Identity and Trust : Strategic Issues and Policy

Browse, edit, or add to this section of the IDtrust Wiki Knowledgebase. (If you're unsure where to place your information, see Contribute Content.)

Fundamentals of Identity & Authentication

The OASIS IDtrust Member Section was formed in 2006, partly on top of the erstwhile PKI Forum and OASIS PKI Member Section, in response to an intensifying yet broadening interest amongst businesses and vendors in the tpics of "identity" and "trust". In this we are probably paralleling the "Identity 2.0" movement.

Many organisations will feel the need to study or re-examine the deeper Fundamentals of Identity & Authentication, before moving onto specific project or implementation issues. This page sets out some of those fundamentals.

Some especially useful materials have been developed by commentators that have experienced the highs and lows (mostly lows) or PKI. See for example PKIX Chair Stephen Kent's presentations on PKI Directions and Challenges to PKI Development, which include deep insights into "trust" and the adequacy of a single identifier.





Policy Frameworks for Trust & Identity

Government authentication policy

There are several policy approaches to authentication, in principle, which tend to vary from one jurisdiction to another according to political philosophy.

A common governmmental approach to establishing groundrules for trust and identity in support of e-commerce is to lay out a risk-based framework that maps generaic authentication solutions against the intrionsic security requirements of different types or classes. Several governments around the world have established generally technology neutral policy frameworks to assist in the selection and implementation of identity management and authenticaton solutions. Preeminent examples include the US, New Zealand and Australia; see Authentication Frameworks.

Many governments have invested further effort in establishing particular PKI based frameworks for authentication and trust (without going so far as to mandate PKI, thus leaving the way pen for other technologies); see for example Canada's Policy for Public Key Infrastructure Management and Australia's Project Gatekeeper.

Yet some jurisdictions do enact technology-specific authentication regulations (at this time, they're always PKI based); examples include Malaysia, India, and the state of Utah (historically important as the first legislature to pass a prescriptive digital signature statute). See also Regulatory approaches to trust and identity.

Industry policy & frameworks

Industry specific policy frameworks tend to be focused on a particular authentication technlogy, usually PKI.

The Australian IT Security Forum published a generalised security idustry position on PKI in 2003.

See also our wiki page on vertical PKI schemes and associations.




Authentication frameworks

Several comprehensive authentication infrastructures have been established around the world, in both the government and private sector, of varying degrees of comprehensiveness. Some are policy frameworks which seek to provide guidance to e-business implementers, while other infrastructures provide live services to help with authentication. Most of the latter today use PKI.

The frameworks mentioned below differ from vanilla commercial Certificate Authorities insofar as they seek to provide comprehensive support for transactions and for the implementation of transaction systems, usually in the specific context of a jurisdiction or industry sector.

Identity Management and Authentication Policy Frameworks

The US Government's main framework for selecting authentication technologies to match transaction requirements is its Electronic Authentication Guideline: Recommendations of NIST, Version 1.0.2

The US Personal Identity Verification (PIV) is more than a policy framework - it is a comprehensive new identity card system and suite of standards for federal government employees and contractors, driven by Homeland Security Presidential Directive HSPD-12. The peak standard is FIPS 201. See also About PIV and HSPD-12.

Australian Government Authentication Framework (AGAF)

Australian Government AUthentication Framework for Individuals (AGAF-I)

New Zealand Authentication Programme

"Live" authentication services -- Government

US Federal Bridge CA

Estonia runs a comprehensive national PKI based around its smart identity card, and supporting many worlds best practice G2C applications including document lodgement and e-voting.


"Live" authentication services -- Private Sector

Identrust (formerly "Identrus") is a PKI program and shared infrastructure service for the global banking sector. The level of "full service" PKI offerings from Identrust is continuously evolving; they offer more than a policy framework.

Pan Asia Alliance is a consortium of Certification Authorities operating according to a common set of policies and procedures that specifically support online documentation for cross border trade between member jurisdictions.

