31 March, 14:00-15:30 Identity Management, Authentication, and Authorisation in Solid A session comprising talks by Ross Horne, Christoph Braun, Beatriz Esteves and Christian Esposito Overview: Access to data within a data pod by Solid apps is standardized by the Solid protocol, which defines authentication mechanisms, access control policies, and a RESTful API. Currently, identities are expressed using WebID, and authentication and authorization protocols are defined by the OpenID Connect standard, which defines how a client and pod interact with the trusted third-party IdM. The aim of this session is to present the concepts and protocols underlying these standards, to point out pros and cons, and to highlight possible future evolutions leveraging on blockchain, verifiable credentials, policy ontologies, and other enabling technologies. =================== Talk 1: 14:00-14:40 ====================================================================== Title: Towards Authentication Protocols based on Verifiable Credentials for Solid Speaker1: Christoph Braun, Karlsruher Institute of Technology Speaker2: Ross Horne, University of Luxembourg Abstract: Verifiable Credentials (VC) allow agents to directly authenticate themselves with systems such as Solid, by using a credential issued by a some recognised authority (e.g., Government, Employers, Hospitals, etc.). A VC based authentication method, improves data sovereignty and GDPR compliance compared to popular authentication solutions such as OpenID Connect, since the Issuer of the credential need not be an active party in the authentication process; and hence the Issuer cannot exploit their position to profile agents based on how they use applications. Instead, authentication using a VC can be achieved via a carefully designed cryptographic protocol. We examine authentication protocols built using the recently emerging Web standards of the W3C Verifiable Credential data model W3C Decentralised Identifiers (DIDs), that may be incorporated into the Solid Protocol. We analyse underlying use cases of VCs and review current implementation guidelines, in order to extract an exemplary authentication protocol based on Verifiable Credentials. We verify that the protocol is robust against man-in-the-middle attacks. This approach yields us precisely evaluated guidelines for implementing authentication protocols employing the latest standards for VCs, DIDs and related proposals notably Hyperledger Aries. We also explain in what sense existing guidelines are not sufficiently tight to ensure that, when implemented, credentials cannot be exploited by attackers for unintended purposes. Bios: This is joint work between Dr. Ross Horne and Prof. Sjouke Mauw at University of Luxembourg, and Christoph Braun and Dr.-Ing. Tobias Käfer at Karlsruher Institute of Technology. This research is funded by a grant in the framework of the COST Action on Distributed Knowledge Graphs. Horne and Mauw are specialists in authentication protocols and methods used to formally verify that such protocols are secure against attacks. Braun and Käfer are experts in the dynamics of Knowledge Graphs with a focus on engineering. This combination of expertise is necessary to build genuinely secure systems. =================== Talk 2: 14:40-15:05 ======================================== Title: Policies in Solid: The Road Ahead Speaker: Beatriz Esteves, Universidad Politécnica de Madrid Currently, there are two specifications for access control in the Solid protocol specification [1]. However, these solutions lack an alignment with GDPR regulatory requirements, e.g., there is no clear way to specify restrictions on the purpose for access to the data or the used legal basis. Previous work [2], using the Open Digital Rights Language (ODRL) and the Data Privacy Vocabulary (DPV) to create an ODRL profile for Access Control (OAC), will be used to deal with these shortcomings by introducing a policy layer to the Solid ecosystem, which currently is lacking and will be used to derive access control to the stored data. By using such policies, Solid users can actually specify what, why, when, where and how their data will be used. In addition, presently, Solid specifications do not provide the necessary terms to express metadata related to the entities, roles, processes or infrastructure necessary to provide accountability and transparency to its data handling practices. The establishment of a metadata language for Solid (PLASMA) [3] enables this by providing consistent taxonomies to describe the entities, infrastructure, legal roles, policies, notices, registries and logs necessary to understand and establish responsibilities within the Solid ecosystem. [1] https://solidproject.org/TR/protocol [2] Beatriz Esteves, Harshvardhan J. Pandit, Víctor Rodríguez-Doncel, "ODRL Profile for Expressing Consent through Granular Access Control Policies in Solid", 2021. [3] https://harshp.com/plasma/ Bio: Beatriz Esteves is an Artificial Intelligence Ph.D. candidate at the Universidad Politécnica de Madrid. Her research interests cover semantic web technologies, data protection, digital rights management, and decentralisation. Her Ph.D. project discusses the representation of GDPR-aligned policies to determine the access to decentralised personal datastores and the management of data subjects' rights in these decentralised environments. Her project is part of the Marie Skłodowska-Curie Innovative Training Network PROTECT, funded by the European Commission's Horizon 2020 program. Within PROTECT, she works on the modelling of privacy terms to achieve an interoperable Privacy Paradigm for both data controllers and data subjects. =================== Talk 3: 15:05-15:30 =============================================================== Title: Authentication in Solid: Moving towards decentralization Speaker: Christian Esposito, University of Salerno Solid aims at realizing a decentralised data management, where users have full control of their data within the pods; however, authentication is centralised at a given provider according to the Open ID Connect standard [1]. Despite being mature and widely exploited, this standard has the main flaw in that it may violate the GDPR demands and may trace the navigation habits of users. To this aim, it is required to move towards a more decentralized approach, where users can authenticate without requiring a trusted third-party entity and can manage their identity attributes. A promising solution for this is represented by the Self Sovereignty Identity scheme [2], which leverage on the blockchain for the verification of Decentralized Identifiers (DID) [3] held by them and exposed when authentication is needed. SSI needs to be integrated within Solid so as to provide the required decentralized authentication, and this talk presents a proposal in this direction. [1] https://openid.net/developers/specs/ [2] https://doi.org/10.1109%2FACCESS.2019.2931173 [3] https://www.w3.org/TR/did-core/ Bio: Prof. Christian Esposito is currently an Associate Professor at the University of Salerno since December 2022. He was a Tenured Assistant Professor at the University of Salerno, an Assistant Professor at the University of Napoli “Federico II”, and a two-year Research Fellow and short-term Researcher at the Institute of High Performance Computing and Networking (ICAR) of the Italian National Research Council (CNR) from 2011 to 2015. He graduated in Computer Engineering in 2006 and got his PhD in 2009, both at the University of Naples “Federico II”, in Italy. He has published about 100 papers in international journals and conferences and has been a PC member or involved in the organization of about 60 international conferences/workshops. He regularly serves as a reviewer in journals and conferences in the field of distributed and dependable systems and is a member of the editorial board of the International Journal of Computational Science and Engineering and the International Journal of High-Performance Computing and Networking, both by Inderscience. He is an Associate Editor of the IEEE Access, and has served as guest editor for various special issues at international journals. His interests include positioning systems, reliable and secure communications, game theory and multi-objective optimization.