elements of a trust framework a conceptual model by jeff stollman 12 jan 2011
TRANSCRIPT
Elements of a Trust Framework
A Conceptual ModelBy Jeff Stollman
12 JAN 2011
A problem well-stated is a problem half solved.– Charles Kettering, inventor (1876-1958)
TRUST AND TRUST FRAMEWORKS
Definitions• TRUST
– Willingness (of a party) to engage in a particular transaction– firm belief in the reliability, truth, or ability of a counterparty to live up to its
commitment– firm belief in the reliability, truth, or ability of someone or something (OED)
• TRUST ELEMENT– A performance commitment by a single party (Object) to a second single party
(Subject) that engenders the trust of the Subject in the performance of the Object.• Trust Elements are uni-directional.
• TRUST FRAMEWORK– A set of verifiable commitments from the various parties of a transaction to the
other parties. These commitments necessarily include • Controls (including regulatory and contractual obligations) to help ensure
commitments are delivered• Remedies for failure to meet such commitments
The Laws of Trust1. For each trust element, there can be trust relationships between
each pair of parties2. Trust relationships are binary
– i.e., each relationship involves only two parties3. Trust relationships are uni-directional
– i.e., trust flows only one way in each relationship– Mutual trust between two parties requires two relationships
4. Trust is not uniform.– i.e., trust that exists for one transaction may not exist for another
5. Trust is not personal.– i.e., trust applies to each commitment a party makes separately
6. The potential number of trust relationships in a Trust Framework is the number of permutations (not combinations) of the parties.– Not all permutations will be valid for each Trust Element.
Further Defining a Trust Framework
• A network of trust relationships (Trust Elements) among all parties to a transaction that addresses the assurances needed by each of them to trust the other relevant parties for each relevant Trust Element.– It is indivisible.
• If all trust relationships are not addressed there is the possibility that insufficient trust will exist to facilitate the transaction. Therefore,
– A viable Trust Framework must be comprehensive.
Trust Framework Problem Space*
Sharing Limits
Oversight
Timely Notice
Attribute Proofing
Durable Notice
Com-plete
Notice Robust Processes
Availability
Reputation
Security
CredentialIssuance
CredentialAuthentica
tion
IdentityProofing
Minimization
Informed Consent
Retention
Limits
Ability to
Correct
Business Processes
Tools
* Partial listing of Trust Elements
PRIVACY FRAMEWORKS
Defining a Privacy Framework• A Privacy Framework is a logical subset of the Trust
Elements in a Trust Framework.– It is not all-inclusive of the Trust Elements in the Trust
Framework.– The selection of Trust Elements to be included in the subset is
not critical.• Good selection can yield more valuable benefits sooner.
– It is critical that the Privacy Framework be supplemented by other subsets of the Trust Framework.
– The value of the Privacy Framework is enhanced as the supplemental frameworks approach the totality of the Trust Framework.
Current approaches to Creating a Privacy Framework A
Sharing Limits
Oversight
Timely Notice
Attribute Proofing
Durable Notice
Com-plete
Notice Robust Processes
Availability
Reputation
Security
CredentialIssuance
CredentialAuthentica
tion
IdentityProofing
Minimization
Informed Consent
Retention
Limits
Ability to
Correct
Business Processes
Tools
Org A Approach
Org B Approach
Current approaches to Creating a Privacy Framework B
Sharing Limits
Oversight
Timely Notice
Attribute Proofing
Durable Notice
Com-plete
Notice Robust Processes
Availability
Reputation
Security
CredentialIssuance
CredentialAuthentica
tion
IdentityProofing
Minimization
Informed Consent
Retention
Limits
Ability to
Correct
Business Processes
Tools
Anna Slomovic’s Matrix
SPECIFYING THE TRUST FRAMEWORK
Classifying Trust Elements*
*Partial listing
A Trust Framework is a System of Systems
• Systems within the Trust Framework include:– Identity Framework– Privacy Framework– Notification Framework– Controls Framework
• Are there other systems left out?– E.g., Data integrity Framework
• IdPs and APs assuring that data used for vetting is current and accurate
• IdPs and APs assuring that data provided to RPs is current and accurate
• Subjects having the ability to review and correct their information
Elements of an Identity Framework*
• Identity proofing• Attribute proofing• Credential generation• Credential issuance• Credential lifecycle management
• *Example listing
Elements of a Privacy Framework*• Informed consent• Restrictions on collection• Restrictions on use• Restrictions on how/to whom it is distributed• Retention limits (minimum and maximum)• Maintain accuracy• Ability to correct• Protection of data
• *Example listing
Elements of a Notification Framework*
• Timely presentation• Informed Consent• What is collected• Why its collected• How it is used• How it is stored• Data retention• How/to whom it is distributed• Remedies
• *Example listing
Elements of a Controls Framework*
• Secure network communication• Secure storage• Secure disposal• Staff vetting• Intra-organization business-process exposure• Inter-organization business-process exposure• Third-party verification• Process monitoring• Management oversight• Remedies
• *Example Listing
ROLES
Parties in a Trust Framework 1
• Primary roles– Those who actual conduct the transaction
• Subject• Identity Provider• Attribute Provider• Relying Party (Service Provider)
Parties in a Trust Framework 2
• Secondary roles– Additional/alternate parties to the primary roles
who may/may not be involved in a particular transaction
