master thesis - zero trust architecture for legal entities

[synctext]

t.b.d.

• Real code
• Superapp
• government agency? (AFM,DNB,RvIG,Enisa,VWS, ?)
• idea: eidas-high certification of our Trustchain wallet, see commercial vendor details and another guide with info. With a friendly notary, live streaming, and hardware PUF; we should/could comply.

(starting today, but 10 ECTS left)

[Nieuwlaar]

Topic Funneling 1:

Ministerie van Volksgezondheid, Welzijn en Sport:
Project 1:
Improvement of MediTrail (https://repository.tudelft.nl/islandora/object/uuid%3A1774b1e9-3860-4a02-adaa-be9a92557169)

• Encryption of files (when MediTrail files leave the system, all data is unprotected)
• Integration Medic dossier on superapp
• Implement TrustChain transactions
• Connect MediTrail with 2024 EU passport

Project 2:
Improving communication of the health sector

• Integrate TrustChain in communication between hospitals
• Secure document sharing between hospitals

Autoriteit Financiële Markten:
Project 3:

• Integrate music ownership with passport linkage or other SSI

PaperDAO
Project 4

• Make a DAO like MusicDAO for academic research
• Integrate distributed crawling, ML, paper processing and filessharing

Rijksdienst voor Identiteitsgegevens:
Project 5:

• Implement a digital passport infrastructure / EBSI
• Create a personal data vault
• Integrate trusted data communication
  Came across, perhaps not an option (maybe talk with Johan/sjacobino on interesting directions): Digital Basic Identity - EU EBSI gateway and "regie op gegevens" #6023 (comment)

European Union Agency for Cybersecurity (ENISA):
Project 6:

• Tbd (waiting for mail)

De Nederlandsche Bank:
Project 7:

• Experiment with a EuroToken issued by DNB
• Issue an actual authority-backed digital Euro?

Projects still in the funnel of interest: 4, 5, 6, and 7.

[Nieuwlaar]

Status update:

• Applied for ENISA Traineeship

Read:

• General background information of eIDAS, ENISA, digital Euro and SSI.
• ENISA - Trust Services Security Incident 2020 - Annual Report
• ENISA Report - Digital Identity - Leveraging the SSI Concept to Build Trust
• ENISA Report - Remote Identity Proofing - Attacks & Countermeasures
• Industry-Grade Self-Sovereign Identity

[synctext]

• eIDAS high == golden standard.
• Proposal: we take exactly 1 month, until 11 April at 11:11am for a deep-dive into the viability of eIDAS high compliance
• thesis: New Innovations in eIDAS-compliant Trust Services: Blockchain
• Currently unknown regulation with unknown technical component, and unknown reliance on paper-document procedures written in lawyer-speak. Sincere opinion today: too risky to base a Delft master thesis on this, without a plan B.
• afraid of HSM, can a simple FIDO2 key be compliant?
• https://ec.europa.eu/futurium/en/system/files/ged/eidas_supported_ssi_may_2019_0.pdf
  • eIDAS Expert Group - TOWARDS A EUROPEAN DIGITAL IDENTITY FRAMEWORK
  • UZI-pas inside your smartphone with eIDAS-high
  • Driving license inside your smartphone with EU EBSI-compliant wallet at eIDAS high
  • encrypted key storage authentication on server inside Android using FIDO2/Webauthn (BouncyCastle based)

status copied. We now have the following inside the superapp:

• Self-Sovereign Identity
  • ✔️ Key management
  • ✔️ Identity wallet
  • ✔️ Verifiable claims in QR codes
  • ✔️ Zero-knowledge proofs and attestations
  • ✔️ Real-time and offline revocations
  • ✔️ Attribute sharing: name, address, location, and personal data vault entries
  • ✔️ No central point of failure, robust, disaster-proof (fully decentralised)
  • ✔️ European Commission EBSI v2 integration
  • ❌ Personal information is always encrypted and protected
• EuroToken
  • ✔️ Digital wallet
  • ✔️ Send money in real-time chats
  • ✔️ Offline transfers between wallets
  • ✔️ Gateway for Euro to EuroToken conversion
  • ✔️ Existing IBAN integration (TIKKIE)
  • ✔️ No central point of failure, robust, no fragile DiD "central resolver", disaster-proof (fully decentralised)
  • ✔️ Optional central transaction monitoring for compliance with money laundering legislation
  • ❌ Field trail with legal compliance (KYC,ALM)
• Social Networking
  • ✔️ Address book of friend and contacts
  • ✔️ Sharing of verified identities of friends
  • ✔️ Sharing of any data with friends (Unicode, emoji, pictures attestations,location, and Euros)
  • ✔️ Real-time messaging with contacts
  • ❌ Group messaging with multiple contacts
  • ❌ Compatibility with Facebook Instant Messaging
• Ecosystem
  • ✔️ Non-profit open ecosystem on Github
  • ✔️ Open Source without any exceptions
  • ✔️ Permissionless innovation
  • ✔️ Unbounded scalability (e.g. all citizens of European Union)
  • ✔️ Zero cloud infrastructure, GDPR compliant, fully decentralised

current sprint: literature survey.

