On Chickens and Trust Frameworks… the writing of a whitepaper
Esther Makaay
OIX Workshop, Amsterdam, 9 March 2017
Breeders
Layers
Broilers
Dinosaurs
???
Trust Framework Identity
• FICAM: processes and controls for determining an identity provider’s compliance to OMB M-04-04 Levels of Assurance
• ISO 29115 Draft: a set of requirements and enforcement mechanisms for parties exchanging identity information
• Kantara: a complete set of contracts, regulations or commitments that enable participating actors to rely on certain assertions by other actors to fulfill their information security requirements
• OIX: a certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the identity service provider) and vice versa.
• OITF Model: a set of technical, operational, and legal requirements and enforcement mechanisms for parties exchanging identity information
• NSTIC 4/15/2011 Final:
  – The Identity Ecosystem Framework is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.
  – A Trust Framework is developed by a community whose members have similar goals and perspectives. It defines the rights and responsibilities of that community’s participants in the Identity Ecosystem; specifies the policies and standards specific to the community; and defines the community-specific processes and procedures that provide assurance. … In order to be a part of the Identity Ecosystem, all trust frameworks must still meet the baseline standards established by the Identity Ecosystem Framework.
Existing Definitions of Identity Trust Frameworks
Thanks to Tom Smedinghoff
OITF Model
Existing Identity Trust Frameworks
Words on Paper
UNCITRAL WG.IV WP.120 Identity System: An online environment for identity management transactions governed by a set of system rules where individuals, organizations, services, and devices can trust each other because authoritative sources establish and authenticate their identities. An identity system involves
i. a set of rules, methods, procedures and routines, technology, standards, policies, and processes,
ii. applicable to a group of participating entities,
iii. governing the collection, verification, storage, exchange, authentication, and reliance on identity attribute information about an individual person, a legal entity, device, or digital object,
iv. for the purpose of facilitating identity transactions.
OITF Model
Trust Framework
What Words on Which Papers?
OITF Model
Trust Framework
Existing Law & Regulations
Common Elements
Authentication Request
Identity Provisioning
Governance
Attribute Verification
Consent Management
Policy Enforcement
Identity System
Trust Framework
End Users
Common Elements
On-boarding/Assessment
Policy Development
Policy Enforcement
Network Evolvement
Central Services
Participants (participating entities)
Services
Identity Provisioning Authentication Requests
Attribute Verification
Consent Management
Authorisation Management
Trust Framework Provider/Authority/Operator
Too many words for this paper!
Existing Law & Regulations
Paper Ambitions
A Trust Framework Model For Identity Systems
• Introductory, providing the context
• Coming to a theatre near you quite soon
Followed by an RFC-style cook-book
• With all sorts of nitty gritty details
• If we can raise enough community effort to fill it
Over To The Panel
Does this help?
• Is this in any way beneficial to the community? Or merely interesting as an academic exercise?
Are trust frameworks …
• Relevant? Can we deal with current issues through existing terms-of-service agreements, either bilaterally or loosely coupled?
• Evil? Do they bring unnecessary overhead costs to the ecosystem? Does regulation burden business cases?
• The only way to go? If you want to truly ‘open up’ digital identities for usage across domains, organisations and nations?