Trust Frameworks? Standards Matter.
Note: This post is the author’s opinion only and does not represent the opinion of the author’s employer, or any organizations with which the author is involved.
Over the past few years, and especially in the face of COVID-19, there has been a proliferation of activity in developing digital identity trust frameworks. Trust frameworks are being developed by the private sector and the public sector, as collaborative or sector-specific efforts. Trust mark and trust certification programs are also emerging alongside trust framework development efforts.
These trust framework development efforts are worthy undertakings and the results of these efforts should automatically engender trust. But the problem that we are now faced with, all good intentions aside, is — how do we truly trust a trust framework?
The answer is simple — with standards.
Trust frameworks need standards to be trusted.
“a document that provides a set of agreed-upon rules, guidelines or characteristics for activities or their results. Standards establish accepted practices, technical requirements, and terminologies for diverse fields.”
This standard definition might sound straightforward — making a ‘standard’ might sound easy, but the hard part is all the work leading up to agreeing on those things that are part of a standard — the agreed-upon rules, guidelines or characteristics for activities or their results.
That’s where trust frameworks come into play. Much of the work that eventually ends up in a standard is years if not decades in the making. For years I have been part of developing the Public Sector Profile of the Pan-Canadian Trust Framework. This work started in earnest in early 2015, building on work that goes as far back as 2007 (you can find a lot of the historical material in the docs folder in the PCTF repository on GitHub).
What has come out of all of this work is a trust framework — a set of agreed-upon principles, definitions, standards, specifications, conformance criteria, and an assessment approach.
This definition of a trust framework sounds pretty much like a standard, doesn’t it? Yes and no. What the trust framework has not gone through is a standards development process that respects and safeguards the interests of all stakeholders affected by the standard. Within the Canadian context, that’s where the Standards Council of Canada comes into play by specifying how standards should be developed and how to accredit certain bodies to be standards development organizations.
So trust frameworks, however good and complete they are, still need to go through the step of becoming an official standard. Fortunately, this is the case in Canada, where the Public Sector Profile of the Pan-Canadian Trust Framework was used to develop CAN/CIOSC 103–1:2020 Digital trust and Identity — Part 1: Fundamentals. This standard was developed by the CIO Strategy Council, a standards development organization accredited by the Standards Council of Canada.
In closing, there are lots of trust frameworks being developed today. But to be truly trusted, a trust framework needs to either apply existing standards or become a standard itself. In Canada, we have been extremely fortunate to see the good work that we have done in the public sector transformed into a national standard that serves the interests of all Canadians.