What Is an Identity Trust Framework?

beansproutscomplete, Software & software development
13 Dec 2013

Wildman Harrold | 225 West Wacker Drive | Chicago, IL 60606 | (312) 201-2000 | wildman.com

Wildman, Harrold, Allen & Dixon LLP


What Is an Identity Trust Framework?
Addressing the Legal and Structural Challenges

Thomas J. Smedinghoff
Wildman, Harrold, Allen & Dixon LLP
Chicago

Chair, ABA Identity Management Legal Task Force

Wildman, Harrold, Allen & Dixon LLP.

Many Transactions Involve Trust Frameworks

Credit card trust framework
ACH electronic funds transfer trust framework
Privacy (e.g., TRUSTe trustmark)

These are a set of specs and rules and legal obligations that address a specific element or issue of importance to the transaction

We are addressing an identity trust framework



The Threshold Problem

We’re not all talking about the same thing
What does “identity trust framework” mean to you?
Consider some examples of definitions . . .



Much Disagreement Re What a Trust Framework Is

FICAM: processes and controls for determining an identity provider’s compliance to OMB M-04-04 Levels of Assurance

ISO 29115 Draft: a set of requirements and enforcement mechanisms for parties exchanging identity information

Kantara: a complete set of contracts, regulations or commitments that enable participating actors to rely on certain assertions by other actors to fulfill their information security requirements

OIX: a certification program that enables a party who accepts a digital identity credential (called the relying party) to trust the identity, security, and privacy policies of the party who issues the credential (called the identity service provider) and vice versa.

OITF Model: a set of technical, operational, and legal requirements and enforcement mechanisms for parties exchanging identity information



Much Disagreement Re What a Trust Framework Is

NSTIC 4/15/2011 Final:

The Identity Ecosystem Framework is the overarching set of interoperability standards, risk models, privacy and liability policies, requirements, and accountability mechanisms that structure the Identity Ecosystem.

A Trust Framework is developed by a community whose members have similar goals and perspectives. It defines the rights and responsibilities of that community’s participants in the Identity Ecosystem; specifies the policies and standards specific to the community; and defines the community-specific processes and procedures that provide assurance. . . . In order to be a part of the Identity Ecosystem, all trust frameworks must still meet the baseline standards established by the Identity Ecosystem Framework.



But In All Cases, the Goal Is . . .

Building an identity system that actually works
  E.g., the plane actually flies

Building an identity system that participants trust
  i.e., are willing to participate in and rely on
  E.g., we are all willing to fly on the plane; we’re confident that it will get us there safely, comfortably, on-time, etc.

For both of these goals, we need to address all of the relevant risks in an acceptable manner




All Trust Frameworks Consist of Two Parts

Technical and Operational Specifications
  Content: technical specifications, process standards, policies, procedures, performance rules and requirements, assessment criteria, etc.
  Goals: make it work; make it trustworthy

Legal Rules
  Content: existing law; contractual obligations
  Goals:
    Regulate Technical and Operational Specifications
    Make Technical and Operational Specifications legally binding on the participants
    Define and govern the legal rights and responsibilities of the participants



Note How the Operational Specs and Legal Rules Relate

The Technical and Operational Specifications are designed to “make it work” from a functional perspective

The Legal Rules
  Regulate the content and implementation of the Technical and Operational Specifications,
  Make the Technical and Operational Specifications enforceable, and
  Address rights and obligations of the parties

But note that:
  Some legal rules come from existing law
  Other legal rules are made up by the parties



As An Analogy -- Consider a Construction Contract

There will be many requirements and specifications
  Blueprints
  Electrical specification
  Plumbing specifications
  HVAC specifications

The specifications reflect much personal choice, but are also subject to regulation by existing law

The specs are attached to a contract whereby
  The builder agrees to build the building in accordance with the specifications, and the buyer agrees to pay for it
  Both parties agree to numerous rules regarding price, schedule, warranties, limits on liability, insurance, applicable law, remedies for breach by the other, etc.

