Scaling Interoperable Trust through a Trustmark Marketplace

This presentation was prepared by Georgia Tech Research Institute using Federal funds under award 70NANB13H189 from National Institute of Standards and Technology, U.S. Department of Commerce. The statements, findings, conclusions, and recommendations are those of the author(s) and do not necessarily reflect the view of the National Institute of Standards and Technology or U.S. Department of Commerce.

Georgia Tech Research Institute

April 2015


Page 1

Scaling Interoperable Trust through a Trustmark Marketplace

Georgia Tech Research Institute

April 2015

Page 2

A Perspective from the LE Community

Desire to share data across jurisdictions

Law Enforcement COI has over 1 million people in the US alone

18,000 US LE agencies

LE agencies are autonomous (NOT centrally funded)

Trust between agencies is a fundamental requirement

But must obey applicable access controls when sharing

Includes trusted transactions with private sector participants.

Federal Agencies

State Agencies

Local Agencies

Public Sector

Task Forces

Fusion Centers

LE agencies are highly heterogeneous with legacy investments

Legitimate business need to interact with many other COIs

Desire to reuse their existing credentials if possible

Page 3

Global Information Sharing FACA

• Program started in 2005

• Funded by DOJ, DHS, & PM-ISE, others

• The need for standards, profiles, reference implementations, conformance testing, technical assistance.

• Complete standards-based solution to federated ID and authorization

• Continued evolution and maturation based on operational experience and new technologies

Page 4

National Identity Exchange Federation (NIEF)

Objectives

• Share user identity and attribute information for authentication, identification, authorization, auditing

• Share agency and resource metadata information

• Provide an on-ramp and roadmap to other relevant ICAM initiatives

• Provide an operational trust framework for doing the above

• Educate and provide technical assistance

Established in 2008 as an outgrowth of the Global Federated Identity and Privilege Management (GFIPM) Initiative with a focus on justice and public safety agencies at the federal, state, and local level. Today, NIEF is beginning to expand support to other communities of interest.

Page 5

NIEF As a Trust Framework

Technical Interoperability

Technical Trust & Crypto

COI Attribute Vocabulary

Legal Agreement

Certificate Policy

Audit Policy

End-User Privacy Policy

Membership Lifecycle Policy

Bona Fides Policy

Page 6

NIEF Onboarding and Trust Fabric

Common Artifacts
• Application Form
• Authority to Operate Doc(s)
• Local Security Policy
• FIPS 200 Checklist

IDPO Artifacts
• Signed IDPO Agreement
• Local User Agreement
• Local User Vetting Policy
• IDPO Attribute Map
• IDP Implementation Doc

Form

Publish

Page 7

Scaling Challenges

Page 8

Achieving Cross-Framework Trust

[Diagram: three groups of IDPs, APs and RPs, labelled ISE A, Federation B and Community of Interest C, each governed by its own ID Trust Framework (A, B, C)]

Suppose this user needs access to this RP.

Page 9

Challenges with “Inter-federation”

[Diagram: two Federations, each containing its own IDPs and RPs]

Why?

1. No two TFs are the same, so mapping trust and interop requirements between them is hard. Think protocols, attributes, policies, etc.

2. TFs are moving targets, which further complicates the mapping process.

3. Transitive trust is diluted trust, so inter-federation trust cannot be as strong as intra-federation trust.

4. Contractual obligations usually cannot be transferred or assigned to 3rd parties, which makes inter-federation legal agreements difficult or impossible to execute.

(Many other issues exist.)

Page 10

Our Approach: Componentization

If the frameworks were modular… then we get:

• Greater transparency of trust framework requirements
• Greater ease of comparability between frameworks
• Greater potential for reusability of framework components
• Greater potential for participation in multiple trust frameworks by ID Ecosystem members with incremental effort and cost

And, most importantly:

[Diagram: ID Trust Framework A, ID Trust Framework B and ID Trust Framework C, each composed of components such as NIST 800-63 LOA 3, OAuth, FIPS 200, FICAM SAML SSO, FIPPs and OpenID]

Page 11

A Trustmark Framework

[Diagram: ID Trust Framework A, ID Trust Framework B and ID Trust Framework C built from the components NIST 800-63 LOA 3, FICAM SAML SSO, FIPPs, OAuth, OpenID and FIPS 200]

These modular components are called Trustmarks.

Think of trustmarks as mini reusable certifications.

Page 12

Scope of Trustmarks

Examples:

• FICAM SAML SSO Profile
• NIST 800-63 / FICAM LOA 3 Identity
• Fair Information Practice Principles (FIPPs)
• FIPS 200 Security Practices
• GFIPM Metadata Registry (User Attributes)

[Diagram labels: Privacy; Business; Security; Technical Trust; Legal; Trustmark Policies & Trustmark Agreements; MACHINE READABLE]

Page 13

Bundling of Components for Business Context

[Diagram: Components bundled into COI A, Federation B and Trust Framework C]

Component Types (Examples): Privacy, Security, Interoperability, Legal, Business Continuity, Personnel, Other

Page 14

A Trustmark-Based Ecosystem

[Diagram: ID Trust Framework A, ID Trust Framework B and ID Trust Framework C, each containing IDPs, APs and RPs]

Existing Trust Frameworks could be expressed as a set of components called a TIP.

Trust Interoperability Profile A, Trust Interoperability Profile B, Trust Interoperability Profile C

Page 15

A Trustmark-Based Ecosystem

[Diagram: the same three groups of IDPs, APs and RPs]

Then each member of the community can acquire the necessary Trustmarks based on the TIP.

[Diagram: TIP A, TIP B and TIP C, surrounded by several Trustmark Providers]

Trustmarks can be acquired through a Trustmark Provider. There can be many Trustmark Providers in the ID Ecosystem.

Page 16

A Trustmark-Based Ecosystem

[Diagram: the same three groups of IDPs, APs and RPs]

Trustmarks can be stored in searchable Trustmark Registries or shared directly with partners.

[Diagram: TIP A, TIP B and TIP C, plus several Trustmark Registries, each listing entries such as IDP X: …, RP Y: …, Etc.]

Page 17

Roles and Responsibilities of the Actors

[Diagram of actors and relations: a Stakeholder Community Defines Requirements; a Requirements Assessor Issues a Listing, Certification, Audit Letter, Etc.; a Complying Party; Interested Parties. Relation labels: Is Used By, Is Required By, Is Trusted By, Is Relied on By.]

Page 18

The Trustmark Framework

[Diagram of actors and relations: the Stakeholder Community Is Represented By a Trustmark Defining Organization, which Defines a Trustmark Definition; a Trustmark Provider Issues trustmarks to a Trustmark Recipient; Trustmark Relying Parties (Org. 1, Org. 2, End User) rely on a Trust Interop Profile bundling Trustmark A, Trustmark B and Trustmark C. Relation labels: Is Used By, Is Required By, Is Trusted By. Annotation: Normative Specs Required.]

Page 19

Trustmark Definitions

Metadata:

• Publisher: U.S. General Services Administration
• Name: NIST/FICAM LOA 2 IDPO TD
• URL: <URL>
• Description and Intended Purpose: …
• Target Stakeholder Audience: …
• Date of Publication: 15 Apr 2014
• Version: 1.0
• Visual Icon:

Conformance Criteria:

Conformance to the Identity Provider Organization (IDPO) conformance target of this TD requires the following.

1. The IDPO MUST …
2. The IDPO MUST …
3. The IDPO MAY …
4. …

Assessment Process:

Before issuing a trustmark subject to this TD, a Trustmark Provider MUST complete the following assessment steps.

1. The TP MUST …
2. The TP MUST …
3. The TP MUST …

Certification as a Trustmark Provider:

Before an entity may issue trustmarks subject to this TD, it MUST complete the following certification process.

1. The entity MUST …
2. The entity MUST …
3. The entity MUST …

Trustmark Extension Schema:

Trustmarks issued subject to this TD MUST conform to the Trustmark Base Schema, and MUST also conform to the following Trustmark Extension Schema.

[Slide annotations marking the machine-readable form of each section: XSD, XML, XML, XML?, XML]

Page 20

Sample Trustmark Definition

https://trustmark.gtri.gatech.edu/operational-pilot/trustmark-definitions/

Page 21

Example Conformance Criteria: Registration and Issuance

Page 22

Example Assessment Steps: Registration and Issuance

Page 23

Trust Interoperability Profile (TIP): Bundling Trustmarks for Business Context

Metadata:

• Publisher: U.S. Dept. of Justice
• URL: <URL>
• Name: U.S. Law Enforcement Community Info Sharing TIP
• Description and Intended Purpose: …
• Date of Publication: 15 Jun 2014
• Version: 1.0
• Digital Signature of Issuer: <SIGNATURE>

Trust and Interoperability Criteria:

Identity Provider Organization (IDPO) Trustmark Requirements:

  Trustmark                     Requirement    Approved Trustmark Providers
  FICAM SAML SSO IDP            MUST HAVE      NIEF or IJIS
  NIEF/FICAM LOA 2 IDPO         MUST HAVE      NIEF or Kantara
  NIEF Attribute Profile IDPO   MUST HAVE      (ANY)
  XYZ Privacy Policy IDPO       SHOULD HAVE    (ANY)

Service Provider Organization (SPO) Trustmark Requirements:

  Trustmark                     Requirement    Approved Trustmark Providers
  FICAM SAML SSO SP             MUST HAVE      NIEF or IJIS
  NIEF Attribute Profile SPO    MUST HAVE      (ANY)
  XYZ Privacy Policy SPO        MUST HAVE      (ANY)

[Slide annotation: XML]

Page 24

Trustmark Assessment Tool Process Flow

[Diagram: Trustmark Provider; Trustmark Assessment Tool with Database; Trustmark Definitions (e.g. the Registration and Issuance Requirements TD); Trustmark Recipient Candidate]

1. Load TDs into Assessment Tool
2. Receive request for trustmark from Trustmark Recipient Candidate
3. Perform assessment of Trustmark Recipient Candidate
4. Store assessment artifacts / evidence in database
5. Issue trustmark to Trustmark Recipient

Page 25

Sample Screen Shot from Trustmark Assessment Tool

Page 26

Trustmark Binding

[Diagram: Endpoint Metadata carries TM1 Attr, TM2 Attr, … TMN Attr plus Other Attrs; each TMn Attr points to a [3rd Party] Issued Trustmark (Trustmark 1, 2, … N), and each trustmark is defined by a Trustmark Definition (1, 2, … N) that includes an Attribute Definition. The consumer of the metadata is the Trustmark Relying Party (TRP).]

• Trustmark Attributes expressed in Endpoint Metadata
  - We do this today in SAML
  - Metadata structure could be that of [OIDC Disc], [OIDC DCR], or [OAuth DCR]
• Trustmark Attribute values are URLs of locations of issued Trustmarks
• Trustmark Attributes defined by Trustmark Definitions

Page 27

“Levels” of Trustmark Reliance

[Diagram: the same binding picture as the previous slide: Endpoint Metadata with TM1 Attr … TMN Attr and Other Attrs, Trustmarks 1 … N, Trustmark Definitions 1 … N with their Attribute Definitions, and the Trustmark Relying Party (TRP)]

0. TRP does not have to rely on Trustmarks (backwards-compatibility).

1. TRP can check for presence of appropriate Trustmark Attributes according to TDs it cares about.

2. TRP can follow Trustmark links and verify Trustmark legitimacy and Binding legitimacy.
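As an added example (not code from the GTRI deck or from the Trustmark Framework), the following Python models a TRP applying the IDPO requirements from the TIP slide at reliance levels 1 and 2 from this slide: level 1 only checks that the endpoint metadata carries an attribute for each required TD, level 2 follows the attribute URL and checks the trustmark's definition, provider, signature and binding to the endpoint. The entity ids, trustmark URLs and the `ISSUED` lookup are constructed, and signature verification is reduced to a flag.

```python
# Added example, not from the GTRI deck: a Trustmark Relying Party (TRP) checks an
# endpoint's metadata against a TIP at reliance levels 1 and 2. All data is
# constructed; real trustmarks are signed XML fetched from the attribute URLs.
from dataclasses import dataclass

@dataclass(frozen=True)
class Requirement:
    td: str                  # Trustmark Definition the TRP requires
    level: str               # "MUST" or "SHOULD", as in the TIP tables
    providers: frozenset     # approved Trustmark Providers; empty means (ANY)

@dataclass(frozen=True)
class Trustmark:             # what the TRP finds when it follows a trustmark URL
    td: str
    provider: str
    recipient: str           # entity the trustmark was issued to
    signature_valid: bool    # stand-in for verifying the provider's signature

# Constructed TIP modelled on the deck's IDPO requirements table.
TIP = [
    Requirement("FICAM SAML SSO IDP", "MUST", frozenset({"NIEF", "IJIS"})),
    Requirement("NIEF/FICAM LOA 2 IDPO", "MUST", frozenset({"NIEF", "Kantara"})),
    Requirement("NIEF Attribute Profile IDPO", "MUST", frozenset()),
    Requirement("XYZ Privacy Policy IDPO", "SHOULD", frozenset()),
]
ISSUED = {  # constructed stand-in for fetching issued trustmarks from their URLs
    "https://tp.example/tm/1": Trustmark("FICAM SAML SSO IDP", "NIEF", "idp.example", True),
    "https://tp.example/tm/2": Trustmark("NIEF/FICAM LOA 2 IDPO", "Kantara", "idp.example", True),
    # bound to a different entity: present at level 1, rejected at level 2
    "https://tp.example/tm/3": Trustmark("NIEF Attribute Profile IDPO", "NIEF", "other.example", True),
}
ENDPOINT = {"entity_id": "idp.example", "trustmarks": {   # constructed endpoint metadata
    "FICAM SAML SSO IDP": "https://tp.example/tm/1",
    "NIEF/FICAM LOA 2 IDPO": "https://tp.example/tm/2",
    "NIEF Attribute Profile IDPO": "https://tp.example/tm/3"}}

def level1(tip, endpoint):
    """Level 1: only check that an attribute for each required TD is present."""
    return {r.td: r.td in endpoint["trustmarks"] for r in tip}

def level2(tip, endpoint, resolve=ISSUED.get):
    """Level 2: follow each link and verify trustmark and binding legitimacy."""
    results = {}
    for r in tip:
        tm = resolve(endpoint["trustmarks"].get(r.td, ""))
        results[r.td] = bool(
            tm and tm.td == r.td                        # issued under the right TD
            and tm.signature_valid                      # trustmark legitimacy
            and tm.recipient == endpoint["entity_id"]   # binding legitimacy
            and (not r.providers or tm.provider in r.providers))
    return results

def satisfies(tip, results):
    """A TIP is met when every MUST holds; SHOULD failures are only advisory."""
    return all(results[r.td] for r in tip if r.level == "MUST")
```

The constructed endpoint passes at level 1 but fails at level 2, because one trustmark it points to was issued to a different entity; that is the binding check the deck separates from mere attribute presence.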

Page 28

NIEF Trustmark Issuance and Binding

[Diagram: the NIEF Trustmark Assessment Processes (Trustmark Assessment Tool) produce Trustmark 1, Trustmark 2, … Trustmark N for a NIEF Member Agency (Trustmark Recipient); the agency's NIEF Trust Fabric Entry lists Trustmark 1 … N, is Signed by NIEF (Trust Fabric Entry Editor), and is held in the NIEF Trust Fabric Registry (Trust Fabric Registry Manager Tool)]

Page 29

NIEF Trustmark Usage by TRPs

[Diagram: NIEF Trust Fabric Registry; Trustmark Relying Party; Trust Interoperability Profile (TIP)]

1. Query for trust fabric entries with required trustmarks, in accordance with local TIP
2. Receive matching trust fabric entries
3. Install entries in local product

Page 30

Trustmark Legal Framework

[Diagram: the Trustmark Provider, Trustmark Recipient and Trustmark Relying Party are linked through the Trustmark Policy, the Trustmark itself, the Trustmark Recipient Agreement and the Trustmark Relying Party Agreement. Edge labels: Explicit Relationship (twice), Implicit Relationship, Explicit Reference (four times).]

Page 31

Progress to Date

• Development & Refinement of Trustmark Concept
  - Technical Framework 1.0: https://trustmark.gtri.gatech.edu/specifications/trustmark-framework/1.0/
  - NIEF Trustmark (Component) Definitions (62): https://trustmark.gtri.gatech.edu/operational-pilot/trustmark-definitions/
  - NIEF Trust Interoperability Profiles (10): https://trustmark.gtri.gatech.edu/operational-pilot/trust-interoperability-profiles/
• Development of Software Tools
  - Trustmark Assessor Tool, Trust Fabric Registry, & Others
• Socialization of Trustmark Concept
  - Trustmark Pilot Website: https://trustmark.gtri.gatech.edu
• Conducting Operational Pilots

Page 32

To Learn More…

https://trustmark.gtri.gatech.edu