

  1. There's the 'noise' around Trust Frameworks.  That is good, because Kantara has been promulgating and operating a Trust Framework for conformity assessment and assurance since 2011, when the very first Trust Framework in this space (FICAM, Federal Identity, Credential, and Access Management) was launched by the US Federal Government.  By design, Kantara's Trust Framework was built to operate either stand-alone, as it is seen today, or as the conformance and assurance sub-set of another Trust Framework, as it was under FICAM (the Trust Framework Solutions portion officially deprecated January 31st).  As folks look at the other Trust Frameworks operating today, such as eIDAS (electronic IDentification, Authentication and trust Services) in Europe or the TDIF (Trusted Digital Identity Framework) in Australia, and they hear about the PCTF (Pan Canadian Trust Framework) in Canada in MVP this year, and the Trust Frameworks being drafted in the United Kingdom, New Zealand and elsewhere, they are better able to understand the crucial role that Kantara's Trust Framework plays.  That role is the crux of a Trust Framework - conformance, governance, responsibilities written into fully executed contracts.  Structured policy, rules and requiring conformance to standards are all very well, but when 'the rubber hits the road', a jurisdiction considering cross recognition looks first and last at the veracity of the service providers' conformance as its baseline confidence indicator.
  2. There's a growing realization that NIST SP 800-63 Rev 3 (and soon revision 4) remains the de jure, de facto standard, just as its predecessor 800-63 Rev 2 (or in its international guise ISO/IEC 29115 or ITU-T's X.1254 Entity Authentication Assurance) was.  You can find elements of them in the eIDAS Implementing Acts, in the UK's GPGs, in Canada's early work on CATS (Cyber Authentication Technology Solutions) Interface Architecture and Specification, and in New Zealand's Authentication standards for online services.  Authentication requirements in Australia's TDIF are pulled straight from 63-3.  Slam dunk.  So what standard are you going to choose to build your product against if you are an international IDaaS brand that is looking for the most cost effective conformance that gets you most of the way, in most jurisdictions, to minimize the incremental lift for in-country conformance? It’s 800-63. It's akin to a prime number or form factor in mathematics, or the US dollar in currency where it's tradeable anywhere.
  3. In the US, there is emerging evidence that those federal agencies charged with obligations under the OMB M-19-17 executive memo - which stipulates the adoption of 63-3 - are actively moving on those obligations.  While we have not yet seen many of these downstream directives published in policy, there seems to be some informal industry chatter that points to a formal position being announced in coming months.
  4. Globally, add the COVID effect, where more people are needing more access to more services online - in healthcare, in education, in financial services, in government services, in essence everywhere.