readable set of data permissions. These permissions are checked and enforced by the user's wallet software, preventing over-sharing of sensitive data. The accreditation body we propose is publicly auditable. By enabling the detection of misconduct, our accreditation system increases user trust and thereby fosters the proliferation of the system.
Period: 30 July 2024 to 2 Aug. 2024
Event title: 19th International Conference on Availability, Reliability and Security: ARES 2024
Location: Vienna, Austria