Policy Frameworks for Trust & Identity

Government authentication policy

There are several policy approaches to authentication, in principle, which tend to vary from one jurisdiction to another according to political philosophy.

A common governmental approach to establishing ground rules for trust and identity in support of e-commerce is to lay out a risk-based framework that maps generic authentication solutions against the intrinsic security requirements of different types or classes of transaction. Several governments around the world have established generally technology-neutral policy frameworks to assist in the selection and implementation of identity management and authentication solutions. Preeminent examples include the US, New Zealand and Australia; see Authentication Frameworks.

Many governments have invested further effort in establishing particular PKI-based frameworks for authentication and trust (without going so far as to mandate PKI, thus leaving the way open for other technologies); see for example Canada's Policy for Public Key Infrastructure Management and Australia's Project Gatekeeper.

Yet some jurisdictions do enact technology-specific authentication regulations (at this time, they are always PKI-based); examples include Malaysia, India, and the state of Utah (historically important as the first legislature to pass a prescriptive digital signature statute). See also Regulatory approaches to trust and identity.

Industry policy & frameworks

Industry-specific policy frameworks tend to be focused on a particular authentication technology, usually PKI.

The Australian IT Security Forum published a generalised security industry position on PKI in 2003.

See also our wiki page on vertical PKI schemes and associations.

Authentication frameworks

Several authentication infrastructures, of varying degrees of comprehensiveness, have been established around the world in both the government and private sectors. Some are policy frameworks which seek to provide guidance to e-business implementers, while others provide live services to help with authentication. Most of the latter today use PKI.

The frameworks mentioned below differ from vanilla commercial Certificate Authorities insofar as they seek to provide comprehensive support for transactions and for the implementation of transaction systems, usually in the specific context of a jurisdiction or industry sector.

Identity Management and Authentication Policy Frameworks

The US Government's main framework for selecting authentication technologies to match transaction requirements is its Electronic Authentication Guideline: Recommendations of NIST, Version 1.0.2.

The US Personal Identity Verification (PIV) is more than a policy framework - it is a comprehensive new identity card system and suite of standards for federal government employees and contractors, driven by Homeland Security Presidential Directive HSPD-12. The peak standard is FIPS 201. See also About PIV and HSPD-12.

Australian Government Authentication Framework (AGAF)

Australian Government Authentication Framework for Individuals (AGAF-I)

New Zealand Authentication Programme

"Live" authentication services -- Government

US Federal Bridge CA

Estonia runs a comprehensive national PKI based around its smart identity card, supporting many world's-best-practice G2C applications including document lodgement and e-voting.

"Live" authentication services -- Private Sector

Identrust (formerly "Identrus") is a PKI program and shared infrastructure service for the global banking sector. The level of "full service" PKI offerings from Identrust is continuously evolving; they offer more than a policy framework.

Pan Asia Alliance is a consortium of Certification Authorities operating according to a common set of policies and procedures that specifically support online documentation for cross-border trade between member jurisdictions.

CableLabs is a peak body for the Cable TV industry, which operates a PKI for embedded device certificates.