[ID4me Governance] Trust framework

Thomas Keller thomas.keller at 1und1.de
Thu Oct 4 12:19:39 UTC 2018

Hi Vittorio,

The general concept is fine, also I think it's fine to limit the association's activity to authorities and validators and let each authority deal with their agent; it makes the system thinner and more effective especially in the startup phase. I would like to hear other comments, though; especially, in the ICANN model the "registrars" are accredited by the central organization, while we wouldn't be doing the same here, so I am wondering whether there is any reason that we can give for this difference when we will be asked.

# This is based on the ccTLD model, which does not require any accreditation by ICANN.

I would find a different word/acronym to define the levels of accreditation, as "LoA" in the identity world is generally used to identify the standardized levels of assurance on the end user's identity. Maybe just "accreditation level". Also, I think we can agree that it will be up to each relying party to decide what to do with the accreditation level of the authority/validator used by the final user.

# I totally agree. We definitely should find another “unbiased” term. Let's list “accreditation level” as a first suggestion.

I assume that the interaction models you enumerate are just meant to be descriptive, i.e. we are not limiting the possible relationships or the possible mergers of the various roles into a single company - right?

# Yes, these are just some examples of how we could juggle roles around. There was a big wish for flexibility and I believe this model allows for it.

The next question would be how to make this happen in practice. There is not much work involved in maintaining a database of companies, but there is a lot of work involved in actually auditing them to give them higher accreditation levels. I have no familiarity with setting up this kind of business, so I am wondering how you do it - do you subcontract the actual verification to specialized third parties? Who bears the cost? Is it included with the membership fee, or would it be unrelated to membership and paid separately by each applicant?

# I assume we should agree on the basic concept first. Once we have done so we can tackle these questions one by one (including a definition of the real LoA for data).


