https://enablingdigitalidentity.blog.gov.uk/2025/11/03/must-and-could-in-the-trust-framework-and-whether-the-rules-apply-to-your-service/

“Must” and “could” in the trust framework and whether the rules apply to your service

We’ve been asked whether all of the rules in the gamma (0.4) trust framework and its supplementary codes apply to a service when those rules say “must”.

A screenshot of a web browser. The UK digital identity and attributes trust framework is shown in the window.

Different rules apply to different “roles”

The trust framework is written around the concept of “roles”. A service can be certified as a:

  • identity service provider (IDSP)
  • holder service provider (HSP)
  • attribute service provider (ASP)
  • component service provider (CSP)
  • orchestration service provider (OSP)

Each service must be at least one of these roles but a service might also perform more than one of these roles.

All certified services must comply with the rules in Part 3 of the 0.4 trust framework regardless of what role they perform and even if there are no other rules specific to that role. These rules set the baseline level of quality for every service.

Additional rules might apply depending on the role your service plays in the ecosystem. The rules are in Part 2 of the 0.4 trust framework. As an example, if you are an IDSP only, under 0.4 of the trust framework, you must conform to the rules in Section 5 and Section 10, but not the rules in Sections 6, 7, 8 or 9.

All the rules apply in relevant sections

All of the rules in the trust framework and supplementary codes are described using the terms:

  • “must” – which indicates that a rule is a mandatory requirement
  • “could” – which indicates that a rule is a recommendation and not a mandatory requirement

If a Part or Section in the trust framework applies to your role, then all of the rules in that Part or Section apply to your service. Your service must conform with all of the “must” rules, and service providers can choose whether or not to implement any “could” rules.

There are no opt-outs

All the rules apply if they include the word “must”. As a service provider, you cannot opt out of, or descope, a rule that includes the word “must”. As the trust framework is outcome-focused and technology-agnostic, you can seek to conform to these rules in any appropriate way; but your service is, nonetheless, required to conform.

If you cannot demonstrate that your service conforms, it cannot be certified against the gamma (0.4) trust framework.

Of course, if you disagree with the existence of a rule, we review the trust framework regularly and we welcome your feedback! Where we believe a rule is unclear – whether it is a “must” or “could” rule – we may publish additional guidance to clarify it for providers and CABs (for example, in a blog post), and may revise it in future versions of the framework.
