Identity Trust Framework


An Identity Trust Framework is a Trust Framework that attempts to "build" Trust by defining the rights and responsibilities of a community's participants within that community's Identity Ecosystem.

Identity Trust Frameworks are the "rules" or Policies for Federated Identity Management; the organizations that agree to follow these rules and participate are known as an Identity Federation.

Identity Trust Framework Policies#

An Identity Trust Framework is the set of rules and Policies that govern how the Identity Federation members will operate and interact, including:

Identity Trust Frameworks serve as the basis for the multilateral agreements among all of a federation’s members that enable the trust and governance of an Identity Federation’s operations.

National Strategy for Trusted Identities in Cyberspace Definition#

Identity Trust Frameworks are developed by a community whose members have similar goals and perspectives. A trust framework:
  • defines the rights and responsibilities of that community's participants
  • specifies the policies and standards specific to the community
  • defines the community-specific processes and procedures that provide assurance.

An Identity Trust Framework should address the level of risk associated with the transaction types of its participants; for example, for regulated industries, it could incorporate the requirements particular to that industry.

Different Identity Trust Frameworks can exist within the Identity Ecosystem, and communities of interest can tailor trust frameworks to meet their particular needs. In order to be a part of the Identity Ecosystem, all trust frameworks must still meet the baseline standards established by the Identity Ecosystem Framework.

A possible Direction.[1]#

An Identity Trust Framework is the governance structure for a specific Identity Ecosystem consisting of two major areas:
  • the Technical and Operational Specifications that have been developed:
    • to define requirements for the proper operation of the identity system (i.e., so that it works),
    • to define the roles and operational responsibilities of participants, and
    • to provide adequate assurance regarding the accuracy, integrity, privacy and security of its processes and data (i.e., so that it is trustworthy); and
  • the Legal Rules that govern the identity system and that:
    • regulate the content of the Technical and Operational Specifications,
    • make the Technical and Operational Specifications legally binding on and enforceable against the participants, and
    • define and govern the legal rights, responsibilities, and liabilities of the participants of the identity system.

Examples of Identity Trust Framework#

Although there are conflicting views on what an Identity Trust Framework is, these are some commonly used industry examples:
  • FICAM: processes and controls for determining an identity provider’s compliance to OMB M-04-04 Level of Assurance (LOA)
  • ISO 29115 Draft: a set of requirements and enforcement mechanisms for parties exchanging identity information
  • Kantara Trust Framework: a complete set of contracts, regulations or commitments that enable participating actors to rely on certain assertions by other actors to fulfill their information security requirements
  • OIX: a certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the identity service provider) and vice versa.
  • OITF Model: a set of technical, operational, and legal requirements and enforcement mechanisms for parties exchanging identity information
  • NATE
  • DirectTrust
  • SAFE-BioPharma
  • CertiPath
  • IdenTrust
  • InCommon
