Operationalizing Trust Frameworks: Who’s Going to Keep the Lights On?

Given my recent posts on digital wallets and the future of academic identity federation, you might be able to tell I’m on a bit of a rant. These topics share a common thread: we have a lot of experience building trust frameworks but significantly less experience in operationalizing those trust frameworks and making them sustainable.

What’s a Trust Framework?

Backing up a bit, let’s discuss what a trust framework is in this post’s context. According to NIST IR 8149, a trust framework is “the ‘rules’ underpinning federated identity management, typically consisting of system, legal, conformance, and recognition.” It’s about applying a whole set of technical and governance rules to the protocols, contracts, and regulations that let you use a digital identity from one organization to sign in to another organization’s services. A trust framework is the backbone of how federated identity functions effectively—at least in theory.

For those who care about ensuring safe and effective interoperability, though, the rules defined in a trust framework are critical and everyone should apply them in their federations. Operationalizing trust frameworks means doing more than ‘just’ defining the policies and rules (as if that’s not hard enough). It also means creating the practical mechanisms and governance structures to make those rules measurable, enforceable, and part of daily operations. It means moving from theoretical planning to real-world execution, with a way to know when the frameworks are being correctly applied and when an entity is out of conformance.

The Funding Crisis Nobody Wants to Talk About

This is where the real problem lies. Who funds this infrastructure? A trust framework involves a ridiculous number of different organizations. They are all supported in various ways, and the identity federation part of their services is rarely the primary reason they exist. (University IdPs are not the reason that universities exist. Identity and access management services are not why publishers sell journal subscriptions.)

The federation operators themselves are often underfunded and overstretched. Out of all the global federations, only a handful have the resources to innovate. The rest? They’re in survival mode—keeping old systems running and sticking with SAML because it works well enough. They can’t afford to migrate. How can they require their federation members to pay to comply with a trust framework when the benefits are intangible to their core missions?

Lessons from the R&E Space: We Can’t Just Ignore the Underfunded Parts

The worlds of commerce and government, while buzzing about digital wallets and verifiable credentials, need to wake up to the realities that the R&E federations have lived with for decades. Trust isn’t just a tech problem; it’s a governance problem, a funding problem, a sustainability problem. Right now, too many organizations are excited about issuing credentials without thinking about how to manage them when things go wrong.

The Research and Education (R&E) federations have been there, done that, and frankly, are still wondering if it’s worth doing again. They’ve experienced the growing pains that come with scaling trust across borders and organizations, but they’re also exhausted—financially and operationally. It’s not that they don’t want to help; they can’t afford to.

R&E federations have the trust frameworks. They don’t have the resources necessary to operationalize those frameworks in a way that reaches all parties involved.

What’s the Future for Trust Frameworks?

So, where does that leave us? If we want federated identity to work sustainably across sectors and borders, we need to figure out the support model(s). We need a governance structure that doesn’t just sound good in theory but works in practice without requiring federations to burn themselves out.

And yes, some of this may come from government backing. However, we also need to think about models that work where government involvement isn’t the answer—where decentralized, community-driven approaches, like REFEDS SIRTFI for incident response, are more appropriate. We need to build bridges between these different types of frameworks and find a way for them to coexist, or else we’re just going to keep reinventing the wheel.

Ultimately, operationalizing trust frameworks is about more than technology or policies. It’s about ensuring that the people running the systems have the support they need, that the lights stay on, and that we don’t lose trust simply because we can’t afford to maintain it. The R&E sector has valuable lessons to offer, but without a more collaborative and well-funded approach, the rest of the identity world might find itself learning those same lessons the hard way.

A Call to Action Without All the Answers

I recognize that I’m shouting about a problem for which I don’t have an answer. But that’s exactly why I’m getting all rant-y about this. I hope we can collectively develop more effective ideas—better than the grassroots community efforts of the past—so that every organization involved finally recognizes the infrastructure underpinning our trust frameworks as critical. This effort isn’t just about keeping federated identity afloat; we must support, value, and encourage it to evolve, so it can deliver on its promise for the long haul.

Heather Flanagan

Principal, Spherical Cow Consulting
Founder, The Writer's Comfort Zone
Translator of Geek to Human
