tftm 01-02 tftm committee working call to discuss how to describe the “idesg-acknowledged identity...
TRANSCRIPT
IDESG TFTM Committee1
TFTM 01-02TFTM Committee working call to discuss how to
describe the “IDESG-Acknowledged Identity Ecosystem” in its interim or long term state.
2013 November 06
2013-11-06
NOTE: The notes section of each slide captures the discussion about that slide from the October 30 meeting.
IDESG TFTM Committee2
Contents of this deck
• The Value of establishing an IDESG-Acknowledged ID Ecosystem (interim or long-term)
• Discussion of the nature of “Interim” versus “Longer term”
• Some possible descriptions of the IDESG-Acknowledged ID Ecosystem
* These slides should be modified as needed to circle in on the description of “What” we are working to establish
2013-11-06
October 30 Call
IDESG TFTM Committee3
Some assumptions
• There will be an IDESG-Acknowledged ID Ecosystem
• Participation will grow over time
• Structures will evolve and requirements will become better-defined over time
• Adherence to the NSTIC Guiding Principles is mandatory• The NSTIC Derived Requirements might be used as
a mechanism to demonstrate adherence to the principles
2013-11-06
October 30 Call
IDESG TFTM Committee4
The NSTIC ID Ecosystem*
will consist of different online communities
that use interoperable
technology, processes, and policies
*Source: The NSTIC Strategy Document
* The term “online communities”, while not perfect, should be used until IDESG determines the best replacement term and creates an IDESG Vision statement.
2013-11-06
October 30 Call
IDESG TFTM Committee5
ID Ecosystem?
ID Ecosystem Framework Rules
Arrows = Inter-community
interactions
Online Communiti
es
2013-11-06
October 30 Call
IDESG TFTM Committee6
Rationale and Value
2013-11-06
October 30 Call
IDESG TFTM Committee7
The rationale for
• The rationale for establishing an IDESG-Acknowledged ID Ecosystem (interim or long-term) is:• The same as establishing any Standards-
based program• To acknowledge the conforming participants
from the Internet ID Ecosystem• To influence service providers to use sound
practices• To signal to service consumers that there are
minimum acceptable standards of operation2013-11-06
October 30 Call
IDESG TFTM Committee8
The value in participating
• To enable identity solution and ‘online community’ participants to be recognized as being or strive to become recognized as participating in the IDESG-acknowledged ID Ecosystem
• For the cross-endorsement of participants to instill trusted brand power and the beginnings of a network effect for identity solution trust brands• i.e. The companies would not identify with it if it brings their
brand into disrepute• To assure consumers/citizens/individuals that certain standards
have been met and policies & practices are in place• To act as a finding aid for identity services consumers to locate
‘trustworthy’ service providers• To enable participants to promote participation as a service
differentiator
2013-11-06
October 30 Call
IDESG TFTM Committee9
What is “Interim”
2013-11-06
October 30 Call
IDESG TFTM Committee10
The sense of “Interim”
• An initial group (as identified by IDESG) of ‘online communities’ which demonstrate that they meet the basic requirements of the Interim stage• E.g. have been certified and accredited by an IDESG-vetted
accreditation body• E.g. self-assert that they satisfy the NSTIC Derived
Requirements
• A period of time prior to a declared start date of an IDESG-acknowledged ID Ecosystem in which potential participants can prepare for and receive accreditation
• A period during which any identity solutions can self-assert participation and satisfy requirements• A Transition period would be required to formally verify the
validity of these claims
2013-11-06
October 30 Call
IDESG TFTM Committee11
IDESG-Acknowledged
Interim Ecosystem: Described
2013-11-06
October 30 Call
IDESG TFTM Committee12
What is the Interim thing?
• Consists of a few or several ‘Online Communities’ that are well-defined, well-governed, in operation, appear to be stable, satisfy the NSTIC Derived Requirements and have a positive track record of privacy and security management.
