Diary day 3 of an EIC22 passenger

Follow André Koot as he attends EIC2022 in this miniseries called ‘diary of an EIC22 passenger’. First-hand accounts, observations, reporting, and pictures. Sharing here: Day 3 of EIC22.

This was a memorable day. Not in the least because of how Ingo Schubert (RSA SecurID) presented how game theory could help defend against the dark arts. A great presentation, but what struck the audience… Well, you can form your own opinion :D

And the next presentation made us Dutchies proud. Annet Steenbergen from the island of Aruba (an autonomous country in the Dutch kingdom) lectured us about the progress made in facilitating travel by using all kinds of electronic documents and verifiable credentials. There was a lot of that around, VCs I mean. Many presentations addressed the topic; VCs are relevant.

Gain

And then GAIN. The concept of GAIN, the Global Assured Identity Network, is an initiative that was launched by the OpenID Foundation some 8 months ago. The goal is to connect trust frameworks so that identities from identity providers in different trust frameworks can work together.

A trust framework can be anything, from a corporate or industry alliance to a national ID scheme. In the internet of now, these different frameworks hardly know one another, let alone allow an identity from an IdP in a different trust framework to be used to connect.

On the third day, multiple presentations and workshops covered GAIN. And that’s very special, since it only came about 8 months ago.

One of the developments covers interconnectivity of APIs. Why would APIs need to exist in one trust framework? Wouldn’t it be easier to make it possible to connect to an API in a different trust framework? At this moment the biggest hurdle is not technology; we’ve got the technology. In fact, we are working in a project where we will add a policy engine to grant trust according to a predefined and configured policy, making fine-grained access across contexts possible. Exciting stuff. We will discuss this with the GAIN working groups. Expect more progress later.

Different topics

A nice introduction to IAM and M&A by Jon Lehtinen, based on recent events: Okta and Auth0 merged. This event was the basis for an entertaining presentation of issues that arise during mergers and acquisitions. An interesting overview of the issues by Jon showed what to take into account when performing the merger. And especially the differences in size and culture cannot be overstated.

And here again, technology is hardly ever the problem.

For the techies here, George Fletcher presented how to secure and assure the integrity of mobile apps. It looks simple. And it may well be simple, as long as you know the threats and how to mitigate the risks. Here’s a howto:

Dinosaur

Looking back at some of these presentations, I cannot ignore the fact that these topics are not new. And in fact, I did cover a number of these issues in blogs, long ago.

Some relevant links:

Trust frameworks

Verifiable credentials

Trust

And last but not least: in his presentation about Access Control, Allan Foster from ForgeRock repeatedly mentioned ‘Who can have access to What’. I always add ‘and Why’. That is also the topic mentioned often these days: policies. Who can have access to what is laid down in a policy. The key question now is: who is accountable for defining the access policy?

That question is answered in our whitepaper. There are multiple stakeholders, each accountable for part of the access decision. There is not just one person who is accountable. You can download our whitepaper without registering your identity :) here.

This was my last contribution about EIC2022. Thanks for following this diary, hope you enjoyed it.

About the author

André Koot
CCSO

andre.koot@sonicbee.nl

André Koot is principal IAM consultant and co-founder of SonicBee. He has over 25 years of experience in the cyber security domain, of which the last 20 years he has been specifically focused on Identity and Access Management. He is an absolute top expert in this field, internationally recognized. André makes an active contribution to the IAM domain, among other things in his roles as board member of the Cloud Security Alliance NL chapter, member of the IDPro commission and member of the advisory board of Identity.Next.

About SonicBee

SonicBee is the Identity and Access Management (IAM) company providing innovative and intelligent managed services and business consultancy to make businesses faster, smarter and more secure. We ensure that everything and everyone within your environment can access information in a safe, compliant and smart way.

We challenge the existing market by looking at identities and data in a new way. SonicBee provides managed services, advisory services and trainings focused on increasing our society’s cyber security and creating business value.