[Nieuwlaar]

Draft literature survey on eIDAS compliance:
survey_eidas_high_compliance_1.pdf

[Nieuwlaar]

Status update:
Contacted Jean-Paul Bakkers from BZK, Geert-Jon Jepkes, IT architect eHerkenning and involved in DigiD eIDAS notification, and Bob Hulsebosch, process manager during DigiD hoog notification. From research and this contact, it can be concluded that creating a decentralized eIDAS high compliant standard and implementation is infeasible in a master thesis project, because of the following reasons:

• Most failed eIDAS level of assurance requests are kept secret (the applicant can choose to keep the eIDAS request secret).
• Self-assessment of TrustChain with respect to assurance levels indicates an overall level of assurance of ‘none’.
• The notification procedure requires a lot of communication and paperwork toward EC and Cooperation Network (peer review commission, consisting of around 15 to 25 members from all EU Member States).
• The notification procedure (pre-notification, peer review, notification, publication, and mandatory recognition) takes at least a year.
• Peer review process tends to take longer when innovative ideas are requested. Storing data in a SE or TEE on mobile phones is considered as innovative and requires a lot of proofing that the data is handled secure.
• No decentral eIDAS ‘high’ compliant service currently exists. Sovrin has a roadmap to comply to eIDAS ‘high’ which started from January 2019 and should have been finished before 2022, but as of today Sovrin is not eIDAS ‘high’. Furthermore, another decentral SSI from Catalan, Spain (IdentiCAT, with 550.000 euro budget) was expected in early 2020, but at the moment is nowhere to be found.
• eIDAS level of assurance requirements require central control (e.g., central revocation of keys)
• Many unforeseen problems are expected when creating a standard for decentral eIDAS ‘high’ services and applying for eIDAS ‘high’ without the supervision of someone (BZK, ENISA, DigiD, eHerkenning) who has eIDAS compliance experience.

[synctext]

Goal:

• get a government position (or EU level)
• get a minimal viable wallet operational from our Superapp efforts (strip&doc ?)
• Remove all decentralisation and replace with "offline disaster-mode", no-Internet-needed, always-works storyline, in-case-of-central-server failure, critical infrastructure reliability, backup mode.
• Explore adopting use-case stakeholders, digital drivers license, UZI pas, digital Euro, stable coin is now dollar dominated, Euro DAO, and a operational KYC with machine learning; innovation-on-top.
• prepare for a 3-year long project with mandatory EU-wide acceptance of TUDelft technology. Open source critical infrastructure with end-to-end verifiable security 🍷 🥇 🍻

[Nieuwlaar]

• Contacted potential use-case stakeholders, following have my CV, are interested, and know I need assistance in eIDAS compliance (I have sent them this issue as well); RDW, VWS, CIBG, BZK, ENISA, Logius, RvIG, ICTU, and more. No concrete collaboration has emerged from this for now.
• Created a new app called IDelft within the superapp
• Currently working on adding functionality from the valuetransfer app into IDelft, specifically the onboarding of IDs and passports (not functional yet)

[synctext]

• 100% certain we can get you into .GOV (afm,kvk,rvig, etc.)
• Prior work by Tim on access and legal entity matters: https://repository.tudelft.nl/islandora/object/uuid%3Aaab1f3ff-da54-47f7-8998-847cb78322c8
• after 9 weeks you are now getting the required knowledge on what is novel and whats done before.
• Only question is of direction and full re-usage of eIDAS expertise
• token route: FIDO Recognition for European Digital Identity Systems and eIDAS Grows
• biometrics route: https://hackernoon.com/6-best-open-source-projects-for-real-time-face-recognition-vr1w34x5
  • novelty: local-first biometrics, signed vector of hashed biometrics
• DAO route, KYC: https://www.eema.org/wp-content/uploads/2021/03/ANNUAL-CONFERENCE-2018-LONDONKEYNOTES2-BARTHA.pdf Europe: Mission: to explore how to facilitate the cross-border use of electronic identification (eID) and Know-Your-Customer (KYC) portability based on identification and authentication tools under the eIDAS Regulation to enable financial institutions to identify customers digitally. EBSI and DBI re-usage and production-ready.
• Notary signature (commercial)?
• open source FIDO2 NFC eIDAS high key storage https://github.com/solokeys/solo1

[Nieuwlaar]

Brief summary of the findings in these four directions:

• The token route is the previous idea of creating an eIDAS high compliant implementation (identity proofing at 'high' level of assurance), creating such a token is infeasible in a MSc thesis.
• Biometrics route: For eIDAS 'high', only facial/fingerprint recognition can be used for ID proofing (facial is preferred). Facial recognition requires a lot of proofing of security in eIDAS peer review. Seems like a very nice next step once there is a basis for eIDAS ID proofing.
• DAO route: Difficult to find bridging information on DAO and KYC. However, an interesting use case may be a decentralized cryptoexchange complying to Dutch law (Wet ter voorkoming van witwassen en financieren van terrorisme en Sanctiewet 1977) which implies ID proofing.
• Signature route: 3 different types of electronic signatures: Simple, advanced and qualified. Seems like a nice use case where each type can be implemented gradually. Goal TU Delft having a qualified signature creation device (QSCD)(required for generating a qualified signature). Even better: TU Delft being able to provide QSCDs by obtaining rights to issue QSCD certificates, in other words become a qualified trust service provider (QTSP, current Dutch QTSPs: https://esignature.ec.europa.eu/efda/tl-browser/#/screen/tl/NL) (unsure about feasibility, however, if TU Delft = QTSP, all TrustChain peers QSCDs?). Qualified signatures are legally equal to so called 'wet' signatures.

