https://ssimeetup.org/pan-canadian-trust-framework-pctf-ssi-tim-bouma-webinar-59/
We are very proud to release a special webinar to introduce the next chapter of the “Self-Sovereign Identity Book” from two of the most eminent authorities on digital identity in government: Tim Bouma and Dave Roberts, senior public servants with the Government of Canada and major contributors to the Pan-Canadian Trust Framework (PCTF).
In this chapter, Tim and Dave explain the PCTF model and how it maps to the SSI model and the Trust over IP (ToIP) stack.
This webinar describes how a world leader in digital identity (which Canada has been for two decades) sees the opportunity in the new decentralized identity model represented by SSI (Self-Sovereign Identity).
1. The Pan-Canadian Trust Framework
(PCTF) for Self-Sovereign Identity (SSI)
IdentityBook.info special
twitter.com/IdentityBookHQ
SSIMeetup.orghttps://creativecommons.org/licenses/by-sa/4.0/
Tim Bouma
Senior Advisor, Digital Identity
Government of Canada
Dave Roberts
Senior Consultant, Digital Identity
Government of Canada
2. 1. Empower global SSI communities
2. Open to everyone interested in SSI
3. All content is shared with CC BY SA
SSIMeetup.org
Alex Preukschat @SSIMeetup @AlexPreukschat
Coordinating Node SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
SSIMeetup objectives
08 June 2020
4. Canada: Enabling Self-Sovereign Identity
Identity is at the core of most government business processes and is the starting
point for trust and confidence in interactions between people and their
government.
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
5. The Canadian Approach and Policy Framework
● Adoption of the self-sovereign identity model within the Canadian public sector
is still being realized in 2020.
● It is too early to tell how it will change the technological infrastructure or the
institutional infrastructure of Canadian public services.
● This has not been an overnight process but rather, a deliberate, phased, and
incremental approach over the past decade.
● Government of Canada policy outcomes for identity management, developed
long before the emergence of self-sovereign identity, are general enough to
enable the adoption of SSI.
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
6. The Pan-Canadian Trust Framework
The PCTF, in its most current version, supports the acceptance and mutual
recognition of:
● Digital identities of persons and organizations; and
● Digital relationships between persons, between organizations, and between
persons and organizations.
The PCTF is technology-agnostic and is defined in a way that encourages
innovation and participation in the digital ecosystem. It allows for the
interoperability of different platforms, services, architectures, and technologies. It
will facilitate the transition from legacy identity technologies to SSI within the
public sector.
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
7. PCTF Public Sector Profile: Key Milestones and Next Steps
1. Pan-Canadian Trust Framework Consultation Draft Version 1.1
• PCTF Working Group Consultation Draft was finalized on June 2, 2020
• Posted on GitHub for broader consultation and review (June 2020 to ?)
• Re-starting PCTF WG Weekly Series
• Focus on Thematic Issues (e.g., Digital Relationships, Informed Consent, Unregistered
Organizations)
2. PCTF Assessment Worksheet
• Consolidation all Conformance Criteria for each atomic process (400+ in total)
• Integration of Organization Conformance Criteria (may be a separate worksheet)
• Continued refinement and validation of Conformance Criteria
3. PCTF Assessment and Mutual Recognition
• Continued iteration of PTCF assessment processes into a a formalized program.
• Exploring alignment with other frameworks (eIDAS, Digital Nations, etc.)
SSIMeetup.orghttps://creativecommons.org/licenses/by-sa/4.0/
8. The PCTF Model
● A Normative Core component that
encapsulates the key concepts of the PCTF;
● A Mutual Recognition component that outlines
the current methodology that is used to assess
and certify actors in the digital ecosystem;
● A Supporting Infrastructure component that
describes the set of operational and technical
policies, rules, and standards that serve as the
primary enablers of a digital ecosystem; and
● A Digital Ecosystem Roles and Information
Flows component that defines the roles and
information flows within the digital ecosystem.
