Definitely Identity Episode 9 PCTF with Dave Roberts — AI Transcription.

Tim Bouma
Feb 29, 2020

You can listen to “Definitely Identity Episode 9 PCTF with Dave Roberts” here.

Following is an AI transcription of the episode using Otter.ai

Please note that this transcription has not been completely edited to eliminate AI-goofiness. If there is something that does not make sense, please use the links above. In the meantime, please bear with the AI-goofiness. I will fix up when I have more time.

My name is Tim Bouma, and this is Definitely Identity.

Definitely Identity, all things identity in this podcast out talking to people about the interesting things that are happening in the world, public and private sector, in the country and around the world.

Welcome to episode nine of Definitely Identity. This is a special episode as we have just released the latest version of the Pan-Canadian Trust Framework. It’s version 1.1. We just posted it on GitHub this afternoon. And I decided that in addition to posting the documents online, I’d do a quick interview with my colleague Dave Roberts, who has been a significant contributor to the document and to the development of the Pan-Canadian Trust Framework.

In this episode, we actually not only talked about the trust framework itself, but we also talked about the history and the documents leading up to what we produced. Dave and I go into quite a bit of detail during the discussion. So you may want to go to GitHub. I’ve provided the link in the show notes. Get the document, download it, have a look at it beforehand, at least take a look at the table of contents and maybe give it a quick read. That’s how you might benefit most from the podcast. If you don’t have it handy, feel free to listen; I think you’ll enjoy the conversation between Dave and myself. And certainly afterward, please do download the document and give it a read, and if you have any questions, I’m more than happy to entertain them, and please contact me. So enjoy the conversation.

Today my guest is Dave Roberts. And he’s been working with me on developing the Pan-Canadian Trust Framework, the public sector profile. And we’re kind of having a bit of a fireside chat here on what we’ve been doing over the past few months but more importantly over the past number of years on developing the Pan-Canadian Trust Framework. So before we get into it, Dave, how about you introduce yourself, just give a quick background and just maybe just give a bit of a story and how you actually arrived on this project and working on the trust framework?

Sure. I spent most of my career as an IT professional, mainly in the Government of Canada. For the longest time I worked at Statistics Canada, which, as most listeners would probably guess, is a huge collector and repository of data, so my main interest and focus was on data modelling in my work at Stats Canada. And it was in that capacity that I came over to Treasury Board to work on a project that was meant to facilitate the exchange of identity information between government departments, and ultimately between the Government of Canada and the jurisdictions. This was to be a modern version of a system that was developed in the mid 2000s, called the National Routing System. Because I worked on that project, I came over to Treasury Board to help out on that. In the course of that, though, it became apparent that Tim, who was working in a different area on, I guess it was just called identity then, it wasn’t as digital identity.

And he needed some help in coming up with some of the standards that related to identity management, such as the standard on identity validation, and ultimately on things like notification and retrieval. So we worked on that for a bit. And then during the course of that, the Pan-Canadian Trust Framework became a thing. Under the Identity Management Subcommittee of the Joint Council, there was an initiative taken to develop a Pan-Canadian Trust Framework. And so I worked with Tim on the early days of that, and then I went off to do other stuff. And then Tim brought me back in when he needed more help. Yeah, I think we started the trust framework in earnest. It was late 2014. I remember because then we had produced what we called an identity validation standard, but then we iterated, we had Dave and I worked on a subsequent version to that that came out but a couple of years after that 2008 2016 and the work on the trust framework began in earnest in 2015. We started talking about late 2014. It was kind of like what next? We had done like, early very much earlier on like I literally going back to the beginning of the decade we had done under the IMC what was called the Pan-Canadian Assurance Model. We did a paper on trusting identities that was in 2010 2011, we did a trusting identities paper, Treasury Board, we actually produced another paper called federated identity management for the Government of Canada, which incorporated a vision of the jurisdictions. We realised back then that not only authentication was something that we could give out to industry, but we needed to work with the jurisdictions on the identity piece, and that’s where we started talking about the pan-Canadian approach. And then as you said, they

