FIA Madrid Trust & Identity Session Panel 1: Trust.

Presentation transcript:

FIA Madrid Trust & Identity Session Panel 1: Trust

Introduction by Jim Clarke
High-level introduction to the position paper
The concept of lanes: the session focuses on lane 1 (Trust) and lane 2 (Identity and Privacy)

Keynote Sachar Paulus
Trust definition close to “business trust”:
– willingness to take risk
– necessary prerequisite: “get back or blame”
– trust vs. faith
Achieve trust by providing recovery options (“contract”), accountability

Keynote Sachar Paulus (2)
Trust into the FI for businesses
– Measurability
Trust into the FI for individuals
– right to be left alone
– right to time and memory loss
– but legal environment needed in consumer role → multi-party security requirements

Keynote Sachar Paulus (3)
Trust in the FI
– trust cannot be outsourced
– but: trust management can be outsourced (cf. PKI)
Scenario: Cloud Computing
– Business: where is data located? who runs the services? who runs the servers? → accountability
– Individuals: privacy, roll-back option, etc. → transparency, multi-party security
Security, Privacy and Trust are essential non-functional design properties – no way to outsource them

Position Paper Syed Naqvi (Services)
How to establish trust in Services
Trust: A believes that B behaves exactly as expected and required
Can services be modelled as a generic entity? Many concepts that are difficult to converge
Introduces convergence areas of trust – e.g., resilient services: possible to restore the level of trust?
RESERVOIR overview: grid, virtualisation, services

Position Paper Syed Naqvi (Services) (2)
RESERVOIR security requirements
– separation of services running in the same virtual environment
– trust: interoperation of service vendors
– protect the management interfaces
– policies upon migration: only allow migration to domains with the same policy

Position Paper Theodore Zahariadis (Content)
“Prosumer” relation to
– identity, authentication, trust
– usage
– business (payment)
– social context (children)
– etc.
Requirements scale to network issues (cf. slides)
Identity requirements

Position Paper Mirko Presser (RWI)
There is no single representative scenario: billions of nodes meet billions of consumers; behaviour changes in real-time
Trust starts at the elementary point, i.e., the node: authentication, authorisation, payment, accuracy, quality of service

Discussion (1)
Peter S(?) Eurescom: need for a trustworthy entity (was government, banks etc. before)
– Sachar: there will never be one single entity → spread across different entities. Who will be the entities?
– Michel: real-time trust necessary, important to design and measure trust in real-time, build up trust scenarios
– Theodore: different application layers will have different means for establishing trust (cf. payment vs. sensor network usage), we need different methods

Discussion (2)
Real-time trust:
– Michel: based on recommendation – or the availability of history (we will need to have logs → immediately raises privacy issues)
– Sachar: not a new concept, but the context has changed in the FI
– Theodore: trust without history based on reputation metrics

Discussion (3)
? (Uni Vienna): importance of different means, compartmentalisation, how to manage this?
– Michel: big difference between trust and security
– Syed: trust is a multilateral notion in the FI; trust based on certification, assurance
– Jacques: chained services, liability of software and service providers, one partner for the customer: the provider of the service consumed by the end user; how does trust propagate through the chain? It will just happen, no way to discuss away the complexity
– Caspar: pointer to InfoCard, usability of trust, privacy, people have different aptitudes, motivation for response (cf. response time of banks for phishing attacks), systematic response only when critical situations occur

Discussion (4)
Activities of GT 2009

Discussion (5)
? end-point trust (t-shirt example: we have means to evaluate and impose trust based on the evaluation), need for new models for building reputation, responsibility at multiple levels
– Sachar: to which extent do we need to regulate? Regulations can be helpful, but don’t over-regulate

Discussion (6)
Nick: individuals will likely not be willing to take risk; how to tell them?
– Michel: depends on the respective trust model; model trust in terms of behaviour
– Theodore: example of reading terms and conditions when entering a web site – they are never read
– Jacques: normally no absolute freedom in offers and service to customers → consumer protection law that provides some trust; need for similar regulation in the FI
– Mirko: ignorance (of the detailed conditions) is a blessing, needed only if things go wrong – is there a higher percentage of bad guys in the FI than in the real world?
– Caspar: it will be impossible to provide complete transparency

After Lunch, Volkmar Lotz
Volkmar Lotz, SAP Labs – Presentation of Position Paper
What is an identity? Considerations
– Privacy-friendly identity
– Usability and flexibility
– Usage Control Enforcement

Caspar Bowden
Caspar Bowden, Chief Privacy Advisor, Microsoft EMEA – An Example of a Strategic Privacy Technology and Implications for Policy
– Privacy vs. Security
– The trouble with PKI, “Minimum Disclosure Tokens”
– Authentication ≠ Identification, Privacy-Friendly Revocation
– Aligning Technology with Policy
– Strategic PETs in a Legal Framework

Phil Janson
Phil Janson, Manager Security and Cryptography, IBM Security Lab, Zurich
– Problem: Digital world never forgets
– Challenges: Controlling Access (security), Accuracy and Usage (privacy)
– Privacy vs. Accountability, Anonymity vs. Traceability
– Role of Identity Provider
– Research Directions

Discussion (7) Panel Discussion
– Joao Girao, NEC (SWIFT, Daidalos): Virtual ID defined in Daidalos. Separation of one person’s different IDs (Joao Girao from work and Joao Girao from home want a different ID. One should not be traceable to the other.)
– Kajetan Dolinar: Privacy Protection Cycle, a concept for systemic privacy protection (PERSIST). Peer-to-peer security backed up with the infrastructure defined in PERSIST. PERSIST Privacy Protection Cycle.

