TRANSCRIPT
A DESCRIPTION OF CONCEPTS AND PLANS
MAY 14, 2014, A. HUGHES FOR TFTM 01-02
The Identity Ecosystem
2014-05-14 DISCUSSION DRAFT
A Note on Role Names
Role names are used to keep the entities and their functions separate.
Any entity or organization could play one or more Roles in the ID Ecosystem.
Online Services Supplier: the Relying Party, Service Provider.
Online Services Client: the consumer, customer or recipient of the Supplier's services.
Online Trust Provider: all roles associated with establishing facts, provisioning credentials/tokens, verifying conformance, testing, audit. Common names: IdP, TM, CM, CSP, TFP, CA, RA.
The Online Interaction
The goal of NSTIC is to improve the state of online interactions
The interaction or transaction between an online service supplier and its client is the primary source of requirements for security, privacy and ease of use.
Describing a coherent ID Ecosystem is possible by extending the ‘Interaction-centric’ concept
The Central Pattern
Central tenet: Supplier and Client engage in an online interaction only if certain Conditions are presented, potentially negotiated and fulfilled.
(Diagram note: arrows should probably be bi-directional.)
The Central Pattern: ‘Conditions’
‘Conditions’ might be:
Provide the username and password associated with your account
Provide payment information
Produce a validated electronic authentication token issued by a trusted Credential Service Provider
Accept these Terms of Service
Possess these Trustmarks
The Central Pattern: Suppliers
The Online Service Supplier wishes to control access to the service and provide the right service to the correct Client.
‘Conditions’ are used to gather the information needed to make the service access decision.
<Conditions in the future could go the other way>
The Central Pattern: ID Risk
The Online Service Supplier must guard against misidentification, fraud, impersonation, and inability to distinguish one client from another.
The stringency and number of Conditions increase with greater transaction risk.
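The Conditions slide and the ID Risk slide above describe a pattern rather than a mechanism, so here is an added example (not from the original deck, and not any NSTIC project's code) that models it in Python: a Supplier admits a Client to an interaction only when every Condition required for the transaction's risk tier is fulfilled, the required set grows with risk, and, following the deck's note that Conditions could go the other way, the Client imposes a Condition on the Supplier in return. Every name in it (RiskTier, Condition, the sample condition checks, the TRUSTED_CSPS allowlist, the trustmark strings, the sample evidence and clock value) is an illustrative assumption, not NSTIC terminology or a real identifier.

```python
"""Added example: the Central Pattern as a risk-tiered Condition check.
All names and sample values here are constructed for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from enum import IntEnum
from typing import Any, Callable, Mapping, Sequence


class RiskTier(IntEnum):
    LOW = 1     # e.g. read a low-value resource
    MEDIUM = 2  # e.g. change account settings
    HIGH = 3    # e.g. move money


Evidence = Mapping[str, Any]  # whatever the Client presents


@dataclass(frozen=True)
class Condition:
    name: str
    fulfilled: Callable[[Evidence, float], bool]  # (evidence, now) -> bool


# Constructed allowlist of Credential Service Providers this Supplier trusts.
TRUSTED_CSPS = frozenset({"csp.example"})


def _username_password(ev: Evidence, now: float) -> bool:
    return bool(ev.get("username")) and bool(ev.get("password"))


def _accept_tos(ev: Evidence, now: float) -> bool:
    return ev.get("tos_version") == "2014-05"


def _payment_info(ev: Evidence, now: float) -> bool:
    return bool(ev.get("payment"))


def _csp_token(ev: Evidence, now: float) -> bool:
    # Counts only if issued by a trusted CSP and not yet expired; a real
    # deployment would also verify the CSP's signature over the token.
    tok = ev.get("token") or {}
    return tok.get("issuer") in TRUSTED_CSPS and tok.get("expires_at", 0) > now


def _trustmark(ev: Evidence, now: float) -> bool:
    return "identity-proofed" in ev.get("trustmarks", ())


CONDITIONS = {c.name: c for c in (
    Condition("username_password", _username_password),
    Condition("accept_tos", _accept_tos),
    Condition("payment_info", _payment_info),
    Condition("csp_token", _csp_token),
    Condition("trustmark", _trustmark),
)}

# Number and stringency of Conditions rise with transaction risk.
SUPPLIER_REQUIRES = {
    RiskTier.LOW: ("accept_tos",),
    RiskTier.MEDIUM: ("accept_tos", "username_password"),
    RiskTier.HIGH: ("accept_tos", "csp_token", "trustmark", "payment_info"),
}

# Conditions running the other way: before handing over payment data the
# Client requires the Supplier to hold a (constructed) privacy trustmark.
CLIENT_REQUIRES = {
    RiskTier.LOW: (),
    RiskTier.MEDIUM: (),
    RiskTier.HIGH: ("privacy-assessed",),
}


def unmet_supplier_conditions(tier: RiskTier, ev: Evidence, now: float) -> list[str]:
    return [n for n in SUPPLIER_REQUIRES[tier]
            if not CONDITIONS[n].fulfilled(ev, now)]


def unmet_client_conditions(tier: RiskTier, supplier_marks: Sequence[str]) -> list[str]:
    return [m for m in CLIENT_REQUIRES[tier] if m not in supplier_marks]


def decide(tier: RiskTier, ev: Evidence, supplier_marks: Sequence[str],
           now: float) -> tuple[bool, list[str]]:
    """Admit the interaction only when both sides' Conditions are fulfilled.

    Returns (admitted, names of unmet conditions); conditions the Supplier
    itself failed are prefixed 'supplier:' so the failure direction is clear.
    """
    unmet = unmet_supplier_conditions(tier, ev, now)
    unmet += ["supplier:" + m for m in unmet_client_conditions(tier, supplier_marks)]
    return (not unmet, unmet)


if __name__ == "__main__":
    NOW = 1_400_000_000.0  # constructed clock value
    high = {"tos_version": "2014-05", "payment": "card-on-file",
            "trustmarks": ("identity-proofed",),
            "token": {"issuer": "csp.example", "expires_at": NOW + 600}}
    print(decide(RiskTier.HIGH, high, ("privacy-assessed",), NOW))
    expired = dict(high, token={"issuer": "csp.example", "expires_at": NOW - 1})
    print(decide(RiskTier.HIGH, expired, ("privacy-assessed",), NOW))
```

The check functions are deliberately pure functions of the presented evidence and a caller-supplied clock, which keeps the access decision reproducible and testable; the unmet list is the artifact a Supplier would hand back to a Client when negotiating which Conditions still need to be fulfilled.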
The Central Pattern: Requirements
The Interaction, Conditions and Fulfillment drive all requirements: system, transaction, technical, policy, interoperability, trust, assurance, operations, data formats, security, privacy, user experience.
Trust Infrastructure: Trust Providers
Online Trust Provider box: intended to represent any security, trust or privacy service available to the Supplier-Client interaction.
Entirely determined by the Transaction requirements:
Might be standard and shared
Might be custom and secret
Might deliver high certainty or low certainty
Might be reliable or not
‘Trust’ Infrastructure
The Trust Infrastructure is secondary to the transactions and exists to support the supplier-client interaction:
Credentials, tokens, certificates, secrets
Identity information, relationship/membership
Federations, Trust Frameworks, Assurance Frameworks
Trust Infrastructure: Community
NSTIC ‘Online Community’: NSTIC defines ‘online communities’ which have shared risks, a stable set of transactions, common rules, common trust requirements.
Community Governance: indicates the operator and manager of the community rules, their implementation and enforcement. Sometimes named the Federation Operator or Trust Framework Provider.
Rationale for Transaction-Centric
Why focus on the transaction instead of the normal focus on Trust Infrastructure?
Clarifies the value of the ID Ecosystem
The Transaction drives all requirements, not the Trust Providers
Each element can be broken down and mapped to real and future implementations
The ID Ecosystem
Online communities using this pattern are candidate participants in the NSTIC-envisioned ID Ecosystem.
NSTIC requires certain things of the Community Rules and other community features.
Compare to the NSTIC Definition
A Trust Framework:
Is developed by a community
Defines the rights and responsibilities of that community’s participants
Specifies the policies and standards specific to the community
Defines the community-specific processes and procedures that provide assurance
Considers the level of risk associated with the transaction types of its participants
- NSTIC Strategy Document
The Central Concern
The Interaction is central.
Trust Providers exist to express and satisfy ‘conditions’.
All activity must fall within the rules of the Community.
Many Transactions in a Community
Within the Community context many transaction types are possible
The picture shows a single trust infrastructure supporting all community transaction types
All activity must fall within the rules of the Community
Many Trust Providers in Community
The picture shows two trust infrastructures within the same community
The trust infrastructures are federated
All activity must fall within the rules of the Community
ID Ecosystem Perspective A
Many ‘communities’ exist today:
Some are verified by 3rd party assessors
Some are closed/walled gardens
Some are Enterprise-Enterprise federations
Some involve Trust Framework Providers and Trust Frameworks
Some are multi-party federations
Some happen to follow the NSTIC Guiding Principles
Next slide is a sketch of this state.
ID Ecosystem Perspective A
One perspective of the path forward is to increase the number and type of Ecosystem Communities that follow the NSTIC Guiding Principles; as a consequence, end-users will begin to experience NSTIC-oriented services.
This might be characterized as the path to building a Compliance/Conformance Program.
ID Ecosystem Perspective B
One perspective of the path forward is to build on the GTRI Trustmark ideas:
Define Trust Interoperability Profiles (TIP) for participating Stakeholder Communities
Establish Trustmark Defining Organizations (TDO)
Trustmark Definitions and Trustmarks: a statement of conformance to identity trust/interoperability requirements plus its formal assessment process