0 00:00:00,000 --> 00:00:30,000 Dear viewer, these subtitles were generated by a machine via the service Trint and therefore are (very) buggy. If you are capable, please help us to create good quality subtitles: https://c3subtitles.de/talk/79 Thanks! 1 00:00:11,710 --> 00:00:14,229 OK, now I think we have a picture 2 00:00:14,230 --> 00:00:15,230 here. 3 00:00:16,090 --> 00:00:18,309 Please. We have are paying Kottmann 4 00:00:18,310 --> 00:00:20,529 from the university nightmare here, 5 00:00:20,530 --> 00:00:22,629 who is going to talk to us about some 6 00:00:22,630 --> 00:00:24,669 very interesting developments with a 7 00:00:24,670 --> 00:00:26,829 smartcards and an 8 00:00:26,830 --> 00:00:29,139 attribute based authentication. 9 00:00:29,140 --> 00:00:31,509 So please give it a very warm welcome 10 00:00:31,510 --> 00:00:32,949 to Japan, Kottmann, who is going to 11 00:00:32,950 --> 00:00:35,619 reveal to us the gospel of Elmo. 12 00:00:35,620 --> 00:00:36,620 Thank you. 13 00:00:38,990 --> 00:00:41,359 Yes. So my name is Jarvik Goodman, 14 00:00:41,360 --> 00:00:43,369 I'm from the Rubble University, Nijmegen 15 00:00:43,370 --> 00:00:44,779 in the Netherlands and also from the 16 00:00:44,780 --> 00:00:46,609 Privacy and Identity Labs. 17 00:00:46,610 --> 00:00:48,949 And I'm very grateful to the organizers 18 00:00:48,950 --> 00:00:51,079 of CCC to allow me to give this 19 00:00:51,080 --> 00:00:53,059 presentation about a cool project that we 20 00:00:53,060 --> 00:00:55,339 are doing in animation, in the privacy 21 00:00:55,340 --> 00:00:56,659 and identity lab. 22 00:00:56,660 --> 00:00:58,939 And because of the season, 23 00:00:58,940 --> 00:01:01,009 I thought it was would be good to frame 24 00:01:01,010 --> 00:01:03,229 it as a like a Christmas kind 25 00:01:03,230 --> 00:01:04,729 of story. 26 00:01:04,730 --> 00:01:05,959 The Gospel of Irma. 27 00:01:05,960 --> 00:01:07,849 Irma is our cool project, and I will tell 28 00:01:07,850 --> 00:01:09,379 you later what it means and what it does. 29 00:01:10,910 --> 00:01:13,159 Back in the pre-internet 30 00:01:13,160 --> 00:01:15,289 age, when you had to identify 31 00:01:15,290 --> 00:01:16,999 yourself, you would have, you know, have 32 00:01:17,000 --> 00:01:19,189 a passport or an identity card 33 00:01:19,190 --> 00:01:21,319 and you would, you know, use that 34 00:01:21,320 --> 00:01:23,179 to prove your identity. 35 00:01:23,180 --> 00:01:25,339 You would also use that to prove certain 36 00:01:25,340 --> 00:01:27,229 attributes certain properties about 37 00:01:27,230 --> 00:01:29,629 yourself, like your nationality, 38 00:01:29,630 --> 00:01:31,909 your age or your name. 39 00:01:31,910 --> 00:01:34,339 And in fact, you would actually 40 00:01:34,340 --> 00:01:36,559 have to use that in a physical shop. 41 00:01:36,560 --> 00:01:38,779 You actually have to present your 42 00:01:38,780 --> 00:01:40,549 ID card, for instance, if you would be 43 00:01:40,550 --> 00:01:42,829 slightly younger than me and still look 44 00:01:42,830 --> 00:01:45,169 like about maybe 16 17 45 00:01:45,170 --> 00:01:46,519 and then prove that you were actually 46 00:01:46,520 --> 00:01:49,129 over 18 in order to buy some alcohol. 47 00:01:49,130 --> 00:01:51,259 So, you know, passports were 48 00:01:51,260 --> 00:01:53,180 used a lot and 49 00:01:54,380 --> 00:01:56,749 then internet came and 50 00:01:56,750 --> 00:01:58,009 people thought, OK, we need some 51 00:01:58,010 --> 00:01:59,539 information about these people that use 52 00:01:59,540 --> 00:02:00,540 the internet. 53 00:02:01,310 --> 00:02:03,199 So they basically sort of copied the 54 00:02:03,200 --> 00:02:05,389 passport model of doing 55 00:02:05,390 --> 00:02:07,549 ID and actually also proving, 56 00:02:07,550 --> 00:02:09,439 you know, information about yourself to 57 00:02:09,440 --> 00:02:11,479 the internet world using certificates 58 00:02:13,190 --> 00:02:14,239 x 5.9. 59 00:02:14,240 --> 00:02:16,309 Whatever these things, 60 00:02:16,310 --> 00:02:18,529 you know, contain your name, contain all 61 00:02:18,530 --> 00:02:20,449 information if you have extension fields. 62 00:02:21,890 --> 00:02:23,989 And the good thing of the passport 63 00:02:23,990 --> 00:02:25,969 in the in the physical world was that, 64 00:02:25,970 --> 00:02:27,019 you know, even if you would show your 65 00:02:27,020 --> 00:02:29,299 passport or your identity card to a 66 00:02:29,300 --> 00:02:31,489 shopkeeper, he would usually not have 67 00:02:31,490 --> 00:02:32,689 photographic memory. 68 00:02:32,690 --> 00:02:34,489 So you show the passport, he verifies 69 00:02:34,490 --> 00:02:36,349 your age. And if we get, he forgets about 70 00:02:36,350 --> 00:02:37,339 you. 71 00:02:37,340 --> 00:02:38,779 In the digital world, the digital 72 00:02:38,780 --> 00:02:40,009 merchant never forgets. 73 00:02:40,010 --> 00:02:41,959 He just copies the whole certificate. 74 00:02:41,960 --> 00:02:42,960 That's a problem. 75 00:02:45,260 --> 00:02:47,629 So people thought of like intermediate 76 00:02:47,630 --> 00:02:50,149 steps to smoothen the process. 77 00:02:50,150 --> 00:02:51,889 Also, partly because they didn't want 78 00:02:53,570 --> 00:02:55,099 to store all the information at different 79 00:02:55,100 --> 00:02:57,019 merchants. You want sort of like ease the 80 00:02:57,020 --> 00:02:58,189 experience for the user. 81 00:02:58,190 --> 00:03:00,109 So they thought of something called 82 00:03:00,110 --> 00:03:02,149 identity management, where here in this 83 00:03:02,150 --> 00:03:04,249 picture you have this user that wants to 84 00:03:04,250 --> 00:03:05,659 do some business. 85 00:03:05,660 --> 00:03:07,879 That's what they call a relying party 86 00:03:07,880 --> 00:03:09,919 in these kind of schemes. 87 00:03:09,920 --> 00:03:12,229 And in order to actually access 88 00:03:12,230 --> 00:03:14,149 that service, he will to have identify 89 00:03:14,150 --> 00:03:15,139 himself. 90 00:03:15,140 --> 00:03:16,699 So what would he have to do? 91 00:03:16,700 --> 00:03:18,739 The relying party says, Well, you know, I 92 00:03:18,740 --> 00:03:19,999 have this contract with this identity 93 00:03:20,000 --> 00:03:21,349 provider. So if you have an account 94 00:03:21,350 --> 00:03:23,479 there, just sign in at the identity 95 00:03:23,480 --> 00:03:25,459 provider and then the identity provider 96 00:03:25,460 --> 00:03:27,529 will tell me everything I need to know 97 00:03:27,530 --> 00:03:28,530 about you. 98 00:03:30,170 --> 00:03:32,179 Again, you know, if the ruling party 99 00:03:32,180 --> 00:03:33,709 wanted to, he could ask all kinds of 100 00:03:33,710 --> 00:03:35,809 stuff about yourself, not only your age 101 00:03:35,810 --> 00:03:37,729 or your nationality, because I ask also 102 00:03:37,730 --> 00:03:39,019 your name and other identifying 103 00:03:39,020 --> 00:03:40,339 information. 104 00:03:40,340 --> 00:03:42,439 This is really not so 105 00:03:42,440 --> 00:03:43,440 good. 106 00:03:44,030 --> 00:03:46,249 And that is where enormous steps 107 00:03:46,250 --> 00:03:48,499 in our heroine of the story, where 108 00:03:48,500 --> 00:03:50,300 the gospel, what the gospel is all about. 109 00:03:51,320 --> 00:03:53,779 She is trying to prevent 110 00:03:53,780 --> 00:03:55,099 this situation from happening. 111 00:03:55,100 --> 00:03:56,929 And there is the project that we are. 112 00:03:56,930 --> 00:03:58,699 We are developing in the information 113 00:03:59,890 --> 00:04:01,099 and it's earmuffs stands for. 114 00:04:01,100 --> 00:04:03,439 I reveal my attributes 115 00:04:03,440 --> 00:04:05,209 and it's a call that collaboration 116 00:04:05,210 --> 00:04:07,969 between the my university 117 00:04:07,970 --> 00:04:10,249 and serve that certain that there's a big 118 00:04:10,250 --> 00:04:11,569 network provider for academic 119 00:04:11,570 --> 00:04:12,680 institutions in the Netherlands. 120 00:04:14,090 --> 00:04:15,199 And one of the 121 00:04:16,339 --> 00:04:18,199 important features of of our approach is 122 00:04:18,200 --> 00:04:21,018 that we use actual base credentials 123 00:04:21,019 --> 00:04:23,839 and that allows us to, you know, 124 00:04:23,840 --> 00:04:26,869 only show only prove to certain 125 00:04:26,870 --> 00:04:28,819 relying parties, certain specific 126 00:04:28,820 --> 00:04:30,559 attributes, certain specific pieces of 127 00:04:30,560 --> 00:04:31,969 information about yourself without 128 00:04:31,970 --> 00:04:33,949 revealing everything in one go. 129 00:04:33,950 --> 00:04:34,950 Secondly, 130 00:04:36,050 --> 00:04:38,179 it is smartcard based and 131 00:04:38,180 --> 00:04:40,279 this is what set us apart from a 132 00:04:40,280 --> 00:04:42,049 lot of other attribute based credential 133 00:04:42,050 --> 00:04:44,149 approaches, because we are the first 134 00:04:44,150 --> 00:04:46,459 that actually can implement 135 00:04:46,460 --> 00:04:48,169 a full attribute based credential system 136 00:04:48,170 --> 00:04:49,999 on the smart card with reasonable 137 00:04:50,000 --> 00:04:51,000 performance. 138 00:04:52,400 --> 00:04:54,499 And of course, by Did We Do 139 00:04:54,500 --> 00:04:55,639 This? 140 00:04:55,640 --> 00:04:57,559 A smart card is a more or less secure 141 00:04:57,560 --> 00:04:59,600 container for these kind of credentials. 142 00:05:01,130 --> 00:05:03,199 And by using specific 143 00:05:03,200 --> 00:05:04,759 protocols, we can also make it privacy 144 00:05:04,760 --> 00:05:05,760 friendly. 145 00:05:07,540 --> 00:05:09,249 Everything is open source, actually, all 146 00:05:09,250 --> 00:05:11,079 the sources are on GitHub, I will give 147 00:05:11,080 --> 00:05:12,579 you the link later at the end of the 148 00:05:12,580 --> 00:05:13,839 talks, or you can look 149 00:05:14,980 --> 00:05:16,570 maybe even contribute that we recall 150 00:05:17,950 --> 00:05:20,079 and the the the 151 00:05:20,080 --> 00:05:21,999 main idea of attribute based credentials 152 00:05:22,000 --> 00:05:23,589 in general and also in the project is 153 00:05:23,590 --> 00:05:26,049 that we want to make the user in control. 154 00:05:26,050 --> 00:05:28,299 We want a user to decide 155 00:05:28,300 --> 00:05:30,579 what he shows to a relying party 156 00:05:30,580 --> 00:05:32,109 in order to access a service. 157 00:05:32,110 --> 00:05:33,969 It's not a relying party to decide. 158 00:05:33,970 --> 00:05:36,129 It's the user to decide and sees 159 00:05:36,130 --> 00:05:38,319 and has control of the 160 00:05:38,320 --> 00:05:40,899 infrastructure that we, we envision is 161 00:05:40,900 --> 00:05:41,930 is in principle open. 162 00:05:43,060 --> 00:05:44,889 But there is has to be some kind of 163 00:05:44,890 --> 00:05:46,509 governance, and I will explain later why 164 00:05:46,510 --> 00:05:47,679 that has to be. You have to have 165 00:05:47,680 --> 00:05:49,749 something to decide whether 166 00:05:49,750 --> 00:05:51,279 certain relying parties can be part of 167 00:05:51,280 --> 00:05:53,409 that system, whether certain attribute 168 00:05:53,410 --> 00:05:54,850 issues can be part of the system. 169 00:05:56,170 --> 00:05:57,220 And I'll show you how it works. 170 00:06:00,100 --> 00:06:01,929 The important bit to remember first is 171 00:06:01,930 --> 00:06:04,029 that an attribute based credential 172 00:06:04,030 --> 00:06:06,459 system allows you to prove an attribute 173 00:06:06,460 --> 00:06:07,599 about yourself, your age, your 174 00:06:07,600 --> 00:06:09,699 nationality, some kind of preference, 175 00:06:09,700 --> 00:06:11,319 blood groups, whatever. 176 00:06:11,320 --> 00:06:13,629 Without revealing your full identity, you 177 00:06:13,630 --> 00:06:15,699 each and each and every attribute 178 00:06:15,700 --> 00:06:17,829 is an individual item that you 179 00:06:17,830 --> 00:06:19,689 can individually show and present to 180 00:06:19,690 --> 00:06:20,690 somebody else. 181 00:06:22,750 --> 00:06:25,329 These attributes are stored in so-called 182 00:06:25,330 --> 00:06:26,409 gold credentials. 183 00:06:26,410 --> 00:06:27,849 That's why everything is gold at every 184 00:06:27,850 --> 00:06:31,029 base credentials, and 185 00:06:31,030 --> 00:06:32,769 such a credential is really a secure 186 00:06:32,770 --> 00:06:34,599 container for your attributes. 187 00:06:34,600 --> 00:06:37,029 This is what is stored on the smartcard 188 00:06:38,170 --> 00:06:40,359 mom. In a way, attributes of such 189 00:06:40,360 --> 00:06:42,519 a credential is the key, the key that 190 00:06:42,520 --> 00:06:44,619 is only stored in the smart card 191 00:06:44,620 --> 00:06:46,089 that never leaves a smart card that is 192 00:06:46,090 --> 00:06:47,649 used to prove that you own that 193 00:06:47,650 --> 00:06:48,699 credential. 194 00:06:48,700 --> 00:06:51,039 There's also a expiration 195 00:06:51,040 --> 00:06:52,149 time credential. 196 00:06:52,150 --> 00:06:54,339 I only have a, you know, a 197 00:06:54,340 --> 00:06:56,469 limited validity, 198 00:06:56,470 --> 00:06:58,209 and there are certain attributes. 199 00:06:58,210 --> 00:07:00,309 In case of error, we only have four 200 00:07:00,310 --> 00:07:01,449 attributes per credential. 