FIA Madrid

Trust & Identity SessionPanel 1: Trust

Introduction by Jim Clarke

• High-level introduction to the position paper• the concept of lanes• session focuses on lane 1 (Trust) and 2

(Identity and Privacy)

Keynote Sachar Paulus

• Trust definition close to “business trust”: – willingness to take risk– necessary prerequisite: “get back or blame”– trust vs. faith

• achieve trust by providing recovery options (“contract”)

• accountability

Keynote Sachar Paulus (2)

• Trust into the FI for businesses– Measurability

• Trust into the FI for individuals– right to be left alone– right to time and memory loss– but legal environment needed in consumer role– multi-party security requirements

Keynote Sachar Paulus (3)• Trust in the FI

– trust cannot be outsourced– but: trust management can be outsourced (cf. PKI)

• Scenario: Cloud Computing– Business:

• where is data located?• who runs the services?• who runs the servers?• accountability

– Individuals:• privacy, roll-back option, etc.• transparency, multi-party security

• Security, Privacy and Trust are essential non-functional design properties– no way to outsource them

Position Paper Syed Naqvi (Services)

• how to establish trust in Services• trust: A believes that B behaves exactly as

expected and required• can services be modeled as generic entity• many concepts that are difficult to converge• introduces convergence areas of trust– e.g., resilient services: possible to restore the level of

trust?• RESERVOIR overview: grid, virtualisation, services

Position Paper Syed Naqvi (Services) (2)

• RESERVOIR security requirements– separation of services running in the same virtual

environment– trust: interoperation of service vendors– protect the management interfaces– policies upon migration: only allow migration to

domains with same policy

Position Paper Theodore Zahariadis (Content)

• “Prosumer”• relation to – identity, authentication trust– usage – business (payment)– social context (children)– etc.

• Requirements scale to network issues (cf. slides)• Identity requirements

Position Paper Mirko Presser (RWI)

• there is no single representative scenario• billions of nodes meet billions of consumers• behaviour changes in real-time• Trust starts at the elementary point, i.e., the

node• authentication, authorisation, payment,

accuracy, quality of service

Discussion (1)

• Peter S(?) Eurescom: need for an trustworthy entity (was government, banks etc. before)– Sachar: there will never be one single entity spread

across different entities. Who will be the entities? – Michel: real-time trust necessary, important to design

and measure trust in real-time, build up trust scenarios

– Theodore: different application layers will have different means for establishing trust (cf. payment vs. sensor network usage), we need different methods

Discussion (2)

• real-time trust:– Michel: based on recommendation– or the availability of history (we will need to have

logs immediately raises privacy issues)– Sachar: not a new concept, but the context has

changed in the FI– Theodore: trust without history based on

reputation metrics

Discussion (3)• ? (Uni Vienna): importance of different means,

compartementalisation, how to manage this?– Michel: big difference between trust and security– Syed: trust is a multilateral notion in the FI, – trust based on certification, assurance– Jacques: chained services, liability of software and service

providers, one partner for the customer: the provider of the service consumed by the end user, how does trust propagate through the chain? It will just happen, no way to discuss away the complexity

– Caspar: pointer to InfoCard, usability of trust, privacy, people have different aptitudes, motivation for response (cf. response time of banks for phishing attacks), systematic response only when critical situation occur

Discussion (4)

• activities of GT 2009

Discussion (5)

• ? end-point trust (t-shirt example: we have means to evaluate and impose trust based on the evaluation), need for new models for building reputation, responsibility at multiple levels– Sachar: to which extent do we need to regulate?

regulations can be helpful, but don’t over-regulate

Discussion (6)• Nick: individuals will likely not be willing to take risk, how

to tell them– Michel: depends on the respective trust model, model trust in

terms of behaviour– Theodore: example of reading terms and conditions when

entering a web site, they are never read– Jacques: normally no absolute freedom in offers and service to

customers consumer protection law that provides some trust, need for similar regulation in the FI

– Mirko: ignorance (of the detailed conditions) is a blessing, need only if things go wrong

– is there a higher percentage of bad guys in the FI than in the real world

– Caspar: it will be impossible to provide complete transparency

After Lunch, Volkmar Lotz

Volkmar Lotz, SAP LabsPresentation of Position Paper

What is an identity?Considerations– Privacy-friendly identity– Usability and flexibility– Usage Control Enforcement

Caspar Bowden

Caspar Bowden, Chief Privacy Advisor Microsoft EMEAAn Example of a Strategic Privacy Technology and Implications

for Policy

– Privacy V Security– The trouble with PKI, “Minimum Disclosure Tokens”– Authentication ≠ Identification, Privacy Friendly revocation– Aligning Technology with Policy– Strategic PETs in a Legal Framework

Phil Jansen

Phil Jansen, Manager Security ad Cryptography, IBM Security Lab, Zurich.

– Problem: Digital world never forgets.– Challenges: Controlling Access (security), Accuracy and Usage

(privacy)– Privacy V. Accountability, Anonymity V Traceability– Role of Identity Provider– Research Directions

Discussion (7)

Panel Discussion– Joao Girao, NEC (SWIFT, Daidalos)

Virtual ID defined in Daidalos. Separation of one person’s different IDs (Joao Girao from work and Joao Girao from home want a different ID. One should not be traceable to the other.)

