Creating a New Trust Framework

The Open Identity Trust Framework model, illustrated below, starts with a group of policymakers defining a trust framework for a trust community. A trust community is any population of sites and users that share a common need for trusted interactions online: a government, an industry association, a professional society, a non-profit network, etc.

The policymakers perform this function by creating a trust framework specification. This specification begins by defining two types of metrics (or referencing them from other specifications):

  • Levels of assurance (LOA). These are ratings of the degree of assurance a relying party can have in the identity credentials issued by an identity service provider. A common example is the four levels (LOA 1, 2, 3, and 4) defined by the US NIST Special Publication 800-63; comparable standards exist in many other countries. (Note that revision 3 of SP 800-63 has since replaced the single LOA scale with separate identity, authenticator, and federation assurance levels, so a framework referencing NIST should state which revision it means.)
  • Levels of protection (LOP). These are ratings of the degree of data protection that either an identity service provider or a relying party provides for identity information entrusted to them by a user. LOP is a newer concept (see the Open Identity Trust Framework Model white paper) and does not yet have widely published standard metrics; this is expected to evolve in the next few years.

The specification then defines (or references in other specifications) the policies necessary to achieve the LOA or LOP it defines. These policies generally fall into four areas:

  1. Identity proofing policies, which establish the degree of certainty an identity service provider has about a user’s legal identity.
  2. Security policies, which establish the degree to which the integrity and confidentiality of identity information are protected.
  3. Privacy policies, which establish the degree of control a user has over how their identity information is used and shared.
  4. Survivability policies, which establish the degree to which a user’s identity data remains both portable and protected if an identity provider ceases to offer service.

As an example, see Tables 4 and 7 of the US ICAM LOA 1 Trust Framework.

Third, the specification defines (or references) one or more technical profiles: descriptions of the technical requirements to which participants must conform in order to achieve interoperability. For examples see the OpenID 2.0 profile and the IMI Information Cards 1.0 profile published by ICAM.

Fourth, the specification defines the qualifications required of an assessor who wishes to certify identity service providers and/or relying parties as compliant with the trust framework at one or more LOA and/or LOP. As an example see Table 4 of the US ICAM LOA 1 Trust Framework.

Lastly, the specification defines the basic bona fides and other representations a participant must be able to make in order to be accountable to all other participants. For examples see Table 2 and Table 3 of the US ICAM LOA 1 Trust Framework.

As an Open Identity Trust Framework model provider, OIX works with policymakers to help them draft OITF-compliant trust framework specifications. Please contact us if you are interested in developing a trust framework for your trust community.
