Having spent the last year living and breathing federated identity and credentials, trust frameworks and the like, and the greater part of a decade consulting in the security, privacy and identity management fields, I think I have come up with a few ideas.
This slide deck is an attempt to start describing a Conceptual Model for the NSTIC ID Ecosystem.
The IDESG is working on articulating what the ID Ecosystem and ID Ecosystem Framework actually are – this deck is my opinion of what they are.
This is the first draft of the material – please comment [Ed. it’s the third version now]
I’m particularly keen to hear from those of you who think this is mostly wrong & a mischaracterization of what NSTIC’s Vision is. To me, this feels right – but that’s just me.
There’s a ton of further refinement needed to make this kind of concept model understandable – for example, doing ‘user-centric’ walkthroughs to discover the kinds of interactions a person or service would see in a real implementation.
Also, it should be a mechanical exercise to take an existing online community, discover all the relevant structures and objects they use, and label them as ‘Term of Service’, ‘Fulfillment of Term’, ‘Community Rule’ and so on.
If real implementations cannot be broken down and explained using this model, then the model needs to be adjusted. In this way, it may be possible to use the concept model as a ‘Community Dowsing Rod’ – to discover hidden communities in unexpected places and enable us to recognize them and bring them into the wider ecosystem.
I look forward to the discussion.
The PowerPoint deck is here:
(This is actually now v03 of the presentation – thank you all for feedback to improve it)
Responses to a few out of band questions:
* In the model, ‘transaction’ should be taken in the sense of ‘interaction’ or ‘exchange’ not solely as ‘financial transaction’. While many transactions are financial, this is more about the interaction between a ‘provider’ of electronic stuff and a ‘consumer’ of it.
* The model reflects back the language of the NSTIC Strategy document’s Vision and definitions in a pattern or template form that could enable organizations to determine whether they are ‘ID Ecosystem’-like or whether they are potentially missing parts. The idea is that for any ID Solution or Trust Framework implementation, every part shown in the model should have one or more corresponding parts in the real-world implementation.
* Perhaps the ‘eProvider’ and ‘eConsumer’ icons should be reversed to make it look more User Centric. This conceptual model embraces user centricity: imagine that a user-centric Online Community makes their rules of membership such that all eProviders MUST abide by user-centric principles. So all possible providers are user-centric and they can only ask for Terms of Service that abide by those principles.
* The next layers of elaboration are the construction of ‘business scenarios’ that describe how this model represents real-world situations. Below that might be Use Cases, Functional Model, Trust Framework criteria and so on.
* An important shift of perspective is that in this model, the IDP/CSP are not at the centre of the picture. They shift into third-party supporting roles that are the mechanisms by which terms can be expressed and fulfilled.
* As a thought experiment, I encourage you to consider Facebook as an ‘Online Community’ in the model and parse out what the Terms of Service are and how end-users fulfill them.
** Then think of a vendor using a username-password based authentication system.
** Then a credential Federation as the Online Community.
** Then a Government to Citizen interaction where there is or is not a National Identity Card.
** How about a Doctor, the Insurance Company and the Patient? That fits too in a slightly more complex way.
Now think of a categorization and classification scheme with those data points and how you might represent technology interoperability, information exchange, consent-based information flows, anonymity, high identity assurance, and so on between the various Online Communities.
Kudos, needs doing; very tired of a fiery heart buried ’neath Robert’s Rules of Order.
You bring to this charter a very particular view. You’re telling the story from the point of view of an insider trying to build the bridge, who sees all the permitting, subcontracting, architectural plans, engineering stress tests, and future operations. As evidence, you put the identity transaction at the center of this, the exchange of credentials. You also framed those transactions as person-institution-institution (and maybe the trust framework as a fourth party), but the bird’s-eye view is only useful to the craftspeople building this NSTIC IDESG bridge.
There are other ways to talk about it, other frames of reference that may be more useful in explaining to non-ID management, to politicians, to constituents.
Marketers. This is a way for your brands to add IdP services as a Facebooky way to deliver new value to your customers, to extend your brand into more parts of their customers’ lives, to reinforce your role as a trusted partner in their digital lives. The Trust Framework is your brand’s trustmark in the ID world, a way for your customers to know you have their backs; think Better Business Bureau.
Bank Customer. You already “sign in with X” every day. Usually just using your Facebook, WordPress, Yahoo! or Google ID. Now you’ll be able to sign in with your most trusted services. Sign in with your new credit union ID when you go shopping. Sign in with your LV ID to fashion sites. Sign in with your workplace ID to check on benefits. When you log in you’ll see two new things: new IDs you can use to sign in and “network partners” that support IDs the way Visa and Mastercard support your credit cards.
Alternate voices let you simplify how much detail to show; highlight how different stakeholders prioritize the ecosystem’s value; and use more natural language than the ID community’s own jargon. My conceptual model of an airplane might not explain how it really flies, but it might be enough for me to board.
Good points all – this deck _is_ for the IDESG community itself – as a frame of reference upon which to hang the work itself. There are certainly other narratives for consumption in the real world: this is not that.
My hope for this is to give the IDESG a way of describing the complexity in the already-extant ID ecosystem – so the ID Ecosystem can see beyond formal Trust Frameworks in the 800-63 pattern & enable the new emerging patterns and different structures that achieve the NSTIC vision but in different ways.