201 00:07:03,640 --> 00:07:05,889 These credentials are 202 00:07:05,890 --> 00:07:07,480 issued by a credential issuer, 203 00:07:08,530 --> 00:07:10,689 typically after showing that you 204 00:07:10,690 --> 00:07:12,759 have you have the 205 00:07:12,760 --> 00:07:14,829 right or you actually have the 206 00:07:14,830 --> 00:07:16,509 properties that the credential claims 207 00:07:16,510 --> 00:07:18,729 that you have, the credential issuer 208 00:07:18,730 --> 00:07:20,260 will issue you that credential. 209 00:07:21,340 --> 00:07:23,079 Of course, it's very important that 210 00:07:23,080 --> 00:07:24,969 whoever issues the credential has, you 211 00:07:24,970 --> 00:07:27,609 know, anything meaningful to say 212 00:07:27,610 --> 00:07:29,769 about you and is actually trusted 213 00:07:29,770 --> 00:07:30,940 to say something about you. 214 00:07:33,140 --> 00:07:35,389 And also that many other people 215 00:07:35,390 --> 00:07:37,429 trust that is sure to say something about 216 00:07:37,430 --> 00:07:39,529 you, it doesn't really help anybody 217 00:07:39,530 --> 00:07:40,579 here in this room. 218 00:07:40,580 --> 00:07:42,679 If my father would say that my name 219 00:07:42,680 --> 00:07:43,999 is shopping, whom you don't know my 220 00:07:44,000 --> 00:07:45,230 father, so why would you trust him? 221 00:07:46,850 --> 00:07:49,399 Similarly, it wouldn't really help if 222 00:07:49,400 --> 00:07:51,949 my son would go to the liquor store 223 00:07:51,950 --> 00:07:54,290 and say, my father says that I'm 25. 224 00:07:55,520 --> 00:07:57,049 The liquor store said, Yeah, OK, that's 225 00:07:57,050 --> 00:07:59,779 fine. But you know, I want a 226 00:07:59,780 --> 00:08:01,609 proper authority to say this like in a 227 00:08:01,610 --> 00:08:03,529 passport. You know, you need a proper 228 00:08:03,530 --> 00:08:05,089 identity card, a property, proper 229 00:08:05,090 --> 00:08:06,559 passport to do that. 230 00:08:06,560 --> 00:08:07,560 Same goes here. 231 00:08:09,510 --> 00:08:10,979 I already said the provincial contains 232 00:08:10,980 --> 00:08:12,629 attributes and these attributes you can 233 00:08:12,630 --> 00:08:14,339 selectively disclose. 234 00:08:14,340 --> 00:08:16,589 So even though there's always for 235 00:08:16,590 --> 00:08:18,839 at least four slots for attributes 236 00:08:18,840 --> 00:08:21,059 in a credential, that does not mean 237 00:08:21,060 --> 00:08:23,009 that if you want to use the credential, 238 00:08:23,010 --> 00:08:25,199 you have to show all the four 239 00:08:25,200 --> 00:08:26,969 attributes at the same time. 240 00:08:26,970 --> 00:08:28,679 During the show and protocol, you can 241 00:08:28,680 --> 00:08:31,169 decide which attributes to reveal 242 00:08:31,170 --> 00:08:32,399 and which not to reveal. 243 00:08:39,000 --> 00:08:41,009 And what can you use this for? 244 00:08:41,010 --> 00:08:43,739 Notice that I'm calling this 245 00:08:43,740 --> 00:08:45,780 consistently attribute based credentials 246 00:08:47,250 --> 00:08:49,499 when these systems were designed. 247 00:08:49,500 --> 00:08:51,029 They were a first called anonymous 248 00:08:51,030 --> 00:08:52,469 credentials. 249 00:08:52,470 --> 00:08:54,119 So the people from IBM who designed this 250 00:08:54,120 --> 00:08:55,830 called this anonymous credential systems. 251 00:08:57,600 --> 00:08:59,739 But, you know, whether 252 00:08:59,740 --> 00:09:01,229 a conventional is anonymous or not really 253 00:09:01,230 --> 00:09:02,429 depends on the information that's in 254 00:09:02,430 --> 00:09:03,430 there. 255 00:09:03,870 --> 00:09:05,549 If I put my name as an attribute in a 256 00:09:05,550 --> 00:09:07,169 credential that's highly identifying, if 257 00:09:07,170 --> 00:09:09,029 I put a Social Security number in a 258 00:09:09,030 --> 00:09:10,859 attribute in a credential, then this 259 00:09:10,860 --> 00:09:12,719 thing is highly identifying, not 260 00:09:12,720 --> 00:09:13,720 anonymous at all. 261 00:09:16,160 --> 00:09:17,389 That is an important distinction to 262 00:09:17,390 --> 00:09:19,099 remember, because what we're doing here 263 00:09:19,100 --> 00:09:21,409 is to make a system that gives you full 264 00:09:21,410 --> 00:09:24,109 privacy in the infrastructure. 265 00:09:24,110 --> 00:09:26,209 But you can totally put identifying 266 00:09:26,210 --> 00:09:28,309 information in an attribute and use 267 00:09:28,310 --> 00:09:29,310 it that way. 268 00:09:31,450 --> 00:09:32,889 So if you if you look at, for instance, 269 00:09:32,890 --> 00:09:35,169 anonymous uses of these things want 270 00:09:35,170 --> 00:09:37,269 one. Well, simple stuff is like 271 00:09:37,270 --> 00:09:39,579 age verification, like the typical 272 00:09:39,580 --> 00:09:41,199 and almost boring example of the liquor 273 00:09:41,200 --> 00:09:43,419 store where you have to provide proof 274 00:09:43,420 --> 00:09:44,420 your age. 275 00:09:45,520 --> 00:09:47,559 Slightly more interesting, especially 276 00:09:47,560 --> 00:09:49,509 because this is something that started 277 00:09:49,510 --> 00:09:51,969 many, many years ago after 278 00:09:51,970 --> 00:09:54,009 hour of a chip card hacking stuff and 279 00:09:54,010 --> 00:09:55,719 thinking about, OK, how could we improve 280 00:09:55,720 --> 00:09:57,369 that system? One of the things that we 281 00:09:57,370 --> 00:09:59,529 thought of was actually, OK, maybe we can 282 00:09:59,530 --> 00:10:01,079 use attribute based credentials for like 283 00:10:01,080 --> 00:10:03,250 a train ticket system. 284 00:10:05,640 --> 00:10:07,139 And you can't, for instance, encode the 285 00:10:07,140 --> 00:10:09,329 fact that you have a a track 286 00:10:09,330 --> 00:10:11,519 pass that you're free travel on a certain 287 00:10:11,520 --> 00:10:13,589 track or you have free travel for a 288 00:10:13,590 --> 00:10:15,719 month or a year on the Deutsche Bank or 289 00:10:15,720 --> 00:10:16,720 anywhere else. 290 00:10:17,490 --> 00:10:19,109 Another interesting application about to 291 00:10:19,110 --> 00:10:21,569 be best credentials is, for instance, 292 00:10:21,570 --> 00:10:22,619 concert tickets. 293 00:10:22,620 --> 00:10:23,879 I don't know how the situation is here in 294 00:10:23,880 --> 00:10:26,129 Germany, but at least in the Netherlands, 295 00:10:26,130 --> 00:10:28,199 there's a huge black market of popular, 296 00:10:28,200 --> 00:10:29,909 popular shows. 297 00:10:29,910 --> 00:10:31,859 So when a show opens, the ticket sale 298 00:10:31,860 --> 00:10:33,119 opens. 299 00:10:33,120 --> 00:10:35,219 Many people want 300 00:10:35,220 --> 00:10:36,179 to get tickets. 301 00:10:36,180 --> 00:10:37,979 But of course, there's also like 302 00:10:37,980 --> 00:10:39,839 companies that try to get a lot of 303 00:10:39,840 --> 00:10:42,029 tickets, buy them first 304 00:10:42,030 --> 00:10:43,529 and then try to sell them later for 305 00:10:43,530 --> 00:10:44,530 double the price. 306 00:10:46,500 --> 00:10:48,569 Did that you can easily do 307 00:10:48,570 --> 00:10:49,829 that because you basically get the paper 308 00:10:49,830 --> 00:10:51,179 ticket that you can just sell again and 309 00:10:51,180 --> 00:10:52,649 again and again. 310 00:10:52,650 --> 00:10:54,539 Now if you would encode a concert ticket 311 00:10:54,540 --> 00:10:57,509 essay attributes in a credential, 312 00:10:57,510 --> 00:10:59,649 it will be bound to your card. 313 00:10:59,650 --> 00:11:01,589 You will not be able to transfer it to 314 00:11:01,590 --> 00:11:02,849 anybody else. 315 00:11:02,850 --> 00:11:04,979 So by just using and with basic attention 316 00:11:04,980 --> 00:11:07,049 for this kind of systems, for these kind 317 00:11:07,050 --> 00:11:09,419 of applications, you, you, you basically 318 00:11:09,420 --> 00:11:11,099 kill the possibility for having a black 319 00:11:11,100 --> 00:11:12,149 market. Of course, you have to think 320 00:11:12,150 --> 00:11:13,559 about, OK, what do you do if you want to 321 00:11:13,560 --> 00:11:14,849 return your ticket or whatever? 322 00:11:14,850 --> 00:11:16,109 You have to have some exception 323 00:11:16,110 --> 00:11:17,039 processing. 324 00:11:17,040 --> 00:11:19,829 But you get the point. 325 00:11:19,830 --> 00:11:22,109 There's, of course, also an enormous 326 00:11:22,110 --> 00:11:23,669 applications of of credentials. 327 00:11:23,670 --> 00:11:25,559 For instance, loyalty cards like if you 328 00:11:25,560 --> 00:11:26,560 go to your shop, 329 00:11:28,650 --> 00:11:30,629 a subscription to a newspaper. 330 00:11:32,120 --> 00:11:34,039 Online, if I want to access my online 331 00:11:34,040 --> 00:11:36,799 newspaper, I have an account that 332 00:11:36,800 --> 00:11:38,719 can just be anonymous. 333 00:11:38,720 --> 00:11:40,429 They don't have to know who actually 334 00:11:40,430 --> 00:11:41,809 reached that paper. They just want to 335 00:11:41,810 --> 00:11:43,909 know that the person has a subscription 336 00:11:43,910 --> 00:11:45,289 and you can even argue. 337 00:11:45,290 --> 00:11:47,749 But that should be not totally anonymous, 338 00:11:47,750 --> 00:11:48,750 right? 339 00:11:49,690 --> 00:11:51,609 And there's full identifying applications 340 00:11:51,610 --> 00:11:53,589 like using it for passport like stuff 341 00:11:53,590 --> 00:11:55,809 like your address, 342 00:11:55,810 --> 00:11:57,939 your Social Security number or a 343 00:11:57,940 --> 00:11:59,979 student card, or even something like 344 00:11:59,980 --> 00:12:02,079 emergency health information where you 345 00:12:02,080 --> 00:12:04,779 know, attributes in gold, your blood type 346 00:12:04,780 --> 00:12:07,029 and very vital 347 00:12:07,030 --> 00:12:08,030 medical information. 348 00:12:11,280 --> 00:12:12,280 So how does it work? 349 00:12:13,500 --> 00:12:14,669 So here have you. 350 00:12:14,670 --> 00:12:17,099 It's important to realize that in 351 00:12:17,100 --> 00:12:19,229 with basic credentials, the issuing of 352 00:12:19,230 --> 00:12:21,329 a credential is separate from using it. 353 00:12:21,330 --> 00:12:22,769 This is also different from the 354 00:12:22,770 --> 00:12:25,079 transitional model of identity 355 00:12:25,080 --> 00:12:26,429 management that I showed for all the 356 00:12:26,430 --> 00:12:27,779 parties have to be online. 357 00:12:27,780 --> 00:12:29,519 You know, if you go to your line party, 358 00:12:29,520 --> 00:12:31,079 the identity provider also has to be 359 00:12:31,080 --> 00:12:32,819 online. In the case of actual best 360 00:12:32,820 --> 00:12:34,349 credentials, this is not the case. 361 00:12:34,350 --> 00:12:36,449 You first go 362 00:12:36,450 --> 00:12:38,639 to a credential issuer and ask 363 00:12:38,640 --> 00:12:40,799 to issue to get issued a credential 364 00:12:40,800 --> 00:12:42,929 to your card that you hold as 365 00:12:42,930 --> 00:12:43,930 a user. 366 00:12:45,310 --> 00:12:47,199 And then later on, you can use it as a 367 00:12:47,200 --> 00:12:49,539 relying party, and I already 368 00:12:49,540 --> 00:12:51,129 drew the scheme, authorities are in the 369 00:12:51,130 --> 00:12:53,289 corner, too, to 370 00:12:53,290 --> 00:12:55,359 highlight the fact that the scheme 371 00:12:55,360 --> 00:12:57,519 authority has certain rules 372 00:12:57,520 --> 00:12:59,639 about who can be a credential issue or 373 00:12:59,640 --> 00:13:01,929 who cannot be a credential issuer. 374 00:13:01,930 --> 00:13:04,539 In the end, the overall trust, 375 00:13:04,540 --> 00:13:06,729 the overall trust that 376 00:13:06,730 --> 00:13:08,889 users of the system and uses are in this 377 00:13:08,890 --> 00:13:11,259 case, not only ordinary users but also 378 00:13:11,260 --> 00:13:13,839 relying parties depend on 379 00:13:13,840 --> 00:13:16,209 the trust rating of trustworthiness of 380 00:13:16,210 --> 00:13:17,949 individual credential issuers. 381 00:13:17,950 --> 00:13:19,659 In that sense, the situation is a bit 382 00:13:19,660 --> 00:13:21,759 like what you see in the 383 00:13:21,760 --> 00:13:23,679 certificates for four four websites. 384 00:13:24,860 --> 00:13:26,689 If there's one rotten Apple, the whole 385 00:13:26,690 --> 00:13:28,849 trust falls apart. 386 00:13:28,850 --> 00:13:29,850 So that's an issue. 387 00:13:32,480 --> 00:13:34,699 And so, you know, once you have convinced 388 00:13:34,700 --> 00:13:36,379 the credential issuer that you actually 389 00:13:36,380 --> 00:13:38,419 are a person that actually has certain 390 00:13:38,420 --> 00:13:40,369 attributes, he will issue you that 391 00:13:40,370 --> 00:13:42,559 credential. Now, if you want to use 392 00:13:42,560 --> 00:13:44,809 that credential disclosing 393 00:13:44,810 --> 00:13:45,810 some attributes 394 00:13:47,360 --> 00:13:48,470 as a relying party, 395 00:13:49,520 --> 00:13:50,690 another protocol runs. 396 00:13:52,170 --> 00:13:53,219 And in this case, 397 00:13:54,450 --> 00:13:57,509 the relying party has a so-called 398 00:13:57,510 --> 00:13:59,579 relying party certificate 399 00:13:59,580 --> 00:14:01,829 that encodes the access rights 400 00:14:01,830 --> 00:14:03,630 to things that the ruling party can see. 401 00:14:05,190 --> 00:14:07,319 This is important because you can 402 00:14:07,320 --> 00:14:09,389 you can either let the 403 00:14:09,390 --> 00:14:11,549 user decide all by himself 404 00:14:11,550 --> 00:14:13,079 whether he should reveal certain 405 00:14:13,080 --> 00:14:15,839 attributes. But it's even stronger if you 406 00:14:15,840 --> 00:14:17,909 by default restrict the access of 407 00:14:17,910 --> 00:14:19,260 the ruling party anyway. 