a description of concepts and plans may 14, 2014 a. hughes for tftm 01-02 the identity ecosystem...

A DESCRIPTION OF CONCEPTS AND PLANS

MAY 14, 2014A . HUGHES FOR TFTM 01-02

The Identity Ecosystem

2014-05-14DISCUSSION DRAFT

1

DRIVERS, CORE STRUCTURE, REQUIREMENTS

Ecosystem From The Inside


A Note on Role Names

Role names are used to keep the entities and their functions separate

Any entity or organization could play one or more Role in the ID Ecosystem Online Services Supplier

The Relying Party, Service Provider Online Services Client

The consumer or customer or recipient of the Supplier’s services

Online Trust Provider All roles associated with establishing facts, provisioning

credentials/tokens, verifying conformance, testing, audit Common names IdP, TM, CM, CSP, TFP, CA, RA


3

The Online Interaction

The goal of NSTIC is to improve the state of online interactions

The interaction or transaction between online service supplier and their client is the primary source of requirements for security, privacy and ease of use

Describing a coherent ID Ecosystem is possible by extending the ‘Interaction-centric’ concept


4

The Central Pattern

Central tenet:Supplier and Clientengage in an onlineinteraction only if certain Conditions arepresented, potentiallynegotiated and fulfilled.

(Arrows should probablybe bi-directional)


5

The Central Pattern: ‘Conditions’

‘Conditions’ might be: Provide the username and

password associated withyour account

Provide payment information Produce a validated

electronic authentication token issued by a trustedCredential Service Provider

Accept these Terms of Service

Possess these Trustmarks


6

The Central Pattern: Suppliers

The Online ServiceSupplier wishes to control access to the service and provide the right service to the correct Client

‘Conditions’ are used to gather the informationneeded to make theservice access decision

<Conditions in the future could go the other way>


7

The Central Pattern: ID Risk

The Online Service Supplier must guardagainst misidentification,fraud, impersonation,inability to distinguishone client from another

The stringency and number of Conditionsincrease with greater transaction risks


8

The Central Pattern: Requirements

The Interaction, Conditions and Fulfillmentdrive all requirements System, transaction,

technical, policy, interoperability, trust,assurance, operations,data formats, security,privacy, user experience


9

Trust Infrastructure: Trust Providers

Online Trust Provider box Intended to represent any

security, trust or privacyservice available to theSupplier-Client

Entirely determined by theTransaction requirements Might be standard & shared Might be custom & secret Might deliver high certainty

or low certainty Might be reliable or not


10

‘Trust’ Infrastructure

The Trust Infrastructure is secondary to the transactions and exists to support the supplier-client interaction Credentials, tokens,

certificates, secrets Identity information,

relationship/membership Federations,

Trust Frameworks, Assurance Frameworks


11

Trust Infrastructure: Community

NSTIC ‘Online Community’ NSTIC defines ‘online

communities’ which haveshared risks, a stable set oftransactions, common rules,common trust requirements

Community Governance Indicates the operator and

manager of the communityrules, their implementationand enforcement

Sometimes named the Federation Operator or Trust Framework Provider


12

Rationale for Transaction-Centric

Why focus on thetransaction instead of the normal focus on Trust Infrastructure? Clarifies the value of

the ID Ecosystem The Transaction drives all

requirements, not the TrustProviders

Each element can be brokendown and mapped to realand future implementations


13

The ID Ecosystem

Online communitiesusing this pattern arecandidate participantsin the NSTIC-envisionedID Ecosystem

NSTIC requires certainthings of the CommunityRules and othercommunity features


14

Compare to the NSTIC Definition

A Trust Framework Is developed by a community Defines the rights and responsibilities of that

community’s participants Specifies the policies and standards specific to the

community Defines the community-specific processes and

procedures that provide assurance Considers the level of risk associated with the

transaction types of its participants

- NSTIC Strategy Document


15

THE ID ECOSYSTEM FROM ABOVE

Ecosystem From 30k


The Central Concern


17

The Interaction is central Trust Providers exist to

express and satisfy ‘conditions’

All activity must fall within the rules of the Community

Many Transactions in a Community


18

Within the Community context many transaction types are possible

The picture shows a single trust infrastructure supporting all community transaction types


Many Trust Providers in Community


19

The picture shows two trust infrastructures within the same community

The trust infrastructures are federated


ID Ecosystem Perspective A

Many ‘communities’ exist today Some are verified by 3rd party assessors Some are closed/walled gardens Some are Enterprise-Enterprise federations Some involve Trust Framework Providers and Trust

Frameworks Some are multi-party federations

Some happen to follow the NSTIC Guiding Principles

Next slide is a sketch of this state


20



21


One perspective of the path forward is to increase the number and type of Ecosystem Communities that follow the NSTIC Guiding Principles And, as a consequence, end-users will begin to

experience NSTIC-oriented services

This might be characterized as the path to building a Compliance/Conformance Program


22



23

ID Ecosystem Perspective B

One perspective of the path forward is to build on the GTRI Trustmark ideas Define Trust Interoperability Profiles (TIP) for

participating Stakeholder Communities Establishing Trustmark Defining Organizations (TDO) Trustmark Definitions and Trustmarks: statement of

conformance to identity trust/interoperability requirements plus its formal assessment process


24

The GTRI Trustmark Concept Map


25

ID Ecosystem Perspective B


26

ID Ecosystem Perspective C

Suggestions for other alternative views are welcome


27

a description of concepts and plans may 14, 2014 a. hughes for tftm 01-02 the identity ecosystem...

Documents

discussion draft1drivers

discussion drafta

trust frameworks

right service

requirementsthe interaction

distinguishone client

assurance frameworks

coherent id ecosystem