Episode 052: 10‐01‐2024 Canada's 103‐1 Digital Trust and Identity - GluuFederation/identerati-office-hours GitHub Wiki
Title: What is Canada's 103-1 Digital Trust and Identity Certification?
- Host: Mike Schwartz, Founder/CEO Gluu
- Guest: Tim Bouma, Special Advisor, Canada Digital Governance Council
- Co-Host: Bonnie Yau, Acting Chief Operating Officer, Digital Trust Laboratory of Canada
Description
While identity and risk can be largely mitigated by default in the physical world through closed and fragmented systems, established standards, and regulatory safeguards, the same cannot be said of the online world. In the absence of a national standard, public and private sector organizations continue to rely on organization-specific, vendor-driven and ad-hoc document-based identity management processes, which impacts integrity, security, privacy, trust, and service delivery.
Canada's 103-1 Digital Trust and Identity Standard specifies minimum requirements and a set of controls for developing, implementing, operating, monitoring, and governing trust in systems and services that consume and assert digital identity within and between organizations. The requirements in the standard are intended to ensure that digital systems and services are safe, secure, reliable, and protected. It has a super-detailed assessment process, and several jurisdictions have been certified.
What is it? And how can those outside of Canada benefit from the work?
Homework
Extra-Credit
- CAN/DGSI 103-2: Healthcare – Part 2
- CAN/DGSI 103-3: Credentials – Part 3
- Public Sector Profile of the Pan-Canadian Trust Framework
Takeaways
- The genesis of the 103-1 Digital Trust and Identity certification was to formalize how the federal government of Canada assessed the governance, policies and procedures behind the digital identity asserted by the ten autonomous provinces. The lessons learned from this process were formalized in the certification standard.
- 103-1, which covers identity "Fundamentals", addresses several operational program processes: person identity, relationships, credentials and consent management. 103-2 addresses considerations specific to healthcare. 103-3 covers digital credentials in more detail.
- These digital identity program governance standards are fit for global use. Even if not directly adopted, the standards are a good starting point for a government (or even a private sector organization) to achieve uniformity across some of its jurisdictions.
- One area that 103-1 addresses is relationships; for example, a person may be a principal at an organization. Is this a claim? Or is it a credential that should be asserted by the organization (if it can issue digital assertions)? Consent management is also considered in 103-1, but not all the details are fully fleshed out. There is room for improvement in these documents, which continue to evolve.