In just 18 months, the IDESG has come a long way from its chaotic first meeting in Chicago. The phrase of the week for over 200 total in-person and virtual attendees this month at the Identity Ecosystem Steering Group (IDESG) plenary in Atlanta: keep your foot on the gas. With this in mind, attendees set their sights on a challenge laid down by and a senior White House cyber security official in the opening keynote: develop a trustmark scheme by the end of 2014, backed by a handful of high profile early adopters.
Responding to this challenge, the newest round of NSTIC pilots made their presence known, work on the Identity Ecosystem Framework moved forward, and the IDESG has taken a major step forward toward becoming self-sustaining, with members voting to incorporate IDESG as a not-for-profit corporation, governed by a Board of Directors. It has established a handful of core committees that are making progress each week on components of the Identity Ecosystem Framework. And it is starting to integrate ideas and results from NSTIC pilots.
Looking back at the plenary, three things stood out:
NSTIC pilots are starting to drive the conversation.
The IDESG and the NSTIC pilots were always envisioned as complementary efforts– with pilot outcomes and deliverables directly feeding work on the Identity Ecosystem Framework in the IDESG, and with IDESG deliverables being used to assist the pilots. We’d already seen good examples of the latter – with each of the NSTIC pilots using the IDESG Privacy Committee’s Privacy Evaluation Methodology (PEM) to assess and refine their own adherence to the NSTIC’s privacy guiding principle– but there were fewer examples of the pilots driving IDESG activities.
That seemed to change at this most recent plenary; the work the pilots are doing is now directly informing and influencing work in IDESG committees. This should not be a surprise – 12 NSTIC pilots are now active, and many of them are directly tackling some of the hairy policy issues that identified in committees. In some cases, the pilots are moving forward with new and innovative approaches that the committees have not contemplated – and as they share their work and lessons learned, it is helping to drive the committee work in new directions.
As pilots have proceeded, an issue that has come up time and time again with interested relying parties is branding. Most federated identity solutions today require RP’s to display the logos of the different identity providers that they accept– but many companies have bristled at the notion of displaying the logos of other firms on their homepage. We’ve seen this in two NSTIC pilots, where the “identity guys” in major firms that wanted to participate could not persuade their marketing and branding teams to allow it – the teams would not stand for other logos on their website.
Yet these same sites do have other logos that are not company names but rather trustmarks – think VISA or BBBOnline – that tell customers how payment cards will be handled or whether a firm complies with the Better Business Bureau’s code of business practices. It’s not a new logo that is an issue, it’s that logos tied to specific brands may be off-putting.
A company-neutral trustmark for online identity that is recognized by consumers and businesses may go a long way toward enabling consumers and businesses to more readily reap the benefits of the identity ecosystem. NSTIC itself discussed the importance of this trustmark – but progress has been elusive.
To that end, the work being done in some of the NSTIC pilots is helping to drive new concepts for trustmarks forward. GTRI and Internet2 teamed up on a “Future of Trust” session on Day 2 of the plenary that discussed some new and novel approaches for applying the trustmark concept to the identity ecosystem.
The White House challenge
It’s not just the pilots that are driving the trustmark conversation. On the first day, the IDESG heard a keynote from Andy Ozment, Senior Director for Cybersecurity on National Security Staff at the White House, where Andy reinforced the importance of NSTIC not only to the nation’s efforts to improve cybersecurity, but also as a keystone to efforts to ensure the openness, freedom and interoperability of the Internet.
When asked by an audience member what single task he wanted the IDESG to tackle in 2014, Andy had a simple answer: he challenged the IDESG to develop a basic trustmark scheme for the Identity Ecosystem and get backing from a handful of high profile early adopters.
This may not be a simple task, but we believe it is achievable. The IDESG Trust Framework and Trustmark (TFTM) committee has been hard at work over the last year, and its efforts – combined with some of the new thinking emerging from the pilots – offer plenty of elements that can move this task forward. The challenge over the next few months is to reconcile these different approaches on how a trustmark scheme can be created, and put a roadmap in place that will allow it to advance.
To that end, the next IDESG plenary is set for April 1-3 in Silicon Valley; details are at http://www.idecosystem.org/. We expect a great discussion and continued progress – both in the weeks leading up to it, as well as at the event – on how to drive a trustmark for the Identity Ecosystem Framework forward.