TFTM 01-02 TFTM Committee working call to discuss how to describe the “IDESG-Acknowledged Identity Ecosystem” in its interim or long term state. 2013 November 06 2013-11-06 IDESG TFTM Committee 1 NOTE: The notes section of each slide captures the discussion about that slide from the October 30 meeting.

Upload: meryl-small

Post on 12-Jan-2016


Page 1

TFTM 01-02

TFTM Committee working call to discuss how to describe the “IDESG-Acknowledged Identity Ecosystem” in its interim or long term state.

2013 November 06

NOTE: The notes section of each slide captures the discussion about that slide from the October 30 meeting.

Page 2

Contents of this deck

• The Value of establishing an IDESG-Acknowledged ID Ecosystem (interim or long-term)

• Discussion of the nature of “Interim” versus “Longer term”

• Some possible descriptions of the IDESG-Acknowledged ID Ecosystem

* These slides should be modified as needed to circle in on the description of “What” we are working to establish


October 30 Call

Page 3

Some assumptions

• There will be an IDESG-Acknowledged ID Ecosystem

• Participation will grow over time

• Structures will evolve and requirements will become better-defined over time

• Adherence to the NSTIC Guiding Principles is mandatory

• The NSTIC Derived Requirements might be used as a mechanism to demonstrate adherence to the principles

Page 4

The NSTIC ID Ecosystem*

will consist of different online communities that use interoperable technology, processes, and policies

*Source: The NSTIC Strategy Document

* The term “online communities”, while not perfect, should be used until IDESG determines the best replacement term and creates an IDESG Vision statement.

Page 5

ID Ecosystem?

[Diagram labels: ID Ecosystem Framework Rules; Online Communities; Arrows = Inter-community interactions]

Page 6

Rationale and Value


Page 7

The rationale for

• The rationale for establishing an IDESG-Acknowledged ID Ecosystem (interim or long-term) is:

  • The same as establishing any Standards-based program

  • To acknowledge the conforming participants from the Internet ID Ecosystem

  • To influence service providers to use sound practices

  • To signal to service consumers that there are minimum acceptable standards of operation

Page 8

The value in participating

• To enable identity solution and ‘online community’ participants to be recognized as being or strive to become recognized as participating in the IDESG-acknowledged ID Ecosystem

• For the cross-endorsement of participants to instill trusted brand power and the beginnings of a network effect for identity solution trust brands

  • i.e. The companies would not identify with it if it brings their brand into disrepute

• To assure consumers/citizens/individuals that certain standards have been met and policies & practices are in place

• To act as a finding aid for identity services consumers to locate ‘trustworthy’ service providers

• To enable participants to promote participation as a service differentiator

Page 9

What is “Interim”


Page 10

The sense of “Interim”

• An initial group (as identified by IDESG) of ‘online communities’ which demonstrate that they meet the basic requirements of the Interim stage

  • E.g. have been certified and accredited by an IDESG-vetted accreditation body

  • E.g. self-assert that they satisfy the NSTIC Derived Requirements

• A period of time prior to a declared start date of an IDESG-acknowledged ID Ecosystem in which potential participants can prepare for and receive accreditation

• A period during which any identity solutions can self-assert participation and satisfy requirements

  • A Transition period would be required to formally verify the validity of these claims

Page 11

IDESG-Acknowledged Interim Ecosystem: Described

Page 12

What is the Interim thing?

• Consists of a few or several ‘Online Communities’ that are well-defined, well-governed, in operation, appear to be stable, satisfy the NSTIC Derived Requirements and have a positive track record of privacy and security management.


