Identity Ecosystem Functional Model: Discussion Guide
IDESG Security Committee, September 19, 2013
Adam Madlin

Today's Agenda
• NSTIC requirements
• Our approach
• Starting point functional model
• Identify key characteristics
• Next steps

DRAFT Functional Model Goals
• Create the Identity Ecosystem functional model
• Define and differentiate the IDE functional model vs. the framework
• Support the NSTIC guiding principles:
  • Privacy-enhancing and voluntary
  • Secure and resilient (includes scalability)
  • Interoperable
  • Cost-effective and easy to use
• Phased releases to support ecosystem evolution
  • Initial release within 6 months, synchronized with the initial Trust Framework release
• Identify gaps to be addressed
• Other goals?
Functional Model High Level Plan, Sept 5, 2013

DRAFT High Level Plan
• Review existing accepted functional models and catalogue them
• Agree on overall goals
• Identify key requirements and characteristics
• Develop our functional model
• …
Basic Definitions of Roles
• Attribute Authority: An entity recognized as having the authority to verify the association of attributes to an identity.
• Attribute Manager
• Attribute Provider
• Attribute Verifier
• Credential Manager: The entity that fulfils the process of issuing, maintaining, and authenticating a credential.
• Credential Service Provider (CSP): A Credential Service Provider comprises an Identity Provider and a Credential Manager.
• Identity Proofer: An Identity Proofer verifies people's identities before an enterprise issues them accounts and credentials.
• Identity Provider (IdP): Either (1) an entity that issues identifiers to other entities, or (2) an entity or system that creates, maintains, and manages identity information and provides principal authentication to other service providers.
• Intermediary: There can be an operational layer between the Identity Providers, Attribute Providers and Relying Parties in an identity ecosystem, which may be known as an Intermediary. The Intermediary may be a passive pass-through transactional layer, or it may have logic to process transactions in accordance with policy.
• Relying Party (RP): A Relying Party is an organization that relies on an identity validation to ensure that the individual is who they claim to be.
• Service Provider: An organization or system that wishes to provide a commercial service (in the private sector), or is mandated to support a government entitlement (in the public sector).
Based on Kantara IAF Model
[Diagram: an Entity may possess a Token and an Identity Record; a Token Manager manages the Token; an Attribute Manager manages the Identity Record; a Credential Manager manages the Token-Identity Link; an Online Services Provider uses the resulting credential.]
Sources: Anil John, GSA TSF

NSTIC Model
[Diagram: NSTIC Model]
Functional Model Characteristics / Requirements
• Value added to a participant as a result of the existence of the ecosystem
• New added value to the participant
• Ability to federate between and among other networks
• Widely supported
• Interoperable
• Scalable
• Support for the NSTIC guiding principles
• Identification: disambiguate entities within a set scope
• E-authentication
• Structured information sharing
• Verification of issuer
• Privacy-protected storage of information
• Privacy-protected collection of information
• Function for linking and matching disparate records