In digital identity systems, a trust framework is a certification program that enables the party who accepts a digital identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the identity service provider).
The open identity industry, led by members of the OpenID Foundation (OIDF) and Information Card Foundation (ICF), developed the Open Identity Trust Framework (OITF) model to bring open market dynamics to trust frameworks.
[Figure: Fig. 3 from the OIX white paper]
In the OITF model, policymakers representing a trust community (e.g., government, industry association, professional society) start by developing a trust framework specification. This document defines the identity proofing, security, and privacy policies that must be followed by identity service providers to reach a specified level of assurance (LOA). In some cases it will also specify the data protection policies that must be followed by both identity service providers and relying parties to reach a specified level of protection (LOP).
Lastly, the trust framework defines the qualifications necessary to be an assessor for the trust framework—a person or a company who has the professional experience necessary to assess whether an identity service provider or relying party is in compliance with the policies specified for a certain LOA or LOP.
Next, the policymakers contract with a trust framework provider (TFP) to operate a certification program for the trust framework. A TFP that operates under the OITF model performs the following functions:
Lastly, the OITF model includes roles for auditors and dispute resolution service providers to assist in ongoing assessment of trust framework participants and resolution of disputes that may arise.
Visit our white papers page for two papers on this topic: one on the OITF model for market-driven identity assurance and a second on how OIX implements this model.