UK Digital Identity and Attributes Trust Framework Gamma 0.4 Structure

This interactive icicle diagram represents the structure of the UK Digital Identity and Attributes Trust Framework (DIATF), illustrating its key sections and requirements. View the official GOV.UK documentation.

DIATF Structure as JSON
{
  "name": "DIATF gamma 0.4",
  "children": [
    {
      "name": "5. Rules for identity service providers",
      "children": [
        {
          "name": "5.1 Creating a digital identity",
          "children": [
            {
              "name": "5.1.a Use GPG 45 methodology"
            },
            {
              "name": "5.1.b Share information with relying parties"
            },
            {
              "name": "5.1.c Map third-party components to GPG 45"
            },
            {
              "name": "5.1.d Agree confidence levels"
            }
          ]
        },
        {
          "name": "5.2 Accepting expired documents",
          "children": [
            {
              "name": "5.2.a Follow specific rules for expired documents"
            }
          ]
        }
      ]
    },
    {
      "name": "6. Rules for attribute service providers",
      "children": [
        {
          "name": "6.1 Creating attributes",
          "children": [
            {
              "name": "6.1.a Follow guidance on attribute creation"
            },
            {
              "name": "6.1.b Link attributes reliably"
            }
          ]
        },
        {
          "name": "6.2 Assessing attribute quality",
          "children": [
            {
              "name": "6.2.a Have quality assessment method"
            },
            {
              "name": "6.2.b Share quality information"
            }
          ]
        }
      ]
    },
    {
      "name": "7. Rules for holder service providers",
      "children": [
        {
          "name": "7.1 Holding identities and attributes",
          "children": [
            {
              "name": "7.1.a Store information securely"
            },
            {
              "name": "7.1.b Clear communication with relying parties"
            }
          ]
        },
        {
          "name": "7.2 Reusing verified identities",
          "children": [
            {
              "name": "7.2.a Store for repeated assertion"
            },
            {
              "name": "7.2.b Show confidence levels"
            }
          ]
        },
        {
          "name": "7.3 Managing user accounts",
          "children": [
            {
              "name": "7.3.a Account management processes"
            },
            {
              "name": "7.3.b Account closure rules"
            },
            {
              "name": "7.3.c Terms violation processes"
            },
            {
              "name": "7.3.d Reverify inactive identities"
            }
          ]
        }
      ]
    },
    {
      "name": "8. Rules for orchestration providers",
      "children": [
        {
          "name": "Follow rules in Part 3"
        }
      ]
    },
    {
      "name": "9. Rules for component providers",
      "children": [
        {
          "name": "9.1 GPG Components",
          "children": [
            {
              "name": "9.1.1.a Follow identity provider rules"
            },
            {
              "name": "9.1.1.b Share failure information"
            },
            {
              "name": "9.1.2.a Demonstrate GPG 44 mapping"
            },
            {
              "name": "9.1.2.b Share quality information"
            }
          ]
        }
      ]
    },
    {
      "name": "10. Rules for all providers",
      "children": [
        {
          "name": "10.1 Inclusivity",
          "children": [
            {
              "name": "10.1.a Make service inclusive"
            },
            {
              "name": "10.1.b Comply with Equality Act"
            }
          ]
        },
        {
          "name": "10.2 Accessibility",
          "children": [
            {
              "name": "10.2.a Follow accessibility requirements"
            },
            {
              "name": "10.2.b Welsh language compliance"
            },
            {
              "name": "10.2.c Ensure service accessibility"
            }
          ]
        }
      ]
    },
    {
      "name": "11. Operational requirements",
      "children": [
        {
          "name": "11.1 Business probity",
          "children": [
            {
              "name": "11.1.a Maintain framework reputation"
            },
            {
              "name": "11.1.b Accurate certification status"
            },
            {
              "name": "11.1.c Prove legitimate entity status"
            }
          ]
        },
        {
          "name": "11.3 Staff and resources",
          "children": [
            {
              "name": "11.3.a Staff competency management"
            },
            {
              "name": "11.3.b Industry standards compliance"
            },
            {
              "name": "11.3.c Senior Responsible Officer"
            }
          ]
        },
        {
          "name": "11.6 Information security",
          "children": [
            {
              "name": "11.6.a Security management system"
            },
            {
              "name": "11.6.b CIA Triad principles"
            },
            {
              "name": "11.6.c Document security controls"
            }
          ]
        }
      ]
    },
    {
      "name": "12. Service requirements",
      "children": [
        {
          "name": "12.1 Interoperability",
          "children": [
            {
              "name": "12.1.1.a Use trust framework schema"
            },
            {
              "name": "12.1.2.a Validate message integrity"
            },
            {
              "name": "12.1.3.a Provide identification info"
            }
          ]
        },
        {
          "name": "12.3 Encryption",
          "children": [
            {
              "name": "12.3.a Meet minimum requirements"
            },
            {
              "name": "12.3.b Assess implementation risks"
            },
            {
              "name": "12.3.c Industry standard controls"
            }
          ]
        },
        {
          "name": "12.7 Privacy and data protection",
          "children": [
            {
              "name": "12.7.a Follow data protection laws"
            },
            {
              "name": "12.7.e Meet key requirements"
            }
          ]
        }
      ]
    },
    {
      "name": "13. Register of services",
      "children": [
        {
          "name": "13.1 Register presence",
          "children": [
            {
              "name": "13.1.a Comply with OfDIA checks"
            },
            {
              "name": "13.1.b Follow amendment process"
            }
          ]
        },
        {
          "name": "13.2 Withdrawal and removal",
          "children": [
            {
              "name": "13.2.a Follow withdrawal process"
            },
            {
              "name": "13.2.b Understand removal conditions"
            },
            {
              "name": "13.2.c Provider removal rules"
            }
          ]
        }
      ]
    }
  ]
}