More information can be found in Section 4:
survey_eidas_high_compliance (1).pdf

[synctext]

• Doing SSI after DigiD is too ambitious
• Grand challenge for government will be digitisation, they dont have the people and are obsessively focused on legal matters.
• Blockchain and AI are going at "warp-speed", compared to government pace of innovation.
• Government is resilient to change (e.g. innovation)
• Investments in AI, machine learning and robotic process automation (RPA) technology are set to reach $232 billion by 2025, a new report from KPMG has shown. A skills shortage and lack of common infrastructure is dampening progress.
• Delft University has 50 master student / year as "production". We are highly ranked. Simply combining Top100 universities AI and blockchain output rough estimate (with guesstimating classes of 200 students max.): $232 billion / ((Top-)100 x 200 students ) = 11.6 million US$ per new top-educated senior engineer yearly. So there is a clear imbalance.
• Direction:
  • The DAO has a Sybil problem! Fake identity is essential to prevent a hostile take-over, governance issue. DAO has now nice outlook/fantasy/vision paper by Vitalik and others: decentralised society
  • Can your thesis be the grounding of this: Government policy, as communicated to parliament. Fundamentals for digitisation... e.g. EIDAS
  • qualified signature creation device (QSCD) combines with DAO?
    • Be like Let's Encrypt! Single-handily re-define an entire ecosystem.
    • eIDAS Conformity Certificate, https://www.aangetekendmailen.nl/wp-content/uploads/2021/07/QTSP-Aangetekend-B.V..pdf
    • we can certify open source providers, we provide a reference implementation + documents.
    • Peer-to-peer biometrics in a DAO for identity proofing? Like prior fingerprints without Android permissions portable biometric-based trust #2812 We can remotely read the machine readable zone and obtain a photo, this can be validated manually and assisted with biometric software. No government, no notary, and zero-banking institutions needed to prevent fake identities in systems. Stops all bots. Secured proof of humanity, see insecure version.
      • Superapp with ID-proofing ability within DAO, proof-of-principle level.
      • Identity document remote NFC reading {danger ⚠️ to privacy, random picked witness}
      • live streaming added to the operational remote chat app
      • Witness provides a trustchain-based "proof-of-identity-verification"? zero-knowledge proof?
      • analyse the legal standing of your proof-of-principle within eIDAS legal framework of EU. Document in IETF trustchain addition?
      • RDW embedding of master thesis in an ideal world: test app to scan existing RDW MRZ, make a photo suitable with rules for putting on your renewed driving license, compare the embedded photos with a selfie, request approval from RDW, pay the cost of a new driving license, and select the pickup location. EDIT: entry of signature to print on the plastic.
      • Tikkie experience from Superapp Euro i team.
• Sprint focus: (take DAO Sybils as tentative focus??????; "remote ID-proofing: an open source library - GDPR-compliant, EBSI-integration, and eIDAS checked") compile from source, understand id scan code, chat app by Bambacht, and binary transfer EVA protocol (Python+Kotlin code).
  • ensia requirements https://www.enisa.europa.eu/publications/remote-identity-proofing-attacks-countermeasures
  • etsi Technical Standard 119 461 V1.1.1

[Nieuwlaar]

• Applied for an internship at Logius in the eIDAS team (expected response: This week)
• Build a working app (based on valuetransfer) with ID boarding (not included in the video due to ID details):
  

[Nieuwlaar]

Update:

• Spoke with Ka-Kin Fung from the eIDAS team of Logius, he finished 7 peer reviews of eIDAS compliance. If TU Delft were to go for an official eIDAS 'high' peer review, interesting to learn from his and his team's findings (Some of these peer reviews he did with the aforementioned Geert-Jon Jepkes). They did the whole process for DigiD. Pilots are never peer reviewed. Decentralized eIDAS identification has never been peer reviewed before. All public peer reviews here.
• Identification is one of the pillars of trust in many use case, also at the KVK. Hence I think it would be nice to dedicate a chapter to identification with an outline of the current eIDAS situation, a look into the 'futuristic' eIDAS2 legislation and other upcoming laws, and a strong focus on the ultimate goal of a decentralized eIDAS 'high' compliant solution.
• Started at the KVK, enjoying it very much. Currently, having meetings with many people to get into the KVK ambiance.
• KVK has a very interesting SSI and Proof of Attorney (Machtiging) use case that can be developed. It concerns RDW's numberplate addition/suspension machtiging which is recorded in the KVK Handelsregister. KVK InnovationLab wants to build a SSI solution to learn from Proofs of Attorney in a SSI environment. So far the topic has been discussed within the team and RDW, and they decided they want Microsoft's SSI wallet to be used. I think this use case is more interesting than a Sligro one, this use case considers an actual legal binding machtiging! Would very much like to do this, wondering if that is ok?
• I wrote the introduction and draft problem description (Introduction is pretty ok, the problem description will be redone completely, I will repost once finished) Here is my work so far.
• Wondering what you think of below's schematic overview as "het rode draad" of my thesis?:
  

[synctext]

inspirational update, good efforts.

"Deploying pillars of trust: eIDAS2, Trustchain, IPv8, and EBSI"
That is worthy of a solid master thesis focus! Linking various sources-of-legal-truth, tamper-proof ledger storage, quantum-proof IPv8 communication, and root-of-trust from EBSI.
Uncompromising open source.

