Elements of a Trust Framework

A Conceptual ModelBy Jeff Stollman

12 JAN 2011

A problem well-stated is a problem half solved.– Charles Kettering, inventor (1876-1958)

TRUST AND TRUST FRAMEWORKS

Definitions• TRUST

– Willingness (of a party) to engage in a particular transaction– firm belief in the reliability, truth, or ability of a counterparty to live up to its

commitment– firm belief in the reliability, truth, or ability of someone or something (OED)

• TRUST ELEMENT– A performance commitment by a single party (Object) to a second single party

(Subject) that engenders the trust of the Subject in the performance of the Object.• Trust Elements are uni-directional.

• TRUST FRAMEWORK– A set of verifiable commitments from the various parties of a transaction to the

other parties. These commitments necessarily include • Controls (including regulatory and contractual obligations) to help ensure

commitments are delivered• Remedies for failure to meet such commitments

The Laws of Trust1. For each trust element, there can be trust relationships between

each pair of parties2. Trust relationships are binary

– i.e., each relationship involves only two parties3. Trust relationships are uni-directional

– i.e., trust flows only one way in each relationship– Mutual trust between two parties requires two relationships

4. Trust is not uniform.– i.e., trust that exists for one transaction may not exist for another

5. Trust is not personal.– i.e., trust applies to each commitment a party makes separately

6. The potential number of trust relationships in a Trust Framework is the number of permutations (not combinations) of the parties.– Not all permutations will be valid for each Trust Element.

Further Defining a Trust Framework

• A network of trust relationships (Trust Elements) among all parties to a transaction that addresses the assurances needed by each of them to trust the other relevant parties for each relevant Trust Element.– It is indivisible.

• If all trust relationships are not addressed there is the possibility that insufficient trust will exist to facilitate the transaction. Therefore,

– A viable Trust Framework must be comprehensive.

Trust Framework Problem Space*

Sharing Limits

Oversight

Timely Notice

Attribute Proofing

Durable Notice

Com-plete

Notice Robust Processes

Availability

Reputation

Security

CredentialIssuance

CredentialAuthentica

tion

IdentityProofing

Minimization

Informed Consent

Retention

Limits

Ability to

Correct

Business Processes

Tools

* Partial listing of Trust Elements

PRIVACY FRAMEWORKS

Defining a Privacy Framework• A Privacy Framework is a logical subset of the Trust

Elements in a Trust Framework.– It is not all-inclusive of the Trust Elements in the Trust

Framework.– The selection of Trust Elements to be included in the subset is

not critical.• Good selection can yield more valuable benefits sooner.

– It is critical that the Privacy Framework be supplemented by other subsets of the Trust Framework.

– The value of the Privacy Framework is enhanced as the supplemental frameworks approach the totality of the Trust Framework.

Current approaches to Creating a Privacy Framework A

Sharing Limits

Oversight

Timely Notice

Attribute Proofing

Durable Notice

Com-plete

Notice Robust Processes

Availability

Reputation

Security

CredentialIssuance

CredentialAuthentica

tion

IdentityProofing

Minimization

Informed Consent

Retention

Limits

Ability to

Correct

Business Processes

Tools

Org A Approach

Org B Approach

Current approaches to Creating a Privacy Framework B

Sharing Limits

Oversight

Timely Notice

Attribute Proofing

Durable Notice

Com-plete

Notice Robust Processes

Availability

Reputation

Security

CredentialIssuance

CredentialAuthentica

tion

IdentityProofing

Minimization

Informed Consent

Retention

Limits

Ability to

Correct

Business Processes

Tools

Anna Slomovic’s Matrix

SPECIFYING THE TRUST FRAMEWORK

Classifying Trust Elements*

*Partial listing

A Trust Framework is a System of Systems

• Systems within the Trust Framework include:– Identity Framework– Privacy Framework– Notification Framework– Controls Framework

• Are there other systems left out?– E.g., Data integrity Framework

• IdPs and APs assuring that data used for vetting is current and accurate

• IdPs and APs assuring that data provided to RPs is current and accurate

• Subjects having the ability to review and correct their information

Elements of an Identity Framework*

• Identity proofing• Attribute proofing• Credential generation• Credential issuance• Credential lifecycle management

• *Example listing

Elements of a Privacy Framework*• Informed consent• Restrictions on collection• Restrictions on use• Restrictions on how/to whom it is distributed• Retention limits (minimum and maximum)• Maintain accuracy• Ability to correct• Protection of data

• *Example listing

Elements of a Notification Framework*

• Timely presentation• Informed Consent• What is collected• Why its collected• How it is used• How it is stored• Data retention• How/to whom it is distributed• Remedies

• *Example listing

Elements of a Controls Framework*

• Secure network communication• Secure storage• Secure disposal• Staff vetting• Intra-organization business-process exposure• Inter-organization business-process exposure• Third-party verification• Process monitoring• Management oversight• Remedies

• *Example Listing

ROLES

Parties in a Trust Framework 1

• Primary roles– Those who actual conduct the transaction

• Subject• Identity Provider• Attribute Provider• Relying Party (Service Provider)

Parties in a Trust Framework 2

• Secondary roles– Additional/alternate parties to the primary roles

who may/may not be involved in a particular transaction

• Subject Delegate• Entity• Entity Agent• Entity Delegate• ISP

– For each Party

•Registration Authority•Verifier•Credential Issuer•Subscriber

Parties in a Trust Framework 3

• Tertiary roles– Those who provide enforcement of and remedies

to agreements among the primary and secondary roles

• Trust Framework Provider• Federation Operator• Assessor• Regional legal system• Referee

