I had an Irma card for a while, with a supporting Android app, must've been about 7 or 8 years ago now. Seemed to work ok'ish then (as a proof of concept). You could use it at some places in the university, although I can't remember what the use case was exactly (it was definitely the same thing though).
Anyway, since they already had that 8 years ago, I don't really understand what the roadmap for this project is. I see it popping up every now and again.
Some Dutch healthcare institutions are using it, but as far as I know that's about it.
There's some development effort and every now and then a new demo pops up, but I don't think the project advertises itself enough when it comes to uptake.
I can see massive benefits to all kinds of businesses, especially now that restricted items such as alcohol and cigarettes are being ordered online because of COVID measures, but sadly the uptake has been minimal so far.
Here [0] is a list of projects that use IRMA. Indeed there are several healthcare institutions, but there is also https://irma-meet.nl which features authenticated video calling, and there are several municipalities that are planning to allow their citizens to log in using IRMA.
In addition, we are cooperating with several institutions and governments, including the Dutch national government, on future IRMA projects. Given the differences of IRMA from other mainstream authentication mechanisms, however, getting parties and their end users ready to use IRMA can be complicated and takes time.
Is IRMA still going to be relevant for healthcare in the Netherlands with the Wet Digitale Overheid law making authentication by means of the government issued DigiD credentials mandatory and all but making access via the ToegangsVerleningsService (TVS) authentication platform offered by the government a requirement for any citizen accessing their medical data?
It seems only a matter of time before municipalities will face the same requirement for authentication. Where does that leave IRMA?
Although developments have slowed down due to the pandemic and now the collapse of the dutch cabinet, the Privacy by Design Foundation and SIDN, who jointly develop and run IRMA, have been in talks and developing pilots with the Ministry of the Interior of the Netherlands to become an accepted party ("toegelaten partij") under the WDO. That would mean that when the WDO comes into effect, the ministry issues basic personal data to IRMA apps, and IRMA becomes one of the ways in which citizens can authenticate to services alongside DigiD.
Good to hear. Availability via the TVS is a must for vendors though, but you are probably aware of this.
I also wonder how something like IRMA will work when not only DigiD is used via the TVS, but also DigiD Machtigen to grant others permission to act on your behalf.
Since then we have mainly moved from smart cards to a mobile app [0], and focused on getting the IRMA server and frontend software production-ready and developer friendly. Additionally we have worked on connecting existing institutions and companies on IRMA; you have to have parties that issue and verify IRMA attributes before the project can be of use to end users.
As to development, we have a public roadmap here [1].
The privacy properties. With OpenID connect you have traceability - for example if it was used for a vaccine passport, and said passport was required to enter shops, bars, sports venues.. then it would be very easy for the companies implementing the "point of check" devices to track your movements.
Attribute-based credentials refers to cryptographic systems where someone can produce a proof that they fulfill a certain attribute. Canonical examples are things like an employee ID card, where the ID card can produce a proof that they're an employee, have clearance level X or are part of group Y without the proof containing any information beyond that. Another example would be things like national ID cards, where you could make a check for "is older than 18 years" and the system only receives a cryptographically-verifiable answer to that question, without being able to infer anything else.
Indeed the attribute-based nature of IRMA makes it more general than OpenID Connect. Users can collect all sorts of attributes in their IRMA app, and then selectively disclose any subset of those attributes, as appropriate to the use case. This includes authentication like OpenID Connect (e.g. the user could disclose a username attribute), but also other use cases such as indeed proving that you are older than 18, or anonymously proving membership of a group (using unlinkability, see below), or providing authenticated personal data such as your address or date of birth.
It doesn't serve the exact same intention openID does. Authentication is part of the spec, but its real power lies in the privacy properties IRMA provides.
I don't like IRMA because it makes it too easy for sites to verify identity (even though they don't get more information than what they ask for, and in some cases only proof that the attribute exists rather than the information itself).
I just think it provides a 'sliding scale'. With IRMA it becomes much easier to validate identity. Right now sites have to ask for a payment or ID card which people are obviously very hesitant to provide. So websites only do it if it's really necessary.
With IRMA it becomes too accessible. I don't want to ID myself every time I sign up for some hobbyforum or whatever. The internet should remain as anonymous as possible. IRMA makes it possible for websites to ask for identity information in a quick and painless way and that makes the actual asking more prevalent ("drempelverlagend" as we say in the Netherlands). More and more sites will add ID validation as a result.
Personally I like the internet as it is.. There used to be a saying "On the internet nobody knows if you're a dog". We shouldn't strive to change this IMO. The problem isn't just that I want to ID myself in a privacy-conscious way. I just don't want to ID myself at all.
I understand what you are saying, and I agree that this is a risk that we will have to be very aware of.