408 00:14:21,650 --> 00:14:24,049 If a an online 409 00:14:24,050 --> 00:14:26,329 video rental store only needs to verify 410 00:14:26,330 --> 00:14:28,489 whether you are a member or whether 411 00:14:28,490 --> 00:14:29,959 and whether you are a certain age, 412 00:14:29,960 --> 00:14:31,669 because certain age restrictions apply to 413 00:14:31,670 --> 00:14:33,139 certain online material, 414 00:14:34,220 --> 00:14:36,139 you just give him only the right to 415 00:14:36,140 --> 00:14:37,879 verify those attributes. 416 00:14:37,880 --> 00:14:39,889 You don't give him the right to access 417 00:14:39,890 --> 00:14:42,439 name, address, 418 00:14:42,440 --> 00:14:43,440 whatever. 419 00:14:44,830 --> 00:14:46,809 So this is encoded in these ruling party 420 00:14:46,810 --> 00:14:47,980 certificates, and if 421 00:14:49,300 --> 00:14:51,259 a user goes to relying party to access 422 00:14:51,260 --> 00:14:52,499 the service now first, they're relying 423 00:14:52,500 --> 00:14:53,919 upon the certificate is transferred to 424 00:14:53,920 --> 00:14:54,920 the card. 425 00:14:55,900 --> 00:14:57,219 Together with a request for certain 426 00:14:57,220 --> 00:14:59,289 attributes and a card verifies 427 00:14:59,290 --> 00:15:00,879 that the attributes they're relying party 428 00:15:00,880 --> 00:15:02,829 ask for are actually permitted by the 429 00:15:02,830 --> 00:15:03,830 scheme authority. 430 00:15:05,660 --> 00:15:07,879 And then still, the user has a choice 431 00:15:07,880 --> 00:15:10,039 to say, OK, I will actually 432 00:15:10,040 --> 00:15:11,449 reveal these attributes or not. 433 00:15:11,450 --> 00:15:13,849 In any case, you see these like 434 00:15:13,850 --> 00:15:15,739 darker boxes in the in the in the 435 00:15:15,740 --> 00:15:17,359 credential for the attributes that are 436 00:15:17,360 --> 00:15:18,409 not revealed. 437 00:15:22,100 --> 00:15:24,169 Important properties for for these kind 438 00:15:24,170 --> 00:15:26,329 of systems are the following 439 00:15:26,330 --> 00:15:28,429 you. Of course, credentials should not be 440 00:15:28,430 --> 00:15:30,409 or should not be forcible because 441 00:15:30,410 --> 00:15:31,459 otherwise the whole system will be 442 00:15:31,460 --> 00:15:32,460 useless. 443 00:15:33,590 --> 00:15:35,569 And you want to make sure that whenever a 444 00:15:35,570 --> 00:15:37,159 credential contains certain attributes, 445 00:15:37,160 --> 00:15:38,719 then this is something that a credential 446 00:15:38,720 --> 00:15:41,269 issuer issued and not a user generated 447 00:15:41,270 --> 00:15:42,169 all by himself. 448 00:15:42,170 --> 00:15:44,239 Secondly, and this is the 449 00:15:44,240 --> 00:15:46,459 privacy preserving property. 450 00:15:46,460 --> 00:15:47,870 It should be unthinkable. 451 00:15:49,380 --> 00:15:52,109 And unsinkable means that if you 452 00:15:52,110 --> 00:15:54,299 actually has two aspects, first of all, 453 00:15:54,300 --> 00:15:56,429 it should mean that the if you 454 00:15:56,430 --> 00:15:58,529 get a credential issued from an 455 00:15:58,530 --> 00:16:00,209 issuer, the issuer should not be able to 456 00:16:00,210 --> 00:16:02,279 detect the use of that credential 457 00:16:02,280 --> 00:16:04,620 at an at an arbitrary relying party. 458 00:16:05,920 --> 00:16:08,109 So this is totally disconnected 459 00:16:08,110 --> 00:16:10,629 issuer from the use of the credentials. 460 00:16:10,630 --> 00:16:12,159 He has no way of following you 461 00:16:14,230 --> 00:16:15,309 looking at the credentials 462 00:16:16,360 --> 00:16:17,929 in the technical sense, of course. 463 00:16:17,930 --> 00:16:19,689 And again, remember this is in the 464 00:16:19,690 --> 00:16:21,639 technical infrastructure if the 465 00:16:21,640 --> 00:16:24,519 attributes themself contain a 466 00:16:24,520 --> 00:16:25,779 identifying number. 467 00:16:25,780 --> 00:16:27,460 Of course, he will be able to track that. 468 00:16:29,660 --> 00:16:31,759 Secondly, there's also 469 00:16:31,760 --> 00:16:34,189 a unlink ability between 470 00:16:34,190 --> 00:16:36,139 several showings of the same credential 471 00:16:36,140 --> 00:16:37,849 to different relying parties or even to 472 00:16:37,850 --> 00:16:39,049 the same ruling party. 473 00:16:39,050 --> 00:16:41,779 I would go to my online newspaper with my 474 00:16:41,780 --> 00:16:43,459 credential showing that I have a 475 00:16:43,460 --> 00:16:45,649 subscription there than that online 476 00:16:45,650 --> 00:16:47,269 newspaper would not be able to tell that 477 00:16:47,270 --> 00:16:49,039 I was the same person coming there again 478 00:16:49,040 --> 00:16:50,029 and again and again. 479 00:16:50,030 --> 00:16:52,339 So he does not know how much 480 00:16:52,340 --> 00:16:54,409 time I spent on that site or 481 00:16:54,410 --> 00:16:56,269 how many times I go to that site. 482 00:16:57,770 --> 00:16:59,689 So these are very, very strong privacy 483 00:16:59,690 --> 00:17:00,690 guarantees. 484 00:17:01,880 --> 00:17:03,949 Third of all, an important property, but 485 00:17:03,950 --> 00:17:05,838 the hard property is revoke ability. 486 00:17:05,839 --> 00:17:07,429 You want to be able to revoke certain 487 00:17:07,430 --> 00:17:09,259 credentials, for instance, if they are 488 00:17:09,260 --> 00:17:11,649 abused, if they expire. 489 00:17:11,650 --> 00:17:13,729 This you can do by setting the expiry 490 00:17:13,730 --> 00:17:15,828 time of each credential, you know, at 491 00:17:15,829 --> 00:17:16,829 the right time. 492 00:17:17,660 --> 00:17:19,608 But sometimes things, you know, things 493 00:17:19,609 --> 00:17:21,709 change if you encode certain access 494 00:17:21,710 --> 00:17:24,259 rights, for instance, and 495 00:17:24,260 --> 00:17:26,179 you forget to pay for something or 496 00:17:26,180 --> 00:17:28,399 whatever you want to revoke that access, 497 00:17:28,400 --> 00:17:30,679 right? If that is encoded in a 498 00:17:30,680 --> 00:17:31,789 credential, so you want to be able to 499 00:17:31,790 --> 00:17:34,729 revoke credentials, of course. 500 00:17:34,730 --> 00:17:36,439 And you know, if you're paying attention, 501 00:17:36,440 --> 00:17:38,389 you realize that if you want to do that 502 00:17:38,390 --> 00:17:40,009 in an attribute based credential system 503 00:17:40,010 --> 00:17:42,859 that has these unknowability guarantees, 504 00:17:42,860 --> 00:17:44,389 you should already start wondering how 505 00:17:44,390 --> 00:17:45,589 can you do that? 506 00:17:45,590 --> 00:17:47,539 Because you know, I just told you that if 507 00:17:47,540 --> 00:17:50,179 you, you know, if I present a 508 00:17:50,180 --> 00:17:52,009 credential to a to a relying party and I 509 00:17:52,010 --> 00:17:53,419 come back again, he will not be able to 510 00:17:53,420 --> 00:17:54,679 tell that this is the same credential. 511 00:17:54,680 --> 00:17:56,419 So how do I revoke? 512 00:17:56,420 --> 00:17:57,769 This is a challenge. We have some ideas 513 00:17:57,770 --> 00:17:59,689 for that, but that's that's a challenging 514 00:17:59,690 --> 00:18:00,889 thing to do. 515 00:18:00,890 --> 00:18:01,999 Of course, things should be 516 00:18:02,000 --> 00:18:03,859 nontransferable and should not be 517 00:18:03,860 --> 00:18:05,599 possible for somebody else to use my 518 00:18:05,600 --> 00:18:06,600 credentials. 519 00:18:08,210 --> 00:18:10,339 In a technical sense, this is 520 00:18:10,340 --> 00:18:12,499 guaranteed by using this, this key that 521 00:18:12,500 --> 00:18:14,419 is embedded in as one of the attributes 522 00:18:14,420 --> 00:18:16,489 in each and every credential because that 523 00:18:16,490 --> 00:18:18,139 binds it to the card. 524 00:18:18,140 --> 00:18:20,419 Yet, you know, there is not really 525 00:18:20,420 --> 00:18:23,059 that much stopping me from using 526 00:18:24,320 --> 00:18:25,429 my card somewhere else. 527 00:18:32,930 --> 00:18:34,909 We did have we do have certain features 528 00:18:34,910 --> 00:18:37,039 to prevent that the more in the in the in 529 00:18:37,040 --> 00:18:39,199 the online and offline world, sorry 530 00:18:39,200 --> 00:18:40,139 than in the online world. 531 00:18:40,140 --> 00:18:42,829 So you see in there my card. 532 00:18:42,830 --> 00:18:44,269 These are the cards we produce. 533 00:18:44,270 --> 00:18:46,609 We we classify them and lemonade them 534 00:18:46,610 --> 00:18:48,819 and issue them at the moment. 535 00:18:48,820 --> 00:18:50,959 As for testing purposes? 536 00:18:50,960 --> 00:18:53,269 There's mine and you see my picture 537 00:18:53,270 --> 00:18:55,879 on the front and you see some, some 538 00:18:55,880 --> 00:18:57,409 generic information or back saying that 539 00:18:57,410 --> 00:18:59,899 this is a member of is a 540 00:18:59,900 --> 00:19:02,239 property of the IMA project. 541 00:19:02,240 --> 00:19:04,399 So you find it, please return it and 542 00:19:04,400 --> 00:19:06,589 there is a unique 543 00:19:06,590 --> 00:19:08,719 number at the bottom. 544 00:19:08,720 --> 00:19:10,219 Now I said that this was a privacy 545 00:19:10,220 --> 00:19:11,539 friendly tool. So why is this unique 546 00:19:11,540 --> 00:19:12,949 number there? 547 00:19:12,950 --> 00:19:14,449 This unique number is only on the outside 548 00:19:14,450 --> 00:19:16,729 of the card or on the side 549 00:19:16,730 --> 00:19:18,649 of the card. You typically do not present 550 00:19:18,650 --> 00:19:20,509 in the shop, you only show the front. 551 00:19:20,510 --> 00:19:22,579 And this is for if you as a user, want 552 00:19:22,580 --> 00:19:24,949 to revoke your card. 553 00:19:24,950 --> 00:19:25,849 That's what the number is for. 554 00:19:25,850 --> 00:19:27,199 It's not inside the card, it's only on 555 00:19:27,200 --> 00:19:29,509 the outside of the card, inside 556 00:19:29,510 --> 00:19:30,510 the card. 557 00:19:30,980 --> 00:19:32,239 That's a contactless card. 558 00:19:32,240 --> 00:19:34,939 So that means that you can use NFC 559 00:19:34,940 --> 00:19:37,369 phones or NFC tablets as as readers. 560 00:19:38,550 --> 00:19:40,019 Which is a huge advantage, because I 561 00:19:40,020 --> 00:19:42,059 mean, many more and more and more devices 562 00:19:42,060 --> 00:19:43,919 start getting them more smartphones, more 563 00:19:43,920 --> 00:19:45,150 tablets, having that kind of stuff 564 00:19:46,380 --> 00:19:48,689 inside the cars, we implement the filter, 565 00:19:48,690 --> 00:19:50,580 we implement it it makes. 566 00:19:51,860 --> 00:19:52,860 On a maltose card, 567 00:19:54,170 --> 00:19:56,089 we initially started off using a Java 568 00:19:56,090 --> 00:19:58,429 card that was in a very slightly 569 00:19:58,430 --> 00:20:00,589 similar to two to two program. 570 00:20:00,590 --> 00:20:03,139 However, we didn't have the 571 00:20:03,140 --> 00:20:05,179 full access to the crypto hardware that 572 00:20:05,180 --> 00:20:07,399 we really required to do the complex 573 00:20:07,400 --> 00:20:09,559 crypto operations that we have to do in 574 00:20:09,560 --> 00:20:11,689 order to implement this IDMC system 575 00:20:11,690 --> 00:20:13,789 that originally, I think now 10, 15 years 576 00:20:13,790 --> 00:20:15,109 ago, was designed by IBM. 577 00:20:18,050 --> 00:20:20,749 And we use a thousand seventy four bit 578 00:20:20,750 --> 00:20:22,849 keys, which is a bit low, but 579 00:20:22,850 --> 00:20:24,499 otherwise we do not get the performance 580 00:20:24,500 --> 00:20:25,500 that we want. 581 00:20:26,120 --> 00:20:28,879 So this picture on the outside 582 00:20:28,880 --> 00:20:30,949 is needed to ensure 583 00:20:30,950 --> 00:20:33,199 that you, uh, that you are bound 584 00:20:33,200 --> 00:20:34,549 to your credentials, to your car. 585 00:20:34,550 --> 00:20:36,769 So in a in an offline world, in 586 00:20:36,770 --> 00:20:38,839 a shop kind of world, uh, 587 00:20:38,840 --> 00:20:40,969 you can still use this in the 588 00:20:40,970 --> 00:20:42,679 online world. 589 00:20:42,680 --> 00:20:44,089 Of course, the picture is meaningless. 590 00:20:44,090 --> 00:20:45,989 The Reliant party doesn't see it. 591 00:20:45,990 --> 00:20:48,169 So the only thing that we can do then is 592 00:20:48,170 --> 00:20:50,299 using pinkos or something to prevent 593 00:20:50,300 --> 00:20:52,339 somebody who stole your card to use your 594 00:20:52,340 --> 00:20:54,289 card. But it still does not prevent you 595 00:20:54,290 --> 00:20:55,849 from, you know, giving your card to your 596 00:20:55,850 --> 00:20:57,919 little brother and then allowing him 597 00:20:57,920 --> 00:20:59,499 to buy liquor. 598 00:20:59,500 --> 00:21:01,609 This is, but I should add, is something 599 00:21:01,610 --> 00:21:03,799 that happens in all, uh, 600 00:21:03,800 --> 00:21:04,909 online systems anyway. 