Trust in Trust Frameworks: the missing link
Abbie Barbir, Ph.D., OASIS Board of Directors
OASIS Overview
Organization for the Advancement of Structured Information Standards (OASIS)
- Mission is to promote and encourage the use of structured information standards such as XML
- Development, convergence and adoption of e-business standards
- Development of vertical industry applications, conformance tests and interoperability specifications
- Lightweight, open process designed to promote consensus
- Not-for-profit consortium, founded in 1993 as SGML Open
- Global representation: 5,000+ participants representing 600+ organizations and individual members in 100+ countries
Current Board of Directors
Global Coverage: Europe in OASIS
- OASIS has become increasingly European
- European office established at AFNET
OASIS Member Section Program
- Offers a unique advantage for independent groups interested in advancing and promoting the intelligent use of open standards
- Member Sections maintain their own identities as distinct organizations while gaining access to OASIS infrastructure, resources, reputation, administrative support and expertise
Current Member Sections (1/2)
- OASIS AMQP: advances business messaging interoperability within middleware, mobile and cloud-based environments
- OASIS CGM: web graphics standards
- OASIS Blue: open standards for smart energy grids
- OASIS eGov: focal point for discussions of governmental and public administration requirements for e-business standardization
- OASIS Emergency Interoperability: accelerates development, adoption, application and implementation of emergency interoperability and communications standards
Current Member Sections (2/2)
- OASIS IDtrust: development and adoption of standards for identity and trusted infrastructure technologies, policies and practices
- OASIS LegalXML: unites legal and technical experts in a common forum to create standards for the electronic exchange of legal data
- OASIS Open CSA: advances open standards that simplify SOA application development via the Service Component Architecture (SCA) and Service Data Objects (SDO) families of specifications
- OASIS Web Services Interoperability (WS-I): advances best practices for selected groups of standards, across platforms, operating systems and programming languages
The threat: Cyber crime
Cyber crime losses are growing
Identity crime affects all sectors
Identity Management Drivers (chart: Financial Institutions / Identity Theft Drivers)
Entity Authentication Assurance (X.eaa)
- Joint work with ISO JTC1/SC 27/WG5 and ITU-T SG 17/Q10
- Standardizes four Levels of Assurance (LoAs) to promote trust, improve interoperability and facilitate identity federation across organizations and borders
Why work on authentication assurance?
- Provides a consistent basis for trust and promotes identity federation
- Enables credential re-use in different contexts
- Promotes efficiency and reduces costs
- Enables cross-organization and cross-border services
- Provides a framework for further standardization
- Establishes a foundation for liability and other legal aspects
- Brings together existing work in this area and will not "re-invent the wheel": Kantara Initiative, ITU-T, NIST standards efforts, OASIS; New Zealand, Australian, U.S., European and Canadian e-government efforts; EU research efforts (STORK, IDABC, etc.)
Case Study
The problem
- Most U.S. government agencies want to offer more online applications to citizens: research, grant proposals, taxes, benefits, data sharing
- Authentication is a large barrier to deployment: there is no universal citizen credential
- Application-specific credentials are difficult and expensive: identity proofing; forgotten passwords from infrequent usage; help desks and other maintenance overhead; multiple collections of personally identifiable information (PII)
Possible solutions
- Government agencies can act as the Relying Party (RP) rather than the Identity Service Provider (IdSP) and accept credentials issued by "trusted" external organizations
- The X.eaa standard can be used to develop a trust framework and adoption process that defines the IdSP requirements for each LoA
- An IdSP certification program based on that trust framework
- In Canada, the BC government is running pilot studies that use open-standards credentials from several certified IdSPs
Current Model: 4 Levels of Assurance

Level         | Description
1 - Low       | Little or no confidence in the asserted identity
2 - Medium    | Some confidence in the asserted identity
3 - High      | High confidence in the asserted identity
4 - Very High | Very high confidence in the asserted identity
OASIS Trust Elevation TC
- OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation) TC
- Works to define a set of standardized protocols that service providers may use to elevate the trust in an electronic identity credential presented to them for authentication
- Responds to suggestions from the public sector, including the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC)
- Promotes interoperability among multiple identity providers, and among multiple identity federations and frameworks, by facilitating clear communication about common and comparable operations to present, evaluate and apply identity data/assertions to sets of declared authorization levels
Towards Trust Frameworks: some pain points
- Internet transactions are anonymous (low trust), but value transactions are identity-based
  - Moving from anonymous to identity-enabled
- Enable identity-based systems while protecting privacy (PII)
- Isolation of issuer and target identity
- Enable the right to be forgotten
- Identity dashboard for the user to keep control of identity and related data (data ownership)
- Consumer protection
- Identity Service Provider liabilities
- Audit, compliance and policy enforcement
- Simple-to-use system
Current Basic "Trust Triangle"
- The user has a direct trust relationship with the IdSP and with the RP
- How can the IdSP and the RP trust each other?
(Source: OIX)
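The three slides above (the four-level LoA table, the Trust Elevation TC and the trust triangle) describe one decision an RP has to make: is the assurance behind a presented credential good enough, and if not, what would raise it? The following is an added illustration of that decision in Python; it is not code from this deck, from OASIS or from any trust-framework operator. The registry contents, the IdSP identifiers, the assertion fields and the elevation ladder are assumptions made for the example. The point it adds to the slides is the missing leg of the triangle: the RP never trusts the IdSP's own claim of a LoA directly, it caps that claim at the level the trust framework has certified the IdSP for.

```python
"""Relying-party (RP) decision logic for the four Levels of Assurance (LoA 1-4),
the trust triangle and trust elevation.  Added illustration only: registry
contents, identifiers and the elevation ladder are assumptions."""
from dataclasses import dataclass, field

# Assumed trust-framework registry: the IdSPs the framework operator has
# certified, and the highest LoA each is certified to assert.  This is the
# IdSP<->RP leg of the trust triangle: the RP trusts the framework operator's
# certification rather than the IdSP directly.  A real RP would load this from
# the operator's signed metadata, not a literal dict.
CERTIFIED_IDSP_MAX_LOA = {
    "https://idsp.example-bank.test": 3,    # assumed identifiers
    "https://idsp.example-social.test": 1,
}

# Assumed elevation ladder: what an RP could ask for to move from level N to N+1.
ELEVATION_STEPS = {
    1: "verify a second factor bound to the user (e.g. OTP to a registered device)",
    2: "verify a hardware-bound credential",
    3: "perform in-person (or equivalent) identity proofing",
}


@dataclass(frozen=True)
class Assertion:
    issuer: str   # IdSP identifier, as carried in the federation assertion
    subject: str  # user identifier at the IdSP
    loa: int      # LoA the IdSP claims for this authentication event

    def __post_init__(self):
        if not 1 <= self.loa <= 4:
            raise ValueError("asserted LoA must be between 1 and 4")


@dataclass
class Decision:
    allowed: bool
    effective_loa: int        # 0 means no assurance: issuer not certified
    reason: str
    elevation_needed: list = field(default_factory=list)


def effective_loa(assertion):
    """Cap the asserted LoA at the level the trust framework certifies the issuer
    for.  An IdSP cannot raise its own trustworthiness by asserting a higher
    level than it is certified to provide; an uncertified issuer yields 0."""
    certified = CERTIFIED_IDSP_MAX_LOA.get(assertion.issuer, 0)
    return min(assertion.loa, certified)


def evaluate(assertion, required_loa):
    """Decide whether an assertion satisfies the RP's required LoA and, if not,
    which elevation steps would close the gap."""
    if not 1 <= required_loa <= 4:
        raise ValueError("required LoA must be between 1 and 4")
    loa = effective_loa(assertion)
    if loa == 0:
        # No trust path: the issuer is not certified under the framework, so
        # elevating this credential is pointless; the RP needs a different IdSP.
        return Decision(False, 0, "issuer not certified in the trust framework")
    if loa >= required_loa:
        return Decision(True, loa, "effective LoA meets the requirement")
    steps = [ELEVATION_STEPS[level] for level in range(loa, required_loa)]
    return Decision(False, loa,
                    f"effective LoA {loa} below required LoA {required_loa}",
                    steps)


if __name__ == "__main__":
    a = Assertion("https://idsp.example-bank.test", "alice", loa=4)
    print(evaluate(a, 4))   # denied: issuer certified only to LoA 3, one step to elevate
    print(evaluate(a, 2))   # allowed at effective LoA 3
```

Two design choices matter for the trust question the deck raises. First, an assertion from an issuer that is not in the framework registry gets LoA 0 and no elevation path, because elevating a credential nobody vouches for only adds factors on top of an unknown enrolment. Second, the asserted level is clamped by the certified level, so a compromised or over-claiming IdSP cannot talk its way past the RP's policy.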
Where Trust Frameworks Fit: the Internet identity layer
- Technology interoperability (identity protocols)
- Usability (user experience ceremonies)
- Market expansion and adoption
- Hardware devices (security capabilities)
- Policy interoperability (trust frameworks)
(Source: OIX)
Should We Have Trust in Trust Frameworks?
- Key question: how much do we trust the identity enrolment stage?
- Do we trust breeder documents and the verification process?
The elephant in the room: the rise of synthetic ID
- What is a synthetic ID? A synthetic identity is created when a criminal takes bits and pieces of information from different people and assembles a new identity that corresponds to no single real person (no "carbon copy"). For example, a real social security number is used with a different name and date of birth.
- Difficult to detect because of all the mismatched pieces of information
- Criminals are getting bold: the trend is toward claiming ID theft as opposed to account busting
- Need better means of validating breeder documents; not all breeder documents are trustworthy
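The slide names the detectable symptom of a synthetic identity: one real identifier (a social security number) appearing with a different name and date of birth. The following added Python example, which is not from the deck and not from any IdSP's or trust framework's tooling, shows the linkage check an enrolment system could run across the records it already holds. The records are constructed for the example and the SSNs use the never-issued 000 area number, so they match nobody.

```python
"""Consistency check for one signature of synthetic identity: a single national
identifier (here a U.S. SSN) enrolled under different name/date-of-birth
combinations.  Added example; the records are constructed and the SSNs are
deliberately invalid (000 area number)."""
from collections import defaultdict

# Constructed enrolment records, as an RP or IdSP might hold after proofing.
ENROLMENTS = [
    {"app": "grants",   "ssn": "000-00-0001", "name": "Jane Q. Doe", "dob": "1980-02-03"},
    {"app": "taxes",    "ssn": "000-00-0001", "name": "jane q doe",  "dob": "1980-02-03"},
    {"app": "benefits", "ssn": "000-00-0001", "name": "Mark Roe",    "dob": "1991-07-19"},
    {"app": "grants",   "ssn": "000-00-0002", "name": "Sam Poe",     "dob": "1975-11-30"},
]


def normalize_name(name):
    """Fold case, punctuation and spacing so formatting differences between
    honest re-enrolments ("Jane Q. Doe" vs "jane q doe") are not flagged."""
    cleaned = "".join(ch if ch.isalnum() or ch.isspace() else " " for ch in name.lower())
    return " ".join(cleaned.split())


def conflicting_identifiers(records):
    """Return {ssn: sorted list of distinct (normalized name, dob) pairs} for
    every SSN bound to more than one distinct identity.  Each hit is a
    candidate synthetic identity (or a data-quality problem) for review."""
    bindings = defaultdict(set)
    for rec in records:
        bindings[rec["ssn"]].add((normalize_name(rec["name"]), rec["dob"]))
    return {ssn: sorted(pairs) for ssn, pairs in bindings.items() if len(pairs) > 1}


if __name__ == "__main__":
    for ssn, pairs in conflicting_identifiers(ENROLMENTS).items():
        print(ssn, "->", pairs)   # 000-00-0001 is bound to two different people
```

A hit here is a reason to re-examine the enrolment, not to deny service: legitimate name changes, typos and shared data-entry errors produce the same pattern. The check also only works within the data one party holds; the slide's broader point stands, which is that a trust framework is only as strong as the breeder-document validation done at enrolment, and that is something an attribute-consistency check cannot replace.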
Standards are like parachutes. They work best when they're open. Q&A