[Nieuwlaar]

• Rewrote the draft document and mainly the problem description into a more holistic SSI view. My work should provide an answer to most of the challenges provided in the problem description. Question: Wondering if this thesis blueprint and problem description are good?
• Met with Tim Speelman and Sharif Jacobino.
• RDW seems to be okay with a TU Delft SSI implementation 🎉 , so far no further contact with RDW.
• Will now focus on eIDAS regulation (eIDAS 1 and 2, State-of-the-'Art' and 'glimpse into the future') to provide literary guidance for eIDAS 'high' certification with a focus on distributed identification and authorization (such that TU Delft has somewhere to start in becoming level of assurance eIDAS 'high').

[Nieuwlaar]

• Wondering which journals would be interested in publishing my work, if everything works out. At the moment I thought Elsevier Blockchain, IEEE Blockchain, ACM Digital Government, Inderscience or ACM Distributed Ledger might be interesting.
• Is it perhaps interesting to have an (associate/assistant)-professor from TPM in my graduation committee, as a part of my work implies law and society? (I did a decentralized identity management literary project under the supervision of Jolien Ubacht last year, she has expertise in regulatory practice, SSI and governance of personal data. Furthermore, she is very kind. Hence I would most likely ask her in case you like this idea)
• Would like to complete my thesis committee. I am curious how this normally goes.
• Did a progress update at KVK, slides here. (this is slightly outdated by now)
• Did TU Delft bid on the European Digital Identity Wallet tender?
• Or will TU Delft (try to) be the reference wallet mentioned in van Huffelen's kamerbrief. The "speelveld" requirements seem aligned with TU Delft's ambition.
• Met Chantal van der Wijst in a session with the Dutch Blockchain Coalition. The Belastingsdienst, KVK, ABN, KNB and DBC are working on an 'ondernemerspaspoort' which will be SSI based. I will attend coming meetings and provide input where needed. I am thinking this might be the right project/place to advise the KVK to become a QTSP.
• Finalized the first complete version of eIDAS literature. Project manager from Logius eIDAS team will most likely peer review this section (chapter 5; "Identification") 😄
• First meeting with RDW developer is planned for this Wednesday 🥳
• Goal is to start implementing after Wednesday's RDW meeting.
• My current thesis status can be seen here.

[synctext]

Dutch government already has trouble keeping up with the pace of innovation in Europe. Sadly we even want to have a "Dutch flavour" to the European Identity and eIDAS 2.0 legal framework.

Programma EDI Stelsel NL
Om dit te realiseren moet er een stelsel voor Europese digitale identiteit in Nederland worden ingericht. Hiervoor zet
het Programma EDI Stelsel NL van het ministerie van BZK nu de eerste stappen. Veel moet nog worden uitgezocht,
maar 1 ding is zeker: het stelsel wordt ingericht op basis van een open houding en zoveel mogelijk co-creatie.

Current methodology is to try to avoid these fragile "grand visions" and meticulously use a small "use-case" based approach. By limiting the scope we ensure realisation. Use-case: natural person whom is listed as authorised inside the registry of chamber of commerce to add or suspend car registrations inside the Netherlands vehicle authority registry. Problem is that recent query to chamber of commerce registry is currently required. This does not make the citizens self-sovereign and against European once-and-only-once spirit. Warning: keep this use-case small, ensure viability, guard feasibility, and protect implementability. Exploration track: work with Rowdy credentials, test Jacobino EBSI code, and explore use-case by showing non-functional screens in superapp (obtain minimal viable happy flow).

Keep the thesis at highest scientific level: "Deploying pillars of trust: eIDAS2, Trustchain, IPv8, and EBSI" (repeated)

ToDo: the IEEE writing style pointers

• New master thesis format is similar to bachelor thesis format with merely 1 page of front-matter, see example
• More examples. master thesis core: 10-pages IEEE format with max. 6 figures. (14 figure example https://arxiv.org/pdf/2203.00398.pdf) (15 figure example https://arxiv.org/pdf/2110.11006.pdf). Student report (5 ECTS): "Double spending prevention of digital Euros using a web-of-trust". "industry-grade self-sovereign identity" by Rowdy.

Thesis goal: work towards 1 field trail of merely 1 hour working with your app. Make 1 grand photo, this become your master thesis final figure: it really happened. Graduate 🎈

[Nieuwlaar]

• Fixed crashing dialogs in Superapp #118
• Changed some appearance of ValueTransferapp/ConfIDapp. Introduced IDelft (also in #118)
• Created happy flow. Prerequisite of happy flow: KVK credentials are already written on EBSI:
  
• Working on getting the right access from KVK and RDW to use their data. Trying to get access to actual production data from KVK (very uncommon; KVKs own implementation uses pre-production), RDW will never provide production data access for PoCs/MVPs, will use RDW pre-production or public data

[synctext]

• solid progress
• You now have the beginnings of a use-case to build your entire master thesis on
• Identified the key stakeholders within both RDW and KvK
• Photo opportunity and first happy flow identified
• What about performance analysis and solid deployment evaluation? When has this succeeded (e.g. it compiles so its OK 😁 )?
• RDW is using Microsoft exclusively for software development. Including wallet, Azure, etc.
• What is your core technical challenge? Science challenge? Now its merely playing with a database of 92 columns and EU hyperledger stuff called EBSI. Enrolment of natural person for EBSI with company ID, pre-requisite!
• Within the academic community people have presented visions of integrating legal registries of persons, companies, and objects. We are the first to attempt to realise this. Our first integrated solution is founded upon a prototype of the upcoming European passport-grade digital identity. Our work is grounded in the complexity of real-world production usage. Therefore we take the existing 92-column database of legal registry and designed a first implementation for the critical infrastructure for persons, companies, and objects which should last for 20-30 years. Our first implementation is designed to discuss, provoke thinking outside current technology, and thinking beyond existing legal frameworks.
• The GDI forms the basis of our digital critical infrastructure. The "enterprise architecture" of our kingdom is very broad, not agile, and not using electronic signatures or any other modern element.

