All Posts By trustoverip

Achieving trusted digital transactions across the globe: OIX and ToIP align to make it happen

By News

Two of the most influential global membership organisations in the digital ID space have aligned to forge a faster and more secure route to a shared and trusted digital future.

Both The Open Identity Exchange (OIX) and Trust over IP Foundation (ToIP) have driven key development and made significant progress in their respective communities towards addressing the challenges around establishing ‘trust’ in users via digital means.

They have now committed to aligning their efforts, having realised the synergies in the work they were doing and the vast potential of working more closely together to drive their common agenda across the globe.

With a combined worldwide membership of over 400 organisations and individuals, including some of the world’s largest stakeholders in a digital ID future, this is a crucial development in the journey towards full digital ID adoption and a digital future that will work for everyone involved.

Born from the self-sovereign identity movement, ToIP’s widely recognised ToIP Stack is defining a complete architecture for internet-scale digital trust that combines the technical requirements for cryptographic trust at the machine layer with the governance requirements for human trust at the business, legal, and social layers.

Equally, the OIX’s comprehensive work around the governance of digital ID has been highly influential and widely accepted. It complements the governance elements of the ToIP stack. A prime example is OIX’s recently launched Guide to Trust Frameworks for Smart Digital ID that encompasses over 10 years of research and in-depth evaluation of existing Trust Frameworks around the world.

The Guide outlines how both a simple digital ID (i.e., digitised credentials within a wallet) and a smart digital ID (i.e., one that understands rules “to selectively disclose, derivate a specific attribute and aggregate several single attributes” per the EU’s new eIDAS2 ARF) can meet the needs of all the parties involved in a digital relationship or transaction. With a specific focus on placing the needs of the end users at the forefront (also a key driver for ToIP), the Guide defines the roles, responsibilities, principles, policies, procedures and standards needed. While remaining technology agnostic, a particular feature of the Guide is its alignment with the self-sovereign paradigm of decentralized identifiers (DIDs) and verifiable credentials stored in individual digital wallets. The Guide includes a mapping of OIX Trust Framework roles to SSI roles, as illustrated in the infographics below.

Roles mapping diagram

While this first infographic illustrates the relatively straightforward mapping of the SSI issuer/holder/verifier “trust triangle”, the Guide also shows how to map more complex SSI scenarios such as the one below, in which a holder submits proofs of one set of credentials to a rules engine to obtain a new derived level-of-assurance credential.

More complex SSI scenarios diagram

John Jordan, Executive Director of ToIP, said: “The lack of globally interoperable digital trust infrastructure has presented an urgent and widely acknowledged need for both technical standards and governance that ensure trust can be established quickly and safely across all sectors and borders. Our two organisations have a common vision – building trust online, and simplifying and standardising how trust is established. Our collective knowledge, expertise and research will be a powerful force ensuring the benefits of digital ID are realised by everyone involved – the end consumers, governments, relying parties and ID providers.”

Nick Mothershaw, Chief Identity Strategist at OIX, said: “Various initiatives around the world are trying to address the same issue with differing approaches. It is a highly complex global challenge that needs a united global response, and one that ensures the needs of all parties are met. To achieve it, governance must be generic and technology agnostic, and smart digital ID will need to play a significant role. The goals and strategies of both organisations highly complement each other. We have both already made significant progress, which has been reflected in the growth of our memberships, and the Self-sovereign alignment of the new OIX trust framework. By further aligning our efforts, we can have a greater impact.”

ENDS

For more information, please contact Serj Hallam 

E: communications@openidentityexchange.org 

T: 07789372771

About The Open Identity Exchange (OIX)

The OIX is a non-profit trade organisation on a mission to create a world where everyone can prove their identity and eligibility anywhere through a universally trusted ID. OIX is a community for all those involved in the ID sector to connect and collaborate, developing the guidance needed for interoperable, trusted identities. Through our definition of, and education on, Trust Frameworks, we create the rules, tools and confidence that will allow every individual a trusted, universally accepted identity.

About The Trust over IP Foundation (ToIP)

As a Joint Development Foundation project of the Linux Foundation, the mission of the ToIP Foundation is to simplify and standardise how trust is established over a digital network or using digital tools. The ToIP model is a complete architecture for decentralized digital trust infrastructure that combines cryptographic verifiability at the machine layers with human accountability at the legal, business, and social layers. ToIP is a collaborative community of international experts working together to design the specifications, recommendations, guides, and tools for using the ToIP four-layer dual stack of technology and governance.

Key ToIP Takeaways from the European Identity Conference

By Blog
EIC logo and dates

EIC 2022, held May 10-13 at the Berlin Conference Center, had a strong ToIP presence, including Director of Strategic Engagements Judith Fleenor and Steering Committee members André Kudra (esatus), Bryn Robinson-Morgan (Mastercard), Christine Leong (Accenture), Drummond Reed (Avast), Mike Vesey (IDRamp), and Scott Perry (Schellman). Other ToIP members in attendance included Trinsic, IDunion, and Sezoo.

Our first collective takeaway was that identity conferences are back! This was the first full-scale EIC since 2019, and although still in hybrid form, in-person attendance was very strong. Vendor booths and conference sessions were quite busy, and there were four full tracks of content from midday Tuesday through Friday. “EIC was a wonderful opportunity to connect with colleagues old and new, with a shared mission to advance digital trust,” remarked Bryn. “I was impressed by the interest in the ToIP stack and the recognition that to achieve interoperability on a global scale we must address both technology and governance issues.”

Our second major takeaway was that decentralized identity is a very hot topic. One of the four conference session tracks was devoted entirely to this new branch of the industry, and references to SSI and verifiable credentials were sprinkled throughout the keynotes. André noted: “Federated identity solutions are broadly used globally today and it’s great that there’s now such huge interest to infuse SSI to it. To ultimately arrive at a truly decentralized online identity world, embracing what’s already out there is inevitable.”

On that note, Judith spotted numerous examples of SSI terminology being “co-opted” to describe products and services that did not in fact follow SSI and ToIP design principles. This is both a good thing (because the speakers wanted to be associated with SSI) and a bad thing (because they are mis-using the terms).

A third major takeaway was that the world of federation wants to join the world of decentralization. One of the major announcements from the conference was the OpenID Foundation white paper entitled OpenID for Verifiable Credentials. To quote from the OpenID website:

The goal of this whitepaper is to inform and educate the readers about the work on the OpenID for Verifiable Credentials (OpenID4VC) specifications family. It addresses use-cases referred to as Self-Sovereign Identity, Decentralized Identity, or User-Centric Identity.

This theme was further reinforced by a series of sessions on GAIN, the Global Assured Identity Network, whose original white paper described it as an OpenID “federation of federations” that aims to bring “roaming” to existing bank ID networks around the world. At EIC, GAIN was working hard to “broaden the tent”, inviting Judith to join their final panel with 11 different speakers talking about the GAIN vision of a globally interoperable network for high-value digital identity credentials. 

Judith did a wonderful job speaking to how that vision aligns with ToIP’s mission while advocating that, while federation technologies like OpenID are fine for enterprise usage, true global interoperability can best be achieved with a network of networks based on the ToIP protocol stack. She summarized the benefits of using standardized protocols rather than technical API specifications as: “OIDC for the enterprise, ToIP for the Internet”.

From a ToIP perspective, the highlight was our 40-minute panel called “The Stack, the Stack, the Stack: How ToIP is Enabling Internet-Scale Digital Trust”. Judith moderated the panel consisting of André, Bryn, Christine, and Drummond sitting in front of a full-screen image of the ToIP stack.

People watching a presentation that has the ToIP stack as the current slide

The session drew a packed audience, and this panel format proved to be a very effective way to share the ToIP vision. At the close of the panel, we were swamped with many more questions than we had time for. We spent the next 45 minutes outside the room talking with attendees about the ToIP stack, the ToIP Foundation, and how our solution to interoperability can be applied to the European Digital Identity Wallets initiative.

This strong interest in ToIP reflects our final major takeaway from the conference: the European Digital Identity Wallets initiative is generating intense interest in interoperability. Many EIC sessions touched on different facets of the interoperability questions facing the “toolbox teams” from each of the 27 EU member states working to develop their own digital wallets. Furthermore, these questions are not limited to technical interoperability—governance is also a major concern.

“The privacy-preserving and citizen-empowering advantages of decentralized identity and verifiable credentials are clearly what is driving the EU initiative,” said Governance Stack Working Group co-chair Scott Perry. “However much of their thinking on governance is still rooted in federation technologies, so this is an area where ToIP’s work on governance frameworks can really help.”

As a final highlight, Italian digital identity company Monokee, whose Solutions Architect Dr. Mattia Zago presented on “Hybrid Central/Decentralized Identity: Deployment strategies for SSI”, was impressed enough by the ToIP presence at EIC that by the end of the conference Monokee had joined as our newest Steering Committee member. 

“Joining the ToIP SC represents a significant milestone for me as a researcher and us as an identity company,” said Dr. Zago. “Seeing that the community is aligned with our view of a hybrid integration between federated enterprises’ services and decentralized identities further increases our motivation to pursue it. Indeed, we will keep pushing forward our identity orchestrator to provide seamless (and codeless) integration experiences for security engineers.” 

Welcome Monokee!

Decentralized Identity: Keys to mainstream adoption

By Blog

by Mike Vesey, CEO, IdRamp, and Karl Kneis, COO, IdRamp

idRamp logo

A cityscape at night, with a globe above it of interconnected lines

Understanding the decentralized identity (DCI) market can be challenging. Inspiring C-level decision makers and IT executives to adopt decentralized identity technology is even more difficult. Current research publications provide limited insight with inconsistent ideas and terminology. Anyone interested in DCI adoption can quickly get lost in an ocean of information that raises more questions than answers. What is the solution? Decentralized ID, Self-sovereign ID, Blockchain ID, Web 3.0 ID, Personal ID, Verifiable Credentials, DID or are they all the same thing? Is the technology production-ready or a next-generation innovation to be considered in the future? 

After spending a great deal of time working with enterprise C-level teams on complex digital identity problems, one thing seems clear. When it comes to decentralized identity solutions, many business sponsors do not yet understand how DCI can provide practical answers to immediate frontline business problems. This climate creates the impression that decentralized identity is interesting but not ready for prime time adoption.

Business leaders want to know

Business leaders want to know: 

  • How can I use decentralization to make identity management easy to deploy and operate? 
  • Is it possible to add new features and business requirements without investing in long, expensive projects? 
  • How do I adapt this new technology without re-platforming every few years? 
  • Is it possible to enable decentralized identity with the systems I have to grow it at a speed and cost I can afford?

Prominent decentralized identity initiatives are often presented as pilots or innovation projects. Popular decentralized identity community discussions prioritize solving large social problems over business solutions that drive mass adoption. That is understandable for a new, bleeding-edge technology, but the good news is that DCI technology is ready for mainstream adoption now. With careful listening, collaboration and education, we can dispel misunderstanding and help business sponsors understand that decentralized identity is the best possible solution for problems they have today.

Most C-level executives do not understand the complexities of SAML or OIDC, but they do understand that solutions using these protocols help solve their business problems. We need decentralized identity to reach that same level of understanding in terms of reliability, comfort, and adoption. 

Decentralized Identity needs to become ID

Shifting the conversation to the perspective of people who actually buy technology is an effective way to speed up adoption. Business leaders need proof of value, battle testing, and technical maturity. Decentralization will prevail based on measurable business results. DCI is not in battle with centralized systems; it is simply a better business solution for modern problems.

Focusing on familiar business performance indicators goes a long way in moving DCI out of the innovation lab and into mainstream adoption. Does decentralized identity help me save or make money? Is it more expensive than what I have today? When a business that spends millions per year on centralized SSO learns how decentralized-identity-based authentication can solve the same problem with stronger protection at less cost, that business will find value and interest in DCI adoption.

Ultimately, decentralized identity needs to become digital ID in the minds of business leaders. Trust architecture needs to be easy to understand and use. Businesses do not have time to navigate the ideology and technical complexities. They need education that speaks directly to their business problems today. Trust Over IP (TOIP) models, guides, and specifications are powerful business tools to help drive learning, transformation and adoption. You can use the growing list of free information published on the TOIP Deliverables page to help educate and transform your organization through DCI.

Perception is reality

A few common misunderstandings that come up in our business adoption conversations include:

  • Decentralized identity is not just a solution for social issues, it is pain relief for front line business problems. Decentralized identity will provide superior results if you need Zero Trust, Password elimination or fraud prevention.
  • Decentralized identity does not equal loss of control. It is a more effective way to manage and protect digital business.
  • Decentralized identity adoption does not require re-platforming and heavy investment in line with past ID platforms. We can quickly deploy it with incremental adoption and easily combine it with all other ID services.
  • Decentralized identity governance complements existing IT operation models and standards. It does not require a total change to current procedures.
  • Decentralized identity service management does not require significant HR changes, custom development skills, or advanced technology resources. Existing IT teams can easily deploy and operate DCI systems with the people they have today.

That all sounds simple enough to explain, but how do you make it happen? Business sponsors need evidence to justify the investment. They need to see it in action. Our next post will focus on how we help overcome decentralized identity adoption through decentralized orchestration. This simple but powerful strategy provides an easy path for adoption and innovation.

Stay tuned.

Schellman Joins Trust Over IP Foundation as Steering Committee Member

By News
Schellman. Quality, above all.

Tampa-based Schellman, a leading provider of attestation and compliance services, announced today that it is joining the Trust over IP Foundation (ToIP) as a Steering Committee member. As the first IT audit firm to join the leadership of ToIP, this move represents Schellman’s belief in the growing suite of digital governance specifications and tools being developed by ToIP Working Groups.

Representing Schellman on the Steering Committee will be Scott Perry, whose firm Scott S. Perry CPA, PLLC, was recently acquired by Schellman. Scott was a founding Contributing Member of ToIP and has served as co-chair of the ToIP Governance Stack Working Group since its inception in May 2020.

“This is the culmination of work that began over six years ago when I started collaborating with Timothy Ruff, co-founder of Evernym and of the Sovrin Foundation, on audit and compliance in the emerging SSI space,” said Scott. “We realized that this could revolutionize how digital trust works everywhere on the Internet, and out of that was born the ToIP Foundation. So it is very gratifying for me to now join the Steering Committee and contribute directly to the success of the ToIP model.”

Scott has authored or co-authored a number of deliverables from the ToIP Governance Stack WG including:

Scott saw the acquisition of his firm as a means of harnessing a well-established delivery capability of digital trust audit services from a top CPA Firm; Schellman saw this as a quick entry into an important emerging segment of the compliance marketplace and wanted to cement this commitment by joining the ToIP Steering Committee.

“Holding digital trust actors accountable in any or all layers of the ToIP stack will require independent audit skills and experience in a variety of compliance frameworks,” said Avani Desai, CEO at Schellman. “The deliverables already published by ToIP serve as an audit methodology for trust assurance, so they will nicely complement the services we currently offer as a WebTrust CPA firm, an ISO Certification Body, a PCI Qualified Security Assessor Company, a HITRUST assessor, a FedRAMP 3PAO, and as one of the first CMMC Authorized C3PAOs.”

“I am very happy to see this recognition of the ToIP Foundation’s groundbreaking work in digital governance frameworks,” said Judith Fleenor, ToIP Director of Strategic Engagements. “Scott has been a leader in this work from the start, and the acquisition of his firm and the support of Schellman signals that the ToIP governance metamodel is starting to see serious traction in the market. Look for more evidence coming from several new digital trust ecosystems later this year.”

Visit the Schellman website to learn more about their new Crypto and Digital Trust Service practice.

The Trust Over IP Foundation Publishes New Introduction and Design Principles

By Blog

When it was launched in May 2020, the ToIP Foundation summarized its mission in a single 20-page white paper called “Introduction to Trust Over IP”. This paper was based on an article called The Trust Over IP Stack published in the December 2019 special issue of IEEE Communications Standards Magazine called The Dawn of the Internet Identity Layer and the Role of Decentralized Identity.

Two years later, with ten times more members and double the original number of working groups, the Foundation is a much more mature organization. Despite this growth, we are very pleased that the original vision of the ToIP stack has stood the test of time.

In summer of 2021, we put out a call to all ToIP members to participate in a series of “community writing workshops” to collaboratively produce two new Foundation-wide deliverables:

  1. Introduction to ToIP V2.0 (PDF)
    This is the second-generation version of our original introductory white paper that would go more deeply into the origin and purpose of the ToIP stack and how it addresses the key challenges of decentralized digital trust infrastructure.
  2. Design Principles for the ToIP Stack V1.0 (PDF)
    This is an articulation of the key design principles we must follow in the design and development of all aspects of the ToIP stack.

We were thrilled that over two dozen members took us up on this challenge to participate over four months to produce these two documents, both of which have just been approved by the ToIP Steering Committee.

Introduction to ToIP V2.0

Our primary goal with this second-generation white paper was to make the vision and mission of ToIP accessible to a general audience—literally anyone who cares about the future of the Internet and how we can deal with the myriad security, privacy, data protection, and data sovereignty issues that have emerged as “the world’s greatest information utility” passes its first half-century of growth.

Our second goal was a “plain English” explanation of the overall structure of the four-layer, two-sided ToIP stack using new graphics based on the wonderful interactive version developed by Peter Stoyko of Elanica. Here is the new static version of the diagram:

Diagram of the four-layer Trust Over IP Stack.

Our third goal was to provide a more complete introduction to the ToIP Foundation as a collaborative organization devoted to the design, development, adoption, and promotion of the ToIP stack—a guide to helping prospective members understand how and why to engage.

The resulting document is divided into the following sections:

  • ToIP in a Nutshell
  • Why Has Digital Trust Become Such a Major Problem?
  • The ToIP Model for Digital Trust
  • Applying This Model to the Digital World
  • The ToIP Stack
  • The ToIP Foundation
  • How to Engage with the ToIP Foundation
  • The Road Ahead

It is available as a PDF document here and on the homepage of the ToIP Foundation website.

Design Principles for the ToIP Stack V1.0

To establish a truly interoperable decentralized digital trust layer for the Internet as a whole, meticulous attention must be paid to the design of the ToIP stack. Given the tremendous growth of the ToIP Foundation—from 27 original founding member organizations to over ten times as many today—it was critical to form a strong consensus among the new members about the principles governing this design.

Another key reason to establish design principles for the development of a system is summarized in this quote from the start of the document:

The goal of any design principle is to provide guidance to the designers of a product, service, or system so they can take advantage of lessons learned from the success or failure of previous designs. Design principles represent accumulated wisdom that falls in between the generality of scientific laws and the specialization of best practices.

When it comes to a layered architecture for both technology and governance of decentralized digital trust infrastructure, the “lessons learned from the success or failure of previous designs” is prodigious. Thus the writing workshops for this document continued for four months in order to bring all the relevant design principles together.

To organize the final set of 17 principles into a logical progression, we followed a rubric suggested by co-editor Victor Syntez based on a 2006 blog post by cryptography pioneer Nick Szabo. Szabo distinguished between two types of “code”:

  1. Code written in a computer language expected to be executed by a machine (“dry code”), and
  2. Code written in a human language, i.e., laws, regulations, rules, policies and other forms of governance expected to be followed by humans (“wet code”).

Accordingly, we divided the principles into three categories:

  1. Principles of computer network architecture—these “dry code” principles represent fundamental lessons learned about the design of large-scale computer networked systems, especially the Internet:
    • #1: The End-to-End Principle
    • #2: Connectivity Is Its Own Reward
    • #3: The Hourglass Model
    • #4: Decentralization by Design and Default
    • #5: Cryptographic Verifiability
    • #6: Confidentiality by Design and Default
    • #7: Keys at the Edge
  2. Principles of human network architecture—these “wet code” principles represent fundamental truths about how trust relationships operate between humans—either individually or in groups:
    • #8: Trust is Human
    • #9: Trust is Relational
    • #10: Trust is Directional
    • #11: Trust is Contextual
    • #12: Trust has Limits
    • #13: Trust can be Transitive
    • #14: Trust and Technology have a Reciprocal Relationship
  3. Overall design principles—these three remaining principles apply to the overall design of the ToIP stack, “wet or dry”:
    • #15: Design for Ethical Values
    • #16: Design for Simplicity
    • #17: Design for Constant Change

Care was taken to not only explain each principle in plain English, but to analyze how it applies to the design of the ToIP stack at each layer. We summarized those recommendations using this table format:

Layer                        Relevance       Explanation
Layer 4 (ecosystem symbol)   (star rating)   The ecosystem symbol represents the purpose of Layer 4 to support the applications needed to develop and sustain entire digital trust ecosystems.
Layer 3 (triangle symbol)    (star rating)   The triangle symbol represents the Layer 3 verifiable credential “trust triangle” of issuer, holder, and verifier that enables parties using the ToIP stack to establish transitive trust.
Layer 2 (two connected phones) (star rating) The symbol of two connected mobile phones represents the purpose of Layer 2 as a universal peer-to-peer, secure, privacy-routing DID-to-DID communications protocol.
Layer 1 (anchor symbol)      (star rating)   The anchor symbol represents the purpose of Layer 1 public key utilities to provide strong anchors for Decentralized Identifiers (DIDs) and their associated public keys.

For each principle, in the “Relevance” column we assigned star ratings for each layer as follows:

★★★★★  Highly relevant to the design of this layer
★★★★   Very relevant to the design of this layer
★★★    Moderately relevant to the design of this layer
★★     Somewhat relevant to the design of this layer
★      Only slightly relevant to the design of this layer

Once all 17 principles had been compiled into a document with this format, the contributors felt that we had identified the “center of gravity” of the design of the ToIP stack that could now guide our work in completing it.

We strongly recommend this document for anyone who wants to deeply understand the rationale for our work at the ToIP Foundation. It is available as a PDF document here and on the homepage of the ToIP Foundation website.

Acknowledgments

Our thanks to Victor Syntez and Drummond Reed for serving as co-editors for these two documents and to the following ToIP members who contributed their time and expertise:

Introduction to ToIP V2.0:
  • Carly Huitema
  • Daniel Bachenheimer — Accenture
  • Darrell O’Donnell — Continuum Loop
  • Jacques Bikoundou
  • Judith Fleenor — Trust Over IP Foundation
  • Kaliya Young — COVID-19 Credential Initiative
  • Karen Hand — Precision Strategic Solutions
  • Karl Kneis — IdRamp
  • John Jordan — Province of British Columbia
  • Lynn Bendixsen — Indicio
  • P. A. Subrahmanyam — CyberKnowledge
  • Sankarshan Mukhopadhyay — Dhiway Networks
  • Scott Perry — Scott S. Perry CPA, PLLC
  • Vikas Malhotra — WOPLLI Technologies
  • Wenjing Chu — Futurewei

Design Principles for the ToIP Stack 1.0:
  • Antti Kettunen
  • Daniel Bachenheimer — Accenture
  • Daniel Hardman — SICPA
  • Darrell O’Donnell — Continuum Loop
  • Jacques Bikoundou
  • Jo Spencer — 460degrees
  • John Jordan — Province of British Columbia
  • Jonathan Rayback — Evernym
  • Judith Fleenor — Trust Over IP Foundation
  • Lynn Bendixsen — Indicio
  • Mary Lacity — University of Arkansas
  • Michel Plante
  • Neil Thomson — QueryVision
  • P. A. Subrahmanyam — CyberKnowledge
  • Rieks Joosten — TNO
  • Sankarshan Mukhopadhyay — Dhiway Networks
  • Scott Perry — Scott S. Perry CPA, PLLC
  • Steven McCown — Anonyome Labs
  • Thomas Cox
  • Vikas Malhotra — WOPLLI Technologies
  • Vinod Panicker — Wipro Ltd
  • Wenjing Chu — Futurewei

Data Governance Act meets ToIP framework

By Blog

by Jan Lindquist, Neil Thomson, Burak Serdar, Paul Knowles, Christoph Fabianek, Phil Wolff

Introduction

Europe’s Data Governance Act (DGA) reached a milestone. The European Parliament announced it “…reached a provisional agreement on a new law to promote the availability of data and build a trustworthy environment to facilitate its use for research and the creation of innovative new services and products.”

What does the Data Governance Act mean to the ToIP framework and the SSI community?

Background

The DGA defines an “intermediary” that facilitates processing and sharing of data for individuals and organizations to “…increase trust in data intermediation services and foster data altruism across the EU”. In the MyData framework for user-controlled data sharing, intermediaries are called MyData Operators and there is a certification program in place. (See references at the end of this blog post.)

The DGA intermediary has a trusting relationship with the individual. There cannot be any conflict of interest in sharing the data from the individual. In the eyes of the Act, the sharing of the data shall foster “data altruism” across the EU.

To achieve this goal, DGA provisions a certification program and rules for some public-sector data.

SSI Data Sharing Models

The Data Governance Act introduces new roles into data sharing and will set up the necessary governance for a more transparent and accountable data economy. Two main actors are introduced called Data Sharing Service or Intermediaries [refer to chapter III, Requirements Applicable to Data Sharing Service in Data Governance Act] and Data Altruistic Organizations [refer to chapter IV, Data Altruistic in same reference].

Neither of these actors shall have a financial incentive that conflicts with representing a Data Subject when personal data is made available to Third-parties or Data Using Service. The following diagram has three SSI data sharing models.

  1. A business or organization collects personal data and shares it with a third party, often through proprietary, closed interfaces. A non-proprietary example in health care is the FHIR data exchange interface from HL7, which created an open, interoperable standard.
  2. A cooperative or intermediary represents the individual when sharing personal data. The sharing shall be standardized and interoperable between different suppliers.
  3. A non-profit organization, acting altruistically, facilitates sharing of data that are in a public institution’s domain. The public institutions may, for example, be health care systems.

Figure 1: Data Governance Act Architecture Overview

Some similarities can be drawn with the Verifiable Credential model where the Data Subject is a Holder, an organization is the Issuer and a third-party is a Verifier.

The DGA adds intermediaries to the ToIP framework

The key difference is the addition of the Intermediary. The Intermediary acts as an agent for the Holder (Data Subject) and has direct control over the processing of personal data through a policy engine. Figure 1 shows the ToIP framework with the actors introduced in the Data Governance Act.

Figure 2: ToIP control and data planes overview

Two layers or paths when performing data exchange are described in the diagram.

  • A data path (yellow arrows) composed of Verifiable Credentials (VCs) and interfaces to a data repository.
  • A control path (green arrows) that sets the conditions for personal data usage, given through a data subject consenting to the collecting, processing or sharing of personal data.

Each actor in the diagram has three different role types: a data role, a Distributed Ledger Technology (DLT) role, and a privacy role.

  • The data role represents the Data Subject to whom the collected data relates, the Data Source that collects the data, the Data Sharing Service that processes the data prior to sharing it, and the Data Using Service that provides services based on the shared data.
  • In addition to the standard DLT roles, an additional role called Intermediary is introduced. As described before, the Intermediary facilitates the processing of data on behalf of the Data Subject prior to sharing with a third party.
  • The privacy roles are the standard Data Controller/Processor, Data Subject, and Third-party. To better understand the Data Subject, it is split into two: a Client and an Agent. The Data Subject has direct control via the Client. The Agent allows the Data Subject to delegate control to the Agent (as a proxy).

The final aspect to understand is the set of key functions that enable the Intermediary to act on behalf of the Data Subject. The Intermediary requires a privacy function that applies the transformation and the privacy control selected by the Data Subject. For example, the Data Subject may consent only to the processing of anonymized personal data, and the privacy engine enforces that choice. The storage function may be a wallet or a pseudonymized database with restricted access.
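To make the control-path/data-path split concrete, here is an added illustration in Python of the Intermediary's privacy function. It is not code from ToIP or from the Data Governance Act: the record fields, the shape of the consent object, the three privacy levels and the keyed-hash pseudonym are all assumptions chosen for the demo. Consent (the control path) names a purpose, a recipient and a privacy level; the Intermediary (the data path) either refuses the release or applies the transformation that consent selects before anything reaches the Data Using Service, and writes an audit entry either way.

```python
"""Toy policy engine for the Intermediary role described above.

Control path: the Data Subject's consent selects a purpose, a recipient and a
privacy level. Data path: the Intermediary applies the matching transformation
to the Data Source's record before releasing it to the Data Using Service.
Added illustration only; not code from ToIP or from the Data Governance Act.
"""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample record as a Data Source might hold it (hypothetical fields).
SAMPLE_RECORD = {
    "patient_id": "P-1001",
    "name": "Ada Example",
    "birth_year": 1984,
    "postcode": "SW1A 1AA",
    "diagnosis": "asthma",
}

DIRECT_IDENTIFIERS = ("patient_id", "name")
PRIVACY_LEVELS = ("identified", "pseudonymized", "anonymized")


@dataclass(frozen=True)
class Consent:
    """Control-path object: what one Data Subject permits, to whom, and how."""
    data_subject: str
    purpose: str
    recipient: str       # the Data Using Service allowed to receive the data
    privacy_level: str   # one of PRIVACY_LEVELS


class Intermediary:
    """Agent acting for Data Subjects: holds consents, keeps the pseudonym key
    under restricted access and applies the transformation consent selects."""

    def __init__(self, pseudonym_key: bytes) -> None:
        self._key = pseudonym_key
        self._consents: Dict[str, List[Consent]] = {}
        self.audit_log: List[str] = []

    def register_consent(self, consent: Consent) -> None:
        if consent.privacy_level not in PRIVACY_LEVELS:
            raise ValueError(f"unknown privacy level: {consent.privacy_level}")
        self._consents.setdefault(consent.data_subject, []).append(consent)

    def _find_consent(self, subject: str, purpose: str, recipient: str) -> Optional[Consent]:
        for c in self._consents.get(subject, []):
            if c.purpose == purpose and c.recipient == recipient:
                return c
        return None

    def _pseudonymize(self, record: dict) -> dict:
        # Keyed hash: stable within a recipient's dataset, not reversible
        # without the key held by the Intermediary.
        out = {k: v for k, v in record.items() if k != "name"}
        digest = hmac.new(self._key, record["patient_id"].encode(), hashlib.sha256)
        out["patient_id"] = digest.hexdigest()[:16]
        return out

    @staticmethod
    def _anonymize(record: dict) -> dict:
        # Drop direct identifiers and coarsen quasi-identifiers.
        out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIERS}
        out["birth_year"] = (record["birth_year"] // 10) * 10   # decade bucket
        out["postcode"] = record["postcode"].split(" ")[0]      # outward code only
        return out

    def share(self, subject: str, record: dict, purpose: str, recipient: str) -> Optional[dict]:
        """Data-path entry point: returns the record the recipient may see,
        or None when no consent covers this purpose and recipient."""
        consent = self._find_consent(subject, purpose, recipient)
        if consent is None:
            self.audit_log.append(f"DENY {subject} -> {recipient} [{purpose}]: no consent")
            return None
        if consent.privacy_level == "identified":
            released = dict(record)
        elif consent.privacy_level == "pseudonymized":
            released = self._pseudonymize(record)
        else:
            released = self._anonymize(record)
        self.audit_log.append(
            f"ALLOW {subject} -> {recipient} [{purpose}]: {consent.privacy_level}")
        return released


def demo() -> dict:
    """Run the three outcomes on the sample record; returns them by name."""
    agent = Intermediary(pseudonym_key=b"constructed-demo-key-not-for-use")
    agent.register_consent(Consent("P-1001", "research", "ResearchLab", "pseudonymized"))
    agent.register_consent(Consent("P-1001", "statistics", "HealthStats", "anonymized"))
    return {
        "research": agent.share("P-1001", SAMPLE_RECORD, "research", "ResearchLab"),
        "statistics": agent.share("P-1001", SAMPLE_RECORD, "statistics", "HealthStats"),
        "marketing": agent.share("P-1001", SAMPLE_RECORD, "marketing", "AdNetwork"),
        "log": agent.audit_log,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two design points worth noticing. The pseudonym is an HMAC over the identifier, so the same subject maps to the same token for a given key (records stay linkable inside the recipient's dataset) while the key never leaves the Intermediary, which is the "restricted access" part of the storage function. The anonymized branch goes further and removes direct identifiers and coarsens the quasi-identifiers, so even the Intermediary's key would not re-identify the released row; which branch runs is decided entirely by the consent object, never by the recipient.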

Summary

While it may look like most of the work in ToIP relates to VCs, there is also the work of the Inputs and Semantics Working Group, which looks at standardizing the storage and portability of personal data and at creating a layered schema that helps with setting the policy engine when preparing and sharing the data.

The Data Governance Act can be supported by the technology being promoted in ToIP Working Groups. The work underway in those Working Groups is aligned with the specific requirements of the Data Governance Act. Both ToIP and the DGA avoid a pervasive data ecosystem that promotes the surveillance economy. Both put a data exchange with humans at the center of any data transfer.

A future blog post will look at the Digital Markets Act in relation to ToIP. When an organization exceeds a threshold of users and net income, they are required to adhere to the rules of a Gateway stipulated by the Digital Markets Act. More in the next post.

References

🎄 ToIP Helps Santa with His Toughest Choices


The Trust over IP (ToIP) Foundation announced a critical governing framework (PDF) to assist Santa in making his toughest choices during Christmas Eve.

For generations, Santa used many information sources, potentially unreliable, to choose gifts. However, with the advent of verifiable credential standards, systems, and governance, a more trustworthy ecosystem is being built which will issue NAUGHTY and NICE verifiable credentials based upon trustworthy evidence and accountability standards for all participants.

Santa on his cellphone

ToIP, working closely with the Santa-led Meaningful Gift Alliance (MEGA), applied its ground-breaking Metamodel Specification to define the ecosystem whereby trustworthy NAUGHTY and NICE credentials will be made available to Santa on Christmas Eve. This effort is expected to save Santa and his elves around 3.14159 million elf-hours per Christmas event which translates into a minimum of 742,000 additional toy deliveries for the 2.2 billion children of the world. #logistics #supplychain

Santa is thrilled. “Those NAUGHTY and NICE lists are just too difficult to scroll through when I’m out all-night delivering presents. I get acid reflux worrying that I’ll get my lists mixed up! This new ecosystem delivers all the information I need right to my satellite smartphone with the confidence I need to sail through the night!” #UXdesign

MEGA - Meaningful Gift Alliance

The Governance Framework (PDF) sets nuanced and contextual rules for the privacy protection of BAD and GOOD life events for children, used as input to the quantum-computer generated algorithm that issues NAUGHTY and NICE credentials. It also allows parents, guardians, and child-advocates to petition on a child’s behalf. The Glossary of Terms used in the MEGA Governance Framework (PDF) is supported by a Trust Over IP terms community using the Trust Over IP terms wiki tool.

“While we want to save Santa some stress, the main focus is ensuring every child gets a meaningful gift each gift-giving season.” says Nichola Hickman, Secretariat for the Meaningful Gift Alliance. “We consulted with many meaningful gift-givers, including representatives for Wookie Life Day, Mother Earth, the IFFF (International Federation of Fairy Godmothers & Tooth Fairies) and the Free Magi-Sons. They all had experienced fraud from grown-ups claiming to be children, so we are delighted with this new method of ensuring that every child gets exactly what they deserve.” 

Bids will be announced shortly for vendors for MEGA’s technical infrastructure. 

MEGA also joined the Good Elf Pass Initiative whose “interoperability blueprint” supports its crucial role as issuers of these credentials. The ground-breaking “Hypersleigh” blockchain standard will also support rapid delivery and high security for all Meaningful Gifts. #hypersleigh

For more information on these emerging ecosystems and the Trust Over IP Foundation, contact us at https://trustoverip.org/contact/. Happy Holidays and Happy New Year!

ToIP Releases Additional Tools for Governance and Trust Assurance in Digital Trust Ecosystems


Following the September announcement of its first tools for managing risk in digital trust ecosystems, today the ToIP Foundation announced three more pairs of tools to assist in the task of generating digital governance and trust assurance schemes:

  1. The ToIP Governance Framework Matrix and Companion Guide.
  2. The ToIP Trust Assurance and Certification Template and Companion Guide.
  3. The ToIP Trust Criteria Matrix Template and Companion Guide.

“These three new tools—each with its accompanying Companion Guide—are explicitly designed to simplify and streamline the process of developing robust governance for any digital trust community building on ToIP infrastructure,” said Scott Perry, co-chair of the ToIP Governance Stack Working Group (GSWG) and a certified WebTrust auditor. “They can help turn a job that often takes years into one that takes weeks or months.”

The physical credentials we use today, such as credit cards and driver’s licenses, have governance frameworks and trust assurance schemes built by governments and industry associations over many years. Now that we are moving to digital credentials verified using cryptography, we need to make the process of adapting these existing governance frameworks—or creating new ones explicitly tailored for digital life—much easier and faster.

“Governance is both simple and complex. Everyone has their own ideas of what Governance is and should be. The complexity comes when multiple parties need to agree on what it is and should be,” said Savita Farooqui, GSWG member and primary author of the Governance Framework Matrix. “The Governance Framework Matrix divides the problem into small chunks and provides a flexible framework to define governance and seek agreements.”

Screenshot of the Governance Framework Matrix

The Governance Framework Matrix is a recipe for setting the process of governance in motion. Without a starter set of governance topics to drive discussion and consensus, governing bodies stall in their formation.

Trust Registry diagram, with flow arrows between various components.

The Trust Assurance Companion Guide explains in detail, in plain language, how accountability is generated from community participation in a governance framework.

“The Trust Assurance Template and Companion Guide is akin to the ‘Cliff Notes of Accountability’,” said Drummond Reed, GSWG co-chair. “When you combine it with the Trust Criteria Matrix, it means you don’t need to be a cybersecurity audit professional to grasp what is needed to meet the accountability requirements of your digital trust ecosystem.”