ID Ecosystem Steering Group
What is this document?
This document provides answers to frequently asked questions regarding Kantara and the IDEF Working Group’s Self-Assessment Listing Service (“IDEF Registry”) program. The IDEF Registry provides an authoritative source of self-reported contact and basic service information about a select group of companies, government agencies, and other entities that offer trustworthy and reliable online identity-related services.
What is the IDEF Registry?
The IDEF Registry is a publicly-accessible listing service of entities that provide online identity services (“Service Providers”) that have self-assessed and confirmed their conformity to the IDEF Baseline Requirements. The IDEF Registry helps parties to evaluate the policies and operations of the Service Providers with which they interact, and to compare identity services across multiple Service Providers, to assure that their practices meet their needs for online security, privacy, interoperability and positive user experience.
The IDESG originally developed the IDEF and the IDEF Registry Program to raise the bar for online services as envisioned in the US National Strategy for Trusted Identities in Cyberspace (“NSTIC”). See also “What is the IDESG?” below. The IDEF Registry provides a way for Service Providers to publicly declare their conformity to the IDEF Baseline Requirements, thus providing useful information to individual and institutional consumers of their services in order to make better-informed selections of services that best fit their respective needs.
Why was the IDEF Registry created?
The IDEF Registry program presents an invitation to identity Service Providers to self-assess against the Identity Ecosystem Framework (IDEF) – a set of common, baseline requirements for the performance of identity-related services for privacy, security, interoperability, and user experience for the online Identity Ecosystem. The IDEF Registry Program is intended to provide transparency and information to IDEF Registry Users that the Service Providers listed on the IDEF Registry have asserted conformance to the common requirements.
Who needs this service?
The IDEF Registry is of value to parties that depend on the reliability and integrity of online identity and data services. That includes almost everyone who interacts online. The IDEF Registry helps individuals and entities decide who they want to trust online. It is of use to those parties that want to learn more about the reliability and trustworthiness of online identities and data services offered in the various markets—based on the degree of implementation and conformance to the IDEF Baseline Functional Requirements.
Who is on the IDEF Registry list?
The entities whose information is displayed in the IDEF Registry program have taken the time and effort to publicly confirm their positive self-assessment of their conformity to the IDEF Baseline Requirements. This distinguishes them from other companies and identity service organizations, and demonstrates their commitment to the NSTIC principles of security, privacy, ease of use, cost effectiveness, resiliency, interoperability and user choice. These Service Providers have voluntarily taken on additional effort and expense to earn your trust.
Are there any costs for IDEF Registry listings or usage?
Application to the IDEF Registry Program, and access to the IDEF Registry Listing Information, are available at no charge to Service Providers or to the public at this time. Parties that are listed on IDEF Registry are referred to as “Service Providers” and parties that simply access the IDEF Registry listing information are referred to as “IDEF Registry Users.”
What is the IDESG?
The Identity Ecosystem Steering Group (IDESG) was a non-profit, non-governmental organization established to promote secure, user-friendly ways to help provide individuals and organizations confidence in their online interactions. The IDESG was established to advance the National Strategy for Trusted Identities in Cyberspace (NSTIC), an initiative that was launched by the President of the United States in 2011 (PDF link) to establish and sustain an online interaction environment that is secure, broadly interoperable, cost-effective and easy to use and that enhances privacy of the individual and provides greater security for individuals and entities. For additional information on the IDEF Registry program, see the IDEF Registry working group.
To further this mission, the IDESG produced a set of rules, guidelines, standards and processes called the “Identity Ecosystem Framework” (IDEF), which online identity Service Providers and related parties are invited to use to assess and report on their degree of implementation and conformance through the IDEF Registry Program. When multiple Service Providers commit to the common standard of the IDEF, they are better able to work together to provide more trustworthy, secure services and to enhance the leverage of identity credentials that citizens already possess for multiple purposes.
By registering, Service Providers demonstrate their commitment to privacy, security, user needs and other NSTIC principles by taking on the cost and effort of self-certification and compliance. Their common commitment to the NSTIC goals is a form of policy standardization that, like technical standardization, is a pathway to enhanced risk reduction and leverage for listed Service Providers and IDEF Registry Users.
What is the Identity Ecosystem Framework?
