While the National Strategy for Trusted Identities in Cyberspace (NSTIC) was issued by the White House, it calls for the private sector to lead development of a trust framework that can replace passwords, allow individuals to prove online that they are who they claim to be, and enhance privacy. The Identity Ecosystem Steering Group (IDESG) is the private sector-led organization created to achieve this mission by administering the development of policy, standards and accreditation processes for the Identity Ecosystem Framework (IDEF).
The IDEF provides a baseline set of standards and policies that apply to all of the participating trust frameworks. This baseline is more permissive at the lowest levels of assurance, to ensure that it does not serve as an undue barrier to entry, and more detailed at higher levels of assurance, to ensure that participants have adequate protections.
The IDEF is a living document and will evolve in order to reach the agreed-upon policies and technical standards necessary to fulfill the NSTIC’s vision. Currently, the IDEF contains a minimal set of commonly agreed-upon recommendations, best practices and standards, but will become more robust over time as participants are able to come to agreement on different aspects of the Identity Ecosystem, not only in general but for key communities of interest and industry segments such as healthcare, financial services and education.
Trust frameworks enable communities to elaborate upon the baseline standards and policies from the IDEF. For example, a trust framework may be established for the identification of smart cards used for both physical and logical access. Another trust framework may be developed by mobile phone providers that will enable consumers and businesses to use mobile devices for secure, privacy-enhancing identity and access management.
One or more private-sector accreditation authorities may be necessary to implement a trust framework. Accreditation authorities validate identity providers, attribute providers and relying parties, ensuring that they meet the policies and standards set by the trust framework. Existing private-sector organizations already serve in this role in some sectors and can participate in the Identity Ecosystem if they so choose. The IDESG, as a public-private steering group, will ensure that accreditation authorities maintain the minimum requirements of the IDEF when they issue trustmarks.
Figure 4 (above) illustrates multiple trust frameworks built upon the foundation of the IDEF. The baseline requirements, policies and processes ensure underlying interoperability such that credentials can be relied upon even when the participants are in different trust frameworks, a key NSTIC requirement.
The accreditation process and trustmarks are designed to foster trust among all Identity Ecosystem participants. The IDESG trustmark will be a mechanism for efficiently communicating the policies and technologies that an Identity Ecosystem participant supports. For individuals, the trustmark is a simple alternative to reading documents like terms of service or detailed privacy policies: it can provide an easy means of identifying service providers who abide by a set of uniform policies.