DRAFT Pan Canadian Identity Management Steering Committee March 1, 2010

Transcription

1 DRAFT Pan Canadian Identity Management Steering Committee March 1, 2010 Pan Canadian Identity Management & Authentication Framework Page 1

2 1 Introduction This document is intended to describe the forming the Identity Component of the pan Canadian Identity Management and Authentication Framework. The is intended to be used as a standardized tool by jurisdictions to develop processes to verify and validate the identity of individuals that can be evaluated against a common set of Assurance Levels defined in the pan Canadian Assurance Model. This is expected to enhance the ability of Identity Management Services to interoperate between jurisdictions and improve the consistency of the experiences of citizens and businesses when interfacing with Identity Management Services in Canada regardless of the jurisdiction or level of government. 1.1 Pan Canadian Identity Management and Authentication Framework The Identity Component is one of seven components identified in the Pan Canadian Identity Management Framework. The diagram below depicts the Identity Component in the context of the overall Identity Management and Authentication Framework. An initial description of the Identity Component is provided in section A.7 of the Annex of the Pan Canadian Strategy for Identity Management. This document expands upon and enhances the initial description. Pan Canadian Identity Management & Authentication Framework Page 2

3 The Pan Canadian Strategy for Identity Management identified six areas that the Identity Component should address: 1. Identity Context Identity Context is the situation or context in which an identity (or person) operates (i.e., as a parent, patient, business representative, etc.). 2. Separation of Identity Contexts or Roles It should be possible to separate a person s professional identity from personal or other identities. It may be beneficial to group users with similar contexts into categories to simplify deployment and management of Identity Management Services. 3. Identity Types or User Groups As a starting point, three different identity contexts should be considered by defining three user groups Citizen Government identities (external individuals), Business Government Identities (external organizations) and Government Government identities (internal individuals). 4. Applicable Identity Attributes by Type Attributes are qualities or characteristics of individuals or organizations. A collection of attributes can be used to verify or validate the identity of an individual. 5. The Identity lifecycle the identity lifecycle establishes stages for the creation, use, termination and archival of physical and electronic credentials that apply to each identity type. 6. Agents, dependents and designates/delegates The Identity Component should also deal with the issue of agency, dependants, designates and delegates. Section A6 of the Annex of the Pan Canadian Identity Management Framework describes the initial description of the Assurance Component, which also addresses certain Identity Assurance Components. The Pan Canadian Assurance Model document primarily addresses these components, however, in implementing the pan Canadian Strategy for Identity Management, specific elements of Identity are addressed in this document. This document further enhances and expands upon section A6.1. Identity Assurance and section A6.5 Registration. 1.2 Document Status This is a draft document under development by the Working Group for the Identity Management Steering Committee. Please contact the document editor with questions or comments as appropriate: Michael Crerar Director of Information Security Policy and Planning Corporate Information Security Office Government of Alberta [email protected] Pan Canadian Identity Management & Authentication Framework Page 3

4 2 Document Overview As described in the Pan Canadian Assurance Model draft, Identity Assurance is the level of confidence that the client is really who they claim to be. This document, the, elaborates three separate areas: The Identity Attributes that characterize an individual. Identity Attributes are generally asserted by (or about) an individual. The Authentication Processes that are applied against Identity Attributes to verify the accuracy of an assertion or validate the assertion against an attribute that has been verified The criteria used to evaluate the Identity Assurance Level resulting from Authentication Processes The underlying artifacts and concepts are: Identity Management Assurance model Describes the concept of identity assurance and credential assurance and the relationship between them. Describes the fact that there are Levels within each assurance category. Describes the parties and roles involved in the assurance activities: standards authority, Authoritative Party, Relying Party, Client The Pan Canadian Assurance Model is one identity management assurance model. Jurisdictions may want to create their own Pan Canadian Identity Management & Authentication Framework Page 4

5 profile of the Identity Management Assurance Model. E.g. Alberta has created its IdM&A Directive which sets the IdM Assurance model for Alberta. Identity information attribute assertions The assertions and classes of assertion to be authenticated. This includes all the typical identity information elements such as legal name, date of birth, address of record, citizenship and so on. Also includes identity relationship assertions for guardianship, trustee, family unit, and so on This may be a data element or data model standard. E.g. data format for names, date of birth, etc. Identity Authentication processes a.k.a. Identity Proofing processes These are the business processes that are applied to verify identity attribute assertions. Each business process can be compared against a set of criteria to categorize which assurance level the process meets. The result of identity authentication processes is the identity assurance level for the identity information attribute or assertion The processes are performed by Authoritative Parties Identity Management Assurance Standard This is the set of criteria that comprise the Identity Management Assurance Standard. The identity authentication processes are evaluated against a set of criteria with parameters that rise in stringency as the target assurance level rises. The criteria should be independent of the business processes and based on how strongly the accuracy or correctness of an attribute can be trusted. 3 Definitions The Definition of Key Terms found in section 5 of the Pan Canadian Assurance Model should be referenced. This section identifies several terms to augment those terms. Pan Canadian Identity Management & Authentication Framework Page 5

