Trust Frameworks

Introduction

Trust frameworks are a foundational component of the web of trust. A trust framework is a common set of best practice standards-based rules that ensure minimum requirements are met for security, privacy, identification management and interoperability through accreditation and governance. These operating rules provide a common framework for ecosystem participants, increasing trust between them.

As digital service delivery models mature, it is essential that information is protected as it travels across jurisdictional and organizational boundaries. Trust frameworks define and bring together the otherwise disparate set of best practice principles, processes, standards that apply when it comes to collecting and sharing information on the web. As individuals and entities increasingly share their information cross contextually, across industry boundaries, trust frameworks provide the common set of rules that apply regardless of such differences. For example, service providers ranging from government agencies, banks and telecommunication companies, to health care providers could all follow the same set of data sharing practices under one trust framework. This macro application serves to reduce the need for bilateral agreements and fragmentation across industry. Ultimately trust frameworks serve to increase trust, improve efficiencies, and deliver significant economic and social benefits.

Some use-cases will require more detailed rules to be established than those set out in a trust framework with broad scope. Where this is the case, more detailed rules around specific hierarchies and roles can be established within the context of the higher order trust framework. The goal is always for the components of the framework to be transparent, and adherence to those components to be public. This enables entities to rely on the business or technical process carried out by others with trust and confidence. If done correctly, a trust framework is invisible to those who rely on it every day. It allows individuals and entities to conduct digital transactions knowing that the trust frameworks underpin, create accountability, and support the decisions they’re making.

Trust Framework concept

Use Cases for Trust Frameworks

Historically speaking, trust frameworks have been extraordinarily complex and only worth the investment for high-value, high-volume transactions, such as the ones established by credit card companies. Now, with the introduction of decentralized technologies, there is a need to create digital trust frameworks that work for a much broader variety of transactions. Realizing the scope of this work comes with the recognition that there will be many different trust frameworks, both small and large in scope, for different federations across the web. Given that context, it is important to preserve end-user agency as much as possible as trust frameworks are developed and adoption and mutual recognition increases.

Looking at the ecosystem today, we can broadly group trust frameworks into three categories:

Categories of trust frameworks

Domain-specific Trust Frameworks

  • These are typically developed to serve a specific use-case, for example within a particular industry
  • Often driven by industry and/or NGOs
  • These have been able to develop faster than national trust frameworks (which are based in legislation), and as such may inform the development of national trust frameworks

National Trust Frameworks

  • Typically broad in application and to facilitate a policy objective (for example, increased trust in data sharing)
  • Driven by individual governments to address the needs of their citizens and residents
  • Based in legislation, with more enforcement powers than either Domain-specific Trust Frameworks or International Trust Frameworks
  • Likely to be informed by both Domain-specific Trust Frameworks and International Trust Frameworks

International Trust Frameworks

  • These are typically broad in nature and developed to serve many countries, much like a model law
  • Typically driven by governments, industry, or NGOs but geographically agnostic
  • Likely to inform National Trust Frameworks

Accreditation and Assurance

An important part of satisfying the operational components of a trust framework is the ability to accredit ecosystem participants against the trust framework. This is a logical extension of the rules, requirements, and regulations trust frameworks set out. Trust frameworks typically include an accreditation scheme and associated ongoing compliance testing.

One aspect of accreditation in the identity context is compliance with standards. In the context of identity related trust frameworks, there are several kinds of assurance that relying parties will typically seek. These can include binding, information, authentication, and federation and identity assurance. Each standard may define their own distinct levels of assurance. The NIST Digital Identity Requirements and New Zealand Identification Management Standards are a good example of how this works in practice.

The process of accreditation and a successful certification is a core part of trust frameworks as it proves to the wider ecosystem (including auditors) that the entity, solution, or piece of software meets the business and technical requirements defined. Digital identity systems are increasingly modular, and one solution might involve a variety of different components, roles and providers. These should be developed and defined as part of the process of standing up a trust framework, testing its capabilities and defining processes around accreditation.

Technical Interoperability

Trust frameworks help to improve interoperability between entities by defining a common set of operating rules. In addition to setting out business and legal rules, it is important that high level technical rules are specified as well. Trust frameworks must clearly define expectations around the technical standards to be used, as well as what aspects of these standards are normatively required, optional, or somewhere in between. When it comes to digital identity trust frameworks, this may mean building on open-source code or evaluating against open test suites.

Test suites allow for normative testing around standards requirements and offer a way for parties to audit and ensure the processes being used throughout the identity lifecycle. They can be incredibly useful not only for entities using the trust framework, but for mutually recognized trust frameworks to understand and interpret the requirements coming from a particular set of rules.

Ongoing development of several digital identity trust frameworks based on the emerging decentralized web of trust can be found at industry organizations such as the Kantara Initiative and Trust Over IP Foundation as well as government-driven initiatives such as the Pan-Canadian Trust Framework.