Er… what is a trust framework, actually?
In my role as analyst at SIDN, I often get asked to explain things. How the DNS works, for example. Or exactly what a domain name is, how ICANN is organised, or whether things can be done on the blockchain. In recent times, SIDN’s involvement in Trusttester, Simplerinvoicing and Connectis has meant that more and more of the questions are about digital identities. What's the difference between identification, authentication and authorisation? What's the score with Idensys? How important is eIDAS? And, recently, what is a trust framework, actually? A simple enough question on the face of it.
'Trust framework': an increasingly well-used term
In the world of on-line or digital identities, it's increasingly common to come across references to trust frameworks, platforms and public-private schemes. The terms are used to refer to collaborative initiatives, where various parties work together to provide services in areas such as identification, authentication and trust. For example:
The Medmij trust framework – for the exchange of medical data
The Belgian Mobile ID platform – an open platform linked to a smartphone app for on-line identification
The public-private scheme for electronic access services – which regulates Idensys and eHerkenning
The term 'trust framework' is widely used, then. But what exactly does it mean? How does a trust framework differ from an (identity) federation, for example? What makes something a trust framework, as opposed to, say, a conventional arrangement under which services are provided on the basis of end-user agreements? Is it about parties collaborating or the ability to use a variety of identities? Idensys is a trust framework, through which various identities are provisioned by various providers. So does that make DigiD a trust framework too? With DigiD, an identity is made available by a single provider, but there will ultimately be DigiD identities. And what about iDIN? A single identity is involved there, but various providers can offer services on the basis of that identity. So, what exactly is a trust framework?
In search of a definition
Fortunately, we've got the internet, where you can find the answer to pretty much anything. Including the question of what a trust framework is. Unfortunately, there are countless knowledge sources on the internet, and they rarely offer consensus. Depending on the context, a trust framework may be a set of requirements, a collection of contracts, a defined form of collaboration, a framework of standards, a system of enforcement mechanisms, a certification scheme, a regulated assessment system... or some mixture of those things. Or, indeed, something quite different. In what was becoming a personal quest for a definite answer, I came into contact with the authors of a white paper published in 2010, which defined a trust framework model. They welcomed my questions enthusiastically. And responded with questions of their own... and still more questions. That white paper had been an initial attempt to define what was then a new phenomenon, but the authors were already aware that a better definition was urgently needed (and not only by me). And they thought that maybe I'd like to come up with one.
White paper definition
With highly appreciated assistance and after considerable time and debate, a new white paper has been produced: Trust Frameworks for Identity Systems. It provides the following precise yet simple definition: "A trust framework is a legally enforceable set of specifications, rules and agreements regulating an identity system." It goes on to define the relationship between a trust framework and the underlying, regulated identity system, as well as the context in which the trust framework exists. The paper is the first of what will hopefully become a series, because many questions remain unanswered in this field. What constitutes an identity system? How should a trust framework be governed? What trust frameworks are currently in existence? At least the issue of what a trust framework is has now been resolved, and I can move on to the next question on my list…
The Open Identity Exchange (OIX) is a technology-agnostic, non-profit organisation focused on accelerating the introduction of digital identity services on the basis of open standards. Its members are leaders from competing business sectors, who cooperate on pilot projects and undertake joint research. The results of these efforts are published via OIX white papers and shared publicly via OIX workshops.