Trust frameworks are one of the more complicated concepts when it comes to identity. If you ask 10 different people what the most important aspect of a trust framework is you will likely get 10 different answers.
It boils down to this: trust frameworks are the rules that those involved in a federated identity scheme must agree to. “The ‘rules’ for federated identity management are known as trust frameworks and the organizations that agree to follow such rules and participate are known as ‘identity federations,’” according to a blog post from David Temoshok, with NIST’s NSTIC national program office.
NIST has released an Internal Report (NISTIR 8149) Developing Trust Frameworks to Support Identity Federation that aims to provides an informational look at trust frameworks and explains what they are, what their components are, and how they relate to the concept of identity federation.
NIST is looking for feedback from the stakeholder community on the draft and is soliciting feedback. The goal is to enable the adoption of trust frameworks for organizations and the communities that benefit from them. Trust frameworks aren’t new, bur rather the draft aims to educate communities interested in pursuing federated identity management as they try to establish the agreements that will make up the framework. The NISTIR includes guidance on determining roles in an identity federation, what to consider from a legal standpoint, and understanding the issues of establishing and recognizing conformance.
NIST is asking for feedback on GitHub. Commenters can access the repository’s Issues tab, where you can contribute comments via a form. The 30-day open comment period is from Oct. 3 – Nov. 1. NIST reviewed SP800-63 on GitHub earlier this year.