Over the last year, I’ve been thinking about the nature, structure and governance models of Trust Frameworks.
The work that I do with IDESG is focused on establishing an ‘Identity Ecosystem’, which, in effect, means finding ways for existing and new Identity federations, Trust Frameworks and standalone Identity Solutions (the Ecosystem Participants) to exchange information (assertions) with their partners. Ecosystem Participants need to evaluate the risks of accepting the information for use in their decision-making processes.
I have closely examined the FICAM Trust Framework Solutions Trust Criteria, NIST standards, the Trust Framework Provider Acceptance Program and Approved Trust Framework Providers’ frameworks, to seek understanding of different approaches to evaluate transaction partners who might become Identity Federation partners. At root, these approaches define requirements that must be met, criteria for conformity evaluation, risk evaluation methods and assessment rules which must be considered when conducting Identity-related online transactions.
A couple years ago, I decided to examine the relationships between components of online Identity Solutions using a very particular lens: the Information Sharing lens. That analysis helped shape conversations with FICAM and Government of Canada about reference architectures and mechanisms to assign roles and responsibilities for identity-related transactions.
I have recently started to immerse myself in the InterPARES Trust project:
“InterPARES Trust (ITrust 2013-2018) is a multi-national, interdisciplinary research project exploring issues concerning digital records and data entrusted to the Internet. Its goal is to generate theoretical and methodological frameworks to develop local, national and international policies, procedures, regulations, standards and legislation, in order to ensure public trust grounded on evidence of good governance, a strong digital economy, and a persistent digital memory.”
These projects are researching ways to determine digital record authenticity, and other related information management subjects.
What if we look at Trust Frameworks through the information lens?
For this thought experiment, treat everything as an information transmission, processing or storage event. For example, if a user authenticates their credential/token with a verifier, information from the credential/token could be processed, an assertion of ‘logged in’ could be transmitted, and logs stored about the events.
When attempting to transact, subscribers to a Trust Framework seek to:
- Understand what information is needed of them in order to perform the transaction
- Do the functions needed to prepare that information and transmit it as needed
- Specify what information they need, in a way that includes metadata about quality, source, encoding, etc.
- Acquire the information they need to make transaction or risk decisions
- Determine the authenticity and sufficiency of the information received, to the degree needed
- Complete the transaction based on decisions made about the information processed
What if we use the paradigm of Information Sharing Agreements to codify the determinations and statements of ‘need’ in the bullets above?
In my next posts, I will try to look at the sequences of the overall transaction as it relates to information sharing. The information sharing is to occur pairwise, under known terms and conditions. In this way, I hope to learn new things about the nature and structure of information sharing agreements covering these transactions.
In this way, I will try to lead the thought experiment through to what Federation Agreements do for participants today, and what model agreements would be of use in an ‘Ecosystem’ trust arrangement.