Trust.

It’s not a protocol (yet) or a piece of software (yet), but Mike Neuenschwander is certain it is one of the missing elements in the identity infrastructure, cloud or otherwise.
 
Neuenschwander, a senior manager with Accenture, thinks there is not enough focus on trust right now, and that without that focus the emerging cloud identity infrastructure and protocols will suffer from the same gaps that exist now with enterprise-based systems.
 
“We know we can’t prevent bad things from happening ever, but we know for sure we can have a better rate of security when certain conditions are met,” said Neuenschwander. “If we can figure out how to code five or six important elements of a trust relationship, then that will be a more stable model than randomly hoping that people won’t screw each other over.”
 
What is needed is a game-changing moment, says Neuenschwander, a witty presenter whose take on things leaves audiences thinking outside their comfort zone. He will be pondering some game-changer suggestions at July’s Cloud Identity Summit when he leads a session entitled “Accenture’s Best Practice for Cloud Security.”
 
“We need to stop laying new asphalt on the same old highways,” he says. “There needs to be a focus on trust; what creates trust in situations where you have partners that are collaborating and don’t know each other that well going into it.”
 
Neuenschwander says security is one issue, but the challenge is also trying to improve the trustworthiness of the transaction. “Identity protocols by and large assume you have all that worked out somewhere else.”
 
He wants to explore what happens when something goes wrong, something off the script. “That stuff is not worked into the protocols right now,” he says. “It would be interesting to figure out how to do some of that stuff as a matter of protocol rather than having to get lawyers on the phone.”
 
Says Neuenschwander, "If we are going to have an environment of any-to-any and not repave existing partnerships, the industry has to develop a systematic approach to trust."
 

Register for the Cloud Identity Summit, July 20-22, 2010 at Colorado's Keystone Resort.


 

 


John,

The industry HAS developed a systematic approach to trust. It's called the Open Identity Trust Framework Model, and it's been implemented by the Open Identity Exchange (OIX -- http://www.openidentityexchange.org/).

I know Mike knows about it, so I'm not sure why he didn't mention it. But I look forward to briefing you and Mike on it in much more detail -- the trust frameworks that OIX is beginning to work on now will be a major step forward for mass-market Internet identity and data sharing.

Best,

=Drummond
Executive Director
Open Identity Exchange


Drummond,
I think Mike is great at stirring the pot, so I look forward to his session and his thoughts, and I look forward to hearing from you and getting deeper into OIX. It's something I would like to write more about. Let's talk.
Are you going to be at the Cloud Identity Summit?
You could do an entire session during the UnConference portion.


Hi Drummond,

Thanks for the comments. I like what I've seen from OIX, and I think it's an important and useful framework. For one thing, OIX has put the spotlight on the issue of trust, which is greatly needed. But I don't feel OIX quite fits the bill for "social trust online" or a "trust protocol." Have a look at my post on the subject:

http://hybridvigor.org/2010/03/29/oix-please-dont-abuse-the-word-trust/

"Trust" is a loaded term, and so semantics is half the battle here. I think of trust in terms of social devices that enable "multilateral, durable collaborative action" (per Elinor Ostrom). Social Trust Online requires building online systems that incorporate such devices. Maybe we should debate this at the unconference?


The kind of “trust” that I think we are talking about with regard to identity assurance is whether one party can trust an identity claim made by another party. And by “trust” I specifically mean whether there is sufficient reason to believe that the claim is true. When two parties don’t know anything about each other, there is no reason to believe that such claims are true. So trust frameworks like OIX and IAF solve this problem by introducing a third party that is “trusted” to act as a verifier of claims. But why would either party believe that an identity claim issued by this third party identity provider is true? The relying party trusts the claim if it believes that the identity provider conforms to a certain set of criteria for things such as identity proofing, credential issuance and management, etc. But most likely the relying party hasn’t examined those criteria in depth to decide whether conformance to those criteria is sufficient to merit its trust. And even so, how does the relying party really know that the identity provider is in conformance? Now it must “trust” that an independent auditor has confirmed that conformance. And why does the relying party believe the auditor?

Ultimately I think trust boils down to having a certain degree of faith. You can’t verify everything yourself, so at some point, you have to have faith that others have done what they’re supposed to do.

So I don’t believe that OIX equates identification with trust, but that OIX instead provides a basis for claims of identity to be trusted by specifying the criteria on which that trust is based.


To address the line of comments here I ended up writing a bit of a rant. In this post, I think it is very important to underline that trustworthiness goes very much beyond what is trusted technically. OIX Frameworks brings the issue forward and importantly the last line of the OITF document by Mary Rundle states
"The authors want to make it clear that trust frameworks for identity information portend to be so important for the future information society that they warrant extensive scrutiny, participation, and feedback from a wide representation of stakeholders."

Without reading too much into this it is clear that even the authors of this framework put this significant caveat in as the conclusions of the framework for a big reason. Clearly, the authors here know there are issues of identity trust in this framework that go beyond what is the 'technically trusted' context of identity management and Open Id.

I think the fact that the same word trusted means different things socially and technically is not even the tip of the iceberg as far as the scope of the issue is here. The tip is that this issue isn't already clearly called out. (especially in something called a trust framework)

I agree with Mike that some of these issues are so important that they shouldn't be confused when building Identity Management Systems.

Personally, the only type of trust I want is the type that puts me (the individual) in control of my own information so that there is no possibility of my identity being used without my consent or legitimate process. This is more aptly called control. In this context institutions can then become trustworthy as they don't have a choice. Unlike interpersonally, as Bob mentions above, where "you have to have faith that others have done what they’re supposed to do." This quote is an apt cliche for the issue at hand, as the leap of faith referred to here is operationally between people, not between a person and a company. Dig a bit deeper and the successful company is first a relationship for a profit not for the benefit of the person. Between the law and economics of these stakeholders there is layer upon layer of complexity divorcing the individual from transparency and ways to act on it. In the end, my personal opinion is that the OIX trust framework is obviously biased as it provides a more 'trusted' way for an individual to make themselves more transparent but does not provide a way for the institutions to act transparently (e.g. current notice to the individual (PP, TOSA) is still in the dark ages). Critically, the OITF is increasing the usability and security of an identity but seriously lacking in usable notice and consent. Necessary for an individual to make contextual decisions on trustworthiness (this is a significant gap). My point being, the claim that Identity Assurance and the OIX Trust frameworks are trusted, at a minimum, needs much better clarification. e.g. This OIX Trust framework states that this authority is in control of authenticating an identity, this control provides assurance, which reduces the risk to all parties, therefore this Level of Identity Assurance can be more trusted than what exists now, for these reasons. (list reasons)
