
[email protected] - October 2013 - IDESG Version

NSTIC ID Ecosystem: A Conceptual Model

v03

Andrew Hughes, October 2013


This version of the slide deck has been contributed to the IDESG.

This slide deck was originally created September 2013 by Andrew Hughes – please contact for more information or comments. This deck builds upon material in the presentation deck originally presented to IDESG Committees at the July 2013 IDESG Plenary meeting at MIT.

The content of this slide deck is the opinion of the author based on many discussions, experience, analysis and received feedback. The concepts have not been formally approved or endorsed by the IDESG Plenary.

[email protected]

This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.


Objectives

• To describe the NSTIC ID Ecosystem focusing on the interactions between members of an “online community”*

• To describe how major NSTIC Strategy Document elements work together to define an NSTIC ID Ecosystem and its participants

* The “Online Community” is central to the NSTIC ID Ecosystem concept and comes directly from the NSTIC Strategy document.


Context

• This ‘conceptual model’ sits above items such as standards, use cases, functional models

• The intent is to offer a view of what the target state NSTIC ID Ecosystem might look like and give structure to the components of the NSTIC ID Ecosystem


The NSTIC ID Ecosystem*

will consist of different online communities that use interoperable technology, processes, and policies

*Source: The NSTIC Strategy Document


Take-away Concepts

• A defining characteristic of the NSTIC ID Ecosystem is that it is comprised of “online communities”* interacting in a variety of ways

* The term “online communities”, while not perfect, should be used until IDESG determines the best replacement term and creates an IDESG Vision statement.


NSTIC Vision*

Individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity solutions to access online services in a manner that promotes confidence, privacy, choice, and innovation.

*Source: The NSTIC Strategy Document


Take-away Concepts

• Access to online services is the central concept of the Vision

• “Identity Solutions” enable access to online services

• The online services and identity solutions must have features and capabilities that encourage adoption and use, and mitigate concerns and barriers to acceptance


Trust Framework*

• developed by a community

• defines the rights and responsibilities of that community’s participants

• specifies the policies and standards specific to the community

• defines the community-specific processes and procedures that provide assurance

• considers the level of risk associated with the transaction types of its participants

*Source: The NSTIC Strategy Document


Take-away Concepts

• The “online community” sets its own policies, standards and rules around the transactions and interactions of its members


In A Nutshell (these bullets capture the essence of an NSTIC ID Ecosystem)

• “Online communities” set their own rules according to their members’ needs

• “Online communities” interact with each other in the NSTIC ID Ecosystem

• The rules of different “online communities” might be different

• Access to online services enabled by identity solutions is at the heart of the NSTIC ID Ecosystem


NSTIC ID Ecosystem?

(Figure: “online communities” drawn inside the boundary of the ID Ecosystem Framework Rules; arrows = inter-community interactions.)


Take-away Concepts

• “Online communities” ‘inside the line’ have been evaluated against the ID Ecosystem Framework policies, standards and rules

• These communities meet the conditions of inclusion

• The nature of the inter-community interactions is currently not standardized or regularized – they are custom built

• Although there are “online communities” outside the NSTIC ID Ecosystem, they are not shown here


“Online Community”

• Take a closer look at the internal structure of an NSTIC-y “online community”


A Proposed Point of View

• Within an “online community”, think of ‘Access to Online Services’ as an interaction or transaction between a provider and receiver of that online service

• The provider, receiver and service must abide by the rules of the “online community” – the Trust Framework rules

• (Now, and in the future) The online service receiver can choose which providers and services (and Communities!) meet their needs, including privacy, security, reliability, ease of use, confidence, etc.

• The online service provider defines what an online service consumer must do in order to receive service – the “Terms of Service”

• Some terms might be satisfied by presenting third-party credentials or tokens; or by payment; or by group affiliation or membership


The ‘Transaction’ Point of View

In this point of view the working unit is the interaction-transaction between provider and receiver, plus the ‘Terms of Service’, plus the ‘Fulfillment’ of those terms meeting the community’s Trust Framework rules – everything else exists to support this interaction


A “Community” Unit

(Figure: an e-Service Provider and an e-Service Consumer/Receiver joined by a Transaction / Interaction, with the provider’s Terms of Service and the consumer’s Fulfillment of Terms, all enclosed by the Community Trust Framework Rules; several such units of differing Transaction Type / Interaction Type are stacked within one community.)


Where’s the IdP?

• For that matter, where’s the CSP, CA, IdP/V, RP and all the other Assurance, Trust and Identity bits?

• This conceptual model considers them to be the means by which Terms of Service are expressed and fulfilled – so they do not appear at this level of abstraction


An “Online Community”

The Community

• Shared values, beliefs, principles

• Common goals and objectives

• Has ‘tools’ for joining

• Has ‘tools’ for locating

• Could be mandated by law

The Transaction

• A particular set of commercial, social, ‘social contract’, or information exchanges that exist for the community, in support of their common goals

Business

• Shared need to perform transactions in the context of the community

Legal

• Trust Framework agreements

• Commercial contracts

• Legal Framework

Technical

• Protocol suites & capability

• Network Connectivity

• Shared Standards

(Figure: all of the above sit within the “online community” and its Trust Framework Rules.)


“Terms of Service”

• The provider states the “Terms of Service” for transacting or interacting with their online service

• The Terms must comply with the “online community” Trust Framework Rules, including accessibility, privacy, security, etc.

• The individual/receiver/consumer chooses which providers to interact with, in part based on the Terms offered


Identity Solutions

• Imagine some possible Terms of Service:

• “Give me these attributes, cryptographically signed by an Attribute Provider I recognize, so I can verify your eligibility”

• “Prove that you have authenticated successfully with an IdP I have a trust relationship with”

• “Prove that you did the authentication with a Level 4 Credential”

• That’s where they are – the ‘typical’ Identity Solutions and services are support mechanisms to enable Terms that leverage third party identity and credential services
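As an added example (not part of the original deck), the three Terms above modelled as a provider-side check: the e-Service Provider accepts a presentation only when the attribute assertion is signed by an Attribute Provider it recognizes, the authentication assertion comes from an IdP it trusts, and the credential level meets the stated minimum. The issuer names, shared keys and HMAC-based signing are constructed assumptions standing in for whatever signature scheme a community's Trust Framework actually mandates.

```python
import hashlib, hmac, json
from dataclasses import dataclass

# Constructed trust relationships for one e-Service Provider (hypothetical issuers and keys; a real community would use public-key signatures).
RECOGNIZED_ATTRIBUTE_PROVIDERS = {"ap.example": b"ap-shared-secret"}
TRUSTED_IDPS = {"idp.example": b"idp-shared-secret"}

def sign(key: bytes, payload: dict) -> str:
    """HMAC-SHA256 over a canonical JSON encoding of the unsigned assertion."""
    return hmac.new(key, json.dumps(payload, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def issued_by_recognized_party(issuer_keys: dict, assertion: dict) -> bool:
    """True only if the issuer is one we recognize and its signature verifies."""
    key = issuer_keys.get(assertion.get("issuer"))
    if key is None:
        return False
    unsigned = {k: v for k, v in assertion.items() if k != "sig"}
    return hmac.compare_digest(sign(key, unsigned), assertion.get("sig", ""))

@dataclass(frozen=True)
class TermsOfService:
    required_attributes: tuple  # attributes the provider needs to decide eligibility
    min_credential_level: int   # e.g. 4 for "Level 4 Credential"

def terms_fulfilled(terms: TermsOfService, attr_assertion: dict, auth_assertion: dict) -> tuple:
    """Evaluate what the consumer presented against the provider's Terms of Service."""
    if not issued_by_recognized_party(RECOGNIZED_ATTRIBUTE_PROVIDERS, attr_assertion):
        return False, "attribute assertion not validly signed by a recognized Attribute Provider"
    missing = [a for a in terms.required_attributes if a not in attr_assertion["attributes"]]
    if missing:
        return False, "missing attributes: " + ", ".join(missing)
    if not issued_by_recognized_party(TRUSTED_IDPS, auth_assertion):
        return False, "authentication not validly asserted by a trusted IdP"
    if auth_assertion["credential_level"] < terms.min_credential_level:
        return False, "credential level below the Terms' minimum"
    return True, "terms fulfilled"

def demo() -> dict:
    """Constructed presentations: one compliant, one too weak, one tampered with."""
    terms = TermsOfService(required_attributes=("age_over_18",), min_credential_level=4)
    attrs = {"issuer": "ap.example", "attributes": {"age_over_18": True}}
    attrs["sig"] = sign(RECOGNIZED_ATTRIBUTE_PROVIDERS["ap.example"], attrs)
    auth = {"issuer": "idp.example", "credential_level": 4}
    auth["sig"] = sign(TRUSTED_IDPS["idp.example"], auth)
    weak_auth = {"issuer": "idp.example", "credential_level": 2}
    weak_auth["sig"] = sign(TRUSTED_IDPS["idp.example"], weak_auth)
    tampered = dict(attrs, attributes={"age_over_18": False})  # signature no longer matches
    return {"ok": terms_fulfilled(terms, attrs, auth),
            "weak": terms_fulfilled(terms, attrs, weak_auth),
            "tampered": terms_fulfilled(terms, tampered, auth)}
```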


Some Examples of “Terms”

Business

• Payment / Money

• Information

• Eligibility

Legal

• Contract / Agreement

• Terms and Conditions

• Lawfulness

Technical

• Protocols & Standards

• Crypto capability

• Electronic Tokens & Credentials

• Other technical capabilities


Entering the Ecosystem

• An “online community” becomes a formal participant in the NSTIC ID Ecosystem through an Accreditation Program

• The Accreditation Program is being designed by teams in the IDESG

• The Accreditation Program will be documented within the ID Ecosystem Framework


ID Ecosystem Framework*

the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem

*Source: The NSTIC Strategy Document


Accreditation

• IDESG, via the Accreditation Authority:

• Assesses an “online community” and its participants against the Trust Framework (Operating Rules) defined by that particular “online community”

• Confers Trustmarks to signal to participants that Assessments and Accreditation have been done to a known standard


Accreditation Authority*

assesses and validates identity providers, attribute providers, relying parties, and identity media, ensuring that they all adhere to an agreed-upon trust framework (the community’s trust framework)

*Source: The NSTIC Strategy Document


Trust Framework*, redux

• developed by a community

• defines the rights and responsibilities of that community’s participants

• specifies the policies and standards specific to the community

• defines the community-specific processes and procedures that provide assurance

• considers the level of risk associated with the transaction types of its participants

*Source: The NSTIC Strategy Document


Interoperable?

• Interoperability within an “online community” is a defining feature of “online communities”

• IDESG could foster technology, process and policy interoperability between “online communities” by defining common Accreditation Patterns for the inter-Community interactions

• IDESG, via the Accreditation Authority, could assess and issue Trustmarks for the inter-Community interactions


Recap

• “Online communities” set their own rules according to their members’ needs

• “Online communities” interact with each other in the NSTIC ID Ecosystem

• The rules of different “online communities” may be different

• Access to online services enabled by identity solutions is at the heart of the NSTIC ID Ecosystem

• IDESG serves to establish the ID Ecosystem Framework and Programs needed to identify and evaluate “online communities” seeking to participate in the NSTIC ID Ecosystem


NSTIC ID Ecosystem?

(Figure, repeated from earlier: “online communities” inside the ID Ecosystem Framework Rules; arrows = inter-community interactions.)


A “Community” Unit

(Figure, repeated from earlier: e-Service Provider and e-Service Consumer/Receiver joined by a Transaction / Interaction, with Terms of Service and Fulfillment of Terms, within the Community Trust Framework Rules; several units of differing Transaction Type / Interaction Type stacked within one community.)


Next Steps

• Develop narrative scenarios that explain what an individual might experience when seeking services or engaging with a provider of services

• Refine the concept of ‘Terms of Service’

• Develop examples that explain how this new concept relates to real-world implementations

• Define the nature of ‘interoperable interactions’ between “online communities”

• What policy, protocol, technology or practice conditions must exist in order to be considered ‘interoperable’?

• Relate the conceptual model to other IDESG work products

• How does this model fit the work already completed in Standards, Security, Privacy, Functional Model, etc?


Your Feedback

• Please consider commenting on this slide deck at www.idimmusings.com

• Feedback, questions, concerns are welcome, please direct to [email protected]