Respect Trust Framework

From IIW

Session Topic:RESPECT TRUST Framework (T1E)

Convener:Drummond Reed, Scott David


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Intro to Trust Framework: tools and rules; what technology is used? What rules apply in a legal and technical sense? Technical, legal, and Product scope.

OpenIdentity Exchange OIX):

-neutral home for open identity trust framework construction

-opened to be used by federal agencies

-not based on Nat’l ID cards

-industry identity providers certified to be IdPs that GAO approves.

-Gov’t doesn’t bless any IdP

-Kantara, inCommon: trust framework providers created open identity exchange (ICAM)

Consider the trust triangle:

Identity Provider - Relying Party - User

User registers and authenticates with IdP; RP relies on the IdP for these assertions; user relies on the RP for essential services.

3 Metrics describe the Trust Framework:

  • IDP Perspective: Std Levels of Assurance were created for RPs to describe the degrees of identity and authentication that RPs can expect from IdPs.
  • RP perspective - Level of Protection: what will RPs do to protect any identity information that the IDPs provide to the RPs?
  • User perspective on the triangle: what privacy and Level of Control do I have as a user?

The 3 metrics operate independently. However, data can be tagged such that they affect one of the metrics or another.

After experience in trust frameworks focused on Authentication and technology, a legal framework and business framework was seen as a need.

OIX is a way for trust frameworks to publish how they operate in a neutral territory. The metadata registry that describes how the trust framework operates is published in a stable and durable location.

Think of ICAM as a procurement specification for Identity Services.

Assurance, Protection, and Control are soft concerns. LoA is machine readable expressions.

Trillions of identity operations are performed every day. Each interaction is governed by rights and duties; there aren’t enough resources to enforce the rights and duties involved. This mandates the creation of a contract of sorts. Since each party has balancing duties, the relationship seems to be viable as a contract relationship.

Some alternative to a monetization relationship is needed. A market to allow businesses to adopt trust frameworks that address specific needs is the ultimate outcome of the OIX effort. Can’t solve all concerns at once.

The RESPECT Trust Framework introduces a Level of Control Metric that’s user centered as a opposed to IdP or RP-centered.

-- build incentives to do the right thing.

Principles:  Promise, Permission, Protection, Portability, and Proof

Data breaches about every 2 weeks over the last 2 years.

Promise: Respecting digital boundaries – this is a respect for the limits of the scope for anyone to act. “Your right to swing your arm end where my nose begins.” (This is the fundamental principle of the trust framework.)

Permission: we don’t steal or fool each other online.

Protection: maintain confidences entrusted in us. First duty commitment to protect against 3rd party harm. (Commercially reasonable protections or legally reasonable?)

Portability: we don’t hold each other hostage. Don’t hold users to any one participant in the trust framework – share identity information.

Proof: Reasonably cooperate for the good of all members. Protect user and peer reputation. Scalable enforcement is by participation in a reputation system.

Trust anchors – people who will vouch for others reputation. Prevent Sybil Attacks. This could be based on Social Networks or other peer-to-peer systems.

Those who want to serve as Trust Anchors should contact Dean Landsman at IIW.

(All duties- no rights so far. Just as we all stop at red lights, participants in this trust framework operate with these principles. These principles don’t respond to every problem, but solutions to common problems are consistent with these principles.)

link to external blog post with video