You came in on the project, which then became called Canada’s Digital Interchange, which was kind of the next generation of what was the National Routing System. And then just by nature of the work, we ended up working closely together, and more recently, Dave’s been the main pen, if you will, on the Pan-Canadian Trust Framework, which we’ve got the latest version that we’re literally putting out on GitHub, like today. And so that’s a bit of background there an of work that we’ve done in the background very quietly, very deliberately that outside the public sector or even outside of the federal government, and nobody’s actually aware of a lot of work has been done. Do we want to talk about version 1.1? The document that we just finalised with a working group and then talk about it and maybe talk about how some of the concepts evolved, leading up to this document

The nice thing about this document, we released version 1.0. And it’s on GitHub. I’ll provide the link. That was sent out or published July of last year, almost a year, eight months, nine months, right. We applied it to the province of BC for an assessment programme. We had identified a number of thematics in version 1.0. When I say see thematic issues, as we call them, things that we needed to resolve, but we just couldn’t resolve just by making changes to the document, we had to sit back and think about it. And then we resolved a lot of those thematic issues leading up to version 1.1. I think maybe the approach should be like most, I’m sure the listeners may not have the background. They probably want to start from the current document and then we can talk about how we got to where we were by highlighting some of the issues that we resolved. Actually, Tim, what might help the listeners is if we talked about a few of the aha moments that we’ve had in the development of the PCTF. Because, to be quite honest, in the early days back in 2015 2016, the group of us were tasked with creating this thing, there was a lot of floundering, a lot of trying to figure out exactly what should be in the trust framework, what was out of scope, and trying to get a handle on what concepts were important, what we needed to focus in on, what was fluff. I would say that actually one of the things we did in the early days was we created a laundry list of things that we thought might be appropriate for a Pan-Canadian Trust Framework, a set of processes, a set of ideas, concepts. And one of the things that we’ve been doing is winnowing down that list or shoving them into buckets that really aren’t relevant to the focus of the Pan-Canadian Trust Framework. And if you were to look over the document over the last four years, and its various iterations, you’ll see that it’s just becoming a tighter and tighter and tighter focus.
But that’s the first stab that that that that set of processes actually led us to what I would say is the first thing that occurred to us is that there is a set of fundamental processes, which we call atomic processes, that can’t be decomposed into anything smaller. Or if you do, it loses its formal cohesion. And interestingly enough, those processes align very nicely with many of the ideas that were put forward, back

In those papers that Tim was referring to the guidelines on identity assurance and credential assurance. So a lot of that earlier thinking, we began to see that these atomic processes model those very, very, very nicely. So that was the first thing that came out of this thinking process. And in fact, is probably the one concept that has been consistent. I would say, over the last two, three years, when developing the Church of Our policy instruments, developing policy instruments that are intended to be applied in a very different set of contexts, you actually have to step back and say, What are the fundamental things that you’re actually concerned with from a central agency point of view? Things like uniqueness, how you verify individuals, how you validate the information, how do you collect and use the evidence, are you operating within your authority, so you can take that set of you know, we’re calling them atomic processes. You take that as a toolkit.

into a departmental context and actually have them describe what they’re doing in their language, then you map it back to the policy instrument. That was the other thing that we learned too when we started to work with the jurisdictions. Everybody calls their business processes a little bit differently. In one jurisdiction, maybe registration, another one, it may be enrollment, another one may be service registration, programme enrollment. And it’s really hard to tell like a jurisdiction or department or anyone for that matter to say you have to change your terminology so that we can understand you, you have to kind of do the other way around and say, Okay, this is how you describe it in your context. This is how we’ve mapped it into the trust framework, and this is how we’re decomposing it to actually do the assessment. So it becomes like a lens that you can actually use to look at a wide variety of contexts and operational contexts that have evolved over years, if not decades, and they’re not going to change anytime soon, but there’s a nugget that you need to look at within the context that you’re concerned with, or maybe a lot of stuff that you don’t need to be concerned with. So we took that experience, from our point of view as a central agency and applied that into the trust framework and put a lot of effort into coming up with that lens, if you will. Yeah. The beauty about the atomic processes is that they’re essentially dealing with a transition from an input to an output. And because of their internal logical cohesion, they’re basically doing one thing and one thing only of importance, for instance, in the identity space identity resolution is you have some identity information, and you haven’t unique, made that identity information assigned to a unique entity within your identity context or your population of interest. And so what’s going on inside the

