http://ssimeetup.org/overview-proposed-pan-canadian-trust-framework-ssi-tim-bouma-webinar-19/
Tim Bouma is a Senior Analyst with the Government of Canada, specializing in digital identity and the development of the Pan-Canadian Trust Framework. This presentation provides an overview of the Pan-Canadian Trust Framework (PCTF) and the latest iteration, building on policy and standards that have been in development in Canada for more than a decade.
Within Canada, there is no national identity program. Rather, it is a shared responsibility across all jurisdictions. The PCTF is being developed to enable a pan-Canadian approach – a collective approach that serves the needs of all jurisdictions – federal, provincial and territorial, and in collaboration with the private sector.
The PCTF is being designed to work across many contexts (legal, business, program and services) and to provide a consistent method to assess digital identity programs, the integrity of their trusted processes, and enabling solutions. The PCTF is also being designed to take advantage of new and emerging technologies, namely self-sovereign identity, verifiable credentials, and decentralized identifiers.
Overview of the Proposed Pan-Canadian Trust Framework for SSI - Tim Bouma
1. For Discussion Purposes Only
SSI Meetup
Wednesday January 16, 2019
3-4pm ET (2100 CET)
Tim Bouma
Senior Analyst, Digital Identity
Government of Canada
Twitter: @trbouma
#GCDigitalID Video is here FWD50 Conference deck is here
Consultation deck is here. (pls add your comments to this doc)
Trusted Process mapping analysis here.
Github repo here (still a work in progress)
2018-12-13 1
Overview of the Proposed Pan-Canadian Trust Framework
SSIMeetup.org https://creativecommons.org/licenses/by-sa/4.0/
2. SSIMeetup objectives
1. Empower global SSI communities
2. Open to everyone interested in SSI
3. All content is shared with CC BY SA
Alex Preukschat @SSIMeetup @AlexPreukschat
Coordinating Node SSIMeetup.org
3. Government of Canada Digital Standards
A Set of Guiding Principles
Design with users
Iterate and improve frequently
Work in the open by default
Use open standards and solutions
Address security and privacy risks
Build in accessibility from the start
Empower staff to deliver better services
Be good data stewards
Design ethical services
Collaborate widely
4. For Discussion Purposes Only
Can I trust this digital identity?
Digital Identity
5. For Discussion Purposes Only
Basics of a ‘[Digital] Trust Framework’
Context (Goals, Rules, Facts)
[Digital] Representation
A tool to answer the question:
[Within a given context] what do I need to hold true to rely on ?
6. For Discussion Purposes Only
Digital Identity in Canada
What is it?
Trusted digital identity is an electronic equivalent of who you are as a real person, used exclusively by you, to receive valued services and to carry out transactions with trust and confidence.
Digital Identity confirms that ‘you are who you say you are’ in an online context.
Why does it matter?
Digital Identity is the foundation to moving more services online, where our citizens expect to be.
7. For Discussion Purposes Only
Trusted Digital Identity Ecosystem
Trusted Digital Identity Ecosystem* (*governed by the Pan-Canadian Trust Framework)
[Diagram labels: Banks; Telcos; Other]
The GC vision is to build a federated, digital identity ecosystem where trusted digital identities are used to deliver GC services in a seamless manner on any platform, with any partner, on any device.
8. For Discussion Purposes Only
Enabled by the Pan-Canadian Trust Framework
The Pan-Canadian Trust Framework is a set of criteria and specifications to ensure that all jurisdictions abide by a common, agreed-upon set of rules to trust and accept each other’s digital identities.
Trusted Digital Identity: This is me!
• Verified Login: Is it the same person?
• Verified Person: Is it a real existing person?
• Confirmation, Binding, Notice and Consent: Has the user given consent?
Pan-Canadian Trusted Infrastructure Component: Security, Privacy, User Experience, Communications
9. For Discussion Purposes Only
Goals of the Pan-Canadian Trust Framework (PCTF)
1. A simple and integrative framework that is easy to understand yet
capable of being applied in a complex environment
2. Technology-agnostic: provides flexibility and logical precision in
assessing the trustworthiness of digital identity solutions and digital
identity providers
3. Complements existing frameworks (security, privacy, service
delivery, etc.)
4. Provides clear links to applicable policy, regulation, and legislation
by defining conformance criteria that can be easily mapped
5. Normalizes (standardizes) key processes and capabilities to enable
cross-sector collaboration and ecosystem development
Consultation deck can be found here.
10. For Discussion Purposes Only
Trusted Digital Representations and Trusted Processes
• Currently, the PCTF is composed of:
– 3 trusted digital representations
– 24 atomic trusted processes
• Atomic trusted processes can be grouped together to form various
compound trusted processes such as:
– Identity Assurance
– Credential Assurance
– Notification and Consent
• The PCTF is extensible and interoperable:
– additional trusted processes can be added as required
– the trusted processes can be mapped to Vectors of Trust (VoT)
11. For Discussion Purposes Only
Foundational Identity Versus Functional Identity
[Diagram labels: Pan-Canadian Trust Framework; Foundational Identity; Functional Identity; Public Sector; Public and Private Sector; All Federation Members; Provinces, Territories, Federal Immigration, First Nations, etc.]
12. For Discussion Purposes Only
Trusted Digital Representations
• Trusted Digital Identity (Person)
• Trusted Digital Identity (Organization)
• Verified Relationship
13. For Discussion Purposes Only
The Trusted Process Model
A trusted process is an activity (or set of activities) that results in a state transition in an object that can be relied on by other trusted processes.
[Diagram: Object Input State → Trusted Process → Object Output State]
• Conformance Criteria ensure process integrity
• An output state that can be relied on as a ‘proof’ (or ‘verifiable claim’) by others
Formalizing (and standardizing) the trusted processes, the input states, the output states, and the conformance criteria is the essence of defining the trust framework!
14. For Discussion Purposes Only
Examples of Atomic Trusted Processes (Modeled)
(Each entry reads: trusted process: input state → output state)
• Credential Authentication: Issued Credential → Authenticated Credential
• Identity Validation: Unconfirmed Identity Information → Confirmed Identity Information
• Persist Consent: One-Time Consent → Ongoing Consent
16. For Discussion Purposes Only
The Identity Confirmation Compound Trusted Process
Identity Confirmation is composed of:
• Identity Validation
• Identity Maintenance
• Liveness and Fraud Detection
• Identity Verification
17. For Discussion Purposes Only
Other Compound Trusted Processes
[Diagram labels: Trusted Digital Identity Creation; Identity Creation; Identity Confirmation; Identity Registration; Linking; Notification and Consent; Binding; Credential Creation; Credential Authentication; Service Enrolment; Service Registration]
18. For Discussion Purposes Only
Compound Trusted Process: Identity Assurance
Identity Assurance
(Each entry reads: trusted process: input state → output state)
• Identity Resolution: Non-Unique Identity Information → Unique Identity Information
• Identity Establishment: No Authoritative Record → Authoritative Record
• Identity Validation: Unconfirmed Identity Information → Confirmed Identity Information
• Identity Verification: Unattributed Claims → Attributed Claims
• Identity Presentation: Static Presence → Active Presence
• Identity-Credential Binding: Unbound Credential → Bound Credential
• Identity Linking: Unlinked Identifier → Linked Identifier
• Identity Maintenance: Non-Current Identity Information → Current Identity Information
[Other diagram labels: Evidence of Identity; Proof of Identity]
20. For Discussion Purposes Only
Compound Trusted Process: Notification and Consent
(Each entry reads: trusted process: input state → output state)
• Review Consent: Consent → Reviewed Consent
• Persist Consent: One-Time Consent → Ongoing Consent
• Consent Notification: No Notification → Notification Issued
• Formulate Notification Requirements: No Notice → Notice Provided
• Validate Authorization for Consent: Presumed Authorization → Validated Authorization
• Request Consent: No Consent → Consent
• Consent Maintenance: Consent → Updated Consent
[Other diagram labels: Implicit Consent; Active Informed Consent]
21. For Discussion Purposes Only
Trusted Digital Identity (Person)
• Identity Assurance
• Credential Assurance
• Notification and Consent
Trusted Supporting Infrastructure (see detail on later slide)
22. For Discussion Purposes Only
Trusted Digital Identity (Person) – a set of trusted process outputs
A trusted digital identity can be conceptualized as a set of trusted process outputs (or proofs) that are independent of conveyance method.
Depending on the ecosystem, some of these trusted processes may be carried out by multiple parties at different points in time.
Trusted process outputs shown:
• Liveness and Fraud Checked
• Attributed Claims
• Issued Credential
• Authoritative Record
• Unique Identity Information
• Confirmed Identity Information
• Current Identity Information
• Authenticated Session
• Authenticated Credential
• Consent
• Validated Authorization
• Notice Provided
• Ongoing Consent
• Updated Consent
• Reviewed Consent
• Notification Issued
• Bound Credential
23. For Discussion Purposes Only
No. | Trusted Process | LOA/VoT Requirement | Trusted Digital Identity Provider | Credential Service Provider | Relying Party
1 Identity Resolution … Province/Territory Federal service
2 Identity Establishment 3 Province/Territory Federal service
3 Identity Validation 3 Province/Territory
4 Identity Verification 3 Province/Territory Federal service
5 Identity Maintenance 3 Province/Territory Federal service
6 Liveness and Fraud Detection … Province/Territory Federal service
7 Identity-Credential Binding … Province/Territory
8 Identity Linking … Federal service
9 Credential Issuance 2 Province/Territory
10 Credential Authentication 2 Province/Territory
11 Credential Suspension 2 Province/Territory
12 Credential Recovery 2 Province/Territory
13 Credential Maintenance 2 Province/Territory
14 Credential Revocation 2 Province/Territory
15 Authentication Session Initiation 2 Province/Territory
16 Authentication Session Termination 2 Province/Territory
17 Validate Authorization for Consent … Province/Territory Federal service
18 Formulate Notification Requirements … Province/Territory Federal service
19 Request Consent … Province/Territory Federal service
20 Persist Consent … Province/Territory Federal service
21 Consent Maintenance … Province/Territory Federal service
22 Review Consent … Province/Territory Federal service
23 Consent Notification … Province/Territory Federal service
24 Signature ...
Trusted Processes can be carried out by multiple parties
(e.g., a Provincial/Territorial Trusted Digital Identity being consumed by a Federal service)
26. For Discussion Purposes Only
Relying Party
Service Enrolment (with a Trusted Digital Identity)
Identity Creation
❑ Identity Resolution
❑ Identity Establishment
Service Registration
Notification and Consent
❑ Validate Authorization for Consent
❑ Formulate Notification Requirements
❑ Request Consent
❑ Persist Consent
❑ Consent Maintenance
❑ Review Consent
❑ Consent Notification
Identity Confirmation
❑ Identity Maintenance
❑ Liveness and Fraud Detection
❑ Identity Verification
Trusted Supporting Infrastructure
Linking
❑ Identity Linking
Identity Assurance (Identity Proofing)
27. For Discussion Purposes Only
Trusted Supporting Infrastructure
Digital Service Delivery
Privacy and Security
Audit and Logging
Federation Interoperability - Standards and Specifications
PCTF Endorsements
Service Authorization and Access
Auditing
Logging
Security Assessment and Authorization
Privacy Impact Assessment
Pan-Canadian Endorsement
Jurisdictional Endorsement
Technical (e.g., SAML, OIDC)
Business (e.g., PCIM Standards)
Communications
User Needs and Experience
Service Level Agreements
Resource Management
Access Control
Service Authorization
Legend: Relying Parties only; All Federation Members
28. For Discussion Purposes Only
Trusted Processes and Conveyance
Trusted process outputs (i.e., proofs) are independent of conveyance model. The proofs (output states) can be conveyed using a traditional/centralized model (e.g., a trusted third party) or a decentralized model (e.g., a distributed ledger, a blockchain) – or both.
Conveying proofs between parties (each party runs Input State → Trusted Process → Output State):
• Traditional/Centralized Model: Party A – Trusted Third Party – Party B
• Decentralized Model: Party A – Distributed Ledger; Blockchain – Party B
29. For Discussion Purposes Only
W3C Verifiable Credentials Ecosystem
• Issuer: Signs Credential; Issues Credential
• Holder (Wallet): Countersigns Credential; Presents Credential
• Verifier: Verifies Signatures
• Decentralized Identifiers (DIDs)
• Public Blockchain or other Decentralized Network
31. For Discussion Purposes Only
Vectors of Trust
• A proposed IETF standard (RFC 8485, October 2018)
• Currently, the Standard consists of 4 components:
– Identity Proofing (P): describes how likely it is that a given digital
identity transaction corresponds to a particular, real-world identity
subject
– Primary Credential Usage (C): defines how strongly the primary
credential can be verified by the TDIP
– Primary Credential Management (M): conveys information about
the expected lifecycle of the primary credential in use, including its
binding, rotation, and revocation
– Assertion Presentation (A): defines how well the TDI can be
communicated across the network without information leaking to
unintended parties and without spoofing
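A relying party that receives a vector of trust has to parse it strictly before comparing it with what it will accept. The following is an added example, not part of the original deck or of the PCTF: it parses the RFC 8485 wire format (for example "P1.Cc.Ab") and fails closed on malformed input; the function names, the sample policy and the exact-match comparison are assumptions made for illustration.

```python
import re

# RFC 8485 wire format: period-separated components, each a single
# uppercase demarcator followed by a single digit or lowercase letter.
_COMPONENT = re.compile(r"[A-Z][0-9a-z]")


def parse_vot(vector):
    """Parse a vector string such as 'P1.Cc.Ab' into {demarcator: {values}}."""
    if not isinstance(vector, str) or not vector:
        raise ValueError("vector must be a non-empty string")
    parsed = {}
    for comp in vector.split("."):
        if not _COMPONENT.fullmatch(comp):
            raise ValueError(f"malformed component: {comp!r}")
        values = parsed.setdefault(comp[0], set())
        if comp[1] in values:
            # A given value must not occur twice ('Cc.Cc' is invalid).
            raise ValueError(f"repeated component: {comp!r}")
        values.add(comp[1])
    return parsed


def satisfies(presented, required):
    """True if every component value in `required` appears in `presented`.

    Assumption: exact-match comparison. Whether a higher P value also
    satisfies a lower one is defined by the trustmark, not modelled here.
    """
    have = parse_vot(presented)
    need = parse_vot(required)
    return all(vals <= have.get(dem, set()) for dem, vals in need.items())


def accept(presented, acceptable):
    """Relying-party gate: accept if any listed vector is satisfied."""
    try:
        return any(satisfies(presented, req) for req in acceptable)
    except ValueError:
        return False  # fail closed on malformed input


if __name__ == "__main__":
    # Constructed sample values, not taken from the PCTF.
    policy = ["P2.Cc", "P3.Cb"]
    for v in ["P2.Cc.Ab", "P1.Cc.Ab", "P2.Cc.Cc", "p2.cc"]:
        print(v, accept(v, policy))
```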
32. For Discussion Purposes Only
Using an Associative Entity
Internal and External Many-to-Many Relationships
Entities and Relationships
[Diagram: entities Person and Organization joined by 0:n relationships; in the associative-entity form, Person – Relationship – Organization, with each link 0:n]
33. For Discussion Purposes Only
www.IdentityBook.info
Tim Bouma: The meaning of trust and identity
@IdentityBookHQ
34. For Discussion Purposes Only
Twitter: @trbouma
GitHub: https://canada-ca.github.io/PCTF-CCP/