To celebrate that, I have decide to attend the opening session this year. We started by an enthusiastic eID spporter from European Union, promising us all regulations and standards ready for 2014, which sounds interesting. After all, there are very interesting deployment in countries like Belgium and Estonia, which could be extended.

Then, we get a panel, with the question below. Speakers are Christian van der Valk, from TrustWeaver, Herrmann Sterzinger, from G&D, Massimo Cappelli, from Global CyberSecurity Center, and Marie Figarella, from Gemalto.

Why has eIAS services not been a success to date?

• Is it really the case? There haven’t been failures, there are many services ready to,use, and a lack of recognition, with a common perception that digital signature ismore difficult than it actually is.
• Citizen certificates are too expensive, and the use cases are not compelling enough. Thisis changing in some places, like in Austria, where the state pays the citizen certificate.
• Market fragmentation and lack of trust and confidence are the two main issues. They may even be linked because the fragmentation does not allow the development of global solutlons, deployed across Europe.
• Issues have been legal and societal, not technical. Fragmentation and lacking use case are the most important,

How would the new electronic identification and trust services regulation improve on this situation?

• Moving from directive to regulation is important
• Making it global would be good, but also hittin some limits, in particular regarding discrepancies in privacy requirements.
• Moving to a regulation will limit fragmentation, the scope will be larger, going beyond signatures to seals, timestamps, and more. Mobility between states will also be greatly improved. Finally, supervision should be improved.

What additional key actions would be necessary to make eIAS a success?

• Sharing identity and authentication between public and private spheres would help. Also,aligning with the global market with help, including private support, like Adobe. Also, the recognition of non-PKI solutions would be required (that sounds interesting)
• Moving beyond web authentication is required. Moving to global regulation loses things, such as already deployed eIDs, which do not comply to the new regulation, and also existing standads and existing profiles.
• Bureaucratic simplification associated to eIAS would be great help. We are also missing a common framework of expertise, with collaboration between national agencies. Thereisalso a digital and cultural divide, which hurts wide adoption. Finally, including soft identity would increase the use of strong identity, if it can be used in our everyday life.
• Associate reliable digital identity with a portable secure elemnt, to allow 2-factor authentication. Build an open and interoperale secure Internet. Privacy by design. Push digital identity on all SIM cards to benefit from NFC

Now, that’s quite interesting. The views from the panelists are quite consistent. The question that puzzles me most is the relationship between national and private identity. I am left wondering what opportunities will be given to private companies and web providers to leverage this eID. Making this happen would be a great boost to eIAS.

I also liked Gemalto’s analysis and proposals, which was short and to the point, except the last point, of course; mandating SIM-based identity for NFC is ludicrous and pure lobbying, at least because the SIM is not the only way to access NFC.

So, an interesting first panel, although there haven’t been many suprises and illuminating discussions.

The technology is now ready, and it has not evolved greatly in the past few years. Java Card and GlobalPlatform are mature, widely deployed technologies; many companies are able to develop and deploy cards. Of course, there are a few technical challenges remaining, to keep engineers busy. One of the most challenging tasks is the establishment of trust between the various actors of the industry; today, formal security certification is at the heart of this, but something a bit more innovative will most likely be required here.

The new frontier for cards and secure elements are applications. This is much harder than implementing technology, and requires a lot of innovation. Will we be able to differentiate smart cards from tags? Will we find a room for card applications between basic SIM authentication and TEE applications? Will there at some point be a way to work on this? That’s the Chip-to-Cloud challenge, and I hope to get a few interesting answers next September.

The Call for Papers is out now, so go ahead, propose things. I am convinced that this conference will remain one of the places where academics, industrial R&D, and technical marketing people are able to meet and exchange. See you there!