This past July, I noted at the IDESG Plenary meeting in Boston that discussions relating to trust frameworks and trustmarks appeared to have splintered into a number of camps, ranging from: accreditation bodies that feel they have already “solved the problem”; vendors who are reluctant to undergo another accreditation; those that believe a brand new accreditation scheme needs to be devised; and stakeholders that prefer market forces alone shape how things evolve without any intervention. Amidst this diverse range of views, the IDESG in general, and the Trust Framework Trustmark (TFTM) Committee specifically, is attempting to attain consensus on a path forward for the Identity Ecosystem Framework and any associated accreditation schemes.
The NSTIC contemplates that the Identity Ecosystem will “consist of different online communities that use interoperable technology, processes, and policies. These will be developed over time—but always with a baseline of privacy, interoperability, and security.” As such, the NSTIC perspective is quite broad in how it envisages the Identity Ecosystem will evolve, but is very clear in its consistent application of the NSTIC guiding principles.
We believe that ongoing discussions of the Identity Ecosystem and its Framework, interim or not, should be firmly grounded in the guiding principles. We also note that, despite the many rich debates within the IDESG since its inception a little over a year ago, no one has taken a position that the guiding principles were, well…misguided.
In our recent blog, “What Does it Mean to Embrace the Guiding Principles”, we released a set of requirements derived from the NSTIC guiding principles.
Our two goals in releasing the derived requirements were:
We’re encouraged to see that at least one IDESG Committee (Privacy) is actively working to provide further specificity on the privacy requirements. If the remainder of the derived requirements is similarly analyzed by the IDESG, then we believe that a full set of guiding principle-related requirements can be developed for the Identity Ecosystem Framework.
In addition to requirements relating to security, privacy, interoperability and ease of use, we would anticipate that the Identity Ecosystem Framework would address considerations such as Operating Rules, Terms of Service and Accountability Mechanisms, as originally envisioned by the NSTIC. Figure 1 below presents a potential analysis flow that would allow the NSTIC guiding principles to be embodied in the Identity Ecosystem Framework.
In our previous blog on Trust Frameworks, we noted that a number of initiatives were either active or were forming, based on commercial communities of interest, federal programs, and existing Trust Framework Provider schemes, and that some common elements of requirements are beginning to emerge. While such existing schemes may have successfully built trust within their respective communities, it is not clear that such trust is recognized across communities, or that the schemes fully address the requirements derived from NSTIC as described above. We believe that a requirements mapping, as shown in figure 2 below, could a) provide a means for determining “comparability” of existing trust frameworks with the full set of IDESG requirements, and b) potentially pave the way for “mutual recognition” among those frameworks that meet the IDESG requirements. Such “mutual recognition” may not realize the full end-state vision of the NSTIC for certification processes and trustmarks, but could lead to the quick win of an “Interim Identity Ecosystem Framework” that is firmly grounded in the NSTIC guiding principles and end-state goals, as has been discussed in the TFTM Committee.
In terms of accreditation, the NSTIC envisages that the (IDESG) steering group would administer the Framework in accordance with the guiding principles and would “ensure that accreditation authorities validate participants’ adherence to the requirements of the Identity Ecosystem Framework.” Note, however, that NSTIC is not prescriptive on how the validation of adherence to the guiding principles would occur. With this in mind, we’d suggest that the requirements mapping proposed here would help to clarify the current state of the ecosystem – and allow the IDESG to better understand how many components of prior art can be leveraged to avoid “recreating the wheel” for its accreditation and trustmark schemes.
This is a tricky topic to navigate; we hope our inputs here suggest a path forward that makes progress a bit easier. Please let us know your thoughts!