A Conceptual Model for the NSTIC ID Ecosystem - Discussion Draft
1. NSTIC ID Ecosystem
A Conceptual Model
Andrew Hughes
September 2013
AndrewHughes3000@gmail.com - September 2013 1
2. This slide deck was created September 2013 by Andrew Hughes – please contact for more information or
comments. This deck builds upon material in the presentation deck originally presented to IDESG
Committees at the July 2013 IDESG Plenary meeting at MIT.
AndrewHughes3000@gmail.com
www.idimmusings.com
This work is licensed under the Creative Commons Attribution 3.0 Unported License. To view a copy of
this license, visit http://creativecommons.org/licenses/by/3.0/ or send a letter to Creative Commons, 444
Castro Street, Suite 900, Mountain View, California, 94041, USA.
3. Introduction
• The IDESG is seeking a way to represent the ID
Ecosystem and ID Ecosystem Framework
concepts
• Currently, there is no simple image that captures
what the ID Ecosystem is as envisioned in the
NSTIC Strategy document
• This deck is an attempt to build a conceptual
model that shows the nature of the ID Ecosystem
and its essential aspects
4. Objectives
• To describe the ID Ecosystem from the point of
view of an “Online Community”, its Transactions
and the role of the IDESG
• To demonstrate a conceptual model of the ID
Ecosystem that can be used as a tool to discover
potential ecosystem participants and to explain
what it means to be part of the ecosystem
5. Design Considerations
• The transaction between Online Community Members is the
central concern: all else exists to support the transaction
• Must embody the NSTIC Guiding Principles
• ID Solutions will be: privacy-enhancing and voluntary; secure
and resilient; interoperable; cost-effective and easy to use
• The conceptual model must be able to explain all possible
ID Ecosystem candidate members
• The conceptual model must predict flexibility in design of the
ID Ecosystem
• Start the conceptual model at the highest level of abstraction
and slowly increase the specificity
6. NSTIC Vision*
Individuals and organizations
utilize secure, efficient, easy-to-use and
interoperable identity solutions
to access online services
in a manner that
promotes confidence, privacy, choice, and
innovation.
*Source: The NSTIC Strategy Document
7. The ID Ecosystem*
will consist of
different online communities
that use
interoperable
technology, processes, and policies
*Source: The NSTIC Strategy Document
8. Trust Framework*
• developed by a community
• defines the rights and responsibilities of that
community's participants
• specifies the policies and standards specific to the
community
• defines the community-specific processes and
procedures that provide assurance
• considers the level of risk associated with the
transaction types of its participants
*Source: The NSTIC Strategy Document
9. The Central Concern
• The relationship and transactions that drive most (not all!) of
the requirements and use cases:
The transaction between the e-Service Provider and their Customer
• The e-Service Provider tells the Customer the Terms of
Service for the transaction
• The Customer fulfills the Terms of Service in order to receive
service
• All else exists to support, facilitate, and secure these
interactions!
10. The View From The Moon
[Diagram: The Online Community, in which an e-Service Provider and an e-Service Consumer are linked by a Transaction made up of Terms of Service and Fulfillment of Terms]
11. Where's the IdP?
• For that matter, where's the CSP, CA, IDPV, RP?
• This conceptual model does not need them at the
highest levels of abstraction
• Wait for it – it's coming up in a few slides
12. The View From Voyager 1
THE NSTIC ID ECOSYSTEM!
13. ID Ecosystem Framework*
the overarching set of
interoperability standards,
risk models,
privacy and liability policies,
requirements, and
accountability mechanisms
that structure the Identity Ecosystem
*Source: The NSTIC Strategy Document
14. The View From The 757
• The next three slides:
• The Online Community
• “Terms of Service”
• Fulfillment of Terms
• Keep in mind:
• The elements listed on the next few slides, constrained by
and driven by IDESG designated interoperability
standards, risk models, privacy and liability policies,
requirements, and accountability mechanisms
ARE the ID Ecosystem Framework
15. The “Online Community”
[Diagram: The Online Community]
The Community
• Shared values, beliefs, principles
• Common goals and objectives
• Has ‘tools’ for joining
• Has ‘tools’ for locating
• Could be mandated by law
The Transaction
• A particular set of commercial, social, ‘social contract’, information exchanges that exist for the community, in support of their common goals
Business
• Shared need to perform transactions in the context of the community
Legal
• Trust Framework agreements
• Commercial contracts
• Legal Framework
Technical
• Protocol suites & capability
• Network Connectivity
• Shared Standards
16. “Terms of Service”
Business
• Payment / Money
• Information
• Eligibility
Legal
• Contract / Agreement
• Terms and Conditions
• Lawfulness
Technical
• Protocols & Standards
• Crypto capability
• Electronic Tokens &
Credentials
• Other technical capabilities
17. IdP, IDPV, Credentials, Tokens
• Imagine some likely Terms of Service:
• Give me these attributes, cryptographically signed by an
Attribute Provider I recognize, so I can verify your eligibility
• Prove that you have authenticated successfully with an
IdP I have a trust relationship with
• Prove that you did the authentication with a Level 4
Credential
• That’s where they are – the ‘typical’ federation entities
are support mechanisms to enable Terms that
leverage ‘outsourced/externalized/federated’ services
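The three Terms of Service on this slide, worked through as an added example that is not part of the deck: the e-Service Provider states its terms as a small policy, the Consumer presents a fulfillment bundle of assertions, and the Provider accepts only what a recognized Attribute Provider or trusted IdP has signed. Shared HMAC keys stand in for the trust relationships; the provider names, keys, attribute name and level values are all constructed assumptions.

```python
import hmac, hashlib, json

# Constructed trust relationships of one e-Service Provider: a shared HMAC key
# stands in for each recognized Attribute Provider and trusted IdP (hypothetical names).
RECOGNIZED_ATTRIBUTE_PROVIDERS = {"ap.example": b"ap-shared-key"}
TRUSTED_IDPS = {"idp.example": b"idp-shared-key"}

def sign(key: bytes, payload: dict) -> str:
    """Issuer side: HMAC-SHA256 over a canonical JSON encoding of the payload."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

def verified(keys: dict, assertion: dict) -> bool:
    """Provider side: the issuer must be one we recognize AND the signature must match."""
    key = keys.get(assertion.get("issuer"))
    if key is None:
        return False  # unknown issuer: no trust relationship, so the assertion counts for nothing
    return hmac.compare_digest(sign(key, assertion.get("payload", {})), assertion.get("signature", ""))

def assertion(issuer: str, key: bytes, payload: dict) -> dict:
    """Package a signed assertion the way the Consumer would present it."""
    return {"issuer": issuer, "payload": payload, "signature": sign(key, payload)}

# Terms of Service stated by the e-Service Provider (the slide's three terms).
TERMS = {"required_attributes": ["age_over_18"], "min_credential_level": 4}

def unmet_terms(terms: dict, fulfillment: dict) -> list:
    """Return the terms the Consumer's fulfillment bundle fails to satisfy (empty = admitted)."""
    failures = []
    attrs = fulfillment.get("attributes", {})
    if not verified(RECOGNIZED_ATTRIBUTE_PROVIDERS, attrs):
        failures.append("attributes not signed by a recognized Attribute Provider")
    elif any(not attrs["payload"].get(a) for a in terms["required_attributes"]):
        failures.append("required attribute missing or false")
    auth = fulfillment.get("authentication", {})
    if not verified(TRUSTED_IDPS, auth):
        failures.append("authentication not asserted by a trusted IdP")
    elif auth["payload"].get("credential_level", 0) < terms["min_credential_level"]:
        failures.append("credential level below the required level")
    return failures

# Constructed fulfillment bundles: one meets the terms, one fails two of them.
GOOD = {"attributes": assertion("ap.example", b"ap-shared-key", {"age_over_18": True}),
        "authentication": assertion("idp.example", b"idp-shared-key", {"credential_level": 4})}
BAD = {"attributes": assertion("unknown.example", b"other-key", {"age_over_18": True}),
       "authentication": assertion("idp.example", b"idp-shared-key", {"credential_level": 3})}

if __name__ == "__main__":
    print(unmet_terms(TERMS, GOOD))  # []
    print(unmet_terms(TERMS, BAD))
```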
18. Fulfillment of Terms
Business
• Payment / Money
• Information
• Eligibility Proof
Legal
• Contract / Agreement
• Terms and Conditions
• Lawfulness
Technical
• Protocols & Standards
• Crypto capability
• Electronic Tokens &
Credentials
• Other technical capabilities
20. A Question of Trust
• Question:
Who should the Online Community trust?
• Answer:
Community participants accredited by an Accreditation
Authority
• Question:
Whose Trust Framework does the Accreditation
Authority assess against?
• Answer:
The Community's Trust Framework, of course
21. Accreditation Authority*
assesses and validates
identity providers,
attribute providers,
relying parties,
and identity media,
ensuring that they all adhere
to an agreed-upon trust framework
(the community’s trust framework)
*Source: The NSTIC Strategy Document
22. Trust Framework*, redux
• developed by a community
• defines the rights and responsibilities of that
community's participants
• specifies the policies and standards specific to the
community
• defines the community-specific processes and
procedures that provide assurance
• considers the level of risk associated with the
transaction types of its participants
*Source: The NSTIC Strategy Document
23. Who Do You Trust?
• IDESG, via the Accreditation Authority:
• Assesses the Online Community and its participants
against that Online Community's Trust Framework
(Operating Rules)
• Confers Trustmarks to signal to participants that
Assessment and Accreditation have been done to a
known standard
24. Interoperate Me
• Interoperability within an Online Community is a
defining feature of Online Communities
• IDESG could foster technology, process and
policy interoperability between Online
Communities by defining common Accreditation
Patterns for the inter-Community interactions
• IDESG, via the Accreditation Authority, could
assess and issue Trustmarks for the inter-Community interactions
25. Now What?
• Starting with the conceptual model rationale in this
presentation, to build the ID Ecosystem:
• IDESG must search for and find the Online Communities
that resemble and are compatible with the conceptual
model of the ID Ecosystem
• Analyze the Online Community participants according to
the parameters described in the conceptual model
• That is: identify the transaction types, terms of service,
mechanisms to fulfill terms, the archetypal e-Service
Providers and e-Service Consumers
• Document the ID Ecosystem Framework in concert with
the discovery and analysis activities
26. These Slides
• These slides attempt to capture the concept and
pattern of the ID Ecosystem and ID Ecosystem
Framework as set out in the NSTIC Strategy
document
• Further work is needed to refine and expand on
the entities described in this deck, in order to
achieve a more directly pragmatic level of detail