Trust and Internet Identity Meeting Europe
2013 - 2020: Workshops and Unconference

TIIME 2015 Session 24: Strategies for mapping trust frameworks + Incentives for Harmonisation

Conveners: Brook Schofield, Joni Brennan

Tags: Federation Policy, Trust Frameworks


Brook, David G, Scott, Joni, PGP Guy, Peter, Lalla, Nick, Ruth, Frank, Christos, STFS guy, Anders, Daniella, Roland, xxx, OCLC guy, Patrick, Hannah, Maarten, Richard, Alicja.



Brook: What incentive (positive or negative) are available to encourage the IDP/SP admins and their machinery to ensure harmonisation.

Joni: How do we move from "country first" to "interfederation first" harmonisation practices.

Main issues discussed

eIDAS only focuses on inter-country collaboration and does not concern itself of the activities within a country. There are policy decisions where possible and in the technical space there are gateways between the countries.

Is it the possibility that then only incentive is €$£ ?

"We" don't have authority over most of these decisions. So how do we make sure our agenda is covered?

1. Sneaky partnerships are great way of getting our agenda presented by those partners that have a seat at the table for higher level discussions.

2. Utilising the services of these partners as a sign of faith in their participation.

Scott works in the research side - not necessary specific to a single country - reputation is an important mark - and "groups" are willing to shop around for a federation that meets the reputation level that they want. There might not be a need to shop around in future - but if there is - it is an option on the table.

Commercial - Money

R&E - Reputation

Govt - Cyber Security

Joni's notes:

Incentivize federations (eduGain) to comply with best practices

Mapping of national / market trust frameworks

One report preliminary was that eIDAS and US ICAM were nearly ~90% identical.

NSTIC (good not so good)

Yubikey is a good example of a > sneaky for good collaboration that works to create gravity

Motivators vary based on some context >>>

Private Sector > Money

Academia > Reputation

Governments > Security and GDP

Perhaps >> Killer App >> Access to resources >>> the cool factor

Example --- retirement portfolio, benefits etc.

Evangelists for the communications of benefits and risks

Austria – discount for students to hardware

Students forced their universities to join that program to get the discount to force IOP

ORCID >> SAML single-sign-on for universities

Incentivize killer apps developers to use standards protocols (SAML etc.)


Identity portability across cloud is critical but there is not interoperability right now

Standardized adoption tools should be more readily available

Giant Cloud IDPs will drive the standardize

  • Developing of unique frameworks (they want to build their own tools)
  • World where we could map frameworks with each other
  • What could make them valuable for the admin?
  • Why is the federation for scaling of this system
  • How can we incentivise this collaboration first?

The aim is to convince national programs that it something they should do.

aud1: what IDs is?

Providing technical mechanism, eIDAS doesn’t care about what happens in the country - this is the problem. Mix of policies at the level it is possible to apply.


In the private sector business a global connectivity is a must


Trust frameworks seems to be monolithically.

Taking a trust framework and breaking apart the strong credentialing from the strong authentication to make it composable and achievable (this pattern applies to other parts of a trust framework as well)

Separating out the jurisdictionally-required parts from the globally-applicable parts so cross-jurisdictional implementation is possible. Making the jurisdictionally-required parts abstract enough so that they can be mapped to similar requirements in other jurisdictions, and documenting those mappings.

Aud 2: the necessity of doing the business is going to drive alive.

The European requirements are much stricter than US.

Aud 4: question about the documents about the mapping

Aud 2: there are on our website - Peter Alterman, Ph.D Chief Operating Officer - SAFE-BioPharma Association.

There is a line toward where the money is.

Joni: so the incentive is money

Aud 3: we get people working around with stuff - organic solutions are starting to emerge

Aud 4: is it better to have a common frameworks or individual?

Joni: I worry about the fact that we don't have the authority about these things. Sneaky partnerships are important! We want to get the people involved (like John Bradly?) and come back to a larger community to review.

Aud3: Example of sneaky collaboration: talking with Yubico to get stuff like PIV implemented in Yubikeys, other things that we need. Diversity is important, there need to be other vendors we can work with besides Yubico on things like that.

Scott: Reputation goes a long way, risk analysis on reputation. We are afraid of security attacks on our reputation. I think that service providers (especially large providers) have the ability to shop around the federations. If one fed doesn’t give us what we need, we will go to another.

Sum up:

  • Incentivisation comes down to contact:
  • Private sectors – money
  • Academia – reputation
  • Government - GDP+money
  • Killer app is a driver
  • Another driver in the US: TIAA/CREF - in higher education. That would be a driver for schools to implement federated strong authentication.

: the ‘coolness factor’

“Kind of competition: which country is cooler?”

Brook: an on boarding accomplishment (used on every level of education in Taiwan)

Peter: the digital device doesn’t exist because there are multiple devices, they cannot cooperate with the banking sites and that is a problem

  • Proposition of having thousands of mini killer apps
  • There are killer apps with massive audience
  • Joni: Gaining knowledge from different countries and showing its incentives
  • the problem of cloud - lack of portability (identity against cloud)

We want to see the value in putting the effort - its money.

Aud: what about the availability of standard tools?

Many of the snowflakes (the administration of it) is coming to having an argument why they are keeping the luxury snowflake instead of the standard one? You need to create a market - nobody is actually taking this step

Aud3: not having the identity on its place is a deal breaker - again organic evolution against ‘good things’. You could get a situation where a lot IDPs don’t have a way to create another snowflakes.


There is no one simple solution.

The issue is that the killer app always works slightly different in each country.