REMINDER: 8th IDESG Plenary Meeting in Silicon Valley, April 1-3

We cordially invite you to join us at the 8th in-person plenary meeting of the Identity Ecosystem Steering Group (IDESG), hosted by Symantec at their headquarters in Mountain View, Calif., April 1 – April 3.  In-person and virtual participation is free and open to all stakeholders interested in building an environment that ensures transparency, confidence and privacy online in a way that is easy to use and understand for businesses, governments and individuals.

Register to attend here. Review the agenda for the April plenary meeting here.

Three things stood out during the last plenary meeting in Atlanta:

  1. The National Strategy for Trusted Identities in Cyberspace (NSTIC) pilots are starting to drive the conversation.
  2. Trustmarks matter, and the work being done in some of the NSTIC pilots is helping to drive new concepts for trustmarks forward.
  3. The White House challenge to the IDESG: develop a basic trustmark scheme for the Identity Ecosystem and get backing from a handful of high profile early adopters.

The upcoming April IDESG plenary will further advance progress on these issues and more; stay tuned for more details on what to expect in Mountain View April 1-April 3.

Since the IDESG first launched in August 2012, it has willingly taken on the complex and messy challenges of crafting a framework for identity solutions that can replace passwords, allow individuals to prove online that they are who they claim to be, and enhance privacy. Since that first meeting (more about the very first IDESG meeting here), more than 200 organizations and individual members—your colleagues, your partners and perhaps even your competitors—have joined together to help move the Identity Ecosystem Framework forward.  We look forward to you joining us in April.


Putting the Fed in Federation (Part 3): A New Way to Buy Identity Services

Co-authored by: Dave McClure, Associate Administrator, Office of Citizen Services and Innovative Technologies, GSA; Jeremy Grant, Senior Executive Advisor, Identity Management, NIST; and Randy Miskanic, Vice President Secure Digital Solutions, USPS

As part of the National Strategy for Trusted Identities in Cyberspace (NSTIC), President Obama directed Federal agencies to be early adopters of the Identity Ecosystem – which NSTIC defines as “an online environment where individuals and organizations are able to trust each other because they follow agreed upon standards to obtain and authenticate their digital identities.”  Specifically, NSTIC calls upon agencies to:

“… lead by example and be an early adopter of identity solutions that align with the Identity Ecosystem Framework.  By adopting Identity Ecosystem solutions as a service provider, the Federal government will raise individuals’ expectations and thus drive individuals’ demand for interoperability in their transactions with the private sector and other levels of government.  As a subject, the Federal Government must also continue to leverage its buying power as a significant customer of the private sector to motivate the supply of these solutions.”

In simple terms, this means that the Federal government should leverage the benefits of a privately-led Identity Ecosystem to offer better online services for citizens and businesses. To do this, we need:

1. A way for all agencies to leverage their purchasing power to buy standardized identity and authentication services that are interoperable across agencies.

2. A common infrastructure – the Federal Cloud Credential Exchange (FCCX) – that will allow agencies to integrate with these services with minimal effort.

3. A compelling business case that encourages the private sector to get their identity and authentication solutions approved for government use via the GSA Trust Framework Solutions program.

We’ve made good progress in establishing the common infrastructure – the US Postal Service (USPS) awarded a contract last summer to stand up the FCCX.  GSA also recently updated its Trust Framework Solutions program.  Both of these actions will make it easier for government and industry to partner on identity solutions that are standardized, interoperable, and offer value to all parties.

We still have work to do on establishing a way for agencies to buy standardized identity and authentication services.  While FCCX is the infrastructure to enable shared authentication services, we still have a hole in terms of standardizing credentials and how we buy them.  As a result, some agencies that have been moving forward with non-PKI solutions at levels of assurance (LOA) 2 and 3 have been doing so with solutions that do not interoperate with each other.  This is a problem for all of us as taxpayers and as citizens – we should not be asked to obtain and manage multiple credentials to do business with the government online.  As former White House Cybersecurity Coordinator Howard Schmidt noted in a blog post:

“…a citizen who is a veteran, a college student and a taxpayer ought not to have to obtain separate digital credentials at each agency website, but instead should be able to use ones he or she already has…Doing so allows the Federal government to streamline the customer experience and recognize real cost savings just when we need to be tightening our belts.”

A government-wide acquisition strategy is vital to realizing this vision – because agencies can only benefit if they are able to leverage a wide pool of interoperable credentials, and because our private sector partners need a clear and consistent understanding of how government will pay for their services.

GSA, NIST and USPS are working on an integrated strategy that creates an approach for government to purchase standardized identity solutions using a government-wide contract.

The approach we will be pursuing is fundamentally different from the way the government has procured these kinds of services in the past.  Rather than pay for credentials, we intend to pay for authentication and attribute validation services.  This is fundamentally different for two reasons:

1. It provides industry flexibility in pricing its service to include elements like identity proofing and token issuance.

2. It allows industry to be compensated for the authentication of – and attribute exchange involving – credentials that were not originally issued for government purposes.  So long as the credentials are approved for government use, credentials issued originally for commercial purposes could also be the source of additional revenues the first time the credential is used at a government site.

This model shifts the government’s acquisition focus to what it needs: services that provide authentication and attributes. Credentials are of course a necessary element of these services – but that fact alone does not mean the government should embrace a model where it pays for citizen credential issuance. Our strategy enables the NSTIC vision of a vibrant Identity Ecosystem where the same credentials can be used across the public and private sector.

While this long-term strategy is being fleshed out, the GSA’s Federal Acquisition Service (FAS) earlier this month released a Request for Proposals (RFP) under its Alliant vehicle seeking a limited quantity of authentication services to support the first phase of the FCCX pilot.

This RFP is intended solely to support authentication services at LOA 2 and 3 for the FCCX pilot.  It does not represent the government’s long term acquisition strategy for these services.  The next logical step – which we will pursue over the next year – is an acquisition vehicle that can support millions of authentication transactions for government services each year, and that will create a path for newly certified solutions to gain a spot on this acquisition vehicle.  As we seek to benefit from the broadest array of choices in the market, we need to let the marketplace know “if you are certified, you’ll be eligible to sell to us.”

Our long term goal is to have a vibrant ecosystem where citizens can choose to use a credential they already have to access most government sites and services, and to create a compelling value proposition for identity providers to meet government requirements and provide identity services.

Our offices are working through this strategy now and intend to develop it further over the next few months through collaboration both with government and industry. There is more to come, so stay tuned!


Join Us NEXT WEEK at RSA to Discuss How Privacy Enhancing Technologies Can Secure Identity Online

Join the National Program Office’s Senior Privacy Policy Advisor Naomi Lefkovitz at the RSA Conference in San Francisco on Wednesday, February 26, from 8AM-9AM PST to discuss enhanced privacy as a critical element of building trusted interaction online, the use of privacy-enhancing technology (PET) solutions, and challenges of commercial viability for PETs in identity systems.


For more on the session: Privacy Enhancing Technologies: Pipe Dream or Unfulfilled Promise? Wednesday, February 26, 2014 | 8:00 AM – 9:00 AM | West | Room: 2017


NSTIC.GOV Gets a Makeover

After three years of work on multiple fronts implementing the NSTIC, we are pleased to announce a new look and feel for our website, www.nstic.gov.  With three rounds of pilot funding, facilitating the launch and operations of the Identity Ecosystem Steering Group (IDESG), and getting the federal government in the game as an early adopter of the Identity Ecosystem with the Federal Cloud Credential Exchange (FCCX), we set out to refresh the existing information and provide readers with easy entry points to important information that reflects where we are today and charts our course ahead.   Here are a few highlights:

CONTENT: We have updated content throughout nstic.gov, in particular by adding a new landing page on the Federal Cloud Credential Exchange (FCCX).  The FCCX is an initiative led by the United States Post Office and the General Services Administration – with support from the NSTIC NPO – that leverages trusted identities to improve security and enhance the privacy of citizen interaction with the federal government.  We’ve also added new content on the core NSTIC guiding principles.

NEW FEATURES:  We added new features such as individual pages for each of the NSTIC pilot projects.  This will enable you to follow the progress of each pilot and the collective effort to “catalyze the marketplace” as the pilots tackle barriers to the Identity Ecosystem and seed the marketplace with “NSTIC-aligned” solutions to enhance privacy, security and convenience in online transactions.

STREAMLINED NAVIGATION:  We’ve streamlined the structure of the website by adding features such as bottom navigation and sortable databases for news stories, resources, and government announcements, providing easier and faster access to NSTIC information.

With twelve NSTIC pilots (and more to come!), this year’s FCCX launch, and the IDESG progressing toward an Identity Ecosystem Framework, the NPO plans to update the page frequently to keep you informed on progress within the government and in the private sectors to help individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity credentials to access online services in a manner that promotes confidence, privacy, choice and innovation.

So go ahead, check it out, and check it often! www.nstic.gov.


Atlanta IDESG Plenary Recap: Pilots, Progress, and the Value of Trustmarks

In just 18 months, the IDESG has come a long way from its chaotic first meeting in Chicago.  The phrase of the week for over 200 total in-person and virtual attendees this month at the Identity Ecosystem Steering Group (IDESG) plenary in Atlanta: keep your foot on the gas. With this in mind, attendees set their sights on a challenge laid down by a senior White House cybersecurity official in the opening keynote: develop a trustmark scheme by the end of 2014, backed by a handful of high profile early adopters.

Responding to this challenge, the newest round of NSTIC pilots made their presence known, work on the Identity Ecosystem Framework moved forward, and the IDESG has taken a major step forward toward becoming self-sustaining, with members voting to incorporate IDESG as a not-for-profit corporation, governed by a Board of Directors.  It has established a handful of core committees that are making progress each week on components of the Identity Ecosystem Framework.  And it is starting to integrate ideas and results from NSTIC pilots.

Looking back at the plenary, three things stood out:

NSTIC pilots are starting to drive the conversation.

The IDESG and the NSTIC pilots were always envisioned as complementary efforts– with pilot outcomes and deliverables directly feeding work on the Identity Ecosystem Framework in the IDESG, and with IDESG deliverables being used to assist the pilots.  We’d already seen good examples of the latter – with each of the NSTIC pilots using the IDESG Privacy Committee’s Privacy Evaluation Methodology (PEM) to assess and refine their own adherence to the NSTIC’s privacy guiding principle– but there were fewer examples of the pilots driving IDESG activities.

That seemed to change at this most recent plenary; the work the pilots are doing is now directly informing and influencing work in IDESG committees.  This should not be a surprise – 12 NSTIC pilots are now active, and many of them are directly tackling some of the hairy policy issues that were identified in committees.  In some cases, the pilots are moving forward with new and innovative approaches that the committees have not contemplated – and as they share their work and lessons learned, it is helping to drive the committee work in new directions.

Trustmarks matter

As pilots have proceeded, an issue that has come up time and time again with interested relying parties is branding.  Most federated identity solutions today require RPs to display the logos of the different identity providers that they accept – but many companies have bristled at the notion of displaying the logos of other firms on their homepage.  We’ve seen this in two NSTIC pilots, where the “identity guys” in major firms that wanted to participate could not persuade their marketing and branding teams to allow it – the teams would not stand for other logos on their website.

Yet these same sites do have other logos that are not company names but rather trustmarks – think VISA or BBBOnline – that tell customers how payment cards will be handled or whether a firm complies with the Better Business Bureau’s code of business practices.  It’s not a new logo that is an issue, it’s that logos tied to specific brands may be off-putting.

A company-neutral trustmark for online identity that is recognized by consumers and businesses may go a long way toward enabling consumers and businesses to more readily reap the benefits of the identity ecosystem. NSTIC itself discussed the importance of this trustmark – but progress has been elusive.

To that end, the work being done in some of the NSTIC pilots is helping to drive new concepts for trustmarks forward.  GTRI and Internet2 teamed up on a “Future of Trust” session on Day 2 of the plenary that discussed some new and novel approaches for applying the trustmark concept to the identity ecosystem.


The White House challenge

It’s not just the pilots that are driving the trustmark conversation.  On the first day, the IDESG heard a keynote from Andy Ozment, Senior Director for Cybersecurity on National Security Staff at the White House, where Andy reinforced the importance of NSTIC not only to the nation’s efforts to improve cybersecurity, but also as a keystone to efforts to ensure the openness, freedom and interoperability of the Internet.

When asked by an audience member what single task he wanted the IDESG to tackle in 2014, Andy had a simple answer: he challenged the IDESG to develop a basic trustmark scheme for the Identity Ecosystem and get backing from a handful of high profile early adopters.

This may not be a simple task, but we believe it is achievable.  The IDESG Trust Framework and Trustmark (TFTM) committee has been hard at work over the last year, and its efforts – combined with some of the new thinking emerging from the pilots – offer plenty of elements that can move this task forward.  The challenge over the next few months is to reconcile these different approaches on how a trustmark scheme can be created, and put a roadmap in place that will allow it to advance.

To that end, the next IDESG plenary is set for April 1-3 in Silicon Valley; details are at http://www.idecosystem.org/.  We expect a great discussion and continued progress – both in the weeks leading up to it, as well as at the event – on how to drive a trustmark for the Identity Ecosystem Framework forward.


Building the Future of Identity Privacy

On Data Privacy Day, the NSTIC National Program Office is taking some time to reflect on our own efforts to improve privacy online. Fulfilling the promise of enhanced privacy is a critical element of building trusted interaction online. The first of the Strategy’s guiding principles, finding new solutions that are privacy-enhancing and voluntary, has been a key driver of pilot project selection and the NPO’s work to drive innovative approaches to online identity. One of the primary methods for improving privacy we have been encouraging is the use of privacy-enhancing technologies (PETs) – a topic I will be discussing at the upcoming RSA Conference, in a P2P session – Privacy-enhancing Technologies: Pipe Dream or Unfulfilled Promise?

The NSTIC envisions an “Identity Ecosystem” that curbs unneeded sharing of personal data and helps limit comprehensive tracking of people through their identity transactions, while still providing for a robust marketplace of trustworthy and secure digital credentials. Trusted identities can provide a variety of benefits: enhanced security, improved privacy, new types of transactions, reduced costs, easier to use credentials, and better customer service. Minimizing the data transmitted in transactions not only protects consumers’ privacy, it can enhance businesses’ ability to protect their reputation. However, there are high-value services that require effectively validating that customers are who they claim to be – such as in the financial and health care sectors as they move into the mobile economy.

Certain types of PETs employ well-researched methods of cryptography and can provide strong assurances about users’ credentials without the need for detailed exchanges of personal information. Imagine a customer providing a valid driver’s license to prove her age without actually revealing her full birth date or other unnecessary information. Moreover, privacy-enhancing cryptography can prevent the credential issuer from tracking service providers while still providing valid identification. In other words, service providers can realize the benefits of outsourcing identity management without also enabling credential issuers to build profiles of their customers to sell to competitors.

While PETs that can provide the fundamental cryptographic support for anonymous transactions online have existed for some time, private sector adoption of these technologies has been almost non-existent. Despite growing demand for enhanced privacy online, online service providers have failed to provide solutions that would give users the ability to authenticate for privilege escalation with, for example, “zero-knowledge.” As a result, users often must disclose a large amount of personal information unrelated to the purpose of their request in order to realize their desired transactional outcome. The use and storage of this personal information creates a fundamental and unnecessary barrier to building trusted transactions online.

The Federal Cloud Credential Exchange (FCCX), a cloud-based identity federation pilot being implemented by the United States Post Office, the General Services Administration and the NPO, is a developing example of how we can manage the privacy of identity interactions between citizens and the Federal government. Currently, the FCCX supports “unlinkable” interactions through the system – meaning that a broker in the middle prevents credential providers from knowing at which agencies citizens are using their credentials and prevents agencies from knowing which credential provider citizens are using. But more work must be done, and the FCCX team is currently investigating PETs to support truly unobservable transactions, so citizens can access government services without fear of outside tracking or exposure of their identities.
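As an added illustration that is not part of the original post and not FCCX's actual design, the constructed simulation below shows what each of the three parties can see when a broker sits in the middle: the provider sees only the broker, each agency sees only the broker and a pairwise pseudonym, and the broker itself still sees both ends (the residual observability the post says PETs are needed for). The party names, the HMAC-based pairwise identifier and the key are assumptions made for this example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

# Constructed simulation of the "broker in the middle" pattern described above.
# Party names, the HMAC-derived pairwise identifier and the demo key are
# assumptions for illustration only; they are not the FCCX implementation.


@dataclass
class CredentialProvider:
    """Issues an assertion about a user and logs which relying party asked."""
    name: str
    subjects: dict
    log: list = field(default_factory=list)

    def authenticate(self, user: str, relying_party: str) -> dict:
        # The provider only ever sees the broker as the relying party, so it
        # cannot tell which agency the user is actually visiting.
        self.log.append((user, relying_party))
        return {"issuer": self.name, "subject": self.subjects[user]}


@dataclass
class Broker:
    """Re-issues assertions under a per-agency pairwise pseudonym."""
    key: bytes
    log: list = field(default_factory=list)

    def pairwise_id(self, issuer: str, subject: str, agency: str) -> str:
        # A keyed hash over (provider, subject, agency) is stable for repeat
        # visits to one agency but unlinkable across agencies without the key.
        msg = f"{issuer}|{subject}|{agency}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()[:16]

    def relay(self, provider: CredentialProvider, user: str, agency: str) -> dict:
        upstream = provider.authenticate(user, relying_party="broker")
        ppid = self.pairwise_id(upstream["issuer"], upstream["subject"], agency)
        # The broker is the one party that sees both ends of the transaction;
        # that is the residual observability "unobservable" transactions remove.
        self.log.append((upstream["issuer"], upstream["subject"], agency))
        return {"issuer": "broker", "subject": ppid}


@dataclass
class Agency:
    """Relying party; logs the assertions it receives."""
    name: str
    log: list = field(default_factory=list)

    def receive(self, assertion: dict) -> str:
        # The agency sees only the broker as issuer plus a pairwise pseudonym.
        self.log.append(assertion)
        return assertion["subject"]


def run_scenario() -> dict:
    """One user visits two agencies (one of them twice) through the broker."""
    provider = CredentialProvider("csp-a", {"alice": "a-1234"})
    broker = Broker(key=b"constructed-demo-key")
    tax, veterans = Agency("agency-tax"), Agency("agency-veterans")
    id_at_tax = tax.receive(broker.relay(provider, "alice", tax.name))
    id_at_veterans = veterans.receive(broker.relay(provider, "alice", veterans.name))
    id_at_tax_again = tax.receive(broker.relay(provider, "alice", tax.name))
    return {
        "provider": provider, "broker": broker, "tax": tax, "veterans": veterans,
        "id_at_tax": id_at_tax, "id_at_veterans": id_at_veterans,
        "id_at_tax_again": id_at_tax_again,
    }


def provider_learns_agency(result: dict) -> bool:
    """True if the provider's log names any relying party other than the broker."""
    return any(rp != "broker" for _, rp in result["provider"].log)


def agency_learns_provider(result: dict) -> bool:
    """True if any agency received an assertion naming the real provider."""
    seen = result["tax"].log + result["veterans"].log
    return any(a["issuer"] != "broker" for a in seen)


if __name__ == "__main__":
    r = run_scenario()
    print("same user at two agencies:", r["id_at_tax"], r["id_at_veterans"])
    print("provider learns agency:", provider_learns_agency(r))
    print("agency learns provider:", agency_learns_provider(r))
    print("what the broker alone sees:", r["broker"].log)
```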

So why aren’t PETs more widespread? I’ll be exploring how to achieve commercial viability for PETs in identity systems at the upcoming RSA Conference in San Francisco. If you’re in the Bay Area for the conference, please grab a seat at my session, in the Peer2Peer track on February 26th. It’s time to fulfill the promise of privacy-enhancing technologies.


REMINDER: NSTIC Pilot Applicants’ Conference January 31

The NSTIC National Program Office is pleased to announce the kickoff of a third round of NSTIC pilot projects – providing another opportunity for stakeholders to support the President’s strategy to improve the privacy, security, and convenience of online transactions through innovation in the emerging Identity Ecosystem. The new Federal Funding Opportunity (FFO) announcement has been posted; for details, click here.

NIST will hold an Applicants’ Conference in the Washington, D.C. area on January 31st from 1:30 to 3:30 Eastern Time at NIST’s Main Campus, 100 Bureau Drive, Gaithersburg, MD 20899. This Applicants’ Conference will also be available as a webinar. The conference will be in Lecture Room A on the first floor of the Administration Building (Building 101). Pre-registration for the Washington Applicants’ Conference is required by 5:00 PM EST January 27, 2014. Due to increased security at NIST, all attendees MUST be pre-registered; NO on-site registrations will be accepted. No registration fee will be charged. Registration for both the public meeting and the webinar is at: http://www.nist.gov/itl/nstic-public-meeting.cfm. NPO staff will be on hand to review the FFO and take questions.


NSTIC 2014 Pilot Opportunity Underway!

The NSTIC National Program Office is pleased to announce the kickoff of a third round of NSTIC pilot projects – providing another opportunity for stakeholders to support the President’s strategy to improve the privacy, security, and convenience of online transactions through innovation in the emerging Identity Ecosystem. The new Federal Funding Opportunity (FFO) announcement has been posted; for details, click here.

Pilots have been an integral part of the NSTIC implementation plan, with NIST looking to fund pilot solutions that can demonstrate material advances in identity and authentication and build a stronger foundation for the Identity Ecosystem. The NSTIC 2014 pilot funding opportunity builds on the successful launch in 2012 and 2013 of twelve NSTIC pilot projects, cumulatively awarded over $18 million in funding.  For more information on previous year winners, click here.

NIST will hold an Applicants’ Conference in the Washington, D.C. area on January 31st from 1:30 to 3:30 Eastern Time at NIST’s Main Campus, 100 Bureau Drive, Gaithersburg, MD 20899. This Applicants’ Conference will also be available as a webinar. The conference will be in Lecture Room A on the first floor of the Administration Building (Building 101). Pre-registration for the Washington Applicants’ Conference is required by 5:00 PM EST January 27, 2014. Due to increased security at NIST, all attendees MUST be pre-registered; NO on-site registrations will be accepted. No registration fee will be charged. Registration for both the public meeting and the webinar is at:  http://www.nist.gov/itl/nstic-public-meeting.cfm. NPO staff will be on hand to review the FFO and take questions.

We were thrilled by the overwhelming show of interest in the NSTIC Pilots opportunity last year, as well as the wide array of innovative ideas that were submitted. We look forward to reviewing your proposals!

 - The NSTIC National Program Office


Don’t Miss: New 2013 NSTIC Pilots Update Webcast from the IDESG Atlanta Plenary January 16

Please join us Thursday, January 16 at 9:00am eastern for an Identity Ecosystem Steering Group (IDESG) plenary webcast featuring updates from the new 2013 round of NSTIC pilot projects.  Learn more about how these innovative pilots are helping to catalyze a marketplace of trusted identity solutions.

NSTIC pilot presenters will share with webinar attendees an update on the launch of their respective solutions, including how they plan to contribute to the emerging Identity Ecosystem Framework currently being developed in various IDESG committees. Jeremy Grant of the NSTIC National Program Office will moderate, including leading a question and answer period after the presentations.

The NSTIC pilots presenting are:

Exponent.  The Exponent pilot will issue secure, easy-to-use and privacy-enhancing credentials to users to help secure applications and networks at a leading social media company, a health care organization and the U.S. Department of Defense.

Georgia Tech Research Corporation.  The GTRC pilot will develop and demonstrate a “Trustmark Framework” that seeks to improve trust, interoperability and privacy within the Identity Ecosystem. Trustmarks are a badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization.

Privacy Vaults Online, Inc. (PRIVO).  Children represent a unique challenge when it comes to online identity. PRIVO will pilot a solution that provides families with COPPA-compliant, secure, privacy-enhancing credentials that will enable parents and guardians to authorize their children to interact with online services in a more privacy-enhancing and usable way.

ID.me, Inc.  ID.me, Inc.’s Troop ID will develop and pilot trusted identity solutions that will allow military families to access sensitive information online from government agencies, financial institutions and health care organizations in a more privacy-enhancing, secure and efficient manner.

Transglobal Secure Collaboration Participation, Inc.  The TSCP pilot will deploy trusted credentials to conduct secure business-to-business, government-to-business and retail transactions for small and medium-sized businesses and financial services companies, including Fidelity Investments and Chicago Mercantile Exchange.

To access the IDESG plenary webcast, visit http://trustedfederal.omnovia.com/room1. When selecting to login as an attendee during the webcast, only an email address will be required.  IDESG members may also login with their preferred online accounts at www.idecosystem.org/webinar.

To add an entry to your calendar, click here:  https://www.idecosystem.org/sites/default/files/New%202013%20NSTIC%20Pilots%20Update%20Webcast%20from%20the%20IDESG%20Atlanta%20Plenary%20January%2016.ics

For support related issues, please email idecosystem@trustedfederal.com


Creating Trustmark Compounds from Trust Elements

Authored by: Kat Megas, Senior Pilot Programs Manager, NSTIC; and Ken Klingenstein, Internet2

Recently, there has been considerable discussion within the Identity Ecosystem Steering Group (IDESG) and elsewhere regarding trust frameworks, trustmarks, accreditation criteria, and identity ecosystems. “Traditional” trust frameworks and trustmark models – which were historically developed within monolithic schemes with a requirement for accountability to a single enterprise program – are starting to evolve to accommodate a broader extent of trust federation. Cross-federation trust is also emerging, not only as a natural evolution of trust frameworks, but also as a logical next step towards standardization of services and business drivers for participants. As we look to advance the National Strategy for Trusted Identities in Cyberspace (NSTIC), this sort of cross-federation trust is essential to a vibrant Identity Ecosystem.

In an attempt to offer some structure to these evolving discussions, Internet2, as part of the work being conducted under its NSTIC pilot, recently presented a list of identified trust elements from existing identity ecosystem trust frameworks. These trust elements are organized into a “periodic table” which shows the subject (legal, privacy, operational, etc.) that each element addresses and indicates the layers that deal with them.

Much as molecular compounds are created by joining individual atoms, Internet2 proposes that “trustmark compounds” can be built by combining several of these trust elements and arranging them in concert with one another. Such compound trustmarks could be issued to identity ecosystem participants in recognition of specific ecosystem aspects such as accessibility, security, privacy, or compliance with regulations such as HIPAA (Health Insurance Portability and Accountability Act) and COPPA (Children’s Online Privacy Protection Act), or as defined by a community of interest.

As a next step, the periodic table of trust elements was modified to include designation of the applicable NSTIC guiding principles, based on the set of requirements that were derived from the NSTIC guiding principles as published by NSTIC National Program Office (NPO). This annotation of the trust elements with the guiding principles can help categorize elements as they are newly discovered, as well as indicate which elements could be assigned to compound trustmarks that relate to the guiding principles.

Complementary identity ecosystem “building blocks” are also being explored by a second pilot awarded by the NSTIC NPO to Georgia Tech Research Institute (GTRI). As part of this pilot, GTRI is developing a trustmark meta-framework to facilitate effective scaling of interoperable identity solutions, defining a trustmark as “a rigorously defined, machine-readable statement of compliance with a specific set of technical or business/policy rules”.  This meta-framework aims to enable mutual recognition of like trustmarks/compound trustmarks across communities of interest and dynamic mapping between federations.

Several examples of compound trustmarks exist today across the identity ecosystem. For example, research and education (R&E) federations assess applications for their “research and scholarship” characteristics, and issue trustmarks for sites that pass an audit. In turn, that trustmark is relied upon today, by hundreds of identity providers around the globe, to manage the release of attributes. Similar trustmarks exist within the National Identity Exchange Federation (NIEF), an operational identity federation that GTRI has developed and manages on behalf of the U.S. Justice and Law Enforcement community. Under another pilot funded by the NSTIC NPO, PRIVO is developing a “Minors Trust Framework” that will issue a trustmark to those framework members that satisfy Federal Trade Commission (FTC) Children’s Online Privacy Protection Act (COPPA) requirements for minors’ access to online content and services. Other compound trustmarks are just starting to appear on the horizon. For example, an accessibility trustmark also seems quite feasible – many of the elements, such as the necessary schema and assessment tools, already exist.

In terms of the relationship between compound trustmarks and existing trust frameworks, it is interesting to look at a few examples, such as InCommon, NIEF, and SafeBioPharma, which are primarily designed to provide a trust infrastructure for a specific community of interest (COI). There is some variation in the trust elements that these existing trust frameworks incorporate. This is not surprising, as the COIs behind these trust frameworks have quite different business purposes (e.g. academia versus law enforcement) and they accordingly differ in which elements they address. With the limited number of trustmarks available today – as well as the relatively early state of the market – the notion of them all being composed of “modular” trustmark components is not likely.

However, in the future, one can imagine that, as interoperable trustmarks are defined at a “reasonably” granular level, trust frameworks could incorporate them by reference instead of developing all the constituent requirements themselves. Thus, building trustmarks from these common elements would greatly enhance identity ecosystem interoperability by providing mutual recognition of those trustmarks that are common between different federations.

It is important to note that this work is new and is evolving rapidly as the identity ecosystem landscape becomes clearer. The work is largely empirical, driven by the experiences of some of the NSTIC pilots that have long been active in the operational identity infrastructure space. We believe that ultimately the practical experience reflected in the table of trust elements may help the IDESG as it continues to work through the challenges of trust frameworks and trustmarks, and, as with previous NSTIC NPO blogs, the intent here is to invite additional inputs and development.

There are still gaps in understanding the trust elements – much as there were in early versions of the Periodic Table of Elements. But while it took more than a hundred years to sort out the issues around chemical properties, we are confident that in a much shorter period, the identity ecosystem will evolve and fill in these trust element gaps!

As noted above, we propose that this process of identifying trust elements and defining compound trustmarks will ultimately lead to the mutual recognition (and interoperability) between trust frameworks of trust aspects that are generic (such as alignment with the NSTIC Guiding Principles), without the need for incorporation of sector-specific considerations and requirements.  This will enhance the ability for trust frameworks across different disciplines to interoperate and thus provide individual users with the ability to re-use credentials, which supports convenience and data minimization.  To achieve these goals, clear and effective definition of trustmarks will be required, so that individual users are fully aware of the consequences of their interactions in the ecosystem, while the incentives for adoption by identity, attribute, and service providers are all clearly articulated.

All in all, we believe that this subject poses an interesting set of challenges and questions for all participants in the identity ecosystem, and we look forward to further dialog.