That particular atomic process is the method that you use to achieve identity uniqueness within your population of interest. And because they’re very tight and coherent, there’s a kind of beautiful plug and play aspect to these atomic processes. There are in some cases dependencies between the atomic processes, it only makes sense to do identity resolution first before you do anything else in the identity space, but the other ones can be done in any particular sequence. But more importantly, they don’t have to all be done by one particular actor. It allows for multiple actors doing these little component pieces, and then someone integrates it all together and have achieved some level of identity assurance by doing that. That’s a key simplifying as

That we baked into the trust framework is that we don’t make any assumptions of which organisations are carrying these things out. Again, one province, A, may be organised differently than province B. One province may have it organised under one ministry, other provinces may have it spread across other ministries, one province may have a special operating agency and another might not. The idea here is that regardless of who’s actually carrying it out within a jurisdiction, for example, you should be able to find those trusted processes and understand where they’re carried out. Again, when we did the province of BC, I think we found that there were nine organisational units at play: ministries, divisions within ministries, provincial crown corporations, as well as some organisations that were our commercial contractors. So we identified a set of organisations that together were providing these atomic processes

is the other thing too is that what Dave was talking about? There are dependencies that we formally defined when you’re born in one province and you move to another province, the registrar, your birth certificate, the registrar isn’t another province. So you’re depending on your depending on a process that comes outside of the province. So we’ve identified those things is dependency. So it gives us full clarity into a digital identity programme, what we need to assess. And when we do the assessment, we actually highlight those key things that are what we call opposite observations. It gives us a full transparency into a programme. Yeah, as Tim was mentioning, during the assessment process, one of the first steps is this is this process mapping, which is basically to take whatever documentation the jurisdiction in this case might have how how they do things, and it could be through a set of diagrams or whatever, but it’s to do an analysis and to figure out, Okay, what you’re calling the x y Zed process.

Where you’re doing identity validation, or, or here’s where you do some sort of identity linking process and so on. And and so translating their particular business process into the set of atomics, for which we have established conformance criteria about against which they can be measured. And so what makes on the surface seem like a very unwieldy process, because of every organisation has a different way of doing things or so it would seem, and every organisation has different names and labels for those processes. In the in the end, once you do that mapping process, you find out that yes, indeed, they’re doing exactly what we’ve outlined, they should be doing in the pan Canadian trust framework. And therefore, it then comes down to assessing the quality with which they do those atomic processes. And it’s also called

clarifies the accountabilities between jurisdictions. Another important concept that we’ve refined in the trust framework is this notion of context. We we define that as the identity domains, we have the foundational and contextual identity. Where this becomes really important is that, for example, a province may provide the federal government with a trusted digital identity. We make it very clear that the province has to map that to one and only one individual identity resolution. For example, when that goes into a federal programme space, there is then the responsibility of the Federal programme to map that to the same person. Same individual that is the resident of BC resident of Alberta, but are also a recipient of a federal programme. That’s no longer the responsibility of the province or territory or province or territory, they did their job and delivering the right person to the front door. But then the federal programme has to make sure that that person coming to the front doors map to the right person on record. So it really helped clarify what the providing jurisdiction is providing versus the consuming jurisdiction. And as we’ve discovered that those processes are kind of mixed together. And now we have an ability not only to separate down into those atomic processes, but also to say, well, they’re carried out in one context, but when that individual moves on into another context, some of those processes may have to be carried out again, to make sure it maps to the right person. So it really helped clarify that which is a really ambiguous and ambiguous area in a lot of situations. Yeah. 
And Tim has touched on what I would call another aha moment for bringing together the PCTF, and that was the distinction between the two identity domains, foundational identity and contextual identity. Until we nail that concept down there was a lot of floundering and confusion about what, say, a private sector organisation does in terms of identity establishment, are they subject to the same rigours as, say, a vital statistics organisation within a province or territory when they created any establish it became clear that it was a model so that in fact, foundational identity in Canada is a pretty clear cut mandate. For establishing identity of that sort, foundational identity is given to the provinces and territories in the case of people born in Canada, and to IRCC, Immigration, Refugees and Citizenship Canada, for the case of Canadians who were born abroad, and have entered Canada legally and are subject to a whole chain of events that ultimately will lead to citizenship. In the organisational space, it’s equally true that establishment of organisations, foundational identity of an organisation, is under the mandate of the provinces and territories in the case of those that are incorporated provincially, or Corporations Canada under ISED for those that incorporate federally. And so not only is it clearly within the domain of the public sector, the identity establishment of foundational identity, but it’s two very specific organisational units within the public sector. So they almost then become a special case for identity establishment and are, as the name implies, the foundation upon which all other identity, both for persons and for organisations, follows. And so the vast majority

