nstic id ecosystem a conceptual model v03 andrew hughes october 2013 [email protected] -...
TRANSCRIPT
[email protected] - October 2013 - IDESG Version
1
NSTIC ID EcosystemA Conceptual Model
v03
Andrew HughesOctober 2013
[email protected] - October 2013 - IDESG Version
2
This version of the slide deck has been contributed to the IDESG.
This slide deck was originally created September 2013 by Andrew Hughes – please contact for more information or comments. This deck builds upon material in the presentation deck originally presented to IDESG Committees at the July 2013 IDESG Plenary meeting at MIT.
The content of this slide deck is the opinion of the author based on many discussions, experience, analysis and received feedback. The concepts have not been formally approved or endorsed by the IDESG Plenary.
This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
[email protected] - October 2013 - IDESG Version
3
Objectives
• To describe the NSTIC ID Ecosystem focusing on the interactions between members of an “online community”*
• To describe how major NSTIC Strategy Document elements work together to define an NSTIC ID Ecosystem and its participants
* The “Online Community” is central to the NSTIC ID Ecosystem concept
and comes directly from the NSTIC Strategy document.
[email protected] - October 2013 - IDESG Version
4
Context
• This ‘conceptual model’ sits above items such as standards, use cases, functional models
• The intent is to offer a view of what the target state NSTIC ID Ecosystem might look like and give structure to the components of the NSTIC ID Ecosystem
[email protected] - October 2013 - IDESG Version
5
The NSTIC ID Ecosystem*
will consist of different online communities
that use interoperable
technology, processes, and policies
*Source: The NSTIC Strategy Document
[email protected] - October 2013 - IDESG Version
6
Take-away Concepts
• A defining characteristic of the NSTIC ID Ecosystem is that it is comprised of “online communities”* interacting in a variety of ways
* The term “online communities”, while not perfect, should be used until IDESG determines the best replacement term and creates an IDESG Vision statement.
[email protected] - October 2013 - IDESG Version
7
NSTIC Vision*
Individuals and organizations
utilize secure, efficient, easy-to-use and interoperable identity solutions
to access online services
in a manner that promotes confidence, privacy, choice, and
innovation.
*Source: The NSTIC Strategy Document
[email protected] - October 2013 - IDESG Version
8
Take-away Concepts
• Access to online services is the central concept of the Vision
• “Identity Solutions” enable access to online services
• The online services and identity solutions must have features and capabilities that encourage adoption and use, and mitigate concerns and barriers to acceptance
[email protected] - October 2013 - IDESG Version
9
Trust Framework*
• developed by a community
• defines the rights and responsibilities of that community’s participants
• specifies the policies and standards specific to the community
• defines the community-specific processes and procedures that provide assurance
• considers the level of risk associated with the transaction types of its participants
*Source: The NSTIC Strategy Document
[email protected] - October 2013 - IDESG Version
10
Take-away Concepts
• The “online community” sets their own policies, standards and rules around the transactions and interactions of their members
[email protected] - October 2013 - IDESG Version
11
In A Nutshell(these bullets capture the essence of an NSTIC ID
Ecosystem)
• “Online communities” set their own rules according to their members’ needs
• “Online communities” interact with each other in the NSTIC ID Ecosystem
• The rules of different “online communities” might be different
• Access to online services enabled by identity solutions is at the heart of the NSTIC ID Ecosystem
[email protected] - October 2013 - IDESG Version
12
NSTIC ID Ecosystem?
ID Ecosystem Framework Rules
Arrows = Inter-community
interactions
Online Communiti
es
[email protected] - October 2013 - IDESG Version
13
Take-away Concepts
• “Online communities” ‘inside the line’ have been evaluated against the ID Ecosystem Framework policies, standards and rules• These communities meet the conditions of inclusion
• The nature of the inter-community interactions is currently not standardized or regularized – they are custom built
• Although there are “online communities” outside the NSTIC ID Ecosystem, they are not shown here
[email protected] - October 2013 - IDESG Version
14
“Online Community”
• Take a closer look at the internal structure of an NSTIC-y “online community”
[email protected] - October 2013 - IDESG Version
15
A Proposed Point of View
• Within an “online community”, think of ‘Access to Online Services’ as an interaction or transaction between a provider and receiver of that online service
• The provider, receiver and service must abide by the rules of the “online community” – the Trust Framework rules
• (Now, and in the future) The online service receiver can choose which providers and services (and Communities!) meet their needs, including privacy, security, reliability, ease of use, confidence, etc.
• The online service provider defines what an online service consumer must do in order to receive service – the “Terms of Service”• Some terms might be satisfied by presenting third-party credentials
or tokens; or by payment; or by group affiliation or membership
[email protected] - October 2013 - IDESG Version
16
The ‘Transaction’ Point of View
In this point of view the working unit is
the interaction-transaction between provider and receiverplus the ‘Terms of Service’ plus the Fulfillment’ of those terms meeting the community’s Trust Framework rules
– everything else exists to support this interaction
[email protected] - October 2013 - IDESG Version
17
A “Community” Unit
e-Service Provider
e-Service Consumer
Transaction
Interaction
Terms of Service
Fulfillment of Terms
Community Trust Framework Rules
e-Service Provider
e-Service Consumer
Transaction
Interaction
Terms of Service
Fulfillment of Termse-Service
Provider
e-Service Consumer
Transaction
Interaction
Terms of Service
Fulfillment of Termse-Service
Provider
e-Service Consumer
Transaction
Interaction
Terms of Service
Fulfillment of Termse-Service
Provider
e-Service Receiver
Transaction Type-Interaction Type
Terms of Service
Fulfillment of Terms
[email protected] - October 2013 - IDESG Version
18
Where’s the IdP?
• For that matter, where’s the CSP, CA, IdP/V, RP and all the other Assurance, Trust and Identity bits?
• This conceptual model considers them to be the means by which Terms of Service are expressed and fulfilled – so they do not appear at this level of abstraction
[email protected] - October 2013 - IDESG Version
19
An “Online Community”
The Community• Shared values, beliefs,
principles• Common goals and objectives• Has ‘tools’ for joining• Has ‘tools’ for locating• Could be mandated by law
The Transaction• A particular set of commercial,
social, ‘social contract’, or information exchanges that exist for the community, in support of their common goals
Business• Shared need to perform
transactions in the context of the community
Legal• Trust Framework
agreements• Commercial contracts• Legal Framework
Technical• Protocol suites &
capability• Network Connectivity• Shared Standards
An “Online Community”
Trust Framework Rules
[email protected] - October 2013 - IDESG Version
20
• The provider states the “Terms of Service” for transacting or interacting with their online service• The Terms must comply with the “online
community” Trust Framework Rules, including accessibility, privacy, security, etc.
