The OIX Certification Process

OIX follows the Open Identity Trust Framework (OITF) model for Internet-scale identity assurance developed by members of the OpenID Foundation and the Information Card Foundation. Under the OITF model, OIX as an OITF trust framework provider neither “makes the rules” (specifies trust frameworks) nor “makes the judgments” (assesses trust framework participants).

Instead, as described in the OIX white paper, OIX’s role is to “make the market” by harnessing market forces to satisfy the demand for identity assurance services. This process begins with the policymakers for a trust community developing the specification for a trust framework. See the US ICAM TFPAP and OIX US ICAM LOA 1 trust framework as examples.

Next, the policymakers enter into a contract with OIX as a trust framework provider. OIX then officially lists the trust framework and begins the following certification process.

Step 1: Qualifying Assessors

Before a participant (either an identity service provider or, if applicable, a relying party) may be certified for a Listed Trust Framework, assessors must first be qualified for it. In OIX, that job is performed by a Special Assessor: a party who both OIX and the policymakers agree has the qualifications and experience to evaluate other Assessors for that trust framework. Note that, to avoid conflicts, a Special Assessor may not also serve as a Listed Assessor for the same trust framework.

Step 2: Conducting Assessments

Once a trust framework has Listed Assessors, OIX members may apply for certification. To do this, the member:

  1. Prepares the evidence that it meets the trust framework’s requirements at a specific Level of Assurance (LOA) and/or Level of Protection (LOP).
  2. Selects a Listed Assessor and negotiates pricing and other terms.
  3. Undergoes the assessment.

Step 3: Registering Listings

Once the assessment is successful, the member submits a Membership Listing Application Form to OIX. Once OIX verifies the information with the assessor, the listing is published in the OIX Listing Service.

Recertification

A trust framework specification also covers ongoing maintenance of a certification. OIX, as a trust framework provider, enforces this requirement, whether it is periodic recertification, spot checks, ongoing audits, etc.
