Service Provider Accreditation: Enabling and Enforcing Privacy-by-Design in Credential-based Authentication Systems

Research output: Chapter in Book/Report/Conference proceeding › Conference paper › peer-review

Abstract

In credential-based authentication systems (wallets), users transmit personally identifiable and potentially sensitive data to Service Providers (SPs). Here, users must often trust that they are communicating with a legitimate SP and that the SP has a lawful reason for requesting the information that it does. In the event of data misuse, identifying and holding the SP accountable can be difficult.

In this paper, we first enumerate the privacy requirements of electronic wallet systems. For this, we explore applicable legal frameworks and user expectations. Based on this, we argue that forcing each user to evaluate each SP individually is not a tractable solution. Instead, we outline technical measures in the form of an SP accreditation system. We delegate trust decisions to an authorized Accreditation Body (AB), which equips each SP with a machine-readable set of data permissions. These permissions are checked and enforced by the user's wallet software, preventing over-sharing of sensitive data. The accreditation body we propose is publicly auditable. By enabling the detection of misconduct, our accreditation system increases user trust and thereby fosters the proliferation of the system.
Original language: English
Title of host publication: ARES 2024 - 19th International Conference on Availability, Reliability and Security, Proceedings
Subtitle of host publication: International Workshop on Emerging Digital Identities
Place of Publication: New York, NY, USA
Publisher: Association of Computing Machinery
ISBN (Electronic): 9798400717185
Publication status: Published - 30 Jul 2024
Event: 19th International Conference on Availability, Reliability and Security: ARES 2024 - Vienna, Austria
Duration: 30 Jul 2024 to 2 Aug 2024
Conference number: 2024
https://www.ares-conference.eu

Publication series

Name: ACM International Conference Proceeding Series

Conference

Conference: 19th International Conference on Availability, Reliability and Security
Abbreviated title: ARES 2024
Country/Territory: Austria
City: Vienna
Period: 30/07/24 to 2/08/24

Keywords

  • E-ID
  • eIDAS
  • Privacy
  • Self-sovereign Identity
  • Trust
  • Wallet

ASJC Scopus subject areas

  • Software
  • Human-Computer Interaction
  • Computer Vision and Pattern Recognition
  • Computer Networks and Communications
