[ID4me Governance] Trust framework

Thomas Keller thomas.keller at 1und1.de
Fri Oct 5 08:02:54 UTC 2018


And one more thing.

I guess it is very important that we allow for it but do not force people into it. So no mandatory accreditation but rather a self-certification type of model.

tom

From: Governance_wg [mailto:governance_wg-bounces at lists.id4me.org] On behalf of Thomas Keller
Sent: Friday, 5 October 2018 10:01
To: Matthias Pfeifer | dotBERLIN GmbH & Co. KG <pfeifer at dot.berlin>; Vittorio Bertola <vittorio.bertola at open-xchange.com>; ID4me Governance WG <governance_wg at lists.id4me.org>
Subject: Re: [ID4me Governance] Trust framework

Hi Matthias,

> [>]I am looking from this perspective: The relying party has to decide if the authority for the user(data) has a sufficient “Level of Trust”. Not sure whether ID4me has or should be in a role to list (and manage in some way) accreditations but of course ID4me can list self-described profiles of authorities.

But how are they going to do this? If we don’t provide them with any kind of indication we will have a hard time convincing them to onboard our standard.

tom

From: Governance_wg [mailto:governance_wg-bounces at lists.id4me.org] On behalf of Matthias Pfeifer | dotBERLIN GmbH & Co. KG
Sent: Thursday, 4 October 2018 16:28
To: Vittorio Bertola <vittorio.bertola at open-xchange.com>; Thomas Keller <thomas.keller at 1und1.de>; ID4me Governance WG <governance_wg at lists.id4me.org>
Subject: Re: [ID4me Governance] Trust framework

Hello Vittorio,

From: Governance_wg <governance_wg-bounces at lists.id4me.org> On behalf of Vittorio Bertola
Sent: Thursday, 4 October 2018 12:43
To: Thomas Keller <thomas.keller at 1und1.de>; ID4me Governance WG <governance_wg at lists.id4me.org>
Subject: Re: [ID4me Governance] Trust framework

On 4 October 2018 at 11.12 Thomas Keller <thomas.keller at 1und1.de> wrote:

Hi again,

Seems like I need to work on my Google docs skills a bit ;)

I hope this link finally works

https://docs.google.com/presentation/d/1cy3N-OjqpTpypvdv2CWv439QXTk7y2t0ZVyR7-AAid8/edit?usp=sharing

Ok, here are some comments.

The general concept is fine, also I think it's fine to limit the association's activity to authorities and validators and let each authority deal with their agent; it makes the system thinner and more effective especially in the startup phase. I would like to hear other comments, though; especially, in the ICANN model the "registrars" are accredited by the central organization, while we wouldn't be doing the same here, so I am wondering whether there is any reason that we can give for this difference when we will be asked.

I would find a different word/acronym to define the levels of accreditation, as "LoA" in the identity world is generally used to identify the standardized levels of assurance on the end user's identity. Maybe just "accreditation level". Also, I think we can agree that it will be up to each relying party to decide what to do with the accreditation level of the authority/validator used by the final user.

I assume that the interaction models you enumerate are just meant to be descriptive, i.e. we are not limiting the possible relationships or the possible mergers of the various roles into a single company - right?

The next question would be how to make this happen in practice. There is not much work involved in maintaining a database of companies, but there is a lot of work involved in actually auditing them to give them higher accreditation levels. I have no familiarity with setting up this kind of business, so I am wondering how do you do it - do you subcontract the actual verification to specialized third parties? Who bears the cost? Is it included with the membership fee, or would it be unrelated to membership and paid separately by each applicant?

[>]I am looking from this perspective: The relying party has to decide if the authority for the user(data) has a sufficient “Level of Trust”. Not sure whether ID4me has or should be in a role to list (and manage in some way) accreditations but of course ID4me can list self-described profiles of authorities.

Ciao,
--
Vittorio Bertola | Head of Policy & Innovation, Open-Xchange
vittorio.bertola at open-xchange.com
Office @ Via Treviso 12, 10144 Torino, Italy