Overview
Trust Model defines the Trust Policy of a Community of Interest Entity that acts as Identity Provider (IDP) and Relying Party (RP) for itself. Such an entity issues all identities that it recognizes, and only trusts identities that it has issued.

Entities want to trust identities issued by one another, but there is no outside governance or policy framework for them to do so. They negotiate a specific agreement that covers only the two of them. Each institution trusts the other to properly manage the identities that it issues.
Peer-to-peer Identity Trust Model
When no central Identity Provider (IDP) or governance agreement is present, participants assert their own identities and each individual decides who they trust and who they do not. Each participant is a peer with equal standing and each can communicate with anyone else in the network.

An Identity Provider (IDP) provides identities to both the requester and the Service Provider. In order to interact with one another, both must agree to trust the same Identity Providers (IDPs).
Federation Trust Model
A single, standard contract defines a limited set of roles and technologies, allowing similar types of institution to trust identities issued by one another.
- Mesh Federations - These share a common legal agreement, the contract that creates permissible interoperability.
- Technical Federations - These share a common technical hub responsible for making the interoperability happen.
- Inter-Federation Federations - These arise when one federation interoperates with another federation.
Individual Contract Wrappers
When providing information to a service, the requester also provides terms for how that information can be used. Service Providers agree to honor those terms in exchange for access to the data, and compliance is enforced through contract law. Terms might include an expiration date, limits on whether the data can be re-sold, or whether it can be used in aggregate form. This model is the mirror image of the Sole Source model.
Open Trust Frameworks Trust Model
A Trust Framework is a specification that describes a set of identity proofing, security, and privacy policies. The Trust Framework is authored by subject matter experts, and is written with the intent that compliance can be assessed. The framework also lists the qualifications that an assessor must have in order to judge compliance.
A Framework Listing Service provides a publicly visible location where Trust Frameworks can be published and tracked. The listing service sets guidelines for acceptable frameworks and accredits assessors to verify that services implement the frameworks properly.