Anil John
Making Digital Services Secure and Trustworthy


A C2G Identity Services Overview of Canada


Canada, as part of securing its Citizen to (Federal) Government Digital Services, is currently taking a dual track approach to externalizing authentication and account management while keeping identity management in-house. This blog post provides a **high-level technical overview of the components** of Canada’s Cyber Authentication Renewal Initiative.

I am not a fan of re-inventing wheels and detest the ‘Not Invented Here’ syndrome, so I tend to first look for lessons on securing high value digital services from strategies and approaches implemented in other communities and jurisdictions. Based on the feedback on what folks would like to see here from my recent reader survey, this is of interest to my readership as well.

So, to the extent feasible and based solely on publicly available information, I am starting a series of blog posts to convey my understanding of the approaches that non-US jurisdictions have taken in securing their C2G digital services. For points I get wrong, and I am sure that there will be many, please provide corrections and pointers to updated information.

Enter Canada.

Approach to Identity Services

The starting point of the Canadian approach is a clear separation of concerns between assurances provided by an ‘anonymous credential’ and assurances of identity.

Canadian implementations use the term ‘Credential’ while making it clear that there should not be any identity information associated with the credential. If there is, it should not be relied upon for any identity purposes. This usage is equivalent to what is meant by the term ‘Token’, so I will continue to use that term here to avoid confusion.

Both types of assurances are needed by a program to deliver digital services to a specific individual, but there is no expectation that they be provided by the same entity.

Given this separation they have, as a first step, implemented the federation of Tokens, i.e. the ability to out-source authentication and account management to an entity external to the relying party.

From a practical perspective this means that agencies and departments in the Canadian Federal Government can utilize out-sourced Token/Login Providers which ‘Assert Sameness’ to varying levels of assurance without it being linked to a particular identity.

Agencies (program owners), as part of enrolling the individual within their particular system, are directly accountable and responsible for identity proofing the individual, and linking that assured identity to the presented token via a secure process.

A critical by-product is the explicit support for privacy respecting interactions where it may be enough for a program to know that it is the same person with a high degree of assurance, rather than knowing the actual identity of the person.
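To make the separation described above concrete, here is a small model of the three roles (an added example written for this post, not code from the Canadian initiative or from either vendor). A token/login provider authenticates an account and asserts only sameness, through a subject identifier that is stable for one agency but unlinkable across agencies; each agency keeps its own table binding that identifier to an identity it proofed itself. The pairwise HMAC derivation, the field names, the `walkthrough` scenario and all account and agency names are assumptions made for illustration, not the CATS SAML profile.

```python
"""Toy model of the token-vs-identity separation (added example; constructed
names and derivation, not the real GCKey/Concierge implementation)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Assertion:
    issuer: str
    audience: str          # the relying party this assertion is scoped to
    subject: str           # pairwise pseudonym: stable per (account, audience)
    assurance_level: int   # token assurance only; says nothing about identity


class TokenProvider:
    """Outsourced login provider: accounts and passwords, no identity data."""

    def __init__(self, name: str, pairwise_key: bytes, assurance_level: int = 2):
        self.name = name
        self._key = pairwise_key            # secret used to derive pseudonyms
        self.assurance_level = assurance_level
        self._accounts = {}                 # login -> (salt, password hash)

    def register(self, login: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self._accounts[login] = (salt, digest)

    def authenticate(self, login: str, password: str, audience: str) -> Optional[Assertion]:
        rec = self._accounts.get(login)
        if rec is None:
            return None
        salt, digest = rec
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        if not hmac.compare_digest(candidate, digest):
            return None
        # Pairwise pseudonym (assumed design): the same login yields the same
        # subject at one agency but an unlinkable subject at another agency,
        # so agencies cannot correlate a person through the token alone.
        subject = hmac.new(self._key, f"{login}|{audience}".encode(), "sha256").hexdigest()
        return Assertion(self.name, audience, subject, self.assurance_level)


class Agency:
    """Program owner: trusts the token for sameness, does its own proofing."""

    def __init__(self, entity_id: str, trusted_issuers: set, min_level: int = 2):
        self.entity_id = entity_id
        self._trusted = trusted_issuers
        self._min_level = min_level
        self._links = {}                    # subject -> proofed identity record

    def _validate(self, a: Assertion) -> None:
        if a.issuer not in self._trusted:
            raise ValueError("untrusted issuer")
        if a.audience != self.entity_id:
            raise ValueError("assertion not intended for this agency")
        if a.assurance_level < self._min_level:
            raise ValueError("token assurance below agency minimum")

    def enroll(self, a: Assertion, proofed_identity: dict) -> None:
        """Bind a token subject to an identity this agency proofed out of band."""
        self._validate(a)
        self._links[a.subject] = dict(proofed_identity)

    def resolve(self, a: Assertion) -> Optional[dict]:
        """Return the linked identity, or None if only sameness is known."""
        self._validate(a)
        return self._links.get(a.subject)


def walkthrough() -> dict:
    """Constructed scenario; returns the observable outcomes as booleans."""
    provider = TokenProvider("login-provider-example", pairwise_key=b"constructed-demo-key")
    provider.register("alice", "correct horse battery staple")
    tax = Agency("agency-tax", {"login-provider-example"})
    benefits = Agency("agency-benefits", {"login-provider-example"})

    first = provider.authenticate("alice", "correct horse battery staple", "agency-tax")
    again = provider.authenticate("alice", "correct horse battery staple", "agency-tax")
    other = provider.authenticate("alice", "correct horse battery staple", "agency-benefits")
    bad = provider.authenticate("alice", "wrong password", "agency-tax")

    # The tax agency proofed Alice itself and links that identity to her token.
    tax.enroll(first, {"name": "Alice Example", "file_no": "CONSTRUCTED-0001"})
    # The benefits agency never proofed her: each visit it can tell it is the
    # same person, but the token gives it no identity.
    audience_rejected = False
    try:
        benefits.resolve(first)             # assertion was scoped to agency-tax
    except ValueError:
        audience_rejected = True
    return {
        "same_subject_on_return": first.subject == again.subject,
        "unlinkable_across_agencies": first.subject != other.subject,
        "bad_password_rejected": bad is None,
        "tax_knows_identity": tax.resolve(again) is not None,
        "benefits_knows_only_sameness": benefits.resolve(other) is None,
        "audience_check_enforced": audience_rejected,
    }


if __name__ == "__main__":
    for outcome, held in walkthrough().items():
        print(f"{outcome}: {held}")
```

The point of the `audience` check is that an assertion minted for one agency must not be replayable at another; without it, the pairwise identifier alone would not stop a relying party from being handed another agency's subject.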

As noted in their federation backgrounder document, the lessons learned from these initial steps will be used as stepping stones to how Canada will ‘federate identity’.

Implementation

The implementation of this approach comes under the umbrella of Canada’s Cyber Authentication Renewal Initiative which currently has two tracks:

  1. A commercial Credential Broker Service capability that allows individuals to use one or more private sector ‘Sign-In Partner’ logins they already have
  2. A Government branded token/login provider which allows individuals to create one or more logins which can only be utilized to access government agencies

The consistent themes across the initiative are:

  • Use standards for integration with RPs
  • Enable multiple token/login provider services
  • Provide choice of tokens/logins to individuals
  • Assurance level of the token/login starts at Level 2
  • Agency (Program Owner) is responsible for the identity proofing and is accountable for access management to the digital service

The current implementation of the Credential Broker Service uses the brand name SecureKey Concierge, enables multiple financial sector based ‘Sign-In Partners’, and is based on an implementation by SecureKey Technologies.

The current implementation of the Government branded token/login provider uses the brand name GCKey, and is based on an implementation by 2Keys Security Solutions.

From an interoperability perspective, the CSP-RP interface that both implementations provide to agencies is based on the identical profile of SAML 2.0 (Cyber-Authentication Technology Solutions Interface Architecture and Specification Version 2.0: Deployment Profile).

Adoption

My Thoughts and Take-Aways

Most jurisdictions tend to focus on an either/or approach to federation - outsource account management + identity management or have the agencies do it. Canada, from my perspective as an outsider looking in, seems to have stepped back and asked three particularly relevant questions:

  1. How can you address concerns around liability and privacy regarding out-sourced identity?
  2. How can you address the concerns of those who will never use a private sector provider for government digital interactions without passing that burden onto individual agencies?
  3. How can you provide ‘reach’ i.e. touch the greatest number of individuals when delivering digital services?

They did the first by separating token/login from identity and not outsourcing identity. By all indicators, including the active engagement of their privacy commissioner, the approach appears to be successful.

The second and third items are very much intertwined. The population of Canada is a bit over 35 million and is distributed over a land area which makes it the second largest country in the world, with corresponding connectivity infrastructure challenges. Even with that, about 15% of the population uses GCKey and 3% use Sign-In Partners via the SecureKey Concierge.

I expect the actual individual usage number of GCKey to be a bit lower as a person can create multiple logins, one for each agency they want to transact with if they so choose. Which, BTW, is precisely the point!

The deployment of both the broker, with financial sector entities as ‘Sign-In Partners’, and the government branded token/login provider as a complementary and NOT competing solution addresses the ‘agency burden’ and ‘reach’ questions very effectively.

The challenge here is that each individual agency is responsible for identity proofing to a level commensurate with its risk assessment. While that may be as it should be, there appears to be a lack of technical standards around identity proofing and associated costs that are unique to each agency.

My sense is that this is a point in time reality, and a hint at the potential way forward can be seen in the proof-of-concept work taken up by the recently launched Digital ID and Authentication Council of Canada (DIACC). DIACC is a public-private partnership with a board of directors that includes Federal and Provincial Government representatives as well as extensive representation from the banking and telecommunication sectors.

It remains to be seen how the products and approaches developed under the DIACC umbrella will integrate with the Cyber Authentication Renewal Initiative federation roadmap.

In conclusion, Canada appears to have a cohesive, incremental strategy around securing their public facing digital services. The strategic choice made to separate token/login from identity, and the deployment of complementary solutions with a focus on ‘reach’, seem to be working very well for them and offer many lessons for other jurisdictions that are on this journey.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.
