Why and How to Use the Principles
Principles for Electronic Authentication
A Canadian Framework
May 2004
The Principles are intended to provide guidance for the development, implementation and use of authentication products and services in Canada. They complement the existing governance structure[1] for authentication by establishing benchmarks to ensure that authentication products and services embody sound business and market practices, meet the needs of Canadians and are accepted internationally.
The governance structure that applies to authentication services in Canada today consists of, among other instruments, the Government of Canada's 1998 Cryptography Policy, federal and provincial legislation, including the 2000 Personal Information Protection and Electronic Documents Act, the Principles of Consumer Protection for Electronic Commerce, developed in 2001, and the Canadian Code of Practice for Consumer Protection in Electronic Commerce (January 2004).
It is anticipated that the Principles for Electronic Authentication will be of greatest use to those involved in the design, development and deployment of authentication services and products. The Principles identify the functions and responsibilities of participants in authentication processes and provide a framework to assess and manage the risks that accompany these responsibilities. The Principles also identify security, privacy, disclosure and complaint-handling matters that need to be taken into account at each stage of the design, development, implementation and assessment of an authentication process.
Those involved with the design, implementation and ongoing operation of authentication processes are encouraged not only to respect the Principles but also to publicize them. The Principles should form the basis of codes of conduct, voluntary initiatives and guidelines that are tailored to the requirements of specific industries and government. Such initiatives are strongly encouraged, and can provide strategic advantages in domestic and international markets.
The Principles are intended as a useful source of information and as benchmarks for individual and business users of authentication. While the Principles define the responsibilities of participants (Principle 1) and address aspects of risk management (Principle 2), they do not address the liabilities that could be borne by the various participants involved in authentication processes. In particular, the Principles do not address issues of consumer protection or liability, and should not be interpreted as allocating liability to end users of authentication services. Legislative or other measures may evolve to address the needs of end users, particularly the risk and liability assumed by consumers participating in authentication processes.
The authentication environment is dynamic and the technologies used will continue to evolve. Although every effort has been made to define principles that can encompass foreseeable developments, they are open to revision as needed to take into account significant technological advances, changes in market characteristics and international developments. Comments and views on the Principles are welcome at any time and should be addressed to:
Richard Simpson
Director General
Electronic Commerce Branch
Industry Canada
300 Slater Street, Room D2090
Ottawa ON K1A 0C8
Comments can also be provided by facsimile at (613) 941-1164 or by electronic mail at authen@ic.gc.ca.
The Principles will be reviewed at least every five years, or more frequently if necessary. The Authentication Principles Working Group is charged with the periodic review and revision of the Principles. The composition of this group will be assessed and adjusted as appropriate as the authentication environment evolves.
[1] The term governance structure refers to the range of policy tools, regulatory instruments and self-regulatory guidelines that relate to the development and implementation of authentication services in Canada.