• The individual/receiver/consumer chooses which providers to interact with, in part based on the Terms offered
“Terms of Service”
[email protected] - October 2013 - IDESG Version
21
Identity Solutions
• Imagine some possible Terms of Service:• “Give me these attributes, cryptographically signed by
an Attribute Provider I recognize, so I can verify your eligibility”
• “Prove that you have authenticated successfully with an IdP I have a trust relationship with”
• “Prove that you did the authentication with a Level 4 Credential”
• That’s where they are – the ‘typical’ Identity Solutions and services are support mechanisms to enable Terms that leverage third party identity and credential services
[email protected] - October 2013 - IDESG Version
22
Some Examples of “Terms”
Business
• Payment / Money
• Information
• Eligibility
Legal
• Contract / Agreement
• Terms and Conditions
• Lawfulness
Technical
• Protocols & Standards
• Crypto capability
• Electronic Tokens & Credentials
• Other technical capabilities
[email protected] - October 2013 - IDESG Version
23
Entering the Ecosystem
• An “online community” becomes a formal participant in the NSTIC ID Ecosystem through an Accreditation Program
• The Accreditation Program is being designed by teams in the IDESG
• The Accreditation Program will be documented within the ID Ecosystem Framework
[email protected] - October 2013 - IDESG Version
24
ID Ecosystem Framework*
the overarching set of
interoperability standards, risk models,
privacy and liability policies, requirements, and
accountability mechanisms
that structure the Identity Ecosystem
*Source: The NSTIC Strategy Document
[email protected] - October 2013 - IDESG Version
25
Accreditation
• IDESG, via the Accreditation Authority:• Assesses an “online community” and its
participants against the Trust Framework (Operating Rules) defined by that particular “online community”
• Confers Trustmarks to signal to participants that Assessments and Accreditation has been done to a known standard
[email protected] - October 2013 - IDESG Version
26
Accreditation Authority*
assesses and validates
identity providers, attribute providers,
relying parties, and identity media,
ensuring that they all adhere to an agreed-upon trust framework
(the community’s trust framework)
*Source: The NSTIC Strategy Document
[email protected] - October 2013 - IDESG Version
27
Trust Framework*, redux
• developed by a community
• defines the rights and responsibilities of that community’s participants
• specifies the policies and standards specific to the community
• defines the community-specific processes and procedures that provide assurance
• considers the level of risk associated with the transaction types of its participants
*Source: The NSTIC Strategy Document
[email protected] - October 2013 - IDESG Version
28
Interoperable?
• Interoperability within an “online community” is a defining feature of “online communities”
• IDESG could foster technology, process and policy interoperability between “online communities” by defining common Accreditation Patterns for the inter-Community interactions
• IDESG, via the Accreditation Authority, could assess and issue Trustmarks for the inter-Community interactions
[email protected] - October 2013 - IDESG Version
29
Recap
• “Online communities” set their own rules according to their members’ needs
• “Online communities” interact with each other in the NSTIC ID Ecosystem
• The rules of different “online communities” may be different
• Access to online services enabled by identity solutions is at the heart of the NSTIC ID Ecosystem
• IDESG serves to establish the ID Ecosystem Framework and Programs needed to identify and evaluate “online communities” seeking to participate in the NSTIC ID Ecosystem
[email protected] - October 2013 - IDESG Version
30
NSTIC ID Ecosystem?
ID Ecosystem Framework Rules
Arrows = Inter-community
interactions
[email protected] - October 2013 - IDESG Version
31
A “Community” Unit
e-Service Provider
e-Service Consumer
Transaction
Interaction
Terms of Service
Fulfillment of Terms
Community Trust Framework Rules
e-Service Provider
e-Service Consumer
Transaction
Interaction
Terms of Service
Fulfillment of Termse-Service
Provider
e-Service Consumer
Transaction
Interaction
Terms of Service
Fulfillment of Termse-Service
Provider
e-Service Consumer
Transaction
Interaction
Terms of Service
Fulfillment of Termse-Service
Provider
e-Service Receiver
Transaction Type-Interaction Type
Terms of Service
Fulfillment of Terms
[email protected] - October 2013 - IDESG Version
32
Next Steps
• Develop narrative scenarios that explain what an individual might experience when seeking services or engaging with a provider of services
• Refine the concept of ‘Terms of Service’ • Develop examples that explain how this new concept relates to
real-world implementations
• Define the nature of ‘interoperable interactions’ between “online communities”• What policy, protocol, technology or practice conditions must
exist in order to be considered ‘interoperable’?
• Relate the conceptual model to other IDESG work products• How does this model fit the work already completed in Standards,
Security, Privacy, Functional Model, etc?
[email protected] - October 2013 - IDESG Version
33
Your Feedback
• Please consider commenting on this slide deck at www.idimmusings.com
• Feedback, questions, concerns are welcome, please direct to [email protected]