Existing law supplies legal rules not covered in contract



ABA Proposed Definition of Identity Trust Framework

A Trust Framework is the governance structure for a specific identity system consisting of:

the Technical and Operational Specifications that have been developed
  to define requirements for the proper operation of the identity system (i.e., so that it works),
  to define the roles and operational responsibilities of participants, and
  to provide adequate assurance regarding the accuracy, integrity, privacy and security of its processes and data (i.e., so that it is trustworthy); and

the Legal Rules that govern the identity system and that --
  regulate the content of the Technical and Operational Specifications,
  make the Technical and Operational Specifications legally binding on and enforceable against the participants, and
  define and govern the legal rights, responsibilities, and liabilities of the participants of the identity system.



Note that . . .

The Trust Framework is NOT LIMITED to the rules and requirements the participants agree upon

A Trust Framework is a COMBINATION of
  The rules and requirements that the participants (or trust framework provider) write down and agree to, AND
  Existing law

We have to consider the impact of both
Both need to work in harmony



Technical and Operational Specifications: Components Necessary to “Make it Work”

Partial listing of Technical and Operational Specifications:
  Privacy Standards
  Credential Issuance
  Authentication Requirements
  Reliance Rules
  Audit & Assessment
  Oversight
  Credential Management
  Security Standards
  Identity Proofing
  Technical Specifications
  Enrolment



Technical and Operational Specifications: Regulated by Existing Law

NOTE: Must comply with any existing law; also supplemented by existing law

Partial listing of Technical and Operational Specifications (shown on the slide inside a box labelled Existing Law): Privacy Standards, Credential Issuance, Authentication Requirements, Reliance Rules, Audit & Assessment, Oversight, Credential Management, Security Standards, Identity Proofing, Technical Specifications, Enrolment



Legal Rules To Govern Legal Rights of the Parties

Existing Law as Supplemented and/or Modified by Contract

Partial listing of Legal Rules (shown on the slide inside a box labelled Existing Law):
  Warranties
  Dispute Resolution
  Measure of Damages
  Enforcement Mechanisms
  Termination Rights
  Liability for Losses



The Legal Rules Are a Combination of . . .

Public Law (statutes, regulations, common law)
  Existing IdM-specific law, if any
  Existing generally applicable law
    Privacy law, warranty law, tort law (negligence), e-transaction law, defamation law, etc.

Supplanted / Revised by Private Law (created via)
  Contractual agreements among the parties
  Standards adopted by the parties
  Self-asserted undertakings



Identity Trust Framework: Putting It All Together

Contract: “I Agree” to . . .

Legal Rules (shown on the slide inside a box labelled Existing Law): Warranties, Dispute Resolution, Measure of Damages, Enforcement Mechanisms, Termination Rights, Liability for Losses

Technical and Operational Specifications (shown on the slide inside a box labelled Existing Law): Privacy Standards, Credential Issuance, Authentication Requirements, Reliance Rules, Audit & Assessment, Oversight, Credential Management, Security Standards, Identity Proofing, Technical Specifications, Enrolment

Enforcement Element



Common Legal Problems to Be Addressed By a Trust Framework

Legal Uncertainty
  (i) Lack of legal rules and (ii) lack of clarity re applicable legal rules

Liability Risk / Liability Allocation
  Uncertainty over potential liability is a key issue!

Legal Compliance
  E.g., privacy law requirements; security law requirements, etc.

Legal Barriers
  Some laws may adversely impact Identity systems; can they be altered by agreement?

Contract Enforceability
  How can we bind all participants (and affected non-parties) in an enforceable Trust Framework?

Cross-Jurisdiction Issues
  Regulatory law in one jurisdiction may differ from another



Status of Industry Work to Date (1): Limited to Operational Specifications

Technical and Operational Specifications
  Much work being done by many groups and governments
    Groups: Kantara Initiative, Open Identity Foundation, EURIM, STORK, OIX, WS-Federation, etc.
    Governmental: Australia, Belgium, Finland, EU, Germany, India, Scotland, Sweden, U.S., etc.
    Intergovernmental: ITU, OECD, etc.

