OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation) Technical Committee

The Trust Elevation Technical Committee will identify methods being used currently to authenticate electronic identities by online relying parties and service providers, and similar methods in development or identified in theoretical models. By comparison and factoring of those methods, the TC will propose and describe a set of standardized protocols that service providers may use to elevate the trust in an electronic identity credential presented to them for authentication, at levels of identity assurance or risk mitigation, representing increasing degrees of authentication certainty.

The Trust Elevation TC will collect information on trust elevation techniques, or risk mitigation techniques, being standardized, marketed and implemented in the public or private sector and will perform analyses of them and their approaches, assessing their effectiveness at assuring the identity of the electronic claimant, and working towards creating a general model of how effective the trust elevation / risk mitigation efforts are in creating trusted online transactions. Once the initial collection and analyses have been completed, the TC will correlate the results with various other trusted credential and trusted transaction models. The more widely-recognized and adopted these standardized protocols are, the more useful they will be to governments, businesses and individuals engaged in eGovernment and eCommerce.

The Trust Elevation TC is intended to respond to the suggestions of several governments, including the US government's NSTIC strategy document [3] that national and global identity infrastructures can be developed and supported by private sector cooperation among providers, users and subjects of trusted identity systems. The EIC-TEM documentation from this TC should promote interoperability among multiple identity providers, and among multiple identity federations & frameworks, by facilitating clear communication about common and comparable operations to present, evaluate and apply identity [data/assertions] to sets of declared authorization levels.

[1] Office of Management and Budget Memorandum M-04-04, E-Authentication Guidance for Federal Agencies, Dec. 2003.
[2] NIST Special Publication (SP) 800-63, Rev. 1, Electronic Authentication Guidelines, Dec. 2008.
[3] Office of the President, National Strategy for Trusted Identities in Cyberspace (NSTIC), April 2011: http://www.nist.gov/nstic/

Work within the TC's scope includes descriptions of the process steps and component services necessary to confirm a conclusion of trust elevation between each pair of levels. Those descriptions and analysis may include catalogs of data services (or types of service), taxonomies or functional definitions of the types of identity and assertion data on which those services operate, substantive data exchanges or models, and model message exchange patterns.

The TC may include functional data security/integrity requirements in its process descriptions, e.g., certain trust elevation methods may only be recommended if conducted within certain minimum levels of data integrity protection.

Where possible, the TC generally will rely on existing widely-used definitions and data categories. The TC may also make functional comparisons of alternative assurance level schemes, so as to map its trust elevation processes to a variety of regulatory frameworks.

The following work will be out of scope for the TC:

• Mandates of specific message formats or schema. The TC will provide process and data requirements that can be equally applied regardless of transport method or data schema encoding. No one data format or schema will be mandated. The TC may provide detailed instances of assurance & elevation message exchanges, as examples, but its output should be generally applicable regardless of schema encoding.

The Trust Elevation TC will create the following deliverables:

1. The initial deliverable is a comprehensive list of methods being used currently to authenticate identities online to the degree necessary to transact business where material amounts of economic value or personally identifiable data are involved. First Public Review Draft to be completed by six months after the first meeting.
2. The second deliverable is an analysis of the identified methods to determine each one's ability to provide a service provider with assurance of the submitter's identity sufficient for elevation between each pair of assurance levels, to transact business where material amounts of economic value or personally identifiable data are involved. First Public Review Draft to be completed by [nine] months after the first meeting.
3. The third deliverable will be an "Electronic Identity Credential Trust Elevation Methods Protocol" specification that recommends particular methods as satisfying defined levels of assurance for elevating trust in an electronic identity credential to assure the submitter's identity sufficiently to support elevation between each pair of assurance levels to transact business where material amounts of economic value or personally identifiable data are involved. Alternative and optional methods may be included. The description of each recommended method shall include functional definitions of the types of identity and assertion data employed by each method, and may include specification of the data services required in each elevation, substantive data exchange patterns or models, message exchange patterns or models, and such other elements as the TC deems useful. The first Public Review Draft will be completed by [fifteen] months after the first meeting.
4. Other deliverables may be identified over time as the TC engages in its work.

The TC may re-factor the deliverables above as it sees fit into fewer, more, or differently combined documents. In any case, the deliverables shall:

• Be vendor-neutral and product-agnostic. (The TC may also elect to provide proof-of-concept instances, but will strive to facilitate ease of implementation regardless of data schema choices.)
• To the extent feasible, re-use rather than re-invent suitable existing definitions of policy concepts such as identity tokens and personally-identifiable data.
• To the extent feasible, be consistent with generally accepted definitions of service-oriented architectural principles.
• Describe with specificity their application to established US NIST levels of assurance.
• Include a catalog or list of common types of services and functions.
• Include a set of definitions or sources of definitions for common functional types of data elements.

The Trust Elevation TC will operate under the RF on Limited Terms mode of the OASIS IPR Policy.

The Trust Elevation TC is intended for the following audiences: Architects, designers and implementers of providers and consumers of enterprise identity management services.

Work group business and proceedings will be conducted in English.