Programme

BluePoint, Brussels

In-person: 14 November 2023

Online: starting 15 November 2023

Navigating the Future of Identity & Access Management in Belgium

By focusing on emerging technologies, best practices, and regulations, the conference provides a platform to share the latest insights, develop strategies, and network with like-minded professionals. Discover how we can collectively navigate the realm of identity management in Belgium and look towards a more secure digital future.

Torsten Lodderstedt

Lead Architect German EUDI Wallet Project, Federal Agency for Disruptive Innovation SPRIND

Demystifying the architecture of the EUDI Wallet

Torsten Lodderstedt | Lead Architect German EUDI Wallet Project | Federal Agency for Disruptive Innovation SPRIND

The EUDI Wallet will change the way we interact digitally. It will allow users to securely keep their credentials (e.g. for identity, professional and educational achievements, entitlements as well as prescriptions) and use them at their discretion in a privacy-preserving manner in digital and physical processes with public and private entities and other users. This will be the basis for seamless digitization and enables disruptive innovations. However, the EUDI Wallet is an ambitious and complex undertaking and the "how?" might not be as transparent as it should be. This talk will make an attempt to demystify the EUDI Wallet by shedding light on its fundamental concepts and explaining its architecture and the technical standards being employed.

Daniel Fett

Security and Standardization Expert and Lead Author OAuth2, IETF

How Not to Use OAuth

Daniel Fett | Security and Standardization Expert and Lead Author OAuth2 | IETF

Daniel Fett is co-authoring the new security recommendations RFC for OAuth 2.0 in the IETF OAuth Working Group. In this talk, he will walk you through the MUSTs, MUST NOTs, and SHOULDs of the new recommendations.

OAuth is the most important framework for federated authorization on the web. It also serves as the foundation for federated authentication using OpenID Connect. While RFC6749 and RFC6819 give advice on securing OAuth deployments, many subtle and not-so-subtle ways to shoot yourself in the foot remain. One reason for this situation is that OAuth today is used in much more dynamic setups than originally anticipated. Another challenge is that OAuth today is used in high-stakes environments like financial APIs and strong identity proving.

To address these challenges, the IETF OAuth working group is working towards a new Security Best Current Practice (BCP) RFC that aims to weed out insecure implementation patterns based on lessons learned in practice and from formal security analyses of OAuth and OpenID Connect. The BCP gives concrete advice to defend against attacks discovered recently (like the AS mix-up attack) and discourages the use of less-secure grant types such as the Implicit Grant.

This talk will outline the challenges faced by OAuth in dynamic and high-stakes environments and go into the details of the MUSTs, MUST NOTs, and SHOULDs in the new Security BCP.

Michiel Van Cauwenberge

Product Manager ACM-IDM-VMS, Digitaal Vlaanderen

Wim Martens

ICT Strategy Manager, Digitaal Vlaanderen

Unlocking Identity and Access Management at Monumental Scale

Michiel Van Cauwenberge | Product Manager ACM-IDM-VMS & Wim Martens | ICT Strategy Manager | Digitaal Vlaanderen

In this session, we will delve into the intricate world of identity and access management (IAM), and, more specifically, how identity and access management systems can be leveraged within large organisations to cater to millions of users. The point of focus of this session will be two security building blocks from the Digitalization Agency of the Flemish Government: the Flemish Access Management System (ACM) and the Flemish Identity Management System (IDM). How has the Flemish Government managed to integrate over 2.000 applications with these building blocks and how do we manage to successfully authenticate over 15 million users every single month? Furthermore, how have we managed to achieve this feat within the well-known constraints of the public sector, i.e. with a small, dedicated team and limited resources? Join us as we uncover the origins, history and evolution of our building blocks, along with the various challenges we encountered along the way.

Topics that will be discussed

  • Federation / SSO
  • Identification / verification / authentication
  • Authorisation
  • Identity, Governance & Administration (IGA)
  • Secret Management
  • Analytics and AI
  • Privileged Access Management (PAM)
  • Zero Trust
  • B2B/B2C Identity Management
  • Customer Identity Access Management
  • Identity Fabric / Identity Mesh