Sprint: kennisoverdracht Sharif, later: happy flow implementation!

[Nieuwlaar]

• Met with Sharif, he showed his progress. His VC EBSI compliance is different than the Credential Issuance compliance which I would need. KVK schould become a Trusted Issuer (have not looked too much into detail of this yet). Looking forward to his PR.

• Want to create EBSI's first layer 2 network using IPv8, TrustChain and Rowdy's work (world's first legal backed layer 2 network?). Overview is given in Figure 1, and happyflow in Figure 2.
  Figure 1:
  
  Figure 2:
  

• Currently busy with merging Rowdy's work regarding IPv8 and superapp to make the EBSI layer 2 possible. This will take some time, current progress here.

Preliminary answers to issues mentioned in previous meeting (performance analysis, deployment and thesis challenge):
Performance analysis:

• Evaluate how large the chain of attestations be
• Evaluate time to revocation of n-size-attestation-chain

Deployment evaluation:

• Create KVK attestation on EBSI and use this as trust anchor for layer 2 chained attestations
• Ability to revoke the whole chain

Technical challenge solved:

• Not everyone can be an EBSI Trusted Issuer, but in layer 2 you can with an anchor to a Trusted Issuer
• Formulier 13 which can be used for this but is highly inefficient becomes obsolete with regard to attestations (KVK centralized)
• Privacy by design attestations with EBSI anchored trust

Next sprint: Hopefully merge Rowdy's work and start EBSI credential issuance compliance.

[synctext]

• Concrete critical issues (Dutch context)
  • is dit aanbod-gedreven ICT? Of lost dit een bestaand, echt probleem op?
  • is dit een stelselverandering? Can you claim in your thesis that this is a first step within the transition from locked, government-exclusive central data warehouses, towards decentral real-time economy with government facilitating source-of-trust? (from form 13 of weeks to 3 minutes?)
  • This thesis build alternative for (part of) eHerkenning! (delegation part) 😮
  • With a more ambitious follow-up project: alternative for 90% of Chamber of Commerce 😮 😲 😮
• Is TUDelft the first to build protocols on top of EBSI? Very likely! (IPv8, Trustchain-request message, cryptographic proof-of-power-of-attorney)
• EU Large Scale Pilot, NL EDI view
• https://www.digital-identity-wallet.eu/
• Upcoming sprint focus: EBSI, Rowdy code. (later: write Problem Description)

[Nieuwlaar]

• Perhaps an interesting (EBSI) tender for TU Delft
• In the process of adding KVK to EBSI Trusted Issuer Registry
• Looked at Sharif's code, the code has merging conflicts. Cherry-picking from his code and implementing EBSI by myself. Implementing EBSI will be time-consuming.
• PR is created to merge Rowdy's attestations (with both updated IPv8 and superapp). Rowdy needed the superapp to be functional this week, so he took no risk in merging my PR. PR is currently for a separate superapp branch. End of this or the beginning of next week merge will most likely happen.
  Goal next sprint: Finish Rowdy's merge, implement EBSI DIDs for wallet, and have KVK added to Trusted Issuer Registry

[Nieuwlaar]

• Requested eHerkenning
• LSP is currently finalizing the Consortium Agreement
• KVK will have a DID in the EBSI Trusted Issuer Register (expected this week)
• Building upon the PR/work of Rowdy's attestations
• So far nobody has a published protocol on EBSI. However, NETIS, University of Maribor and Walt.ID are currently most likely in the process of having their paper peer reviewed with respect to an attestation protocol based on EBSI (very little details are known as it is not published yet)
• A possible interesting master thesis (or blockchain engineering group exercise) might be to create
  this (TU Delft created) revocation method in the superapp
• Communicating with EBSI to resolve issues I am having with regard to authorization and authentication (most likely an outdated documentation issue)
• Working on EBSI functionality, currently able to create and bind DIDs in console:

- Getting used to the EBSI structure (quite a lot of possibilities). The API structure:

Next sprint: Create and bind DID documents within superapp.

[Nieuwlaar]

• KVK DID is added to the EBSI Trusted Issuer Registry 😄: did:ebsi:zgbNBgEqAwNMYV1T9MtUmSk
  

[Nieuwlaar]

