Trust and Internet Identity Meeting Europe
Feb 2020: Workshops and Unconference

IdPro certification program

(Heather Flannigan)

Attendee count: 15 ppl.

Notes in a nutshell, transcript below:

Helpful content

Discussion started with current Table of Content on the body of knowledge

How the body of knowledge is curated:

  • Each committee member will take a section and shepherd that section.

  • The body of knowledge will be public

Questions and some answers from discussion

Body of knowledge for IdPro is intended to be gathered from community.

Q: Terms for collaboration? See readme in IPR statement

Origin of idPro: asks for certification programs in higher ed space,

Q: Robin W: Body of Knowledge – very large set of knowledge

  • see 3 emergent audiences

  • Vendor implementers

  • Architects

  • Implementers (?)

Should the content be geared to these audiences?

Heather: drawing from the Project Management Program (PMP designation) their body of knowledge is set up in a role based model.

Colin: Privacy has a small footprint – H: acknowledged, TOC still a work in progress.

Chris: content serves the community in different ways

  • Credibility of credential for organizations

  • Credibility of credential for those who possess it

Slavik?: Pillars of identity will be helpful. (no deeper elaboration yet)

Robin W: what does IdPro see as it’s mission?

Aims to reflect current reality ?

Mission to improve current reality ?

Consensus: build on competencies and establish what a base set and upper levels would look like

Competency –

Not how we are doing it:

  • Publishing


  • Feb 2019 – expect annotated bibliography to come out.

  • section headers by June (in progress now)

  • 6 months runway editorially

Suggestion: can we go to respective NRENs or REFEDS to to advocate to attract content to to reduce duplication and consolidate viewpoints?

Next steps: get into communication with Heather.


P1: I wanted to know what the process is like; participating and joining

Heather: Right now it’s pretty simple, I have been finding shepherds for it. If it happens to be… if it’s something you want to write, then let me know.

Mathew: I know LaTeX.

Heather: That’s part of the fun. Being the editor, I will be the one correcting grammar and making sure that everything is in the proper structure. The gentleman who has been the committee chair person. He knows tools like DOC and Sent and he knows LaTeX, so that’s the tool that he uses to make all of this happen because that’s what he knows and feels comfortable with.

Mathew: What are the terms for collaboration? Does it just cover the legal stuff?

Heather: The legal bits…there is an IPR policy, if you look in that same GitHub ID Pro repository, if you go up a level and there is a read me in there and it is a very short read me. There is one other piece of work that is going to come out sooner, probably later this month, and that is a bibliography. So several ID Pro members getting together and saying if I had to point people to just 1-2 things that would really help them you know here are book to read, articles to look at, videos to watch, things that we found really useful in our careers, here’s a list. So the bibliography, the only reason why it’s still not published because it’s still being formatted. Did I mention the mechanics look really fascinating in my head. Material is very, very good.

P4: So are you looking to get questions?

Heather: I am looking to get questions. This was more like hey I know about this thing, I know there is this gap in industry of getting consistent education. I know there has been asks, at least in the US, for certification programs in IM and …. And I can at least answer some questions about it and some questions about the output and if people have thoughts, ideas, you know comments, questions what not, anything I can do to help them.

P5: There still the meta thing about the border knowledge, looking at it it’s gonna end up being quite a big book and all the stuff in there looks relevant, but when you look at the identity management professionals that both of us encountered, they turn to form into 3 categories. One is the people that work for vendors, the people who are designing and developing products. The people who end up putting those products into real working practice are the operational folks and in between those there are people who don’t do either of those things but have to know, so like the architecting folks. So at some point in the future, it might be worth cryptone offering roots into that huge body of knowledge that are those 3 kinds of person… otherwise they would have to go through 200 pages of content and work out for themselves which text applies most to them.

Heather: I would do something very similar to …I don’t know how many of you are familiar with the Project Management Institute and the Project Management Body Account, it’s also known as PinBoc, but they’ve been doing something roughly like this for quite a long time and they have their main Body of Knowledge. But then they also have more specialized components that are separate, and I can see us going in this direction. For the generalist, here is the body of knowledge. For the implementors, here is this and for the policy makers, there is that.

Collin: Way too small piece on privacy. It’s way too much for the amount of privacy…This is way too rough for the announcement of privacy…

P5: I kind of understand why… it will explain such a number of things

P1: Does anyone have some other presentations, out of curiosity? You mentioned Project Management. I have other presentation in other venues and there is some perspective that might help the laddering here. Does anyone here have CISE or any of the Cisco accreditations?

Mathew: Used to. I have taken the CSSP exam 3 times and passed it 3 times.

