[ID4me Governance] Trust framework

Matthias Pfeifer | dotBERLIN GmbH & Co. KG pfeifer at dot.berlin
Thu Oct 4 14:27:40 UTC 2018

Hello Vittorio,

From: Governance_wg <governance_wg-bounces at lists.id4me.org> On behalf of Vittorio Bertola
Sent: Thursday, 4 October 2018 12:43
To: Thomas Keller <thomas.keller at 1und1.de>; ID4me Governance WG <governance_wg at lists.id4me.org>
Subject: Re: [ID4me Governance] Trust framework

On 4 October 2018 at 11:12, Thomas Keller <thomas.keller at 1und1.de> wrote:

Hi again,

Seems like I need to work on my Google docs skills a bit ;)

I hope this link finally works

Ok, here are some comments.

The general concept is fine, also I think it's fine to limit the association's activity to authorities and validators and let each authority deal with their agent; it makes the system thinner and more effective especially in the startup phase. I would like to hear other comments, though; especially, in the ICANN model the "registrars" are accredited by the central organization, while we wouldn't be doing the same here, so I am wondering whether there is any reason that we can give for this difference when we are asked.

I would find a different word/acronym to define the levels of accreditation, as "LoA" in the identity world is generally used to identify the standardized levels of assurance on the end user's identity. Maybe just "accreditation level". Also, I think we can agree that it will be up to each relying party to decide what to do with the accreditation level of the authority/validator used by the final user.

I assume that the interaction models you enumerate are just meant to be descriptive, i.e. we are not limiting the possible relationships or the possible mergers of the various roles into a single company - right?

The next question would be how to make this happen in practice. There is not much work involved in maintaining a database of companies, but there is a lot of work involved in actually auditing them to give them higher accreditation levels. I have no familiarity with setting up this kind of business, so I am wondering how you do it - do you subcontract the actual verification to specialized third parties? Who bears the cost? Is it included with the membership fee, or would it be unrelated to membership and paid separately by each applicant?

[>] I am looking from this perspective: The relying party has to decide if the authority for the user (data) has a sufficient “Level of Trust”. Not sure whether ID4me has or should be in a role to list (and manage in some way) accreditations, but of course ID4me can list self-described profiles of authorities.

Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola at open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy