Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME Proceedings 2017

TIIME Keynote speakers summarize current community topics to inspire further work during the unconference sessions.

Identity management and data protection (day 1)


The General Data Protection Regulation (GDPR) imposes stricter requirements for obtaining the valid consent of the data subject, new rules regarding data breach notifications and introduces the obligation to comply with the principles of privacy by design and privacy by default to name a few of the changes. The new legislation, which will have a direct impact on every entity managing (personal) attributes, will not only apply uniformly across the EU but will have an extraterritorial reach as well. In combination with the invalidation of the so-called Safe Harbor framework and the approval of the Privacy Shield framework for transatlantic exchanges of personal data for commercial purposes, it is high time for every organization processing personal data to comply with new rules. Unsurprisingly, organizations are turning data protection and privacy-friendly practices into a new competitive advantage. “Data protection” has become the new “green”.

Speaker: Enrique Gallego-Capdevila, DLA Piper

Profile Picture Enrique is an IPT lawyer at DLA Piper UK LLP in Brussels. Qualified lawyer in two jurisdictions (Spain and Belgium), he has a unique background in data protection and in intellectual property rights. Furthermore, he has a deep knowledge of the interactions and functioning of the European institutions due to his experience at the Data Protection Office of the European Commission. Enrique is currently assisting numerous multinational companies in order to ensure compliance with the new European data protection framework in several multijurisdictional projets.


Digital identity is now an essential element for our interactions online, bringing with it all the social complications and new norms describing how these new relationships should work. A lot of attention has been garnered by Content and Privacy, although largely as an expression of desire, and a sense of personal invasion, than as a technical enabler. With the rise of GDPR from the EU, and PIPEDA in Canada along with regulations requiring open data, like PSD2 there is a veritable minefield of compliance issues. Regulation is the lowest form of incentive, with compliance being emphasized which ultimately leads to a mindset of lowering expense, and doing the minimum necessary to avoid penalty. I will discuss the business realities of Consent Lifecycle Management, and how they become competition drivers, and how embracing the consent lifecycle leads to increased satisfaction, and consumer adoption. With the GDPR as a backdrop, I will show how Consent Lifecycle Management can enhance the user experience while at the same time satisfying the requirements of regulation. We will also address the implications of consent revocation, and the related privacy and data retention requirements.

Speaker: Allan Foster, Forgerock

Profile Picture Allan Foster is currently VP Global Partner Enablement, Partner CTO. As one of the founders of ForgeRock, he helped build ForgeRock into a multinational Identity software vendor with offices on four continents. Allan’s deep technical knowledge was well used in all aspects of the business while at ForgeRock, with responsiblities in Support, Engineering, Product Management, Federal, Emerging Technology and Sales. Prior to ForgeRock, Allan built a successful consulting business. Allan has also served on the board of several organizations. He is currently President of the Board of Directors at the Kantara Initiative inc.
Allan is a sought after speaker and has spoken at numerous international conferences, and has spoken at RSA, EIC, CIS, DIACC and other Identity related conferences.

The Evolution of Persistent Credentials (day 2)


The latest proposed standardization work on persistent authorisation credentials is that of the W3C Verifiable Claims Task Force. However, this is just one of a long list of technologies that have been proposed for online authorization. This talk will review some of these technologies, starting with Policy Maker by Matt Blaze et al, and covering SUDSI/SPKI, X.509 attribute certificates, and SAML assertions, to name but a few. Their strengths and weaknesses will be highlighted. The talk will end with a demo of a verifiable claims system built for Android smart phones, on top of the FIDO public key authentication system.

Speaker: David Chadwick, University of Kent

Profile Picture David Chadwick is Professor of Information Systems Security at the University of Kent. He has worked on electronic authorization systems for 20 years, and was an editor of the X.509 attribute certificate specification. His research group built the PERMIS authorization system, an open source Java implementation that integrated X.509 ACs, PKCs, passwords as well as SAML assertions. In 2016, after a serious cycling accident, David moved to part time working, and is now enjoying spending time with his grandchildren as much as, if not more than, sitting in front of a PC.