The IDESG’s Identity Ecosystem Framework (IDEF) defines the set of minimum, baseline requirements for Service Providers in the Identity Ecosystem. The IDEF contains rules, reference models, processes and policies that describe how entities in the Identity Ecosystem are expected to operate. The purpose of the IDEF is to lay the foundation for a thriving Identity Ecosystem that operates in accordance with the NSTIC guiding principles of increased security, interoperability, ease of use and enhanced privacy. The IDESG has developed the IDEF, and the IDEF Registry Program, to meet the principles that all participants in a broad, open, safe community of federated identity should voluntarily follow.
Are there plans to expand the IDEF Registry to include third party assessment and certification marks?
Yes. Initially the program calls for the self-assessment and conformance confirmation of Service Providers to the IDEF Baseline Requirements. The IDESG is building future capability for third-party assessment and conformance attestation as well.
What is the self-assessment process for IDEF Registry listing?
The self-assessment is a responding party’s evaluation of its performance in implementing each of the Baseline Requirements, using a structured checklist format (the IDEF Registry Matrix), in a form that enables applicant Service Providers to easily assess, confirm and express their conformance to the IDEF Baseline Requirements. IDEF Registry applicant Service Providers will need to assess their organization’s policies, procedures, systems and operations against the IDEF Baseline Requirements to determine the degree to which they have implemented and conform to those requirements. The self-assessment results are recorded on the IDEF Registry Matrix and submitted to Kantara’s concierge, along with a statement reporting on the applicant’s status of implementation (if not fully conformant) or attesting to its full conformance to the applicable requirements. Kantara will post organizational information and the IDEF Registry Matrix for all accepted Service Providers.
The IDESG does not validate the substance of the self-assessment information it receives from applicant Service Providers. Rather, the IDESG publicly posts the completed IDEF Registry Matrix self-report for each responding Service Provider.
What types of entities can be listed in the IDEF Registry?
There are a variety of different entities that might be interested in distinguishing themselves in markets and service settings as offering the risk reduction and leverage advantages of conformity to the IDEF Baseline Requirements. This includes any entity providing “identity services” in an existing online Identity system (Service Providers) and institutional parties that handle and consume identity information from such Service Providers (Relying Parties). Such services include, but are not limited to, the following:
- Identity account enrollment, registration, and/or maintenance;
- Identity proofing and/or verification;
- Credential issuance and/or management; and
- Authentication and authorization services that rely on identity authentication from others, for access authorization and/or transactions, such as online retail sites, cloud service providers, or online government benefits programs. These are sometimes called “Relying Parties.”
See the “Functional Model” for more information and discussion of those roles. (PDF link)
The types of services listed above reflect different stages of the processes through which identities of people, entities and things are established and maintained online in networked information systems. They are separated out for IDEF Registry purposes because each listed stage of the identity process involves different types of data-related actions and each has a different risk profile, and because many of the listed subservices are provided by different parties, even within a single online identity system.
How do the “Relying Parties” (role #4 above) differ from roles 1 through 3?
Relying Parties include the businesses and governments that rely upon the online identity systems offered by the Service Providers described by the previous three categories. Even though they rely on the credentials in the ordinary course of their respective businesses, many of these Relying Parties also have a role in protecting the integrity of the systems that enhance IDESG principles.
“Relying Parties” may be the largest category of potential reporting entity, since there are many more Relying Parties than there are Service Providers in the first 3 categories. The “authorization” role in the last category of provider is roughly analogous to the role of restaurants or retail stores in the credit card system. In credit card networks, there are many more retail establishments that accept and rely on cards than there are banks that issue the cards and handle payments and payment processors that facilitate the information flows. Consider that restaurants rely on the integrity of the information systems maintained by the credit card companies, banks and other stores and restaurants (so that they don’t end up giving away free meals), AND they also have a role to play as part of that system in maintaining its integrity.
For example, restaurants and stores have to make certain that their employees don’t misuse credit card information since that would harm the system and the many parties that rely on its integrity. In order to similarly reflect the entire Identity Ecosystem, the IDEF Registry includes both traditional identity service providers (roles 1-3) and other service providers that rely on online identity systems (role 4) in the listing in an effort to assure that there is a single place where stakeholders can check to confirm that all transactional parts of the online Identity Ecosystem are working in harmony with respect to the NSTIC principles.
Why are identity services subdivided into defined classes, in the IDEF and IDEF Registry materials?
In today’s distributed online identity systems, multiple parties typically work together to provide identity services in a given system. In fact, technical and policy standards upon which all stakeholders can rely enable these networks of relationships to grow without the parties having to deal directly with one another. This is the case in credit card systems, for example, and other similar existing networks of relationships that rely upon technical and policy standards to help guide their participants to work better together to provide the consistency and reliability needed to earn trust in both economic transactions and social and political interactions in various distinct settings.