CableLabs is a peak body for the Cable TV industry, which operates a PKI for embedded device certificates.

Regulatory Approaches to Trust & Identity


A taxonomy of e-signature regulatory models


There are three different types of electronic signature legislation worldwide, offering different degrees of legal certainty with respect to security technology, and fundamental trade-offs with respect to freedom of choice.

  • Technology-neutral (aka Light Touch) laws have little or nothing to say on the merits of particular security technologies, but instead tend to bestow broad equivalence on documents, whether in electronic or paper form. Technology neutrality puts the onus on users, designers and service providers to select authentication technology on a risk-managed basis, agreeing on what is fit for purpose. The United Nations Commission on International Trade Law (UNCITRAL) drafted a model Electronic Commerce law which has informed technology-neutral legislation around the world. Some analysts bemoan a lack of legal certainty under these types of laws, although in most jurisdictions, contract law allows for 'scheme rules' to adequately manage e-commerce risks. Examples include the U.S., Canada and Australia.

  • Two-tier laws recognize that the intrinsic characteristics of some authentication technologies provide for better risk management; these laws, therefore, provide stronger legal presumptions to users of approved technologies. UNCITRAL's Uniform Rules on Electronic Signatures characterize 'enhanced signature' technologies in terms of their ability to ensure integrity of content as well as identity of origin. Today, only public key technologies qualify. Users under these laws remain free to agree on any other authentication technology that suits their purposes, and to manage their legal risks via contract. Two-tier laws have been enacted by the European Commission, Japan, Hong Kong and Singapore.

    It should be noted that UNCITRAL's deliberations on the pros and cons of enshrining 'special treatmen' for enhanced signatures have been long and hard. See also the Guide to Enactment.
  • Prescriptive legislation goes so far as to deny legal rights to electronic transactions unless they are secured using an approved technology, typically government-licensed PKI. Further, there can be legal sanctions against operating unlicensed certificate authorities in these places. Critics say prescriptive legislation can stifle innovation and restrict free trade. Examples include the U.S. state of Utah, Malaysia, Italy, South Korea and India.

See also Survey of International Electronic and Digital Signature Initiatives by the Internet Law and Policy Forum (quite old now but an excellent starting point) and the excellent directory of e-commerce initiatives at the law firm McBride Baker & Coles.


Information Privacy

Add content on information privacy issues to this page

PKI and Privacy


While PKI has been feared by many as being inherently privacy invasive (see for example some of Roger Clarke's work), much work has been done to either manage and design PKIs to be safe with regards to privacy (see e.g. Australian Government PKI Privacy Guidelines) or to proactively enhance privacy using PKI technology (e.g. Privacy Positive Aspects).





Interoperability in general

"Interoperability" in authentication has come to be understood in terms of "tiers" variously described as ranging from low level "technical" interoperability to high level "business" or "application" interoperability. The idea of tiers and of an interoperability stack appeals to the very mature and almost universally adopted 7 level communications model of OSI.

While seamless interoperability may be a long way off, much good preparatory work has been done in the form of surveys and analyses of legal and other impediments.  See: 


OECD Authentication Survey - OECD "Summary of Responses to the Survey of Legal and Policy Frameworks for Electronic Authentication Services and E-Signatures in OECD Member Countries" Organisation for Economic Cooperation and Development 3 August 2004


PKI interoperability

Most activity so far has expended in PKI circles.

See International Harmonization of Policy Requirements for CAs issuing Certificates of the European standards body ETSI.

A simple discussion of interoperability layers acan be found at PKI Interoperability.

The Australian Payments Clearing Association has published its experience in Internet Based Payments Application - Trust and Digital Certificates which includes this gem:

“[PKI] interoperability is something of a will-o’-the-wisp. You think you understand what people mean by it, and then quickly realise that you don’t. In my experience, it’s possible when discussing interoperability to be at cross-purposes for all of the time. Interoperability between members of the same PKI is axiomatic. Certificates issued by one bank should be recognisable by another. Interoperability becomes an issue when it is between different PKIs … But this still leaves the basic question of interoperable in respect of what?


