GSWG Trust Assurance Task Force
Background/Context
Trust is defined as the “firm belief in the reliability, truth, ability, or strength of someone or something”. Digital trust is built from three main components: Cryptographic Trust, Human Trust and Referential Trust. Referential Trust is established when a trustworthy entity transfers trust to a third party.
In a digital world, trust is essential. As shown in the ToIP Governance Stack, human trust is heavily relied upon in Layer Three (Credential Exchange) and is refined in the Ecosystem Governance Layer (Layer Four) with the introduction of the following roles, which together create a referential trust ecosystem: Governed Actor, Credential Registry, Governance Authority, Auditor and Audit Accreditor. The following diagram depicts how these roles interact.
Figure A – Referential Trust Assurance Ecosystem
The ecosystem creates assurance for verifiers, credential holders and relying parties that trust anchors are applying generally accepted trust criteria to their methods and practices, through the introduction of accreditation and independent third-party audits that act in their interest. Relying parties acquire trust from the ecosystem based on the ability of the players to follow through on their commitments and the integrity of their decisions. Symbols of this trust are stored on a publicly accessible credential registry so that they can be propagated throughout the ecosystem.
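To make the referential trust chain concrete, the following added Python example (not part of the ToIP charter or any ToIP deliverable) models a relying party checking a registry: an Audit Accreditor accredits an Auditor, the Auditor audits a Governed Actor (here, a credential issuer), and the attestations are published on a Credential Registry. The registry, the attestation format, the organisation names and the expiry rule are all hypothetical assumptions made for illustration; the point shown is that trust in the actor is only as good as the unbroken, unexpired chain back to an accreditor the relying party already trusts.

```python
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Attestation:
    """A published symbol of trust: one party vouches for another until a date.
    kind is "accreditation" (accreditor -> auditor) or "audit" (auditor -> governed actor)."""
    kind: str
    issuer: str
    subject: str
    valid_until: date


class CredentialRegistry:
    """Hypothetical in-memory stand-in for a publicly accessible credential registry."""

    def __init__(self, attestations):
        self._items = list(attestations)

    def lookup(self, kind, subject):
        return [a for a in self._items if a.kind == kind and a.subject == subject]


def verify_referential_trust(registry, actor, trusted_accreditor, today):
    """Return (ok, reasons). ok is True only if some current audit of `actor`
    was issued by an auditor holding a current accreditation from `trusted_accreditor`."""
    reasons = []
    audits = registry.lookup("audit", actor)
    if not audits:
        return False, [f"no audit of {actor} on the registry"]
    for audit in audits:
        if audit.valid_until < today:
            reasons.append(f"audit of {actor} by {audit.issuer} expired {audit.valid_until}")
            continue
        # Referential step: the auditor's standing comes from the accreditor, not from itself.
        accreditations = [a for a in registry.lookup("accreditation", audit.issuer)
                          if a.issuer == trusted_accreditor]
        if not accreditations:
            reasons.append(f"auditor {audit.issuer} is not accredited by {trusted_accreditor}")
            continue
        if not any(a.valid_until >= today for a in accreditations):
            reasons.append(f"accreditation of {audit.issuer} has expired")
            continue
        return True, [f"{actor} audited by {audit.issuer}, accredited by {trusted_accreditor}"]
    return False, reasons


# Constructed sample registry; the names are placeholders, not real organisations.
TODAY = date(2024, 6, 1)
REGISTRY = CredentialRegistry([
    Attestation("accreditation", "AccreditorA", "AuditorX", date(2025, 1, 1)),
    Attestation("audit", "AuditorX", "IssuerGood", date(2024, 12, 31)),
    Attestation("audit", "AuditorX", "IssuerStale", date(2024, 1, 31)),        # expired audit
    Attestation("audit", "AuditorRogue", "IssuerUnvetted", date(2025, 1, 1)),  # auditor never accredited
])


def check(actor):
    """Relying-party view: does the chain back to AccreditorA hold for this actor today?"""
    return verify_referential_trust(REGISTRY, actor, "AccreditorA", TODAY)


if __name__ == "__main__":
    for actor in ("IssuerGood", "IssuerStale", "IssuerUnvetted", "IssuerUnknown"):
        ok, reasons = check(actor)
        print(actor, "TRUSTED" if ok else "NOT TRUSTED", "-", "; ".join(reasons))
```

Only IssuerGood passes: the stale audit and the audit from an unaccredited auditor are both rejected with a stated reason, which is the behaviour a relying party wants from a registry-backed check rather than a silent boolean.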
The Governance Metamodel includes a Controlled Document section titled "Risk Assessment, Trust Assurance and Certification". The deliverables contributing to this section are derived from this TF.
This task force will further develop the trust assurance roles and processes, which will be used to establish generally accepted roles, responsibilities and standard processes for actors relying upon ToIP ecosystems.
Objectives
- To establish the process whereby risk is considered, assessed and properly treated in ToIP ecosystems.
- To embed mechanisms that will add to the reliability of actors and processes within the ToIP Governance Stack
- To develop assurance processes of roles operating at all layers of the ToIP Governance Stack
- To establish sets of criteria for actors in the ToIP ecosystem to assert levels of assurance they convey into the ToIP ecosystem
- To create models for certification schemes that can be deployed by ToIP customer ecosystems
- To align assurance roles and processes with the ToIP Technical Stack
- To align with schemas and semantics being developed in other areas of the ToIP Foundation
- To advocate on these subjects in the broader Internet community.
Conveners
- Scott Perry, Scott S. Perry CPA PLLC
Membership and Joining
Prior to participating in the meetings please ensure that you are a member of the Trust Over IP Foundation. More detail on this can be found at this link.
To indicate your interest in joining this TF, add your name to this list:
Deliverables
The GSWG TA Task Force is an incubator of deliverables on the topic of Risk Assessment, Trust Assurance and Certification on behalf of the Governance Stack Working Group. These deliverables take the form of whitepapers, recommendations, templates and specifications.
The task force intends to create well-defined descriptions of the roles, responsibilities and processes that all actors play in the trust assurance schemes under which ToIP ecosystems will operate. The focus will be on governance and operational processes, touching on technical processes only as needed for its purposes. This task force will not focus on technical interoperability processes (deferring to the Technical Stack Working Group). These definitions are critical to establishing and consistently applying governance principles across all four ToIP layers.
Key deliverables will include, but are not limited to:
- ToIP Trust Assurance Primer provides an overview of Trust Assurance concepts and why it is an important aspect of ToIP governance. (Google Document version)
- ToIP Risk Assessment Kit is a guide that Governance Authorities can use to develop a risk assessment enabling a proper control scheme to be implemented
- ToIP List of SSI and Verifiable Credential Risks is an inventory of various risks that affect the Governance Stack for consideration in risk assessments
- ToIP Levels of Assurance defines classes of objects (e.g. credentials) and actors participating in creating, maintaining and using those objects at defined levels of assurance
- ToIP Ecosystem Control Objectives and Practices identifies a set of control requirements and suggested control practices of roles in an ecosystem to address risks in an ecosystem and varying levels of assurance
- ToIP Trust Assurance Framework Implementation Guide is a reference guide to Governance Authorities to assist in creating an appropriate risk-based scheme for an ecosystem
- ToIP Risk Assessment (Google Document version), Trust Assurance, and Certification Controlled Document Template are models for governance framework developers to assist in creating various controlled documents of the Governance Metamodel.
- ToIP Trust Criteria Matrix Template is a model for governance frameworks that want to enact their own assurance criteria for governed roles operating in the ecosystem. (Google Document version)
- ToIP Certification and Trust Marks is a deep dive into enacting a formal certification scheme using Trust Marks
Intellectual Property Rights (Copyright, Patent, Source Code)
As a Task Force (TF) of the Governance Stack WG (GSWG), the GSWG TA TF inherits the IPR terms from the GSWG JDF Charter. These include:
- Copyright mode: Creative Commons Attribution 4.0. For the GSWG TA TF, this is probably the only relevant licensing provision.
- Patent mode: W3C Mode (based on the W3C Patent Policy). The GSWG TA TF is not expected to produce any deliverables subject to patent rights.
- Source code: Apache 2.0, available at http://www.apache.org/licenses/LICENSE-2.0.html. The GSWG TA TF is not expected to produce source code.
Milestones
Key milestones will include, but are not limited to:
- Establishment of GSWG Trust Assurance Task Force
- Issuance of the ToIP Trust Assurance Primer
The work of the GSWG P&R TF will be complete when a baseline set of deliverables is submitted to the GSWG and the ToIP Steering Group. It is likely that the Task Force will morph into its own working group at some point in its maturity.
Meeting Schedule and Notes
Bi-Weekly Friday 7-8am PT - See ToIP Calendar for Meeting Link
Please find notes, presentations and recordings on the Meeting Notes page.
Mailing List and Communications
This task force uses the following for communications:
- Mailing List: Currently this TF will use the mailing list available to the members of the Governance Stack WG. If it reaches sufficient volume, this TF may set up a dedicated mailing list.
- Slack: This TF has its own dedicated Slack channel: #gswg-trust-assurance-tf