Legal Rules
  Largely unaddressed!
    Some private (closed) identity systems such as IdenTrust, SAFE-BioPharma, CertiPath, etc.
    Some groups, such as OIX and American Bar Association Identity Management Legal Task Force



Status of Industry Work to Date (2): Most Existing Docs Are Just Components

Most existing work focuses only on a subset of the Technical and Operational Specifications, and thus such documents are only components of an Identity Trust Framework, such as:
  NIST SP 800-63, Electronic Authentication Guideline
  Kantara Privacy Framework (being developed??)
  FICAM Security Assertion Markup Language (SAML) 2.0 Profile
  NASPO National Identity Proofing and Verification Standards
  Entity Authentication Assurance Framework, ISO/IEC 29115:2010 (draft)
  Kantara Identity Assurance Framework: Assurance Assessment
  FIPS 201, Personal Identity Verification

Examples of complete Trust Frameworks might include SAFE-BioPharma, CertiPath, and IdenTrust




A Few Thoughts on Addressing Liability Via a Trust Framework



Three-Part Concern

Risk of loss
  risk of incurring one’s own losses (that cannot be shifted to someone else)

Risk of liability
  risk of being held responsible for losses of others

Risk of non-compliance
  risk of fines or other penalties for regulatory non-compliance



Basic Rule re Liability

When a party suffers a loss or damage
  That party must bear its own losses
  UNLESS there is a basis for shifting the loss from the person that suffered it to someone else

Approaches often used to shift responsibility for losses
  Fault-based approaches
    Intentional act or omission of 3rd party caused the loss
    Negligent act or omission of 3rd party caused the loss
  Strict liability approaches
    3rd party did not cause loss, but still held responsible for the loss based on policy reasons



The Default Rule Is Key Starting Point

Sources of approaches often used to shift responsibility for losses --
  Existing law
  Contract

We need to know the rule under existing law, and then we can determine whether/how to modify it by contract

But we can’t address the issue unless we know the source of the duty
  e.g., warranty, antitrust, tort, contract, duty to authenticate, etc.



Consider an Example . . .

Assume an Identity Assertion is inaccurate and a Relying Party and/or Subject suffers a loss

If negligence law applies
  Liability depends on fault of IdP
  Relative to the standard that applies (by law)
  Depends on nature of loss, the jurisdiction involved, etc.

If warranty law applies
  Liability does NOT depend on fault of IdP
  Depends on nature of warranty that applies (by contract or law)

If both apply???



Some Potential Liability Models

Warranty model: focus on stated or implied guarantees
Tort model: focus on standards of conduct; negligence
DMV model: no IdP liability; other roles bear all risk
Credit card model: no Subject liability; others bear risk
Contractual model: negotiated risk allocation (in theory)
Strict liability: regardless of fault
Liability caps model
EV SSL model: restricts ability of IdP to limit its liability

But recognize that --
  Liability model unlikely to be a one-size-fits-all approach
  Liability is a zero-sum game



The Overall Trust Framework Goal

Develop an acceptable Trust Framework that
  Provides enforceable rules for a workable and trustworthy identity ecosystem that are binding on all participants
  Adequately protects the rights of the parties
  Fairly allocates risk and responsibilities among the parties
  Provides legal certainty and predictability to the participants
  Complies with / works in conjunction with existing law
  Works cross-border (state or country)



The Next Steps

Agree on a general Trust Framework definition
Identify the topics to be addressed for the Technical and Operational Specifications and Legal Rules



Further Information

Thomas J. Smedinghoff
Wildman, Harrold, Allen & Dixon LLP
225 West Wacker Drive
Chicago, Illinois 60606
312-201-2021
smedinghoff@wildman.com