• irrefutable legal validity:
  • There are three categories to obtain rights and obligations (R&O) with regard to authorizing (machtigen); attribution, mandating, and delegation.
  • Attribution: R&O obtained from law
  • Mandating: R&O obtained from legal/natural person mandating. Responsibility remains at the person mandating.
  • Delegation: R&O obtained from legal/natural person delegating. Responsibility goes to the delegated. The delegates (he/she who delegated) can no longer exercise authority.
  • Within a company, mostly mandating is done (not delegation).
  • As well as the KVK RDW use case as the replacement of eHerkenning concerns mandating. Therefore, will focus on legally bound mandating for now (adding legally binding delegation later is not a big step. Technologically, delegating is easier. The difference is who consents to the delegation/mandate. Most incentives focus on delegation while mandating seems to be much more applicable in the real world)
• Getting very close to writing VCs to EBSI v2 (pre-production)
• As someone working with EBSI, documentation and API overview is overly complex and a spaghetti.
• Fixed confidapp crashes
• New logo/name: confidapp -> IDelft
• Soon to start with actual thesis writing
• The whole chain of trust is implemented by December/January
• Assuming KVK issues credentials to certified wallets
• Note for master thesis "Problem Description" story line:
  • General "Joost Problem": the legal truth and trust of the KVK should be portable. For this portability currently, eHerkenning is needed.
  • Specific "Erwin Problem": RDW use case (see images above)
  • Potential photo of deployment: Sligro/Makro (non-supermarket), RDW
• KVK future: onbeprijsd gebruik van eigen gegevens
• All economic activity by any legal entity can now be supported by irrefutable cryptographic claims
• Foundation of the zero trust architecture for legal entities
• Master thesis title: zero trust architecture for legal entities

[Nieuwlaar]

The previously mentioned statements regarding rights and obligations are all true, but concern public law. In the eHerkenning, RDW, and Makro/Sligro use case the legal basis is private law (as it concerns machtigingen within a company). The previous wrong statements have been striked through. The correct notion of machtigen within a company is "power of attorney", in case this power is limited it becomes a "special power of attorney". As I want my work to be legally irrefutable, I found it useful to correct and explain this.

[Nieuwlaar]

• Integrated KVK HR database service
• Superapp is now able to receive/store KVK-signed truth (talks to actual pre-production server KvK 🎉 🎉 🎉)
• Loaded the first Powers of Attorney in superapp (see .gif)
• Created PoA structure
• Started with backend communication of PoAs for sharing (doormachtigen) between peers
• Stumbled on more issues with EBSI.
• To implement EBSI correctly you need to be in the Trusted Schemas Registry and create your own credential which is compatible with information retrieved from Chambers of Commerce. Creating such credential and implement it with superapp, is a lot of work (I now understand why everyone copies the work of Walt.ID).
• EBSI has credentials for diplomas, but not a credential which is suitable for Powers of Attorney. This should be made with the Trusted Schema Registry.
• Implementation of EBSI in superapp is a master thesis in itself. Perhaps very interesting for TU Delft and KVK with an eye on GLEIF and Eurochambres
• Focussing on making a decentralized alternative of eHerkenning with irrefutable truth from KVK
• With this system, all authorizations can be managed decentrally, causing a huge system change (if desired, all roles/powers/authorizations within any organization can be defined within the superapp, endless possibilities)

Next sprint:

• Create presentation of PoAs (in QR format, for easy sharing)
• Create visualization of complete PoA (in the same dialog as PoA presentation)
• Enable verification of PoA (QR scanner integration)
• Add a pop-up to approve a receiving PoA
• Solve the RDW issue/use case
• Design how all communication will be cryptographically secure (confidentiality, data integrity, authentication, and non-repudiation/irrefutability)
• write problem description

Thereafter:

• Implement peer to peer issueing of PoA
• Implement cryptographic security
• Implement revocation
• Brief thoughts on system change and social impact (from calling to clicking)
  • We are in the middle of a system change in society.
  • The digital transformation is altering your paper passport, your paper money, and where you do business.
  • Erosion of trust and a high level of expertise are needed to understand these technologies.
• Finish thesis

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License

Costs of KVK HR dataservice:

updated gif (now fake PoA is truly fake)

apk_poa

[synctext]

Wow, it took me minutes to understand how many pieces have come together this sprint. 🥇 Great Work Sir! Now into Wrapping up phase! Trying to understand broad scope of your thesis:

1. EBSI works. New schema added
2. KvK QR codes, irrefutable digital proofs of PowerOfAttorney (e.g. machtiging case)
3. RDW use-case fixed
4. Photo of an actual field experiment with your actual running code
5. Brief and broad societal perspective

Next sprint fit the above into 8-10 IEEE 2-column master thesis format:

1. intro Zero Trust Architecture for legal entities
2. Problem Description zero-trust: Making Trust Portable ('Jansen from Jansen Inc.' 1st use-case: its all about PoE)
3. System Architecture Local-First {Figure1: system Architecture; KvK handelsregister 1040 Euro cost, EBSI, wallets with zero-knowledge WaltID, RDW,...}
4. Zero Trust realisation and prototyping
5. Field Trail and Performance Analysis

Can you give some advise for the future for us as a lab?
What has long-term future? Empower citizens, give them control over their digital lives or help businesses with new digital government services, which are still immature. The Chamber of Commerce has 48 products (roughly), yet the inherent system complexity is limited. The digital transformation of this organisation is not yet as far as RDW? EBSI alternative for parts of expensive eHerkenning?

ToDo: what is your 1 year dream assignment {external phd???,LSP}?

[Nieuwlaar]

Mashed my previous work survey_eidas_high_compliance (2).pdf and
MSc_Erwin_Nieuwlaar (36).pdf into a few sentences. They are now included in the current document: MSc_final (53).pdf

• Wrote Problem Description
• Wrote System Architecture
• Tried to be as brief as possible (maybe too brief?)

Can you give some advice for the future for us as a lab?

