On August 6, SecureIDNews released a new re:ID podcast episode in which Gina Jordan interviewed representatives from five NSTIC pilots about lessons they have learned through their pilots. Among the interviewees was our project director, John Wandelt, who offered several insights from our pilot.
During the 12th IDESG Plenary Meeting in Atlanta, GTRI NSTIC Trustmark Pilot Project Principal Investigator John Wandelt delivered a 25-minute briefing on the trustmark pilot, during which he provided IDESG members with an update on our recent progress, including initial results from the rollout of trustmarks within the NIEF community during the fall of 2014 and winter of 2015. Video of the briefing is available below. Also, slides from the talk (in PDF format) are available for download here.
Today we are excited to announce the publication of our first round of Trustmark Definitions (TDs) here on the trustmark website. These TDs are the result of many months’ work by our team, including analysis of NIEF requirements, reconciliation of NIEF requirements with other trust frameworks (mostly FICAM), and development of a standard normative structure for TDs.
As we discuss on our technical framework page, a TD is much like a normative specification, but with several important differences. First, a TD includes not only a list of conformance criteria that the Trustmark Recipient (TR) must meet, but also a list of assessment steps that an independent 3rd-party Trustmark Provider (TP) must follow to determine whether the TR conforms to the TD as required. Second, a TD is required to be formatted in a standard structure that permits automated processing by software tools.
Today we are publishing 60 TDs, representing the majority of the NIEF trust framework requirements that we will leverage when we begin issuing actual trustmarks as part of our operational pilot later this year. More TDs are likely to come in the next few months, as we refine both the TDs’ content and the normative specification for TDs, which defines a standard structure to which TDs must conform. Each TD is available in two formats: human-readable HTML and machine-readable XML. All TDs are currently marked as “Version 0.1”, to indicate that they are still somewhat in flux and subject to change.
During the 9th IDESG Plenary Meeting in Gaithersburg, MD, GTRI’s NSTIC Trustmark Pilot Project Principal Investigator John Wandelt delivered an 18-minute webinar briefing on the trustmark pilot, during which he provided IDESG members with an update on the past six months of our progress, including initial lessons learned and our plans to begin rolling out operational trustmarks within the NIEF community during the fall of 2014. Video of the briefing is available below. Also, slides from the talk (in PDF format) are available for download here.
The video from our Birds-of-a-Feather (BOF) session at the 8th IDESG Plenary has been made available on YouTube by the IDESG Secretariat. The session covered the topic of “Machine-Understandable Trustmarks”. The video is available below. Please note that the audio does not seem to be working properly for the first minute of the video, but after that point it is ok.
Last week, at the 8th IDESG Plenary Meeting in Mountain View, CA, GTRI led a Birds-of-a-Feather session on the topic of “Machine-Processable Trustmarks”. During this session, we introduced the session participants to our concepts of a Trustmark, Trustmark Definition (TD), and Trust Interoperability Profile (TIP) at a level of detail somewhat deeper than slide decks and pretty pictures. We highlighted our preliminary requirements documents for trustmarks, TDs, and TIPs, as well as several sample artifacts that we have created during the initial phase of our pilot. Our overview slide deck from the session is also available for download in PDF format.
During the session, one participant raised a simple but important question: Is “trustmark” the best term to describe what we are creating, or could our use of the term “trustmark” cause undue confusion within the Identity Ecosystem? In light of this question, we did a little research and found the following evidence that we think supports our decision to use this term.
First, page 22 of the NSTIC Strategy Document defines a trustmark as follows.
A trustmark is used to indicate that a product or service provider has met the requirements of the Identity Ecosystem, as determined by an accreditation authority. The trustmark itself, and the way it is presented, will be resistant to tampering and forgery; participants should be able to both visually and electronically validate its authenticity. The trustmark helps individuals and organizations make informed choices about the Identity Ecosystem-related practices of the service providers and identity media they select.
Second, Techopedia defines an e-commerce trustmark as follows.
E-commerce trustmark is an electronic commerce badge, image or logo displayed on a website to indicate that the website business has been shown to be trustworthy by the issuing organization. A trustmark gives confidence to customers and indicates to them that it is safe to do business with the web site displaying it.
Both of these definitions differ somewhat from our definition of a trustmark. First, in our trustmark framework, trustmarks can be issued to any organizational entity that participates in the Identity Ecosystem, not just relying parties. Second, our framework supports and encourages the use of multiple trustmarks, each covering a different set of trust or interoperability requirements, rather than a single monolithic trustmark. And third, for obvious security reasons, our concept of a trustmark includes cryptographic signatures that make a trustmark harder to forge than a simple image or logo would be. But on the other hand, both the NSTIC Strategy Doc and Techopedia use the term “trustmark” in a manner that is intended to represent a well-scoped measure of trustworthiness as conveyed by a trusted third party. We believe this to be the core defining characteristic of a trustmark, and for this reason, we believe our choice of the term “trustmark” is appropriate to our pilot.
What do you think? Is “trustmark” the right term for what we are doing in our pilot? Contact us at TrustmarkFeedback@gtri.gatech.edu and let us know!
During last week’s 7th IDESG Plenary Meeting in Atlanta, GTRI NSTIC Trustmark Pilot project Principal Investigator John Wandelt delivered an 18-minute briefing on the trustmark pilot, during which he introduced the rationale and basic concept of our project. Downloadable slides from the talk (in PDF format) are available here. Video of the full briefing is available below.
Following the briefing, Wandelt participated in a 55-minute Q&A session, along with representatives from other NSTIC pilot project grantees. The full video of the Q&A session is available below.
Gina Jordan of re:ID recently interviewed John Wandelt, a GTRI Research Fellow and Division Chief, about GTRI’s NSTIC pilot award for its Trustmark Marketplace pilot project, as part of the SecureIDNews podcast series.
In the interview, Wandelt discusses GTRI’s background in information exchange, including its experience in developing technical specifications such as the National Information Exchange Model (NIEM) and the Global Federated Identity and Privilege Management (GFIPM) suite of specs. He then describes the challenges encountered during the rollout of GFIPM solutions within the U.S. law enforcement community via the National Identity Exchange Federation (NIEF) and other identity federations, and how those challenges led GTRI engineers to develop a trustmark framework approach to wide-scale identity trust across multiple Communities of Interest (COIs). GTRI plans to pilot this concept under its NSTIC award.
The podcast audio is available here.
The U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) has awarded a pilot grant to the Georgia Tech Research Institute (GTRI) in support of the National Strategy for Trusted Identities in Cyberspace (NSTIC).
Under the grant, GTRI will develop and demonstrate a trustmark framework that facilitates cost-effective scaling of interoperable trust across multiple Communities of Interest (COIs) within the Identity Ecosystem and enhances privacy through transparency and third-party validation.
For more information, please see the official GTRI press release.