[WG-TFMM] Trust Framework limited to trust in identities?

Rainer Hörbe rainer at hoerbe.at
Sun May 22 08:58:55 EDT 2011


I was too late for the discussion regarding federation governance, but I liked seeing the good explanation of the relationship between legal and operational levels in <_Draft Trust Framework-7.doc>. I agree mostly with this document, but I would like to question one issue: Should the scope of TFs be limited to identity-related rules? The draft implies that its scope is limited to confidence in identity, as IAF, 800-63 and others do as well.

My considerations for going beyond this limitation:
a) From a system modeling view the trust infrastructure is a service that is provided to some business functions. The trust infrastructure (legal/operational) shall guarantee the common information security and privacy objectives that are not specific to certain business cases. The ritual view (with slight variations) in enterprise IT is that infosec's objectives are confidentiality, integrity, availability and accountability; privacy has notification, data minimization and the other principles listed in the PF. Most of these objectives are related to identity, but not all. Clean modeling - minimizing complex dependencies, overlaps and gaps - would not take identity as the salient factor to structure or delimit the trust infrastructure or to split the TF into subcomponents, because it would only reduce the topic by a small fraction without providing a clean interface.

b) Trust Frameworks need to be aligned with other policies when federations are linked with enterprise systems or cloud services. In this context it is essential to ease mapping by using the approved approach of enterprise security frameworks, with the objectives at the top level as listed previously. Otherwise interoperability would suffer. Differences between HIPAA, PCI DSS, 2700x, ITIL, SOX and others are difficult enough to bridge.

c) There are areas that are indirectly or partially related to identity:
- Data collection: Data may be collected that is anonymous or pseudonymous, but will become identifiable to some degree later due to aggregation and business intelligence. It has nothing to do with confidence in the identity of a remote user in the traditional sense.
- Availability: Data loss prevention in the user-to-self scenario, long-term availability of CSPs, availability of audit repositories etc. are related to identity, but are only a part of a comprehensive SLA.
- Authorization: The user's entitlement is an essential part of a trust infrastructure and adds value to an identity. The processes for (delegated) provisioning need to be considered as well.

To converge on a sustainable common definition of "Trust Framework", I suggest encompassing the extended view that puts infosec and privacy at the top and considers identity as a key component, but not the pivot point.

- Rainer


On 18.05.2011 at 21:39, Anna Slomovic/Equifax wrote:

> Rainer,
>  
> Please see the message string below. Would love to have your reactions.
>  
> Thanks.
>  
> Anna
> 
>  
> From: Smedinghoff, Tom [mailto:Smedinghoff at wildman.com] 
> Sent: Wednesday, May 18, 2011 2:15 PM
> To: Anna Slomovic/Equifax; Anna Ticktin; Dervla O'Reilly
> Cc: Mark Lizar
> Subject: RE: Federation governance
>  
> Anna,
>  
> I agree that federation governance is a key issue.  I view a trust framework as a structure that binds, and is enforceable against, all participants regardless of role.  What rules apply to which roles, which roles should be certified/accredited, as well as how the rules of the trust framework should be made enforceable against all participants, are key questions.  But whether or not RPs/DRs are certified, I certainly agree that there has to be a set of enforceable rules that governs their use of federated credentials.  Thus, if the Kantara work re rules, accreditation, etc. is limited to the IdP roles, my sense is that the resulting product will constitute only part of the overall trust framework.
>  
> One of the key initial challenges we are struggling with is how to ensure that the rules apply to all participants in a legally binding way.  This presents major hurdles, especially to the extent we are dealing with a large scale identity system that should be interoperable. 
>  
> For whatever value it may be, I’m attaching the current version of our short draft on the concept of a Trust Framework.  Your comments suggest that we may need to further edit it to expressly clarify that it should apply to all participants.
>  
> Thanks,
>  
> Tom
> 
>  
> From: Anna Slomovic/Equifax [mailto:anna.slomovic at equifax.com] 
> Sent: Tuesday, May 17, 2011 2:56 PM
> To: Anna Ticktin; Dervla O'Reilly
> Cc: Mark Lizar; Smedinghoff, Tom
> Subject: Federation governance
> 
> Anna and Dervla,
>  
> I was mulling on this morning’s conversation in the IAWG meeting and wondered whether there is a group within Kantara that is worrying about federation governance. I looked at the listing of groups on the web site and could not find one.
>  
> As you may recall, this came up when we talked about whether or not RPs/DRs need to be certified to participate in a Kantara-certified federation, and how privacy rules might fit into the certification process. Even if there is no certification for RPs/DRs, there has to be a set of rules that governs the use of federated credentials. For example, when a site uses Facebook credentials (“login with Facebook”), it must accept Facebook Platform Policies, including what information the site can ask for and what it can and cannot do with the information it receives from Facebook. I would expect that if an organization wants to integrate Kantara-certified credentials into its processes, it will also need to accept a set of operating policies or terms for the federation.
>  
> Is this something that Kantara is working on? I thought so based on the desire to cover the full Trust Framework, but perhaps not. If not, it raises the question for me about the way in which the area that Kantara addresses would fit into a full set of operating rules—which pieces can be lifted and plugged in from Kantara, which pieces need to come from elsewhere, and how the “plug and play” would work. I am copying Tom Smedinghoff, who might have thoughts on how this would work with the federation governance infrastructure that his ABA group is putting together.
>  
> Thanks.
>  
> Anna
>  
> <_Draft Trust Framework-7.doc>