of organisations that will be subject to assessment are actually dealing with contextual identities, identities that are created from foundational identity. We were faced with an interesting challenge in developing the trust framework. We want to be standards based, we want to be open and interoperable. And we want the ecosystem to thrive, if you will. But as Dave was saying, we had to make sure that what we needed for the public sector was going to do the job for the public sector. And we have very specialised requirements. One of the issues that we would always have is vendors would claim, well, we have a level three identity, you should be able to just use that, they should be able to access a service to get a passport or access to services, social benefits, and we’d say, Well, you know, level three, the issue that we have there is that what you call level three doesn’t actually have a clear link back to foundational identity. For sure you’re looking at evidence that might be foundational, oftentimes is not because you’re looking at a passport, for example. But at the end of the day, we needed to have an absolute clear link back to that foundational or that Genesis event coming from the province or the territory or from immigration and we needed to have confidence that we can actually tie that back to that event. And I would say today, we’re only in a position from a federal standpoint to trust other jurisdictions to do that. There’s no reason that as the market evolves and capabilities evolve, that may change, but for now it gives us a tool to actually specify our requirements that we need for the public sector. Absolutely. The private sector may be able to provide value added services in what we call supporting infrastructure, but also provide services for the processes that we defined, but not in lieu of a government department or agency.

Providing that for citizens. You know, Tim just mentioned another key concept within the PCTF models that we’re proposing. And that’s the supporting infrastructure piece.

Way back four years ago, when we were first talking about this, we had all sorts of things thrown into the pan Canadian trust framework bucket, you know, things like privacy impact assessments, various interoperability, standards, tech standards, you name it, we soon realised that those aren’t things that we should be concerning ourselves with because they already exist as standards or methodologies or policy that, quite frankly, we can’t change in some cases and other cases we shouldn’t change and therefore we don’t need to assess an organisation

On how well it does those things. We do like to know what standards that are out in the walls that they do use and so on. This all helps. But it’s not as though we’re going to look under the hood and see how they do a privacy impact assessment, for example. This bore itself out in practice, when we did the assessment of a province, the Pan-Canadian Trust Framework, the assessment that we did based on this was one of eight workstreams. There was like a technical integration workstream, there was an agreements workstream, there was a communications workstream, there was a security authorization assessment workstream, there was a privacy impact assessment workstream and then there was a couple of other for like coordination in that. So this was only a small part of a much larger components. The other thing that we didn’t the trap that we didn’t fall into, which I’ve seen in other trust frameworks is that they kind of veer off into articulating requirements that aren’t germane to the trust framework, which are the privacy requirements, and are the security requirements and those are going to change, depending on the systems that are employed, the legislation. Really the trust framework is having confidence in those processes being carried out. On the interoperability side, we have a very nice clean division now that we recognise that there’s different technical protocols like there’s Security Assertion Markup Language, which is traditional legacy integration, which we have, there’s the more modern protocols like OpenID Connect, and then the newer stuff that’s coming on stream, which is the verifiable credentials. The nice thing is that we’ve had that office, technical and proper interoperability protocols that we don’t necessarily need to be centrally concerned with in the assessment process.
So while the Pan-Canadian Trust Framework model acknowledges the existence of this supporting infrastructure, and if you’re to look at the current document that’s up on GitHub, there’s a nice diagram of this, itself, the supporting infrastructure is not subject to a PCTF assessment. It acknowledges the existence and the need for its existence. But it’s not the focus of the assessment itself.