P1: Okay, so there is a method to the madness and what happens is there is the Body of Knowledge and then you figure out where you are on that story and that area. And the accreditation organization is trying to test and become credible in the accreditation to say if you have ID Pro level 1, then you minimally know these things, or you cover those things. And so the structure of the material is geared towards this coverage storage of how fully functional are you in all the areas, and some people may be more fully functional in things like cryptography, privacy for instance or policy as you described before. When you assemble the material it’s also useful to look at it through the lens of what is that accreditation to me… The mission of ID Pro is to have excellent ID practitioners and you can have a ladder of progression and it’s never gonna end. Three’s people that are very good at it and there;s people very early stages at it and so there is that growth story. When you have CSSP or the other ones, you get the thing and go. You get it and you do actually have to do some credits, you have to have speaking engagements, you have to maintain it and so…

Mathew: Yeah, I like that about…I simultaneously love and hate that about the CSSP. I could see that being very useful.

P1: So at the same time there is a…about CSSP. Because it’s either.. how longer did you get it, what’s the refresh rate. You are supposed to stay current. And people do those other things because it’s career growth. The mission in ID Pro’s model has some business service to do and that is to people to respect the accreditation. It shouldn’t be very difficult but also shouldn’t be very easy to get. Level 3 of ID professional would mean having 10 years of experience…

Mathew: Speaking as a long-term information security, I have taken and passed the CSSP exam 3 times now and I would not do it again… The reason why I haven’t been able to maintain it because…but if ID Pro had that… I could see me getting that certification, using that to prove my value to my customers…and I see the value in those kind of maintenance requirements.

P1: It’s gonna be very challenging if we think about some of the people who really want to have the accreditation, it would be great to say every university identity management person should have Number 1. That should be very easily attained, or appropriately attainable. All those minimal pieces within… Architect solutions, you need to do this at this height to get here. We should strive for our community to have that kind of credibility on the street. But I think it’s challenging to have the credits that we are talking about. I don’t like that if I am not presenting I will lose my accreditation.

Slavik?: I like the idea of having several pillars or several areas of growth. What I have seen from…which was basically administrative and development and to gain the 1st administrative level, you also had to do some tests in basic development stuff. So developers understand administrators and administrators understand developers and I would love to see something similar. IF you area practitioner in implementing, you should at least have a basic understanding of privacy implications of what we are doing here or the architecture application. So a little bit of mix and match should be helpful.

P3: That raises a very interesting question for ID Pro, and that is what is it’s mission. At a very basic level you might say that access management folks have seen people going … they have a Body of Expertise themselves and that is not formally recognized in any way. The base line would be that ID Pro aims to represent current reality, however the mission should actually be to improve the current reality. ID Pro could include that as a pre-requisite for you achieving a certain level.

Slavik?: If you look at the table of contents, that would have been there 2 years ago.

P1: There would be yes to the changing but there should be caution on the rapid changing…but the next one or two layers higher…How does ID Pro assess a certain identity in contrast with its improved architectures.

Slavik?: It would be a higher level topic but the base should be rock-solid.

P1: I didn’t quite get what are those pillars of identity.

Robin: What occurred to me is I’ve been describing starts at looking at a 2-axis graph of level of expertise and areas of expertise. That said, if you stop there with that picture…

P1: it’s assessible though, you can assess it … 10 questions of privacy … do you understand GDPR…

Robin: Is there a profile-based approach where you say here are 10 of expertise and if you hit 6 of those then you are probably an architect.

P1: I have 2 competing interests. One is a personal one, the other is a larger one. The wisdom that we have within the Tiime community and the common identity people is deep. It came through my relationship with Cacti…there is an opportunity there to draw as the Internet 2 space goes through stuff…the other one is that there is an absence of common architectures. How does one look at those things like Blueprint, those are some common architectures and so I think aloud those common architectures people go to that trustworthy person and ask for accreditation… when is the moment when it becomes a part of the canon. Rapid assessment of just that could be considered a duty of ID Pro body of ingesting what is that stay current for an ID professional…In our profession we need to stay contemporary.

Slavik: New technologies pop up and it changes quite rapidly.

P1: This is where we’re gonna be able to help people scale up…How do I sort through this stuff? Is that the right thing for my organization?… ID Pro is a real good opportunity.

Heather: Another really great thing about ID Pro is it’s so great field right now. All those designs, all those ideas about certification, and we can be ones that say how it’s going to be. Let’s do this the right way.

P1: What is the resource?

Heather: It’s a non-profit organization. They’ve got enough to fund me for 6 months. They are looking for new corporate members, that’s where the money comes from. It’s a constant round of fund raising. The body of knowledge itself is going to be built by volunteers for as long as possible.

Slavik: Is there a time line to get that book started?

Heather: Well, getting the book started…I had a call on Feb 1st when I started assigning shepherds to different sections. There will be a call next Tuesday where we talk about a style guide for how the content and the sections be structured… I would love to have a 1st pass of at least the first two levels done by June, which may be optimistic.