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
9. PCTF Identity Domains
● A Foundational Identity is an identity that has been established or changed as a result of a foundational
event (e.g., birth, person legal name change, immigration, legal residency, naturalized citizenship, death,
organization legal name registration, organization legal name change, or bankruptcy).
o The Vital Statistics Organizations (VSOs) of the Provinces and Territories;
o The Business Registries of the Provinces and Territories;
o Immigration, Refugees, and Citizenship Canada (IRCC); and
o The Federal Corporate Registry of Corporations Canada.
● A Contextual Identity is an identity that is used for a specific purpose within a specific identity context
(e.g., banking, business permits, health services, drivers licensing, or social media). Depending on the
identity context, a contextual identity may be tied to a foundational identity (e.g., a drivers licence) or
may not be tied to a foundational identity (e.g., a social media profile).
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
10. PCTF Digital Representations
Currently, the PCTF recognizes two types of digital representations:
● Digital Identity: An electronic representation of an entity, used exclusively by that
same entity, to access valued services and to carry out transactions with trust and
confidence.
● Digital Relationship: An electronic representation of the relationship of one entity to
another entity.
As the PCTF evolves these digital representations will be extended to include other types
of entities such as digital assets and smart contracts. It is also anticipated that in the future
the PCTF will be used to facilitate the mutual recognition of digital representations
between countries.
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
11. PCTF Atomic Process Model ● Atomic processes are crucial building
blocks to ensuring the overall integrity of
the digital identity supply chain and
therefore, the integrity of digital services.
● Atomic processes have been defined in a
way that they can be implemented as
modular services and be separately
assessed for certification.
● Once an atomic process has been
certified, it can be relied on or “trusted”
and integrated into other digital
ecosystem platforms.
● This digital ecosystem is intended to
interoperate seamlessly across different
organizations, sectors, and jurisdictions,
and to be interoperable with other trust
frameworks.
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
13. PCTF Dependencies
The PCTF model recognizes two types of dependencies:
● The first type is those dependencies that exist between atomic processes. Although
each atomic process is functionally discrete, to produce an acceptable output an
atomic process may require the successful prior execution of another atomic process.
○ For example, although Identity Establishment of a person or organization can be
performed independently at any time, it is logically correct to do so only after
Identity Resolution for that person or organization has been achieved.
● The second type is dependencies on external organizations for the provision of
atomic process outputs
○ Examples include: a commercial service provider or a credential authentication
service.
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
15. Conveyance of Process Output States
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
16. Digital Ecosystem and Information Flows
● The model makes no assumption
on any asymmetric power
relationship between parties.
● Anyone can be subjects, issuers,
holders, and verifiers, using many
different methods.
● The digital ecosystem roles can be
carried out by many different
entities who perform specific roles
under a variety of labels.
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
17. Methods
● Methods encompass the sets of rules that govern such things as data
models, communications protocols, cryptographic algorithms, databases,
distributed ledgers, verifiable data registries, and similar schemes; and
combinations of these.
● Methods also include systems that are isolated or have intermittent
connectivity. Within the context of the digital ecosystem, Methods enable
actors to interact directly or indirectly with one another without either party
being bound to a particular solution or technology.
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
18. Mapping to Existing Roles
Role Examples
Issuer Authoritative Party, Identity Assurance Provider, Identity
Proofing Service Provider, Identity Provider, Credential Assurance
Provider, Credential Provider, Authenticator Provider, Credential
Service Provider, Digital Identity Provider, Delegated Service
Provider
Subject Person, Organization, Device
Holder Digital Identity Owner, Card Holder
Verifier Relying Party, Authentication Service Provider, Digital Identity
Consumer, Delegated Service Provider
Methods Infrastructure Provider, Network Operator
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
19. Mapping to Emerging Technology Stacks
Trust over IP Stack PCTF Model
Layer 4: Governance Frameworks
Normative Core
Mutual Recognition
Layer 3: Credential Exchange Digital Ecosystem Roles
Layer 2: DIDComm
Supporting Infrastructure
Layer 1: DID Registries
SSIMeetup.org
https://creativecommons.org/licenses/by-sa/4.0/
20. Federal Digital ID
Directives
● TB Directive on Identity
Management
Standards
● Standard on Identity and
Credential Assurance
Policies
● TB Policy on
Government Security
Legislation
● Financial Administration
Act
Public Sector Profile
Pan-Canadian Trust
Framework
Guidelines and
Technical Standards
● Guideline of Identity
Assurance, Authentication
Requirements
● CATS, ITSP.030.31
Conformance Criteria
Assessment and
Approval
Prov/Terr Digital ID
Directives
Standards
Policies
Guidelines and
Technical Standards
Conformance Criteria
Legislation
For discussion purposes only
National / International Standards
(national in scope with potential for international)
Legislation , Agreements, Treaties, etc.