• Remote identifying at eIDAS level of assurance (LoA) high is gold (potentie om alle fysieke balies in de EU te vervangen) (PhD level)
• Combining the above with a LoA high authentication to local private keys (secure element integration), creating a tamperproof protocol that incorporates: "something you know (PIN), something you have (Phone), something you are (Biometrics/something centralized)" including loss of 1 of these. This is a problem EDI will have to deal with and is not solved yet.
• EU reference wallet will soon be available, adding EU-wide Legal Entities to this wallet would be nice for TU Delft. Proving that brokers and QTSPs may not be needed in the new digital identity era. Alternatively, let a master student hack/exploit this wallet.
• KVK will most likely partake in 2 LSPs regarding EDI (POTENTIAL and EWC), an annual graduation project at the KVK is interesting to keep updated regarding EDI and the legal entity perspective thereof.

what is your 1 year dream assignment {external phd???,LSP}?

Do LSP at KVK. If turns out not challenging enough: add external PhD

[synctext]

Review of thesis draft:

• Your scientific contribution: portable trust. Put the science first within abstract. Get to the point a bit more quickly. Like: our architecture is build around a new primitive irrefutable cryptographic proof that a natural person is a legal representative of a company.
• Select a single central element of your story:
  • zero trust architecture
  • portable trust
  • European Blockchain Services Infrastructure
  • Trusted Issuer Registry API
  • legal entity representation
  • Power of Attorney (PoA)
    • is this your core master thesis
    • just a use-case we required to confront our ideas with the real world and infinite complexities
  • zero-trust architecture {copied}
• Still a narrow focus, zero trust and cryptographic proof is (overly) broad.
  • NIST Special Publication 800-207
  • "BeyondCorp is an implementation, by Google, of zero-trust computer security concepts creating a zero trust network."
• "These institutions serve as an anchor for legal certainty for Dutch persons and businesses." Swap this general remark with the details you provided before.
• "Fig. 1. System Architecture of the Zero Trust open standard for Legal Entities" nice explaining picture, please put 1 page earlier.
• Section "Problem Description" more scientific, start with explaining 'the problem of trust'.

[Nieuwlaar]

• EBSI early adopters programme re-opened, perhaps interesting for funding / new MSc project
• Rewrote abstract and introduction: MSc_final_E_Nieuwlaar.pdf
• Will rewrite Problem Description based on trust for legal entities, will argue that current trust/verification is very unportable (and many other issues). Figure to show current legal entity representation (fig 1 of thesis):

• Implemented PoA verification:
  
• Implemented Chained PoAs including revocation (video too lengthy for gif):
  https://user-images.githubusercontent.com/34306523/215063555-385b5ba7-00a0-4a0d-b9c5-e02800036a6c.mp4

Current idea for Performance Analysis:

• Measure speed of calls to KVK pre-prod server (for multiple devices on wifi and 4G)
• Measure speed of PoA issuance (for multiple devices on wifi and 4G)
• Measure speed of PoA revocation (for multiple devices on wifi and 4G)

APK:
https://drive.google.com/file/d/1FNVI3ZXOEldXIoqtPJQe9fvTNJ8NWbW_/view?usp=sharing

[synctext]

• Please motivate the importance of your problem. How much identity fraud and "natural person-legal identity fraud" is committed. Societal impact of zero-trust architecture and fixing all these identity assurances?
• thesis writing: 3 weeks to polish?
• Thesis performance analysis: 1 week to finalise?
  • See Quinten Figure 4 for inspiration conducted nearly 5 years ago
  • encrypt/decrypt timings, (EBSI) server response time experiment
  • end-to-end latency analysis (camera capture, nfc, QR display, wait for server login, packet parsing, etc.)
• also claim your console-level operational prototype with EBSI integration. Legal root of ultimate authority/trust of identity.
  • not a registered schema
  • Operational prototype
  • Walt-ID role of open source
• Consider a more scientific intro: a primitive for a new economy. zero-trust computer security concept is not explained. Could be the whole intro. Zero trust architecture in US context not mentioned. Dream: security based on the laws of physics (e.g. PUF) and mathematics (hashing, crypto). Fraud is astronomical unlikely.
• Fig. 1. Current situation of organization representation, this is engineering. Lacks scientific grandeur.
• field trail. Very powerful to have a "store setting" picture of your work in real-world. Single photo showing the maturity of your ideas and work. You work could replace existing "plastic membership cards".

[Nieuwlaar]

• Gave a live demo at the KVK, everyone at the live demo was very enthousiastic
• Joost is currently looking in his network to get a verifier that would like to use IDknip, for the field trial
• Met with Jolien, she would like to be on my graduation committee. She would like to have the graduation assessment criteria, can I send her this?
• Wondering what I should do with the Green Light Evaluation and First Stage Evaluation in MaRe
• Shall I contact Stefanie Roos to ask her to be on my graduation committee?
• Should have dived into the US Zero Trust Architecture earlier, it is indeed a nice way to introduce my work and outline the problem
• Hence figured out that writing the intro and problem description is the hardest part of writing the article. In my current progress I have left out these parts as I am far from satisfied before it being reviewed
• Had a tooth removed last week, barely sleeping due to pain
• My goal for next sprint is a complete thesis draft including all chapters

[synctext]

