The Trust Framework in lay terms
Last year the Department for Digital, Culture, Media & Sport (DCMS) launched the Trust Framework. Their aim was to establish principles, policies, and procedures for securely managing identities in the digital age. The beta phase is now live and gaining traction, with innovative companies moving quickly to certify against the standards and help shape the space.
But what does the Trust Framework really do, and how will different companies engage with it? Never keen on unnecessary complexity, we’ve tried to boil it down below in an effort to get everyone up to speed.
What’s its purpose?
The Trust Framework creates rules and standards against which companies are certified and processes are built. It establishes what ‘good’ looks like in regards to digital ID and data protection. It also creates an oversight function to determine whether these new standards are fit for purpose and are being followed. And, importantly for companies like Konfir, it helps industry navigate the changing technical and regulatory landscape, so we can get on with building solutions.
Why do we need it?
Although the concept of your identity becoming digitised sounds undeniably sci-fi, it’s overwhelmingly practical. Don’t have a driver’s licence and don’t fancy bringing your passport on a night out? Well, now you can demonstrate that you’re over 18 through your phone. Opening a bank account, but don’t have the recognised physical documents or unable to travel? Soon you’ll be sharing the relevant proof securely, at the touch of a button. While these examples may sound trivial, the big picture is clear; digitising different elements of who you are and what you do saves time, reduces fraud, and empowers the UK to become a more competitive, modern economy.
Perhaps the single most perplexing part of the framework are the different parties involved, their names, and what they do. Fear not, we’ve got you covered:
Identity Service Providers: As the name suggests, ISPs are in the game of proving someone’s identity. They can do this in a narrow context (e.g a company that validates fingerprints), or more broadly (e.g by providing a ‘wallet’ that combines multiple elements including your personal details, biometrics, and certifications)
Attribute Service Providers: ASPs collect, check, and share information that relates to an individual (e.g their credit score, driver’s licence number, or employment status). Typically these attributes will be shared with an ISP or a relying party.
Relying party: this is any who ‘consumes’ information from others in the framework. For example, a bank that receives a credit score to make a decision on a loan, or an airline that requests your passport number to book a flight.
Orchestration Service Providers: OSPs are the infrastructure through which the data is transported. Their aim is to enable secure sharing of information among different participants of the framework.
Scheme Owners: these folks set the rules for, and oversee, a particular area. That area may be a sector, industry, or region, and contain a mix of ISPs, ASPs, and OSPs. For example, this could be an aerospace company who wants to establish standards that airlines, passengers, and airports follow.
It’s important to note that the Trust Framework is continually growing and evolving. For now, we hope we’ve helped demystify things slightly. We’ll be watching the space closely, and look forward to sharing more insights soon.Back to blog home