SecAppDev 2025 lecture details
PKI and eIDAS
This talk covers PKI technologies, their role in web security, key failures and fixes (e.g., EV, pinning, transparency), and the impact of eIDAS 2.0 on EU PKI services and upcoming European Digital Identity Wallets.
Wednesday June 4th, 09:00 - 10:30
Room Lemaire
Abstract
This talk describes PKI technologies and explains how they are integrated in the web ecosystem. It also covers a history of security failures and attempts to resolve them (examples: extended validation, certificate pinning, certificate transparency). The eIDAS 2.0 regulation (approved in May 2024) has introduced new rules for PKI services in the EU, including strong powers for EU member states to interfere with their operation. It has also set out the rules for the European Digital Identity Wallets that should go live by November 2026.
Key takeaway
PKI is a core technology that is essential to securing large open systems; surprisingly, it is technically complex and presents governance challenges.
Content level
Introductory
Target audience
Anyone who wants to learn how modern PKI works and what the challenges are
Prerequisites
None

Bart Preneel
Full professor, COSIC - University of Leuven
Expertise: Applied cryptography, privacy, cybersecurity policy
Related lectures
Verifiable Credentials: Concepts to Practice
Introductory lecture by Kristina Yasuda in room Lemaire
Monday June 2nd,
14:00 - 15:30
Also available as a recorded session on
Tuesday June 3rd,
11:00 - 12:30
A technical introduction to Verifiable Credentials, highlighting use cases, implementation lessons, interoperability profiles, and recent updates to the related specifications.
Key takeaway: Interoperability in the wallet model requires aligned choices across the stack that meet use case requirements in terms of UX, security, privacy, etc.
Germany’s EUDI Wallet Ecosystem Development
Deep-dive lecture by Kristina Yasuda in room West Wing
Tuesday June 3rd, 16:00 - 17:30
Explore the architecture, governance, and real-world implementation of Germany’s EUDI Wallet ecosystem within the EU Digital Identity Framework.
Key takeaway: National-scale digital identity is built on both compliance and collaboration - Germany’s EUDI Wallet shows how strategy meets technical execution.
My Name Is Not Cassandra: AppSec and "I Told You So"
Advanced lecture by Izar Tarandach in room Lemaire
Wednesday June 4th, 16:00 - 17:15
Lack of authority, an outsider's view of the development process and a faulty language of risk. Are security practitioners fated to point at risk and not be heard?
Key takeaway: "Raw" security can be fun, but does not lead to change. We must adapt our ways in order to impact the environment we want to protect.