Last month, we pre-released the gamma (0.4) publication of the trust framework. One of the main changes in this publication is the introduction of two new roles: the holder service provider and component service provider.
This blog post takes a closer look at what these new roles do, why we introduced them, and how they support providers looking to get certified against this new publication.
Roles in the trust framework
To be certified against the trust framework, a service must fulfil at least one of the high-level ‘roles’ that OfDIA has defined. The range of roles reflects the diversity of products and services in the digital identity market, and providers need only demonstrate that their services follow the rules that apply to the role or roles that they fulfil.
This flexibility helps the trust framework support innovative approaches while remaining outcomes-focused and technology-agnostic.
In the gamma trust framework, there are now five different roles:
- Identity service providers (IDSPs) prove and verify a user’s identity at a single point in time, such as when a user creates a one-off proof that they have the Right to Work in the UK.
- Attribute service providers (ASPs) collect, create, check, or share a single piece of information about a user, for example that they are over a certain age.
- Orchestration service providers (OSPs) act as the ‘pipes’ between different parts of the digital identity market to support secure data sharing between different participants. A relying party might, for example, use an orchestration service provider so that they can receive information from a variety of IDSPs.
- Holder service providers (HSPs) allow users to store and manage their identity and attribute information for future reuse. Digital wallets and personal data stores are both types of holder services.
- Component service providers (CSPs) specialise in just part of the various identity verification or authentication processes, such as fraud checks or biometric face scans. Other providers might contract with one or more of these specialist component services to help them build out a full service.
Better reflecting the shape of the market
In previous versions of the trust framework, only the first three of these roles existed. Services offering holder and component functions were still accommodated, but as sub-types of the old IDSP role, which was more broadly defined.
However, given the breadth of the old IDSP role, we heard it was not always clear which rules applied to some kinds of providers.
For instance, requirements around managing users’ accounts didn’t make sense for IDSPs offering a ‘one and done’ service. Similarly, certification as IDSPs didn’t suit providers that offered only component parts of a wider service, such as a specialist fraud monitoring function.
In splitting out the holder and component service provider roles in the gamma publication, our primary aim was to provide greater clarity for these kinds of providers. This should make it easier to ensure that services are meeting the right certification requirements.
The CSP role, in particular, should also help increase supply chain transparency. Many end-to-end services already contain elements sourced from specialist third-party providers, like the fraud checks and face scans mentioned above.
And, while there will be no need for every one of those parts to be certified under the gamma trust framework, end-to-end services that work with certified CSPs may find it easier and cheaper to prove compliance during their own certifications, as these parts will already have met the trust framework’s standards.
Certification and multiple roles
Services will still be able to be certified against multiple roles under the trust framework, as they always have done. The gamma publication just makes the distinctions clearer. For example, a digital wallet that derives a new attribute from identity information it was holding, such as a user’s age from their date of birth, would be both an ASP and HSP.
Where an end-to-end service like this fulfils multiple roles, it will continue to need to be certified against all requirements for those roles.
Conformity Assessment Bodies will work with providers to understand the scope of the evaluations they need to perform, including which role(s) a provider is fulfilling. Certificates from Conformity Assessment Bodies will also continue to specify which role(s) a service has been certified against, so that relying parties and users can be sure exactly what services providers offer.
Do you have questions or feedback?
The introduction of these two new roles is a big step for the trust framework, and we want to know what you think. If you have any feedback or questions, please get in touch.