Discussion (8) Panel Discussion
Neeli Prasad, Aalborg University (ASPIRE) – Real world scenarios
– Tracking your children. Who else can see? How to validate the correct user?
– Tracking the food you eat. Where does it come from? How long did it take to get to me?
– Am I paying my bill to the right person?
– What does identity really mean?

Discussion (9)
Chair – What are user expectations? Management of Identity. What are the gaps? Use these to drive our research roadmap.
Caspar – “Blinding” developed 19 years ago but not seen as a priority. Now we have a problem. Phishing attacks were predicted by some but ignored. Currently have a unique window of opportunity. Identity vs. Anonymity. Prediction: rise of traffic analysis attacks by attacking the router.

Discussion (10)
Caspar – “Onion Routing” (?) where packets are bounced off multiple routers randomly to avoid traffic analysis, so the web server doesn’t know where packets are coming from. Interface between transport layer and application layer not well understood by most.
Phil Janson – Gaps are:
– Key players need to get together (like IBM and MS). Need to be able to use either technology interchangeably. Requires standards
– Deliberate decision by key stakeholders to start deploying. Firstly in s/w, eventually in chips.

Discussion (11)
Chair – What’s the delay implementing this?
Kajetan Dolinar – Legislation
Joao Girao – Need to rewrite some code already out there. The current Internet is not optimal.
Neeli Prasad – Maybe the pieces are not yet ready. Have to understand what we need. We have nice solutions, now these protocols should be modified for what we need.

Discussion (12)
Caspar – Economics is the issue. Most professionals don’t even know the problem exists, never mind a typical user. Market has failed to take care of this issue. Legal situation is confused, with a clutter of many laws forcing companies to keep data.
Phil – Privacy is user-centric. Only the user cares. Stakeholders have to push service providers. Users are not prepared to pay for security/privacy, so no business case.
Floor – Openness and privacy. User awareness is missing. Technology cannot catch up with law. Also need for international laws.

Discussion (13)
Floor 2 – Reiterate previous speaker.
Floor 3 – German awareness initiative for raising awareness among users of security. “What is missing from security learning?” Q to IT students. Their only concern was the availability of their computer. People will always choose comfort over privacy.

Discussion (14)
Floor – Public sector procurement policies, panel to discuss.
Phil – Switzerland is working on this for citizens’ interaction with the govt.
Caspar – Lobbyists shooting down ideas. “Most liberal environment is best for the market” is the thinking.
Neeli – Denmark is quite a safe environment. Danish people typically put a lot of information on-line.
Jacques (Commission) – Some initiatives already exist, like the health card in the UK. Still societal discussions to take place. Some projects like STORK leading to the possibility for EU govts to come to a policy definition, to allow them to start thinking about procurement.
Kajetan – Each service provider should be forced to use a Hippocratic database.

Discussion (15)
Jacques (Commission) – Standardisation will be introduced.
Chair – summary
– Some pieces are available and can be deployed.
– Lawyers are 20 years behind
– Kids don’t care
– Users won’t pay.

Martin Potts
Martin Potts – Martel (FEDERICA)
FEDERICA is a FIRE project. A large open test bed that can be used for many things. FEDERICA is similar to GENI. Based on the GEANT network. OneLab is the European part of PlanetLab. FEDERICA is looking into becoming part of OneLab. FEDERICA can be used by anyone, but not for commercial purposes. Usually a timeframe limit of about 3 months, but open for all ideas.
Jacques – Who pays for access?
Martin – FEDERICA funded under FP7, only expense is to get connected.

Martin Potts (2)
Latif Ladid – Which ideas are of particular interest?
Martin – Virtualisation, Security. FEDERICA is IPv6-ready.
Floor – Security testing usually involves negative testing.
Martin – Mechanisms will be in place to stop people going outside the slice allocated to them.
Floor (PII project) – Panlabs network can be used for security testing also. Apply through the PII office.

Discussion (16) (New Panel)
Jim Clarke – Moving from Trust and Identity/Privacy to Security.
Panel member (France) – Not talked enough about governance of the process. Identity of things and virtual services. How to design the management framework.
Volkmar – Lots of dependencies. How to break it into manageable pieces.
Chair (UK) – Need to think about pilots. What kind of pilots should we be deploying?
Panel member (France) – Hard to simulate what we need to test – need a real user.
Floor – A lot of discussion today on privacy, assuming one overall authority. Not as much discussion on user-management of identity.
Panel member (France) – Identity is a vague term (e.g. RFID); treat IP address in different ways in different cases – it is just a pointer.

Discussion (17)
Panel member (France) – Need to monitor P2P communications. How to measure all activity on the network.
Floor – Hard to test across multiple networks.
Jim – Should be taken into consideration.

Conclusion Trust Panel
– Real-time
– compartmentalisation, different means in place, multiple levels of responsibility
– multi-lateral, transitivity of trust, liability
– usability
– motivation for response
– the proper level of regulation