These services are the “nuts and bolts” of online trusted systems. If they are properly operated with attention to the NSTIC principles, they can result in trusted online identity systems, and trustworthy relationships and interactions that are more reliable, predictable, consistent and less risky.
How do I provide a report as a Service Provider for posting in the IDEF Registry Program?
Questions from Providers
What is the value of the IDEF Registry for Identity Service Providers and Relying Parties?
By qualifying for listing in the IDEF Registry, Service Providers and Relying Parties gain:
- Risk reduction through the clarification of duties offered by the IDEF Baseline Requirements;
- Competitive differentiation from parties not listed in the IDEF Registry;
- Marketing exposure to IDEF Registry Users;
- Identification of potential joint offerings and collaborations with other Service Providers;
- Reputation enhancement for online policy leadership and customer care innovation;
- Permission to reference their listing as a listed Identity Service Provider in advertising and promotional materials; and
- Benefit of timely access to IDEF Working Group publications and research into emerging customer needs and market trends as reflected in the IDEF and discussion forums.
What is required for a Service Provider to be listed in the IDEF Registry?
To be listed in the IDEF Registry, Service Providers must be bona fide service providers in the Identity Ecosystem and must self-assess and report on the degree that their identity-related services conform to the IDEF Baseline Requirements.
What is the Self-Assessment Matrix, and how do I use it for my own self-assessment?
The Self-Assessment Matrix provides a standard structure for Service Providers to report the results of their assessment of their operations based on the IDEF Baseline Requirements. The Matrix lists all applicable baseline requirements for the Service Providers’ functions under assessment and links to Supplemental Guidance for each requirement to assist in the self-assessment process. The Matrix allows IDEF Registry Applicants to report the status of implementation for each requirement in one of four ways: fully conformant, implementation underway, implementation considered and implementation not considered/applicable. The Matrix allows IDEF Registry Applicants to provide additional information to support the reported status of implementation.
What is the process for getting listed on IDESG IDEF Registry?
Before you get started, you will need to:
- create a login/registration to IDESG – COMING SOON
- determine the person who should complete this report (see Who Assesses)
- preview the Baseline Requirements
- decide how many and which services you plan to register; have the URL and a brief (200-character) description for each service
- decide which of the 5 core operation categories (Registration, Authentication, Credentialing, Authorization, Transaction Intermediation) each service covers (see IDEF Functional Model)
- have your organization’s DUNS Number, or other government-assigned registration number
How can I get help with my questions about the application process?
Questions and/or requests for information or assistance can be sent to firstname.lastname@example.org.
Questions from IDEF Registry Users
What is the value of the IDEF Registry for individuals and entities?
By using the IDESG IDEF Registry to help select their online service providers, IDEF Registry Users can gain:
- Greater privacy, security, and transparency when conducting business online,
- Easier-to-use online systems,
- Cost savings and resource savings through simpler identity controls,
- Relevant identity information to help inform online transaction decisions,
- Improved service consistency, reliability, and predictability across various online services, and
- Greater engagement with future Identity Ecosystem developments.
Is Kantara providing independent verification of the Provider self-assessment?
No. Kantara does not validate the Service Provider self-assessment information it receives. Rather, the IDEF Registry Program uses crowdsourcing and reputation to ensure the accuracy of IDEF Registry Self-Assessment entries.
Does the IDEF Registry automatically update IDEF Registry entries when the provider changes its policies or operations?
How can I convince my Identity Service Provider to get on the IDEF Registry?
Let your Service Providers know that the NSTIC principles and requirements are important to you, and affect your decisions about who you want to associate with online. You can vote with the choices you make online. If you are either an Identity Service Provider that is currently not on the IDEF Registry, or you are working with one who is not, ask yourself why. Please encourage your organization to review the IDEF Registry Baseline Requirements to increase the transparency and integrity of their customers’ online interactions.
What prevents Service Providers from providing false or misleading information about their self-assessment results?
This site is maintained by the Identity Ecosystem Steering Group, Inc. with the support of the National Strategy for Trusted Identities in Cyberspace (NSTIC) National Institute of Standards and Technology (NIST). The views expressed do not necessarily reflect the official policies of the NSTIC or NIST; nor does mention of trade names, commercial practices, or organizations imply endorsement by the U.S. Government.