GOC epass Presentation to LC VII - Brenda Watkins Treasury Board of Canada Secretariat Chief Information Officer Branch May 27, 2003
Agenda • GOL Authentication Services • epass Overview • Project Status • Demonstration of epass use with ROE Web
GOL Authentication Services • Strategic initiative funded by the GoC to develop a secure means of offering online authentication services to individuals and businesses in Canada • Common CA established, capable of scaling to accommodate all Canadians (30+ million) • Concept subject to focus group testing and Privacy Impact Assessments
Authentication Services Infrastructure (diagram) • Typical on-line services: Access and Changes to Personal Information; Corporate Form Filing; Benefit Applications; Tax Filing; Paid Publications; Access to Public Information • Security providers: Public Key Infrastructure; PINs, Passwords, Shared Secrets; SSL
Authentication Services Strategy • Respect privacy and security • Start small so as to lessen risk • Common authentication infrastructure – epass issuance and management • Individual identification managed at each program – Retains information silos
epass Overview • epass – Collection of an individual’s public and private key credentials • Registration and enrolment – epass registration (generation and issuance) – Identification to government program – Program mapping of certificate identifier to a program-specific identifier
Registration and Enrolment • Registration with Common CA – Obtain one or more epasses – Indexed by MBUN (Meaningless But Unique Number managed by CA) – Supports roaming individuals – No link to individual received or maintained at CA – Holds challenge questions and answers for recovery and self-revocation
Registration and Enrolment… • Enrolment with government program – Identification of individual – Binding of MBUN to PID of identified individual – PID (Program IDentifier) managed by program
Registration and Enrolment… (diagram) • Central CA – UserID: J1969 – Encrypted Creds: XXXXXXXXX • Program Specific Repositories – Program A: MBUN 1035, PID 123456 – Program B: MBUN 1035, PID 133498 – Program C: MBUN 1035, PID 998321
Enrolment Example • Canada Customs and Revenue Agency (CCRA) Address Change Online (ACO) • Online identification of individual – Date of birth – Line 150 from previous tax submissions – Access code from previous tax assessment – Social Insurance Number (SIN) • PID is the SIN • MBUN from epass mapped to PID at program
Mapping MBUN to PID • epass MBUN is mapped to PID, and mapping is held only at the program • Programs continue to key on PID (not MBUN) as MBUN may change – Individual re-registration – Individual may choose to associate new epass with PID
epass Management • Renewal – 5-year certificate lifetime – Updates attempted at 50% of lifetime • Revocation – Self-revocation of epass supported – Per-program de-activation of MBUN-PID mapping • Recovery – Individual provides answers to registered questions – New epass with same MBUN (“account recovery”)
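The separation described in the slides above (a central CA that knows only MBUNs, and programs that each hold their own MBUN-to-PID mapping) can be modelled in a few lines. This is an added example, not code from the presentation or from the epass system; the class names, the MBUN format and the assumption that certificate validation has already yielded the MBUN are all hypothetical.

```python
import secrets

class CentralCA:
    """Common CA: indexes epasses by MBUN, stores nothing identifying."""
    def __init__(self):
        self.epasses = {}  # MBUN -> {"serial": n, "revoked": bool}

    def register(self):
        mbun = secrets.token_hex(8)  # constructed MBUN format (assumption)
        self.epasses[mbun] = {"serial": 1, "revoked": False}
        return mbun

    def recover(self, mbun):
        # Recovery issues a new epass under the same MBUN; the challenge
        # question check is assumed to have passed already.
        self.epasses[mbun]["serial"] += 1
        return mbun

    def self_revoke(self, mbun):
        self.epasses[mbun]["revoked"] = True

    def is_valid(self, mbun):
        entry = self.epasses.get(mbun)
        return entry is not None and not entry["revoked"]

class Program:
    """A program: identifies the individual and holds the MBUN -> PID map."""
    def __init__(self, ca):
        self.ca = ca
        self.mbun_to_pid = {}  # held only at the program
        self.records = {}      # program data stays keyed on PID

    def enrol(self, mbun, pid):
        # The program has already identified the individual by its own means.
        if not self.ca.is_valid(mbun):
            raise PermissionError("epass is not valid")
        self.mbun_to_pid[mbun] = pid
        self.records.setdefault(pid, {})

    def deactivate(self, mbun):
        # Per-program de-activation: other programs are unaffected.
        self.mbun_to_pid.pop(mbun, None)

    def authenticate(self, mbun):
        # Returns the PID for a valid, enrolled epass, else None.
        if not self.ca.is_valid(mbun):
            return None
        return self.mbun_to_pid.get(mbun)
```

Because program records are keyed on PID, enrolling a second epass for the same PID leaves the individual's data in place, while self-revocation at the CA cuts off that MBUN at every program at once.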
epass Use • Central logon and retrieval of epass – Standard browser plus Java applet • epass credentials used to authenticate to program • Persistent signatures and encryption
Respecting Privacy • Choice – epass optional for obtaining government services – Option to have more than one epass • Pseudonymity • Separation between epass registration and program enrolment – CA is central, but has no identifying information – Individual manages relationships with each program • Protection against data matching – Legislation and policy – Possible changes in MBUN encourage maintenance of PID indexing
Authentication Services Status • 1st application: CCRA’s Address Change Online launched Sept 2002. – Each individual registers for an epass that may be used across the federal government as new services are epass enabled. – No communications regarding the launch were carried out to minimize risk. – 50,000 epasses have been issued in support of this application. – Service is available to everyone via CCRA’s web site. • 2nd application: HRDC’s Record of Employment (ROE Web) application. – Focuses on business clients who prepare ROEs. – Went into production earlier this month.
Record of Earnings Project • This project offers significant benefits for HRDC and Canadian businesses. • 8 million ROEs are prepared annually by 1.4 million businesses. • Eliminates a paper process that has been identified as one of the most cumbersome government programs by Canadian businesses. • The process is being re-engineered for on-line IA&A. • Annual savings estimated at $250 million once fully implemented.
ROE Web IA&A Module (diagram) • Employer Account • Senior Executive (if required) • Primary Officer Account • Officer Accounts (as required) • Issuer Accounts (as required) • Legend: Created by HRDC; Created by Employer
For more information Brenda Watkins (613)952-6358 Watkins.Brenda@tbs-sct.gc.ca