Pan-Canadian Trust Framework
Model Overview

Participant

Role

functions

trusted process

digital representation

A digital representation is an electronic dataset that refers to any type of entity that can be subject to legislation, policy, or regulations within a context, and which may have certain rights, duties, and obligations. Digital representations are intended to model real-world actors.

Currently, the PCTF defines three types of digital representation:

Identity – Information that makes it possible to identify a unique entity (e.g., personal information), either on its own or with supporting related information. Examples for persons include names, dates of birth, birth registrations (in the future), or biometrics. Examples for machines could include the serial number, a trusted digital certificate, or network MAC address.

Credential – Information describing attributes or properties of an entity. This information may exist on its own (e.g., as a credential that contains no personal information, only a unique string identifier) or be related to personal information. Examples include education levels (e.g., a university degree in engineering), permission to operate a vehicle (e.g., a driver's license), income level, or status as an employee at a given firm.

Authenticator – Data issued to an entity that provides access to restricted or protected systems. Examples of common authenticators are use

Real-world Entity

Representation Types

Identity

Foundational

Establishes the existence and digital representation of real, legally recognized entities. 

Contextual

Establishes identity and digital representations of entities in specific contexts or use cases. This type includes IDs that are self-issued or assigned.

Credential

Attribute

A credential that provides one or more pieces of information about a single entity. Examples:

A simple credential issued by a province that contains a single piece of information attesting to the entity's age.
A simple credential attesting to the entity's security clearance level.
A credential attesting to the fact that a certain mobile phone number is assigned to the entity's handset.
A more complex credential that is a university transcript consisting of data that identifies the courses a student has taken.

Relationship

A credential that attests to the fact that an entity is connected to, affiliated with, or otherwise related in some way to a second entity. Example: A credential issued by a corporate registrar attesting to the fact that a person is an officer of a corporation or credentials issued by the corporation to its personnel that prove they are employed by the firm. A delegation of authority is a particular type of relationship. These credentials attest to the fact that an entity has delegated certain rights, privileges, authorities, etc. to a second entity. Example: A simple credential attesting to the fact that a corporate officer has delegated financial authority to an entity.

Authenticator

Authenticators are data used to access managed or protected systems (e.g., a financial institution’s website). An authenticator may be a simple username-password pair or a more complex object like an access token or biometric data.

Conformance Criteria

Assessor

digital identity systems

Defined Functions

Create and manage
digital representation

Purpose

Functions in this category are intended to ensure that:

an entity is known to be real and identifiable, not a fraudulent creation;
an entity is unique within a population (e.g., citizens, customers, corporations), so that multiple digital identities cannot be fraudulently created and used; and
the digital identity represents the entity to which it was issued.

Identity processes

Identity resolution

The establishment of the uniqueness of a subject within a program/service population through the use of identity information. A program or service defines its identity resolution requirements in terms of identity attributes; that is, it specifies the set of identity attributes that is required to achieve identity resolution within its population.
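As an added example (not part of the PCTF text), the following Python checks whether a candidate set of identity attributes achieves identity resolution over a population, lists the records it cannot tell apart, and finds the smallest attribute sets that do resolve everyone. The population records, attribute names and values are constructed for illustration.

```python
from collections import Counter
from itertools import combinations

# Constructed sample population for the example; not data from the page.
POPULATION = [
    {"name": "A. Tremblay", "dob": "1985-04-12", "city": "Gatineau", "reg_no": "QC-000123"},
    {"name": "A. Tremblay", "dob": "1985-04-12", "city": "Montreal", "reg_no": "QC-000987"},
    {"name": "B. Singh",    "dob": "1990-11-02", "city": "Surrey",   "reg_no": "BC-004411"},
    {"name": "C. Okafor",   "dob": "1978-07-30", "city": "Halifax",  "reg_no": "NS-002200"},
    {"name": "C. Okafor",   "dob": "1978-07-30", "city": "Halifax",  "reg_no": "NS-002201"},
]


def resolution_key(record, attributes):
    """The values of the chosen identity attributes; a missing attribute counts as None."""
    return tuple(record.get(a) for a in attributes)


def unresolved(population, attributes):
    """Attribute-value combinations shared by more than one record: the subjects
    that this attribute set cannot tell apart."""
    counts = Counter(resolution_key(r, attributes) for r in population)
    return {key: n for key, n in counts.items() if n > 1}


def resolves(population, attributes):
    """True when every record in the population is unique under the chosen attributes."""
    return not unresolved(population, attributes)


def minimal_resolving_sets(population, candidate_attributes):
    """The smallest subsets of the candidate attributes that resolve the whole
    population, i.e. the least identity data a program needs to ask for."""
    for size in range(1, len(candidate_attributes) + 1):
        found = [s for s in combinations(candidate_attributes, size)
                 if resolves(population, s)]
        if found:
            return found
    return []
```

Name plus date of birth fails on this population twice (two Tremblays, two Okafors), adding city still leaves the Okafor pair unresolved, and the registration number alone is the only single attribute that works; running the search on the candidate set without it returns nothing, which is the signal that the program's requirements must include an attribute it has not yet asked for.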

Identity Establishment

The creation of an authoritative record of identity that may be relied on by others for subsequent programs, services, and activities. 

Identity Maintenance

The process of ensuring that identity information is as accurate, complete, and up-to-date as is required. Identity Maintenance also includes identity notification, the disclosure of identity information triggered by a change in identity information (e.g., a vital event or a major life event) or by an indication that identity information has been exposed to a risk factor. Maintenance may be time-based or event-based.

Credential processes

Credential issuance

The process during which a credential is created, assigned to a subject (i.e., a person, organization, application, or device), and optionally bound to one or more authenticators. Authenticators can be subsequently used to prove that a credential is referring to the same subject that was originally bound to the credential.

Identity-credential binding

The process of associating credentials with an attributed actor.

Credential maintenance

The process includes lifecycle activities such as updating credential details. This process is typically initiated by the subject but may also be initiated by a system administrator or automatically by the system. 

Credential suspension

Transitions an issued credential to a suspended credential. This can be triggered by the subject (e.g. forgotten password) or the system (e.g., lockout due to successive failed authentications, inactivity, suspicious activity, etc.). A suspended credential is prohibited from being passed to a Relying Party, thereby ensuring that the subject is denied access.

Credential recovery

Transitions a suspended credential back to a usable state (i.e., an issued credential). The process may be triggered by the subject, system administrator, or automatically by the system. 

Credential revocation

Ensures that a credential is permanently disabled or deleted. Once a credential is revoked, it can no longer be used. The process can be initiated by the subject, system administrator, or automatically by the system. 

Credential authentication

Verifies that a subject has control over their issued credential. 

Authenticator processes

Authenticator issuance

The process during which an authenticator is created and assigned/bound to a subject (i.e., a person, organization, application, or device), and optionally bound to one or more credentials.

Identity-authenticator binding

The process of associating authenticators with an attributed actor.

Authenticator maintenance

The process includes lifecycle activities such as removing authenticators, binding new authenticators, and updating authenticators (e.g., password change, updating security questions and answers). This process is typically initiated by the subject but may also be initiated by a system administrator or automatically by the system.

Authenticator suspension

Transitions an issued authenticator to a suspended authenticator. This can be triggered by the subject (e.g., forgotten password) or the system (e.g., lockout due to successive failed authentications, inactivity, suspicious activity). A suspended authenticator is prohibited from being passed to a Relying Party, thereby ensuring that the subject is denied access.

Authenticator recovery

Transitions a suspended authenticator back to a usable state. The process may be triggered by the subject, system administrator, or automatically by the system. Examples include:

The subject correctly answers the security questions to reset a forgotten password.
A system administrator releases an authenticator that was suspended due to inactivity.
After 24 hours the system automatically releases an authenticator that was suspended due to excess failed authentication attempts.
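The credential processes above and the authenticator processes in this section describe the same lifecycle: issued, suspended (recoverable), revoked (terminal), with authentication succeeding only against an issued object and a suspended one never reaching a relying party. The Python state machine below is added here as an illustration and is not taken from the PCTF or from any implementation; it enforces those rules for an authenticator. The five-attempt lockout threshold, the 24-hour automatic release, the secret-comparison step and the subject/actor names are assumptions of the example.

```python
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional

# Policy values are assumptions for this example; the page mentions a 24-hour
# automatic release only as an illustration and names no attempt threshold.
MAX_FAILED_ATTEMPTS = 5
AUTO_RELEASE_AFTER = timedelta(hours=24)


class State(Enum):
    ISSUED = "issued"          # usable
    SUSPENDED = "suspended"    # temporarily unusable, recoverable
    REVOKED = "revoked"        # permanently unusable; no transition leaves this state


class LifecycleError(Exception):
    """A transition the lifecycle does not permit from the current state."""


@dataclass
class Authenticator:
    subject: str
    secret: bytes                          # stand-in for whatever the subject proves control of
    state: State = State.ISSUED
    failed_attempts: int = 0
    release_at: Optional[datetime] = None  # set only for time-limited (automatic) suspensions
    history: list = field(default_factory=list)  # (time, event, actor): the audit trail

    def log(self, now, event, actor):
        self.history.append((now, event, actor))


def issue(subject, secret, now):
    """Authenticator issuance: create the authenticator and bind it to the subject."""
    a = Authenticator(subject=subject, secret=secret)
    a.log(now, "issued", "system")
    return a


def suspend(a, now, actor, auto_release=False):
    """Authenticator suspension: ISSUED -> SUSPENDED, triggered by subject or system."""
    if a.state is State.REVOKED:
        raise LifecycleError("a revoked authenticator cannot be suspended")
    a.state = State.SUSPENDED
    a.release_at = now + AUTO_RELEASE_AFTER if auto_release else None
    a.log(now, "suspended", actor)


def recover(a, now, actor):
    """Authenticator recovery: SUSPENDED -> ISSUED, by subject, administrator or system."""
    if a.state is not State.SUSPENDED:
        raise LifecycleError("only a suspended authenticator can be recovered")
    a.state = State.ISSUED
    a.release_at = None
    a.failed_attempts = 0
    a.log(now, "recovered", actor)


def revoke(a, now, actor):
    """Authenticator revocation: permanently disable; recovery is refused afterwards."""
    if a.state is State.REVOKED:
        raise LifecycleError("already revoked")
    a.state = State.REVOKED
    a.release_at = None
    a.log(now, "revoked", actor)


def authenticate(a, presented, now):
    """Confirm control over an ISSUED authenticator. Anything not ISSUED is denied,
    which is how a suspended authenticator never reaches a relying party."""
    if a.state is State.SUSPENDED and a.release_at is not None and now >= a.release_at:
        recover(a, now, "system")          # time-based automatic release
    if a.state is not State.ISSUED:
        return False
    if hmac.compare_digest(a.secret, presented):
        a.failed_attempts = 0
        return True
    a.failed_attempts += 1
    if a.failed_attempts >= MAX_FAILED_ATTEMPTS:
        suspend(a, now, "system", auto_release=True)   # lockout after successive failures
    return False


T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)


def at(hours):
    """Time helper for the walkthrough: T0 plus a number of hours."""
    return T0 + timedelta(hours=hours)


def lockout_scenario():
    """Lockout, automatic release, then revocation; returns the authentication outcomes."""
    a = issue("subject-42", b"correct-secret", at(0))
    for i in range(MAX_FAILED_ATTEMPTS):           # successive failures -> system lockout
        authenticate(a, b"wrong-secret", at(i / 60))
    while_locked = authenticate(a, b"correct-secret", at(1))
    after_release = authenticate(a, b"correct-secret", at(25))
    revoke(a, at(48), "subject")
    after_revoke = authenticate(a, b"correct-secret", at(72))
    return while_locked, after_release, after_revoke, [e for _, e, _ in a.history]
```

Two properties carry the security weight: the correct secret is refused while the authenticator is suspended (the relying party sees a plain denial, not a different error), and revocation is terminal, so an administrator cannot accidentally "recover" a revoked authenticator back into use. The history list is the audit trail the Audit & logging function below expects.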

Use digital representations

Purpose

For most people, proving identity, accessing an account, or demonstrating that certain criteria are met (e.g., residency, age, possession of a permit) is a necessary part of online interactions. Functions in this category concern the use of digital representations for these purposes. The interactions that depend on trusted digital representations are usually interactions between a relying party and a digital representation subject:

The subject is typically a person who wishes to conduct a transaction, access a system, or interact with a relying party in some other manner.

Relying parties normally need information to identify subjects, check certain attributes, grant access to a protected system, or assess entitlement to a service provided by the relying party.

Relying party processes

Confirming

Identity Validation

The confirmation of the accuracy of identity information about a subject as established by an authoritative party. It should be noted that identity validation does not ensure that the entity is using their own identity information (this is Identity Verification) – only that the identity information that the subject is using is accurate when compared to an authoritative record.

Identity Verification

The confirmation that the identity information being presented relates to the subject who is making the claim. It should be noted that Identity Verification is a separate process from Identity Validation and may employ different methods and use personal information that is not related to identity. Different methods may be used (separately or in combination) such as:

Knowledge-based confirmation
Biological or behavioural confirmation
Trusted referee confirmation
Physical possession confirmation

Credential/authenticator
authentication

This process establishes a level of confidence that an entity has control over a credential or authenticator issued to that entity. 

Identity linking

The process of ensuring that the right subject is properly associated across different service delivery contexts. This process is dependent on authority and privacy constraints and may result in the association of an identity with a service assigned identifier, and/or, the mapping of multiple service assigned identifiers associated with an identity. 

Identity presentation

The dynamic confirmation that a subject has a continuous existence over time (i.e., “genuine presence”). This can be used to ensure that there is no malicious or fraudulent activity (past or present) and to address identity spoofing concerns.

Consent

Formulate notice

Produces a statement that describes what personal information is being collected; with which parties the personal information is being shared; for what purposes the personal information is being collected, used, or disclosed; how the personal information will be handled and/or protected; the time period for which the statement will be applicable; and under whose Jurisdiction/Authority the statement is applicable. This statement is presented to the subject (i.e., the natural person to whom the personal information in question pertains) in the form of a notice statement.

Request Consent

Presents the notice statement to the subject and provides a capability for the subject to give or decline consent based on the contents of the notice statement, resulting in a consent decision.

Record Consent

Persists the notice statement and the subject's consent decision to storage. In addition, information about the subject, the version of the notice statement that was presented, the date and time that the notice statement was presented, and, if applicable, the expiration date for the consent decision may be stored. Once the consent information has been stored, a notification of the consent decision is issued to the relevant parties to the consent decision.

Manage Consent

Review

The process to review consent involves making the details of a stored consent decision visible to the subject or to a reviewer.

Update

Updating a consent decision involves the subject establishing a revised consent decision from a previously stored consent decision. This could include the subject revoking the consent. This process results in an updated consent decision (which will require persisting via the Record Consent process). 
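As an added illustration (not part of the PCTF text), the following Python models the consent processes above as an append-only ledger: Formulate Notice produces a versioned notice statement with a content digest, Record Consent stores the decision together with the notice version, presentation time and expiry and notifies the parties, and Update appends a revised decision (including a revocation) rather than editing the old one, so Review always shows the full history. Field names, the digest, the subject identifier and the sample notice are assumptions of the example.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone


def formulate_notice(version, collected, shared_with, purposes, handling, valid_days, jurisdiction):
    """Formulate notice: the statement shown to the subject. The digest binds a
    recorded decision to the exact wording presented (a choice of this example)."""
    notice = {
        "version": version,
        "collected": collected,        # what personal information is collected
        "shared_with": shared_with,    # with which parties it is shared
        "purposes": purposes,          # why it is collected, used or disclosed
        "handling": handling,          # how it is handled and protected
        "valid_days": valid_days,      # period the statement applies; None = open-ended
        "jurisdiction": jurisdiction,  # under whose authority it applies
    }
    canonical = json.dumps(notice, sort_keys=True, separators=(",", ":")).encode()
    notice["digest"] = hashlib.sha256(canonical).hexdigest()
    return notice


class ConsentLedger:
    """Record Consent as an append-only ledger: an update or revocation is a new
    record, never an edit, so Review shows every decision the subject ever made."""

    def __init__(self):
        self._records = []
        self.notifications = []   # (party, subject, notice version, decision)

    def request_consent(self, notice, decide):
        """Request consent: present the notice and obtain the subject's decision."""
        decision = decide(notice)
        if decision not in ("granted", "declined"):
            raise ValueError("decision must be 'granted' or 'declined'")
        return decision

    def record_consent(self, subject, notice, decision, presented_at, parties):
        """Record Consent: persist the decision, then notify the parties to it."""
        expires_at = None
        if decision == "granted" and notice["valid_days"] is not None:
            expires_at = presented_at + timedelta(days=notice["valid_days"])
        record = {
            "subject": subject,
            "notice_version": notice["version"],
            "notice_digest": notice["digest"],
            "decision": decision,
            "presented_at": presented_at,
            "expires_at": expires_at,
        }
        self._records.append(record)
        for party in parties:
            self.notifications.append((party, subject, notice["version"], decision))
        return record

    def review(self, subject):
        """Review: make stored decisions visible (as copies, so callers cannot edit them)."""
        return [dict(r) for r in self._records if r["subject"] == subject]

    def update(self, subject, notice, new_decision, at, parties):
        """Update (including revocation): a revised decision goes through Record Consent."""
        if not any(r["subject"] == subject and r["notice_version"] == notice["version"]
                   for r in self._records):
            raise LookupError("no stored decision to update")
        return self.record_consent(subject, notice, new_decision, at, parties)

    def in_effect(self, subject, notice_version, at):
        """Whether consent for this notice version is in effect at time `at`: only
        the latest decision made by then counts, and an expired grant is void."""
        latest = None
        for r in self._records:
            if (r["subject"] == subject and r["notice_version"] == notice_version
                    and r["presented_at"] <= at):
                latest = r
        if latest is None or latest["decision"] != "granted":
            return False
        return latest["expires_at"] is None or at < latest["expires_at"]


def consent_scenario():
    """Grant, expiry, then revocation for one subject; returns the in-effect checks."""
    t0 = datetime(2024, 3, 1, tzinfo=timezone.utc)
    notice = formulate_notice("v1", ["name", "date of birth"], ["relying party"],
                              ["age verification"], "encrypted at rest; deleted after use",
                              30, "Province X")   # constructed sample notice
    ledger = ConsentLedger()
    decision = ledger.request_consent(notice, lambda n: "granted")
    ledger.record_consent("subject-42", notice, decision, t0, ["relying party", "credential provider"])
    during = ledger.in_effect("subject-42", "v1", t0 + timedelta(days=10))
    after_expiry = ledger.in_effect("subject-42", "v1", t0 + timedelta(days=31))
    ledger.update("subject-42", notice, "declined", t0 + timedelta(days=12), ["relying party"])
    after_revoke = ledger.in_effect("subject-42", "v1", t0 + timedelta(days=13))
    before_revoke = ledger.in_effect("subject-42", "v1", t0 + timedelta(days=11))
    return {
        "during": during, "after_expiry": after_expiry,
        "after_revoke": after_revoke, "before_revoke": before_revoke,
        "records": len(ledger.review("subject-42")),
        "notifications": len(ledger.notifications),
    }
```

Because `in_effect` is a point-in-time query over an append-only log, a later revocation does not erase the fact that consent was valid when an earlier disclosure happened, which is what an auditor or dispute process needs to see.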

Enable digital identity systems

Guidelines and standards for processes that infrastructure providers deliver to other participants. These processes, which fall into technical and operational infrastructure, include:

physical and system security;
data confidentiality, integrity and availability;
incident reporting; and
record keeping.

Technical

Security

IT security practices designed to ensure the confidentiality, integrity, and availability of supporting infrastructure. 

Data management

Processes and policies for the lifecycle management of digital representation data, including oversight of data collection, validation, storage, and accessibility on an on-going basis. 

Audit & logging

Processes to establish and maintain a chronological record or records that provide evidence of events and activities (system, transaction, or otherwise) related to supported functions.

Technical standards

PCTF reference to relevant industry standards in support of specified functions.

Operations

Risk management

Processes for the identification of direct or indirect risks to supported functions and related efforts to reduce or eliminate the likelihood of these risks occurring. 

Records management

Processes that support typical record-keeping activities for supported functions. This includes classification, retention schedules, preservation, and disposition.

Incident & dispute management

Processes to identify, assess, and respond to events that adversely affect supported functions and (in the case of disputes) ecosystem participants – including efforts to reduce or eliminate the likelihood of the incident recurring.

Defined Roles

Identity providers

Participants that create and manage identities. Sometimes referred to as identity service providers or identity issuers. In some cases, the subject is the creator and manager of its own identity.

Credential providers

Participants that create and manage credentials. Sometimes referred to as attribute providers.

Authenticator provider

Participants that create and manage authenticators. Sometimes referred to as credential service providers; these are not the same as PCTF Credential Providers (see section 5.1.2 for details). Authenticator providers perform the functions that manage the authenticator lifecycle, including issuance, suspension, recovery, maintenance, and revocation of authenticators.

Subject

The entity represented by and to which data held in a digital object pertains (e.g., the person whose age can be verified using a credential). In this context, the digital representation subject is typically a person who wishes to conduct a transaction, access a system, or interact with a relying party in some other manner. 

Relying parties

Participants who rely on digital representations created and managed by other participants.

Digital representation subjects

The entity that the digital representation is representing; typically, the entity to whom the digital representation is issued. In many use cases, the subject of a digital representation will assume explicit functions and/or responsibilities. There may also be implicit functions performed by the subject in the context of the digital identity ecosystem, for example those associated with a "motivation to recover" a digital representation when problems or suspicious events are detected.

Infrastructure providers

Participants that provide the physical and electronic infrastructure needed to enable digital interactions.

Assessors

Participants that assess another participant’s compliance with the PCTF.

Governance

As a trust framework intended for broad adoption, the PCTF defines governance roles for certain ecosystem stakeholders. Participants acting in these roles are responsible for drafting, maintaining, and helping ensure consistent adoption of the various components of the PCTF. Governance roles may also be extended to include governance of the use and application of the PCTF in the digital ecosystem.
