Research security and signature standards

[theblockstalk]

Acceptance criteria

• [ ] researched and understand, and we need to figure out what value they would have in our roadmap

Standards and concepts

• GDPR
• eiDas
• QES
• SSI vs WebID
• OCR-MZR
• CIAM

[theblockstalk]

Research: https://docs.google.com/document/d/1BoVvw0wOdxu4zyFwvOcCtFM9i_tvhkL5ogwlhPcY0Xs

[theblockstalk]

Based on the above research I would conclude:

• GDPR, CCPA and CCPR are standards that we generally comply with by default if we continue to use a sovereign architecture
• ISO 27001 is a general standard we will mostly comply with technical requirements by default of the application, but need additional monitoring and employee training to fulfil. Having this standard would give clients more confidence.
• eiDas is a digital signature format that we want to support (but don't support yet)
• QES is a digital signature standard that we will support if we support eiDas
• SSI is a W3C standard we already support
• WebID is an alternative standard that only makes sense to support if a client requests that
• OCR-MZR - Is a way of reading passports. It requires significant AI and is therefore a very non-privacy preserving way of reading it passport. There is also a lot of work into doing this so it makes more sense to use 1/3 party service.
• NFC passports - Reads data directly from a chip on the phone, and only requires minimal third-party involvement. It also takes a lot of work to set up so probably it makes more sense for us to use a third-party service
• CIAM - Is a general term to encompass identity management, which we are doing some of
• SSO - Is a mechanism we already support in the app
• MFA - Is 1/2 built mechanism we already support (only PIN and biometrics, not document/liveness)