Open source, digital sovereignty and the pitfalls of passkeys: Dr Johannes Loxen, Head of OSPO at SerNet, discusses these topics in the latest episode of the TeleTrusT podcast series “Open Source and Modern Authentication”, alongside Christian Schorr (keyONE) and presenter Carsten Vossel (CCVOSSEL). (German audio only.)
All the podcast guests agree on one thing: secure software is a matter of engineering effort, whether open or closed – open source alone guarantees nothing, not even security. What counts, they say, is verifiability – and this is becoming increasingly important now that AI can trace binary code right back to the assembler; protection through hidden source code is therefore a thing of the past. This is no trivial matter, particularly when it comes to cryptography: only open code can still be checked in twenty years’ time to determine when a vulnerability first existed. Even if the manufacturer has long since gone out of business.
Loxen measures digital sovereignty by one question: who can switch it off? Nobody needs to be self-sufficient for this – SerNet itself also relies on software from US companies, but always has an alternative ready in case of an emergency that cannot be switched off. Accordingly, its own stack runs almost entirely on free software.
The issue of authentication is a point of controversy: whilst Schorr sees passkeys as a breakthrough for end users, Loxen warns of the price of convenience. For him, it won’t work without a secret in one’s head – anyone who no longer has one is, in principle, vulnerable to compromise. Biometrics, he argues, is no substitute. A fingerprint identifies, but does not authenticate.
Incidentally, Loxen also dismisses the widespread lament about Germany lagging behind in cloud computing and AI during the interview. His reasoning can be heard in the episode. Go directly to the TeleTrusT podcast “Open Source and Modern Authentication”.