OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation) TC


  1. What is the motivation behind the Trust Elevation TC?

    Governments and standards organizations around the world have developed extensive electronic identity trust frameworks, policies and models for use in e-gov and e-commerce venues. At the same time, in the business-to-business e-commerce sector, service providers have adopted alternative, transaction-based tools that specifically mitigate risks of false positives. The trust model based on credential strength (exemplified by the U.S. FICAM model) and the transaction trust model (exemplified by many online e-commerce providers) need to be reconciled in a value-neutral way to extend interoperability among service providers and make e-transactions easier and more friendly for end users.

  2. What is the scope of this effort?

    The scope of the Trust Elevation TC includes descriptions of the process steps and component services necessary to confirm a conclusion of trust elevation between each pair of trust or risk mitigation levels. Those descriptions and analyses may include catalogs of data services (or types of services), taxonomies or functional definitions of the types of identity and assertion data on which those services operate, substantive data exchanges or models, and model message exchange patterns. The TC may include functional data security/integrity requirements in its process descriptions, e.g., certain trust elevation methods may only be recommended if conducted within certain minimum levels of data integrity protection. Where possible, the TC generally will rely on existing widely-used definitions and data categories. The TC may also make functional comparisons of alternative assurance level schemes, so as to map its trust elevation processes to a variety of regulatory frameworks.

  3. Who should participate in this TC and why?

    This Committee seeks to bring together the variety of stakeholders involved in electronic credentials.

    • Government and private sector identity management policymakers, analysts, fraud and cybersecurity specialists who focus on enabling trusted e-commerce and e-government solutions. These constituents are key as the Trust Elevation TC seeks to close a fundamental gap between credential-based trust approaches and transaction risk mitigation-based trust approaches to authenticating to online applications and services.
    • Businesses marketing hardware and software tools and/or services in the identity management sector that provide solutions that satisfy one or more of the online trust models noted above.
    • Online services and/or applications that implement either or both methods of assuring that trusted identity credentials are sufficient to authenticate to their services. They are the end recipients of the value of the deliverables of this work and so should participate in discussions of what is satisfactory to their needs.
    • Auditors and audit firms that perform USG FISMA C&A and Federal PKI-related PKI assurance assessments, ISO ISMS security assessments and related assessment services.
    • Other Standards Development Organizations that address in policy and/or practice determinations of trust for electronic identities.
    • SSO, portal and credential validation providers and niche software providers in the IdM space.
    • Credential issuers and Trust Framework Providers.
    • Software vendors that develop and use trusted identity credentials or that build and market software for particular industries such as financial services including fraud detection services.
    • Health IT including billing modules, electronic health records, electronic prescription services.
    • Hardware vendors who implement standards-based methods for trusted electronic identities.

  4. How does the work of the Trust Elevation TC relate to similar efforts underway?

    There are rafts of government, quasi-government, industry, consortia, standards body and ad hoc standards or standardization efforts in place--many of which are generic and many of which are use-specific. While the Trust Elevation TC emphatically includes all legitimate and relevant existing efforts in its analyses, the focus of our efforts is on online risk mitigation services: how they work, how well they work as risk mitigation strategies, and how that aligns with existing models and frameworks.

  5. What will the main output of this TC be?

    The primary products of the Trust Elevation TC are analyses and studies, not standards per se. That said, it is expected that the knowledge amassed by the TC will lead online service providers to adopt standardization of risk mitigation strategies that will correlate to credential strength strategies.

  6. Can you offer an example of an application that would benefit from the work of this TC?

    An example would be: A veteran accesses a U.S. government site to view and download a copy of his electronic health record with an electronic identity credential that is only recognized by the portal as satisfying NIST Level 1. In compliance with NIST standards, the online application requires credential strength of Level 3 or comparable risk mitigation alternatives. By using recognized trust elevation practices, the service provider may raise its trust that the credential used is transmitted by the person it claims to be to a level sufficient for it to allow the untrustworthy credential to be trusted for access to personal medical data online. This demonstrates the interplay between a credential-strength model and a transaction risk-mitigation model in a real-world use case.

  7. Is this TC responding to a real need in the marketplace?

    We anticipate that the deliverables of the Trust Elevation TC will be broadly used and that widespread deployments will benefit from deeper understanding of the mechanisms and deliverables of risk mitigation based transactional trust methods and services.

    The work of the Trust Elevation TC directly serves at least two of the guiding principles of the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC): increasing and improving interoperability, and enabling identity solutions that are cost-effective and easy to use. However, the work of this TC is also targeted at complementing international and industry-specific specifications.

  8. Who should be involved in this TC?

    Hardware and software vendors, service providers, standards bodies, and industry associations should all be represented in this TC.