The other thing that occurs to me and this is a more recent aha moment, because it’s something we struggled with for a while to the point of ignoring it for for a good while. And but eventually our colleagues clamoured for some clarity on this issue, and that had to deal with, with roles and stakeholders and, and and that sort of stuff. And our initial take on it was a muddle, to say the least. And then Tim and I came to the conclusion that probably

The model that works best for this environment is actually something that we kind of took from the verifiable credentials world. It’s not just them, it’s been around for a while. And we’ve modified it slightly, but essentially, and you’ll see it in W3C documentation on verifiable credentials, it’s the notion that the key roles in this digital ecosystem that the Pan-Canadian Trust Framework is doing its assessment within are issuer, holder and verifier. And we in fact, in the document, map those generic roles to some of the common terms that have been used over the years, alternate terms for issuer, for example, being authoritative party

Or an identity provider, or credential provider etc. verifier used to traditionally call them relying parties a whole bunch of different names for them.

The notion of holder is alien to some people because they said, Well, isn’t that the subject? Well, 99.9% of the time, it is the subject, but the W3C allows for the fact that they may not be synonymous. There’s a tight relationship between the two, I suspect that the reality will be for the area of interest, the Pan-Canadian Trust Framework, subject and holder will be the same entity. But for completeness we allow for subject and holder to be two independent identities but they’re closely coupled in most cases. But where we kind of veer away from the W3C is, of course, in verifiable credentials. Their preoccupation is with storing the truth the verifications in some sort of data store, which is like a blockchain or what any of the newer technologies. And because for the PCTF we’ve been trying to be as technology agnostic as possible. And there’s a simple reason for that, not because it’s a philosophical thing with us. But in fact, we have to be because the parties that we’re trying to cover in the Pan-Canadian Trust Framework are at all sorts of different stages of technologies from the stuff that dates back to the 1980s to those that are on the bleeding edge, you know, so, as soon as we start talking about certain types of technologies then all of a sudden, we’re losing folks on the call, basically, because they’re not there yet. So we came up with this more generic concept of order, which is, I won’t go into all the details, but it covers off all those things which, in a sense, generate assurance that whatever technology you use is appropriate, isn’t compromised and is workable in some way. Okay. It took us a while to sort this out. But we tracked very closely all the debates around blockchain centralization, decentralisation and realise that the primary concern there was, you actually trust the system in between which we call the convenient conveyance system, if you will, and that you actually trust the correctness that actually things are the same going in and coming out and we took this notion of order, and we

Based on it’s a term basic commercial law called private ordering, which really means setting up your own rules that aren’t necessarily government rules. And we looked at it, said, Well, this blockchain fits into this, you know, distributed systems, centralised systems. It’s basically what and it’s more than just a single organisation or a single implementation. It also fits really well with the emerging concepts in the W3C with decentralised identifiers and methods, where you can actually abstract an entire network behind method specifications. So if we decide that we’re going to trust a network, whether it’s like Sovrin or Interac or Bitcoin, that can all be abstracted behind that notion of order. So it’s a really useful concept to enable us to actually entertain different, as I said, technological options and different technical networks that we have to account for, with the, you know, the wide variety of potential implementation of the trust framework. So, it was just a nice way to actually really slice out the ecosystem in an unequivocal way, and quite frankly, going into the, you know, we had quite the carryover of terms from the Federation world. They were just like a continuously growing list. And we actually took the effort of mapping into this roles and it worked out quite nicely and cleanly. So we’re pretty excited about that. That notion of order, helping us to compartmentalise the pieces that we be concerned with or not, because the thing that we’re kind of grappling with now is, and Tim and I have talked about this at some length offline, is the whole notion of credential, and this again is another way in which we kind of veer away from the W3C. The W3C is talking about a specific type of credential, they call a verifiable credential. It’s very much embedded in a particular technology and data model. We can’t do that.
Nor do we want to. We want to come up with a model that is as broad as possible for the notion of credential. We’ve even said, you know, if we can’t model something as physical and tangible as Marco Polo’s letters of introduction to the Emperor Kublai Khan, then we failed, because those are credentials too. And they exist in the real world. Not everyone is going to, nor are they capable of, adopting verifiable credentials tomorrow. So we need to come up with a model that encompasses credentials in all the forms, but the idea is that

