Some communities and organizations that share common user bases and transaction types are addressing challenges to users’ privacy and security by allowing users to access multiple services through common login processes. This approach – known as federated identity management – enables users to access multiple online organizations and services through shared authentication processes, instead of authenticating separately with each service provider.
Federated identity management is based on trust, especially between the organizations and service providers that use it. The “rules” for federated identity management are known as “trust frameworks” and the organizations that agree to follow such rules and participate are known as “identity federations.”
Want to know more about trust frameworks?
Check out today’s release of draft NIST Internal Report (NISTIR) 8149: Developing Trust Frameworks to Support Identity Federation. This document provides an informational look at trust frameworks and explains what they are, what their components are, and how they relate to the concept of identity federation. We’re seeking feedback from the stakeholder community on this draft as well and would love to get your feedback—see below for details.
The major end goal is simple: to facilitate the widespread adoption of trust frameworks for organizations and the communities that benefit from them. Trust frameworks aren’t new, so this document doesn’t intend to introduce them to the public. Rather, the draft NISTIR aims to educate communities interested in pursuing federated identity management as they try to establish the agreements that will make up the framework. It includes guidance on determining roles in an identity federation, what to consider from a legal standpoint, and understanding the issues of establishing and recognizing conformance.
Additionally, we hope we can help standardize the language around identity federation and trust frameworks in the future to contribute to a common understanding of the concepts.
What’s the central issue?
Online service providers are struggling more and more to find ways that are secure and protect user privacy to verify that their consumers are who they say they are. The default solution up until now has been to require consumers to register and create an account each time they access a new service, but this requires additional effort from service providers and puts the burden on consumers to keep track of many different accounts and login details. Remembering passwords for every single account is not practical and many consumers are ignoring well-known security best practices that recommend not reusing usernames and passwords between sites. Additionally, convincing users to adopt multi-factor authentication is that much harder when we must ask them to do so across dozens of sites.
Draft NISTIR 8149 covers all the critical topics of trust frameworks, including roles and responsibilities, framework components and rules, legal structures (including risk and liability), and establishing and recognizing conformance. We won’t go into the details here, so please take a look at the draft.
How to comment
Like so many of our documents, it won’t be complete without feedback from our stakeholders; we rely on you telling us what we got wrong and what we outright missed.
Because of the positive feedback we continue to receive on our other documents hosted on GitHub, we’re doing so again via our NISTIR 8149 GitHub page. You can conveniently access the repository’s ‘Issues’ tab, where you can contribute comments via a form. Using that tab, you can summarize your suggested changes and submit them for further discussion in a forum-style format. More instructions on this are available online.
Also, given that this is a more narrative style document, we understand that it might be easier for some to submit comments through a good old fashioned comment matrix. If so, please use this matrix and send it to firstname.lastname@example.org. These comments will likely get added by us to GitHub for maximum transparency and collaboration—so please anticipate that any feedback emailed to us will be made public.
The 30-day open comment period is from October 3rd – November 1st, 2016.
While NIST is better known for its focus on developing standards and technology, we never lose sight of the many enablers of technology that can make or break a market. A sustainable marketplace requires active work to establish the organizational structures and agreements that make room for great technologies; whether a technologist or attorney, policymaker or executive, establishing trust in digital identities isn’t a spectator sport.