2013-11-06
October 30 Call
IDESG TFTM Committee13
These ‘Online Communities’:
• Have community-defined, documented and enforced:• Interoperability Standards; Shared risk model; Privacy policy, requirements and
accountability mechanisms; Liability policy and requirements
• Have community-defined, documented and enforced:• Policy, standards and processes that govern the activities of community members
• Can demonstrate that they satisfy all of the NSTIC Derived Requirements• Can describe the types of community-member interactions or transactions
that rely on identity- or attribute-related services• Can demonstrate a track record of consistent application of the Community
Rules; and the ability to detect, respond to and repair security and privacy breaches
• Have policies and processes for adding new members and revoking membership in the Community
• Have documented processes for handling interactions with entities that are not community members
• Have a business model that appears to support the activities of the Community
2013-11-06
October 30 Call
IDESG TFTM Committee14
TFTM 01-02TFTM Committee working call to discuss how to
describe the “IDESG-Acknowledged Identity Ecosystem” in its interim or long term state.
2013 November 06 Call
2013-11-06
NOTE: The notes section of each slide captures the discussion about that slide from the October 30 meeting.
November 6 Call Starts
Here
IDESG TFTM Committee15
A Few Quick Points
• Rationale for Interim state: • To influence Online Communities & Participants
towards conformance with IDESG Requirements• To start a virtuous cycle of association of IDESG brand
with highly visible companies, brands and associations• To demonstrate elements of the Value Proposition for
participating in the IDESG-Acknowledged ID Ecosystem
• To learn and fine tune tactics for the longer term
• Consider using “Initial” instead of “Interim” to keep evolution/maturity concepts
2013-11-06
November 6 Call
IDESG TFTM Committee16
IDESG-Acknowledged ID Ecosystem – Interim/Initial State
Description
• Consists of a few or several ‘Online Communities’ that are well-defined, well-governed, in operation, appear to be stable, satisfy the NSTIC Derived Requirements and have a positive track record of privacy and security management.
• ‘Online Communities’ have documented & self-defined ‘Trust Frameworks’ and use one or more ‘ID Solutions’: Federated Authentication/Credentials; Web Single Sign On; Centralized/Directory Authentication
2013-11-06
November 6 Call
IDESG TFTM Committee17
Requirements Gathering
1. Start with the NPO NSTIC Derived Requirements (as a proxy for the Guiding Principles)
2. Determine Legal Requirements: What contracts needed? Is IDESG liable or providing implicit warranty? What Trust Mark licensing is needed for Interim state?
3. Determine Operational Requirements
4. ???2013-11-06
November 6 Call
IDESG TFTM Committee18
Selecting The Initial Participants
• Use ‘Online Communities’ as the granularity of participant selection
• Pick which interaction/transaction types should be showcased in the first group of ‘Online Communities’: C2G; G2C; B2B; B2C (hopefully mostly on the ‘B’ and ‘C’ end)
• Select ‘Online Communities’ that have strong brand power and high visibility to non-Identity-Focused companies, individuals and organizations
• Select ‘Online Communities’ that use 3rd party Certification & Accreditation of their participants
• Select based on large total number of Individuals, Businesses and Organizations in the ‘Online Community’?
• All viable NSTIC Pilot Grant Awardees plus ‘big name’ Federations?
2013-11-06
November 6 Call
IDESG TFTM Committee19
Feature Preferences?
• If you had to pick one or two of…• Non-password credentials only• Credential/Authentication portability/interoperability
between initial group of ‘Online Communities’• i.e. The Individual observes that they can use a single
credential to access a range of services that previously had their own unique credentials/user accounts
• Multiple or Single Industry Sector focus?• Public sector-verified attributes available for private
sector transactions?• Improvements to security, privacy, usability and
interoperability that result in real but ‘Invisible’ benefits?• ???
2013-11-06
November 6 Call
IDESG TFTM Committee20
Business Scenario Preferences?
• Do we describe (and choose initial participants based on) a single scenario that is difficult to do using non-IDESG-Acknowledged ID Solutions, but would be less frustrating from end to end?
• Do we choose initial ‘Online Communities’ that are mature and sound at the expense of interoperability between those ‘Online Communities’?
• Do we choose based on a preferred outcome?• E.g. fraud reduction; seamless user experience; retail experience
efficiency; proof that stronger credentials are possible and easy to use; proof that externalization of authentication is good for business
• Do we choose to emphasize added value for one or several primary Participants (e.g. the Individual, the IDP/CSP, the eService Provider/RP) or do we value balanced benefit more?
2013-11-06
November 6 Call
IDESG TFTM Committee21
Next Steps?
• Andrew to start writing up the document
• And…?
2013-11-06
November 6 Call