A Twittorial on Trust Frameworks

  • Posted on: March 5, 2010
  • Posted in: Insight IdM
  • Posted by: Nishant Kaushik

(Updated to reflect provisional status of OIX approval per this – thanks to Brett for telling me)

I just got back home from the RSA Conference in San Francisco this week, where the topic of Trust was second only to all things Cloud. While sessions on Identity Management were few and far between, there was lots of interesting news coming out of the conference (like the U-Prove announcement). I tweeted about the announcements that concern Trust Frameworks, a way for one site (Relying Party) to trust the identity, security, and privacy assertions/claims from a different site (Identity Provider) acting on behalf of a user.

The first announcement was the launch of the Open Identity Exchange (OIX), yet another non-profit organization (coming out of the OpenID Foundation and the Information Card Foundation) that is dedicated to building trust in the exchange of online identity credentials across the public and private sectors. The second announcement was that the US Federal Government’s Identity, Credential, and Access Management (ICAM) Trust Framework Evaluation Team (TFET) has provisionally approved both OIX and the Kantara Initiative as Trust Framework Providers, able to certify online identity providers to U.S. federal standards for identity assurance (read more here).

Trying to digest all of this was a little difficult, so as I was stuck in traffic on my way home from the airport, I found myself riveted by a Twitter exchange that was flying fast and furious between Paul Madsen (everyone’s favorite source for biting identity musings) and Brett McDowell (until recently Executive Director of the Kantara Initiative, and now technology evangelist at PayPal, one of the first IdPs certified by OIX – so you can see he has unique insight). I have reproduced it here for everyone’s benefit (with their permission, of course).

paulmadsen
ICAM is one federation willing to deal with multiple trust frameworks. Will others?
brettmcdowell
@paulmadsen ICAM isn’t actually dealing with multiple trust frameworks. It’s all just NIST SP800-63 w/ various means to prove you comply.
paulmadsen
@brettmcdowell ICAM is ‘accepting’ OIX, KI-IAF, InCommon. To me those are all trust frameworks (ie certification programs)
brettmcdowell
@paulmadsen ah, but what is a “trust framework”? The criteria for trust itself (M04-04 & 800-63) or the method for demonstrating compliance?
brettmcdowell
@paulmadsen P.S., in the Kantara case, IAF has criteria as well, but it’s been “mapped” to prove comparability to US Federal requirements.
paulmadsen
Components of a trust framework – policies, accreditation, certification, admin, metadata infrastructure, keg parties….
paulmadsen
@brettmcdowell if everybody agrees on 800 63 for the former, trust frameworks are distinguished by the latter
brettmcdowell
@paulmadsen IAF/OITF (frameworks) differentiated by criteria, KI/OIX (.org’s who certify) differentiated by due diligence on applicant
paulmadsen
@brettmcdowell thus KI (conditionally) approved for up to non-crypto LOA3 …
brettmcdowell
@paulmadsen M04-04 & SP800-63 is like the “spec”, IAF is like the SCR, and OIX is a registry of those asserting compliance to the spec
brettmcdowell
@paulmadsen “non-crypto” is another misleading term/issue. It rules out “pure PKI” but not “signed” assertions (SAML) or claims (IMI)
paulmadsen
@brettmcdowell but IAF is more than an extra level of policy detail on top of 800 63 criteria. And OIX is more than a registry
brettmcdowell
@paulmadsen for KI to be approved for AL3 PKI & AL4 in US Gov, it needs to cross-certify with the Federal Bridge
brettmcdowell
@paulmadsen re: “but IAF is more than” and “OIX is more than” Paul, cut me some slack, this is Twitter, some nuances are going to be lost!
paulmadsen
@brettmcdowell point was less about the ‘crypto’ part, and more that diff frameworks may target different parts of ‘assurance space’
paulmadsen
@brettmcdowell that’s why I avoid all subtleties & nuances :-)
brettmcdowell
@paulmadsen I wouldn’t draw conclusions (or battle lines) regarding trust frameworks just yet. Remember the OIX RFI dialog w/KI is ongoing
paulmadsen
@brettmcdowell as I complained to @ve7jtb, want to see matrix laying out components of a generic framework, specific instances mapped on
brettmcdowell
@paulmadsen that sounded like a proposal not a complaint. I accept your matrix proposal. Looking forward to reading it when you finish :-)

And of course, Paul had to have the last word, and it was typically Madsen-istic.

paulmadsen
@brettmcdowell you know, my wife made that same interpretation 16 years ago. Must be more precise

Hopefully that exchange was illuminating, and gave you enough pointers to standards and topics that might help deepen your understanding of Trust Frameworks. It certainly has given me a lot to think about. While RSA may have been weak on identity related discussions, these announcements are likely to have a huge impact on the identity landscape going forward.
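To make the “spec / criteria / registry” split from the exchange concrete, here is an added illustration (my own sketch, not code from the post, ICAM, OIX or Kantara) of the decision a Relying Party has to make before it trusts an IdP’s assertion: look the issuer up in a registry of certified providers, cap the claimed assurance level at what the certifier actually vouched for, and honor the “provisional” status of an approval. The registry contents, hostnames, level numbers and the signed-assertion threshold are all constructed assumptions for the example.

```python
from dataclasses import dataclass

# Constructed registry (sample data, not the real OIX or Kantara listings):
# which Trust Framework Provider certified each IdP, the highest assurance
# level it was certified for, and whether that approval is still provisional.
REGISTRY = {
    "idp-a.example": {"tfp": "OIX", "max_loa": 1, "provisional": True},
    "idp-b.example": {"tfp": "KI-IAF", "max_loa": 3, "provisional": False},
    "idp-c.example": {"tfp": "SomeOtherCert", "max_loa": 4, "provisional": False},
}

# Trust Framework Providers this relying party's federation recognises
# (the three named as "accepted" by ICAM in the exchange above).
ACCEPTED_TFPS = {"OIX", "KI-IAF", "InCommon"}

# Assumed policy for the example: from this level upward the assertion
# itself must carry a signature the RP can verify.
SIGNED_ASSERTION_FROM_LOA = 2


@dataclass
class Assertion:
    issuer: str        # IdP that issued the assertion
    claimed_loa: int   # assurance level the IdP claims for this login
    signed: bool       # whether the assertion carries a verifiable signature


def evaluate(assertion: Assertion, required_loa: int, allow_provisional: bool = True):
    """Return (accepted, reason). Trust is anchored in the registry entry,
    so an IdP's self-claimed level never exceeds what its certifier vouched for."""
    entry = REGISTRY.get(assertion.issuer)
    if entry is None:
        return False, "issuer not listed in any accepted registry"
    if entry["tfp"] not in ACCEPTED_TFPS:
        return False, f"certifier {entry['tfp']} not recognised by this federation"
    if entry["provisional"] and not allow_provisional:
        return False, "certification is only provisional"
    effective_loa = min(assertion.claimed_loa, entry["max_loa"])
    if effective_loa < required_loa:
        return False, f"effective LOA {effective_loa} below required {required_loa}"
    if required_loa >= SIGNED_ASSERTION_FROM_LOA and not assertion.signed:
        return False, "unsigned assertion not acceptable at this level"
    return True, f"accepted at LOA {effective_loa} via {entry['tfp']}"


if __name__ == "__main__":
    for a, need in [(Assertion("idp-b.example", 3, True), 3),
                    (Assertion("idp-a.example", 3, True), 3),
                    (Assertion("idp-c.example", 4, True), 4)]:
        print(a.issuer, need, evaluate(a, need))
```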


Tags: Brett McDowell, ICAM, Kantara Initiative, Open Identity Exchange, Paul Madsen, Trust Frameworks, User-Centric Identity


Copyright © 2005-2013 Nishant Kaushik. All Rights Reserved.