601 00:21:04,910 --> 00:21:07,279 I mean, I can always, you know, give my 602 00:21:07,280 --> 00:21:09,379 access credentials to somebody 603 00:21:09,380 --> 00:21:10,380 else and he can use it. 604 00:21:13,580 --> 00:21:15,109 About performance, because this is really 605 00:21:15,110 --> 00:21:17,629 the the most interesting 606 00:21:17,630 --> 00:21:19,459 or that was the most challenging thing 607 00:21:19,460 --> 00:21:20,899 that we did. 608 00:21:20,900 --> 00:21:23,119 And that actually allowed us to do it to 609 00:21:23,120 --> 00:21:24,799 to do the whole project in the first 610 00:21:24,800 --> 00:21:26,869 place. And that is that we were able to 611 00:21:26,870 --> 00:21:28,939 do a full card implementation 612 00:21:28,940 --> 00:21:30,109 of it, a mix 613 00:21:31,220 --> 00:21:33,019 on, I think in this case and Infineon 614 00:21:33,020 --> 00:21:34,069 actually does. 615 00:21:34,070 --> 00:21:35,449 These figures are probably from the sixty 616 00:21:35,450 --> 00:21:38,569 six I think we now use to seven 77. 617 00:21:38,570 --> 00:21:41,299 And you see that issuing still takes 618 00:21:41,300 --> 00:21:42,799 depending on the number of attributes 619 00:21:42,800 --> 00:21:44,929 that you want to issue a considerable 620 00:21:44,930 --> 00:21:45,930 amount of time. 621 00:21:46,800 --> 00:21:49,249 But showing 622 00:21:49,250 --> 00:21:51,469 some attributes is 623 00:21:51,470 --> 00:21:52,939 depending on the number of attributes you 624 00:21:52,940 --> 00:21:53,940 want to show. 625 00:21:54,920 --> 00:21:57,029 If you have to attribute 626 00:21:57,030 --> 00:21:58,789 stored and you want to show one 627 00:21:58,790 --> 00:22:01,849 attribute. You'll see that it's almost 628 00:22:01,850 --> 00:22:03,019 a second. 629 00:22:03,020 --> 00:22:04,789 And if you want to show two attributes, 630 00:22:04,790 --> 00:22:06,979 it's zero point eight nine 631 00:22:06,980 --> 00:22:09,229 seconds. But if you have five stored 632 00:22:09,230 --> 00:22:11,299 attributes and you want to disclose 633 00:22:11,300 --> 00:22:13,579 five of them, it's zero 634 00:22:13,580 --> 00:22:15,739 point nine seconds 635 00:22:15,740 --> 00:22:16,740 below a second. 636 00:22:17,660 --> 00:22:19,759 This is usable. 637 00:22:19,760 --> 00:22:21,889 This is not usable for all kinds of 638 00:22:21,890 --> 00:22:23,089 applications, so for instance, the 639 00:22:23,090 --> 00:22:24,559 application that I mentioned that 640 00:22:24,560 --> 00:22:25,879 inspired this research in the first 641 00:22:25,880 --> 00:22:27,769 place, namely public transport. 642 00:22:29,420 --> 00:22:31,069 That's a no go because then people will 643 00:22:31,070 --> 00:22:32,449 have to wait one second before they could 644 00:22:32,450 --> 00:22:34,309 actually go through the tunnel. 645 00:22:34,310 --> 00:22:35,269 That doesn't work. 646 00:22:35,270 --> 00:22:37,099 But for certain online stuff, it works. 647 00:22:37,100 --> 00:22:39,529 And later on in the afternoon, 648 00:22:39,530 --> 00:22:41,359 I'm around to give demos so you can see 649 00:22:41,360 --> 00:22:42,920 how the performance actually feels. 650 00:22:44,580 --> 00:22:46,679 And this is really I think we 651 00:22:46,680 --> 00:22:48,779 are beholders in 652 00:22:48,780 --> 00:22:49,949 a way, a world record in this. 653 00:22:49,950 --> 00:22:51,419 We are the fastest implementation of this 654 00:22:51,420 --> 00:22:53,009 stuff on smart cars. 655 00:22:53,010 --> 00:22:54,989 But before that, we need to have really 656 00:22:54,990 --> 00:22:56,669 good access to the critical pressure, and 657 00:22:56,670 --> 00:22:57,929 we're actually talking to smart card 658 00:22:57,930 --> 00:23:00,089 providers now to actually give 659 00:23:00,090 --> 00:23:02,969 us that access even on other platforms, 660 00:23:02,970 --> 00:23:04,319 because that would really, you know, help 661 00:23:04,320 --> 00:23:06,599 us get this speed even 662 00:23:06,600 --> 00:23:07,600 better. 663 00:23:09,540 --> 00:23:11,609 I read told you that we use 664 00:23:11,610 --> 00:23:13,739 NFC contactless card, and that means that 665 00:23:13,740 --> 00:23:15,059 we have all kinds of terminals that we 666 00:23:15,060 --> 00:23:17,389 can use to, uh, 667 00:23:17,390 --> 00:23:19,679 as terminals in the in the 668 00:23:19,680 --> 00:23:20,819 MRI system. 669 00:23:20,820 --> 00:23:23,339 So we have like Nexus tablets that run 670 00:23:23,340 --> 00:23:24,749 verifiers. 671 00:23:24,750 --> 00:23:26,849 We have you can use NFC 672 00:23:26,850 --> 00:23:29,129 phones and we even at some 673 00:23:29,130 --> 00:23:31,229 points are asked a 674 00:23:31,230 --> 00:23:33,689 point of sale manufacturer 675 00:23:33,690 --> 00:23:35,789 to implement Irma on one of 676 00:23:35,790 --> 00:23:38,579 these phone to sell 677 00:23:38,580 --> 00:23:41,099 dominos. So those are usually used for 678 00:23:41,100 --> 00:23:44,159 Ben or Max Stripe payments. 679 00:23:44,160 --> 00:23:45,389 That one is horribly slow, though, 680 00:23:45,390 --> 00:23:47,159 because it runs on Java and stuff, but it 681 00:23:47,160 --> 00:23:48,160 works. 682 00:23:51,690 --> 00:23:52,859 So I told you about the card, this 683 00:23:52,860 --> 00:23:53,759 contains the credentials. 684 00:23:53,760 --> 00:23:55,649 Now I'm going to tell you about the 685 00:23:55,650 --> 00:23:57,839 application. What, how, how do we make 686 00:23:57,840 --> 00:23:59,069 sure that you can actually use that 687 00:23:59,070 --> 00:24:02,189 system as a relying party? 688 00:24:02,190 --> 00:24:03,479 So first of all, of course, the most 689 00:24:03,480 --> 00:24:05,889 important bit is the the the 690 00:24:05,890 --> 00:24:08,129 the application that allows you to verify 691 00:24:08,130 --> 00:24:09,130 certain attributes. 692 00:24:10,080 --> 00:24:11,399 There was already a picture on the on the 693 00:24:11,400 --> 00:24:13,829 previous slide on the on the 694 00:24:13,830 --> 00:24:14,939 on the left. 695 00:24:14,940 --> 00:24:16,379 This this tablet shows you an error, my 696 00:24:16,380 --> 00:24:17,609 verifier. 697 00:24:17,610 --> 00:24:19,769 And basically, it has a 698 00:24:19,770 --> 00:24:21,989 hardcoded set of attributes that it wants 699 00:24:21,990 --> 00:24:23,489 to verify in this case. 700 00:24:23,490 --> 00:24:25,649 And then if you present your card, 701 00:24:25,650 --> 00:24:27,059 this is an implicit acknowledgment, 702 00:24:27,060 --> 00:24:28,799 acknowledgment that you want to show. 703 00:24:28,800 --> 00:24:30,809 Reveal your attributes there, and then it 704 00:24:30,810 --> 00:24:32,219 verifies whether those attributes are 705 00:24:32,220 --> 00:24:33,569 actually present on the card. 706 00:24:35,190 --> 00:24:36,959 There's also a card proxy because, like I 707 00:24:36,960 --> 00:24:39,029 said, you want to use this also in 708 00:24:39,030 --> 00:24:41,129 all my scenarios, but most 709 00:24:41,130 --> 00:24:43,439 PCs or devices don't really have 710 00:24:43,440 --> 00:24:45,239 a smart card reader. 711 00:24:45,240 --> 00:24:46,769 So we implemented something that we call 712 00:24:46,770 --> 00:24:48,899 the card proxy that allows a I'm sorry 713 00:24:48,900 --> 00:24:51,059 mobile phone to be used as a 714 00:24:51,060 --> 00:24:52,619 card reader for the attributes 715 00:24:53,730 --> 00:24:55,329 while signing in to a 716 00:24:56,700 --> 00:24:58,919 website with a visual browser on 717 00:24:58,920 --> 00:25:01,289 your ordinary PC 718 00:25:01,290 --> 00:25:02,789 imprints. I'm not going to show you here 719 00:25:02,790 --> 00:25:04,019 how it works. The idea is basically that 720 00:25:04,020 --> 00:25:06,209 your mobile phone scans a QR code only 721 00:25:06,210 --> 00:25:08,879 on the screen of the ordinary PC, 722 00:25:08,880 --> 00:25:10,679 and that handles then the authentication 723 00:25:10,680 --> 00:25:12,059 with the session that is basically 724 00:25:12,060 --> 00:25:13,859 encoded in this QR code. 725 00:25:13,860 --> 00:25:15,659 So then the backend can decide, OK, this 726 00:25:15,660 --> 00:25:17,549 is OK. Now I can show you the content on 727 00:25:17,550 --> 00:25:19,679 the on the normal channel, on the on 728 00:25:19,680 --> 00:25:21,839 the browser, and there's something 729 00:25:21,840 --> 00:25:23,909 that we call the card management app. 730 00:25:23,910 --> 00:25:25,499 There's an application that the user 731 00:25:25,500 --> 00:25:27,749 typically uses for himself to see what 732 00:25:27,750 --> 00:25:29,699 credentials are on there on the card to 733 00:25:29,700 --> 00:25:31,769 delete credentials, to maybe change pin 734 00:25:31,770 --> 00:25:34,499 code. And something very important, 735 00:25:34,500 --> 00:25:36,599 we think, is the ability 736 00:25:36,600 --> 00:25:39,059 to view the log file. 737 00:25:39,060 --> 00:25:41,129 The log file maintains all the 738 00:25:41,130 --> 00:25:42,509 actions that have been performed with 739 00:25:42,510 --> 00:25:44,309 this card. So this means that the user 740 00:25:44,310 --> 00:25:46,119 can see which credentials were verified, 741 00:25:46,120 --> 00:25:47,609 that with time, which time by which 742 00:25:47,610 --> 00:25:49,319 relying party. 743 00:25:49,320 --> 00:25:51,059 So this is like a second channel to 744 00:25:51,060 --> 00:25:53,279 verify that shouldn't relying parties 745 00:25:53,280 --> 00:25:55,499 actually did ask for stuff 746 00:25:55,500 --> 00:25:57,629 that they they claimed they were doing? 747 00:25:57,630 --> 00:25:59,429 And you can see after the fact that they 748 00:25:59,430 --> 00:26:01,589 may be over if they so 749 00:26:01,590 --> 00:26:02,549 if that happens. 750 00:26:02,550 --> 00:26:04,319 So this is a second way of verifying and 751 00:26:04,320 --> 00:26:05,849 keeping relying parties in check. 752 00:26:09,610 --> 00:26:11,529 If you if you want to look at the whole 753 00:26:11,530 --> 00:26:13,329 system already, basically we see card 754 00:26:13,330 --> 00:26:15,249 holders and relying parties as users. 755 00:26:16,390 --> 00:26:18,189 Then there's providers that provide all 756 00:26:18,190 --> 00:26:19,629 these kind of services that are essential 757 00:26:19,630 --> 00:26:21,879 for the functioning of the system. 758 00:26:21,880 --> 00:26:23,499 So this is credential issuers, card 759 00:26:23,500 --> 00:26:26,289 issuers and a revocation authority. 760 00:26:26,290 --> 00:26:28,869 The scheme authority basically decides 761 00:26:28,870 --> 00:26:31,149 who gets into the respective 762 00:26:31,150 --> 00:26:33,369 roles and gets certificates to do that. 763 00:26:33,370 --> 00:26:36,219 So, for instance, a credential issuer 764 00:26:36,220 --> 00:26:38,289 needs to have a keeper with which 765 00:26:38,290 --> 00:26:40,569 he can sign the credentials, and that 766 00:26:40,570 --> 00:26:41,739 needs to be stored in a central 767 00:26:41,740 --> 00:26:43,449 repository so that the relying parties 768 00:26:43,450 --> 00:26:45,549 can later use those keys to verify 769 00:26:45,550 --> 00:26:46,779 that the credential is in fact, 770 00:26:46,780 --> 00:26:47,949 authentic. 771 00:26:47,950 --> 00:26:49,629 And then there are certain services at 772 00:26:49,630 --> 00:26:51,909 the sides that you also need to get 773 00:26:51,910 --> 00:26:52,910 the system running. 774 00:26:54,460 --> 00:26:56,619 Like I said, so this is this is 775 00:26:56,620 --> 00:26:59,199 the basically what we have here. 776 00:26:59,200 --> 00:27:01,089 We are currently running a pilot with 777 00:27:01,090 --> 00:27:02,199 students. 778 00:27:02,200 --> 00:27:04,989 We really want to do this in a more 779 00:27:04,990 --> 00:27:07,059 in a larger, slightly 780 00:27:07,060 --> 00:27:09,249 less tech savvy audience. 781 00:27:09,250 --> 00:27:11,439 So if you have ideas come, please come 782 00:27:11,440 --> 00:27:13,239 forward later after the talk. 783 00:27:13,240 --> 00:27:14,779 But there are certain limitations still. 784 00:27:14,780 --> 00:27:16,089 So one of the things I already mentioned, 785 00:27:16,090 --> 00:27:18,219 there's a thousand only four bit RSA key 786 00:27:18,220 --> 00:27:20,049 used, which is really too low 787 00:27:21,190 --> 00:27:22,929 because of the computational limitations 788 00:27:22,930 --> 00:27:24,379 of the card. We cannot do anything with 789 00:27:24,380 --> 00:27:26,949 the quality proofs and 790 00:27:26,950 --> 00:27:28,479 we cannot do parallel proofs. 791 00:27:29,640 --> 00:27:31,019 So typically, normally speaking, 792 00:27:31,020 --> 00:27:32,189 engagement basically answer you can 793 00:27:32,190 --> 00:27:33,929 basically show one credential, then 794 00:27:33,930 --> 00:27:36,119 another. And in the way the proof 795 00:27:36,120 --> 00:27:37,859 is constructed, you can be sure that 796 00:27:37,860 --> 00:27:39,179 those two proofs actually belong 797 00:27:39,180 --> 00:27:40,229 together. 798 00:27:40,230 --> 00:27:42,869 This is something that we cannot do 799 00:27:42,870 --> 00:27:45,059 in order to remedy the 800 00:27:45,060 --> 00:27:46,729 situation, because otherwise you would 801 00:27:46,730 --> 00:27:49,259 maybe be able to fool credentials 802 00:27:49,260 --> 00:27:52,229 and prove, for instance, that your 803 00:27:52,230 --> 00:27:53,159 eye could be able. 804 00:27:53,160 --> 00:27:54,269 I could, for instance, prove that I'm 805 00:27:54,270 --> 00:27:56,459 over 18 and German if somebody 806 00:27:56,460 --> 00:27:58,379 in the room is German without me doing 807 00:27:58,380 --> 00:27:59,699 that proof. 