All people, processes, and technology must have declared and transparent levels of trust for any transaction to take place.

• Trust in this context is establishing understanding between contracting parties to conduct a transaction, and the obligations this assigns on each party involved.
• Trust models should encompass people and  organizations and devices and infrastructure.
• Trust level may vary by location, transaction type, user role, and transactional risk.
• Mutual trust assurance levels must be determinable.
• Devices and users must be capable of appropriate levels of (mutual) authentication for accessing systems and data.
• Authentication and authorization frameworks must support the trust model.

Identity, Management, and Federation

Authentication, authorization, and accountability must interoperate / exchange outside of your locus / area of control.

• People / systems must be able to manage permissions of resources and rights of users they don’t control.
• There must be capability of trusting an organization, which can authenticate individuals or groups, thus eliminating the need to create separate identities.
• In principle, only one instance of person / system / identity may exist, but privacy necessitates the support for multiple instances, or one instance with multiple facets.
• Systems must be able to pass on security credentials / assertions.
• Multiple locations (areas) of control must be supported.

Access to Data

Access to data should be controlled by security attributes of the data itself.

• Attributes can be held within the data (DRM / metadata) or could be a separate system.
• Access / security could be implemented by encryption.
• Some data may have “public, non-confidential” attributes.
• Access and access rights have a temporal component. Data privacy (and security of any asset of sufficiently high value) requires a segregation of duties / privileges.
• Permissions, keys, privileges, etc. must ultimately fall under independent control, or there will always be a weakest link at the top of the chain of trust.
• Administrator access must also be subject to these controls. By default, data must be appropriately secured when stored, in transit, and in use.
• Removing the default must be a conscious act.
• High security should not be enforced for everything; “appropriate” implies varying levels with potentially some data not secured at all.