The Identity Ecosystem will consist of different online communities that use interoperable technology, processes, and policies. These will be developed over time—but always with a baseline of privacy, interoperability, and security. The different components include:
- The Identity Ecosystem Framework is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.
- A steering group will administer the process for policy and standards development for the Identity Ecosystem Framework in accordance with the Guiding Principles in this Strategy. The steering group will also ensure that accreditation authorities validate participants’ adherence to the requirements of the Identity Ecosystem Framework.
- A trust framework is developed by a community whose members have similar goals and perspectives. It defines the rights and responsibilities of that community’s participants in the Identity Ecosystem; specifies the policies and standards specific to the community; and defines the community-specific processes and procedures that provide assurance. A trust framework considers the level of risk associated with the transaction types of its participants; for example, for regulated industries, it could incorporate the requirements particular to that industry. Different trust frameworks can exist within the Identity Ecosystem, and sets of participants can tailor trust frameworks to meet their particular needs. In order to be a part of the Identity Ecosystem, all trust frameworks must still meet the baseline standards established by the Identity Ecosystem Framework.
- An accreditation authority assesses and validates identity providers, attribute providers, relying parties, and identity media, ensuring that they all adhere to an agreed-upon trust framework. Accreditation authorities can issue trustmarks to the participants that they validate.
- A trustmark scheme is the combination of criteria that is measured to determine service provider compliance with the Identity Ecosystem Framework.
The Identity Ecosystem Framework provides a baseline set of standards and policies that apply to all of the participating trust frameworks. This baseline is more permissive at the lowest levels of assurance, to ensure that it does not serve as an undue barrier to entry, and more detailed at higher levels of assurance, to ensure that participants have adequate protections.
The Identity Ecosystem Framework will not be developed overnight. It will take time for different participants to reach agreement on all of the policy and technical standards necessary to fulfill the Strategy’s vision. Initially, the Identity Ecosystem Framework is likely to contain a fairly minimal set of commonly agreed upon standards. The Identity Ecosystem Framework will become more robust over time as participants are able to come to agreement on different standards.
Trust frameworks enable communities to elaborate upon the baseline standards and policies from the Identity Ecosystem Foundation. For example, there may be a trust framework for the identification of computer network cards. As another example, mobile phone providers have specific technical needs. Carriers may thus join a trust framework to enable individuals to authenticate using their cell phones as a credential.
One or more private-sector accreditation authorities may be necessary to implement a trust framework. Accreditation authorities validate identity providers, attribute providers, and relying parties, ensuring that they meet the policies and standards set by the trust framework. Existing private-sector organizations already serve in this role in some sectors and can participate in the Identity Ecosystem if they so choose. A public-private steering group will ensure that accreditation authorities maintain the minimum requirements of the Identity Ecosystem Framework when they issue trustmarks.
Figure 4 illustrates multiple trust frameworks built upon the foundation of the Identity Ecosystem Framework. This baseline ensures underlying interoperability such that credentials can be relied upon even when the participants are in different trust frameworks.
The accreditation process and trustmarks can foster trust among all Identity Ecosystem participants. The trustmark is a mechanism for efficiently communicating the policies and technologies that a participant supports. For individuals, the trustmark is a simple alternative to reading documents like terms of service or detailed privacy policies: it can provide an easy means of identifying service providers who abide by a set of uniform policies.