So many of us still carry around pieces of paper and pieces of plastic and, and they’re they’re viewed as as credentials and in in, in part of the identity management world anyways. And then the term credential often gets conflated with things like user ID password, in other words, the authentication strategies, and there is some bleed over between those particular notions and the methods that are used for identity verification. And if if my voice is trailing off and sounding vague, it’s because right now, these are just two kind of amorphous cloud of ideas that are beginning to coalesce into one coherent model. And we’re not there yet, but that’s the area we’re moving into

Because we think if we can nail that down the assessment of credentials within the Pan-Canadian Trust Framework will be that much more precise and exact. Going into this exercise four years ago and creating what were called verified login at the time, I would say the assumption that we had was that this would be carried out to syndication or credentials means to maintain by a centralised platform and with username and password or maybe some more sophisticated or to call the indicators but when we started to ingest the work from the W3C, and looked at it very closely, we realised that there was another model at play. And we have, as Dave talked about, we have identified that as a thematic issue which remains in the latest release of the report and I quote, this is thematic issue 2, the evolving state of credentials. We now find ourselves in the middle of some very interesting developments in the areas of digital credentials. There is a

The change happening in the industry where there is a movement from information sharing to presenting digital proofs. There are some good standards work going on with the W3C related to verifiable credentials and decentralised identifiers. So we are excited about that work. But we are recognising that there may be a broader set of mental models that are shifting. And we’re not so sure if we have it quite right yet. I think in this version of the trust framework, I think we’ve gone a long way, as we talked about a bit earlier, this model, issuer, holder, verifier, underwritten by a generic order, and that the subject, in most cases is the holder, but may not be in all cases. A good example is that a parent presenting something on behalf of the child, that’s where the subject is not the holder. So we feel that we have a good model to actually explore those different, you know, edge cases, as they call them, but those edge cases are the ones that I think I said this in another interview become the Achilles heel for these major systems. So we have to

Sure, the model is actually going to work for that whole spectrum of cases that we need to account for from a government point of view. Yeah, the other area that needs more work that we’re diving into is the whole notion of digital relationships within the issuer-holder-verifier model. In fact, relationships between two individuals or between an individual and organisation is in effect, an attribute. Ultimately, that can be modelled as such. So it may not really be one aspect, or a separate form of digital representation as we’ve currently documented in our current version, you know, we talked about digital representations being of two kinds, digital identity, which models real world actors

Like people and organisations, and ultimately devices slash machines. And the other kind of digital representation, you said is a digital relationship. I’m not 100% convinced that that’s the way it’s going to play out. In the end, it may be that a digital relationship is an attribute of one or both entities. Yeah, and or keeping your options open there a big lesson that we’ve learned and doing other types of work like this is not to try to jump the gun conceptually, if you don’t quite have it. Right. It may actually be a disservice to try to come up with something that’s too clear too soon. So as Dave was saying, we’re exploring that. The other area which we we need further investigation is this notion of informed consent we have this idea of noticing consent with respect to the the atomic processes, but we are very open to see how that evolves.

I’m witnessing a lot of discussion around expressing it more as digital rights may be a way of doing it, but we’re not sure yet. And also, I’m seeing a lot of criticism about the implementation of GDPR in terms of notice and consent. While on the face of it, it looks like it’s protecting the individual, the individual is actually subjected to more confusion that they have to bear. And then the providers actually say that they comply with the law or the regulation on the face of it, but at the expense of the individual. So that’s an area that we are quite open for change. And I think what we’ve done with the model, as we said, we’ve collapsed all the various and sundry deliverables into one main deliverable, the main document, and not only is it extensive all we see this moving into, like, it could be academic credentials, it can be any claim we can actually graft on, but if we have to rethink some of these key concepts, it won’t take much of a renovation to fix that up. So we’re quite open to actually adjusting that as need be.

