

This is part of an ongoing series on the National Strategy for Trusted Identities in Cyberspace. The introduction to this series can be found here.

The National Strategy for Trusted Identities in Cyberspace (NSTIC) proposes a large ecosystem of identity providers, attribute providers, and relying parties that must establish trust with each other in various ways. NSTIC requires various types of trust within the identity ecosystem. These include:

The term “federated identity” is widely used to refer to identity systems that span multiple organizations, each of which maintains its own identity information. That arrangement is typically used between an enterprise and its business partners, such as contract manufacturers, channel partners, and consulting firms. Trust is established individually with each. A fully meshed federation of n participants would require n(n-1) such agreements, which does not scale well beyond small federations, especially considering that these agreements often take the form of contractual negotiation between each party.

The anticipated scale of NSTIC makes this form of federation wildly impractical. This is where the accreditation model proposed in the NSTIC has a real advantage. To differentiate it from the pairwise-federation model, I often refer to the model used by the NSTIC as accredited identity. These are also sometimes referred to as trust frameworks.

One of the biggest problems with accreditation historically has been communicating clearly the meaning (semantics) of the accreditation. In the context of the NSTIC, the semantics of accreditations should include:

For Identity Providers:

For Attribute Providers:

For Relying Parties:

For Accreditors:

All this granularity is intended to make it easier for parties to participate in the Identity Ecosystem. If they are only going to support low levels of assurance, it should not be necessary to bear the burden and cost of being accredited at the highest possible level. Similarly, it is easier to accredit an attribute provider to be a trustable source of certain types of information than it is for all possible assertions.

Another important requirement that is all too often overlooked is the ability to revoke the accreditation of both accreditors and other Identity Ecosystem participants. Without the ability for an accreditation to be revoked, it means little. Revocation needs to be possible on both a technical and practical basis. From a technical standpoint, it needs to be possible to quickly communicate the revocation to those that are dependent on the accreditation, or for the accreditation to be evaluated in real time. From a practical standpoint, it needs to be possible to revoke an accreditation without causing an excessive amount of collateral damage; no accreditation can be allowed to become so important that it is “too big to fail.” This means that the structure of accreditations isn’t a tree, but a bunch of trees with intertwined branches, as participants are likely to have several accreditations that are applicable for different purposes, to increase their breadth of trust, and as backups.
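To make the revocation and "backup accreditation" points concrete, here is a small model of the accreditation structure described above, written as an added illustration rather than anything from the post or from NSTIC itself. The participant and accreditor names (idp.example, accreditor-A, accreditor-B) and the scope labels are constructed; a relying party evaluates accreditations in real time and only trusts an identity provider if some currently valid accreditation from an accreditor it trusts matches the exact role and scope.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Accreditation:
    subject: str     # ecosystem participant being accredited
    accreditor: str  # accreditor that issued it
    role: str        # "idp", "attribute_provider" or "relying_party"
    scope: str       # what it covers: "loa2" for an IdP, "age_over_18" for an AP

@dataclass
class TrustFramework:
    accreditations: set = field(default_factory=set)
    revoked: set = field(default_factory=set)              # single accreditations
    revoked_accreditors: set = field(default_factory=set)  # whole accreditors

    def revoke(self, acc):
        self.revoked.add(acc)

    def revoke_accreditor(self, name):
        # Revoking an accreditor invalidates everything it ever issued at once.
        self.revoked_accreditors.add(name)

    def is_valid(self, acc):
        return (acc in self.accreditations and acc not in self.revoked
                and acc.accreditor not in self.revoked_accreditors)

    def trusted(self, subject, role, scope, trusted_accreditors):
        # Real-time check by a relying party: any currently valid accreditation
        # from an accreditor it trusts, matching role and scope exactly (an
        # LoA 2 accreditation says nothing about LoA 3).
        return any(a.subject == subject and a.role == role and a.scope == scope
                   and a.accreditor in trusted_accreditors and self.is_valid(a)
                   for a in self.accreditations)

def demo(backup: bool):
    # Constructed scenario: idp.example accredited at LoA 2 by accreditor-A,
    # optionally also by an independent accreditor-B. Returns whether a relying
    # party trusts the IdP before and after accreditor-A is revoked.
    fw = TrustFramework()
    fw.accreditations.add(Accreditation("idp.example", "accreditor-A", "idp", "loa2"))
    if backup:
        fw.accreditations.add(Accreditation("idp.example", "accreditor-B", "idp", "loa2"))
    rp_trusts = {"accreditor-A", "accreditor-B"}
    before = fw.trusted("idp.example", "idp", "loa2", rp_trusts)
    fw.revoke_accreditor("accreditor-A")
    after = fw.trusted("idp.example", "idp", "loa2", rp_trusts)
    return before, after
```

With a single accreditor the IdP loses all trust the moment that accreditor is revoked (the "too big to fail" failure mode); with a second, independent accreditation the relying party's check still succeeds.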

While the trust framework for the NSTIC Identity Ecosystem is critical to its success, it will take considerable care and attention to build it properly.



  1. This is the kind of substantive and constructive commentary that helps government (FICAM and NSTIC) and private sector efforts.