Page 13

These ‘Online Communities’:

• Have community-defined, documented and enforced:

  • Interoperability Standards; Shared risk model; Privacy policy, requirements and accountability mechanisms; Liability policy and requirements

• Have community-defined, documented and enforced:

  • Policy, standards and processes that govern the activities of community members

• Can demonstrate that they satisfy all of the NSTIC Derived Requirements

• Can describe the types of community-member interactions or transactions that rely on identity- or attribute-related services

• Can demonstrate a track record of consistent application of the Community Rules; and the ability to detect, respond to and repair security and privacy breaches

• Have policies and processes for adding new members and revoking membership in the Community

• Have documented processes for handling interactions with entities that are not community members

• Have a business model that appears to support the activities of the Community

Page 14

TFTM 01-02

TFTM Committee working call to discuss how to describe the “IDESG-Acknowledged Identity Ecosystem” in its interim or long term state.

2013 November 06 Call

NOTE: The notes section of each slide captures the discussion about that slide from the October 30 meeting.

November 6 Call Starts Here

Page 15

A Few Quick Points

• Rationale for Interim state:

  • To influence Online Communities & Participants towards conformance with IDESG Requirements

  • To start a virtuous cycle of association of IDESG brand with highly visible companies, brands and associations

  • To demonstrate elements of the Value Proposition for participating in the IDESG-Acknowledged ID Ecosystem

  • To learn and fine tune tactics for the longer term

• Consider using “Initial” instead of “Interim” to keep evolution/maturity concepts

Page 16

IDESG-Acknowledged ID Ecosystem – Interim/Initial State

Description

• Consists of a few or several ‘Online Communities’ that are well-defined, well-governed, in operation, appear to be stable, satisfy the NSTIC Derived Requirements and have a positive track record of privacy and security management.

• ‘Online Communities’ have documented & self-defined ‘Trust Frameworks’ and use one or more ‘ID Solutions’: Federated Authentication/Credentials; Web Single Sign On; Centralized/Directory Authentication


Page 17

Requirements Gathering

1. Start with the NPO NSTIC Derived Requirements (as a proxy for the Guiding Principles)

2. Determine Legal Requirements: What contracts needed? Is IDESG liable or providing implicit warranty? What Trust Mark licensing is needed for Interim state?

3. Determine Operational Requirements

4. ???

Page 18

Selecting The Initial Participants

• Use ‘Online Communities’ as the granularity of participant selection

• Pick which interaction/transaction types should be showcased in the first group of ‘Online Communities’: C2G; G2C; B2B; B2C (hopefully mostly on the ‘B’ and ‘C’ end)

• Select ‘Online Communities’ that have strong brand power and high visibility to non-Identity-Focused companies, individuals and organizations

• Select ‘Online Communities’ that use 3rd party Certification & Accreditation of their participants

• Select based on large total number of Individuals, Businesses and Organizations in the ‘Online Community’?

• All viable NSTIC Pilot Grant Awardees plus ‘big name’ Federations?


Page 19

Feature Preferences?

• If you had to pick one or two of…

  • Non-password credentials only

  • Credential/Authentication portability/interoperability between initial group of ‘Online Communities’

    • i.e. The Individual observes that they can use a single credential to access a range of services that previously had their own unique credentials/user accounts

  • Multiple or Single Industry Sector focus?

  • Public sector-verified attributes available for private sector transactions?

  • Improvements to security, privacy, usability and interoperability that result in real but ‘Invisible’ benefits?

  • ???

Page 20

Business Scenario Preferences?

• Do we describe (and choose initial participants based on) a single scenario that is difficult to do using non-IDESG-Acknowledged ID Solutions, but would be less frustrating from end to end?

• Do we choose initial ‘Online Communities’ that are mature and sound at the expense of interoperability between those ‘Online Communities’?

• Do we choose based on a preferred outcome?

  • E.g. fraud reduction; seamless user experience; retail experience efficiency; proof that stronger credentials are possible and easy to use; proof that externalization of authentication is good for business

• Do we choose to emphasize added value for one or several primary Participants (e.g. the Individual, the IDP/CSP, the eService Provider/RP) or do we value balanced benefit more?

Page 21

Next Steps?

• Andrew to start writing up the document

• And…?
