DRAFT
Pan Canadian Identity Management Steering Committee
March 1, 2010
Pan Canadian Identity Management & Authentication Framework
1 Introduction

This document is intended to describe the forming the Identity Component of the pan Canadian Identity Management and Authentication Framework. The is intended to be used as a standardized tool by jurisdictions to develop processes to verify and validate the identity of individuals that can be evaluated against a common set of Assurance Levels defined in the pan Canadian Assurance Model. This is expected to enhance the ability of Identity Management Services to interoperate between jurisdictions and improve the consistency of the experiences of citizens and businesses when interfacing with Identity Management Services in Canada regardless of the jurisdiction or level of government.

1.1 Pan Canadian Identity Management and Authentication Framework

The Identity Component is one of seven components identified in the Pan Canadian Identity Management Framework. The diagram below depicts the Identity Component in the context of the overall Identity Management and Authentication Framework. An initial description of the Identity Component is provided in section A.7 of the Annex of the Pan Canadian Strategy for Identity Management. This document expands upon and enhances the initial description.
The Pan Canadian Strategy for Identity Management identified six areas that the Identity Component should address:

1. Identity Context: Identity Context is the situation or context in which an identity (or person) operates (i.e., as a parent, patient, business representative, etc.).
2. Separation of Identity Contexts or Roles: It should be possible to separate a person's professional identity from personal or other identities. It may be beneficial to group users with similar contexts into categories to simplify deployment and management of Identity Management Services.
3. Identity Types or User Groups: As a starting point, three different identity contexts should be considered by defining three user groups: Citizen Government identities (external individuals), Business Government Identities (external organizations) and Government Government identities (internal individuals).
4. Applicable Identity Attributes by Type: Attributes are qualities or characteristics of individuals or organizations. A collection of attributes can be used to verify or validate the identity of an individual.
5. The Identity Lifecycle: The identity lifecycle establishes stages for the creation, use, termination and archival of physical and electronic credentials that apply to each identity type.
6. Agents, dependents and designates/delegates: The Identity Component should also deal with the issue of agency, dependants, designates and delegates.

Section A6 of the Annex of the Pan Canadian Identity Management Framework gives the initial description of the Assurance Component, which also addresses certain Identity Assurance Components. The Pan Canadian Assurance Model document primarily addresses these components; however, in implementing the pan Canadian Strategy for Identity Management, specific elements of Identity are addressed in this document. This document further enhances and expands upon section A6.1 Identity Assurance and section A6.5 Registration.
1.2 Document Status

This is a draft document under development by the Working Group for the Identity Management Steering Committee. Please contact the document editor with questions or comments as appropriate:

Michael Crerar
Director of Information Security Policy and Planning
Corporate Information Security Office
Government of Alberta
michael.crerar@gov.ab.ca
780 415 9745
2 Document Overview

As described in the Pan Canadian Assurance Model draft, Identity Assurance is the level of confidence that the client is really who they claim to be. This document, the, elaborates three separate areas:

- The Identity Attributes that characterize an individual. Identity Attributes are generally asserted by (or about) an individual.
- The Authentication Processes that are applied against Identity Attributes to verify the accuracy of an assertion or validate the assertion against an attribute that has been verified.
- The criteria used to evaluate the Identity Assurance Level resulting from Authentication Processes.

The underlying artifacts and concepts are:

Identity Management Assurance model
- Describes the concept of identity assurance and credential assurance and the relationship between them.
- Describes the fact that there are Levels within each assurance category.
- Describes the parties and roles involved in the assurance activities: standards authority, Authoritative Party, Relying Party, Client.
- The Pan Canadian Assurance Model is one identity management assurance model.
- Jurisdictions may want to create their own profile of the Identity Management Assurance Model. E.g. Alberta has created its IdM&A Directive which sets the IdM Assurance model for Alberta.

Identity information attribute assertions
- The assertions and classes of assertion to be authenticated.
- This includes all the typical identity information elements such as legal name, date of birth, address of record, citizenship and so on.
- Also includes identity relationship assertions for guardianship, trustee, family unit, and so on.
- This may be a data element or data model standard. E.g. data format for names, date of birth, etc.

Identity Authentication processes, a.k.a. Identity Proofing processes
- These are the business processes that are applied to verify identity attribute assertions.
- Each business process can be compared against a set of criteria to categorize which assurance level the process meets.
- The result of identity authentication processes is the identity assurance level for the identity information attribute or assertion.
- The processes are performed by Authoritative Parties.

Identity Management Assurance Standard
- This is the set of criteria that comprise the Identity Management Assurance Standard.
- The identity authentication processes are evaluated against a set of criteria with parameters that rise in stringency as the target assurance level rises.
- The criteria should be independent of the business processes and based on how strongly the accuracy or correctness of an attribute can be trusted.

3 Definitions

The Definition of Key Terms found in section 5 of the Pan Canadian Assurance Model should be referenced. This section identifies several terms to augment those terms.
Determination of Assurance captures the stringency of the decision making process (or the adjudication). These requirements may include and range from blanket operational approval to separation of duties or authorized officers, etc.

Validation is the process that uses objective evidence to confirm that the information being used or presented is the same as the information collected at the outset (refer to verification).

Verification is the process that uses objective evidence to confirm the truth or accuracy of a fact or claim (ensures that the information collected at the outset is truthful and accurate).

4 Identity Assurance Levels

The Identity Assurance Levels from Table 4 in the Pan Canadian Assurance Model are used as part of the. These are reproduced here for reference purposes.

Identity Assurance Level: Identity Assurance Level Description
- None: No confidence required that the client is really who they claim to be or that the client is claiming a stolen or fictitious identity.
- Level 1: Little confidence required that the client is really who they claim to be or that the client is claiming a stolen or fictitious identity.
- Level 2: Some confidence required that the client is really who they claim to be or that the client is claiming a stolen or fictitious identity.
- Level 3: High confidence required that the client is really who they claim to be or that the client is claiming a stolen or fictitious identity.
- Level 4: Very high confidence required that the client is really who they claim to be or that the client is claiming a stolen or fictitious identity.

5 Identity Attribute Information

5.1 Identity Attribute Categorization

Identity attributes can be organized into three categories:

1) Biographical attributes that provide an account of an individual's life such as Name, Date of Birth, Place of Birth, Gender, Mother's Maiden Name.
2) Biometric attributes that provide an account of an individual's physical characteristics such as an Iris Pattern, Fingerprint, Face, Voice, or Finger Veins.
3) Assigned attributes that have been assigned to an individual by a third party such as Social Insurance Number, Passport Number, Birth Registration Number, or Student Identification Number.
5.2 Identity Attribute Context

The provides for separation of Identity Contexts and specifically considers three categories of identities or users. Each category may be further divided or additional categories may be established by jurisdictions as required. The three categories of users specifically considered are:

1) Citizen to Government (C2G): This category, which is sometimes referred to as external individuals, includes all individuals who request or receive services from government.
2) Business to Government (B2G): This category, which is sometimes referred to as external organizations, includes businesses and other external organizations (societies, not for profit organizations) that interact with government. In some jurisdictions, this may also include the broader public sector (e.g. school boards, health authorities, etc.). The business or external organization is generally accountable for all actions of individuals acting on its behalf.
3) Government to Government (G2G): This category, which is sometimes referred to as internal individuals, includes government employees, or other individuals acting in that capacity (e.g., contractors, business partners or other affiliates that provide services on behalf of government).

6 Authentication Processes for Identity Attributes

Where verification of a real world identity is required by the registration process (i.e., for Medium level identification or higher), proof of identity (or assurance of an identity claim) is commonly established by relying on authoritative parties. There are two primary ways that organizations rely on authoritative parties when verifying identity claims (and sometimes both methods are used):

1) Evidence Based Identity Proofing: An assertion of an identity attribute is assured through the presentation and verification of documentary evidence that has been issued by an authoritative party (e.g., a citizen or business representative presents government issued photographic documentation at a counter). This document standardizes what constitutes acceptable evidence and what documents are authoritative on which identity attributes.
2) Authoritative Party Based Identity Proofing: An assertion of an identity attribute is assured through direct verification or validation by an authoritative party (e.g., Vital Statistics Agency, Revenue Canada) and/or corroborated by a trusted third party professional (e.g., lawyer, doctor, minister). The verification process may involve the exchange or confirmation of shared secrets. This document standardizes what and/or who constitutes an authoritative party.

An assertion of an identity attribute can be assured by comparing the asserted attribute with an attribute on documentary evidence issued by an authoritative party or by direct verification or validation by an authoritative party.

In practice, biographic and biometric identity attributes are often assured by comparing the asserted attribute with an attribute on documentary evidence. For example, where name or date of birth attributes are assured, the asserted attributes can be compared with the name and date of birth attributes on a birth certificate. Where the facial image attribute is assured, the asserted attribute and the facial image on a provincial motor vehicle license are compared.
There may be processes where biometric or biographic attributes are assured by direct verification or validation by an authoritative party. For example, a trusted party may validate an assertion that a facial image is that of an individual known to the trusted party.

Assigned attributes are often assured by either method.

6.1 Identity Attribute Examples

This section identifies some examples of biometric, biographic and assigned identity attributes that are used during identity verification processes.

6.1.1 Biographic Identity Attributes

This section identifies some biographic identity attributes that are used during identity verification processes.

1. Legal Name
2. Date of Birth
3. Place of Birth
4. Gender

6.1.2 Biometric Identity Attributes

This section identifies some biometric identity attributes that are used during identity verification processes.

1. Face or Facial Image
2. Fingerprint
3. Iris Pattern

6.1.3 Assigned Identity Attributes

This section identifies some assigned identity attributes that are used during identity verification processes.

1. Motor Vehicle Operator License Number
2. Provincial Health Care Insurance Number
3. Social Services Benefit Number
4. Code or Phrase provided to individual out of band
5. Assigned or Calculated value known by an individual or organization but not likely known by others

6.2 Strong and Weak Factors

Identity attributes may be presented individually, but in most cases are presented as a combination that can be presented as a piece of documentary evidence or directly verified or validated by an authoritative party. For example, an Alberta provincial Health Insurance Card contains:

- Name
- Date of Birth
- Gender
- Personal Health Number

A particular combination of identity attributes can be treated as a single factor used in an identity verification process. The strength of a factor is determined by what identity attributes can be verified or validated using that factor and the level of certainty that those identity attributes are accurate.

A factor used in an identity verification process should:

- Be created or managed by a documented process under authority of a Policy, Legislation or Regulation;
- Be subject to routine review and audit; and
- Have a clearly defined purpose or use.

A strong factor should have the following characteristics:

- Includes at least one biometric identity attribute or at least one assigned attribute where there is a high level of confidence that the attribute is only known to the individual or organization assigned the attribute and the issuer of the attribute;
- Be widely used by most provincial governments (and possibly other levels of governments or private sector organizations); and
- Be embodied in documentary evidence where it is difficult to forge and possible to detect tampering or forgery attempts.

If a factor is not a strong factor, it should be treated as a weak factor.

Some examples of strong factors are:

- Provincial Motor Vehicle Operators License
- Provincial Identity Card (with photo)
- Canadian Passport
- Provincial Health Care Insurance Card (with photo)
- Pass code or phrase provided to an individual out of band

Documentary evidence issued by other jurisdictions (within Canada and international) may be treated as strong factors provided they have the characteristics of a strong factor. For example, motor vehicle operators licenses issued by jurisdictions outside Canada may be accepted as strong factors but may be subjected to further investigation or assessment to confirm their legitimacy.

An identity verification process may require more than one factor be involved in verifying or validating identity attributes.
When more than one factor is required, factors should be independent from one another. This means that factors should be created or managed by different authoritative parties. For example, one factor may be managed by Alberta Registries and another managed by Alberta Sustainable Resource Development.

7 Criteria for Verifying or Validating Identity Attributes

This section identifies what identity attributes should be asserted in order to achieve a specific level of assurance and identifies the criteria for verifying or validating identity attributes at each level of assurance.

The criteria established require that the factors that comprise an assertion be of greater quality and represent multiple sources in order to meet greater levels of Identity Assurance.

The following table represents the overall criteria. The table describes four sets of criteria that must be considered.

1) Attribute Categorization. What attributes are acceptable? Biographic, Biometric or Assigned?
2) What evidence must be provided to communicate the identity attributes?
3) What authentication processes must be applied to verify or validate the identity attributes?
4) Determination of Assurance. Who makes the final decision to approve that an individual or organization has met the requirements of an identity verification process?

For the 4 levels of identity assurance, the processes of verification and validation are based upon a combination of and will have differing requirements for factor types, factor independence and factor strength.

Attribute Categorization
- Level 1: Biographic: / Biometric: / Assigned:
- Level 2: Biographic: / Biometric: / Assigned:
- Level 3: Biographic: / Biometric: / Assigned:
- Level 4: Biographic: / Biometric: / Assigned:

Evidence
- Level 1: Any factor
- Level 2: 1 strong factor
- Level 3: 2 strong factors or 1 strong factor and 2 weak factors
- Level 4: 3 strong factors or 2 strong factors and 2 weak factors elements)

Validation and Verification Process
- Level 1: No validation or verification required
- Level 2: In person: Verified and validated by authorized official. Remote: Automated verification, validated against source record.
- Level 3: In person: Verified by authorized official. Validated against source record. Remote: Automated verification.
- Level 4: In person: Verified by authorized official. Validated against source record. Remote: Not permitted.

Determination of Assurance (adjudication)
Departmental/Agency authority; Blanket Operational Authority; Validated against source record; Authorized Officer(s); Authorized Officer(s); Separation of duties

7.1 Level One (Little Confidence)

7.1.1 Evidence

In Person Public Verification
- Self assertion of ID

Remote Public Verification
- Phone # or e-mail

7.1.2 Verification

In Person Public Verification
- Accept assertion

Remote Public Verification
- Call phone #
- Send confirmation e-mail and receive positive acknowledgement

7.2 Level Two (Some Confidence)

7.2.1 Evidence

In Person Public Verification
- Primary Government photo ID

Remote Public Verification
Submits reference of and attests to current possession of at least one primary Government photo ID, and
- 2nd Government photo ID, or
- Student/employee ID #
- Financial account #
- Utility account #
and additional verifiable personal information that at a min. must include:
- Name that matches photo ID
- Date of birth
- Current address or personal telephone #

7.2.2 Verification

7.3 Level Three (High Confidence)

7.3.1 Evidence

7.3.2 Verification

7.4 Level Four (Very High Confidence)

7.4.1 Evidence

7.4.2 Verification
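
The strong/weak factor test of section 6.2, the factor independence rule and the Evidence row of the section 7 table can be combined into one evaluation, shown here as an added example that is not part of the framework document. The `Factor` fields, the function names, the sample classifications and the issuer names other than Alberta Registries are constructed assumptions, and the cap on remote proofing follows one reading of the table's process row.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Factor:
    name: str
    authority: str          # authoritative party that creates or manages the factor
    biometric: bool         # carries a biometric attribute (e.g. a photo)
    secret_assigned: bool   # assigned attribute known only to holder and issuer
    widely_used: bool       # used by most provincial governments
    tamper_evident: bool    # hard to forge, tampering is detectable

    def is_strong(self) -> bool:
        # Section 6.2: all three characteristics must hold, otherwise weak.
        return ((self.biometric or self.secret_assigned)
                and self.widely_used and self.tamper_evident)

def independent_counts(factors):
    """Count (strong, weak) factors, at most one per authoritative party."""
    best = {}  # authority -> True if it contributed a strong factor
    for f in factors:
        best[f.authority] = best.get(f.authority, False) or f.is_strong()
    strong = sum(best.values())
    return strong, len(best) - strong

def evidence_level(factors, in_person=True):
    """Highest Identity Assurance Level the evidence supports (0 = None)."""
    s, w = independent_counts(factors)
    if s >= 3 or (s >= 2 and w >= 2):
        level = 4
    elif s >= 2 or (s >= 1 and w >= 2):
        level = 3
    elif s >= 1:
        level = 2
    elif w >= 1:
        level = 1
    else:
        level = 0
    # Assumed reading of the process row: remote proofing is not permitted at Level 4.
    return level if in_person else min(level, 3)

# Constructed sample factors (illustrative classifications, not from the framework).
LICENCE = Factor("Motor Vehicle Operators License", "Alberta Registries", True, False, True, True)
ID_CARD = Factor("Provincial Identity Card (with photo)", "Alberta Registries", True, False, True, True)
PASSPORT = Factor("Canadian Passport", "Passport Canada", True, False, True, True)
HEALTH = Factor("Health Insurance Card (no photo)", "Alberta Health", False, False, True, False)
UTILITY = Factor("Utility account #", "Utility company", False, False, False, False)

if __name__ == "__main__":
    for label, ev in [("licence + ID card, same issuer", [LICENCE, ID_CARD]),
                      ("licence + passport", [LICENCE, PASSPORT]),
                      ("licence + two weak", [LICENCE, HEALTH, UTILITY])]:
        print(label, "->", evidence_level(ev))
```

Two photo documents from the same issuer count as one factor here, so they support Level 2 rather than Level 3; the verification process and adjudication rows of the table are not modelled.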