OIX: PLEASE DON’T ABUSE THE WORD “TRUST”
by Mike Neuenschwander ~ March 29, 2010.
Filed under: Hybrid Vigor, Social Trust Online.
The word “trust” appears 32 times in the press release announcing the official launch of the Open Identity Exchange (OIX). Normally, I’d be enthusiastic about such dense coverage of a critical topic, but in this case I question the group’s understanding of the term.
A Governance Template, Not a Trust Framework
OIX is a kind of standards body where techies from various industries come together to prescribe satisfactory methods for identification, so that these IDs can be used across websites. From the OIX site, the process is as follows:
… policymakers representing a trust community (e.g., government, industry association, professional society) start by developing a trust framework specification. This document defines the identity proofing, security, and privacy policies that must be followed by identity service providers to reach a specified level of assurance (LOA). In some cases it will also specify the data protection policies that must be followed by both identity service providers and relying parties to reach a specified level of protection (LOP).
Lastly, the trust framework defines the qualifications necessary to be an assessor for the trust framework—a person or a company who has the professional experience necessary to assess whether an identity service provider or relying party is in compliance with the policies specified for a certain LOA or LOP.
Next the policymakers contract with a trust framework provider (TFP) to operate a certification program for the trust framework. A TFP who operates by the OITF model performs the following functions:
- Publishes the trust framework so it is publicly accessible.
- Accepts listings from assessors who meet the qualifications specified in the trust framework.
- Accepts listings from identity service providers (and in some cases relying parties) who are successfully certified by a qualified assessor.
- Publishes updates to the trust framework as it is revised, and periodically renews certifications of participants as required by the trust framework.
Lastly, the OITF model includes roles for auditors and dispute resolution service providers to assist in ongoing assessment of trust framework participants and resolution of any disputes that may arise.
(Side note, OIX: also don’t abuse the word “lastly.”)
Apparently OIX just hosts the party and provides the napkins (for sketching), but little else. Defining the standards is up to the policymakers, and certifying compliance is up to a Trust Framework Provider (TFP)—whatever that is.
Identification isn’t Trust
I suppose that, if successful, OIX will improve the way digital IDs are used. That’s not altogether a bad thing, but it’s also not trust.
By analogy, imagine that, in order to improve the effectiveness of TSA screeners, the government sets a policy requiring travelers to present both a driver’s license and a passport at the airport. Does it follow that everyone inside the secure area of the airport will trust each other? If the TSA screener clears someone, does that mean the screener trusts the traveler? Or that the screener trusts the ID? Do the IDs foster any kind of trust at all?
If there’s one thing I’d like to get through to techies who work these protocols, it’s this: identification isn’t trust. Please find another word to describe what you’re doing.

July 18th, 2010 at 4:48 pm
Hi Mike,
Like your post. Glad I found your blog, reading your post was inspiring and timely as I just finished writing a response to NSTIC for possible Kantara submission.
In fact, I quoted this blog post in my submission. I was looking for your email address in the off chance that you would be able to see and comment before I have to send it in tomorrow. Commenting on your blog was the next best thing. Looking forward to future posts.
Mark