808 00:27:59,700 --> 00:28:02,099 So this is this is limited 809 00:28:02,100 --> 00:28:04,169 by constructing 810 00:28:04,170 --> 00:28:05,909 a channel between the card and the 811 00:28:05,910 --> 00:28:07,649 relying party and ensuring that only 812 00:28:07,650 --> 00:28:09,689 authentic cards talk to the relying 813 00:28:09,690 --> 00:28:10,690 parties. 814 00:28:11,260 --> 00:28:13,569 We are implementing replication, 815 00:28:13,570 --> 00:28:15,039 and I already told you there's weak 816 00:28:15,040 --> 00:28:16,479 binding of the card to the cardholder. 817 00:28:18,580 --> 00:28:19,900 So there are some issues. 818 00:28:23,050 --> 00:28:24,789 But let's get back to the original theme 819 00:28:24,790 --> 00:28:25,790 of the story. 820 00:28:26,740 --> 00:28:28,629 So there we have this Irma, there's this 821 00:28:28,630 --> 00:28:30,399 heroine of the story that's trying to 822 00:28:30,400 --> 00:28:31,899 protect her privacy by implementing 823 00:28:31,900 --> 00:28:33,279 attribute based credentials. 824 00:28:33,280 --> 00:28:35,919 But the powers that be the powers that 825 00:28:35,920 --> 00:28:37,989 you know, we're 826 00:28:37,990 --> 00:28:40,119 there already before the internet was 827 00:28:40,120 --> 00:28:42,459 existed at some points figured 828 00:28:42,460 --> 00:28:44,529 out how the internet works and trying 829 00:28:44,530 --> 00:28:46,569 to exert their powers also onto the 830 00:28:46,570 --> 00:28:49,209 internet, and therefore 831 00:28:49,210 --> 00:28:51,459 they will also exert their powers 832 00:28:51,460 --> 00:28:52,510 onto their mom. 833 00:28:53,590 --> 00:28:56,079 And you know, there's 834 00:28:56,080 --> 00:28:58,809 a general discussion that in 835 00:28:58,810 --> 00:29:00,999 the fields of and this depends 836 00:29:01,000 --> 00:29:02,050 a bit on the country where you live, 837 00:29:03,070 --> 00:29:04,749 whether you should have like identity 838 00:29:04,750 --> 00:29:05,799 systems in the first place. 839 00:29:07,340 --> 00:29:08,779 So why are we building an identity 840 00:29:08,780 --> 00:29:11,029 management identity infrastructure? 841 00:29:11,030 --> 00:29:12,799 If there are these risks and what are 842 00:29:12,800 --> 00:29:13,800 these risks? 843 00:29:14,420 --> 00:29:16,489 Well, one of the 844 00:29:16,490 --> 00:29:18,410 most important risks is function creep. 845 00:29:20,070 --> 00:29:22,199 Because once you show some 846 00:29:22,200 --> 00:29:24,329 attributes to some ruling parties, 847 00:29:24,330 --> 00:29:27,029 to some services, if you, uh, 848 00:29:27,030 --> 00:29:28,469 if you're used to showing that you're 849 00:29:28,470 --> 00:29:30,779 over 18 at a liquor store, 850 00:29:30,780 --> 00:29:32,699 if you're used to showing this and this 851 00:29:32,700 --> 00:29:34,019 and this, and if at some point you use 852 00:29:34,020 --> 00:29:35,249 your image card everywhere and 853 00:29:35,250 --> 00:29:36,839 everywhere, it becomes more and more 854 00:29:36,840 --> 00:29:39,119 natural to show even more articles 855 00:29:39,120 --> 00:29:40,529 everywhere. 856 00:29:40,530 --> 00:29:42,839 And what is stopping these service 857 00:29:42,840 --> 00:29:43,840 providers? 858 00:29:44,980 --> 00:29:47,159 Um, asking for whatever 859 00:29:47,160 --> 00:29:48,959 they want, because that's what they're 860 00:29:48,960 --> 00:29:50,009 doing now, anyway, right? 861 00:29:52,760 --> 00:29:54,229 So and now we're giving them an 862 00:29:54,230 --> 00:29:56,929 infrastructure that is 863 00:29:56,930 --> 00:29:58,579 giving them authentic attributes. 864 00:30:03,030 --> 00:30:05,189 So before you could maybe, you 865 00:30:05,190 --> 00:30:07,259 know, lie about your name 866 00:30:07,260 --> 00:30:09,419 to evade a real name 867 00:30:09,420 --> 00:30:10,619 policy. 868 00:30:10,620 --> 00:30:13,379 Maybe you could lie about your address 869 00:30:13,380 --> 00:30:14,789 where you live if you want to shop 870 00:30:14,790 --> 00:30:16,229 abroad. I mean, there's like services 871 00:30:16,230 --> 00:30:17,489 like border links or whatever that allow 872 00:30:17,490 --> 00:30:19,709 me to shop in Germany or in the U.K. 873 00:30:19,710 --> 00:30:22,529 or the U.S. and they just ship it to me 874 00:30:22,530 --> 00:30:24,329 in a way I'm lying right because it's not 875 00:30:24,330 --> 00:30:25,330 my address. 876 00:30:26,400 --> 00:30:28,319 More fundamentally, maybe, is the fact 877 00:30:28,320 --> 00:30:30,599 that the service provider 878 00:30:30,600 --> 00:30:32,879 sets age restrictions now. 879 00:30:32,880 --> 00:30:35,219 Typically, service providers are 880 00:30:35,220 --> 00:30:37,379 American and their restrictions 881 00:30:37,380 --> 00:30:38,380 are ridiculous. 882 00:30:39,350 --> 00:30:41,509 So, you know, typically parents 883 00:30:41,510 --> 00:30:43,669 in Europe will say, OK, you too there 884 00:30:43,670 --> 00:30:45,829 to judge their children or you can go on 885 00:30:45,830 --> 00:30:48,019 Facebook and in some cases 886 00:30:48,020 --> 00:30:49,549 the children just go on Facebook and live 887 00:30:49,550 --> 00:30:50,869 other agencies themselves. I mean, 888 00:30:50,870 --> 00:30:52,099 they're they're good. 889 00:30:52,100 --> 00:30:54,199 But you know, this is no 890 00:30:54,200 --> 00:30:56,749 longer possible if you have a system 891 00:30:56,750 --> 00:30:58,819 like Irma that would allow Facebook 892 00:30:58,820 --> 00:31:00,919 to verify the age of whoever tries to 893 00:31:00,920 --> 00:31:02,899 sign in using Irma. 894 00:31:02,900 --> 00:31:04,309 You will not be able to lie about your 895 00:31:04,310 --> 00:31:05,310 age anymore. 896 00:31:12,940 --> 00:31:15,699 And attributes our cookies, 897 00:31:15,700 --> 00:31:16,700 really. 898 00:31:19,240 --> 00:31:21,579 If a 899 00:31:21,580 --> 00:31:22,580 big 900 00:31:24,130 --> 00:31:27,009 drop or a big company like DoubleClick 901 00:31:27,010 --> 00:31:29,619 would register as a credential issuer 902 00:31:29,620 --> 00:31:32,019 and whenever I visit the sites 903 00:31:32,020 --> 00:31:33,789 that is affiliated to DoubleClick would 904 00:31:33,790 --> 00:31:36,219 issue a credential with an attribute that 905 00:31:36,220 --> 00:31:38,409 is identifying and 906 00:31:38,410 --> 00:31:39,640 issues that to my card. 907 00:31:41,110 --> 00:31:43,269 And then when I visit an arbitrary 908 00:31:43,270 --> 00:31:44,270 other site. 909 00:31:45,400 --> 00:31:47,499 That is affiliated to DoubleClick that 910 00:31:47,500 --> 00:31:49,749 asks for that credential 911 00:31:49,750 --> 00:31:51,999 and that attributes to be revealed. 912 00:31:52,000 --> 00:31:54,039 I'm tracked all over the place. 913 00:31:55,300 --> 00:31:56,799 And again, it's very authentic, I cannot 914 00:31:56,800 --> 00:31:58,719 play with this stuff, I cannot even try 915 00:31:58,720 --> 00:32:00,909 to taint the database or do anything. 916 00:32:00,910 --> 00:32:02,890 It's, you know, that's a problem. 917 00:32:04,690 --> 00:32:05,799 And I told you about the scheme 918 00:32:05,800 --> 00:32:07,899 authority, which has 919 00:32:07,900 --> 00:32:09,969 a very important role to play 920 00:32:09,970 --> 00:32:11,709 defending against the things that I just 921 00:32:11,710 --> 00:32:12,710 talked about. 922 00:32:13,530 --> 00:32:15,629 But the problem is that who is 923 00:32:15,630 --> 00:32:17,130 the scheme authority going to be? 924 00:32:19,930 --> 00:32:21,680 This is really a hard problem because we 925 00:32:22,700 --> 00:32:23,959 we talked, for instance, in the 926 00:32:23,960 --> 00:32:25,519 Netherlands, they are thinking about 927 00:32:25,520 --> 00:32:27,169 implementing an electronic identity card 928 00:32:27,170 --> 00:32:28,819 as well, like the German system. 929 00:32:30,050 --> 00:32:31,969 And we talk to them and then at some 930 00:32:31,970 --> 00:32:33,799 points we thought, OK, suppose that at 931 00:32:33,800 --> 00:32:35,089 some point the Dutch government would 932 00:32:35,090 --> 00:32:36,769 decide, which I think would be very, very 933 00:32:36,770 --> 00:32:39,139 cool actually to allow 934 00:32:39,140 --> 00:32:41,359 Airmar to be on this Dutch identity 935 00:32:41,360 --> 00:32:42,360 card. 936 00:32:42,700 --> 00:32:44,079 Then the question comes up, who is going 937 00:32:44,080 --> 00:32:45,279 to be the scheme authority, is it going 938 00:32:45,280 --> 00:32:46,929 to be the government? 939 00:32:46,930 --> 00:32:48,759 Is it going to be an independent party? 940 00:32:48,760 --> 00:32:50,499 Is it going to be a company whose that's 941 00:32:50,500 --> 00:32:52,569 going to be because that that 942 00:32:52,570 --> 00:32:54,699 has huge ramifications for the 943 00:32:54,700 --> 00:32:56,829 potential of abuse of 944 00:32:56,830 --> 00:32:59,319 such a system and especially 945 00:32:59,320 --> 00:33:01,089 if, you know, attribute based credentials 946 00:33:01,090 --> 00:33:03,969 are used to prevent the government 947 00:33:03,970 --> 00:33:06,039 from tracking you all over the place. 948 00:33:06,040 --> 00:33:07,119 There may be nothing. 949 00:33:07,120 --> 00:33:08,649 The government being the scheme authority 950 00:33:08,650 --> 00:33:09,650 is not a very good idea. 951 00:33:15,150 --> 00:33:17,399 The underlying theme of 952 00:33:17,400 --> 00:33:19,829 attitude of at least the earmark system 953 00:33:19,830 --> 00:33:21,719 is that we want to put the user in 954 00:33:21,720 --> 00:33:24,509 control, which I think is a 955 00:33:24,510 --> 00:33:26,639 valid point 956 00:33:26,640 --> 00:33:28,139 of departure. 957 00:33:28,140 --> 00:33:29,639 However, you have to be very, very 958 00:33:29,640 --> 00:33:31,859 careful by not making the user 959 00:33:31,860 --> 00:33:34,199 responsible for everything 960 00:33:34,200 --> 00:33:35,819 because the user can screw things up 961 00:33:35,820 --> 00:33:36,809 horribly. 962 00:33:36,810 --> 00:33:39,029 And you really have to think about 963 00:33:39,030 --> 00:33:40,739 these things. And I must admit that this 964 00:33:40,740 --> 00:33:43,169 is hard and we don't 965 00:33:43,170 --> 00:33:44,670 we don't really know yet 966 00:33:46,140 --> 00:33:48,269 how we can help the user making the right 967 00:33:48,270 --> 00:33:49,410 decisions in all cases. 968 00:33:51,220 --> 00:33:52,390 So this is this is also a problem. 969 00:33:55,240 --> 00:33:56,830 Finally, also what I mentioned is 970 00:33:58,030 --> 00:33:59,499 there is this carte management app that 971 00:33:59,500 --> 00:34:00,819 allows you to see all the credentials 972 00:34:00,820 --> 00:34:01,839 that are on your card. 973 00:34:02,890 --> 00:34:04,569 Of course, this card management app is 974 00:34:04,570 --> 00:34:06,129 protected by PIN code. 975 00:34:06,130 --> 00:34:07,629 But you know, if there's some malware on 976 00:34:07,630 --> 00:34:10,448 my my mobile device that I use to verify 977 00:34:10,449 --> 00:34:11,709 you and I'll do something with this card 978 00:34:11,710 --> 00:34:13,779 management app, it's trivial for that 979 00:34:13,780 --> 00:34:15,579 malware to intercept my pin code and then 980 00:34:15,580 --> 00:34:17,379 later, you know, access these credentials 981 00:34:17,380 --> 00:34:18,909 and do whatever it wants. 982 00:34:20,050 --> 00:34:22,269 So this is really a way to pickpocket my, 983 00:34:22,270 --> 00:34:24,399 my, my, my, my, 984 00:34:24,400 --> 00:34:25,480 my card, my credentials. 985 00:34:26,770 --> 00:34:29,198 And there's many, many more, many more. 986 00:34:29,199 --> 00:34:31,479 There's no auditability, which 987 00:34:31,480 --> 00:34:33,309 actually, I mean, this was this is the 988 00:34:33,310 --> 00:34:35,319 purpose of the system, right? 989 00:34:35,320 --> 00:34:36,789 But in certain use cases, this is a 990 00:34:36,790 --> 00:34:38,499 problem for relying parties that want to 991 00:34:38,500 --> 00:34:39,500 use that system. 992 00:34:41,170 --> 00:34:43,059 OK? Told you about the cards many months 993 00:34:43,060 --> 00:34:44,380 after the implements that API. 994 00:34:46,810 --> 00:34:48,759 Of course, a very important issue is also 995 00:34:48,760 --> 00:34:49,869 the fact that attribute based 996 00:34:49,870 --> 00:34:51,999 credentials, if you and 997 00:34:52,000 --> 00:34:53,709 these kind of privacy preserving systems 998 00:34:53,710 --> 00:34:55,809 really go against current business 999 00:34:55,810 --> 00:34:56,810 models. 1000 00:34:57,760 --> 00:34:59,649 And the underlying question is perhaps 1001 00:34:59,650 --> 00:35:01,539 that OK, of course, we should build price 1002 00:35:01,540 --> 00:35:02,829 enhancing technologies, but maybe we 1003 00:35:02,830 --> 00:35:04,269 should also try to counter the business 1004 00:35:04,270 --> 00:35:06,439 models that, you know, go in, go against 1005 00:35:06,440 --> 00:35:07,440 this. 1006 00:35:08,930 --> 00:35:11,449 People want to share and 1007 00:35:11,450 --> 00:35:14,689 and for for, uh, for, uh, 1008 00:35:14,690 --> 00:35:17,869 uh, say, more government kind of people. 