ABA and the Guiding Principles

The following table summarizes how the ICIF Assertion-Based Architecture (ABA) satisfies or aligns with the ICIF Guiding Principles.

ICIF Guiding Principle

ABA Mapping or Alignment

Align with ISE Requirements from the IRTPA

While the list of 15 ISE requirements in the IRTPA covers a wide range of topics that transcend the scope and focus of the ABA, there is nothing inherent to the design or intended usage of the ABA that contradicts or precludes the ISE from fulfilling any of the requirements listed. The embedded table below addresses a small sample of these 15 requirements in relation to the ABA.

IRTPA Requirement

Relation to the ABA

“connects existing systems, where appropriate, provides no single points of failure, and allows users to share information among agencies, between levels of government, and, as appropriate, with the private sector”
The ABA promotes and aligns with a distributed, scalable model of information sharing in which there are no single points of failure and no pre-defined logical boundaries separating “members” from “non-members”.

“builds upon existing systems capabilities currently in use across the Government”
As discussed below, the ABA is designed specifically to leverage and reuse existing infrastructure, including standards, policies, and actual information systems.

“facilitates the sharing of information at and across all levels of security”
The ABA is agnostic to actual access control policy rules; however, the ABA is an ideal framework in which to express and implement assertion-based and attribute-based access control rules at the levels of organizations and individuals.

“incorporates protections for individuals’ privacy and civil liberties”
As with the access control policy requirement above, the ABA is agnostic to any specific rules for protecting privacy and civil liberties. But the ABA is an ideal framework in which to express and implement structured, assertion-based rules related to these topics.

“provides directory services, or the functional equivalent, for locating people and information”
The Service Endpoint and Assertion Registry (SEAR), discussed here, provides a foundation upon which to build a wide range of value-added directory services for the benefit of all ISE stakeholders.

Respect the Autonomy of IS&S Stakeholders

The ABA is designed specifically to promote autonomy and decentralized trust management among ICIF stakeholders. They can use the various capabilities of the ABA to:

  1. Develop and publish Assertion Definitions (ADs) and Assertion Profiles (APs) to express their trust requirements;
  2. Undergo rigorous assessments and obtain assertions to demonstrate compliance with the published trust requirements of their mission partners; and
  3. Leverage a robust operational infrastructure to make automated trust decisions based on assertions held by their partners.

Nothing about the ABA imposes any type of operational oversight, management, or governance that would compromise the autonomy of existing agencies and stakeholder communities within the ISE.

Leverage Existing Standards, Policies, and Infrastructure

The ABA seeks specifically to avoid the development of new standards, policies, and infrastructure to the greatest extent possible. It seeks instead to leverage that which already exists, within an architecture that is based on componentization, harmonization, and reuse.

Provide a Clear Roadmap for Stakeholder Engagement

The ABA inherently allows for stakeholders to leverage assertions as little or as much as they choose. Agencies can fully embrace the ABA for expressing and demonstrating compliance with all mission requirements, if and when they are ready to do so, but they need not go “all-in” on Day 1. For example, a set of mission partners may find value in using assertions for demonstrating conformance to each other’s technical protocol requirements, but may not find it necessary to use assertions for demonstrating security or privacy policy compliance, due to pre-existing trust among the partners. Such “partial participation” scenarios are perfectly acceptable and easily supported by the ABA. In addition, since the ABA uses well-defined, discrete artifacts (ADs and APs) to express trust requirements, stakeholders can easily compute the difference, or “gap”, between one set of requirements and another, to effectively compute a very precise “trust elevation roadmap” from where they are today to where they need to be at some future point.

Support Scalability Across Multiple Dimensions

The ABA is highly scalable across every critical dimension of scalability.

  • It is inherently borderless in that it does not restrict trust to any predefined set of stakeholders or communities.
  • Its core principle of componentization allows for scalability and reusability of requirements and artifacts (ADs, APs, and assertions) across many different use cases.
  • It provides an ideal foundation for rigorous trust that can underpin many types of federated applications, including scalable federated identity management.

Drive Interoperability through Convergence and Smart Reuse

The ABA inherently supports and encourages reuse of ADs, APs, and assertions. In particular, the Assertion Authoring and Publishing Capability (AAPC) facilitates and encourages stakeholders and communities within the ISE to discover and reuse existing componentized requirements (ADs) and existing requirements profiles (APs).

Favor Agility and Flexibility over Brittleness

The ABA inherently supports and adheres to the principles of agility and flexibility by encouraging componentization and reuse of requirements to the greatest extent possible across use cases and communities. In addition, as we discuss here, the ABA is based on an underlying technology standard that is open (i.e., non-proprietary) and available free-of-charge for use within the ISE community.

Increase the Speed of Execution

The ABA includes two components that are specifically designed to increase the speed of execution for ISE mission participants. The first is the Information Sharing Agreement Builder Capability (ABC), which enables rapid development and execution of information sharing agreements among ISE stakeholders, and the second is the Assertion Operational Infrastructure Capability (AOIC), which provides a robust set of tools and other capabilities to enable more rapid partner discovery and trust decisions through a componentized, assertion-based model of trust.