Public Sector Profile of the Pan-Canadian Trust Framework Version 1.2 and Next Steps

The Public Sector Profile of the Pan-Canadian Trust Framework Working Group Close-Out Report

Public Sector Profile of the Pan-Canadian Trust Framework Version 1.2

Note: This post is of the author based on knowledge and experience gained at the time. The author recognizes that there may be errors and biases, and welcomes constructive feedback to correct or ameliorate.

Additional context: This post is based on the report and presentation that was provided on December 10, 2020, to the newly-formed Jurisdictional Experts on Digital Identity (JEDI), the committee responsible for public sector governance for digital identity.

The consultation draft of the Public Sector Profile of the Pan-Canadian Trust Framework Version 1.2 is now available and directly downloadable at this link. The folder with related artifacts is available here.

The remainder of this post is the content of the report, lightly edited for Medium.

Objective of the PSP PCTF Working Group (PSP PCTF WG)

The primary objective of the PSP PCTF WG had been the development of the Public Sector Profile of the Pan-Canadian Trust Framework (PSP PCTF). This has been achieved by contributing and reviewing content, attaining the consensus of the public sector jurisdictions, and monitoring related developments that might impact the development of the PSP PCTF.

The main deliverable of the PSP PCTF WG has been the PSP PCTF, the various versions of which consist of a consolidated overview document, an assessment methodology, and an assessment worksheet.

The PSP PCTF WG has also facilitated other activities such as:

• Sharing information, updates, and lessons learned from various digital identity initiatives; and
• Consultation and engagement with multi-jurisdictional and international fora.

Membership

At its dissolution, the PSP PCTF WG had 111 confirmed members on its distribution list consisting of representatives from all jurisdictions and various municipalities across Canada, as well as international participants from the Digital Nations. The working group normally met on a weekly call that averaged 20 to 30 participants.

Achievements

PSP PCTF Deliverables

The PSP PCTF Version 1.2 is now available at: https://github.com/canada-ca/PCTF-CCP. It should be noted that this has been the iterative product of several prior versions:

• April 2018: The Public Sector Profile of the Pan-Canadian Trust Framework Alpha Version — Consolidated Overview document;
• July 2019: The Public Sector Profile of the Pan-Canadian Trust Framework Version 1.0 — Consolidated Overview document;
• June 2020: The Public Sector Profile of the Pan-Canadian Trust Framework Version 1.1 — Consolidated Overview document; and
• For each of these versions of the PSP PCTF, a companion PSP PCTF Assessment Worksheet consisting of approximately 400 conformance criteria.

PSP PCTF Assessments

The PSP PCTF was used in the following assessments conducted by the federal government to accept trusted digital identities from the provinces of Alberta and British Columbia:

• September 2018: Assessment and Acceptance of the MyAlberta Digital Identity (MADI) Program for use by the Government of Canada (using the PSP PCTF Alpha Version); and
• January 2020: Assessment and Acceptance of the British Columbia Services Card Program for use by the Government of Canada (using the PSP PCTF Version 1.0).

Insights and lessons learned from the application of these PSP PCTF assessments were brought back to the PSP PCTF WG and the learnings were incorporated into subsequent versions of the PSP PCTF.

Joint Council Briefings

The PSP PCTF is the result of a long-term and deep collective experience of the public sector. Efforts on the PSP PCTF began in late 2014 and have been reported regularly to the Joint Councils by the Identity Management Sub-Committee (IMSC) Working Group and its successor, the PSP PCTF Working Group. The following is the list of updates that are on record and are available for reference in the joint-councils-update folder (GitHub link):

• February 2017 — Joint Councils Update;
• October 2017 — Joint Councils Update;
• February 2018 — Joint Councils Update;
• September 2018 — Joint Councils Update; Whitehorse Declaration and MADI Update;
• February 2019 — Joint Councils Update; and
• February 2020 — Joint Councils Update.

Related Deliverables

In addition to the PSP PCTF itself, the following related deliverables should be noted:

• Whitehorse Declaration — a declaration of shared intent among the federal, provincial, territorial, and municipal governments to pursue the establishment of trustworthy digital identities for all Canadians (GitHub link);
• IMSC Public Policy Paper — recommendations for a Pan-Canadian policy position on the question of roles and responsibilities of the public and private sector in digital identity (GitHub link); and
• Many historical deliverables that are too numerous to list in this report. A Public Historical Archive of deliverables and briefings, many of which pre-date the efforts of the PSP PCTF are being compiled in a folder on a best-effort basis (GitHub link).

Other

It also should be noted that content from the PSP PCTF Version 1.1 was incorporated into the National Standard of Canada, CAN/CIOSC 103–1, Digital Trust and Identity — Part 1: Fundamentals, developed by the CIO Strategy Council, and approved by the Standards Council of Canada (Website link).

PSP PCTF WG Work Plan 2020–2021

At the time of its dissolution, the work plan of the PSP PCTF WG was as follows:

1. PSP PCTF Version 1.2

• A Consolidated Overview document (released on December 4th, 2020) which includes:
• A revised Normative Core (containing new concepts that were developed as a result of the credentials and relationships analysis work);
• A revised Credential Model (based on the working group discussion document); and
• An incorporated Relationship Model (based on work led by ISED).

2. An Assessment Worksheet (draft released on December 4, 2020) which contains new and revised conformance criteria for assessment purposes

3. A re-assessment of the MyAlberta Digital Identity (MADI) Program for use by the Government of Canada (using the PSP PCTF Version 1.2) with planned completion by March 2021.

PSP PCTF Thematic Issues

During the development of the PSP PCTF, the working group has identified several high-level thematic issues that must be addressed in order to advance the digital ecosystem.

Thematic Issue 1: Relationships (Priority: High)

The development of a relationship model is required.

This issue has been initially addressed in the PSP PCTF Version 1.2 Consolidated Overview document released in December 2020.

Thematic Issue 2: Credentials (Priority: High)

The development of a generalized credential model is required. This model should integrate traditional physical credentials and authentication credentials with the broader notion of a verifiable credential.

This issue has been initially addressed in the PSP PCTF Version 1.2 Consolidated Overview document released in December 2020.

Thematic Issue 3: Unregistered Organizations (Priority: High)

Currently, the scope of PSP PCTF includes all organizations registered in Canada (including inactive organizations) for which an identity has been established in Canada. There are also many kinds of unregistered organizations operating in Canada such as sole proprietorships, trade unions, co-ops, NGOs, unregistered charities, and trusts. An analysis of these unregistered organizations needs to be undertaken.

Thematic Issue 4: Informed Consent (Priority: High)

The current version of the PSP PCTF Consolidated Overview document does not adequately capture all the issues and nuances surrounding the topic of informed consent especially in the context of the public sector. A more rigorous exploration of this topic needs to be done.

Thematic Issue 5: Privacy Concerns (Priority: Medium)

In regards to the Identity Continuity and Relationship Continuity atomic processes, it has been noted that there are privacy concerns with the notion of dynamic confirmation. Further analysis based on feedback from the application of the PSP PCTF is required to determine if these atomic processes are appropriate.

Thematic Issue 6: Assessing Outsourced Atomic Processes (Priority: Medium)

The PSP PCTF does not assume that a single Issuer or Verifier is solely responsible for all of the atomic processes. An organization may choose to outsource or delegate the responsibility of an atomic process to another party. Therefore, several bodies might be involved in the PSP PCTF assessment process, focusing on different atomic processes, or different aspects (e.g., security, privacy, service delivery). It remains to be determined how such multi-actor assessments will be conducted.

Thematic Issue 7: Scope of the PSP PCTF (Priority: Low)

It has been suggested that the scope of the PSP PCTF should be broadened to include academic qualifications, professional designations, etc. The PSP PCTF anticipates extensibility through the generalization of the PSP PCTF model and the potential addition of new atomic processes. Expanding the scope of the PSP PCTF into other domains needs to be studied.

Thematic Issue 8: Signature (Priority: Low)

The concept of signature as it is to be applied in the context of the PSP PCTF needs to be explored.

Thematic Issue 9: Foundation Name, Primary Name, Legal Name (Priority: Low)

The PSP PCTF has definitions for Foundation Name, Primary Name, and Legal Name. Since the three terms mean the same thing, a preferred term should be selected and used consistently throughout the PSP PCTF documents.

Thematic Issue 10: Additional Detail (Priority: Low)

It has been noted that the PSP PCTF Consolidated Overview document contains insufficient detail in regards to the specific application of the PSP PCTF. The PSP PCTF Consolidated Overview document needs to be supplemented with detailed guidance in a separate document.

Thematic Issue 11: Review of the Appendices (Priority: Low)

A review of the current appendices contained in the PSP PCTF Consolidated Overview document needs to be undertaken. Each appendix should be evaluated for its utility, applicability, and appropriateness, and a determination made as to whether it should continue to be included in the document.

Recommendations for Next Steps

1. Continue the development of the PSP PCTF based on the thematic issues identified above. These thematic issues may be addressed as part of a working group, or through task groups, or practice groups.
2. Continue the application of the PSP PCTF through the Assessment Process with the Provinces and Territories, with a view to incorporating learnings back into subsequent versions of the PSP PCTF, and, evolving the assessment process toward a standards-based process that has a formal certification scheme with accredited bodies and independent assessors.
3. Support the changes in digital identity governance to ensure that the PSP PCTF is developed and used in the public interest and is aligned with other industry and international efforts.
4. Establish as required, working groups, task groups, or practice groups for:
5. Ongoing development and maintenance of the PSP PCTF and related assessment processes and certification schemes;
6. Carrying out specific time-bound tasks or address issues. (e.g., addressing the thematic themes through discussion papers, analysis of other trust frameworks, etc.);
7. Testing practical applications of the PSP PCTF standards and conformance criteria through assessments and use cases; and
8. Sharing knowledge and lessons learned in relation to the application of the PSP PCTF and the assessment process.
9. Facilitate broader engagement using the PSP PCTF, including:
10. Engaging standards development organizations, domestic and international, to support the standards development and certification scheme development;
11. Engaging international organizations having an interest in applying or adapting the PSP PCTF for their purposes;
12. Collaborating with industry associations wishing to advance the aims of their membership, or their specific sector; and
13. Encouraging dialogue with other governments, either bilaterally facilitated through the federal government, or multilaterally through established bodies (e.g., UNCITRAL, the Digital Nations).

Conclusion

At the time of its dissolution, the PSP PCTF WG was an important vehicle for ensuring public sector communication and discussion across Canada in order to cultivate a shared understanding of how identity and digital identity could be best developed for the country.

Much has been achieved by the working group, building on prior work going back more than a decade. However much more work remains. It is hoped that the work accomplished to date and the recommendations put forward in this report will be considered by the JEDI to support their mandate to accelerate the specific goals of the digital identity priority of the Joint Councils.