Right now we are aware of the majority of the websites/institutions that use IRMA, so we can keep track of who ask what attributes for which reasons, and advise them on it. As IRMA usage grows this will probably become unfeasible; but we are planning to see if we can build a button in the IRMA app that, when a website asks for too much information, you can use to send a report to the Authoriteit Persoonsgegevens (AP) or ourselves.
In addition I would like to point out that this:
> I don't want to ID myself every time I sign up for some hobbyforum or whatever.
is now against the law (GDPR) - or at least the point you are I think trying to make: websites may request only personal data that is relevant and necessary for their purposes. Most parties seem to want to abide by this law, and perhaps it is just me, but it seems that consumers are slowly becoming more and more aware of the necessity and importance of privacy.
> There used to be a saying "On the internet nobody knows if you're a dog".
That has since long stopped being true. Nowadays many websites have a very clear idea of who you are, even without IRMA, by tracking you across the internet. Probably many of the website you know already exactly know your name and interests, by using Google Analytics or Facebook trackers - unless you take steps to prevent that from happening, which the vast majority of people don't.
The difference with learning who you are by requesting IRMA attributes is that then the website would receive personal data about you that it knows it can trust (in as far as it trusts the issuer who signed the attributes). That is, it becomes more difficult or even impossible to lie about your identity. That could indeed become a problem that we will have to try to prevent from happening as much as we can.
17 comments
[ 3.5 ms ] story [ 43.8 ms ] threadAnyway, since they already had that 8 years ago, I don't really understand what the roadmap for this project is. I see it popping up every now and again.
There's some development effort and every now and then a new demo pops up, but I don't think the project advertises itself enough when it comes to uptake.
I can see massive benefits to all kinds of businesses, especially now that restricted items such as alcohol and cigarettes are being ordered online because of COVID measures, but sadly the uptake has been minimal so far.
In addition, we are cooperating with several institutions and governments, including the Dutch national government, on future IRMA projects. Given the differences of IRMA from other mainstream authentication mechanisms, however, getting parties and their end users ready to use IRMA can be complicated and takes time.
[0]: https://privacybydesign.foundation/usage/
It seems only a matter of time before municipalities will face the same requirement for authentication. Where does that leave IRMA?
I also wonder how something like IRMA will work when not only DigiD is used via the TVS, but also DigiD Machtigen to grant others permission to act on your behalf.
Since then we have mainly moved from smart cards to a mobile app [0], and focused on getting the IRMA server and frontend software production-ready and developer friendly. Additionally we have worked on connecting existing institutions and companies on IRMA; you have to have parties that issue and verify IRMA attributes before the project can be of use to end users.
As to development, we have a public roadmap here [1].
[0]: https://irma.app/
[1]: https://irma.app/roadmap.html
With IDE mix that isn't possible.
You can find a better global overview of the protocol and why it was created on this page: https://privacybydesign.foundation/irma-explanation/
I just think it provides a 'sliding scale'. With IRMA it becomes much easier to validate identity. Right now sites have to ask for a payment or ID card which people are obviously very hesitant to provide. So websites only do it if it's really necessary.
With IRMA it becomes too accessible. I don't want to ID myself every time I sign up for some hobbyforum or whatever. The internet should remain as anonymous as possible. IRMA makes it possible for websites to ask for identity information in a quick and painless way and that makes the actual asking more prevalent ("drempelverlagend" as we say in the Netherlands). More and more sites will add ID validation as a result.
Personally I like the internet as it is.. There used to be a saying "On the internet nobody knows if you're a dog". We shouldn't strive to change this IMO. The problem isn't just that I want to ID myself in a privacy-conscious way. I just don't want to ID myself at all.
Right now we are aware of the majority of the websites/institutions that use IRMA, so we can keep track of who ask what attributes for which reasons, and advise them on it. As IRMA usage grows this will probably become unfeasible; but we are planning to see if we can build a button in the IRMA app that, when a website asks for too much information, you can use to send a report to the Authoriteit Persoonsgegevens (AP) or ourselves.
In addition I would like to point out that this:
> I don't want to ID myself every time I sign up for some hobbyforum or whatever.
is now against the law (GDPR) - or at least the point you are I think trying to make: websites may request only personal data that is relevant and necessary for their purposes. Most parties seem to want to abide by this law, and perhaps it is just me, but it seems that consumers are slowly becoming more and more aware of the necessity and importance of privacy.
> There used to be a saying "On the internet nobody knows if you're a dog".
That has since long stopped being true. Nowadays many websites have a very clear idea of who you are, even without IRMA, by tracking you across the internet. Probably many of the website you know already exactly know your name and interests, by using Google Analytics or Facebook trackers - unless you take steps to prevent that from happening, which the vast majority of people don't.
The difference with learning who you are by requesting IRMA attributes is that then the website would receive personal data about you that it knows it can trust (in as far as it trusts the issuer who signed the attributes). That is, it becomes more difficult or even impossible to lie about your identity. That could indeed become a problem that we will have to try to prevent from happening as much as we can.