[Meta] Authentication and device verification

This issue helps organizing the different issues around this topic.

We should clearly distinguish between authentication and device verification.

Authentication includes:

• A) authentication of private individuals via BundID-IdP against Matrix homeserver
  • Modelling BundID authentication flow against Matrix home server: #36
  • iOS App: Modelling eID authentication flow: #212
  • iOS App: Login via eID #225
  • Using the iOS app as eID client to login into web app ("device switch"): #159
  • Web App: Login via eID #226
  • Create UX-concept for device switch: #208
• B) authentication of public agencies against our Matrix backend
• C) authentication of private individuals via eID against online service

Device verification includes:

• D) mutal device verification between private individuals and public agencies (resulting in the establishment of a cryptographically authenticated channel between private individuals and public agencies)
  • [Requirements] Analyse requirements for authentication of communication partners: #242
  • [Requirements] Requirements for the eID Server zero trust solution: #168
  • D1) eID-based device verification by end users: private individual proofs possession of their devices
    • Define basics for eID verification of Matrix devices: #186
  • D2) X509-based device verification by Fachbehörden: public agency proofs possession of their devices: #2
    • Keep in sync with gematik on sharing x509 signatures over Matrix: #191
    • Define MSC for X509 Verification of Matrix devices: #190
• E) cross-signing devices (in case private individuals or public agencies use multiple devices)
  • Create an ADR and flow diagram for cross signing of new logins using eID (own devices, not Fachverfahren): #146

References:

Requirements uIDs: OZG_1; OZG_2; OZG_3; ZaPuK_57; Zapuk_60; Zapuk_108