• Solid progress. Some {draft} section of previous thesis are now removed.
• System architecture (Fig 3): has 7 boxes of "users", just make this a circular arrow, point to yourself.
• Try to merge Figure 3 with Figure 1: add the delegation of authority and authorisation into the overall zero-trust architecture. Do not remove the essence of zero-trust by just zooming into this legal obsession
• The Figure 1 architecture contains a block called architecture: circular definition. non-ideal fix: call it simply "zero-trust zone"?? {Users, Applications and Infrastructure} {applications, users, infra: nothing is trusted and subject to continuous monitoring} {Fig 1 + users, authorisation registries, mandates, Power of Attorney}
• Scientific essence: The Joost Principle making the trust of the governmental business registry portable. Power of Attorney is merely a legal thingie to make this happen.
• eIDAS2 and PoA relation? {natural person - mandate}
• performance analysis: nfc and pasport are different from the various networking measurements. Split?
  • matrix of emulator+phones with the resulting networking performance.
  • Example performance analysis using flame graphs. Work from my glory days with Netflix co-author.
  • Grand final figure; example, interactive: https://queue.acm.org/downloads/2016/Gregg4.svg

[Nieuwlaar]

• Thesis draft
• Makro live demo will be on the 20th of March at their HQ
• Thought of removing Figure 4 or 5, but I think both figures really add to my thesis and should be in it. It makes my story much clearer, shows the important role of trusted issuers, and displays the decentralized nature of the system.
• Met with Jolien, and incorporated her feedback into my draft thesis
• Made flame charts (one of them in the draft)

Things that I think are left to do:

• Add Makro demo picture
• Polish text/layout of thesis
• Final presentation

[synctext]

• EBSI and draft eIDAS2 legal constructs for parliament are notoriously difficult to us as foundational material for a computer science crypto hacking thesis. Lawyers can bring great coding fun projects to a halt. You succeeded!
• In this thesis, keep neutral for possible arXiv upload: "we present"
• re-ordered: Power-of-Attorney is an essential legal primitive. Our Zero Trust Architecture making trust portable and secure by changing the way we represent legal entities and delegate authorizations.
• will provide a mainly self-sovereign digital identity to its citizens by 2025.
• Fig. 3. "Zero trust architecture for delegation"
• Please add Web3 for complete buzzword bingo In this Chapter, we present the outcomes of implementing the Zero Trust Architecture for Legal Entities on top of TU Delft’s Decentralized Societal Infrastructure [56], further called the IDknip.
• We name our Internet-deployed prototype: IDKnip. goofy name btw, not SanFran VC compliant
• step from system architecture Section to Evaluation needs another section. "?Realisation and Evaluation"
• After the done a in-depth evaluation we do : "VI. Performance Analysis"???
• Missing the goal of VI. Performance Analysis. After our broad evaluation we now specifically measure of our zero- trust realisation is fit-for-purpose. The following requirements are analysed in detail.

[Nieuwlaar]

• Processed provided feedback and acquaintances proofread the thesis as well. Latest version: thesis_E_Nieuwlaar.pdf
• Live demo with Makro postponed due to illness at Makro. The demo will be held coming week
• Draft slides final presentation
• BoE approved Thesis Committee

[synctext]

• Our reference implementation focuses on creating a peer-to-peer protocol while integrating the Member State Chamber of Commerce Company Register of the Netherlands (KVK) to serve as the root of trust and the Makro as a verifier.. too complex. With government assistance we conducted a pilot deployment of our prototype with live connectivity to the legal source of truth, the chamber of commerce. A commercial retailer acted as the verifier of the PoA with EBSI acting as the legal root-of-trust.
• Accomplishing a legally binding delegation that is cross-border, decentralized, verifiable, has revocation, and enables management of legal delegation of authority for all EU Member States in a matter of seconds instead of weeks. We shorten legally binding delegation that is cross-border, decentralized, verifiable, and has revocation from a week-long process to mere seconds.
• Section 2. identity of users and entities natural users and legal entities
• Figure 4: remove the lost white space on sides and in-between.
• Alternative in Figure 5 read (evil) and green (good). For instance, use a black border and black underline for Device 1.
• "Business only supermarket"
• Either: a trained professional did the NFC scan 10 times, see results. Or 6 semi-random novice users fiddled with our strange app and here are the NFC scan numbers. NFC Scan time is defined as the time interval between screen start and write to SSD???
• Logical ordering? design with screens, performance analysis, real networking performance and latencies, and finally a real-user in end-to-end pilot. ???

[Nieuwlaar]

• Current status: MSc_final.pdf
• Makro demo on the 14th of April

[synctext]

• Nearly done 🎉
• ✔️ all forms ready for 26 April defence.
• Fig. 7. Flame Chart of retrieving PoA from the KVK now comes after "Conclusions"
• Your thesis draft does not explain the importance of your work. Zero trust architecture may touch all EU economic activity, from passport-level identity to all invoices. Its a blueprint for the digital EU economy. Possibly an industrial revolution is coming with this digital-native infrastructure for trust boosted by the emerging artificial abundance of intelligence (e.g. machine learning). You storyline "Code breakers". {end-of-roast}

[Nieuwlaar]

draftslides5.pdf

MSc_Erwin_Nieuwlaar.12.pdf

[synctext]

• 9 pages with screenshots of every app screen you build 😄
• 1 page introduction about zero-trust, cryptographic proof, self-sovereign identity, Power-of-attorney, true P2P using local-first superapp, and all other prior knowledge you need to understand your Problem Statement
• what is your scientific contribution ???
• submit your thesis!