Linux Foundation Leads Initiative for Better Digital Trust

The Linux Foundation on Tuesday announced that it will host the Trust over IP Foundation, a cross-industry effort to ensure more secure data handling over the Internet.

This new foundation is an independent project enabling trustworthy exchange and verification of data between any two parties on the Internet.

The ToIP Foundation will provide a robust common standard to give people and businesses the confidence that data is coming from a trusted source. The new protocol will allow them to connect, interact and innovate at a speed and scale not possible today.

The LF is pushing its sponsorship of the ToIP Foundation in order to grow membership, with global pan-industry support from leading organizations with sector-specific expertise.

Founding members include Cloudocracy, Continuum Loop, CULedger, Esatus, Evernym, The Human Colossus Foundation, IBM Security, IdRamp, Kiva, Mastercard, MITRE, the Province of British Columbia and SICPA.

This could be a significant development spurred in part by the COVID-19 pandemic, according to the LF. The pandemic is pushing companies worldwide to deal with an increasingly virtual world relying on the Internet and the world’s digital infrastructure more than ever.

Forming the ToIP Foundation underscores the importance of open source and open standards in building an infrastructure for the effective exchange of or access to information, observed Charles King, principal analyst at Pund-IT.

The list of founding members, including IBM, is significant in that they are organizations that have a long association with, and support for, open source, he noted.

“Something COVID-19 is highlighting is just how deeply interconnected businesses, industries, and markets really are,” King told LinuxInsider. “An effort of this sort that failed to incorporate multiple industries would be dead in the water.”

Addresses Enterprise Struggles

Businesses are struggling to protect and manage digital assets and data — a struggle made more difficult in an increasingly complex enterprise environment that includes the Internet of Things, edge computing, artificial intelligence, and much more, according to the LF.

This is compounding the already low consumer confidence in the use of personal data. The result is slowing innovation in areas like digital identity and the adoption of new services that can support humanity.

“In today’s digital economy, businesses and consumers need a way to be certain that data being exchanged has been sent by the rightful owner, and that it will be accepted as truth by the intended recipient,” said Dan Gisolfi, chief technical officer for decentralized identity at IBM Security.

Many privacy-focused innovations are being developed to solve this challenge, but there is no recipe book for the exchange of trusted data across multiple vendor solutions, he asserted.

“The new Trust over IP Foundation marks an evolutionary step which goes beyond standards, specs and code, with the goal of creating a community-driven playbook for establishing ecosystems of trust,” Gisolfi said.

IBM believes that the next wave of innovation in identity access management will be for credential issuers and verifiers to partake in these ecosystems. This process is where trusted relationships are built upon cryptographic proofs, he added.

Crucial Development Need

The level of collaboration around ToIP is significant. These organizations all have much to gain from the ToIP Foundation, and their actions represent a significant push in this area, according to Thomas Hatch, CTO of SaltStack.

“ToIP has the potential to establish a new trust-based fabric. I am good friends with a few of the technical minds behind this protocol, and it has been very difficult to establish,” he told LinuxInsider.

The current state of ToIP is the culmination of years of work. Bringing together these groups to develop and support the new initiative gives it the potential to establish new ways to create and ensure greater trust online, Hatch added.

Other endeavors have not been as ambitious. This is a culmination of many concepts built into earlier efforts. The goals of the project are to build a new fabric of online trust that can be universally used. Other similar endeavors are not built to cover the broad use case of ToIP, he explained.

Highlighting the Trust Plan

Without a global standard for how to ensure digital trust, trends towards digital distrust are bound to continue, noted the LF. The ToIP Foundation will use digital identity models that leverage interoperable digital wallets and credentials and the new W3C Verifiable Credentials standard to address these challenges.

This approach will enable consumers, businesses and governments to manage risk better, to improve digital trust, and to protect all forms of identity online. The LF’s open governance model enables the ToIP Foundation to advance a combination of technology and governance standards for digital trust in a neutral forum that supports pan-industry collaboration.

“The ToIP Foundation has the promise to provide the digital trust layer that was missing in the original design of the Internet and to trigger a new era of human possibility,” said Jim Zemlin, executive director at the Linux Foundation.

An open governance model that can be integrated into the development of the standards for digital trust is essential where the business, legal and social guidelines for technology adoption impact human trust and behavior. The combination of open standards and protocols, pan-industry collaboration, and LF’s neutral governance structure will support this new category of digital identity and verifiable data exchange, he explained.

The ToIP Foundation initially will host four working groups. The Technical Stack Working Group and the Governance Stack Working Group will focus on building out and hardening the technical and governance halves of the ToIP stack, respectively.

The Utility Foundry Working Group and the Ecosystem Foundry Working Group will serve as communities of practice for projects that wish to collaborate on the development of ToIP utility networks or entire ToIP digital trust ecosystems.

Continuation in the Works

The LF had much of the architecture of the Trust over IP stack in play internally. So it was only natural to propose that The Linux Foundation host this new project dedicated to “open, open, open” (open standard, open source, open governance) digital trust infrastructure, a Linux Foundation spokesperson said in comments provided to LinuxInsider by company rep Beth Handoll.

A significant portion of the architecture was generated via developers and contributors to the Linux Foundation Hyperledger projects (specifically Hyperledger Indy, Hyperledger Ursa, and Hyperledger Aries projects). Also, working groups at the Decentralized Identity Foundation, which is also a Linux Foundation project, were involved, the LF source said.

It is absolutely essential — in fact, the ToIP stack is designed to be as cross-industry as the TCP/IP stack that enabled the Internet itself. In fact, the primary purpose of the ToIP stack is to enable cross-domain trust across any two domains — countries, industries, companies, schools, cities, communities, families — noted the LF spokesperson.

The two most closely related LF projects are Hyperledger and the Decentralized Identity Foundation, but there are many more LF projects that already have become interested in the ToIP stack.

One example is the LF Energy project, which is looking at ToIP and digital credentials for verifying each link in a supply chain. This is what John Jordan, executive director of BC Digital Trust Service, Province of British Columbia, calls “verifiable origins.” His team is working on that usage of the ToIP stack, the LF spokesperson said.

Yet Another Internet Standard

Enterprises clearly can benefit from the results of ToIP efforts. Opportunities and challenges never stop changing, so industries and businesses should be in a state of positive evolution, noted Pund-IT’s King.

“As we move toward a future where business IT is driven by hybrid cloud computing, and robust 5G wireless technologies enhance the velocity and volume of data resources, we’re going to need to think about and work with security and related issues in new ways. That’s exactly what the Trust over IP Foundation aims to do,” he said.

This standard provides a new way to communicate over the WAN. It is not just another protocol, remarked SaltStack’s Hatch.

“I see it instead as forging ahead in an area where TCP, TLS and SSL have grown old and new considerations are needed,” he said.

What the Stack Is

The ToIP stack is not a single standard. Rather, it is a definition of a whole stack of standards — at four distinct layers — that are needed not just for technology but also for governance, according to LF.

The first two layers are standards and best practices for governing and implementing the technology needed to establish technical trust — for example, how to implement cryptography, and protocols for how two machines can talk to each other safely and securely.

The third and fourth layers are standards and best practices for governing and implementing the technology needed to establish human trust — for instance, what is needed for one person or organization to trust another person or organization in the context of a specific relationship or transaction.

Since the ToIP stack is not a single standard, no set timelines for completion or adoption exist. Instead, it will be an evolving set of interoperability specifications, governance templates, and best practices recommendations. In May, the new foundation will formally launch the first four working groups.

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.
