
eGovernment: Do we need to have a radical technology rethink before it is too late?

Updated: Sep 15, 2023


Libor Neumann is well known in the Trust community as a radical and deep thinker on authentication and security. He has kindly given us some of his thoughts on authentication and eIDAS 2.


Current state

Compared with eIDAS, eIDAS2 requires a radical change in the architecture of authentication.


In eIDAS (eIDAS Interoperability Architecture, Version 1.2), the national autonomy of the "(notified) eID scheme" was respected. Authentication is the responsibility of the member states; eGovernment interoperability is ensured through "eIDAS-Nodes", which communicate over standard interfaces using SAML. The result is a two-tier federation architecture, i.e. a federation of federations with many IdPs, in which the authentication requests and assertions exchanged between nodes are standardized but the authentication itself (how a user proves identity to the national IdP) is not.


In contrast, eIDAS2 (European Digital Identity Architecture and Reference Framework, Outline), in ch. 4.4 "Mutual authentication", describes a radical change in architecture: seamless communication and authentication, with mutual authentication required and standardized, including standardization of the authentication protocol itself.


"To ensure that the EUDI Wallet can be used in a seamless way by TSPs and relying parties alike, a common authentication protocol shall be specified, ensuring interoperability at least at EU level and considering relevant European or international standards."


There is no such standard. There is no implementation ready.


And the question is whether it makes sense to create such a standard only for eGovernment or only for EUDI Wallet.


The need for a high-quality generic authentication protocol is universal. A high-quality mutual authentication protocol that can be used seamlessly and extended with additional features is needed throughout the Internet: in industry, healthcare, trade, transport, etc., at least across the EU.


We need a universal security layer on the Internet. It must contain universal authentication means that are user-centric and sustainable in the long term, among other properties. In other words, something with the same role for security that routing protocols, IP address management protocols, DNS and TCP/IP or UDP have for connectivity.


The challenges/issues:

  • Compatibility with Zero Trust Architecture – identity management & access management

  • Remote access data channel security – data channel authentication

  • Dynamics – long-term sustainability – cryptographic agility

  • User simplicity – user centric design

  • Privacy protection – dynamic identifiers

  • Availability of target services/assets - complete eID lifecycle, redundancy

  • Remote identity proofing - authenticator proofing

  • Authentication and access control infrastructure

Why hasn't such a solution been created yet?

In my opinion, there are two main reasons why such a security layer has not yet been created.

  1. Lack of respect for the real features of the cyber/digital world. Trying to solve security by analogy with the real world is pointless. The Internet only works with indistinguishable copies of data, and authenticity cannot be verified as in the real world. You need to use randomness and cryptography, i.e. computing power and time.

  2. There is a lack of a sponsor for research, development and standardization in this area. That is, activities analogous to those of the DoD for the creation of IP or CERN for the creation of HTML.
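Point 1 above is the core of the argument: on a network, a credential that is simply sent is a copyable bit string, so possession can only be demonstrated by answering a fresh random challenge, and "mutual" means both sides do so. The following is an added illustration written for this page; it is not code from the original post, from Peig or from any eIDAS implementation. It assumes a pre-shared HMAC-SHA256 key per client (a real EU-level protocol would use asymmetric keys and certificates, but the freshness logic is the same), and all identifiers, keys and nonces are constructed for the example.

```python
"""Mutual challenge-response authentication over a pre-shared key (HMAC-SHA256).

Added example: shows why a transmitted credential can be replayed, and how a
fresh random challenge in each direction prevents replay of either the client's
or the server's half of a recorded exchange.  Keys/ids are constructed.
"""
import hashlib
import hmac
import secrets


def _mac(key, *parts):
    """HMAC over length-prefixed parts, so (a||b) cannot collide with (a'||b')."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(4, "big"))
        h.update(p)
    return h.digest()


class StaticTokenServer:
    """Contrast case: the credential travels as-is, so any copy of it is as good as the original."""

    def __init__(self, tokens):
        self.tokens = dict(tokens)  # client_id -> token (constructed registry)

    def verify(self, client_id, token):
        return hmac.compare_digest(self.tokens.get(client_id, b""), token)


class Server:
    def __init__(self, keys):
        self.keys = dict(keys)  # client_id -> shared key (constructed registry)
        self.pending = {}       # client_id -> outstanding server nonce

    def challenge(self, client_id):
        n_s = secrets.token_bytes(32)        # fresh randomness per attempt
        self.pending[client_id] = n_s
        return n_s

    def verify(self, client_id, n_c, proof):
        """Return the server's proof on success, None on failure."""
        key = self.keys.get(client_id)
        n_s = self.pending.pop(client_id, None)  # single use: a nonce answers once
        if key is None or n_s is None:
            return None
        expected = _mac(key, b"client", client_id, n_s, n_c)
        if not hmac.compare_digest(expected, proof):
            return None
        # The server proves itself over the *client's* nonce, so a recorded
        # server answer is useless against a client that chose a new n_c.
        return _mac(key, b"server", client_id, n_s, n_c)


class Client:
    def __init__(self, client_id, key):
        self.client_id, self.key = client_id, key

    def respond(self, n_s):
        n_c = secrets.token_bytes(32)
        proof = _mac(self.key, b"client", self.client_id, n_s, n_c)
        return n_c, proof

    def check_server(self, n_s, n_c, server_proof):
        expected = _mac(self.key, b"server", self.client_id, n_s, n_c)
        return hmac.compare_digest(expected, server_proof)


def run_session(server, client):
    """One honest run. Returns (client_accepted_server, server_accepted_client, transcript)."""
    n_s = server.challenge(client.client_id)
    n_c, proof = client.respond(n_s)
    server_proof = server.verify(client.client_id, n_c, proof)
    server_ok = server_proof is not None
    client_ok = server_ok and client.check_server(n_s, n_c, server_proof)
    return client_ok, server_ok, (n_s, n_c, proof, server_proof)


def client_replay(server, client_id, transcript):
    """Attacker replays the recorded (n_c, proof) against a new challenge. True if accepted."""
    server.challenge(client_id)             # server issues a new n_s
    _, n_c, proof, _ = transcript
    return server.verify(client_id, n_c, proof) is not None


def server_impersonation(client, transcript):
    """Attacker replays the recorded server half (old n_s, old server proof). True if accepted."""
    n_s, _, _, server_proof = transcript
    n_c, _ = client.respond(n_s)            # honest client still picks a fresh n_c
    return client.check_server(n_s, n_c, server_proof)


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    srv, cli = Server({b"alice": key}), Client(b"alice", key)
    ok_c, ok_s, tr = run_session(srv, cli)
    print("honest run:", ok_c, ok_s)                       # True True
    print("client replay accepted:", client_replay(srv, b"alice", tr))   # False
    print("server replay accepted:", server_impersonation(cli, tr))     # False
```

Both replay functions fail because each party's proof is bound to the other party's freshly chosen nonce; the `StaticTokenServer` accepts the same bytes indefinitely. Note that this toy does not address the other items on the list above (channel binding, dynamic identifiers for privacy, key rotation), which is exactly why a standardized protocol rather than an ad-hoc exchange is being asked for.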


Libor Neumann is Senior Architecture Consultant at

Peig | Czech Republic | www.peig.io |

