
Scaling Interoperable Trust through a Trustmark Marketplace

Date post: 03-Jan-2016
Upload: alvin-sears
Description:
Scaling Interoperable Trust through a Trustmark Marketplace. Georgia Tech Research Institute **Slides extracted from various Presentations – With Permission**.
Scaling Interoperable Trust through a Trustmark Marketplace Georgia Tech Research Institute **Slides extracted from various Presentations – This work was performed under the following financial assistance award 70NANB13H189 from the U.S. Department of Commerce, National Institute of Standards and Technology
Transcript
Page 1: Scaling Interoperable Trust through a Trustmark Marketplace

Scaling Interoperable Trust through a Trustmark Marketplace

Georgia Tech Research Institute

**Slides extracted from various Presentations – With Permission**

This work was performed under the following financial assistance award 70NANB13H189 from the U.S. Department of Commerce, National Institute of Standards and Technology

Page 2: Scaling Interoperable Trust through a Trustmark Marketplace

Our Approach: Componentization

If the frameworks were modular…

[Diagram: ID Trust Framework A, ID Trust Framework B, ID Trust Framework C; component labels: NIST 800-63 LOA 3, OAuth, FIPS 200, FICAM SAML SSO, FIPPs, OpenID]

…then we get:

• Greater transparency of trust framework requirements
• Greater ease of comparability between frameworks
• Greater potential for reusability of framework components

And, most importantly:

• Greater potential for participation in multiple trust frameworks by ID Ecosystem members with incremental effort and cost

These modular components are called Trustmarks.

Page 3: Scaling Interoperable Trust through a Trustmark Marketplace

A Trustmark-Based ID Ecosystem

[Diagram: IDPs, APs and RPs; ID Trust Framework A, ID Trust Framework B, ID Trust Framework C]

Existing Trust Frameworks could be expressed as a set of components called a TIP.

• Trust Interoperability Profile A
• Trust Interoperability Profile B
• Trust Interoperability Profile C

Page 4: Scaling Interoperable Trust through a Trustmark Marketplace

A Trustmark-Based ID Ecosystem

[Diagram: IDPs, APs and RPs; TIP A, TIP B, TIP C; multiple Trustmark Providers]

Then each member of the community can acquire the necessary Trustmarks based on the TIP.

Trustmarks can be acquired through a Trustmark Provider.

There can be many Trustmark Providers in the ID Ecosystem.

Page 5: Scaling Interoperable Trust through a Trustmark Marketplace

A Trustmark-Based ID Ecosystem

[Diagram: IDPs, APs and RPs; TIP A, TIP B, TIP C; three Trustmark Registries, each with entries labelled "IDP X:", "RP Y:", "Etc."]

Trustmarks can be stored in searchable Trustmark Registries or shared directly with partners.

Page 6: Scaling Interoperable Trust through a Trustmark Marketplace

Scope of the NSTIC Trustmark Pilot

Trustmark Framework

• Normative Trustmark Spec
• Normative TD Spec
• Normative TIP Spec
• Trustmark Policy Template
• Trustmark Agreement Template

Concept Maturation

• Trustmark Concept Presentation
• Trustmark Pilot Concept Website
• Outreach to IDESG
• Outreach to NIEF Membership
• Outreach to SICAM Stakeholders
• Outreach to Other Stakeholders

Sample TDs, TIPs, and Trustmarks

• Comm. Protocol TDs & Trustmarks
• Identity LOA TDs & Trustmarks
• End-User Privacy TDs & Trustmarks
• Security Policy TDs & Trustmarks
• Other TDs & Trustmarks
• Sample TIPs for NIEF Community

Sample Tools

• Trustmark Assessment Tool for Trustmark Providers
• Trustmark Generating & Publishing Tool for Trustmark Providers
• Trustmark Registry Query Tool

NIEF Pilot

• Issue Trustmarks to Current NIEF Members
• Modify Tech Framework, Specs, TDs, TIPs, Policies, Agreements, and Tools as Needed

Expanded Pilot via NASCIO/SICAM

• Identify SICAM Use Cases
• Issue Trustmarks to More IDPs, APs, and RPs via a New Trustmark Provider
• Demonstrate SICAM Use Cases in a Multiple-Trustmark-Provider Marketplace

Page 7: Scaling Interoperable Trust through a Trustmark Marketplace

Trustmarks

Trustmark

TDO?

Page 8: Scaling Interoperable Trust through a Trustmark Marketplace

The Trustmark Framework

[Diagram. Entities: Trustmark Defining Organization, Stakeholder Community, Trustmark Definition, Trustmark Provider, Trustmark Recipient, Trustmark Relying Parties (Org. 1, Org. 2, End User), Trust Interop Profile (Trustmark A, Trustmark B, Trustmark C). Relationship labels: Is Represented By, Defines, Issues, Is Used By, Is Required By, Is Trusted By.]

Page 9: Scaling Interoperable Trust through a Trustmark Marketplace

Sources of Components

Page 10: Scaling Interoperable Trust through a Trustmark Marketplace

Creating Modular Common Components

[Diagram: source frameworks AAMVA, InCommon, GFIPM, FICAM, NIEF, Others; Transformation Process; output: Trustmark Definitions]

Step 1: Gather trust and interop requirements from many frameworks

Step 2: Break down and reassemble requirements into modular, reusable components

Step 3: Express modularized requirements in a standard format to encourage broad reuse

Page 11: Scaling Interoperable Trust through a Trustmark Marketplace

GTRI NSTIC Pilot Trustmark Analysis

• 122 distinct trustmarks identified (so far)
• Covers FICAM, GFIPM, & NIEF communities
• Also covers FIPPs (privacy) topics

Page 12: Scaling Interoperable Trust through a Trustmark Marketplace

Trustmarks By Category

• Identity Assurance Policy (10 Total, 10 Essential to Pilot)
• Privacy Policy (23 Total, 15 Essential to Pilot)
• Technical Interoperability (57 Total, 8 Essential to Pilot)
• Technical Trust (4 Total, 3 Essential to Pilot)
• Attribute Assurance Policy (2 Total, 2 Essential to Pilot)
• Organizational Integrity / Bona Fides (6 Total, 3 Essential to Pilot)
• Usability (2 Total, 0 Essential to Pilot)
• Security Policy (18 Total, 18 Essential to Pilot)

Page 13: Scaling Interoperable Trust through a Trustmark Marketplace

Requirements = Trustmark Component Definitions (TCDs)

TCD Spec

Ensures that all TCDs contain the minimal info required to promote legitimacy and encourage reuse

• Name of TDO / Publisher
• Canonical Published Location (URL/URI)
• Name of TCD
• Description and Intended Purpose
• Target Stakeholder Audience of TCD
• Date of Publication
• Version Number
• Visual Icon or Image

Defines a common structure and syntax for all TCDs

• Ensures consistency and machine readability for all TCDs
• Allows for greater ease of understanding a TCD
• Makes TCDs more likely to be considered for reuse (TCD reuse leads to trustmark reuse)
• Allows for standards-based TCD tools to proliferate

XML

HTML

Page 14: Scaling Interoperable Trust through a Trustmark Marketplace

Trustmark Assessment Tool Process Flow

[Diagram: Trustmark Assessment Tool; Trustmark Assessment Tool Database; Trustmark Definitions & Profiles; Trustmark Provider; Trustmark Recipient]

1. Load TCDs into Assessment Tool

2. Receive request for trustmark from Trustmark Recipient candidate

3. Perform assessment of Trustmark Recipient candidate

4. Store assessment artifacts / evidence in database

5. Issue trustmark to Trustmark Recipient

