6 THE TRUST FRAMEWORK
6.1 Contents of The Trust Framework
A trust framework comprises:
Governance approach. How is the framework established, evolved and operated? How are parties certified to the framework?
Principles. The key principles that the framework must support.
Trust mark. How is the trust framework communicated to end users and relying parties? What are the user experience rules around the Trust mark?
Interoperability requirements. How is multi-use-case ID interoperability to be achieved, within and across frameworks?
The different Roles within the trust framework.
The Rules of the trust framework.
In this guide the rules of a trust framework are deliberately organised as follows:
- From the top down we start with the user-led Principles required, then the Trust mark required to communicate the framework to the user.
- Then come the Trust Rules in the framework, the fundamental elements of ID credential issuance and management, deriving credentials, authenticators, and identity assurance.
- Next come the services required by the Users of a Digital ID, followed by those required by the Organization, or Relying Party. If we get these two key endpoints, user and Relying Party, right, the framework is more likely to be a success.
- Then the general and legal rules applying to all parties are covered: fraud controls, liability, record keeping, audit and MI.
- Finally, the technical and security rules to ensure the framework is managed securely, delivers data in a consistent format and can be held to account.
A key objective OIX is seeking to achieve is interoperability across frameworks. This is referenced throughout the guide, but is also called out as a separate contents section for specific consideration.
The contents suggested in the guide are a super-set of the contents any individual framework might need to implement. Each framework is likely to implement a sub-set of these contents suitable to meet its own specific needs.
This trust framework diagram shows the more detailed contents at the rule area level:
Subsequent sections of this document explore, at a high level, these rule level contents and roles.
Within each content area the appropriate policies, procedures, rules and standards need to be defined. These have been identified and listed in a table for each framework content area.
The obligations defined by these documents then need to be mapped to each role within the ecosystem. This can then be used to formulate a contract for each actor within the ecosystem.
Note that this OIX guide to trust frameworks does not address many purely commercial matters between the parties, in particular pricing. It is expected that each framework implementation will address commercial matters in a way that suits the parties and the implementation structure of that particular framework.
The identity community uses a plethora of specialist terminology. In order to standardise the vernacular, OIX has created a separate Glossary of Identity Terms.
The glossary identifies common synonyms for the terms used by OIX. It also includes the rationale for choosing to use some key terms and the list of alternatives considered.
Throughout this guide all terminology used is consistent with this glossary.
Terms used in this document that are defined in the glossary are shown in bold italics.