Pan-Canadian Trust Framework™ Work Program


The Pan-Canadian Trust Framework™ (PCTF) is a set of resources focused on economic benefits. It is developed collaboratively in the DIACC’s Trust Framework Expert Committee (TFEC), published under the neutral governance of the DIACC, and benefits from the broad input of the economic sector and of Canada’s federal, provincial, and territorial representatives of the Joint Councils Identity Management Subcommittee (IMSC).

PCTF describes the roles and requirements to be agreed on by participating public and private sector organizations, to meet current and future Canadian innovation needs. PCTF documents and artifacts are intended to secure interoperability of public and private sector identity capabilities while prioritizing user-centred design, privacy, security, and convenience of use.

PCTF Discussion Drafts and Draft Recommendations are released in phases so that the work is done in the open, and all Canadians and interested international parties are invited to submit comments.

PCTF is developed as an open public resource. PCTF will always be freely available to the public for review and adoption. Drafts are continually made available for public review and input. PCTF is developed under DIACC’s neutral good governance policies and procedures.

Notice of Intent

Number | Notice | Title | Status | Scope | Need

P1010 | TBA - Fall 2019 | Pan-Canadian Trust Framework Governance: Assessment & Compliance | Discussion Drafts

This PCTF component will establish the system by which a third party certifies that the process, service, or product of another digital identity ecosystem participant conforms with conformance criteria defined in other PCTF components. The component's primary subject areas are i) the operation of a certification program generally (including stakeholder roles within the program, governing policies, and information that DIACC must provide to certification candidates) and ii) specific methods and requirements for demonstrating, assessing, and indicating compliance with PCTF conformance criteria. Within these subject areas, the scope of this component is anticipated to include definition of:

1. Roles and responsibilities of DIACC, compliance assessors, and candidates for certification
2. Baseline assessment methods and procedures, application of these methods and procedures to specific PCTF conformance criteria
3. Inputs to the certification process from certification candidates
4. Instruments for indicating/proving certification and compliance with PCTF conformance criteria
5. Certification renewals
6. Appeals procedures

The scope of this PCTF component does not include:

1. Certification candidate internal processes related to certification processes
2. Compliance and assessment with PCTF profiles

The Governance Component will provide value to all Canadians, businesses, and governments by setting a baseline standard to guide public and private sector interoperability of identity solutions and services. The DIACC’s mandate is to collaboratively develop and deliver resources to help Canadians to digitally transact with security, privacy and convenience. The Pan-Canadian Trust Framework is one such resource. The Pan-Canadian Trust Framework represents a collection of industry standards, best practices, and other resources that help to establish interoperability of an ecosystem of identity services and solutions. The DIACC is a not-for-profit coalition of members from the public and private sector who are making a significant and sustained investment in accelerating the establishment of Canada’s Identity Ecosystem.

P1009 | TBA - Fall 2019 | Pan-Canadian Trust Framework Technology & Operations Infrastructure | Discussion Drafts

This PCTF component will specify conformance criteria that provide general requirements and guidelines regarding the trustworthiness of the IT infrastructure that enables implementation and delivery of the trusted processes defined in other PCTF components. The component's primary subject areas are the security and integrity of technical components. Within these areas of interest, the component's scope includes:

1. IT security (as a general consideration)
2. Preserving the confidentiality and integrity of supporting IT infrastructure
3. Oversight of data collection, validation, storage, and accessibility
4. Audit and logging.

The component's secondary subject area concerns prevention of and response to IT events that compromise the trustworthiness of the digital identity ecosystem. Within this area of interest, the component's scope includes risk management (identifying direct or indirect risks to IT and reducing or eliminating the likelihood of these risks occurring) and incident response (identifying, assessing, and responding to events that adversely affect IT, including reducing or eliminating the likelihood of the incident recurring).

The scope of this PCTF component does not include the suitability of specific products to support a given trusted process.

The Technology & Operations Infrastructure Component will provide value to all Canadians, businesses, and governments by setting a baseline standard to guide public and private sector interoperability of identity solutions and services. The DIACC’s mandate is to collaboratively develop and deliver resources to help Canadians to digitally transact with security, privacy and convenience. The Pan-Canadian Trust Framework is one such resource. The Pan-Canadian Trust Framework represents a collection of industry standards, best practices, and other resources that help to establish interoperability of an ecosystem of identity services and solutions. The DIACC is a not-for-profit coalition of members from the public and private sector who are making a significant and sustained investment in accelerating the establishment of Canada’s Identity Ecosystem.

P1008 | TBA - Fall 2019 | Pan-Canadian Trust Framework Credential (Relationship/Attributes) | Discussion Drafts

This PCTF component will specify conformance criteria related to the creation, issuance, and management of credentials existing in digital form. The baseline use case from which this component's criteria will be derived is creation and provision of a digital credential by a single issuer to a human subject/owner who is not also the issuer. The component's secondary use case is self-issuance of a digital credential (i.e., the issuer is also the subject/owner). Within the broad parameters of these use cases, this component's scope includes:

1. Verification of credential content and details
2. Recommendations for limiting disclosure of data from a credential
3. Credential life-cycle management, including revocation.

