Trust in Trust Frameworks, the missing link
Abbie Barbir, Ph.D, OASIS Board of Directors


1 Trust in Trust Frameworks, the missing link
- Abbie Barbir, Ph.D
- OASIS Board of Directors, http://www.oasis-open.org/board

2 OASIS Overview
- Organization for the Advancement of Structured Information Standards (OASIS)
- Mission is to promote and encourage the use of structured information standards such as XML
- Development, convergence and adoption of e-business standards
- Development of vertical industry applications, conformance tests, interoperability specifications
- Lightweight, open process designed to promote consensus
- Not-for-profit consortium
- Founded in 1993 as SGML Open
- Global representation
- 5,000+ participants representing 600+ organizations and individual members in 100+ countries

3 Current Board of Directors

4 Global Coverage
Europe in OASIS
- OASIS has become increasingly European
- European Office established at AFNET
OASIS Member Section Program
- Offering a unique advantage for independent groups interested in advancing and promoting the intelligent use of open standards
- Maintain their own identities as distinct organizations while gaining access to OASIS infrastructure, resources, reputation, administrative support, and expertise
- Current Member Sections

5 Current Member Sections 1/2
- OASIS AMQP: Advances business messaging interoperability within middleware, mobile, and Cloud-based environments.
- OASIS CGM: Web graphics standards
- OASIS Blue: Open standards for smart energy grids
- OASIS eGov: Focal point for discussions of governmental and public administration requirements for e-business standardization.
- OASIS Emergency Interoperability: Accelerates development, adoption, application, and implementation of emergency interoperability and communications standards

6 Current Member Sections 2/2
- OASIS Idtrust: Development and adoption of standards for identity and trusted infrastructure technologies, policies, and practices
- OASIS LegalXML: Unites legal and technical experts in a common forum to create standards for the electronic exchange of legal data.
- OASIS Open CSA: Advances open standards that simplify SOA application development via the Service Component Architecture (SCA) and Service Data Objects (SDO) families of specifications.
- OASIS Web Services Interoperability (WS-I): Advances Best Practices for selected groups of standards, across platforms, operating systems, and programming languages.

7 The threat: Cyber crime

8 Cyber crime losses are growing

9 Identity crime affects all sectors

10 Identity Management Drivers Financial Institutions Identity Theft Drivers

11 Entity Authentication Assurance
- Joint work with ISO JTC1/SC 27/WG5 and ITU-T SG 17/Q10
- Standardizes four Levels of Assurance (LoAs)
  - to promote trust,
  - improve interoperability, and
  - facilitate identity federation across organizations and borders
Why Work on Authentication Assurance
- Provides a consistent basis for trust and promotes identity federation
- Enables credential re-use in different contexts
- Promotes efficiency and reduces costs
- Enables cross-organization and cross-border services
- Provides framework for further standardization
- Establish foundation for liability and other legal aspects
- Brings together existing work in this area and will not “re-invent the wheel”:
  - Kantara Initiative, ITU-T, NIST standards efforts, OASIS
  - New Zealand, Australian, U.S., European, and Canadian e-government efforts
  - EU research efforts (STORK, IDABC, etc.)

12 Case Study
The Problem
- Most U.S. government agencies want to offer more online applications to citizens:
  - Research, grant proposals, taxes, benefits, data sharing
- Authentication is a large barrier to deployment:
  - There is no universal citizen credential
  - Application-specific credentials are difficult and expensive:
    - Identity proofing
    - Forgotten passwords from infrequent usage
    - Help desks and other maintenance overhead
    - Multiple collections of personally identifiable information (PII)
Possible Solutions
- Government agencies can act as the Relying Party (RP) rather than the Identity Service Provider (IdSP) and accept credentials issued by “trusted” external organizations
- The X.eaa standard can be used to develop a trust framework and adoption process that defines IdSP requirements for the LoAs
- IdSP certification program based on a trust framework
- In Canada, the BC government is doing pilot studies to use open standards credentials from several certified IdSPs

13 Current Model: 4 Levels of Assurance
Level            Description
1 - Low          Little or no confidence in the asserted identity
2 - Medium       Some confidence in the asserted identity
3 - High         High confidence in the asserted identity
4 - Very High    Very high confidence in the asserted identity

14 OASIS Trust Elevation TC
- OASIS Electronic Identity Credential Trust Elevation Methods (Trust Elevation) TC
- http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=trust-el
- Works to define a set of standardized protocols that service providers may use to elevate the trust in an electronic identity credential presented to them for authentication
- Responds to suggestions from the public sector, including the U.S. National Strategy for Trusted Identities in Cyberspace (NSTIC).
- Promotes interoperability among multiple identity providers--and among multiple identity federations and frameworks--by facilitating clear communication about common and comparable operations to present, evaluate and apply identity [data/assertions] to sets of declared authorization levels

15 Towards Trust Frameworks
Some Pain Points
- Internet transactions are anonymous (low trust)
- Value transactions are identity based
  - Anonymous to identity enabled
- Enable identity-based systems while protecting privacy (PII)
- Isolation of Issuer and target Identity
- Enable the right to forget
- Identity dashboard for user to keep control of identity and related data (Data Ownership)
- Consumer Protection
- Identity Service Provider Liabilities
- Audit, compliance and policy enforcement
- Simple to use system

16 Current Basic “Trust Triangle”
- User has direct trust relationship with IDSP and RP
- How can the IDSP and RP trust each other?
* Source OIX

17 Where Trust Frameworks Fit
Diagram labels:
- Technology Interoperability (Identity Protocols)
- Usability (User Experience Ceremonies)
- Market Expansion & Adoption
- Hardware Devices (Security Capabilities)
- Internet Identity Layer
- Policy Interoperability (Trust Frameworks)
* Source OIX

18 Should we have Trust in Trust Frameworks
- Key question: how much do we trust the identity enrolment stage?
- Do we trust breeder documents and the verification process?
- The elephant in the room: the rise of Synthetic ID
So what are Synthetic IDs?
- Synthetic identity happens when a criminal steals bits and pieces of info from different people and creates a new identity with no carbon copy.
- A social security number is used with a different name and date of birth.
- Difficult to detect because of all the mismatched pieces of information.
- Criminals are getting bold
- Trend to claim ID theft as opposed to account busting
- Need better means of validating breeder documents
- Not all breeder documents are trustable

19 Standards are like parachutes. They work best when they're open. Q&A

