Canada: Enabling Self-Sovereign Identity
Disclaimer: The following entry is an edited excerpt from a draft chapter for the upcoming book on Self-Sovereign Identity by Manning Publications. The full draft will be available shortly in the Manning Early Access Program and the finalized chapter will be available upon publication. Given the current situation, I thought it would be better to provide this material earlier than later for the benefit of everyone. This material has been co-authored by me and Dave Roberts and is based on our experiences and perspectives. It does not represent the views of the Government of Canada or the broader Canadian Public Sector. This entry is provided for informational purposes only, and should not be considered as advice nor as an official position. Tim Bouma
The adoption of the self-sovereign identity model within the Canadian public sector is still being realized in 2020. It is too early to tell how it will change the technological infrastructure or the institutional infrastructure of Canadian public services.
Terminology notwithstanding (many have issues with the term “self-sovereign”), the core ideas of the model are now being ingested and adapted for the Canadian public sector context. This has not been an overnight process but rather, a deliberate, phased, and incremental approach over the past decade. While emerging technologies such as self-sovereign identity (SSI) might be the better way, allowances need to be made for the coexistence of different identity models. Currently, Canadian jurisdictions employ centralized and federated identity models and these will continue to coexist for the foreseeable future.
Pan-Canadian Trust Framework
The Public Sector Profile of Pan-Canadian Trust Framework (PCTF) is a model that consists of a set of agreed-on concepts, definitions, processes, conformance criteria, and an assessment approach. The PTCF will help to standardize how governments create, issue, and accept digital identities between jurisdictions and across different sectors within Canada and internationally. While standardization is key, the PCTF itself is not a formal “standard” but, instead, is a framework that relates and applies existing standards, policies, guidelines, and practices — and where such standards and policies do not exist — specifies additional criteria. The role of the PCTF is to complement existing standards and policies such as those concerned with security, privacy, and service delivery.
The PCTF also helps to support mutual recognition between jurisdiction. This mutual recognition process begins with a mapping exercise in which the program activities, business processes, and technical capabilities of the jurisdiction being assessed are mapped to the atomic processes defined in the PCTF. Once the existing business processes have been mapped to the atomic processes, they can be assessed and a determination made against each of the related atomic process conformance criteria.
Digital Ecosystem Roles
In developing the public sector profile of the PCTF, it became apparent that the roles and responsibilities of the various digital ecosystem actors needed to be clarified. These actors consist of a wide range of government institutions, organizations, and individuals acting in a variety of capacities. After analyzing existing models, including the W3C Verifiable Credentials model, and working through several iterations, a generic conceptual model emerged which is illustrated in the below:
The model above makes no assumption on any asymmetric power relationship between the digital ecosystem actors. Anyone can be subjects, issuers, holders, and verifiers, using many different methods. The digital ecosystem roles can be carried out by many different entities that perform specific roles under a variety of labels. These specific roles can be categorized into a non-exhaustive list of examples below:
- Issuers: Authoritative Party, Identity Assurance Provider, Identity Proofing Service Provider, Identity Provider, Credential Assurance Provider, Credential Provider, Authenticator Provider, Credential Service Provider, Digital Identity Provider, Delegated Service Provider
- Subjects Person, Organization, Device
- Holders: Digital Identity Owner
- Verifiers: Relying Party, Authentication Service Provider, Digital Identity Consumer, Delegated Service Provider
- Methods: Infrastructure Provider, Network Operator
Mapping to Trust over IP
To enable self-sovereign identity, the PCTF has been mapped to the emerging SSI stack, known as “Trust over IP”. This mapping can be used to help governments and industries to better define how they can work together in developing a digital ecosystem that leverages self-sovereign identity. The figure below illustrates this mapping:
Evolving World of Verifiable Credentials
In developing the PCTF, the Canadian public sector has found itself in the midst of interesting developments in the areas of verifiable credentials. There is a sea-change happening in the public sector where a shift is occurring from program-centric “information-sharing” models to user-centric models in which individuals are empowered to present their own “digital proofs”, or verifiable credentials.
The Canadian public sector is evaluating the implications of applying these technologies at the ecosystem-scale both in the public and private sectors. The PCTF may facilitate migration to digital ecosystems using open standards-based verifiable credentials and independent verification systems.
To conclude, while the Canadian Public Sector is actively pursuing SSI, it is still too early to predict the future. The Pan-Canadian Trust Framework is a tool to help understand SSI in the government context and to drive institutional change to better serve Canadians. The PCTF will encourage new institutional relationships that can leverage self-sovereign identity. If we approach SSI in the right manner, it will become pervasive and create a better digital ecosystem for everyone.
If you have any questions, please don’t hesitate to comment on this blog entry or contact me on Twitter.