The scope of this component is also anticipated to include the following use case variants: instances where the holder/controller of a credential is not also the owner/subject, delegation by the issuer of credential issuance and management responsibilities to a third party, and owner/subject authorization of a third party to use an issued credential.

The scope of this PCTF component does not include:

1. Requirements related to issuer rules and policy governing qualification or eligibility for a credential
2. Issuer processes for assessing qualification or eligibility for a credential
3. Verifier/relying party rules and policy governing acceptance of a credential
4. Verifier/relying party use of credential data in a credential in downstream processes

In the PCTF Model Overview, relationships are considered a type of credential. While conformance criteria falling within the above scope generally apply to relationships, additional considerations are applicable to this type of credential. The scope of this component is anticipated to include conformance criteria related to the following with respect to relationships between two parties: references to verification of person and organization identity as applicable, managing changes to personal information of either party that may affect the relationship and its verification, and use of independent third parties to verify a relationship. With respect to relationships between organizations and the persons acting on their behalf, this component will consider criteria regarding minimum requirements for creating and defining the nature of a relationship outside the bounds of regulated processes.

The Credential Component will provide value to all Canadians, businesses, and governments by setting a baseline standard to guide public and private sector interoperability of identity solutions and services. The DIACC’s mandate is to collaboratively develop and deliver resources to help Canadians to digitally transact with security, privacy and convenience. The Pan-Canadian Trust Framework is one such resource. The Pan-Canadian Trust Framework represents a collection of industry standards, best practices, and other resources that help to establish interoperability of an ecosystem of identity services and solutions. The DIACC is a not-for-profit coalition of members from the public and private sector who are making a significant and sustained investment in accelerating the establishment of Canada’s Identity Ecosystem.

P1007 | TBA - Fall 2019 | Pan-Canadian Trust Framework Verified Organization | Discussion Drafts

The Verified Organization Component defines a set of processes that allow organizations to exchange trustworthy information about themselves or others (individuals or organizations) with external parties. The primary objective of this information exchange is to verify the existence and identity of an organization in a given service or transaction. A secondary objective is the verification of organization attributes to support various service requirements. The integrity of these processes is established and assessed by means of standardized conformance criteria and certifications for each process.

Taken together, these processes and certifications provide business, operational, and technical conventions for the development of reliable, secure, and interoperable technical implementations that other participants of the Pan-Canadian Trust Framework can trust.

The Verified Organization Component will provide value to all Canadians, businesses, and governments by setting a baseline standard to guide public and private sector interoperability of identity solutions and services. The DIACC’s mandate is to collaboratively develop and deliver resources to help Canadians to digitally transact with security, privacy and convenience. The Pan-Canadian Trust Framework is one such resource. The Pan-Canadian Trust Framework represents a collection of industry standards, best practices, and other resources that help to establish interoperability of an ecosystem of identity services and solutions. The DIACC is a not-for-profit coalition of members from the public and private sector who are making a significant and sustained investment in accelerating the establishment of Canada’s Identity Ecosystem.

P1006 | TBA - Fall 2019 | Pan-Canadian Trust Framework Verified Person | Discussion Drafts

The Verified Person Component defines a set of processes used to establish that a natural person is real, unique and identifiable. This is a key ingredient in establishing a Trusted Digital Identity, an electronic representation of a person, used exclusively by that same person, to receive valued services and to carry out transactions with trust and confidence.

The Verified Person Component will provide value to all Canadians, businesses, and governments by setting a baseline standard to guide public and private sector interoperability of identity solutions and services. The DIACC’s mandate is to collaboratively develop and deliver resources to help Canadians to digitally transact with security, privacy and convenience. The Pan-Canadian Trust Framework is one such resource. The Pan-Canadian Trust Framework represents a collection of industry standards, best practices, and other resources that help to establish interoperability of an ecosystem of identity services and solutions. The DIACC is a not-for-profit coalition of members from the public and private sector who are making a significant and sustained investment in accelerating the establishment of Canada’s Identity Ecosystem.

P1005 | August 6, 2019 | Pan-Canadian Trust Framework Privacy | Discussion Drafts

The Privacy Component of the PCTF is concerned with the handling of personal data for digital identity purposes. The objective of the Privacy Component is to ensure the ongoing integrity of the privacy processes, policies and controls of organizations in a digital identity ecosystem by means of standardized conformance criteria used for assessment and certification against the Pan-Canadian Trust Framework (PCTF). The Conformance Criteria for the Privacy Component specify how the PIPEDA Fair Information Principles, defined by the Office of the Privacy Commissioner of Canada, are relevant and apply to the handling of digital identity data. (Note: These are not intended to replace existing regulations; organizations are expected to meet privacy regulations in their jurisdiction.)

