When it comes to the digital identity space there are many abstract, complex topics. Near the top of that list would be trust frameworks.
At a high level, trust frameworks are the rules that a group of organizations agrees to in order to participate in a federated identity system. The agreement includes business, legal and technical rules that cover aspects of digital identity.
There are many trust frameworks in existence – there doesn’t have to be just one. Five years ago, when the National Strategy for Trusted Identities in Cyberspace was created, it envisioned an identity ecosystem with multiple identity federations bound by different trust frameworks, says David Temoshok, senior policy advisor for Applied Cybersecurity in the Information Technology Laboratories at NIST.
But that vision has not become a reality. For that reason, NIST released Internal Report (NISTIR) 8149: Developing Trust Frameworks to Support Identity Federation. The goal is to engage those outside of the identity industry so that they get involved and start thinking about trust frameworks. “We want to hear from organizations who want to get into identity federation,” Temoshok explains.
The NISTIR is focused on companies and organizations outside of the federal government, Temoshok says. “It’s not helpful to have a 100-page document saying: ‘this is what you put into a trust framework,’” he explains.
The report gives organizations a starting point for what they need to consider when creating a trust framework for federated identity, along with what has been done before, Temoshok says. “In the end it’s really a business and risk management strategy for organizations,” he adds.
The NISTIR is a draft for now, and NIST is accepting comments on GitHub. The comment period is due to close on October 18, after which the comments will be reviewed and another NISTIR incorporating them will be released.