# 30.06.2021 Risk Assessment Meeting Notes

###### tags: `risk assessment`

## Damage Scenarios

- Identity theft: Unauthorized acting under an identity
    - separate this scenario for all supported assurance classes as the damage is application specific
- Identity leakage: Unauthorized obtaining of an Identity
- Loss of control of Identity: Access and usability of the identity are no longer possible for the authorized person
- Violation of the GDPR: Disclosure of personal data
- to take the user and operator viewpoint into account we shall use three levels:
    - 1 identity affected
    - a subgroup of identities affected (more than one but less than 20%)
    - all identities affected (everything above 20%)

## Notes

- "level of assurance" of the identity data signals to the service provider what kind of service is safe to provide
- what are the use cases we are looking at?
    - hotel check-in
    - car rental
    - open a bank account
    - register mobile phone number
- open question about whether managing service provider risk is the responsibility of the identity provider (operator)
    - i.e. is the operator accountable for service provider issues?
    - how much responsibility/risk from the service provider is transferred to the ONCE ecosystem/operator?
- what data is stored and transmitted?
    - identity data
    - Personally Identifying Information
    - Cryptographic keys
    - Transaction data
    - tokens (not PII or keys but still valuable)