1009 00:35:17,870 --> 00:35:19,069 They always have this argument that 1010 00:35:19,070 --> 00:35:22,279 anonymous, anonymous anonymity is abused 1011 00:35:22,280 --> 00:35:23,629 by people that don't want to show what 1012 00:35:23,630 --> 00:35:25,099 they're doing. So for them, this is a 1013 00:35:25,100 --> 00:35:26,689 disadvantage. I'm not saying that it's 1014 00:35:26,690 --> 00:35:28,789 for me, isn't that disadvantage, but this 1015 00:35:28,790 --> 00:35:29,989 is certainly for certain people a 1016 00:35:29,990 --> 00:35:31,399 disadvantage to these kind of systems. 1017 00:35:32,900 --> 00:35:33,949 So the question is, 1018 00:35:35,630 --> 00:35:36,889 I've been telling you about the school 1019 00:35:36,890 --> 00:35:38,689 program, and I still think it's cool, but 1020 00:35:38,690 --> 00:35:41,179 I'm also telling you about these problems 1021 00:35:41,180 --> 00:35:43,369 that we see with a system 1022 00:35:43,370 --> 00:35:46,579 like this. So how can we reconcile 1023 00:35:46,580 --> 00:35:48,109 good and evil? 1024 00:35:48,110 --> 00:35:50,449 Can we reconcile good and evil? 1025 00:35:50,450 --> 00:35:51,680 Should we reconcile? 1026 00:35:54,360 --> 00:35:55,360 Well, I think. 1027 00:35:56,610 --> 00:35:58,829 And we need to we need 1028 00:35:58,830 --> 00:36:00,959 to think about how to make identity 1029 00:36:00,960 --> 00:36:03,419 and identity systems 1030 00:36:03,420 --> 00:36:05,099 more privacy friendly because they are 1031 00:36:05,100 --> 00:36:07,199 out there, they're in Belgium, they're in 1032 00:36:07,200 --> 00:36:09,329 Estonia, they're in Germany. 1033 00:36:09,330 --> 00:36:11,429 The German system is slightly 1034 00:36:11,430 --> 00:36:13,079 privacy friendly. I should say they allow 1035 00:36:13,080 --> 00:36:15,359 you to approve certain attributes 1036 00:36:15,360 --> 00:36:17,909 about yourself, but they are. 1037 00:36:17,910 --> 00:36:19,589 It's limited and their security features 1038 00:36:19,590 --> 00:36:20,590 are different. 1039 00:36:21,570 --> 00:36:23,309 Different talk all by itself, actually. 1040 00:36:23,310 --> 00:36:25,319 If you want to know more, please discuss 1041 00:36:25,320 --> 00:36:26,320 Come up, come up. 1042 00:36:27,180 --> 00:36:29,669 So you know, these things happen. 1043 00:36:29,670 --> 00:36:31,769 And if these things are built, then 1044 00:36:31,770 --> 00:36:33,419 I'd rather have a system that has the 1045 00:36:33,420 --> 00:36:36,109 technology that allows you to 1046 00:36:36,110 --> 00:36:37,409 to make it more privacy friendly 1047 00:36:38,850 --> 00:36:39,850 from the start. 1048 00:36:40,950 --> 00:36:43,109 And not make it totally trackable, like a 1049 00:36:43,110 --> 00:36:45,209 belching system or 1050 00:36:45,210 --> 00:36:46,680 a different duchess system. 1051 00:36:49,890 --> 00:36:51,359 But I think the more fundamental point 1052 00:36:51,360 --> 00:36:53,909 here, and that's the the 1053 00:36:53,910 --> 00:36:55,709 message that I also want to send here is 1054 00:36:55,710 --> 00:36:58,049 that, you know, technology alone 1055 00:36:58,050 --> 00:37:00,239 doesn't help, is useless, is helpless. 1056 00:37:00,240 --> 00:37:01,240 It's whatever less. 1057 00:37:03,090 --> 00:37:05,519 It's one thing you do together 1058 00:37:05,520 --> 00:37:06,520 with. 1059 00:37:08,190 --> 00:37:10,559 You know, legal safeguards, 1060 00:37:10,560 --> 00:37:11,560 together with 1061 00:37:12,720 --> 00:37:14,849 economic principles, business models, 1062 00:37:14,850 --> 00:37:16,169 whatever, think about these things as 1063 00:37:16,170 --> 00:37:18,629 well and in general, 1064 00:37:18,630 --> 00:37:20,699 think as a society about how you want 1065 00:37:20,700 --> 00:37:22,530 to use this system, these systems. 1066 00:37:23,640 --> 00:37:25,319 Because even if we would implement a 1067 00:37:25,320 --> 00:37:27,059 totally privacy friendly attack with 1068 00:37:27,060 --> 00:37:28,679 presidential system like Irma and 1069 00:37:28,680 --> 00:37:30,809 implement this on a national 1070 00:37:30,810 --> 00:37:33,059 ID card, if people 1071 00:37:33,060 --> 00:37:35,069 really want to abuse that system for 1072 00:37:35,070 --> 00:37:36,959 total surveillance, they will be able to 1073 00:37:36,960 --> 00:37:37,960 do that. 1074 00:37:38,820 --> 00:37:41,099 But at least 1075 00:37:41,100 --> 00:37:43,079 in this kind of way, you make it much 1076 00:37:43,080 --> 00:37:44,099 harder to do it. 1077 00:37:44,100 --> 00:37:46,289 And if you would have the proper controls 1078 00:37:46,290 --> 00:37:48,149 in terms of a good scheme authority that 1079 00:37:48,150 --> 00:37:50,009 has it independence, if you would have 1080 00:37:50,010 --> 00:37:51,929 proper legal safeguards, if you would 1081 00:37:51,930 --> 00:37:54,089 have proper incentives to use 1082 00:37:54,090 --> 00:37:56,219 these systems in the right way, then we 1083 00:37:56,220 --> 00:37:57,869 actually would have a world that is much 1084 00:37:57,870 --> 00:37:58,870 more privacy friendly. 1085 00:38:00,300 --> 00:38:02,939 And that concludes my talk. 1086 00:38:02,940 --> 00:38:05,399 Thank you for your patience. 1087 00:38:05,400 --> 00:38:07,529 And are you listening 1088 00:38:07,530 --> 00:38:09,869 this early hour here in Hamburg? 1089 00:38:11,520 --> 00:38:13,829 If there are any questions, please, 1090 00:38:13,830 --> 00:38:16,499 please feel free to use the microphones 1091 00:38:16,500 --> 00:38:18,809 I'm told I. 1092 00:38:27,640 --> 00:38:28,959 You know, thanks for the presentation, 1093 00:38:28,960 --> 00:38:30,639 also touching on some of the more 1094 00:38:30,640 --> 00:38:32,019 challenging aspects. 1095 00:38:32,020 --> 00:38:33,669 I've heard similar talks about these 1096 00:38:33,670 --> 00:38:35,949 attributes. Credentials are focusing 1097 00:38:35,950 --> 00:38:38,139 specifically on the crypto, which 1098 00:38:38,140 --> 00:38:39,879 researchers get totally excited about. 1099 00:38:41,200 --> 00:38:43,269 But as you stated, the real 1100 00:38:43,270 --> 00:38:44,829 problem solve of the incentives into 1101 00:38:44,830 --> 00:38:47,259 business models. And so I'm curious 1102 00:38:47,260 --> 00:38:49,509 like, what's your take 1103 00:38:49,510 --> 00:38:51,699 on the way 1104 00:38:51,700 --> 00:38:53,079 the system is out there? 1105 00:38:53,080 --> 00:38:54,789 Or does the technology exist for many 1106 00:38:54,790 --> 00:38:56,799 years already and hasn't been really been 1107 00:38:56,800 --> 00:38:58,899 deployed in in the 1108 00:38:58,900 --> 00:39:00,639 way other than in research labs 1109 00:39:02,170 --> 00:39:04,239 and the two companies who 1110 00:39:04,240 --> 00:39:06,399 had been spearheading this effort, 1111 00:39:06,400 --> 00:39:08,859 IBM and Microsoft even themself 1112 00:39:08,860 --> 00:39:10,269 are not using that technology. 1113 00:39:10,270 --> 00:39:12,039 In fact, they are doing standardization 1114 00:39:12,040 --> 00:39:14,079 on completely different technologies. 1115 00:39:14,080 --> 00:39:16,389 And if you look at 1116 00:39:16,390 --> 00:39:18,459 the marketplace and you mentioned the 1117 00:39:18,460 --> 00:39:20,469 practices on, for example, mobile phone 1118 00:39:20,470 --> 00:39:22,659 applications illustrate that 1119 00:39:22,660 --> 00:39:23,660 there's obviously 1120 00:39:24,790 --> 00:39:26,919 huge reluctance to just ask for 1121 00:39:26,920 --> 00:39:27,999 a limited number of. 1122 00:39:29,380 --> 00:39:31,599 Data elements, but instead, people ask 1123 00:39:31,600 --> 00:39:33,729 for everything, even your most 1124 00:39:33,730 --> 00:39:35,710 stupid, the stupidest game 1125 00:39:36,790 --> 00:39:38,889 does that. Yeah, and nobody enforces 1126 00:39:38,890 --> 00:39:41,199 that. So like how do we actually 1127 00:39:41,200 --> 00:39:43,779 get from where we are today to 1128 00:39:43,780 --> 00:39:46,599 anything that is better, even if it's not 1129 00:39:46,600 --> 00:39:48,819 like all these fancy crypto 1130 00:39:48,820 --> 00:39:50,029 around it? 1131 00:39:50,030 --> 00:39:51,579 Yeah, that's a that's a very good 1132 00:39:51,580 --> 00:39:52,580 question. 1133 00:39:53,350 --> 00:39:54,969 Actually, you're asking many different 1134 00:39:54,970 --> 00:39:56,439 questions in one question, which is a 1135 00:39:56,440 --> 00:39:57,459 challenge to answer. 1136 00:39:57,460 --> 00:39:58,419 But thanks anyway. 1137 00:39:58,420 --> 00:39:59,420 It's good. 1138 00:40:00,490 --> 00:40:02,799 I think your observation about people 1139 00:40:02,800 --> 00:40:04,749 not using this kind of technology is 1140 00:40:04,750 --> 00:40:06,579 actually much is not even limited to 1141 00:40:06,580 --> 00:40:07,689 attribute based credentials. 1142 00:40:07,690 --> 00:40:10,149 I think it's limited to its extensive 1143 00:40:10,150 --> 00:40:12,849 identity management systems in general. 1144 00:40:12,850 --> 00:40:14,919 I mean, we still use username password 1145 00:40:14,920 --> 00:40:17,049 systems almost everywhere. 1146 00:40:17,050 --> 00:40:18,909 And this has to do with the fact that in 1147 00:40:18,910 --> 00:40:21,009 a in any identity management system 1148 00:40:21,010 --> 00:40:22,269 and this includes attribute based 1149 00:40:22,270 --> 00:40:24,639 credential systems, the the 1150 00:40:24,640 --> 00:40:27,009 there is a two sided market, 1151 00:40:27,010 --> 00:40:29,169 unique users that are able 1152 00:40:29,170 --> 00:40:31,329 to use the system and you need 1153 00:40:31,330 --> 00:40:33,609 relying parties that accept that form 1154 00:40:33,610 --> 00:40:36,219 of identity assurance, 1155 00:40:36,220 --> 00:40:37,479 so to speak. 1156 00:40:37,480 --> 00:40:38,829 And the problem is, of course, if there's 1157 00:40:38,830 --> 00:40:40,389 no use, there's no ruling party is going 1158 00:40:40,390 --> 00:40:41,829 to implement that interface. 1159 00:40:41,830 --> 00:40:43,089 And if there's no ruling party 1160 00:40:43,090 --> 00:40:44,379 implementing that interface, there's not 1161 00:40:44,380 --> 00:40:46,119 going to be a user wanting to use those 1162 00:40:46,120 --> 00:40:48,279 systems. So that's that is in itself 1163 00:40:48,280 --> 00:40:49,539 a challenge. 1164 00:40:49,540 --> 00:40:51,819 But you have, I think I disagree 1165 00:40:51,820 --> 00:40:53,170 with you on that. But 1166 00:40:55,180 --> 00:40:57,129 there are many identity management 1167 00:40:57,130 --> 00:40:58,899 systems used today in different in 1168 00:40:58,900 --> 00:41:01,239 different industries and for 1169 00:41:01,240 --> 00:41:03,369 consumer based web services like 1170 00:41:03,370 --> 00:41:05,589 if you think of course this one, you 1171 00:41:05,590 --> 00:41:06,999 find out all over the place. 1172 00:41:07,000 --> 00:41:09,189 Yeah, but the challenge has been 1173 00:41:09,190 --> 00:41:11,709 and you hinted slightly to that is 1174 00:41:11,710 --> 00:41:14,379 the choice of the technology. 1175 00:41:14,380 --> 00:41:15,669 So you had these smart cards. 1176 00:41:15,670 --> 00:41:17,259 Obviously, if you want to use smart cards 1177 00:41:17,260 --> 00:41:19,029 with your regular web browser, you would 1178 00:41:19,030 --> 00:41:21,309 be you basically cut 95 1179 00:41:21,310 --> 00:41:23,499 percent of your audience away, 1180 00:41:23,500 --> 00:41:24,849 which is for many of the internet 1181 00:41:24,850 --> 00:41:26,889 services. Obviously an issue, even if 1182 00:41:26,890 --> 00:41:28,749 they if they kill three percent of the 1183 00:41:28,750 --> 00:41:29,979 audience. So 1184 00:41:31,150 --> 00:41:33,879 how you actually get to this 1185 00:41:33,880 --> 00:41:36,249 have an incremental deployment stories 1186 00:41:36,250 --> 00:41:37,209 is sort of the challenge. 1187 00:41:37,210 --> 00:41:39,129 Yeah, sure. And that's why we why we 1188 00:41:39,130 --> 00:41:41,469 said, OK, we're going to use a 1189 00:41:41,470 --> 00:41:42,609 contactless cards. 1190 00:41:42,610 --> 00:41:43,539 That's what we said. We're going to 1191 00:41:43,540 --> 00:41:45,969 implement stuff on NFC phones 1192 00:41:45,970 --> 00:41:48,219 and tablets, which at least allows 1193 00:41:48,220 --> 00:41:50,259 you to use these things on on tablets. 1194 00:41:50,260 --> 00:41:51,369 And we even have thought about 1195 00:41:51,370 --> 00:41:53,679 integration integrating that stuff with 1196 00:41:53,680 --> 00:41:55,449 PCs. But yes, this is a challenge, 1197 00:41:56,620 --> 00:41:57,819 but we're taking it on. 1198 00:41:57,820 --> 00:41:59,109 What else can I say? 1199 00:41:59,110 --> 00:42:01,509 But more questions? 1200 00:42:01,510 --> 00:42:03,929 OK. I wonder if you have 1201 00:42:03,930 --> 00:42:05,919 if you go, for example, to a shop with 1202 00:42:05,920 --> 00:42:07,019 your card? 1203 00:42:07,020 --> 00:42:09,169 Yeah. And how you make sure that 1204 00:42:09,170 --> 00:42:12,219 that the shopkeeper really only requests 1205 00:42:12,220 --> 00:42:14,319 the attributes that you want to reveal. 