6 Determination of Assurance captures the stringency of the decision making process (or the adjudication). These requirements may include and range from blanket operational approval to separation of duties or authorized officers, etc. Validation is the process that uses objective evidence to confirm that the information being used or presented is the same as the information collected at the outset (refer to verification). Verification is the process that uses objective evidence to confirm the truth or accuracy of a fact or claim (ensures that the information collected at the outset is truthful and accurate) 4 Identity Assurance Levels The Identity Assurance Levels from Table 4 in the Pan Canadian Assurance Model are used as part of the. These are reproduced here for reference purposes. Identity Assurance Level None Level 1 Level 2 Level 3 Level 4 Identity Assurance Level Description No confidence required that the client is really who they claim to be or that the client is claiming a stolen or fictitious identity. Little confidence required that the client is really who they claim to be or that the client is claiming a stolen or fictitious identity. Some confidence required that the client is really who they claim to be or that the client is claiming a stolen or fictitious identity. High confidence required that the client is really who they claim to be or that the client is claiming a stolen or fictitious identity. Very high confidence required that the client is really who they claim to be or that the client is claiming a stolen or fictitious identity. 5 Identity Attribute Information 5.1 Identity Attribute Categorization Identity attributes can be organized into three categories: 1) Biographical attributes that provide an account of an individual s life such as Name, Date of Birth, Place of Birth, Gender, Mother s Maiden Name. 2) Biometric attributes that provide an account of an individual s physical characteristics such as an Iris Pattern, Fingerprint, Face, Voice, or Finger Veins. 3) Assigned attributes that have been assigned to an individual by a third party such as Social Insurance Number, Passport Number, Birth Registration Number, or Student Identification Number. Pan Canadian Identity Management & Authentication Framework Page 6

7 5.2 Identity Attribute Context The provides for separation of Identity Contexts and specifically considers three categories of identities or users. Each category may be further divided or additional categories may be established by jurisdictions as required. The three categories of users specifically considered are: 1) Citizen to Government (C2G) This category which is sometimes referred to as external individuals includes all individuals who request or receive services from government. 2) Business to Government (B2G) This category which is sometimes referred to as external organizations includes businesses and other external organizations (societies, not for profit organizations) that interact with government. In some jurisdictions, this may also include the broader public sector (e.g. school boards, health authorities, etc.). The business or external organization is generally accountable for all actions of individuals acting on its behalf. 3) Government to Government (G2G) This category which is sometimes referred to as internal individuals includes government employees, or other individuals acting in that capacity (e.g., contractors, business partners or other affiliates that provide services on behalf of government). 6 Authentication Processes for Identity Attributes Where verification of a real world identity is required by the registration process (i.e., for Medium level identification or higher), proof of identity (or assurance of an identity claim) is commonly established by relying on authoritative parties. There are two primary ways that organizations rely on authoritative parties when verifying identity claims (and sometimes both methods are used): 1) Evidence Based Identity Proofing An assertion of an identity attribute is assured through the presentation and verification of documentary evidence that has been issued by an authoritative party (e.g., a citizen or business representative presents government issued photographic documentation at a counter). This document standardizes what constitutes acceptable evidence and what documents are authoritative on which identity attributes. 2) Authoritative Party Based Identity Proofing An assertion of an identity attribute is assured through direct verification or validation by an authoritative party (e.g., Vital Statistics Agency, Revenue Canada) and/or corroborated by a trusted third party professional (e.g., lawyer, doctor, minister). The verification process may involve the exchange or confirmation of shared secrets. This document standardizes what and/or who constitutes an authoritative party. An assertion of a identity attributes can assured by comparing the asserted attribute with an attribute on documentary evidence issued by an authoritative party or by direct verification or validation by an authoritative party. In practice, often biographic and biometric identity attributes are assured by comparing the asserted attribute with an attribute on documentary evidence. For example, where name or date of birth attributes are assured, a comparison of the asserted attributes with name and date of birth attributes on a birth certificate can be compared. Where the facial image attribute is assured, the asserted attribute and the facial image on a provincial motor vehicle license are compared. Pan Canadian Identity Management & Authentication Framework Page 7

8 There may be processes where biometric or biographic attributes are assured by direct verification or validation by an authoritative party. For example, a trusted party may validate an assertion that a facial image is that of an individual known to the trusted party. Assigned attributes are often assured by either method. 6.1 Identity Attribute Examples This section identifies some examples of biometric, biographic and assigned identity attributes that are used during identity verification processes Biographic Identity Attributes This section identifies some biographic identity attributes that are used during identity verification processes. 1. Legal Name 2. Date of Birth 3. Place of Birth 4. Gender Biometric Identity Attributes This section identifies some biometric identity attributes that are used during identity verification processes. 1. Face or Facial Image 2. Fingerprint 3. Iris Pattern Assigned Identity Attributes This section identifies some assigned identity attributes that are used during identity verification processes. 1. Motor Vehicle Operator License Number 2. Provincial Health Care Insurance Number 3. Social Services Benefit Number 4. Code or Phrase provided to individual out of band 5. Assigned or Calculated value known by an individual or organization but not likely known by others 6.2 Strong and Weak Factors Identity attributes may be presented individually, but in most cases presented as a combination that can be presented as a piece of documentary evidence or directly verified or validated by an authoritative party. For example, an Alberta provincial Health Insurance Card contains: Name Pan Canadian Identity Management & Authentication Framework Page 8

