The Pan-Canadian Trust Framework (PCTF) for Self-Sovereign Identity (SSI)

IdentityBook.info special

https://creativecommons.org/licenses/by-sa/4.0/

twitter.com/IdentityBookHQ

SSIMeetup.org

Tim Bouma�Senior Advisor, Digital Identity

Government of Canada

Dave Roberts�Senior Consultant, Digital Identity

Government of Canada

• Empower global SSI communities
• Open to everyone interested in SSI
• All content is shared with CC BY SA

SSIMeetup objectives

Alex Preukschat @SSIMeetup @AlexPreukschat

Coordinating Node SSIMeetup.org

​

https://creativecommons.org/licenses/by-sa/4.0/

08 June 2020

SSIMeetup.org

https://www.manning.com/books/self-sovereign-identity and IdentiyBook.info

Released under a Creative Commons license. (CC BY-SA 4.0).

SSIMeetup.org

Canada: Enabling Self-Sovereign Identity

https://creativecommons.org/licenses/by-sa/4.0/

Identity is at the core of most government business processes and is the starting point for trust and confidence in interactions between people and their government.

SSIMeetup.org

The Canadian Approach and Policy Framework

​

https://creativecommons.org/licenses/by-sa/4.0/

• Adoption of the self-sovereign identity model within the Canadian public sector is still being realized in 2020.
• It is too early to tell how it will change the technological infrastructure or the institutional infrastructure of Canadian public services.
• This has not been an overnight process but rather, a deliberate, phased, and incremental approach over the past decade.
• Government of Canada policy outcomes for identity management, developed long before the emergence of self-sovereign identity, are general enough to enable the adoption of SSI.

SSIMeetup.org

The Pan-Canadian Trust Framework

https://creativecommons.org/licenses/by-sa/4.0/

The PCTF, in its most current version, supports the acceptance and mutual recognition of:

• Digital identities of persons and organizations; and
• Digital relationships between persons, between organizations, and between persons and organizations.

The PCTF is technology-agnostic and is defined in a way that encourages innovation and participation in the digital ecosystem. It allows for the interoperability of different platforms, services, architectures, and technologies. It will facilitate the transition from legacy identity technologies to SSI within the public sector.

SSIMeetup.org

PCTF Public Sector Profile: Key Milestones and Next Steps

https://creativecommons.org/licenses/by-sa/4.0/

• Pan-Canadian Trust Framework Consultation Draft Version 1.1
• PCTF Working Group Consultation Draft was finalized on June 2, 2020
• Posted on GitHub for broader consultation and review (June 2020 to ?)
• Re-starting PCTF WG Weekly Series
• Focus on Thematic Issues (e.g., Digital Relationships, Informed Consent, Unregistered Organizations)
• PCTF Assessment Worksheet
• Consolidation all Conformance Criteria for each atomic process (400+ in total)
• Integration of Organization Conformance Criteria (may be a separate worksheet)
• Continued refinement and validation of Conformance Criteria�
• PCTF Assessment and Mutual Recognition
• Continued iteration of PTCF assessment processes into a a formalized program.
• Exploring alignment with other frameworks (eIDAS, Digital Nations, etc.)

​

​

​

​

​

​

​

​

SSIMeetup.org

The PCTF Model

https://creativecommons.org/licenses/by-sa/4.0/

• A Normative Core component that encapsulates the key concepts of the PCTF;�
• A Mutual Recognition component that outlines the current methodology that is used to assess and certify actors in the digital ecosystem;�
• A Supporting Infrastructure component that describes the set of operational and technical policies, rules, and standards that serve as the primary enablers of a digital ecosystem; and�
• A Digital Ecosystem Roles and Information Flows component that defines the roles and information flows within the digital ecosystem.

