# ONCE Risk Assessment ###### tags: `ONCE` ---- ## Scenarios - Identity theft: Unauthorized acting under an identity - Identity leakage: Unauthorized obtaining of an Identity - Loss of control of Identity: Access and usability of the identity is no longer possible for the authorized person - Violation of the GDPR: Disclosure of personal data ---- ## Notes - "level of assurance" of the identity data signals to the service provider what kind of service is safe to provide - what are the usecases we are looking at? - hotel checkin - car rental - open a bank account - register mobile phone number (anti-terrorist) - open question about whether managing service provider risk is responsibility of the identity provider (operator) - i.e. is the operator accountable for service provider issues? - what data is stored and transmitted? - identity data - Personally Identifying Information - Cryptographic keys - Transaction data ## Data flow diagrams