What’s up there I think is good, but it’s by no means perfect, and it still needs some work going forward. But based on everything else that I’ve seen out there, it’s about as good as it gets, even internationally. And I think Tim has been receiving quite a bit of positive feedback on the international stage regard. We’ve had discussions with various international organisations. We’re actually a member of another, we’ll call it the digital nations, which I’ll be presenting to as well. We’re quite familiar with the eIDAS or the EU regulations around digital identity and understand there’s some discussions to actually extend the mutual recognition process originally for the 28 member states, now 27, of course, but it could actually

to Canada as well. And I think this could, the work that we’ve done could be easily a neutral lens to actually see what the European Union has done. New Zealand has a trust framework, Australia’s trust framework as well, it basically to map it into what we need to do from the Canadian point of view. Not saying that it could become an international standard, but I’d say what we’ve learned with what we’ve had to deal with, in what I would call a microcosm of 13 territories and provinces and then the federal jurisdiction, I think we’ve learned a lot to come up with a tool that’s as legislatively neutral as possible. And really to get to the nub of the issue, which is, can you accept that trusted digital identity? And by extension, can you trust the processes that are occurring to provide that?

Yeah, and I think that’s important. The fact is, Canada is a federal polity. And because we’re a federal state, right from the get go, we’ve had to deal with the issues of multiple jurisdictions having multiple variant authorities and mandates. And so we’ve had to come up with a model and a methodology that encompasses that. And that puts us at, well, in some ways, it makes the work harder. But it also puts us in an advantage when you move it on to the international stage, and the really establishing mutual trust at the international level, because we’ve had to do it between jurisdictions within Canada. I have to note that there have been many false starts in the identity space, especially trying to come up with national identities for citizens and whatnot. And usually those are the outcome of a unitary state, where it’s only one level of government, which has all the authority, and so they can decide and impose on a country.

Sometimes they rush their ideas to market way too soon, because there have been no checks on them as there is in a federal system, where we in the federal government can post something, and then we’ll get one of the provinces sticking up their hand. “Yes, but,” they will say. And it’s that sober second thought, to use another good old Canadian term, that has actually helped us along the way.

And we’ve worked very hard to make sure that those assumptions that aren’t appropriate aren’t built into the framework. Like, there’s no assumption that’s a single programme that’s responsible for. There’s no assumption that a single system or technology is going to do the job. There’s no assumption that even a single network is going to do the job. We are setting ourselves up to enable a multiplicity of networks, systems and that can serve Canadians and actually provide them with choice. I think that’s the most important, is to ensure that not only Canadians’ rights are upheld. I know that might sound rather grand. But I think more importantly, is that they have choices in how they want to interact electronically, so we don’t fall into these situations of natural monopolies in the digital realm. And just making sure that we keep the balance. And I think you’ll see as you read through the document, we make no assumptions around the relative asymmetry as well. Like, that’s why that model of the issuer, verifier, holder, we make no assumption of one is by, like, a government authority, and the other one is from an individual. Anyone can actually assume these roles in the model. And so, you know, the framework itself, it’s not legislation, it’s not policy. It’s not even governance. It’s basically a tool with which you can actually look at your systems that you have in place and then map it to your own legislation and policy, and then also engage in a process of understanding what you’re doing subject to a set of neutral norms, which then can be used to assess in a mutual recognition process.

So I think we’ll leave it at that. So thanks, Dave, for giving us a bit of a fireside chat on the document. I realised that there might have been tonnes of information that we talked about. I will add the link to the document and the GitHub site on the show notes, and feel free if you have any questions or comments. We’re totally open to that. This is a work in progress, but I think where we’re at with what we have, we’ve done a pretty good job, and we’re looking forward to applying it and actually make it even better. So that’s it. So that’s it for another episode of Definitely identity.

Transcribed by https://otter.ai

Tim Bouma

Based in Ottawa. Does identity stuff. My tweets are my opinion but they can be yours too!