Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

The Pan-Canadian Trust Framework (PCTF) for SSI


Published on
We are very proud to release a special webinar to introduce the next chapter of the “Self-Sovereign Identity Book” from two of the most eminent authorities on digital identity in government: Tim Bouma and Dave Roberts, senior public servants with the Government of Canada and major contributors to the Pan-Canadian Trust Framework (PCTF).

In this chapter, Tim and Dave explain the PCTF model and how it maps to the SSI model and the Trust over IP (ToIP) stack.

This webinar describes how a world leader in digital identity (which Canada has been for two decades) sees the opportunity in the new decentralized identity model represented by SSI (Self-Sovereign Identity).

Published in: Internet
  • Be the first to comment

  • Be the first to like this

The Pan-Canadian Trust Framework (PCTF) for SSI

  1. 1. The Pan-Canadian Trust Framework (PCTF) for Self-Sovereign Identity (SSI) special SSIMeetup.org Tim Bouma Senior Advisor, Digital Identity Government of Canada Dave Roberts Senior Consultant, Digital Identity Government of Canada
  2. 2. 1. Empower global SSI communities 2. Open to everyone interested in SSI 3. All content is shared with CC BY SA Alex Preukschat @SSIMeetup @AlexPreukschat Coordinating Node SSIMeetup objectives 08 June 2020
  3. 3. and Released under a Creative Commons license. (CC BY-SA 4.0).
  4. 4. Canada: Enabling Self-Sovereign Identity Identity is at the core of most government business processes and is the starting point for trust and confidence in interactions between people and their government.
  5. 5. The Canadian Approach and Policy Framework ● Adoption of the self-sovereign identity model within the Canadian public sector is still being realized in 2020. ● It is too early to tell how it will change the technological infrastructure or the institutional infrastructure of Canadian public services. ● This has not been an overnight process but rather, a deliberate, phased, and incremental approach over the past decade. ● Government of Canada policy outcomes for identity management, developed long before the emergence of self-sovereign identity, are general enough to enable the adoption of SSI.
  6. 6. The Pan-Canadian Trust Framework The PCTF, in its most current version, supports the acceptance and mutual recognition of: ● Digital identities of persons and organizations; and ● Digital relationships between persons, between organizations, and between persons and organizations. The PCTF is technology-agnostic and is defined in a way that encourages innovation and participation in the digital ecosystem. It allows for the interoperability of different platforms, services, architectures, and technologies. It will facilitate the transition from legacy identity technologies to SSI within the public sector.
  7. 7. PCTF Public Sector Profile: Key Milestones and Next Steps 1. Pan-Canadian Trust Framework Consultation Draft Version 1.1 • PCTF Working Group Consultation Draft was finalized on June 2, 2020 • Posted on GitHub for broader consultation and review (June 2020 to ?) • Re-starting PCTF WG Weekly Series • Focus on Thematic Issues (e.g., Digital Relationships, Informed Consent, Unregistered Organizations) 2. PCTF Assessment Worksheet • Consolidation all Conformance Criteria for each atomic process (400+ in total) • Integration of Organization Conformance Criteria (may be a separate worksheet) • Continued refinement and validation of Conformance Criteria 3. PCTF Assessment and Mutual Recognition • Continued iteration of PTCF assessment processes into a a formalized program. • Exploring alignment with other frameworks (eIDAS, Digital Nations, etc.) SSIMeetup.org
  8. 8. The PCTF Model ● A Normative Core component that encapsulates the key concepts of the PCTF; ● A Mutual Recognition component that outlines the current methodology that is used to assess and certify actors in the digital ecosystem; ● A Supporting Infrastructure component that describes the set of operational and technical policies, rules, and standards that serve as the primary enablers of a digital ecosystem; and ● A Digital Ecosystem Roles and Information Flows component that defines the roles and information flows within the digital ecosystem.