(e.g. ISO, OECD, WEF, World Bank, etc.)
National / International Digital ID
Assessment and
Approval
Focus: Program Integrity
● Public Interest: specialized
to needs of Public Sector to
ensure trust and confidence.
● Has been tested and revised
based on AB and BC
assessments
● Version 1.1 now available
Focus: Products & Services
● Private Sector-driven: goal
is to encourage
standardized commercial
products and services.
● Remains to be tested
● Version 1.0 pending.
DIACC
Pan-Canadian Trust
Framework
Other Trust
Frameworks
EIDAS (EU)
TDIF (Australia)
Kantara
● There are multiple
international and
industry specific
trust frameworks
● Participating in
Digital Nations
Thematic Group on
Digital Identity
Alignment
Assessment
21. PCTF Public Sector Profile Assessments: Conducted to Date
Province of Alberta
• April-August 2018 Initial
Assessment
• September 2018: Letter of
Acceptance Issued
• August 2019: Go-Live on My
Service Canada Account
Province of British Columbia
• August-December 2019 Initial
Assessment
• Q1 2020: Letter of Acceptance
Issued (Jan 2020)
• Q1 2020: Go-Live on My CRA
Login (Feb 2020) My Service
Canada Account (Est.)
Rest of Canada
• 2020-202X (Est.)
SSIMeetup.orghttps://creativecommons.org/licenses/by-sa/4.0/
22. Public Sector Profile of the PCTF: Lessons Learned So Far
1. Requires collaborative team effort with experts on the ground.
• Kick-off involved in-person visit to i) gain direct knowledge of program and ii) establish close working relationship between team
members.
• Regular calls (and videoconferencing) between teams.
• Gathered and compiled evidence using conformance criteria templates submitted for assessment.
• Assessment is a discrete work stream, however tightly coupled to other work streams (technical integration, MOU, agreements etc.)
• Engage legal counsel early in the process, as there will be implications for agreements and authorities.
2. Assessment process is iterative and continuously improving.
• Applying best practices from other frameworks (e.g., security assessment and authorization)
• Development of master spreadsheet to assess evidence against conformance criteria with traceability to policy requirements.
• Evidence collected in separate documents and filed for subsequent analysis, review and audit. Final review results in a Letter of
Acceptance.
3. Next Steps: PCTF is evolving for fit and purpose (we are defining the ‘state of the art’)
• Continue to clarify distinction of responsibilities between departments and jurisdictions. Identifying dependencies with processes in
existing programs (e.g. vital statistics, motor vehicle licensing) and other jurisdictions (e.g., federal immigration).
• Maintain focus of PCTF as a business process integrity framework that complements (not replaces) existing technical interoperability
standards and frameworks (e.g., SAML, Open ID Connect, Verifiable Credentials). PCTF also complements existing assessment processes
or agreements (e.g., Privacy Impact Assessment, Security Assessment and Authorization, SOC2 Trust Principles).
• Ensure PCTF is alignment with global frameworks, World Bank, European Union, Financial Action Task Force (customer due diligence)
SSIMeetup.orghttps://creativecommons.org/licenses/by-sa/4.0/
23. More Info:
Public Sector Profile of the PCTF is available on GitHub:
https://canada-ca.github.io/PCTF-CCP/
Open Government Licence - Canada:
https://open.canada.ca/en/open-government-licence-canada
Twitter (Tim Bouma):
@trbouma
SSIMeetup.orghttps://creativecommons.org/licenses/by-sa/4.0/