1206 00:42:14,320 --> 00:42:16,539 So say the shopkeeper tells you, Oh, I'm 1207 00:42:16,540 --> 00:42:19,149 only asking for your age, but how do you 1208 00:42:19,150 --> 00:42:20,559 keep it on your card? 1209 00:42:20,560 --> 00:42:22,359 How do you verify that that's what you're 1210 00:42:22,360 --> 00:42:24,069 selling asking for? 1211 00:42:24,070 --> 00:42:26,709 Yeah, that's the principal way to prevent 1212 00:42:26,710 --> 00:42:28,689 that kind of stuff from happening is by 1213 00:42:28,690 --> 00:42:30,969 giving the shopkeeper, in this case, 1214 00:42:30,970 --> 00:42:33,159 a certificate that restricts 1215 00:42:33,160 --> 00:42:35,409 him to only ask 1216 00:42:35,410 --> 00:42:36,309 for the H. 1217 00:42:36,310 --> 00:42:37,989 He cannot ask for anything else because 1218 00:42:37,990 --> 00:42:39,609 the card will just see that he does not 1219 00:42:39,610 --> 00:42:41,459 have a certificate for it. 1220 00:42:41,460 --> 00:42:42,989 That's how you basically prevent that, 1221 00:42:42,990 --> 00:42:44,279 because otherwise you run into issues 1222 00:42:44,280 --> 00:42:46,199 with, OK, who's a user interface? 1223 00:42:46,200 --> 00:42:48,359 Am I using where I actually see what 1224 00:42:48,360 --> 00:42:49,889 he's asking? And is this actually what 1225 00:42:49,890 --> 00:42:51,449 he's actually asking through the card 1226 00:42:51,450 --> 00:42:52,679 because the card doesn't have to have a 1227 00:42:52,680 --> 00:42:53,680 user interface? 1228 00:42:55,850 --> 00:42:56,850 Thanks. 1229 00:42:57,200 --> 00:42:58,639 Yeah. Number three, maybe because. 1230 00:42:58,640 --> 00:42:59,640 OK. 1231 00:43:00,170 --> 00:43:02,269 So when a shopkeeper says, OK, 1232 00:43:02,270 --> 00:43:04,339 give me your car, I'll check your age 1233 00:43:04,340 --> 00:43:07,069 with it, and then 1234 00:43:07,070 --> 00:43:09,139 you said the shopkeepers some 1235 00:43:09,140 --> 00:43:11,149 little gifts, the card, a certificate 1236 00:43:11,150 --> 00:43:12,679 that proves that the shopkeeper is 1237 00:43:12,680 --> 00:43:14,419 authorized by the scheme authority, 1238 00:43:14,420 --> 00:43:16,639 right? Yeah, but that's a long 1239 00:43:16,640 --> 00:43:19,519 process that doesn't involve the 1240 00:43:19,520 --> 00:43:21,469 same authority and kind of an online way, 1241 00:43:21,470 --> 00:43:23,389 right? So there's no way to revoke that 1242 00:43:23,390 --> 00:43:25,609 certificate. So if someone 1243 00:43:25,610 --> 00:43:28,039 stole the shopkeepers 1244 00:43:28,040 --> 00:43:30,289 certificate for, let's say, reading 1245 00:43:30,290 --> 00:43:31,789 of my name or something like that, you 1246 00:43:31,790 --> 00:43:34,009 could just put it in its own device, walk 1247 00:43:34,010 --> 00:43:35,689 around with it and steal people's 1248 00:43:35,690 --> 00:43:37,789 information until the shopkeeper 1249 00:43:37,790 --> 00:43:40,159 certificates validity date runs out. 1250 00:43:40,160 --> 00:43:41,719 That's a thing you even have a way to 1251 00:43:41,720 --> 00:43:43,790 validate what the current status. 1252 00:43:45,470 --> 00:43:46,429 Yeah, that's a good point. 1253 00:43:46,430 --> 00:43:47,430 Yes. 1254 00:43:48,560 --> 00:43:50,299 Actually, we use a standard trick that 1255 00:43:50,300 --> 00:43:53,029 also is used in the electronic passports 1256 00:43:53,030 --> 00:43:55,159 where, of course, the smart card cannot 1257 00:43:55,160 --> 00:43:56,629 maintain its own time. 1258 00:43:56,630 --> 00:43:58,519 Right. It doesn't know the date, but it 1259 00:43:58,520 --> 00:44:00,799 does know the last time it saw a trustful 1260 00:44:00,800 --> 00:44:03,829 reader. And then it records the date 1261 00:44:03,830 --> 00:44:06,259 of the truthful reader as a best 1262 00:44:06,260 --> 00:44:07,729 approximation of now. 1263 00:44:07,730 --> 00:44:09,769 So but that's, you know, that's at least 1264 00:44:09,770 --> 00:44:10,669 increasing. 1265 00:44:10,670 --> 00:44:12,709 And then at some point the credentials 1266 00:44:12,710 --> 00:44:14,839 expire. But definitely that is an 1267 00:44:14,840 --> 00:44:16,489 issue. This is how we tackle it. 1268 00:44:16,490 --> 00:44:18,859 You can always add revocation to standard 1269 00:44:18,860 --> 00:44:21,739 credentials sort of certificates 1270 00:44:21,740 --> 00:44:22,999 because these are just basic 1271 00:44:23,000 --> 00:44:23,899 certificates. 1272 00:44:23,900 --> 00:44:24,889 You can add that. 1273 00:44:24,890 --> 00:44:26,749 So that's always a possibility to revoke 1274 00:44:26,750 --> 00:44:27,750 eternal. 1275 00:44:29,450 --> 00:44:31,889 But lots of different cards 1276 00:44:31,890 --> 00:44:33,799 have lots of different vendors, and 1277 00:44:33,800 --> 00:44:35,539 there's lots of mechanisms below the 1278 00:44:35,540 --> 00:44:37,099 level where you operate, there's the 1279 00:44:37,100 --> 00:44:39,049 anti-collision stuff, the serial numbers, 1280 00:44:39,050 --> 00:44:41,539 there's no different protocol versions, 1281 00:44:41,540 --> 00:44:44,029 so there's many ways to identify 1282 00:44:44,030 --> 00:44:46,129 the users of this card long before 1283 00:44:46,130 --> 00:44:48,229 any of your beautiful software 1284 00:44:48,230 --> 00:44:50,929 has has ways of preventing that 1285 00:44:50,930 --> 00:44:52,089 drew. 1286 00:44:52,090 --> 00:44:54,259 That, of course, is that that 1287 00:44:54,260 --> 00:44:56,659 depends on the kind of car you use that 1288 00:44:56,660 --> 00:44:58,459 depends on the on whether you use a 1289 00:44:58,460 --> 00:45:00,919 random random identifiers 1290 00:45:00,920 --> 00:45:02,129 instead of a fixed identifier. 1291 00:45:02,130 --> 00:45:03,769 So you have to be very, very careful. 1292 00:45:03,770 --> 00:45:05,689 But even then, even our own research and 1293 00:45:05,690 --> 00:45:07,189 our group shows that even if you put all 1294 00:45:07,190 --> 00:45:08,899 that kind of stuff, you could even 1295 00:45:08,900 --> 00:45:10,759 distinguish different kind of silicon. 1296 00:45:10,760 --> 00:45:12,379 But just the way that the hardware 1297 00:45:12,380 --> 00:45:14,669 performs. So in the end, yes, 1298 00:45:14,670 --> 00:45:15,589 that does. 1299 00:45:15,590 --> 00:45:17,629 That is a possibility. 1300 00:45:17,630 --> 00:45:19,280 But you have to do much more work this. 1301 00:45:22,160 --> 00:45:23,449 How are we on time or? 1302 00:45:26,900 --> 00:45:28,829 So we still have 10 minutes left. 1303 00:45:28,830 --> 00:45:29,279 There are 1304 00:45:29,280 --> 00:45:30,280 question 1305 00:45:31,400 --> 00:45:33,049 number four, maybe 1306 00:45:33,050 --> 00:45:35,149 I'm in a physical 1307 00:45:35,150 --> 00:45:36,369 shop too. 1308 00:45:36,370 --> 00:45:39,169 Does the shopkeeper use NFC? 1309 00:45:39,170 --> 00:45:40,429 Can he? 1310 00:45:40,430 --> 00:45:41,430 I think he shouldn't. 1311 00:45:42,500 --> 00:45:44,599 OK, explain why he shouldn't. 1312 00:45:44,600 --> 00:45:46,639 Well, I could take my card, put it in a 1313 00:45:46,640 --> 00:45:48,769 microwave, steal your hat and 1314 00:45:48,770 --> 00:45:50,509 show your card with a picture. 1315 00:45:50,510 --> 00:45:51,510 And 1316 00:45:53,060 --> 00:45:54,829 I didn't know was that take your card, 1317 00:45:54,830 --> 00:45:57,409 put it in the microwave and 1318 00:45:57,410 --> 00:45:59,479 show shall not put my card 1319 00:45:59,480 --> 00:46:01,309 in the microwave and put your cat behind 1320 00:46:01,310 --> 00:46:02,269 it so it can read it. 1321 00:46:02,270 --> 00:46:02,539 Yeah. 1322 00:46:02,540 --> 00:46:03,559 Oh yeah, sure. Oh, sure. 1323 00:46:03,560 --> 00:46:05,119 But yeah, yeah, sure. I mean, if you but 1324 00:46:05,120 --> 00:46:06,769 I mean, if you would, if you would steal 1325 00:46:06,770 --> 00:46:08,899 my card, you could use 1326 00:46:08,900 --> 00:46:10,789 that. Maybe you would have to eliminate 1327 00:46:10,790 --> 00:46:12,289 it over and put your picture on it. 1328 00:46:12,290 --> 00:46:13,459 And then that would be possible. 1329 00:46:13,460 --> 00:46:15,439 But that's depending on the kind of 1330 00:46:15,440 --> 00:46:16,789 security features that you have on the 1331 00:46:16,790 --> 00:46:19,129 card that will be easier 1332 00:46:19,130 --> 00:46:20,549 or not so easy. 1333 00:46:20,550 --> 00:46:22,339 Well, I like the independence of using 1334 00:46:22,340 --> 00:46:23,119 NFC, right? 1335 00:46:23,120 --> 00:46:25,009 I could use my smart phone and just have 1336 00:46:25,010 --> 00:46:27,259 a high powered sender so I could 1337 00:46:27,260 --> 00:46:29,329 have your card somewhere in 1338 00:46:29,330 --> 00:46:31,459 the vicinity and just put my card right 1339 00:46:31,460 --> 00:46:33,469 on the device and say, Yeah, that's me 1340 00:46:33,470 --> 00:46:35,869 here. My picture, right? 1341 00:46:35,870 --> 00:46:37,399 Yeah. These are yeah, of course. 1342 00:46:37,400 --> 00:46:38,929 I mean, this is this is in general with 1343 00:46:38,930 --> 00:46:40,279 contactless cards. So you have really 1344 00:46:40,280 --> 00:46:42,169 kind of attacks, which are an issue. 1345 00:46:42,170 --> 00:46:43,170 Yes. 1346 00:46:46,310 --> 00:46:48,469 I have two quick two questions. 1347 00:46:48,470 --> 00:46:50,419 The first one is you said that you use 1348 00:46:50,420 --> 00:46:52,819 pins to manage the credentials. 1349 00:46:52,820 --> 00:46:54,679 How to prevent brute forcing of pin 1350 00:46:54,680 --> 00:46:55,680 codes. 1351 00:46:59,540 --> 00:47:01,649 Yeah, OK. You a long pink 1352 00:47:01,650 --> 00:47:03,709 pinkos. I mean, this is, I mean, in 1353 00:47:03,710 --> 00:47:05,809 general, I mean, I guess 1354 00:47:05,810 --> 00:47:07,339 the the underlying principle, the 1355 00:47:07,340 --> 00:47:09,619 underlying idea is that you keep your 1356 00:47:09,620 --> 00:47:12,319 your your in my car to yourself, 1357 00:47:12,320 --> 00:47:13,689 you're not supposed to give it. 1358 00:47:13,690 --> 00:47:15,799 If you lose it, you should revoke 1359 00:47:15,800 --> 00:47:16,800 it. 1360 00:47:17,380 --> 00:47:19,689 And in that way, avoid abuse 1361 00:47:19,690 --> 00:47:21,819 of that. But, you know, once you 1362 00:47:21,820 --> 00:47:23,919 lose a card, in this case, 1363 00:47:23,920 --> 00:47:25,329 this is a problem we have been thinking 1364 00:47:25,330 --> 00:47:27,699 actually for the card management app 1365 00:47:27,700 --> 00:47:30,129 to to do something slightly more 1366 00:47:30,130 --> 00:47:32,409 advanced by not 1367 00:47:32,410 --> 00:47:34,359 only using a pin code to access all the 1368 00:47:34,360 --> 00:47:35,659 credentials in the card with friends and 1369 00:47:35,660 --> 00:47:37,509 binding the card to one specific user 1370 00:47:37,510 --> 00:47:38,649 device. 1371 00:47:38,650 --> 00:47:40,449 So you would have to have at least the 1372 00:47:40,450 --> 00:47:42,759 corresponding device to actually read 1373 00:47:42,760 --> 00:47:44,050 the full contents of the card. 1374 00:47:45,370 --> 00:47:46,009 OK. 1375 00:47:46,010 --> 00:47:48,639 That address your concern somewhat. 1376 00:47:48,640 --> 00:47:50,619 And how many credentials can you store on 1377 00:47:50,620 --> 00:47:51,489 one card? 1378 00:47:51,490 --> 00:47:52,490 Not so many. 1379 00:47:54,430 --> 00:47:57,759 I think about between 10 or 20. 1380 00:47:57,760 --> 00:47:58,779 So this is limited. 1381 00:47:58,780 --> 00:48:00,369 So actually, one of the things we also 1382 00:48:00,370 --> 00:48:01,599 want to think about is, OK, can you 1383 00:48:01,600 --> 00:48:03,969 somehow do kind of like caching 1384 00:48:03,970 --> 00:48:06,129 of credentials in any 1385 00:48:06,130 --> 00:48:07,929 meaningful way while still being pretty 1386 00:48:07,930 --> 00:48:09,669 friendly if you store this stuff either 1387 00:48:09,670 --> 00:48:11,709 on your own PC or on the cloud or 1388 00:48:11,710 --> 00:48:13,179 somewhere because at some point? 1389 00:48:13,180 --> 00:48:15,639 Actually, we do believe that, you know, 1390 00:48:15,640 --> 00:48:17,289 you know, the basic credentials, the 1391 00:48:17,290 --> 00:48:19,089 basic attributes, you want to prove fit 1392 00:48:19,090 --> 00:48:21,279 in like five or six credentials. 1393 00:48:21,280 --> 00:48:22,839 But as soon as you want to do special 1394 00:48:22,840 --> 00:48:24,699 applications, phone applications, the 1395 00:48:24,700 --> 00:48:26,079 number of credentials you could collect 1396 00:48:26,080 --> 00:48:27,579 is going to be huge. 1397 00:48:27,580 --> 00:48:28,749 So then you have to think about these 1398 00:48:28,750 --> 00:48:29,769 issues. 1399 00:48:29,770 --> 00:48:31,149 OK, thanks. Thanks for the questions. 1400 00:48:33,880 --> 00:48:35,260 I've got a question about 1401 00:48:37,120 --> 00:48:38,829 whoever the authority is storing all of 1402 00:48:38,830 --> 00:48:40,539 this data. 1403 00:48:40,540 --> 00:48:43,269 Have you thought about how 1404 00:48:43,270 --> 00:48:45,549 you can distribute that data among many 1405 00:48:45,550 --> 00:48:47,889 authorities so that no one authority 1406 00:48:47,890 --> 00:48:50,349 has ever knows everything? 