– Kajetan Dolinar, Privacy Protection Cycle, A concept for a systemic privacy protection (PERSIST)Peer-to-Peer security backed-up with the infrastructure defined in PERSIST.PERSIST Privacy Protection Cycle.

Discussion (8)

Panel DiscussionNeeli Prasad, Aalbourg University (ASPIRE)

Real world scenarios• Tracking your children. Who else can see? How to validate the

correct user?• Tracking the food you eat. Where does it come from? How long

did it take to get to me?• Am I paying my bill to the right person?

What does identity really mean?

Discussion (9)Chair

– What are user expectations?, Management of Identity.– What are the gaps? Use these to driver our research roadmap?

Caspar“Blinding” developed 19 years ago but not seen as a

priority. Now we have a problem. Phishing attacks were predicted by some but ignored. Currently have a unique window of opportunity.

Identity V. Anonymity.Prediction rise of traffic analysis attacks by attaacking the

router.

Discussion (10)Caspar“Onion Routing” (?) where packets are bounced off multiple router

randomly to avoid traffic analysis so web server doesn’t know where packets are coming from.

Interface between transport layer and application layer not well understood by most.

Phil JansonGaps are:

– Key players need to get together (like IBM and MS). Need to be able to use either technology interchangeability. Requires Standards

– Deliberate decision by key stakeholders to start deploying. Firstly in s/w eventually in chips.

Discussion (11)ChairWhat’s the delay implementing this?

Kajetan DolinarLegislation

Joao GiraoNeed to rewrite some code already out there. The current Internet is

not optimal.

Neeli PrasadMaybe the pieces are not yet ready. Have to understand what we

need. We have nice solutions, now these protocols should be modified for what we need.

Discussion (12)CasparEconomics is the issue. Most professional don’t even know the

problem exists, never mind a typical user. Market has failed to take care of this issue.

Legal situation is confusion with a clutter of many laws, forcing companies to keep data.

PhilPrivacy is user-centric. Only the user cares. Stakeholders have to push

service providers. Users are not prepared to pay for security/privacy so no business case.

FloorOpenness and privacy. User awareness is missing. Technology cannot

catch up with law. Also need for international laws.

Discussion (13)Floor 2.Reiterate previous speaker.

Floor 3.German Awareness initiative for raising awareness among users of security. “What is missing from security learning?” Q to IT students. Their only concern was the availability of their computer.People will always choose comfort over privacy.

Discussion (14)FloorPublic Sector procurement policies, panel to discuss.

Phil – Switzerland is working on this for citizens’ interaction with the govt.Caspar – Lobbyist shooting down ideas. “Most liberal environment is best for the market” is the thinking.Neeli – Denmark is quite a safe environment. Danish people typically put a lot of information on-line.Jacques (Commission) – Some initiatives already exist like health card in UK. Still societal discussions to take place. Some projects like STORK leading to the possibility for EU govts to come to a policy definition to allow them to start thinking about procurement.Kajetan – Each service provider should be forced to use a Hypocratic database.

Discussion (15)Jacques (Commission) – Standardisation will be introduced.

Chair – summary- Some pieces are available and can be deployed.- Lawyers are 20 years behind- Kids don’t care- Users won’t pay.

Martin PottsMartin Pots – Martel (FEDERICA)FEDERICA is a FIRE project. A large open test bed that can be used for

many things.Federica similar to GENI. Based on GEANT network.Onelab is European part of PlanetLab. Federica is looking into

becoming part of OneLab.Federica can be used by anyone but not for commercial purposes.

Usually a timeframe limit of about 3 months but open for all ideas.

Jacques – Who pays for accessMartin – Federica funded under FP7, only expense is to get connected.

Martin PotsLatif Ladid - Which ideas are of particular interest.Martin – Virtualisation, Security. Federica is IPv6-ready.

Floor – Security testing usually involves negative testing.Martin – Mechanisms will be in place to stop people going outside the

slice allocated to them.Floor (PII project) – Panlabs network can be used for security testing

also. Apply through PII office.

Discussion (16)(New Panel)Jim Clarke – Moving from Trust and Identity/Privacy to Security.Panel member (France) – not talked enough about governance of the

process. Identity of things and virtual services. How to design the management framework.

Volkmar – Lots of dependencies. How to break it into manageable pieces.Chair (UK) – Need to think about pilots. What kind of pilots should we be

deploying.Panel member (France) – Hard to simulate what we need to test – need a real

user.

Floor – a lot of discussion today on privacy, assuming one overall authority. Not as much discussion on user-management of identity.

Panel member (France) – Identity is a vague term (e.g. RFID) treat IP address in different ways in different cases – it is just a pointer.

Discussion (17)Panel member (France) – Need to monitor P2P communications. How to

measure all activity on the network.

Floor – Hard to test across multiple networks.Jim – Should be taken into consideration.

Conclusion Trust Panel

• Real-time• compartementalisation, different means in

place, multiple levels of responsibility• multi-lateral• transitivity of trust, liability• usability• motivation for response• the proper level of regulation