a NIST blog
This past July, I noted at the IDESG Plenary meeting in Boston that discussions relating to trust frameworks and trustmarks appeared to have splintered into a number of camps, ranging from: accreditation bodies that feel they have already “solved the problem”; vendors who are reluctant to undergo another accreditation; those that believe a brand new accreditation scheme needs to be devised; and stakeholders that prefer that market forces alone shape how things evolve, without any intervention. Amidst this diverse range of views, the IDESG in general, and the Trust Framework Trustmark (TFTM) Committee specifically, are attempting to attain consensus on a path forward for the Identity Ecosystem Framework and any associated accreditation schemes.
The NSTIC contemplates that the Identity Ecosystem will “consist of different online communities that use interoperable technology, processes, and policies. These will be developed over time—but always with a baseline of privacy, interoperability, and security.” As such, the NSTIC perspective is quite broad in how it envisages the Identity Ecosystem will evolve, but is very clear in its consistent application of the NSTIC guiding principles.
We believe that ongoing discussions of the Identity Ecosystem and its Framework, interim or not, should be firmly grounded in the guiding principles. We also note that, despite the many rich debates within the IDESG since its inception a little over a year ago, no one has taken a position that the guiding principles were, well…misguided.
In our recent blog, “What Does it Mean to Embrace the Guiding Principles”, we released a set of requirements derived from the NSTIC guiding principles.
Our two goals in releasing the derived requirements were:
We’re encouraged to see that at least one IDESG Committee (Privacy) is actively working to provide further specificity on the privacy requirements. If the remainder of the derived requirements is similarly analyzed by the IDESG, then we believe that a full set of guiding principle-related requirements can be developed for the Identity Ecosystem Framework.
In addition to requirements relating to security, privacy, interoperability and ease of use, we would anticipate that the Identity Ecosystem Framework would address considerations such as Operating Rules, Terms of Service and Accountability Mechanisms, as originally envisioned by the NSTIC. Figure 1 below presents a potential analysis flow that would allow the NSTIC guiding principles to be embodied in the Identity Ecosystem Framework.
In our previous blog on Trust Frameworks, we noted that a number of initiatives were either active or were forming, based on commercial communities of interest, federal programs, and existing Trust Framework Provider schemes, and that some common elements of requirements are beginning to emerge. While such existing schemes may have successfully built trust within their respective communities, it is not clear that such trust is recognized across communities, or that the schemes fully address the requirements derived from NSTIC as described above. We believe that a requirements mapping, as shown in Figure 2 below, could a) provide a means for determining “comparability” of existing trust frameworks with the full set of IDESG requirements, and b) potentially pave the way for “mutual recognition” among those frameworks that meet the IDESG requirements. Such “mutual recognition” may not realize the full end-state vision of the NSTIC for certification processes and trustmarks, but could lead to the quick win of an “Interim Identity Ecosystem Framework” that is firmly grounded in the NSTIC guiding principles and end-state goals, as has been discussed in the TFTM Committee.
In terms of accreditation, the NSTIC envisages that the (IDESG) steering group would administer the Framework in accordance with the guiding principles and would “ensure that accreditation authorities validate participants’ adherence to the requirements of the Identity Ecosystem Framework.” Note, however, that NSTIC is not prescriptive on how the validation of adherence to the guiding principles would occur. With this in mind, we’d suggest that the requirements mapping proposed here would help to clarify the current state of the ecosystem – and allow the IDESG to better understand how many components of prior art can be leveraged to avoid “recreating the wheel” for its accreditation and trustmark schemes.
This is a tricky topic to navigate; we hope our inputs here suggest a path forward that makes progress a bit easier. Please let us know your thoughts!