​

SSIMeetup.org

PCTF Identity Domains

https://creativecommons.org/licenses/by-sa/4.0/

• A Foundational Identity is an identity that has been established or changed as a result of a foundational event (e.g., birth, person legal name change, immigration, legal residency, naturalized citizenship, death, organization legal name registration, organization legal name change, or bankruptcy).
• The Vital Statistics Organizations (VSOs) of the Provinces and Territories;
• The Business Registries of the Provinces and Territories;
• Immigration, Refugees, and Citizenship Canada (IRCC); and
• The Federal Corporate Registry of Corporations Canada.�
• A Contextual Identity is an identity that is used for a specific purpose within a specific identity context (e.g., banking, business permits, health services, drivers licensing, or social media). Depending on the identity context, a contextual identity may be tied to a foundational identity (e.g., a drivers licence) or may not be tied to a foundational identity (e.g., a social media profile).

SSIMeetup.org

PCTF Digital Representations

https://creativecommons.org/licenses/by-sa/4.0/

Currently, the PCTF recognizes two types of digital representations:

• Digital Identity: An electronic representation of an entity, used exclusively by that same entity, to access valued services and to carry out transactions with trust and confidence.
• Digital Relationship: An electronic representation of the relationship of one entity to another entity.

As the PCTF evolves these digital representations will be extended to include other types of entities such as digital assets and smart contracts. It is also anticipated that in the future the PCTF will be used to facilitate the mutual recognition of digital representations between countries.

​

SSIMeetup.org

PCTF Atomic Process Model

https://creativecommons.org/licenses/by-sa/4.0/

• Atomic processes are crucial building blocks to ensuring the overall integrity of the digital identity supply chain and therefore, the integrity of digital services.
• Atomic processes have been defined in a way that they can be implemented as modular services and be separately assessed for certification. �
• Once an atomic process has been certified, it can be relied on or “trusted” and integrated into other digital ecosystem platforms. �
• This digital ecosystem is intended to interoperate seamlessly across different organizations, sectors, and jurisdictions, and to be interoperable with other trust frameworks.

SSIMeetup.org

Examples of PCTF Atomic Processes

https://creativecommons.org/licenses/by-sa/4.0/

PCTF Assessment Worksheet

SSIMeetup.org

PCTF Dependencies

https://creativecommons.org/licenses/by-sa/4.0/

The PCTF model recognizes two types of dependencies:

• The first type is those dependencies that exist between atomic processes. Although each atomic process is functionally discrete, to produce an acceptable output an atomic process may require the successful prior execution of another atomic process.
• For example, although Identity Establishment of a person or organization can be performed independently at any time, it is logically correct to do so only after Identity Resolution for that person or organization has been achieved.�
• The second type is dependencies on external organizations for the provision of atomic process outputs
• Examples include: a commercial service provider or a credential authentication service.

SSIMeetup.org

Supporting Infrastructure

https://creativecommons.org/licenses/by-sa/4.0/

SSIMeetup.org

Conveyance of Process Output States

https://creativecommons.org/licenses/by-sa/4.0/

SSIMeetup.org

Digital Ecosystem and Information Flows

https://creativecommons.org/licenses/by-sa/4.0/

• The model makes no assumption on any asymmetric power relationship between parties.�
• Anyone can be subjects, issuers, holders, and verifiers, using many different methods. �
• The digital ecosystem roles can be carried out by many different entities who perform specific roles under a variety of labels.

SSIMeetup.org

Methods

https://creativecommons.org/licenses/by-sa/4.0/

• Methods encompass the sets of rules that govern such things as data models, communications protocols, cryptographic algorithms, databases, distributed ledgers, verifiable data registries, and similar schemes; and combinations of these. �
• Methods also include systems that are isolated or have intermittent connectivity. Within the context of the digital ecosystem, Methods enable actors to interact directly or indirectly with one another without either party being bound to a particular solution or technology.

​

SSIMeetup.org

Mapping to Existing Roles

https://creativecommons.org/licenses/by-sa/4.0/

SSIMeetup.org

Mapping to Emerging Technology Stacks

https://creativecommons.org/licenses/by-sa/4.0/

19

2020-03-05

SSIMeetup.org

Federal Digital ID

Directives

• TB Directive on Identity Management

Standards

• Standard on Identity and Credential Assurance

Policies

• TB Policy on Government Security

Legislation

• Financial Administration Act

Public Sector Profile

Pan-Canadian Trust Framework

​

Guidelines and Technical Standards

• Guideline of Identity Assurance, Authentication Requirements
• CATS, ITSP.030.31

Conformance Criteria

Assessment and Approval

Prov/Terr Digital ID

Directives

Standards

Policies

Guidelines and Technical Standards

​

Conformance Criteria

Legislation

For discussion purposes only

National / International Standards

(national in scope with potential for international)

Legislation , Agreements, Treaties, etc.

