tftm 01-06 interim trust mark/listing approach paper analysis of current industry trustmark programs...
TRANSCRIPT
IDESG TFTM Committee 1
TFTM 01-06Interim Trust Mark/Listing Approach Paper
Analysis of Current Industry Trustmark Programsand GTRI PILOT Approach
Discussion Deck
TFTM CommitteeMarch 12, 2014
3-12-2014
IDESG TFTM Committee 23-12-2014
Key terms for this discussionNSTIC/IDESG GTRI
TrustmarkA form of visual or digital certification to indicate that a product or service provider has been certified to meet the requirements of a specific trust framework. (Source: NSTIC- Slightly modified)
TrustmarkStatement of conformance to a well-scoped set of identity trust and/or interoperability requirements. (Source: GTRI)
Trust FrameworkDefines the rules, rights and responsibilities of a specific community of interest participants in the Identity Ecosystem; specifies the policies , rules and standards specific to the community; and defines the community-specific processes and procedures that provide assurance. (Source: NSTIC)
Trust FrameworkA trust framework is any structure that builds trust among autonomous actors for the purpose of sharing and reusing identities.
Trustmark Definition The conformance criteria that must be met in order to be issued a trust mark AND the assessment steps that an independent 3rd-party must follow to determine conformance to the criteria. (Source: GTRI)
IDESG TFTM Committee 33-12-2014
Key terms for this discussionNSTIC/IDESG GTRI
Trust Framework Provider An organization that defines or adopts a trust framework and then, certifies participants that are in compliance with the requirements of that framework. (Source: FICAM TFPAP-slightly modified for context)
Trustmark Defining Organization An organization that develops and maintains Trustmark Definitions to represent the interests of one or more Stakeholder Communities.
Trustmark Provider An organization that issues a trustmark to a Service Provider (AKA “Trustmark Recipient”) based on a formal assessment process. (Source: GTRI)
Certification The processes of assessing, validating, and determining that a product or service provider meets the defined requirements of a specific trust framework. (Source: FICAM TFPAP-slightly modified for context)
Accreditation Program
Certification Program
Service Provider
Service Provider
Administrative Responsibilities:• Document and maintain :
• Policies and participation rules• Requirements• Application/Onboarding processes • Standard agreement for accredited entities
• Maintain public trust list/registry of accredited entities
Operational Responsibilities:• Evaluate the capability of applicant entities for
certification activities• Perform policy mapping, as appropriate, for
entity certification policies/requirements conformance/comparability to Accreditation Program requirements
Administrative Responsibilities:• Document and maintain:
• Requirements• Assessment Processes• Assessment Criteria• Application/onboarding processes • Standard agreement for certified entities• Formal recognition of certified services
• Maintain public trust list/registry of certified entities
Operational Responsibilities:• Perform and document assessments• Validate conformance to Certification Program
requirements• Provide formal recognition for
approved/validated identity services• Monitor continued conformance for certified
entities
Administrative Responsibilities:• Document and maintain Trust Mark issuance
and usage policies and participation rules• Document and maintain Trust Mark (Usage)
Agreement• Document and maintain security and
controls for Trustmark monitoring.
Operational Responsibilities:• Execute and maintain Trust Mark (Usage)
Agreements for certified entities• Monitor continued conformance to
Trustmark usage requirements for certified entities
• Establish and maintain security and controls for issued trust marks
Trust Mark Issuance
Accr
edit
Certi
fy/I
ssue
Certify/Issue
Certification
Accreditation
3-12-2014 IDESG TFTM Committee 4
IDESG TFTM Committee 5
Certifies TF Conformity
Issues Trust marks
3-12-2014
StakeholderCommunity
Is Represented By
Defines
Trust Framework
RelyingParties
Trustmark Recipient
(e.g., IDP, CSP, AA)
Assessment Rules/Criteria End
Users
IssuesIdentity Assertions
Required By
Required By
Current Industry Model GTRI Pilot Model (Trustmark Concept Map)
IE Roles Current Industry and GTRI Pilot Models
Source : GTRI
Trust Framework
Provider
Assessor/Auditor
IDESG TFTM Committee3-12-2014 6
Modular Trust Components (AKA “Trust Marks”)= Sets of defined requirements for trust in specific areas
GTRI Examples of Modular Trust Components
Examples of Modular Trust Components that may be defined requirements for trust marks.
Source : GTRI
IDESG TFTM Committee 8
• GTRI pilot seeks to define “modular trust components “ (AKA “Trustmarks”) that can be used/reused by multiple organizations. Need to define common, core requirements for trust components that are/should
be common to different stakeholder communities – e.g., business, legal, security, privacy, etc.
• TFTM 01-05: Requirements Mapping and Analysis Paper Requirements analysis and mapping of trust framework components to assess their
alignment with NSTIC/IDESG Guiding Principles. Could inform the process of establishing core requirements and trustmarks based
on TF components most aligned with IDESG/NSTIC Guiding Principles Could support reuse of framework components within the identity ecosystem.
• The NPO issued “derived requirements” from NSTIC strategy to articulate requirements for NSTIC guiding principles (strategy, privacy, interoperability, ease of use) that should be a starting point for common, core requirements for the Identity Ecosystem Framework.
3-12-2014
The Need for NSTIC Core Requirements
The following activities seek to define common, core requirements for trust and are directly related:
IDESG TFTM Committee 93-12-2014
Building the Identity Ecosystem Framework
See NSTIC NPO 11/26/2013 Blog: Interim Identity Ecosystem: “Are we there yet?”
IDESG TFTM Committee3-12-2014 10
NSTIC Guiding Principle Core Requirement IDP RP AP
1 Privacy Enhancing Organizations shall limit the collection and transmission of information to the minimum necessary to fulfill the transaction’s purpose and related legal requirements. X X X
2 Privacy Enhancing Organizations shall limit the use of the individual’s data that is collected and transmitted to specified purposes. X X X
3 Privacy Enhancing Organizations shall provide appropriate mechanisms to allow individuals to access, correct, and delete personal information. X X X
16 Secure and Resilient Confidentiality, Integrity, and Availability shall be maintained. Where appropriate, non-repudiation shall also be supported. X X X
17 Secure and Resilient Organizations shall have auditable security processes. X X X
16 Secure and Resilient Organizations shall utilize credentials which have been issued based on sound criteria for verifying individuals and devices. X X
26 Interoperable Organizations shall accept external users authenticated by third parties. X X
27 Interoperable Organizations shall issue credentials capable of being utilized by multiple different service providers. X
28 Interoperable Organizations shall utilize technologies that communicate and exchange data based upon well-defined and testable interface standards. X X X
32 Cost Effective and Easy-to-use
Organizations shall utilize identity solutions that are simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training. X X X
33 Cost Effective and Easy-to-use
Organizations shall utilize identity solutions that are available to all individuals, and accessible to the disadvantaged and disabled. X X X
34 Cost Effective and Easy-to-use Organizations shall, wherever possible, build identity solutions into online services. X X X
Examples of 34 NSTIC Derived Requirements