9 Date of Birth Gender Personal Health Number A particular combination of identity attributes can be treated as a single factor used in an identity verification process. The strength of a factor is determined by what identity attributes can be verified or validated using that factor and the level of certainty that those identity attributes are accurate. A factor used in an identity verification process should: Be created or managed by a documented process under authority of a Policy, Legislation or Regulation; Be subject to routine review and audit; and Have a clearly defined purpose or use. A strong factor should have the following characteristics: Includes at least one biometric identity attribute or at least one assigned attribute where there is a high level of confidence that the attribute is only known to the individual or organization assigned the attribute and the issuer of the attribute; and Be widely used by most provincial governments (and possibly other levels of governments or private sector organizations); Be embodied in documentary evidence where it is difficult to forge and possible to detect tampering or forgery attempts. If a factor is not a strong factor, it should be treated as a weak factor. Some examples of strong factors are: Provincial Motor Vehicle Operators License Provincial Identity Card (with photo) Canadian Passport Provincial Health Care Insurance Card (with photo) Pass code or phrase provided to an individual out of band Documentary evidence issued by other jurisdictions (within Canada and international) may be treated as strong factors provided they have the characteristics of a strong factor. For example, motor vehicle operators licenses issued by jurisdictions outside Canada may be accepted as strong factors but may be subjected to further investigation or assessment to confirm their legitimacy. An identity verification process may require more than one factor be involved in verifying or validating identity attributes. When more than one factor is required, factors should be independent from one another. This means that factors should be created or managed by different authoritative parties. For Pan Canadian Identity Management & Authentication Framework Page 9

10 example, one factor may be managed by Alberta Registries and another managed by Alberta Sustainable Resource Development. 7 Criteria for Verifying or Validating Identity Attributes This section identifies the what identity attributes should be asserted in order to achieve a specific level of assurance and identifies the criteria for verifying or validating identity attributes at each level of assurance. The criteria established requires that the factors that comprise an assertion be of greater quality and represent multiple sources in order to meet greater levels of Identity Assurance. The following table represents the overall criteria. The table describes four sets or criteria that must be considered. 1) Attribute Categorization. What attributes are acceptable? Biographic, Biometric or Assigned? 2) What evidence must be provided to communicate the identity attributes? 3) What authentication processes must be applied to verify or validate the identity attributes? 4) Determination of Assurance. Who makes the final decision to approve that and individual or organization has met the requirements of an identity verification process? For the 4 levels of identity assurance, the processes of verification and validation are based upon a combination of and will have differing requirements for factor types, factor independence and factor strength. Attribute Categorization Level 1 Level 2 Level 3 Level 4 Biographic: Biographic: Biographic: Biographic: Biometric: Biometric: Biometric: Biometric: Assigned: Assigned: Assigned: Assigned: Evidence Any factor 1 strong factor 2 strong factors or 1 strong factor and 2 weak factors 3 strong factors or 2 strong factors and 2 weak factors elements) Validation and Verification Process No validation or verification required In person Verified and validated by authorized official. Remote Automated In person Verified by authorized official. Validated against source record. In person Verified by authorized official. Validated against source record. Pan Canadian Identity Management & Authentication Framework Page 10

11 verification, validated against source record. Remote Automated verification. Remote Not permitted. Determination of Assurance (adjudication) Departmental/ Agency authority Blanket Operational Authority Validated against source record Authorized Officer (s) Authorized Officer (s) Separation of duties 7.1 Level One (Little Confidence) Evidence In Person Public Verification Self assertion of ID Remote Public Verification Phone # or e mail Verification In Person Public Verification Accept assertion Remote Public Verification Call phone # Send confirmation e mail and receive positive acknowledgement 7.2 Level Two (Some Confidence) Evidence In Person Public Verification Primary Government photo ID Remote Public Verification Submits reference of and attests to current possession of at least one primary Government photo ID, and Pan Canadian Identity Management & Authentication Framework Page 11

12 2nd Government photo ID, or Student/employee ID # Financial account # Utility account # and Additional verifiable personal information that at a min. must include; Name that matches photo ID Date of birth Current address or personal telephone # Verification 7.3 Level Three(High Confidence Evidence Verification 7.4 Level Four (Very High Confidence) Evidence Verification Pan Canadian Identity Management & Authentication Framework Page 12