# 21.10.2021 Risk Assessment Meeting Notes

###### tags: `risk assessment`

## Agenda

- hotel checkin
- other use cases
- any other news

### Hotel Checkin

- how is the initial Wallet process triggered?
  - see hackmd.io/3Y9_o_FAQfq0K6wRyrqbXg. This document was composed by Jolocom and Governikus, and shared with relevant parties, i.e. HelloGuest.
  - HelloGuest: They would make use of Deep Links or QR Codes to communicate the tcTokenURL to the ONCE wallet.
- does the wallet know about all use cases? Or is it just a URI (how does it relate to the eID)?
  - eID Client gets tcTokenURL and returns ACCESS RIGHTS (requested data) and Certificate about requester
- how is the Certificate verified (origin, corresponding to requester) -> eID Client is trusted
  - to generate tcTokenURL the ServiceProvider needs to interact with the ID-Gateway (static at registration)
- how does the service retrieve the data (redirect URL)
  - wallet calls redirect URL, Service Provider gets data from ID-Gateway, Wallet does not get the data
  - ID Gateway controls endpoint through tcTokenURL (predefined), no leakage of data to impersonating Service Provider
- ID Gateway interface description
  - OpenID Authentication Requests Exchanges

TODO look for controls (TLS, Origin and Receiver Authentication; User Info Endpoint)

### Other Use Cases

- driver's license
  - UX considerations, no implementation ideas yet
- Bosch "perfectly keyless"
  - VC to unlock the door
  - delegation of credentials, restraints, chaining of credentials
  - still at the conceptual level
- student card (regio IT)
  - next iteration of SSI-Stack might be required, would take time, will use existing stack first

### Other news

- Trust propagation (Fraunhofer-Institut für Arbeitswirtschaft und Organisation IAO)
  - definition of roots of trust and rights in the SSI ecosystem
  - The relevant GitLab repository, including a project summary, as well as the code base can be found here: https://gitlab.grnet.gr/essif-lab/infrastructure/fraunhofer/train_project_summary. The repository should further contain an interface specification document, as well as a doc describing relevant data structures (not available unless logged in and granted permissions, perhaps these could be disseminated further).

### Open Points/TODOs

- TODO KB to contact MW (social engineering threats)
- TODO KB in 2 weeks (4.11.) first Damage potential estimation with CW for "perfectly keyless" USE CASE