GC Credential Management Evolution for the OASIS/World Bank eGov Workshop, 17th April, 2009

GC Credential Management Evolution

for the OASIS/World Bank eGov Workshop

17th April, 2009

For information, please contact:

[email protected]

2

Secure Channel: The Enabler for Government On-Line

Typical GOL Services
• Canada Site
• Gateways
• Clusters
• EI on the Web
• Census 2006 (surveys..)
• E-consultation
• Dep’t web sites (info)
• Tax Filing Online
• My Tax Account
• Business Tax Account
• Record of Employment
• Address Change
• Interactive Info Service
• GC Employee Services
• Passport On-line

Citizens, Businesses, Visitors

• Federal
• Provincial
• Municipal
• Business

3

Issued epass Certificates (since Sept 2002)

[Chart: y-axis 0 to 6,000,000; x-axis by month, Sep 2002 to Feb 2009; series: Issued 2002, Issued 2003, Issued 2004, Issued 2005, Issued 2006, Issued 2007, Issued 2008, Issued 2009]

4

5

So why does GC need to change?

• $$$$
  - Decentralized funding
  - Expense of PKI
  - Custom GC code

• Risk based Assurance Model

• Multi-jurisdiction environment
  - Provincial, municipal

• Changing policy requirements
  - Digital signature
  - Positioning for future identity possibilities

6

Business View of Authentication Interfaces

Credential User Interface

Program User Interface

Credential Service Interface

User

Department/Agency (RP)

Credential Provider (CP)

7

Architecture Decisions to support the Business Model

8

Decision 1: Underlying Architecture

We are adopting the SAML v2.0 architecture and associated set of technical standards:
• SAML v2 was standardized by OASIS in 2005
• Adopted by the ITU as X.1141 in 2006
• The most frequently recommended standard in the RFI responses
• Technical standard most widely supported by COTS products
• Most widely implemented in public and private sector federations
  - Denmark, France, USA, New Zealand, …

Primary objective is to provide long-term interface stability for departments

9

Decision 2: Proven Implementation Profile

We are adopting the US E-Authentication Profile for SAML:
• The GC interface definition will be based on an existing, live, public sector implementation as a starting point
• Less GC customization and associated long-term costs
• Reduced risk
• Greater alignment with evolving standards

Governments’ successful implementations of authentication services based on SAML v2 were considered:
• Denmark, USA, New Zealand

Primary objective is to ensure availability of proven interoperable COTS products for departments

10

Potential Evolution Strategy

[Diagram labels]
• New GC-Branded Credential
• Epass Credential
• Agency Federated Credential
• Provincial Federated Credential
• Bank Federated Credential
• OpenID etc. Credential
• GC Federation Hub
• Epass Applications
• Converted Applications
• New Applications

11

Questions?

Thank you

[email protected]