For Discussion Purposes Only
SSI Meetup
Wednesday January 16, 2019
3-4pm ET (2100 CET)
Tim Bouma
Senior Analyst, Digital Identity
Government of Canada
Twitter: @trbouma
#GCDigitalID
Video is here
FWD50 Conference deck is here
Consultation deck is here. (pls add your comments to this doc)
Trusted Process mapping analysis here.
Github repo here (still a work in progress)
2018-12-13 1
Overview of the Proposed Pan-Canadian Trust Framework
SSIMeetup.org https://creativecommons.org/licenses/by-sa/4.0/
SSIMeetup objectives
1. Empower global SSI communities
2. Open to everyone interested in SSI
3. All content is shared with CC BY SA
Alex Preukschat @SSIMeetup @AlexPreukschat
Coordinating Node SSIMeetup.org
Government of Canada Digital Standards
A Set of Guiding Principles
Design with users
Iterate and improve frequently
Work in the open by default
Use open standards and solutions
Address security and privacy risks
Build in accessibility from the start
Empower staff to deliver better services
Be good data stewards
Design ethical services
Collaborate widely
Can I trust this digital identity?
Digital Identity
Basics of a ‘[Digital] Trust Framework’
Context (Goals, Rules, Facts)
[Digital] Representation
A tool to answer the question:
[Within a given context] what do I need to hold true to rely on ?
Digital Identity in Canada
What is it?
Trusted digital identity is an electronic equivalent of who you are as a real person,
used exclusively by you, to receive valued services and to carry out transactions with
trust and confidence.
Digital Identity confirms that ‘you are who you say you are’ in an online context.
Why does it matter?
Digital Identity is the foundation to moving more services online, where our citizens
expect to be.
Trusted Digital Identity Ecosystem
Trusted Digital Identity Ecosystem*
(*governed by the Pan-Canadian Trust Framework)
Banks, Telcos, Other
The GC vision is to build a federated, digital identity ecosystem where
trusted digital identities are used to deliver GC services in a seamless
manner on any platform, with any partner, on any device.
Enabled by the Pan-Canadian Trust Framework
The Pan-Canadian Trust Framework is a set of criteria and specifications to ensure
that all jurisdictions abide by a common, agreed-upon set of rules to trust and
accept each other’s digital identities.
Pan-Canadian Trusted Infrastructure Component: Security, Privacy, User Experience, Communications
Trusted Digital Identity: This is me!
Verified Login: Is it the same person?
Verified Person: Is it a real existing person?
Confirmation, Binding, Notice and Consent: Has the user given consent?
Goals of the Pan-Canadian Trust Framework (PCTF)
1. A simple and integrative framework that is easy to understand yet
capable of being applied in a complex environment
2. Technology-agnostic: provides flexibility and logical precision in
assessing the trustworthiness of digital identity solutions and digital
identity providers
3. Complements existing frameworks (security, privacy, service
delivery, etc.)
4. Provides clear links to applicable policy, regulation, and legislation
by defining conformance criteria that can be easily mapped
5. Normalizes (standardizes) key processes and capabilities to enable
cross-sector collaboration and ecosystem development
Consultation deck can be found here.
Trusted Digital Representations and Trusted Processes
• Currently, the PCTF is composed of:
– 3 trusted digital representations
– 24 atomic trusted processes
• Atomic trusted processes can be grouped together to form various
compound trusted processes such as:
– Identity Assurance
– Credential Assurance
– Notification and Consent
• The PCTF is extensible and interoperable:
– additional trusted processes can be added as required
– the trusted processes can be mapped to Vectors of Trust (VoT)
Foundational Identity Versus Functional Identity
All Federation Members
Provinces, Territories, Federal Immigration, First Nations, etc.
Functional Identity
Pan-Canadian Trust Framework
Foundational Identity
Public Sector
Public and Private Sector
Trusted Digital Representations
Trusted Digital Identity (Person)
Trusted Digital Identity (Organization)
Verified Relationship
The Trusted Process Model
A trusted process is an activity (or set of activities) that results in a state transition
in an object that can be relied on by other trusted processes.
Object Input State → Trusted Process → Object Output State
Conformance Criteria ensure process integrity
An output state that can be relied on as a ‘proof’ (or ‘verifiable claim’) by others
Formalizing (and standardizing) the trusted processes, the input states, the
output states, and the conformance criteria, is the essence of defining the trust
framework!
Examples of Atomic Trusted Processes (Modeled)
Credential Authentication: Issued Credential → Authenticated Credential
Identity Validation: Unconfirmed Identity Information → Confirmed Identity Information
Persist Consent: One-Time Consent → Ongoing Consent
Atomic Trusted Processes
Validate Authorization for Consent
Credential Issuance
Request Consent
Liveness Checking
Formulate Notification Requirements
Identity-Credential Binding
Identity Linking
Identity Resolution
Identity Verification
Identity Establishment
Identity Validation
Identity Maintenance
Signature
Credential Authentication
Credential Recovery
Credential Revocation
Credential Maintenance
Authentication Session Initiation
Authentication Session Termination
Credential Suspension
Persist Consent
Consent Maintenance
Review Consent
Consent Notification
The Identity Confirmation Compound Trusted Process
Identity Confirmation
Identity Validation
Identity Maintenance
Liveness and Fraud Detection
Identity Verification
Other Compound Trusted Processes
Trusted Digital Identity Creation
Identity Creation
Identity Confirmation
Identity Registration
Linking
Notification and Consent
Binding
Credential Creation
Credential Authentication
Service Enrolment
Service Registration
Compound Trusted Process: Identity Assurance
Identity Assurance
Attributed Claims
Authoritative Record
Identity Resolution
Non-Unique Identity Information
Unique Identity Information
Confirmed Identity Information
Identity Presentation
Static Presence
Active Presence
Identity Verification
Unattributed Claims
Identity-Credential Binding
Unbound Credential
Bound Credential
Identity Establishment
No Authoritative Record
Identity Validation
Unconfirmed Identity Information
Identity Linking
Unlinked Identifier
Linked Identifier
Identity Maintenance
Non-Current Identity Information
Current Identity Information
Evidence of Identity
Proof of Identity
Compound Trusted Process: Credential Assurance
Credential Assurance (Unknown Actor → Authenticated User)
Credential Revocation: Issued Credential → Revoked Credential
Credential Recovery: Inactive Credential → Issued Credential
Authentication Session Initiation: No Session → Authenticated Session
Credential Authentication: Issued Credential → Authenticated Credential
Credential Issuance: No Credential → Issued Credential
Credential Suspension: Issued Credential → Inactive Credential
Authentication Session Termination: Authenticated Session → No Session
Credential Maintenance: Inactive Credential → Issued Credential
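The trusted process model applied to the credential states listed on this slide: a replay of an event log that flags any process invoked from the wrong input state. This is an added example, not part of the deck or of any PCTF code; the event log is constructed, the function and variable names are hypothetical, and treating Credential Authentication as a proof that leaves the lifecycle state unchanged is a modelling assumption.

```python
# Added example: replays a log of trusted-process events against the
# input/output states listed on the Credential Assurance slide.

# process -> (required input state, output state), taken from the slide.
LIFECYCLE = {
    "Credential Issuance": ("No Credential", "Issued Credential"),
    "Credential Suspension": ("Issued Credential", "Inactive Credential"),
    "Credential Recovery": ("Inactive Credential", "Issued Credential"),
    "Credential Revocation": ("Issued Credential", "Revoked Credential"),
}

# Assumption for this example: authentication yields a proof
# ("Authenticated Credential") but does not change the lifecycle state.
PROOF_ONLY = {
    "Credential Authentication": ("Issued Credential", "Authenticated Credential"),
}

# Constructed event log: (credential id, trusted process), oldest first.
SAMPLE_EVENTS = [
    ("cred-A", "Credential Issuance"),
    ("cred-A", "Credential Authentication"),
    ("cred-A", "Credential Suspension"),
    ("cred-A", "Credential Authentication"),   # suspended credential
    ("cred-A", "Credential Recovery"),
    ("cred-A", "Credential Revocation"),
    ("cred-A", "Credential Authentication"),   # revoked credential
    ("cred-B", "Credential Authentication"),   # never issued
    ("cred-A", "Credential Recovery"),         # recovery after revocation
]


def replay(events):
    """Replay events and return (states, proofs, violations).

    states     -- final lifecycle state per credential id
    proofs     -- (seq, credential, process, output state) for each
                  transition whose input state matched
    violations -- (seq, credential, process, reason) for each event that
                  was attempted from the wrong input state
    """
    states = {}
    proofs = []
    violations = []
    for seq, (cred, process) in enumerate(events, start=1):
        current = states.get(cred, "No Credential")
        spec = LIFECYCLE.get(process) or PROOF_ONLY.get(process)
        if spec is None:
            violations.append((seq, cred, process, "unknown trusted process"))
            continue
        required, output = spec
        if current != required:
            reason = f"requires {required!r}, credential is {current!r}"
            violations.append((seq, cred, process, reason))
            continue
        # The output state is the proof other processes can rely on.
        proofs.append((seq, cred, process, output))
        if process in LIFECYCLE:
            states[cred] = output
    return states, proofs, violations


if __name__ == "__main__":
    final_states, issued_proofs, found = replay(SAMPLE_EVENTS)
    for seq, cred, process, reason in found:
        print(f"event {seq}: {cred} {process}: {reason}")
    print(final_states)
```
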
Compound Trusted Process: Notification and Consent
Notification and Consent (Implicit Consent → Active Informed Consent)
Review Consent: Consent → Reviewed Consent
Persist Consent: One-Time Consent → Ongoing Consent
Consent Notification: No Notification → Notification Issued
Formulate Notification Requirements: No Notice → Notice Provided
Validate Authorization for Consent: Presumed Authorization → Validated Authorization
Request Consent: No Consent → Consent
Consent Maintenance: Consent → Updated Consent
Trusted Digital Identity (Person)
Identity Assurance
Credential Assurance
Notification and Consent
Trusted Supporting Infrastructure (see detail on later slide)
A trusted digital identity can be conceptualized as a set of trusted process outputs (or proofs) that are independent of conveyance method.
Depending on the ecosystem, some of these trusted processes may be carried out by multiple parties at different points in time.
Trusted Digital Identity (Person) – a set of trusted process outputs
Liveness and Fraud Checked
Attributed Claims
Issued Credential
Authoritative Record
Unique Identity Information
Confirmed Identity Information
Current Identity Information
Authenticated Session
Authenticated Credential
Consent
Validated Authorization
Notice Provided
Ongoing Consent
Updated Consent
Reviewed Consent
Notification Issued
Bound Credential
Columns: No.; Trusted Process; LOA/VoT Requirement; Trusted Digital Identity Provider; Credential Service Provider; Relying Party
1 Identity Resolution … Province/Territory Federal service
2 Identity Establishment 3 Province/Territory Federal service
3 Identity Validation 3 Province/Territory
4 Identity Verification 3 Province/Territory Federal service
5 Identity Maintenance 3 Province/Territory Federal service
6 Liveness and Fraud Detection … Province/Territory Federal service
7 Identity-Credential Binding … Province/Territory
8 Identity Linking … Federal service
9 Credential Issuance 2 Province/Territory
10 Credential Authentication 2 Province/Territory
11 Credential Suspension 2 Province/Territory
12 Credential Recovery 2 Province/Territory
13 Credential Maintenance 2 Province/Territory
14 Credential Revocation 2 Province/Territory
15 Authentication Session Initiation 2 Province/Territory
16 Authentication Session Termination 2 Province/Territory
17 Validate Authorization for Consent … Province/Territory Federal service
18 Formulate Notification Requirements … Province/Territory Federal service
19 Request Consent … Province/Territory Federal service
20 Persist Consent … Province/Territory Federal service
21 Consent Maintenance … Province/Territory Federal service
22 Review Consent … Province/Territory Federal service
23 Consent Notification … Province/Territory Federal service
24 Signature ...
Trusted Processes can be carried out by multiple parties
(e.g., a Provincial/Territorial Trusted Digital Identity being consumed by a Federal service)
Trusted Digital Identity Provider
Trusted Digital Identity Creation
Credential Creation
❑ Credential Issuance
Identity Creation
❑ Identity Resolution
❑ Identity Establishment
In scope for the PCTF assessment process
Identity Assurance (Identity Proofing)
Identity Registration
Notification and Consent
❑ Validate Authorization for Consent
❑ Formulate Notification Requirements
❑ Request Consent
❑ Persist Consent
❑ Consent Maintenance
❑ Review Consent
❑ Consent Notification
Identity Confirmation
❑ Identity Validation
❑ Identity Maintenance
❑ Liveness and Fraud Detection
❑ Identity Verification
Trusted Supporting Infrastructure
Binding
❑ Identity-Credential Binding
Credential Authentication
❑ Credential Authentication
❑ Credential Suspension
❑ Credential Recovery
❑ Credential Maintenance
❑ Credential Revocation
❑ Authentication Session Initiation
❑ Authentication Session Termination
Relying Party
Service Enrolment (without a Trusted Digital Identity)
Credential Creation
❑ Credential Issuance
Identity Creation
❑ Identity Resolution
❑ Identity Establishment
Identity Registration
Notification and Consent
❑ Validate Authorization for Consent
❑ Formulate Notification Requirements
❑ Request Consent
❑ Persist Consent
❑ Consent Maintenance
❑ Review Consent
❑ Consent Notification
Identity Confirmation
❑ Identity Validation
❑ Identity Maintenance
❑ Liveness and Fraud Detection
❑ Identity Verification
Trusted Supporting Infrastructure
Binding
❑ Identity-Credential Binding
Credential Authentication
❑ Credential Authentication
❑ Credential Suspension
❑ Credential Recovery
❑ Credential Maintenance
❑ Credential Revocation
❑ Authentication Session Initiation
❑ Authentication Session Termination
Identity Assurance (Identity Proofing)
Relying Party
Service Enrolment (with a Trusted Digital Identity)
Identity Creation
❑ Identity Resolution
❑ Identity Establishment
Service Registration
Notification and Consent
❑ Validate Authorization for Consent
❑ Formulate Notification Requirements
❑ Request Consent
❑ Persist Consent
❑ Consent Maintenance
❑ Review Consent
❑ Consent Notification
Identity Confirmation
❑ Identity Maintenance
❑ Liveness and Fraud Detection
❑ Identity Verification
Trusted Supporting Infrastructure
Linking
❑ Identity Linking
Identity Assurance (Identity Proofing)
Trusted Supporting Infrastructure
Digital Service Delivery
Privacy and Security
Audit and Logging
Federation Interoperability - Standards and Specifications
PCTF Endorsements
Service Authorization and Access
Auditing
Logging
Security Assessment and Authorization
Privacy Impact Assessment
Pan-Canadian Endorsement
Jurisdictional Endorsement
Technical (e.g., SAML, OIDC)
Business (e.g., PCIM Standards)
Communications
User Needs and Experience
Service Level Agreements
Resource Management
Access Control
Service Authorization
Relying Parties only
All Federation Members
Trusted Processes and Conveyance
Trusted process outputs (i.e., proofs) are independent of conveyance model. The proofs (output states) can be conveyed using a traditional/centralized model (e.g., a trusted third party) or a decentralized model (e.g., a distributed ledger, a blockchain) – or both.
Conveying proofs between parties
Traditional/Centralized Model: Party A (Input State → Trusted Process → Output State), Trusted Third Party, Party B (Input State → Trusted Process → Output State)
Decentralized Model: Party A (Input State → Trusted Process → Output State), Distributed Ledger; Blockchain, Party B (Input State → Trusted Process → Output State)
W3C Verifiable Credentials Ecosystem
Issuer, Holder, Verifier
Issues Credential
Presents Credential
Decentralized Identifiers (DIDs)
Public Blockchain or other Decentralized Network
Signs Credential
Countersigns Credential
Verifies Signatures
Wallet
Layer One: Public Blockchains
Config, Pool, Main, Payment
Layer Two: Agent-to-Agent Protocol
Agent + Wallet, Connection, External, Internal, Agent + Wallet
Layer Three: Credential Exchange
Issuer, Holder, Verifier, Trust, Verifiable Credential, ✔ Proof
Layer Four: Governance Frameworks
Trust Anchor, Credential Registry, Governance Authority, Auditor, Auditor, Accreditor
Cryptographic Trust + Human Trust
Vectors of Trust
• A proposed IETF standard (RFC 8485, October 2018)
• Currently, the Standard consists of 4 components:
– Identity Proofing (P): describes how likely it is that a given digital
identity transaction corresponds to a particular, real-world identity
subject
– Primary Credential Usage (C): defines how strongly the primary
credential can be verified by the TDIP
– Primary Credential Management (M): conveys information about
the expected lifecycle of the primary credential in use, including its
binding, rotation, and revocation
– Assertion Presentation (A): defines how well the TDI can be
communicated across the network without information leaking to
unintended parties and without spoofing
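A validator for the vector string that carries these four components, following the RFC 8485 wire format (period-separated components, each an uppercase category letter plus a single digit or lowercase letter). This is an added example, not part of the deck or the PCTF; the sample vectors are constructed and the function names are hypothetical.

```python
import re

# Wire format from RFC 8485: components separated by ".", each one an
# uppercase category letter followed by a single digit or lowercase letter.
COMPONENT = re.compile(r"[A-Z][0-9a-z]")

# The four categories named on the slide.
SLIDE_CATEGORIES = {
    "P": "Identity Proofing",
    "C": "Primary Credential Usage",
    "M": "Primary Credential Management",
    "A": "Assertion Presentation",
}


class VectorError(ValueError):
    """Raised when a vector string is malformed."""


def parse_vot(vector):
    """Return {category: [values]} for a vector string, or raise VectorError."""
    if not isinstance(vector, str) or not vector:
        raise VectorError("vector must be a non-empty string")
    parsed = {}
    seen = set()
    for part in vector.split("."):
        if not COMPONENT.fullmatch(part):
            # Catches holes ("P1..Cc"), whitespace and multi-character values.
            raise VectorError(f"malformed component {part!r}")
        if part in seen:
            # A category may repeat ("Cc.Cd"); a specific value may not ("Cc.Cc").
            raise VectorError(f"component {part!r} repeated")
        seen.add(part)
        parsed.setdefault(part[0], []).append(part[1])
    return parsed


def is_valid(vector):
    """True when the vector parses, False otherwise."""
    try:
        parse_vot(vector)
    except VectorError:
        return False
    return True


def describe(vector):
    """One readable line per category; categories not on the slide are flagged."""
    lines = []
    for category, values in parse_vot(vector).items():
        name = SLIDE_CATEGORIES.get(category, "category not listed on the slide")
        lines.append(f"{category} ({name}): {', '.join(values)}")
    return lines


# Constructed sample vectors, valid and invalid.
SAMPLES = ["P1.Cc.Ab", "P2.Cc.Cd.Ma", "P1..Cc", "Cc.Cc", "P12", "p1"]

if __name__ == "__main__":
    for sample in SAMPLES:
        if is_valid(sample):
            print(sample, "->", "; ".join(describe(sample)))
        else:
            print(sample, "-> rejected")
```
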
Using an Associative Entity
Internal and External Many-to-Many Relationships
Entities and Relationships
Person Organization
0:n 0:n
0:n
Person Relationship Organization
0:n 0:n
www.IdentityBook.info
Tim Bouma: The meaning of trust and identity
@IdentityBookHQ
Twitter: @trbouma
GitHub: https://canada-ca.github.io/PCTF-CCP/

Overview of the Proposed PanCanadian Trust Framework for SSI - Tim Bouma