(e.g. ISO, OECD, WEF, World Bank, etc.)

National / International Digital ID

Assessment and Approval

Focus: Program Integrity

• Public Interest: specialized to needs of Public Sector to ensure trust and confidence.
• Has been tested and revised based on AB and BC assessments
• Version 1.1 now available

Focus: Products & Services

• Private Sector-driven: goal is to encourage standardized commercial products and services.
• Remains to be tested
• Version 1.0 pending.

DIACC

Pan-Canadian Trust Framework

​

Other Trust Frameworks

EIDAS (EU)

​

TDIF (Australia)

Kantara

• There are multiple international and industry specific trust frameworks
• Participating in Digital Nations Thematic Group on Digital Identity

Alignment

Assessment

PCTF Public Sector Profile Assessments: Conducted to Date

https://creativecommons.org/licenses/by-sa/4.0/

Province of Alberta

• April-August 2018 Initial Assessment
• September 2018: Letter of Acceptance Issued
• August 2019: Go-Live on My Service Canada Account

Province of British Columbia

• August-December 2019 Initial Assessment
• Q1 2020: Letter of Acceptance Issued (Jan 2020)
• Q1 2020: Go-Live on My CRA Login (Feb 2020) My Service Canada Account (Est.)

Rest of Canada

• 2020-202X (Est.)

SSIMeetup.org

Public Sector Profile of the PCTF: Lessons Learned So Far

https://creativecommons.org/licenses/by-sa/4.0/

• Requires collaborative team effort with experts on the ground.
• Kick-off involved in-person visit to i) gain direct knowledge of program and ii) establish close working relationship between team members.
• Regular calls (and videoconferencing) between teams.
• Gathered and compiled evidence using conformance criteria templates submitted for assessment.
• Assessment is a discrete work stream, however tightly coupled to other work streams (technical integration, MOU, agreements etc.)
• Engage legal counsel early in the process, as there will be implications for agreements and authorities.
• Assessment process is iterative and continuously improving.
• Applying best practices from other frameworks (e.g., security assessment and authorization)
• Development of master spreadsheet to assess evidence against conformance criteria with traceability to policy requirements.
• Evidence collected in separate documents and filed for subsequent analysis, review and audit. Final review results in a Letter of Acceptance.
• Next Steps: PCTF is evolving for fit and purpose (we are defining the ‘state of the art’)
• Continue to clarify distinction of responsibilities between departments and jurisdictions. Identifying dependencies with processes in existing programs (e.g. vital statistics, motor vehicle licensing) and other jurisdictions (e.g., federal immigration).
• Maintain focus of PCTF as a business process integrity framework that complements (not replaces) existing technical interoperability standards and frameworks (e.g., SAML, Open ID Connect, Verifiable Credentials). PCTF also complements existing assessment processes or agreements (e.g., Privacy Impact Assessment, Security Assessment and Authorization, SOC2 Trust Principles).
• Ensure PCTF is alignment with global frameworks, World Bank, European Union, Financial Action Task Force (customer due diligence)

​

​

​

​

​

SSIMeetup.org

More Info:

https://creativecommons.org/licenses/by-sa/4.0/

Public Sector Profile of the PCTF is available on GitHub:

https://canada-ca.github.io/PCTF-CCP/

Open Government Licence - Canada:

https://open.canada.ca/en/open-government-licence-canada

Twitter (Tim Bouma):

@trbouma

SSIMeetup.org

https://www.manning.com/books/self-sovereign-identity and IdentityBook.info

Released under a Creative Commons license. (CC BY-SA 4.0).

SSIMeetup.org

https://creativecommons.org/licenses/by-sa/4.0/

25

www.IdentityBook.info

​

​

​

​

​

​

@IdentityBookHQ

SSIMeetup.org