1407 00:48:50,350 --> 00:48:52,509 Because if I'm imagining in if 1408 00:48:52,510 --> 00:48:54,759 this were to take off in 10 years, 1409 00:48:54,760 --> 00:48:56,769 20 years, something like that, you might 1410 00:48:56,770 --> 00:48:58,149 have all of the information about 1411 00:48:58,150 --> 00:48:59,979 everybody in the world and you don't want 1412 00:48:59,980 --> 00:49:02,079 that on in one big, 1413 00:49:02,080 --> 00:49:03,399 it becomes a honeypot. 1414 00:49:03,400 --> 00:49:05,199 Sure. No. And that's that's a good 1415 00:49:05,200 --> 00:49:07,159 question, because actually, that is what 1416 00:49:07,160 --> 00:49:09,259 airmen try to prevent, because it 1417 00:49:09,260 --> 00:49:11,369 actually it actually, 1418 00:49:11,370 --> 00:49:13,629 uh, the idea is that you store your 1419 00:49:13,630 --> 00:49:15,280 credentials on your card. 1420 00:49:16,480 --> 00:49:18,369 So not anywhere else credentials. 1421 00:49:18,370 --> 00:49:19,989 Sorry. So it doesn't have the 1422 00:49:19,990 --> 00:49:20,829 credentials. 1423 00:49:20,830 --> 00:49:21,879 No, no, no. 1424 00:49:21,880 --> 00:49:23,469 The scheme authority only managers who 1425 00:49:23,470 --> 00:49:25,689 can has access to the infrastructure, 1426 00:49:25,690 --> 00:49:27,339 let's say it doesn't store it, only the 1427 00:49:27,340 --> 00:49:29,739 card source. And this is a big difference 1428 00:49:29,740 --> 00:49:32,319 from, say, Irma and the more traditional 1429 00:49:32,320 --> 00:49:33,819 identity management systems that I showed 1430 00:49:33,820 --> 00:49:34,959 in the beginning. 1431 00:49:34,960 --> 00:49:35,919 Well, thanks for the question, because I 1432 00:49:35,920 --> 00:49:36,940 think it's clear. Yeah. 1433 00:49:38,610 --> 00:49:41,089 The person in the back three, yeah. 1434 00:49:41,090 --> 00:49:43,529 Um, can you do the 1435 00:49:43,530 --> 00:49:45,809 age verification that I'm older 1436 00:49:45,810 --> 00:49:48,389 than 18 without revealing my actual 1437 00:49:48,390 --> 00:49:49,390 age? 1438 00:49:50,600 --> 00:49:51,600 Yeah. 1439 00:49:52,130 --> 00:49:54,349 OK. But yes, yes, 1440 00:49:54,350 --> 00:49:55,999 the answer is yes, but we use a trick 1441 00:49:56,000 --> 00:49:58,399 here because one of the things that we 1442 00:49:58,400 --> 00:50:00,889 I told you we can only do equality proves 1443 00:50:00,890 --> 00:50:03,979 in it makes the 1444 00:50:03,980 --> 00:50:05,689 crypto library. The full implementation 1445 00:50:05,690 --> 00:50:07,969 actually allows you to ask an arbitrary 1446 00:50:07,970 --> 00:50:09,379 question like, OK, where is this person 1447 00:50:09,380 --> 00:50:11,449 over x years and then based 1448 00:50:11,450 --> 00:50:13,099 on your date of birth? 1449 00:50:13,100 --> 00:50:14,599 The system would actually compute to 1450 00:50:14,600 --> 00:50:16,459 prove that yes or no. 1451 00:50:16,460 --> 00:50:17,869 In our case, we cannot do that because 1452 00:50:17,870 --> 00:50:19,369 the card is way too slow for us. 1453 00:50:19,370 --> 00:50:22,099 So we basically slow store a bit 1454 00:50:22,100 --> 00:50:24,529 and we have predefined age ranges 1455 00:50:24,530 --> 00:50:25,530 that we store. 1456 00:50:27,590 --> 00:50:30,379 And then a lot of question, if 1457 00:50:30,380 --> 00:50:32,869 I buy something online from a physical 1458 00:50:32,870 --> 00:50:35,029 shop, would it be possible that 1459 00:50:35,030 --> 00:50:36,409 my name and address 1460 00:50:37,430 --> 00:50:39,589 get revealed to the mail carrier, but 1461 00:50:39,590 --> 00:50:41,719 not to the actual shop? 1462 00:50:43,040 --> 00:50:45,169 Not because I mean the the the 1463 00:50:45,170 --> 00:50:46,669 holes, you know? 1464 00:50:46,670 --> 00:50:48,269 In a way, whenever you use the email 1465 00:50:48,270 --> 00:50:50,539 system a a session, a secure 1466 00:50:50,540 --> 00:50:52,159 channel is set up between the card. 1467 00:50:52,160 --> 00:50:54,169 Really, the cards is the endpoint and a 1468 00:50:54,170 --> 00:50:55,489 relying party on the other end. 1469 00:50:55,490 --> 00:50:57,199 Of course, if the ruling party at the 1470 00:50:57,200 --> 00:50:58,999 other end is going to do whatever it 1471 00:50:59,000 --> 00:51:01,249 wants with those things that he gets, 1472 00:51:01,250 --> 00:51:02,809 I mean, that is something that we cannot 1473 00:51:02,810 --> 00:51:04,459 stop. Except that at some point a scheme 1474 00:51:04,460 --> 00:51:05,569 authority is going to say, OK, you're 1475 00:51:05,570 --> 00:51:06,919 going to you're abusing the system, 1476 00:51:06,920 --> 00:51:07,920 you're out. 1477 00:51:09,330 --> 00:51:10,330 Yeah. 1478 00:51:10,620 --> 00:51:11,620 Thank you. 1479 00:51:11,930 --> 00:51:13,639 Last question, I guess 1480 00:51:13,640 --> 00:51:14,989 I have a question regarding purpose 1481 00:51:14,990 --> 00:51:17,089 limitation in in 1482 00:51:17,090 --> 00:51:19,069 in the scheme of things in general with 1483 00:51:19,070 --> 00:51:21,439 the assistance today, you 1484 00:51:21,440 --> 00:51:23,809 basically the idea was of the 1485 00:51:23,810 --> 00:51:26,029 data protection regulation that provided 1486 00:51:26,030 --> 00:51:28,640 stem cells or bio through regulation 1487 00:51:30,050 --> 00:51:32,179 get incentives to ask for 1488 00:51:32,180 --> 00:51:33,180 as little as possible. 1489 00:51:34,310 --> 00:51:36,439 And you mentioned that it's a shortcoming 1490 00:51:36,440 --> 00:51:38,089 or challenge for your system as well. 1491 00:51:38,090 --> 00:51:40,189 Mm-Hmm. And that 1492 00:51:40,190 --> 00:51:42,469 is indeed tricky because think about 1493 00:51:42,470 --> 00:51:44,209 Angry Angry Birds who ask for your 1494 00:51:44,210 --> 00:51:46,309 location and obviously don't 1495 00:51:46,310 --> 00:51:47,869 give you a choice. You can't say, no, I 1496 00:51:47,870 --> 00:51:49,159 don't want to give him location. 1497 00:51:49,160 --> 00:51:51,049 The game is still supposed to work. 1498 00:51:51,050 --> 00:51:53,419 So someone 1499 00:51:53,420 --> 00:51:54,949 would have to look at the purpose of the 1500 00:51:54,950 --> 00:51:57,079 application and then decide on 1501 00:51:57,080 --> 00:51:59,749 what would be legitimate and what not. 1502 00:51:59,750 --> 00:52:02,329 Apparently, that doesn't happen today, so 1503 00:52:02,330 --> 00:52:04,369 I wonder how you would imagine this to 1504 00:52:04,370 --> 00:52:06,439 work in the future. Like who would 1505 00:52:06,440 --> 00:52:08,539 check regularly, ideally 1506 00:52:08,540 --> 00:52:10,549 with every software update, whether the 1507 00:52:10,550 --> 00:52:12,679 new feature is actually 1508 00:52:12,680 --> 00:52:14,389 reasonable for that application or it's 1509 00:52:14,390 --> 00:52:16,249 not because obviously application 1510 00:52:16,250 --> 00:52:18,439 providers themself would argue 1511 00:52:18,440 --> 00:52:20,209 I need the location for location based 1512 00:52:20,210 --> 00:52:21,859 advertising, period. 1513 00:52:21,860 --> 00:52:23,089 They they are in the control. 1514 00:52:23,090 --> 00:52:25,279 The users are not putting the 1515 00:52:25,280 --> 00:52:27,169 the user in the control doesn't help 1516 00:52:27,170 --> 00:52:28,879 because the user has no voice in that 1517 00:52:28,880 --> 00:52:29,729 game. 1518 00:52:29,730 --> 00:52:30,760 True. And that is that 1519 00:52:32,300 --> 00:52:34,489 you're sketching the scenario of, for 1520 00:52:34,490 --> 00:52:35,929 instance, installing an application on a 1521 00:52:35,930 --> 00:52:37,999 mobile phone or whatever 1522 00:52:38,000 --> 00:52:39,529 or anywhere else. 1523 00:52:39,530 --> 00:52:41,209 And that in that case, there is not 1524 00:52:41,210 --> 00:52:43,639 really a a third party 1525 00:52:43,640 --> 00:52:45,769 that sort of protects the individual 1526 00:52:45,770 --> 00:52:48,019 user against basically the big power 1527 00:52:48,020 --> 00:52:49,729 of the application, provided that 1528 00:52:49,730 --> 00:52:52,639 basically sets the rules of the game. 1529 00:52:52,640 --> 00:52:54,769 And here in at least in in the email 1530 00:52:54,770 --> 00:52:56,959 scheme, the scheme authority has to issue 1531 00:52:56,960 --> 00:52:58,489 a certificate to the ruling party, 1532 00:52:58,490 --> 00:53:00,449 allowing him to access attribution in the 1533 00:53:00,450 --> 00:53:01,999 first place. So if he does not get a 1534 00:53:02,000 --> 00:53:04,429 certificate, he does not get anything. 1535 00:53:04,430 --> 00:53:06,499 Now, of course, it depends on the 1536 00:53:06,500 --> 00:53:08,749 on the on the spine of the 1537 00:53:08,750 --> 00:53:10,849 of the scheme authority, whether 1538 00:53:10,850 --> 00:53:12,859 this is going to make any difference in 1539 00:53:12,860 --> 00:53:14,929 the real world, yes or no, but 1540 00:53:14,930 --> 00:53:17,089 at least the default is 1541 00:53:17,090 --> 00:53:19,669 that the ruling party gets nothing 1542 00:53:19,670 --> 00:53:21,919 and this is different from the situation 1543 00:53:21,920 --> 00:53:22,909 now. 1544 00:53:22,910 --> 00:53:24,769 But it well, 1545 00:53:24,770 --> 00:53:26,299 it depends on, of course, the application 1546 00:53:26,300 --> 00:53:27,300 you have today. But 1547 00:53:28,980 --> 00:53:31,009 it it doesn't seem that there's a story 1548 00:53:31,010 --> 00:53:32,209 on who would actually do that. 1549 00:53:32,210 --> 00:53:33,889 I don't think the identity provider will 1550 00:53:33,890 --> 00:53:36,199 go off and will talk 1551 00:53:36,200 --> 00:53:38,719 and look at the app to every application 1552 00:53:38,720 --> 00:53:40,909 and then say, OK, now this is this 1553 00:53:40,910 --> 00:53:42,649 is useful practice. 1554 00:53:42,650 --> 00:53:45,259 Like if I have my identity provided 1555 00:53:45,260 --> 00:53:47,749 a fast moving German 1556 00:53:47,750 --> 00:53:49,939 government, they will then look 1557 00:53:49,940 --> 00:53:51,469 at all the applications and internet, and 1558 00:53:51,470 --> 00:53:53,629 we'll figure out on whether that's a fair 1559 00:53:53,630 --> 00:53:55,399 use. I don't think that's particularly 1560 00:53:55,400 --> 00:53:57,169 realistic and also like they don't even 1561 00:53:57,170 --> 00:53:58,539 have the manpower to do that. 1562 00:54:00,120 --> 00:54:01,279 That is that is an issue. 1563 00:54:01,280 --> 00:54:02,539 And that's why I said and this is the 1564 00:54:02,540 --> 00:54:04,189 discussion about OK, who is going to be 1565 00:54:04,190 --> 00:54:06,019 the scheme authority and is this going to 1566 00:54:06,020 --> 00:54:07,489 be trust? Is it really going to be 1567 00:54:07,490 --> 00:54:09,049 trustworthy and is it really going to do 1568 00:54:09,050 --> 00:54:10,129 that kind of checks? 1569 00:54:10,130 --> 00:54:11,629 And why totally agree with you this and 1570 00:54:11,630 --> 00:54:13,069 what their business model is because 1571 00:54:13,070 --> 00:54:14,509 obviously they would have to have lots of 1572 00:54:14,510 --> 00:54:16,399 people to actually check it out each and 1573 00:54:16,400 --> 00:54:17,989 every application, whether they do the 1574 00:54:17,990 --> 00:54:19,179 right thing. 1575 00:54:19,180 --> 00:54:20,180 Sure. 1576 00:54:20,660 --> 00:54:21,660 I agree. 1577 00:54:22,490 --> 00:54:23,479 OK, OK. Thank you. 1578 00:54:23,480 --> 00:54:25,799 We still have one very short question. 1579 00:54:25,800 --> 00:54:27,319 I have been assured from the internet, 1580 00:54:27,320 --> 00:54:28,519 OK, from the internet. 1581 00:54:28,520 --> 00:54:30,649 Call the 1582 00:54:30,650 --> 00:54:31,549 voice of the internet. 1583 00:54:31,550 --> 00:54:32,959 Yeah. 1584 00:54:32,960 --> 00:54:35,029 One question from the ISC 1585 00:54:35,030 --> 00:54:37,129 was, do you thought about 1586 00:54:37,130 --> 00:54:38,809 and display on the cards? 1587 00:54:38,810 --> 00:54:41,689 So maybe you can check which 1588 00:54:41,690 --> 00:54:44,749 information the shopkeeper wants? 1589 00:54:44,750 --> 00:54:45,889 Yeah, that would be cool. 1590 00:54:45,890 --> 00:54:47,959 And actually, I mean, I think I've 1591 00:54:47,960 --> 00:54:50,329 even seen pictures from the 70s 1592 00:54:50,330 --> 00:54:52,399 of these are having these kind of 1593 00:54:52,400 --> 00:54:53,329 cards with displays. 1594 00:54:53,330 --> 00:54:56,299 So this is definitely a possibility, 1595 00:54:56,300 --> 00:54:59,029 but we haven't experimented 1596 00:54:59,030 --> 00:55:00,199 with that yet. 1597 00:55:00,200 --> 00:55:01,129 OK, thanks. 1598 00:55:01,130 --> 00:55:03,139 Thank you, internet for the question. 1599 00:55:03,140 --> 00:55:05,479 Let me just point you to the website 1600 00:55:05,480 --> 00:55:07,069 for more information if you want to see 1601 00:55:07,070 --> 00:55:07,969 the the. 1602 00:55:07,970 --> 00:55:10,579 There's also lists the the GitHub 1603 00:55:10,580 --> 00:55:12,709 link, where the sources are for 1604 00:55:12,710 --> 00:55:14,959 all the calls and anybody interested 1605 00:55:14,960 --> 00:55:16,969 in demos. At two o'clock at the noisy 1606 00:55:16,970 --> 00:55:19,159 square, I will be around to give demos. 1607 00:55:19,160 --> 00:55:20,539 I still have to find where the noisy 1608 00:55:20,540 --> 00:55:21,469 squares. 1609 00:55:21,470 --> 00:55:23,029 I have no idea. 1610 00:55:23,030 --> 00:55:24,379 Let's see. I will find it. 1611 00:55:24,380 --> 00:55:25,639 Maybe see you there. Thank you very much.