TFTM 01-06 Interim Trust Mark/Listing Approach Paper
Analysis of Current Industry Trustmark Programs and GTRI PILOT Approach
Discussion Deck
TFTM Committee, March 12, 2014
IDESG TFTM Committee


Key terms for this discussion (NSTIC/IDESG definitions alongside GTRI definitions)

Trustmark (NSTIC/IDESG): A form of visual or digital certification indicating that a product or service provider has been certified to meet the requirements of a specific trust framework. (Source: NSTIC, slightly modified)

Trustmark (GTRI): A statement of conformance to a well-scoped set of identity trust and/or interoperability requirements. (Source: GTRI)

Trust Framework (NSTIC/IDESG): Defines the rules, rights and responsibilities of the participants of a specific community of interest in the Identity Ecosystem; specifies the policies, rules and standards specific to the community; and defines the community-specific processes and procedures that provide assurance. (Source: NSTIC)

Trust Framework (GTRI): Any structure that builds trust among autonomous actors for the purpose of sharing and reusing identities.

Trustmark Definition (GTRI): The conformance criteria that must be met in order to be issued a trust mark AND the assessment steps that an independent third party must follow to determine conformance to those criteria. (Source: GTRI)


Key terms for this discussion, continued (NSTIC/IDESG definitions alongside GTRI definitions)

Trust Framework Provider (NSTIC/IDESG): An organization that defines or adopts a trust framework and then certifies participants that are in compliance with the requirements of that framework. (Source: FICAM TFPAP, slightly modified for context)

Trustmark Defining Organization (GTRI): An organization that develops and maintains Trustmark Definitions to represent the interests of one or more Stakeholder Communities.

Certification (NSTIC/IDESG): The process of assessing, validating, and determining that a product or service provider meets the defined requirements of a specific trust framework. (Source: FICAM TFPAP, slightly modified for context)

Trustmark Provider (GTRI): An organization that issues a trustmark to a Service Provider (AKA "Trustmark Recipient") based on a formal assessment process. (Source: GTRI)

Trust mark program roles in the current industry model: Accreditation Program, Certification Program, Trust Mark Issuance

Accreditation Program

Administrative responsibilities:
• Document and maintain:
  • Policies and participation rules
  • Requirements
  • Application/onboarding processes
  • Standard agreement for accredited entities
• Maintain a public trust list/registry of accredited entities

Operational responsibilities:
• Evaluate the capability of applicant entities for certification activities
• Perform policy mapping, as appropriate, to determine the conformance/comparability of an entity's certification policies/requirements to the Accreditation Program requirements

Certification Program

Administrative responsibilities:
• Document and maintain:
  • Requirements
  • Assessment processes
  • Assessment criteria
  • Application/onboarding processes
  • Standard agreement for certified entities
  • Formal recognition of certified services
• Maintain a public trust list/registry of certified entities

Operational responsibilities:
• Perform and document assessments
• Validate conformance to Certification Program requirements
• Provide formal recognition for approved/validated identity services
• Monitor continued conformance of certified entities

Trust Mark Issuance

Administrative responsibilities:
• Document and maintain trust mark issuance and usage policies and participation rules
• Document and maintain the Trust Mark (Usage) Agreement
• Document and maintain security and controls for trust mark monitoring

Operational responsibilities:
• Execute and maintain Trust Mark (Usage) Agreements for certified entities
• Monitor continued conformance of certified entities to trust mark usage requirements
• Establish and maintain security and controls for issued trust marks

Arrow labels recovered from the slide diagram: "Accredit" (Accreditation Program to Certification Program), "Certify/Issue" (to the Service Provider), "Certification", "Accreditation".

IE Roles: Current Industry and GTRI Pilot Models

[Diagram, two panels: "Current Industry Model" and "GTRI Pilot Model (Trustmark Concept Map)". Source: GTRI]

Roles shown: Stakeholder Community, Trust Framework Provider, Trust Framework, Assessment Rules/Criteria, Assessor/Auditor, Trustmark Recipient (e.g., IDP, CSP, AA), Relying Parties, End Users.

Relationship labels shown: "Is Represented By", "Defines", "Certifies TF Conformity", "Issues Trust marks", "Issues Identity Assertions", "Required By".

GTRI Examples of Modular Trust Components

Modular Trust Components (AKA "Trust Marks") = sets of defined requirements for trust in specific areas.

[Figure: examples of Modular Trust Components that may be defined as requirements for trust marks. Source: GTRI]

Potential Sources for Modular Trust Components

[Figure: potential sources for Modular Trust Components. Source: GTRI]

The Need for NSTIC Core Requirements

The following activities seek to define common, core requirements for trust and are directly related:

• The GTRI pilot seeks to define "modular trust components" (AKA "Trustmarks") that can be used and reused by multiple organizations. This requires defining the common, core requirements for trust components that are, or should be, common to different stakeholder communities (e.g., business, legal, security, privacy).

• TFTM 01-05: Requirements Mapping and Analysis Paper. Requirements analysis and mapping of trust framework components to assess their alignment with the NSTIC/IDESG Guiding Principles. This could inform the process of establishing core requirements and trustmarks based on the TF components most aligned with the IDESG/NSTIC Guiding Principles, and could support reuse of framework components within the Identity Ecosystem.

• The NPO issued "derived requirements" from the NSTIC strategy to articulate requirements for the NSTIC guiding principles (strategy, privacy, interoperability, ease of use); these should be the starting point for the common, core requirements of the Identity Ecosystem Framework.

Building the Identity Ecosystem Framework

See NSTIC NPO 11/26/2013 Blog: Interim Identity Ecosystem: “Are we there yet?”


Examples of 34 NSTIC Derived Requirements

#  | NSTIC Guiding Principle        | Core Requirement                                                                                                                                              | IDP RP AP
---|--------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------|----------
1  | Privacy Enhancing              | Organizations shall limit the collection and transmission of information to the minimum necessary to fulfill the transaction's purpose and related legal requirements. | X X X
2  | Privacy Enhancing              | Organizations shall limit the use of the individual's data that is collected and transmitted to specified purposes.                                             | X X X
3  | Privacy Enhancing              | Organizations shall provide appropriate mechanisms to allow individuals to access, correct, and delete personal information.                                  | X X X
16 | Secure and Resilient           | Confidentiality, Integrity, and Availability shall be maintained. Where appropriate, non-repudiation shall also be supported.                                  | X X X
17 | Secure and Resilient           | Organizations shall have auditable security processes.                                                                                                        | X X X
16 | Secure and Resilient           | Organizations shall utilize credentials which have been issued based on sound criteria for verifying individuals and devices.                                 | X X
26 | Interoperable                  | Organizations shall accept external users authenticated by third parties.                                                                                     | X X
27 | Interoperable                  | Organizations shall issue credentials capable of being utilized by multiple different service providers.                                                      | X
28 | Interoperable                  | Organizations shall utilize technologies that communicate and exchange data based upon well-defined and testable interface standards.                        | X X X
32 | Cost Effective and Easy-to-use | Organizations shall utilize identity solutions that are simple to understand, intuitive, easy-to-use, and enabled by technology that requires minimal user training. | X X X
33 | Cost Effective and Easy-to-use | Organizations shall utilize identity solutions that are available to all individuals, and accessible to the disadvantaged and disabled.                       | X X X
34 | Cost Effective and Easy-to-use | Organizations shall, wherever possible, build identity solutions into online services.                                                                        | X X X