# Trust Framework Policy (TFP)

**Version:** 1.0
**Date:** November 10, 2025
**Status:** Draft

---

## Overview

This Trust Framework Policy (TFP) defines the trust posture, Levels of Assurance (LOA), and assurance events for the Decentralized Sovereign Body (DSB) identity system.

## Trust Posture

The DSB operates as an **Assured Identity Provider** with defined Levels of Assurance (LOA 1-3) and assurance events (onboard, renew, recover).

## Levels of Assurance (LOA)

### LOA 1 - Basic Identity Verification

**Description:** Basic identity verification with minimal evidence requirements.

**Requirements:**

* Email verification
* Self-declared identity information
* Optional: Social media verification

**Use Cases:**

* Honorary membership
* Basic service access
* Community participation

**Evidence:**

* Email verification
* Self-declared information

### LOA 2 - Enhanced Identity Verification

**Description:** Enhanced identity verification with document check and liveness verification.

**Requirements:**

* Government-issued identity document (passport, national ID, driver's license)
* Document authenticity verification
* Liveness check (selfie with document)
* Sanctions screening
* PEP screening

**Use Cases:**

* eResidency
* Service roles
* Professional orders

**Evidence:**

* Document verification
* Liveness check
* Sanctions screen
* Address attestation (optional)

### LOA 3 - Highest Level Verification

**Description:** Highest level verification with in-person or video interview.

**Requirements:**

* All LOA 2 requirements
* Video interview with trained interviewer
* Multi-source corroboration
* Background attestations
* Oath ceremony
* Service contribution verification

**Use Cases:**

* eCitizenship
* Governance roles
* Public offices
* Honors

**Evidence:**

* Video interview
* Sponsorship
* Residency tenure
* Background attestations
* Oath ceremony

## Assurance Events

### Onboarding

**Process:**

1. Application submission
2. Identity verification (LOA-appropriate)
3. KYC/AML screening
4. Risk assessment
5. Approval/rejection
6. Credential issuance

**Timeline:**

* LOA 1: < 24 hours
* LOA 2: < 48 hours (median)
* LOA 3: < 7 days

### Renewal

**Process:**

1. Renewal application
2. Identity re-verification (LOA-appropriate)
3. Status check (good standing, compliance)
4. Credential renewal

**Timeline:**

* LOA 1: < 24 hours
* LOA 2: < 48 hours
* LOA 3: < 7 days

### Recovery

**Process:**

1. Recovery request
2. Identity verification
3. Security checks
4. Credential recovery or re-issuance

**Timeline:**

* LOA 1: < 24 hours
* LOA 2: < 48 hours
* LOA 3: < 7 days

## Incident Handling

### Security Incidents

**Classification:**

* **Critical:** Key compromise, data breach, systemic fraud
* **High:** Individual credential compromise, unauthorized access
* **Medium:** Suspicious activity, policy violations
* **Low:** Minor issues, false positives

**Response:**

1. Immediate containment
2. Investigation
3. Remediation
4. Notification (if required)
5. Post-incident review

### Credential Compromise

**Process:**

1. Immediate revocation
2. Investigation
3. Re-issuance (if appropriate)
4. Security enhancements

## Audit

### Internal Audit

**Frequency:** Quarterly

**Scope:**

* Identity verification procedures
* Credential issuance processes
* Security controls
* Compliance with policies

### External Audit

**Frequency:** Annually

**Scope:**

* PKI infrastructure
* Issuance processes
* Privacy compliance
* Security posture

## Compliance

### Privacy

* GDPR compliance
* Data minimization
* Purpose limitation
* Individual rights

### Security

* ISO 27001 alignment
* SOC 2 Type II (future)
* Penetration testing
* Bug bounty program

### Legal

* KYC/AML compliance
* Sanctions screening
* Data protection
* Consumer protection

---

## Revision History

| Version | Date | Author | Changes |
|---------|------|--------|---------|
| 1.0 | 2025-11-10 | CISO | Initial draft |

---

## Approval

**CISO:** _________________ Date: _________

**Founding Council:** _________________ Date: _________

**External Reviewer:** _________________ Date: _________