• Subject Delegate• Entity• Entity Agent• Entity Delegate• ISP
– For each Party
•Registration Authority•Verifier•Credential Issuer•Subscriber
Parties in a Trust Framework 3
• Tertiary roles– Those who provide enforcement of and remedies
to agreements among the primary and secondary roles
• Trust Framework Provider• Federation Operator• Assessor• Regional legal system• Referee
Roles of the Parties
• The role of any party can change – even within the conduct of a single transaction. E.g., – An IdP may also be a Credential Provider– A Federation Operator may also act as an Assessor– An RP may be a Subject in having its identity
verified by Subject, IdP, or AP.– An RP who sells something to Subject A, may then
become an AP vouching for Subject A’s conduct in the prior sale (e.g., paid on time)
Example Trust Elements
• Identity Proofing
• Credential Issuance
• Data Collection 1
• Data Collection 2
• Data Protection 3
• Comprehensiveness of process used to verify that a Subject is who he/she/it represents itself to be to Object
• Robustness (resistance to counterfeiting) of process of credential issuance to Subject by Object
• Extent of risk imposed on Subject through the data collected by Object
• Extent to which Object collects only the minimum amount of data from Subject needed to support transaction
• Ease with which Subject can exercise control over release of personal information by Object
Matrix View of Trust Framework MapSubject SUBJECT SUBJECT SUBJECT IdP IdP IdP RP RP RP AP AP AP
Trust Element Object IdP RP AP SUBJECT RP AP SUBJECT IdP AP SUBJECT IdP RPIdentity Proofing IdentityCredential Issuance IdentityAttribute ProofingCredibilityCredential Authentication IdentityAvailability NA NA NA NA NA NAData Collection 1 PrivacyData Collection 2 PrivacyData Protection 1 ControlsData Protection 2 ControlsData Protection 3 Ctrl-PriData Protection 4 ControlsData Protection 5 ControlsData Protection 6 ControlsNotification 1 Notice NoticeNotification 2 Notice NoticeNotification 3 Notice NoticeNotification 4 Notice NoticeNotification 5 Notice NoticeConsent PrivacyUser Controls 1User Controls 2Breach Response
0
Trust Relationship
Roadmap ForwardTrust Relationship
Subject SUBJECT SUBJECT SUBJECT IdP IdP IdP RP RP RP AP AP AP
Trust Element Object IdP RP AP SUBJECT RP AP SUBJECT IdP AP SUBJECT IdP RP
Identity Proofing Identity
Credential Issuance Identity
Attribute Proofing
Credibility
Credential Authentication Identity
Availability NA NA NA ? ? ? NA NA NA ? ? ?
Data Collection 1 Privacy
Data Collection 2 Privacy
Data Protection 1 Controls
Data Protection 2 Controls
Data Protection 3 Ctrl-Priv
Data Protection 4 Controls
Data Protection 5 Controls
Data Protection 6 Controls
Data Protection 7 Controls
Notification 1 Notice Notice NA NA NA? NA NA? NA NA?
Notification 2 Notice Notice NA NA NA? NA NA? NA NA?
Notification 3 Notice Notice NA NA NA? NA NA? NA NA?
Notification 4 Notice Notice NA NA NA? NA NA? NA NA?
Notification 5 Notice Notice NA NA NA? NA NA? NA NA?
Consent Privacy
User Controls 1
User Controls 2
Breach Response NA NA NA
0
Conclusions1. The Trust Framework problem is a System of
Systems issue.2. While in an ideal world all cells need to be complete
for comprehensive trust, practical levels of trust can be obtained by specifying criteria for selective cells.
3. By attaining consensus on the map of the problem space (the trust elements and the roles), we can determine the appropriate categories for major subsystems (e.g., Identity, Privacy, Notification, Controls).
Conclusions cont’d.4. After attaining consensus, we can allocate the cells
among the sub-systems to allow us to work in parallel to more rapidly build a coherent Trust Framework.
5. We can prioritize the order in which we address the cells to maximize our impact.
6. As long as we follow the map, we can shift cells from subsystem to subsystem and reprioritize the order without losing coherence.
Speculation• It is commonly assumed that our Service Assessment Criteria
must follow existing regulatory requirements.• I suggest that this is not so.• If we devise reasonable Service Assessment Criteria that afford
multiple levels of assurance/protection for each subsystem, entities can seek certification at the level needed to meet both their business and regulatory requirements.
• Hopefully, the Criteria levels will afford enough parallelism with major regulations to make this achievable.
• If not, perhaps the maturity of our framework will prompt regulators to have the courage to update their codes, coalescing around a better mix of economy and protection.
BACKUP SLIDES
Parties in a Trust FrameworkParty Description
Trust Framework Provider Sets the rules for operation of the trust framework; Accredits assessors
Federation Operator Operates identity federation in accordance with trust framework
Assessor Verifies compliance of various parties with the rules of the trust framework
Subject Person to whom credential is issued;Person who wishes to have access to a resource controlled by relying party
Subject’s Delegate Person who is authorized by Subject to act on behalf of Subject
Relying Party Controls a resource that users wish to accessDetermines attributes required for access to resources
Identity Provider Verifies identity of Subjects as specified in the trust framework
Credential Provider Issues credentials that meet criteria for content and technical specifications as specified in the trust framework; Verifies validity of credentials when requested by Relying Party
Attribute Provider Verifies attributes associated with Subjects as specified in the trust framework
Definitions 3
• IPSEITY– Your unique carbon life form
• ATTRIBUTE– Everything that is not Ipseity