A debate continues to simmer in IDESG about the nature of an Identity Ecosystem; there are many points of view and opinions. For an organization like IDESG, a unified concept must emerge.
Approaches to define the Identity Ecosystem include: setting a baseline of requirements that must be met by ecosystem participants; definition of trust marks; Internet nutrition labels; establishing a formal certification process; creating the ability for ecosystem participants to advertise their security, privacy and other capabilities; functional models; interaction models; protection levels; assurance levels; self-selection; independent attestation; and the list goes on.
Let me suggest and explore another way to perceive and describe an ID Ecosystem aligned with the NSTIC Guiding Principles.
A common thread that links the above-listed approaches together is that each one declares one or more Authorities that determine if the prospective ecosystem participant’s policies, technologies and operations are compatible with the NSTIC Vision.
Following this line of thought, envision a governance structure that seeks to influence the behaviour of the Authorities that grant rights of access and recognition to ecosystem participants. Rather than IDESG attempting to define and quantify every action, implementation or intent in the entire ecosystem, why not define the rules of being an Authority and certify those entities wishing to be Authorities?
What would an Authorities-driven Identity Ecosystem look like?
(and, remember that what follows is a rosy view biased to my ways of conceptualizing the ecosystem)
- Authorities exist that can certify or recognize ecosystem participants that adhere to that Authority’s rules
- Authorities create and manage rules that are compatible with NSTIC Principles
- Authorities become authoritative when a) they demonstrate rule compatibility to an IDESG Authority and b) entities decide to follow their rules and ‘join’
- Each Authority would decide how to certify or recognize their participants – some might use formal Trust Framework Provider methods, others might allow self-declaration: the choices would be defined in their rules
- Each ecosystem participant, including the Authorities, is accountable to the Authorities whose rules they follow
Some issues remain:
- Who sez that the IDESG Authority has any sway over any other entity?
Is this description simply a description of the current internet using different words?
I think it is a new thing because it focuses on approaches to make the IDESG organization and members credible and influential in the internet space.
In order for an IDESG Authority to have any value, a critical mass of significant influential entities must join and put their weight behind the organization. If a critical mass of interesting organizations choose to acknowledge this web of authorities and ways to align to the NSTIC Principles, we begin the positive cycle.
It’s a big ‘IF’. And it’s one of the key assumptions under which IDESG, Inc. was formed.
My opinion: focus the work of IDESG on making it easy for organizations and individuals to demonstrate support for NSTIC. NSTIC’s vision is a good one. Build on existing goodwill to build a source of co-recognition. Reinforce the positive actions that IDESG members take: by getting certifications; by doing regular assessments; by actively protecting privacy and security. IDESG should use inclusive selection methods to increase membership and to create a self-enforcing or peer-enforcing environment:
- Delegate and distribute ‘authority’ to the communities, federations and other self-identifying groups
- Avoid over-specification, bureaucracy, self-limiting approaches, command-and-control centralization
- Educate participants, develop and give them the tools to make informed decisions about the agreements and interactions they wish to use. Make it easier for others to educate about good practices and dangers. Make the safest options easiest.
- Minimize barriers to entry
- Reinforce positive behaviours
- Build goodwill and peer value