  9. 9. PCTF Identity Domains ● A Foundational Identity is an identity that has been established or changed as a result of a foundational event (e.g., birth, person legal name change, immigration, legal residency, naturalized citizenship, death, organization legal name registration, organization legal name change, or bankruptcy). o The Vital Statistics Organizations (VSOs) of the Provinces and Territories; o The Business Registries of the Provinces and Territories; o Immigration, Refugees, and Citizenship Canada (IRCC); and o The Federal Corporate Registry of Corporations Canada. ● A Contextual Identity is an identity that is used for a specific purpose within a specific identity context (e.g., banking, business permits, health services, drivers licensing, or social media). Depending on the identity context, a contextual identity may be tied to a foundational identity (e.g., a drivers licence) or may not be tied to a foundational identity (e.g., a social media profile).
  10. 10. PCTF Digital Representations Currently, the PCTF recognizes two types of digital representations: ● Digital Identity: An electronic representation of an entity, used exclusively by that same entity, to access valued services and to carry out transactions with trust and confidence. ● Digital Relationship: An electronic representation of the relationship of one entity to another entity. As the PCTF evolves these digital representations will be extended to include other types of entities such as digital assets and smart contracts. It is also anticipated that in the future the PCTF will be used to facilitate the mutual recognition of digital representations between countries.
  11. 11. PCTF Atomic Process Model ● Atomic processes are crucial building blocks to ensuring the overall integrity of the digital identity supply chain and therefore, the integrity of digital services. ● Atomic processes have been defined in a way that they can be implemented as modular services and be separately assessed for certification. ● Once an atomic process has been certified, it can be relied on or “trusted” and integrated into other digital ecosystem platforms. ● This digital ecosystem is intended to interoperate seamlessly across different organizations, sectors, and jurisdictions, and to be interoperable with other trust frameworks.
  12. 12. Examples of PCTF Atomic Processes PCTF Assessment Worksheet
  13. 13. PCTF Dependencies The PCTF model recognizes two types of dependencies: ● The first type is those dependencies that exist between atomic processes. Although each atomic process is functionally discrete, to produce an acceptable output an atomic process may require the successful prior execution of another atomic process. ○ For example, although Identity Establishment of a person or organization can be performed independently at any time, it is logically correct to do so only after Identity Resolution for that person or organization has been achieved. ● The second type is dependencies on external organizations for the provision of atomic process outputs ○ Examples include: a commercial service provider or a credential authentication service.
  14. 14. Supporting Infrastructure
  15. 15. Conveyance of Process Output States
  16. 16. Digital Ecosystem and Information Flows ● The model makes no assumption on any asymmetric power relationship between parties. ● Anyone can be subjects, issuers, holders, and verifiers, using many different methods. ● The digital ecosystem roles can be carried out by many different entities who perform specific roles under a variety of labels.
  17. 17. Methods ● Methods encompass the sets of rules that govern such things as data models, communications protocols, cryptographic algorithms, databases, distributed ledgers, verifiable data registries, and similar schemes; and combinations of these. ● Methods also include systems that are isolated or have intermittent connectivity. Within the context of the digital ecosystem, Methods enable actors to interact directly or indirectly with one another without either party being bound to a particular solution or technology.
  18. 18. Mapping to Existing Roles Role Examples Issuer Authoritative Party, Identity Assurance Provider, Identity Proofing Service Provider, Identity Provider, Credential Assurance Provider, Credential Provider, Authenticator Provider, Credential Service Provider, Digital Identity Provider, Delegated Service Provider Subject Person, Organization, Device Holder Digital Identity Owner, Card Holder Verifier Relying Party, Authentication Service Provider, Digital Identity Consumer, Delegated Service Provider Methods Infrastructure Provider, Network Operator