The Asia PKI Forum and the APEC eSecurity Task Group have investigated interperability extensively. Several publications are available:





Cross-border trust

Add content here

Cross recognition arrangements

Cross certification

Attempts to create cross border trust within PKI frameworks has historically been attempted through "Cross Certification" which aims to demonstrate that two different CAs are producing certificates unde comparable conditions so that their certificates may be regarded as equivalent.  

The major challenge in cross certification is that the policy mapping involved is labor intensive and time consuming.  

Bridge CAs 

More recently, Bridge CA initiatives have catalysed  the standardisation of key aspects of Certificate Policies, such as identification benchmarks.  This has faciliated policy mapping to some extent, and now there are increasing numbers of PKI domains that have achieved cross certification. 


See e.g.

Link to aerospace Bridge?

Cross Recognition

Cross-certification establishes the equivalence of certificates from different PKIs, yet two users on either end of a transaction often assert different types of credentials (one might be a lawyer while the other is  a doctor) in which case equivalence is moot.  Moreover, one of the parties -- the receiver -- might not even have their own certificate and yet will still need to be able to ascertain the fitness for purpose of the sender's certificate.




Novel approcahes to cross border recognition



Add content here

Cryptographic challenges




Cryptographic algorithms are -- and should be -- subjectto continuous, robust challenge.  The ongoing integrity of today's algorithms must never be taken for granted. 

As computers grow more powerful, brute force attacks on standard algorithms such as DES and RSA become more and more feasible within reasonable times and resource limits.  Some years ago, the original DES algorithm with its effective key length of 56 bits was superceded, bu Triple DES (still popular in banking) and eventually by the "Advanced Encryption Algorithm" AES. 

It is possible to put an upper limit on the useful longevity of cryptographic key lengths based on forecasting the growth in computing strength, assuming brute force is the only way to breach an algorithm.  See and the work by Lenstra and Verheul published at that site. 

Of course, if "cryptanalysis" detects a flaw on an algorithm, then an attack by cleverer means than brute force becomes possible.  Or more subtley, brute force attacks might be expedited by being able to restrict the search space.

The most topical cryptanalysis in recent years has been the work by Chinese researchers on the SHA-1 hash algorithm that is so central to most digital signatures today.  See the presentation Cryptanalysis on SHA-1 and NIST's comments

The state of SHA-1 is a crucial issue, and a work in progress.  Few commentators have recommended any drastic action, but a measured transition to algorithms like SHA-512 and SHA-1024 seems prudent, in line with NIST advice.  

Interested parties should keep an eye on the NIST SHA-1 project website.

Return on Investment


Modelling, forecasting and measuring reasonable ROI is one of the most important challenges in any technology project. ROI in "security" related endeavours like identity management and "trust" is a notorious problem. Some like to consider security as a form of insurance and as such could be a cost of doing business (or even a cost of staying in business!) rather than an active contributer to profitablity. Others point to tangible business benefits enabled by identity management and seek to model those to establish ROI.

Certainly there are a range of approaches to evaluating ROI.

The OASIS PKI Technical Committee developed a detailed PKI ROI model and whitepaper which includes a novel digital certificate supply chain.

The OASIS PKIA TC work built on the preceding PKI Forum ROI whitepaper.  


The Verisign and Blue Bridge whitepaper of 2002, ROI for PKI investment includes a particularly good, detailed examination of digital signature applications.

Assorted individual ROI casestudies for PKI may be found on the web, including the very elegant experience of the US Patent Office PKI.


Application integration



The following links were carried over form the old PKI Forum Resources.  

Using Oracle/IAS with PKI - Dartmouth PKI Labs

Setting up the Cisco VPN 3000 Concentrator for PKI Authentication - Dartmouth PKI Labs