A structured approach to proofing and identity trust is required to ensure consistency and interoperability within a trust framework, and for interoperability across trust frameworks.
The framework should consider rules around proofing, identity assurance, authentication, and eligibility assurance. Keeping trust up to date for a user’s identity and eligibility is also a key consideration.
The following diagram shows the process of achieving and presenting trust in the user. Additionally, it shows the roles involved in this part of the process:
Once the user is trusted, they may present that trust, along with trusted evidence and trusted eligibilities, to the relying party.
Proofing is the process of establishing trust in identity evidence gathered by, or about, the user. Evidence comes from an evidence issuer.
Inclusion must be considered by trust frameworks to ensure the maximum number of users can access identity services. Techniques such as vouching and manual evidence checking should be considered.
There are three techniques generally used in the proofing process. A process for scoring the different data and methods used within each technique should also be considered:
A single piece of evidence might have one or more of the proofing techniques applied to it. For example, a passport might be used for both validation and verification. Evidence used for identity risk assessments might be deliberately independent from evidence used for validation or verification.
The result of the proofing process is a collection of trusted evidence. This can then be shared with, or presented to, relying parties. It can also be used in an identity assurance process to achieve a level of trust, or assurance, to be presented to a relying party.
From trusted evidence, trusted claims can be drawn. For example, trust in a person’s name, address and date of birth can be drawn from a passport.
Interoperability between frameworks might be achieved by aligning proofing scores or determining equivalence between proofing scores across different frameworks.
Identity Assurance is the process of establishing trust in the user themselves.
Different use cases will demand different levels of trust in a user’s identity. The level of trust required is often dependent on the risk and value of the transaction. For example, more surety in a user’s identity is required to allow them to board a plane than to deliver a low value retail item to their address.
The level of trust achieved in an identity is a function of the amount and quality (proofing score) of the evidence collected about the user.
For example, a basic level of trust might be established by having an evidence verifier check the user’s self-declared address against a database of known addresses. This might be a sufficient level of trust to deliver goods to this person’s address.
To board a plane however, trust in the user’s identity must be more strongly established:
- A passport or ID card might be needed, along with another separate proof of the user’s address to validate the user.
- Verification that the user is the genuine holder of the passport or ID card would be required.
- A comprehensive identity risk check must be undertaken to mitigate ID fraud.
The trust framework, or a trust scheme, might define the level of identity trust that relying parties in a particular sector are required to achieve in order to meet certain regulatory requirements. This is called a Level of Assurance.
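The two scenarios above (address check for a delivery; verified passport, separate address proof and risk check for boarding a plane) as an added, runnable model. This is illustrative code, not part of the framework document: the 0-4 proofing score scale, the 0-3 LoA rules and the sample evidence are all assumptions.

```python
from dataclasses import dataclass, field

# Proofing techniques referred to in the text. The score scale and the LoA rules
# below are assumed for illustration, not a published framework's rules.
VALIDATION, VERIFICATION, RISK_ASSESSMENT = "validation", "verification", "risk_assessment"


@dataclass
class Evidence:
    kind: str                       # e.g. "passport", "address_record"
    issuer: str                     # the evidence issuer
    claims: dict                    # claims this evidence supports, e.g. {"address": ...}
    techniques: set = field(default_factory=set)  # proofing techniques applied
    score: int = 0                  # assumed proofing score, 0 (none) to 4 (strongest)


def trusted_claims(evidence):
    """Draw trusted claims only from evidence that was validated with a non-zero score."""
    claims = {}
    for ev in evidence:
        if VALIDATION in ev.techniques and ev.score > 0:
            claims.update(ev.claims)
    return claims


def level_of_assurance(evidence):
    """Assumed LoA (0-3) from the amount and quality of proofed evidence.

    An address check alone gives level 1; a verified passport/ID card gives 2;
    adding a separate address proof and an identity risk check gives 3."""
    validated = [e for e in evidence if VALIDATION in e.techniques and e.score > 0]
    verified_id = any(e.kind in ("passport", "id_card") and VERIFICATION in e.techniques
                      and e.score >= 3 for e in validated)
    separate_address = any(e.kind not in ("passport", "id_card") and "address" in e.claims
                           for e in validated)
    risk_checked = any(RISK_ASSESSMENT in e.techniques for e in evidence)
    if verified_id and separate_address and risk_checked:
        return 3
    if verified_id:
        return 2
    return 1 if separate_address else 0


# Constructed sample evidence for the two scenarios in the text. The risk check is
# deliberately a separate evidence item, independent of the passport.
DELIVERY = [Evidence("address_record", "address_db", {"address": "1 Example St"}, {VALIDATION}, 1)]
BOARDING = DELIVERY + [
    Evidence("passport", "passport_office",
             {"name": "A. Person", "date_of_birth": "1990-01-01", "address": "1 Example St"},
             {VALIDATION, VERIFICATION}, 4),
    Evidence("fraud_check", "risk_service", {}, {RISK_ASSESSMENT}, 2),
]
```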
As the level of assurance increases, the quality and mix of authenticators used to allow re-assertion of that level of assurance should increase.
The following table describes the identity assurance process:
The result of this process is a trusted user with an assured identity. In some implementations of trust frameworks, the level of assurance achieved is recorded against the user and can be presented to the relying party as an indicator of trust in the user.
Interoperability between frameworks might be achieved by aligning levels of assurance or determining equivalence between levels of assurance across different frameworks.
Authentication happens when the user wants to:
- use their Digital Identity to present a level of trust, evidence or eligibility to a relying party,
- maintain their Digital Identity.
The user presents the authenticators that are bound to their Digital Identity, which allow them to be re-recognised in order to use the Digital Identity.
Eligibility Assurance is the process of assessing whether the user is able, or is allowed, to access the relying party’s services.
This might be by presentation of a passport to board a flight, presentation of qualifications to gain employment, or proof of living alone to gain access to benefits.
All of these may be achieved through the collection, validation and verification of eligibility evidence by the user.
From trusted eligibility evidence, further trusted claims can be drawn. For example, trust in a person’s passport number, nationality or inoculation date.
Trust Framework Rules Documents
The following are required to support the Trust Rules: