Jul 20, 2020 in Interoperability by DIACC

Request for Comment and IPR Review: PCTF Assessment and Infrastructure (Technology & Operations) Draft Recommendations V1.0

Notice of Intent: DIACC is collaborating to develop and publish Assessment and Infrastructure (Technology & Operations) industry standards as components of the Pan-Canadian Trust Framework™ (PCTF) to set a baseline of public and private sector interoperability of identity services and solutions.

To learn more about the Pan-Canadian vision and benefits-for-all value proposition please review the Pan-Canadian Trust Framework Overview.

Document Status: These review documents have been approved as Draft Recommendations V1.0 by the DIACC’s Trust Framework Expert Committee (TFEC) that operates under the DIACC controlling policies.

Summary: 

The intent of the PCTF Assessment component is to establish the certification scheme to verify that a process, service, or product conforms with criteria defined in the PCTF.

The intent of the PCTF Infrastructure (Technology & Operations) component is to identify the operational policies, plans, technology and technology operations requirements to support implementation of the principles of the PCTF Profiles in the context of a Digital Identity Ecosystem.

Invitation: All interested parties are invited to comment.

Period: Opens: July 20, 2020 at 23:59 PST | Closes: August 20, 2020 at 23:59 PST

Document: Assessment Draft Recommendation V1.0

When reviewing this draft, consider the following and note that responses to these questions are non-binding and serve to improve the PCTF.

  1. Is the description of roles and responsibilities clear at this level?
  2. This draft describes a tiered assessment process with varying levels of evidence examination applied depending on the risk and usage profile of the service being examined for certification.
    • Are the two processes defined enough? If not, what would be the nature of any additional discrete process? What would it apply to? Would its addition change the nature of either of the two processes defined?
    • If the two process versions defined are sufficient, do the differences between them meet the goals of application of a less onerous certification process to some applications for certification? If not, then what would you suggest as an alternative?
    • Keeping in mind that adjustments may be needed based on the output of the TFEC Working Group on LoA, are the criteria for determining which certification process applies acceptable in principle?
    • A draft definition of classification based on service usage is included. Does this meet the needs of this Profile at this level? If not, what alternative would you suggest?
  3. Are there concepts or terminology that remain unclear or inconsistently applied?
  4. This Overview is meant to define the high level model and process for certification. Development of the significant Programme execution supporting information has been deferred until the model at this level is ratified. Are there any significant omissions from this high level Overview that would preclude you from understanding the model at this level?
  5. Do you agree with the process for certification of Services as described? If not, what specific modifications would you suggest?
  6. Do you agree with the process for certification of Accredited Assessors as described? If not, what specific modifications would you suggest?
  7. The last section of the document identifies a number of required documents to support this certification process. The intent is to capture detailed process-oriented content in these documents after the Certification Assessment Program has been approved in principle. With this in mind, and considering the level of detail appropriate for this document, are there any major elements of the certification program not yet addressed in this draft?

NOTE that elements of examination for certification may be adjusted based on the finalization of the Working Group on LoA; please keep this in mind when commenting on this document.

Documents: Infrastructure (Technology & Operations) Draft Recommendations V1.0

When reviewing this draft, consider the following and note that responses to these questions are non-binding and serve to improve the PCTF.

  1. Several feedback items suggest that additional prescriptive detail be added to this Conformance Profile. Some adjustments were made, but additional input is sought to identify areas where further detail should be included. Where specific methods or standards are to be expanded upon, please include suggested methods, tools, or plan/policy items that you feel should be added.
  2. The Conformance Criteria are organized into three categories. Are these appropriate and understandable? If not, please suggest an alternate categorization scheme.
  3. Care was taken to try to strike a balance between generic Criteria defined at a high level and being too prescriptive. Do the criteria meet this objective of being prescriptive enough to be useful and generic enough to be applicable to most Digital Identity Ecosystem instances?
  4. Note that there are several instances where cross-references to related information in other Profiles are included. Are there other instances where this would be appropriate?
  5. Are there significant requirements missing from this draft? If so, please identify the requirements you believe should be included.
  6. Care was taken not to identify a specific technology or technology protocol, believing that none applied as a requirement in every instance. Is this correct, or is there a specific technology or protocol that should be included as a PCTF requirement?

NOTE that the PCTF Working Group on LoA is underway with the objective of defining how LoA will be treated across all PCTF Profiles. Treatment of potential variances in Conformance Criteria based on Service LoA was deferred in this version of the Profile. Please reserve your comments in this area for an enhanced draft of these documents once the LoA Working Group has published its results.

Intellectual Property Rights: Comments must be received within the 30-day comment period noted above. All comments are subject to the DIACC contributor agreement; by submitting a comment you agree to be bound by the terms and conditions therein. DIACC Members are also subject to the Intellectual Property Rights Policy. Any notice of an intent not to license under either the Contributor Agreement and/or the Intellectual Property Rights Policy with respect to the review documents or any comments must be made at the Contributor’s and/or Member’s earliest opportunity, and in any event, within the 30-day comment period. IPR claims may be sent to review@diacc.ca. Please include “IPR Claim” as the subject.

Process:

  • All comments are subject to the DIACC contributor agreement.
  • Submit comments using the provided DIACC Comment Submission Spreadsheet.
  • Reference the draft and corresponding line number for each comment submitted.
  • Email completed DIACC Comment Submission Spreadsheet to review@diacc.ca.
  • Questions may be sent to review@diacc.ca.

Value to Canadians: The PCTF Assessment and Infrastructure (Technology & Operations) components will provide value to all Canadians, businesses, and governments by setting a baseline of auditable criteria to assess business, legal, and technical interoperability. The DIACC’s mandate is to collaboratively develop and deliver resources to help Canadians to digitally transact with security, privacy, and convenience. The PCTF is one such resource that represents a collection of industry standards, best practices, and other resources that help to establish interoperability of an ecosystem of identity services and solutions. The DIACC is a not-for-profit coalition of members from the public and private sectors who are making a significant and sustained investment in accelerating Canada’s Identity Ecosystem.

Context: The purpose of this Draft Recommendation review is to ensure transparency in the development process and diversity of truly Pan-Canadian, and international, input. In alignment with our Principles for an Identity Ecosystem, processes to respect and enhance privacy are being prioritized through every step of the PCTF development process.

DIACC expects to modify and improve these Draft Recommendations based upon public comments. Comments made during the review will be considered for incorporation into the next drafts, and DIACC will prepare a Disposition of Comments to provide transparency with regard to how each comment was handled.

Thank you for your support and participation in this review period.