There isn’t a single, standalone protocol that everyone calls “Zero Trust Authorisation Protocol.” Zero Trust is a security architecture and mindset—“never trust, always verify”—rather than a formal RFC-defined wire protocol. What you’ll actually see in production are protocol stacks and policy engines built to enforce Zero Trust principles:
Authentication & Federation:
OIDC / OAuth 2.0 – Used for delegated auth with continuous verification.
SAML 2.0 – Older but still used in enterprises.
FIDO2/WebAuthn – Phishing-resistant, passwordless auth for Zero Trust endpoints.
Policy Decision/Enforcement:
XACML or OPA (Open Policy Agent) – Express fine-grained, attribute-based access control (ABAC).
SPIFFE/SPIRE – Secure workload identities in service meshes.
gRPC/Envoy + mTLS – For microservice-to-microservice trust with certificate rotation.
Zero Trust Frameworks/Specs:
NIST SP 800-207 – The de facto reference for Zero Trust architecture.
CNCF Zero Trust Working Groups – Define patterns for cloud-native stacks.
Google BeyondCorp – A reference implementation (not a protocol) showing continuous verification of user, device, and context.
So if you’re looking for one standardised “Zero Trust authorisation protocol,” it doesn’t exist. The industry achieves Zero Trust by composing existing protocols (OAuth 2.0 + OIDC + mTLS + ABAC/RBAC engines) under strict “verify every access, every time” policies. If you need a starting point:
NIST SP 800-207 – for architecture principles.
OAuth 2.0 + OIDC with continuous re-auth and device posture checks.
OPA or XACML for dynamic, context-aware authorisation decisions.
mTLS/SPIFFE for workload identities inside your network.
That’s the current state of play—Zero Trust is a design pattern, not a new protocol.
14 Sep 2025 17:28
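An added example illustrating the composition the comment above describes; it is not code from the commenter or from any of the named projects (OPA, SPIRE, Envoy). It is a small policy decision point in Python that re-evaluates, on every request, an OIDC token's claims (user), a SPIFFE ID taken from the mTLS client certificate (workload), a device posture report, and an ABAC rule table, with default deny. The issuer, audience, SPIFFE IDs, claim names, rule table, sample requests and the 15-minute re-authentication window are all assumptions; token signature verification is assumed to have happened upstream.

```python
"""Added example, not part of the original comment: a minimal Zero Trust
policy decision point (PDP) composing OIDC claims, a SPIFFE workload
identity (from mTLS), device posture and ABAC rules. Every check runs on
every request; nothing is remembered from earlier decisions."""
from dataclasses import dataclass

# Illustrative values (assumptions, not taken from any real deployment)
ALLOWED_ISSUER = "https://idp.example.com"
ALLOWED_AUDIENCE = "payments-api"
MAX_AUTH_AGE = 15 * 60  # seconds since last interactive login before re-auth is required
TRUSTED_WORKLOADS = {"spiffe://example.org/ns/prod/sa/api-gateway"}

# ABAC rule table: (resource prefix, action, required role, managed device required)
RULES = [
    ("/invoices/", "read", "finance", False),
    ("/invoices/", "write", "finance", True),
    ("/admin/", "write", "admin", True),
]


@dataclass
class AccessRequest:
    token_claims: dict  # claims of an OIDC token whose signature was verified upstream (assumed)
    spiffe_id: str      # SPIFFE ID from the URI SAN of the mTLS client certificate (assumed)
    device: dict        # posture report, e.g. {"managed": True, "disk_encrypted": True}
    resource: str
    action: str
    now: float          # evaluation time, passed in so decisions are reproducible


def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Default is deny: a request must pass every
    identity, freshness, workload, role and posture check to be allowed."""
    c = req.token_claims
    aud = c.get("aud", [])
    auds = aud if isinstance(aud, list) else [aud]
    if c.get("iss") != ALLOWED_ISSUER or ALLOWED_AUDIENCE not in auds:
        return False, "token issuer or audience mismatch"
    if float(c.get("exp", 0)) <= req.now:
        return False, "token expired"
    # Continuous verification: a still-valid token is not enough if the
    # interactive login behind it is older than policy allows.
    if req.now - float(c.get("auth_time", 0)) > MAX_AUTH_AGE:
        return False, "re-authentication required"
    if req.spiffe_id not in TRUSTED_WORKLOADS:
        return False, "untrusted calling workload"
    roles = set(c.get("roles", []))
    for prefix, action, role, need_managed in RULES:
        if req.resource.startswith(prefix) and req.action == action:
            if role not in roles:
                return False, f"missing role {role}"
            posture_ok = req.device.get("managed") and req.device.get("disk_encrypted")
            if need_managed and not posture_ok:
                return False, "device posture insufficient"
            return True, "allowed"
    return False, "no matching rule (default deny)"


# Constructed sample requests with a fixed clock so results are deterministic
NOW = 1_700_000_000.0
GATEWAY = "spiffe://example.org/ns/prod/sa/api-gateway"
MANAGED = {"managed": True, "disk_encrypted": True}
BYOD = {"managed": False, "disk_encrypted": False}


def _claims(**overrides):
    base = {"iss": ALLOWED_ISSUER, "aud": [ALLOWED_AUDIENCE], "sub": "alice",
            "exp": NOW + 300, "auth_time": NOW - 60, "roles": ["finance"]}
    base.update(overrides)
    return base


def sample_requests() -> dict:
    return {
        "read_ok": AccessRequest(_claims(), GATEWAY, BYOD, "/invoices/42", "read", NOW),
        "write_byod": AccessRequest(_claims(), GATEWAY, BYOD, "/invoices/42", "write", NOW),
        "write_managed": AccessRequest(_claims(), GATEWAY, MANAGED, "/invoices/42", "write", NOW),
        "stale_login": AccessRequest(_claims(auth_time=NOW - 3600), GATEWAY, MANAGED, "/invoices/42", "read", NOW),
        "wrong_audience": AccessRequest(_claims(aud="other-api"), GATEWAY, MANAGED, "/invoices/42", "read", NOW),
        "rogue_workload": AccessRequest(_claims(), "spiffe://example.org/ns/dev/sa/debug", MANAGED, "/invoices/42", "read", NOW),
        "wrong_role": AccessRequest(_claims(roles=["sales"]), GATEWAY, MANAGED, "/admin/users", "write", NOW),
        "no_rule": AccessRequest(_claims(), GATEWAY, MANAGED, "/reports/q3", "read", NOW),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        print(f"{name:15} -> {decide(req)}")
```

The point of passing `now` explicitly and keeping no state in `decide()` is that the same request is judged afresh each time it arrives; a session that was fine a minute ago is denied as soon as its `auth_time` falls outside the window, which is what "verify every access, every time" means in practice. In a real deployment the rule table would live in a policy engine such as OPA and the claims would come from a signature-checked token, not from a dict.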
Valuable wider view: https://www.linkedin.com/posts/bo-harald-4768b51_from-ai-slop-to-signal-verifiable-provenance-activity-7362832443499773953-jdHY?utm_source=share&utm_medium=member_desktop&rcm=ACoAAABPj1oB9_D7YNYACmHvY9HioUqpuULqZCo
20 Aug 2025 05:58
Google Notebook crystallized here: https://www.linkedin.com/posts/bo-harald-4768b51_google-notebook-in-the-know-activity-7355968433387192321-d_ix?utm_source=share&utm_medium=member_desktop&rcm=ACoAAABPj1oB9_D7YNYACmHvY9HioUqpuULqZCo
30 Jul 2025 18:37
I have taken notes - and posted over 500 times here - about the e-stations on my journey: https://www.linkedin.com/posts/bo-harald-4768b51_jamie-a-journey-it-will-be-my-own-e-stations-activity-7344415704764289024-dAkR?utm_source=share&utm_medium=member_desktop&rcm=ACoAAABPj1oB9_D7YNYACmHvY9HioUqpuULqZCo
30 Jun 2025 11:16
Thank you, Viacheslav. You crystallize it perfectly. In the Zurich meeting it was discussed how modules like MCP Clients and intranet MCP servers will work together with the IDwallets for AI-agents. I will post your comment on Mobey's LinkedIn.
13 Jun 2025 06:50
Identity building wallets in organisations should be the starting point everywhere. How could you otherwise get the data flowing to business and life events? And how could you otherwise efficiently and safely deploy AI-agents?
Are India, the UK and others now advancing with organisation wallets from the market while the EU is losing time with state-issued wallets instead of starting the heavy lifting - using market wallets to get the heavy lifting with the public sector credential issuing and verifying process started? While soon all attention is lost to AI-agents and the like? Talking about 2027 now sounds like 10 years...
03 Mar 2025 03:08
continues in part 2
25 Feb 2025 03:17
21 Feb 2025 06:33
Should we make a clearer difference between identification credentials and the wide collection of verified credentials that build the identity of citizens, organisations, domestic animals and things?
12 Feb 2025 18:54
Put an end to this nightmare in enterprises by deploying EUDI-interoperable organisation wallets as general purpose tools and interfaces to be able to send and receive verified data from all sources to all organisations and citizens - without need for technical integration and contracts between the parties - as easy as e-mail. Wallets becoming the browsers of the new age - and speeding up the safe adoption and use of organisation and personal AI-agents.
https://www.linkedin.com/posts/bo-harald-4768b51_about-time-to-address-this-worsening-nightmare-activity-7288819992492412930-EO4c?utm_source=share&utm_medium=member_desktop
29 Jan 2025 18:42