  19. 19. Mapping to Emerging Technology Stacks Trust over IP Stack PCTF Model Layer 4: Governance Frameworks Normative Core Mutual Recognition Layer 3: Credential Exchange Digital Ecosystem Roles Layer 2: DIDComm Supporting Infrastructure Layer 1: DID Registries
  20. 20. Federal Digital ID Directives ● TB Directive on Identity Management Standards ● Standard on Identity and Credential Assurance Policies ● TB Policy on Government Security Legislation ● Financial Administration Act Public Sector Profile Pan-Canadian Trust Framework Guidelines and Technical Standards ● Guideline of Identity Assurance, Authentication Requirements ● CATS, ITSP.030.31 Conformance Criteria Assessment and Approval Prov/Terr Digital ID Directives Standards Policies Guidelines and Technical Standards Conformance Criteria Legislation For discussion purposes only National / International Standards (national in scope with potential for international) Legislation , Agreements, Treaties, etc. (e.g. ISO, OECD, WEF, World Bank, etc.) National / International Digital ID Assessment and Approval Focus: Program Integrity ● Public Interest: specialized to needs of Public Sector to ensure trust and confidence. ● Has been tested and revised based on AB and BC assessments ● Version 1.1 now available Focus: Products & Services ● Private Sector-driven: goal is to encourage standardized commercial products and services. ● Remains to be tested ● Version 1.0 pending. DIACC Pan-Canadian Trust Framework Other Trust Frameworks EIDAS (EU) TDIF (Australia) Kantara ● There are multiple international and industry specific trust frameworks ● Participating in Digital Nations Thematic Group on Digital Identity Alignment Assessment
  21. 21. PCTF Public Sector Profile Assessments: Conducted to Date Province of Alberta • April-August 2018 Initial Assessment • September 2018: Letter of Acceptance Issued • August 2019: Go-Live on My Service Canada Account Province of British Columbia • August-December 2019 Initial Assessment • Q1 2020: Letter of Acceptance Issued (Jan 2020) • Q1 2020: Go-Live on My CRA Login (Feb 2020) My Service Canada Account (Est.) Rest of Canada • 2020-202X (Est.) SSIMeetup.org
  22. 22. Public Sector Profile of the PCTF: Lessons Learned So Far 1. Requires collaborative team effort with experts on the ground. • Kick-off involved in-person visit to i) gain direct knowledge of program and ii) establish close working relationship between team members. • Regular calls (and videoconferencing) between teams. • Gathered and compiled evidence using conformance criteria templates submitted for assessment. • Assessment is a discrete work stream, however tightly coupled to other work streams (technical integration, MOU, agreements etc.) • Engage legal counsel early in the process, as there will be implications for agreements and authorities. 2. Assessment process is iterative and continuously improving. • Applying best practices from other frameworks (e.g., security assessment and authorization) • Development of master spreadsheet to assess evidence against conformance criteria with traceability to policy requirements. • Evidence collected in separate documents and filed for subsequent analysis, review and audit. Final review results in a Letter of Acceptance. 3. Next Steps: PCTF is evolving for fit and purpose (we are defining the ‘state of the art’) • Continue to clarify distinction of responsibilities between departments and jurisdictions. Identifying dependencies with processes in existing programs (e.g. vital statistics, motor vehicle licensing) and other jurisdictions (e.g., federal immigration). • Maintain focus of PCTF as a business process integrity framework that complements (not replaces) existing technical interoperability standards and frameworks (e.g., SAML, Open ID Connect, Verifiable Credentials). PCTF also complements existing assessment processes or agreements (e.g., Privacy Impact Assessment, Security Assessment and Authorization, SOC2 Trust Principles). • Ensure PCTF is alignment with global frameworks, World Bank, European Union, Financial Action Task Force (customer due diligence) SSIMeetup.org
  23. 23. More Info: Public Sector Profile of the PCTF is available on GitHub: Open Government Licence - Canada: Twitter (Tim Bouma): @trbouma SSIMeetup.org
  24. 24. and Released under a Creative Commons license. (CC BY-SA 4.0).
  25. 25. 25 @IdentityBookHQ SSIMeetup.org