Roles of the Parties

• The role of any party can change – even within the conduct of a single transaction. E.g., – An IdP may also be a Credential Provider– A Federation Operator may also act as an Assessor– An RP may be a Subject in having its identity

verified by Subject, IdP, or AP.– An RP who sells something to Subject A, may then

become an AP vouching for Subject A’s conduct in the prior sale (e.g., paid on time)

Example Trust Elements

• Identity Proofing

• Credential Issuance

• Data Collection 1

• Data Collection 2

• Data Protection 3

• Comprehensiveness of process used to verify that a Subject is who he/she/it represents itself to be to Object

• Robustness (resistance to counterfeiting) of process of credential issuance to Subject by Object

• Extent of risk imposed on Subject through the data collected by Object

• Extent to which Object collects only the minimum amount of data from Subject needed to support transaction

• Ease with which Subject can exercise control over release of personal information by Object

Matrix View of Trust Framework MapSubject SUBJECT SUBJECT SUBJECT IdP IdP IdP RP RP RP AP AP AP

Trust Element Object IdP RP AP SUBJECT RP AP SUBJECT IdP AP SUBJECT IdP RPIdentity Proofing IdentityCredential Issuance IdentityAttribute ProofingCredibilityCredential Authentication IdentityAvailability NA NA NA NA NA NAData Collection 1 PrivacyData Collection 2 PrivacyData Protection 1 ControlsData Protection 2 ControlsData Protection 3 Ctrl-PriData Protection 4 ControlsData Protection 5 ControlsData Protection 6 ControlsNotification 1 Notice NoticeNotification 2 Notice NoticeNotification 3 Notice NoticeNotification 4 Notice NoticeNotification 5 Notice NoticeConsent PrivacyUser Controls 1User Controls 2Breach Response

0

Trust Relationship

Roadmap ForwardTrust Relationship

Subject SUBJECT SUBJECT SUBJECT IdP IdP IdP RP RP RP AP AP AP

Trust Element Object IdP RP AP SUBJECT RP AP SUBJECT IdP AP SUBJECT IdP RP

Identity Proofing Identity

Credential Issuance Identity

Attribute Proofing

Credibility

Credential Authentication Identity

Availability NA NA NA ? ? ? NA NA NA ? ? ?

Data Collection 1 Privacy

Data Collection 2 Privacy

Data Protection 1 Controls

Data Protection 2 Controls

Data Protection 3 Ctrl-Priv

Data Protection 4 Controls

Data Protection 5 Controls

Data Protection 6 Controls

Data Protection 7 Controls

Notification 1 Notice Notice NA NA NA? NA NA? NA NA?

Notification 2 Notice Notice NA NA NA? NA NA? NA NA?

Notification 3 Notice Notice NA NA NA? NA NA? NA NA?

Notification 4 Notice Notice NA NA NA? NA NA? NA NA?

Notification 5 Notice Notice NA NA NA? NA NA? NA NA?

Consent Privacy

User Controls 1

User Controls 2

Breach Response NA NA NA

0

Conclusions1. The Trust Framework problem is a System of

Systems issue.2. While in an ideal world all cells need to be complete

for comprehensive trust, practical levels of trust can be obtained by specifying criteria for selective cells.

3. By attaining consensus on the map of the problem space (the trust elements and the roles), we can determine the appropriate categories for major subsystems (e.g., Identity, Privacy, Notification, Controls).

Conclusions cont’d.4. After attaining consensus, we can allocate the cells

among the sub-systems to allow us to work in parallel to more rapidly build a coherent Trust Framework.

5. We can prioritize the order in which we address the cells to maximize our impact.

6. As long as we follow the map, we can shift cells from subsystem to subsystem and reprioritize the order without losing coherence.

Speculation• It is commonly assumed that our Service Assessment Criteria

must follow existing regulatory requirements.• I suggest that this is not so.• If we devise reasonable Service Assessment Criteria that afford

multiple levels of assurance/protection for each subsystem, entities can seek certification at the level needed to meet both their business and regulatory requirements.

• Hopefully, the Criteria levels will afford enough parallelism with major regulations to make this achievable.

• If not, perhaps the maturity of our framework will prompt regulators to have the courage to update their codes, coalescing around a better mix of economy and protection.

BACKUP SLIDES

Parties in a Trust FrameworkParty Description

Trust Framework Provider Sets the rules for operation of the trust framework; Accredits assessors

Federation Operator Operates identity federation in accordance with trust framework

Assessor Verifies compliance of various parties with the rules of the trust framework

Subject Person to whom credential is issued;Person who wishes to have access to a resource controlled by relying party

Subject’s Delegate Person who is authorized by Subject to act on behalf of Subject

Relying Party Controls a resource that users wish to accessDetermines attributes required for access to resources

Identity Provider Verifies identity of Subjects as specified in the trust framework

Credential Provider Issues credentials that meet criteria for content and technical specifications as specified in the trust framework; Verifies validity of credentials when requested by Relying Party

Attribute Provider Verifies attributes associated with Subjects as specified in the trust framework

Definitions 3

• IPSEITY– Your unique carbon life form

• ATTRIBUTE– Everything that is not Ipseity