Public Sector Profile of the Pan-Canadian Trust Framework Version 1.0 Recommendation Draft — Now available on GitHub
Note: This posting, plus the recommendation draft documents, can be found in the public sector profile link on GitHub here
Directly download the recommendation draft (87 pages pdf)
A quick recap of the sequence of events leading up to this recommendation draft:
- In January 2019, weekly IMSC PCTF working group calls were established. Work-in-progress material was circulated on a regular basis.
- On February 26th, 2019, the IMSC met in person to discuss the ongoing work of the PCTF.
- On March 28th, 2019, the IMSC PCTF Version 1.0 Document Version 0.4 Consultation Draft was released.
- During the period (March 28 to present), we received almost 300 comments, which we have reviewed and disposed of in the recommendation draft.
The public sector profile of the PCTF reflects:
- Evolution of the Identity Management Sub-Committee (IMSC) efforts. Over the past year we have iterated the PCTF based on testing with provincial pilots. This document reflects our iteration and learnings.
- The Need to Apply the PCTF for Assessments. We have completed a provincial assessment and we are now undertaking another. For assessment purposes, we need to stabilize the PCTF as quickly as possible. We believe this version attached (and the associated worksheet) is sufficient to conduct a rigorous and transparent assessment process. While we recognize that we will continue to learn and adjust the PCTF, what we have now is of sufficient clarity for assessment. For additional rigour, the conformance criteria can now be entered into a requirements management tool, and into a proper change management process.
- Policy Alignment. The new Treasury Board Directive on Identity Management is now in force. This new directive, a major driver for the federal government, has new policy requirements based on the collaborative work the IMSC has done, dating back to what was agreed to in April 2016 as key digital identity concepts. The Government of Canada is now executing against these new requirements, anticipating that the PCTF would become the key enabler for formalizing the assessment process for accepting trusted digital identity.
We encourage you to read through the recommendation draft carefully, as there are many subtle but significant changes. A few high-level comments:
- This recommendation draft (v0.6) is greatly improved based on the comments we received on the consultation draft (v0.5). In total we received and disposed of 83 comments, which resulted in substantive changes or were noted as work going forward in Appendix D: Thematic Issues. At our next call we will discuss how to address the thematic issues going forward.
- It is our opinion that this recommendation draft is of sufficient detail and clarity to conduct the assessment process for accepting trusted digital identities of persons (which is currently underway in several jurisdictions). The attached spreadsheet is the tool to carry out the assessment process. It should be noted that this tool remains a work-in-progress and changes are being informed by the assessment process. Further, this tool is being used to test out the PCTF in the international context, as we have several partners interested in applying what we developed in Canada.
- During this final iteration we have been diligent in ensuring that, in addition to persons, organizations are incorporated comprehensively into the framework. As such, discussions and definitions have been changed to reflect the broader scope to include organizations and relationships.
Our immediate priorities as a public sector working group are:
- To develop a recommendation statement that we, as a working group and through consensus, can provide to the Identity Management Sub-Committee (IMSC) for endorsement.
- To address the thematic issues in Appendix D of the recommendation draft. These issues essentially form the basis of the road map and efforts as a working group going forward.
To conclude, we have a solid piece of work here, but the effort continues to engage and communicate with our stakeholders. Equally important is to ensure the validity and applicability of the framework, so that it meets our needs and, by extension, the needs of Canadians.
The thematic issues in Appendix B of the recommendation draft are excerpted below:
Thematic Issue 1: Defining the PCTF
It is becoming clear that the PCTF is a set of agreed-on concepts and criteria as opposed to being some sort of ‘standard’. Instead, it is a framework that helps to situate existing standards (both business and technical) and relevant policy, guidance, and practices. This is certainly the case at the Federal level where the atomic processes and their associated conformance criteria have been mapped to the Federal government’s policy instruments, supporting guidelines, and technical interface standards. We need to ensure that this definition of the PCTF as a detailed policy framework is communicated clearly and consistently within the document.
Thematic Issue 2: Including Organizations and Digital Relationships
We are beginning to incorporate the work that ISED has done on organizations. Although the current version of the document is still primarily focused on persons, we are ready to fully include the organization entity type into the next version of the PCTF. Additionally, we need to work on expanding our treatment and coverage of digital relationships within the document — currently, that coverage is not much more than a definition and a set of placeholders.
Thematic Issue 3: The Evolving State of Credentials and Claims
We now find ourselves in the middle of some very interesting developments in the areas of digital credentials and verifiable claims. There is a sea-change happening in the industry where there is a movement from ‘information-sharing’ to ‘presenting digital claims’. There is also some good standards work going on at the W3C relating to verifiable credentials and decentralized identifiers.
Due to these new developments, we are now seeing the possibility that the traditional intermediated services (such as centralized/federated login providers) may disappear due to new technological advancements. This may not happen in the near future, but we are currently adjusting the PCTF model to incorporate the broader notion of a ‘verifiable credential’ (more than a login) and are generalizing it to allow physical credentials (e.g., birth certificates, driver’s licences) to evolve digitally within the model.
We are not sure that we have the model completely right (yet), but nonetheless, Canada seems to be moving into the lead in understanding the implications of applying these technologies at ecosystem-scale (both public and private). As such, we are getting inquiries about how the PCTF might facilitate the migration to digital ecosystems and to new standards-based digital credentials, open-standards verification systems, and international interoperability.
Thematic Issue 4: Stakeholders, Roles, and Actors
The current version of the PCTF still reflects differences in perspective in regards to who or what are the stakeholders, roles, and actors in the PCTF. This is due to the PCTF model’s anticipated shift towards verifiable claims, verifiable credentials, and decentralized identifiers (see Thematic Issue 3). As we resolve Thematic Issue 3, the definition and delineation of PCTF stakeholders, roles, and actors should become clearer.
Thematic Issue 5: Informed Consent
Informed consent is an evolving area and we don’t think the PCTF currently captures all the issues and nuances surrounding this topic. We have incorporated material from the DIACC and we have adjusted this material for public sector considerations. But with the recent publication of the Canada Digital Charter, there is debate in the consent area, especially in what might need to change in legislation. Shortly, discussion papers will be released on how Canada might update legislation relating to privacy, consent, and digital identity. We fully expect the notion of consent to change, but in the meantime, we feel that we have enough clarity in the PCTF to proceed with assessments — but we are ready to make changes if necessary.
Thematic Issue 6: Scope of PCTF
Some have suggested that the scope of the PCTF should be broadened to include academic qualifications, professional designations, etc. We are currently experimenting with pilots in these areas with other countries. We have anticipated extensibility through the generalization of the PCTF model and the potential addition of new atomic and compound processes. Keep in mind, however, that digital identity is a very specific but hugely important use case that we need to get right first. We are not yet ready to entertain a broadened scope for the PCTF into other areas, but soon we will.
Thematic Issue 7: Additional Detail
Many questions have been asked about the current version of this document in regards to the specific application of the PCTF. While we have a good idea, we still don’t have all of the answers. Much of this detail will be derived from the actual application of the PCTF (as was done with Alberta previously). The PCTF is a framework and, as it is applied, it will likely be supplemented by detailed guidance separate from the PCTF itself. We don’t know exactly what this additional material will look like until we learn more through the application of the current PCTF.