The Privacy Component will provide value to all Canadians, businesses, and governments by setting a baseline standard to guide public and private sector interoperability of identity solutions and services. The DIACC’s mandate is to collaboratively develop and deliver resources to help Canadians to digitally transact with security, privacy and convenience. The Pan-Canadian Trust Framework is one such resource. The Pan-Canadian Trust Framework represents a collection of industry standards, best practices, and other resources that help to establish interoperability of an ecosystem of identity services and solutions. The DIACC is a not-for-profit coalition of members from the public and private sector who are making a significant and sustained investment in accelerating the establishment of Canada’s Identity Ecosystem.

P1004 | May 15th, 2019 | Pan-Canadian Trust Framework Verified Login | Discussion Drafts

The Verified Login Component defines a set of processes used to enable access to digital systems and a set of conformance criteria for each process. These processes include binding a credential to a subject, binding authenticators to a credential, as well as lifecycle management functions that include updates, suspension, recovery, and revocation, and session management. For the purposes of Verified Login, a subject may be a person, organization, application, or device.

The objective of the Verified Login Component is to ensure the ongoing integrity of the login processes by applying standardized conformance criteria for assessment and certification. Verified Login is a set of processes that are intended to help establish confidence and trust in the use of a trusted digital identity. A certified process is a Trusted Process that can be relied on by other participants of the Pan-Canadian Trust Framework.

The Verified Login Component will provide value to all Canadians, businesses, and governments by setting a baseline standard to guide public and private sector interoperability of identity solutions and services. The DIACC’s mandate is to collaboratively develop and deliver resources to help Canadians to digitally transact with security, privacy and convenience. The Pan-Canadian Trust Framework is one such resource. The Pan-Canadian Trust Framework represents a collection of industry standards, best practices, and other resources that help to establish interoperability of an ecosystem of identity services and solutions. The DIACC is a not-for-profit coalition of members from the public and private sector who are making a significant and sustained investment in accelerating the establishment of Canada’s Identity Ecosystem.

P1003 | April 3rd, 2019 | Pan-Canadian Trust Framework Notice & Consent | Draft Recommendations

The Notice and Consent Component defines a set of processes used to formulate a statement about the collection, use and disclosure of personal information, and to obtain a consent decision on that statement from a person authorized to do so. The Notice and Consent processes ensure that notice statements are accurately formulated according to defined requirements, that the person making the consent decision has the authority to do so, and that the management of that consent decision is possible.

The objective of the Notice and Consent Component is to ensure the ongoing integrity of the notice and consent processes by applying standardized conformance criteria for assessment and certification. A certified process is a trusted process that can be relied on by other participants of the Pan-Canadian Trust Framework.

The Notice and Consent Component builds on the forthcoming Privacy baseline that is in development and scheduled for Discussion Draft release in the coming months.

The Notice and Consent Component will provide value to all Canadians, businesses, and governments by setting a baseline of business, legal, and technical interoperability. The DIACC’s mandate is to collaboratively develop and deliver resources to help Canadians to digitally transact with security, privacy and convenience. The Pan-Canadian Trust Framework is one such resource. The Pan-Canadian Trust Framework represents a collection of industry standards, best practices, and other resources that help to establish interoperability of an ecosystem of identity services and solutions. The DIACC is a not-for-profit coalition of members from the public and private sector who are making a significant and sustained investment in accelerating Canada’s Identity Ecosystem.

P1002 | February 12th, 2019 | Pan-Canadian Trust Framework Model v1.0 | Draft Recommendation

This document provides the high-level model of the PCTF and a recap of PCTF contextual information, goals, and objectives. This document also outlines functional areas that are the primary focus of the PCTF. The outline provides a sense of the digital representations with which the PCTF is concerned and the various processes involved in creating, managing, and using these digital objects. Individual PCTF components and profiles will provide detailed descriptions of the processes highlighted in this document.

The PCTF is intended to standardize trusted digital representations (i.e., identities, attributes, relationships) of people and other types of entities in Canada.

P1001 | August 1st, 2016 | Pan-Canadian Trust Framework Overview | Final

English / French

The PCTF exists to enable the Canadian digital identity ecosystem and will be used to identify applicable existing policy and technology standards that meet the needs defined in the PCTF. The PCTF may be used to identify future areas for collaboration, development, and standardisation.

The PCTF leverages the outputs and previous accomplishments of the IMSC through collaboration with the Canadian economic sector. The PCTF develops mechanisms for digital identity ecosystem participants to interact with integrity based on common terminology, concepts and technical specifications. The PCTF is designed to be suitable for digital identification, electronic authentication, online credential, and authorization systems used to provide services to government entities, citizens, business partners, and customers.

Canadian citizens and consumers, i.e. end users, are the ultimate beneficiaries of trust that is achieved through service standardisation and accountability to the PCTF. The intended participants and implementers of the PCTF are government, commercial, non-profit, and other entities who offer and consume identity services in support of their business and program activities.